LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-25-2017, 10:23 AM   #16
jmgibson1981
Senior Member
 
Registered: Jun 2015
Location: Tucson, AZ USA
Distribution: Debian
Posts: 1,135


I can't speak with any authority about how safe encryption is. I look at it as another obstacle instead of the end all be all. Really it's about reducing risk. A reasonably encrypted file is too much work for anyone other than a nation state. And if they really want to decrypt something of mine, I shouldn't be worried about it but rather why they are targeting me in the first place. Most people are not and never will be targets. If you are a target you have bigger problems than someone decrypting an email regardless of content.
 
1 members found this post helpful.
Old 03-25-2017, 12:46 PM   #17
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Quote:
Originally Posted by sundialsvcs
But ... you are the weak link
John Podesta knows it.
 
1 members found this post helpful.
Old 03-25-2017, 04:33 PM   #18
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Quote:
Originally Posted by syg00
Read the notes at the beginning of the article.
a dry remark, but right you are:
Quote:
Security expert Graham Cluley believes that the presence of seemingly random passwords such as “18atcskd2w” and “3rjs1la7qe” on the list indicates that bots use these codes over and over when they set up dummy accounts on public email services for spam and phishing attacks. Email providers could do everyone a favor by flagging this kind of repetition and reporting the guilty parties.
Quote:
Originally Posted by GazL
This article speculates that they are from the accounts of automated forum spam-bots:
https://www.tripwire.com/state-of-se...ular-password/
thanks.

it's interesting, no?
and still a mystery... enter the realm of belief...

Last edited by ondoho; 03-25-2017 at 04:36 PM.
 
1 members found this post helpful.
Old 03-30-2017, 01:00 PM   #19
coralfang
Member
 
Registered: Nov 2010
Location: Bristol, UK
Distribution: Slackware, FreeBSD
Posts: 836
Blog Entries: 3

Quote:
Originally Posted by 273
I'm always confused by people wanting encryption that the government can't crack. In the UK there is now a law which effectively means life in prison if encryption keys, passwords or whatever are not handed over and the US government has this place they call "Gitmo" for people who do things like encrypting data and wearing Casio watches.
Then there's keeping things safe from corporations. Are your holiday snaps really worth $20K of computing time to a corporation?
used.
I'd say it's worth it. For one, any portable device can easily be lost. Whether it's a smartphone or a laptop, you probably want encryption here in the event you lose the device, and someone may be able to recover a saved password for your banking/paypal etc.

Just as important on a desktop machine that never leaves the house, burglaries do happen, and it's likely a computer or hard drives would be some of the things stolen.

Any personal information can be used for identity fraud. Encryption there would help save you from that.
 
1 members found this post helpful.
Old 03-30-2017, 01:16 PM   #20
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

Quote:
Originally Posted by coralfang
I'd say it's worth it. For one, any portable device can easily be lost. Whether it's a smartphone or a laptop, you probably want encryption here in the event you lose the device, and someone may be able to recover a saved password for your banking/paypal etc.

Just as important on a desktop machine that never leaves the house, burglaries do happen, and it's likely a computer or hard drives would be some of the things stolen.

Any personal information can be used for identity fraud. Encryption there would help save you from that.
Please read more carefully. I do not suggest that encryption is not worth it but I ask whether your secrets are worth the tens of thousands that breaking decent modern encryption costs. I also ask whether your genitals, to put it crudely, are more breakable than your encryption scheme.
Encrypt, of course, but nation states and corporations have other means.

Last edited by 273; 03-30-2017 at 01:38 PM. Reason: typo's
 
1 members found this post helpful.
Old 03-30-2017, 05:15 PM   #21
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,609
Blog Entries: 4

"And, quite frankly, I am not seriously worried about hostile governments!"

I am worried about: Google®!

The reality of the present-day Internet is that "e-v-e-r-y-b-o-d-y is eavesdropping, at e-v-e-r-y opportunity," merely because they have figured out that they can.

In this real-world context, then ... very practical pragmatic security becomes:
Quote:
"Putting your communications into ... an envelope!"
In this scenario, "you're not really trying to keep Your Government from steaming-open your envelope, and perhaps scissoring the letter that you entrusted within."

Instead, you're simply trying to keep your letter from being trivially(!) read by others, "as though you had written it upon a postcard, instead."

- - -

And so, "a very pragmatic modern-day description of 'the fundamental importance of cryptography'" just might be:
Quote:
... "a postcard"

... or ...

"reading the damned thing aloud at the top of your lungs from the very highest hills, for every marketer within earshot on Planet Earth to psycho-analyze"

... or ...

... "a letter" in an envelope.
- - -

Cryptography: in the end, nothing more than 'the 21st Century™ replacement of: "an 18th-Century 'paper envelope ...'"

And yet, a thing profoundly(!) important, merely for "being 'a thing nothing more than that,'" in the face of ... quite inexplicably ... "nothing(!) at all!"

A thing very(!) significant, not because it can or cannot be "(even, 'effortlessly' ...) steamed open," but merely because it is there.

"Because, one by one by one, now, you actually have to do it."

Yessir, although "any single envelope" might – or, might not(!) – quite-effortlessly be "steamed," hundreds of millions of individually-"enveloped" messages per day are quite a different matter.

And yet: "isn't this standard practice, even for every bit of your 'junk mail?'" (That is to say ... "in your mailbox at the end of your driveway?")

Stop and think of it: exactly how costly and how difficult would it be for someone, if they could only work from the content of physical mailboxes containing sealed letters (which, by the way, they are already not permitted to "steam open") to discern anything-of-value about the junk-mail that you daily receive?

Therefore: why, exactly, is it so damned easy(!) to learn "exactly where your daughter was standing, ten minutes ago?!?!"

Last edited by sundialsvcs; 03-30-2017 at 05:44 PM.
 
1 members found this post helpful.
Old 03-30-2017, 10:14 PM   #22
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,937

You'd have to expect that the major countries that have access to super computers are not really using them to play PONG now do you?
 
1 members found this post helpful.
Old 03-31-2017, 07:57 AM   #23
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,609
Blog Entries: 4

You may as well say that, "major governments will do as they please," because in the end they will.

Phil Zimmermann, the original developer of PGP®, wrote a little treatise – the readily-available versions of it are more cleaned-up than his original – called Why I Wrote PGP. "It's personal. It's private. And it's nobody's business but yours."

These paragraphs seem appropriate here:
Quote:
Originally Posted by PZ:
Perhaps you think your email is legitimate enough that encryption is unwarranted. If you really are a law-abiding citizen with nothing to hide, then why don't you always send your paper mail on postcards? Why not submit to drug testing on demand? Why require a warrant for police searches of your house? Are you trying to hide something? If you hide your mail inside envelopes, does that mean you must be a subversive or a drug dealer, or maybe a paranoid nut? Do law-abiding citizens have any need to encrypt their email?

What if everyone believed that law-abiding citizens should use postcards for their mail? If a nonconformist tried to assert his privacy by using an envelope for his mail, it would draw suspicion. Perhaps the authorities would open his mail to see what he's hiding. Fortunately, we don't live in that kind of world, because everyone protects most of their mail with envelopes. So no one draws suspicion by asserting their privacy with an envelope. There's safety in numbers. Analogously, it would be nice if everyone routinely used encryption for all their email, innocent or not, so that no one drew suspicion by asserting their email privacy with encryption. Think of it as a form of solidarity.

Until now, if the government wanted to violate the privacy of ordinary citizens, they had to expend a certain amount of expense and labor to intercept and steam open and read paper mail. Or they had to listen to and possibly transcribe spoken telephone conversation, at least before automatic voice recognition technology became available. This kind of labor-intensive monitoring was not practical on a large scale. It was only done in important cases when it seemed worthwhile.
Today, of course, it is not merely "the government" that is spying on you. Corporations do it, and sell the information. Superlatively detailed information of this sort will one day prove itself to be a weapon of war – a war unlike any other mankind has ever known. And, we merely "gave it away." Phil's comment about "tapping conversations and transcribing it" is also obsolete: "Siri-"like technology can be built into the telephone switch, and there are people who insist that this isn't "wiretapping" because a human isn't the one "listening in."

We live in a far-too open world, and therefore a very dangerous one.

Readily-available public key technologies, as I've said, give you three very crucial assurances:
  1. It is not a forgery: the message did come from its purported sender.
  2. It has not been tampered with: the message you received is exactly what was sent, and there is no "man in the middle."
  3. (If you wish ...) The message could not be read by others.

And, most importantly of all, it is easy. OpenVPN is transparent. Any e-mail package worth its salad dressing can transparently validate signatures, encrypt or decrypt messages, sign messages, and so on ... unobtrusively. And yet, the encryption is believed to be very strong. Surrounding it, also, is key-management and other considerations which are also well thought-out and very strong.

Last edited by sundialsvcs; 03-31-2017 at 08:01 AM.
 
1 members found this post helpful.
Old 03-31-2017, 05:57 PM   #24
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

I live in a part of the world where they're wanting to make encryption illegal again without full, unencumbered government access.
A decade or so ago I would have expected the story linked to above to be regarding China, Russia or a dictatorship somewhere...
So, the UK may be back to The Clipper Chip in the very near future.
And, as I mentioned, should the government become interested in you, failure to provide the keys used to encrypt that data will result in a prison sentence of 2 to 5 years in jail but there's no reason that can't be extended until you do give up the keys since it's essentially a "contempt of court" type offence (notice the word "jail" not "prison").
In the UK, at least, the war for private data and communications has been lost. Hopefully the rest of the world will fare better.

Last edited by 273; 03-31-2017 at 05:58 PM.
 
1 members found this post helpful.
Old 03-31-2017, 07:00 PM   #25
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,609
Blog Entries: 4

Personally, I think that "Clipper chips," like any and every other notion of "key escrow," is and always will be thoroughly unworkable.

This is not the solution. (And, besides that, it could never possibly be imposed.)

Nevertheless, if an officer of the law presents you with (in American parlance ...) a search warrant, duly issued by a Court of Law, which demands that you turn over the encryption key, I personally think that you must(!) indeed, "timely do so." If you refuse, you are indeed (at least ...) "in contempt of court."

Since "you, of course, have done no wrong," you ought to be willing to cooperate with the officers, and with the Court who has authorized them, in their efforts to catch "the real bad guys."

- - -

But, having said all that, there remains another fundamental issue, unrelated to all of the preceding legalities:

"How can I, as the legitimate possessor of a secret that truly is worth vast amounts of money (and irreplaceable business advantage) to me, be made certain that some bumbling, under-paid, forever a civil servant, court clerk(!) does not give my priceless(!)-to-me crypto key ... which I divulged to you as the Honorable Court required ... to my cunning business competitor?"

Indeed: "How will I be protected from the possibility that said competitor 'made this whole thing up,' just to get his hands on that key?"

A crypto key – say, to an oil-exploration company – might legitimately(!) be worth hundreds of millions of dollars, and there are those out there who would do a-n-y-t-h-i-n-g to get their hands on it. (Including, if need be, "faking" a civil or a criminal complaint.)

Remember: "I am a legitimate, truly-innocent, businessman who has done no wrong." My concern is that my competitor might snooker you – purposely deceiving you and the entire legal process that you so-diligently and earnestly represent – just to get his hands on my secret and thus upon the data which it now protects.

Just sayin' . . .

Last edited by sundialsvcs; 03-31-2017 at 07:05 PM.
 
1 members found this post helpful.
Old 03-31-2017, 07:19 PM   #26
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

Nevertheless, the UK government is demanding keys to all private conversations. If they stop before outlawing PGP we've only lost a couple of decades of progress...
To see mention of "the real bad guys" from somebody who lives in a country known for its modern-day slavery and abusive lack of access to trial for people left to be abused for years in jails is a little funny, in an ironic way.
 
1 members found this post helpful.
Old 03-31-2017, 07:34 PM   #27
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,937

I think that the question about handing over keys to encryption revolves around one case here lately. The court claims they have evidence that the guy has kiddie porn on his computer and they are demanding to get the encryption keys. Under the Constitution you are not required to provide incriminating evidence. The guy should get a different court to lift his "contempt of court" order but that will never happen. How the court knows there is illegal data on his computer I can't say as they didn't seem to mention it.

Yes, contempt of court is a really broad and too far ranging tool.

A lady lawyer here was ordered to name where her client buried the body. Somehow the court found out that she knew. She spent a few days in jail and decided to tell. Then she sued the court for a million or so.

Personally I'd think that heinous crimes should never be protected.
 
1 members found this post helpful.
Old 03-31-2017, 07:35 PM   #28
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 634

Quote:
live in a part of the world where they're wanting to make encryption illegal again without full, unencumbered government access.
.. from article

Quote:
As the security expert Bruce Schneier has written: “I can’t build an access technology that only works with proper legal authorisation, or only for people with a particular citizenship or the proper morality. The technology just doesn’t work that way. If a backdoor exists, then anyone can exploit it.”
Quote:
Fortunately, Rudd appears not to want to go down that road. She put the emphasis on working with the tech companies to find a solution rather than sweeping legislation. Later, she clarified her views on encryption. She told Sky’s Sophy Ridge on Sunday programme: “End-to-end encryption has a place. Cybersecurity is really important and getting it wrong costs the economy and costs people money, so I support end-to-end encryption.”

She said she supports end-to-end encryption for families (presumably those using WhatsApp?), for banking and for business. But she insisted: “We also need to have a system whereby when the police have an investigation, where the security services have put forward a warrant signed off by the home secretary, we can get that information when a terrorist is involved.”
Yes, it is easy to support end-to-end when you assume only good people use it..
 
1 members found this post helpful.
Old 03-31-2017, 07:42 PM   #29
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680

The frightening thing being that the Gestapo Officer Rudd here is suggesting this not because a child could have been saved from abuse or people from a terrorist attack but because a man who committed murder using a car and a knife used WhatsApp shortly before doing so. There is absolutely no way that the government being able to read everything everybody is posting all the time would have stopped his act. Only a complete and utter brainless moron would think that to be the case.
 
1 members found this post helpful.
  


All times are GMT -5.