[Tfug] Why would *anyone* leave a door open?
Jordan Aberle
jordan.aberle at gmail.com
Fri Aug 28 18:04:35 MST 2009
Anything can be insecure, it depends on the person securing it.
Look at how simple physical security can be bypassed. It's a joke.
http://www.youtube.com/watch?v=QRtSikCqWIg
On Fri, Aug 28, 2009 at 5:59 PM, Bexley Hall <bexley401 at yahoo.com> wrote:
> > Your "John the Ripper" example
>
> I don't use "John the Ripper".
>
> > doesn't work for WPA2 cracking, the SSID is integrated
> > into the hash. So, you need a premade list that has been
> > computed with the SSID into all the words in the dictionary
> > list. That you are trying to crack, that is what makes
> > WPA2 that much more secure.
>
> Ah, so an SSID like, maybe "linksys"? Gee, I wonder how many
> *thousands* of networks in Tucson alone have *that* SSID??
>
> Every "secure" system has been *considered* secure -- until
> it was PROVEN otherwise. If you think any one of these is *truly*
> secure, you just haven't seen the right "headline"... *yet*!
>
> I stand by my claim: When someone breaks into my house to tap
> into my WIRED network (and decides *not* to simply walk off with
> all of my machines) *then* I'll worry about my security... ;-)
>
> > Example of a premade list:
> http://www.churchofwifi.org/default.asp?PageLink=Project_Display.asp?PID=90
> >
> > The
> > 1000 SSID list here took 3 days of some serious computing
> > power to make a list that works with cracking WPA2 networks,
> > if the SSID of the network does not exist in this list you
> > would have to do some serious number crunching yourself to
> > make a dictionary list for that one SSID you are trying to
> > crack. It would take days to add an SSID you were trying
> > to crack to the list in the above example with a normal dual
> > core system. Lots of withs.. ;p
> >
> >
> >
> > On Fri, Aug 28, 2009 at 3:29 PM,
> > Bexley Hall <bexley401 at yahoo.com>
> > wrote:
> >
> >
> > > >>> s/does/did/
> >
> > > >>
> >
> > > >> OK...what the hell does that mean?
> >
> > > >
> >
> > > > Substitute 'does' with 'did'. Not
> > a vi user, eh? ;-)
> >
> > >
> >
> > > Ah. Meaning he probably threw
> > it in there now :).
> >
> > >
> >
> > > Good news is, I deliberately used a passphrase that
> > I've
> >
> > > never actually used :).
> >
> > >
> >
> > > I tend to use that sort of style though, and recommend
> > it
> >
> > > often. It's the best way to memorize a long
> > passphrase.
> >
> > >
> >
> > > You can also create "families" of passwords
> > with it.
> >
> > > In other words, both a longer and shorter version of
> > the same
> >
> > > concept. Done right,
> >
> > > each has meaning only to you, so that if one is
> > compromised
> >
> > > the other version isn't, or at least the search is
> > only narrowed a
> >
> > > little bit but still basically impossible.
> >
> > >
> >
> > > Example...if the long phrase is
> >
> > > "iseedeadpeopleinabadmovie", the short
> >
> > > might be "ghostpoop". To a human, one will
> > remind you of the other,
> >
> > > but to a computer there's no link.
> >
> >
> >
> > But some cracking algorithms don't *care* about
> > the significance
> >
> > of the character sequence you choose! E.g.,
> > "34fdY7g42" is just as
> >
> > (insecure) as "ghostpoop"! Dictionary based
> > attacks rely on
> >
> > the dictionary happening to contain the vulnerable
> > password
> >
> > in order to work. So, using digits "4",
> > "8", "2", etc. make
> >
> > your password more likely to appear in such a list
> > (dictionary).
> >
> > E.g., born2run, iamgr8, ready4it, etc.
> >
> >
> >
> > OTOH, other cracking techniques essentially try *all* of
> > the
> >
> > possible combinations of characters (in a less
> > computationally
> >
> > intensive approach). So, passwords that wouldn't
> > *tend* to
> >
> > appear in a "dictionary" are just as likely to be
> > discovered
> >
> > as those that *would*. As such, your best defense is a
> >
> > longer (wider) password and/or using characters that
> > *really* are
> >
> > "never encountered" in passwords.
> >
> >
> >
> > As I said, theory and practice are very different animals
> >
> > in this world. And, just because something *seems*
> > secure,
> >
> > doesn't mean someone hasn't found a way to
> > *efficiently*
> >
> > circumvent it!
> >
> >
> >
> > Is someone going to crack your password if they have to
> > gain
> >
> > *physical* access to your machine (i.e., you keep it
> > offline
> >
> > as I do mine) *and* have to be motivated to *want*
> > what's
> >
> > on your machine? Or, are they going to attack some
> > account
> >
> > of yours (banking account$ tend to be worth $omething to
> >
> > $tranger$!) that is publicly accessible with little
> >
> > *practical* hope of ever being "traced" to the
> > attacker?
> >
> >
> >
> > If I have to break into your home to tap into your wired
> >
> > network, I put myself at considerable risk. OTOH, if I
> >
> > can sit down the end of the block -- or, in a
> > neighbor's
> >
> > house -- and do this "safely"...
> >
> >
> >
> > Do the math.
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> >
> > Tucson Free Unix Group - tfug at tfug.org
> >
> > Subscription Options:
> >
> > http://www.tfug.org/mailman/listinfo/tfug_tfug.org
> >
> >
> >
> >
> > -----Inline Attachment Follows-----
> >
> > _______________________________________________
> > Tucson Free Unix Group - tfug at tfug.org
> > Subscription Options:
> > http://www.tfug.org/mailman/listinfo/tfug_tfug.org
> >
>
>
>
>
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://tfug.org/pipermail/tfug_tfug.org/attachments/20090828/23493401/attachment-0002.html>
More information about the tfug
mailing list