Friday, July 26, 2013
Tuesday, July 23, 2013
The word on passwords: shun words
Memorable passwords are often devised by placing one or two words within the passphrase. But these blocks represent the computer-assisted code-cracker's first line of attack.
Of course, internet services such as Google and Yahoo block attempts to test more than a few passwords in one day. But passwords for your personal computer, laptop and smartphone are not necessarily immune from what might be called modified dictionary attacks.
One reason so many Google, Yahoo and Facebook accounts are hacked is that a typical hacker tries a few common password types and, if he doesn't strike pay dirt within the allotted number of tries, moves on to the next account. Of course, there are many other tools and tricks for obtaining passwords, but one should at least put the first latch on the door. The word "password," for example, is used by a great many people, whose accounts are of course highly vulnerable.
So let's consider a modified dictionary attack.
There are 26 letters in the English alphabet. 26! = 4 x 10^26, a fantastically high number of combinations. But, who uses a random 26-letter password?
Or you might use all numerals. But a 10-digit password (say, a phone number) is part of a set of 10! = 3,628,800, which is within the range of any modern code-cracking algorithm. If the password is, say, 13 digits, we have 10!(10C3) = 435,456,000, which is pushing half a billion combinations, so a certain level of security is found here. Fifteen numerals yields 10!(10C5) = 914 million, or pushing one billion combinations.
But there is a more efficient way to do things.
If we use upper and lower case letters, we have 52 letters plus 10 numerals. If we also employ the punctuation and other symbols -- my keyboard has 32 -- we arrive at a grand total of 94 characters (or 95 if you include the space bar).
So, a 7-character password nests within a set of 10 billion combinations. Nine characters nests within a set of one trillion combinations.
Technically, if many others are drawing from this set for their passwords, you needn't use all types of characters. But, because most people use a much smaller set of characters, you are better off drawing from every type.
Now consider what happens if you use a word, let's say, having between 3 and 7 letters, in a 7-character password.
The decryption program has access to a database of all such character combinations, of say between three and seven letters. Using a database commensurate with the program's computational power, it runs a modified "dictionary attack." The database might have all the words in all English dictionaries as well as all dictionaries of other languages, along with common strings of numbers. So maybe there are a million such entries, ranked by frequency and hence by probability of occurrence. The program prioritizes candidate words by frequency and by the language of the user, and is likely to drop all words that occur at less than some specific frequency.
Suppose the program "guesses" that your password contains a word.
It breaks your password into blocks like this:
1. (XXXXXXX) Rather than bother with the 94C7 = 10 billion combinations, it first checks common words of 7 letters, which I would guess come from a set of no more than 100.
2. x(XXXXXX) Similarly for six letters, maybe 100 words. It begins checking words slotted on the first space, then if necessary the second. There are only two possibilities, so the total of items to be checked is 2 x 94 x 100 = 18,800.
3. (xx)(XXXXX) For five letters, let's make a ballpark estimate of 300 probable words. This gives us 2 x 94C2 x 300 = 2,622,600. Still easy going for a code-cracking program.
4. (xxx)(XXXX) For four letters, I can't imagine more than 350 probable words. This gives us 2 x 94C3 x 350 = 93,830,800. Still feasible for a powerful computer.
Our total of combinations is 100+18800+2622600+93830800 = 96,472,300.
But in fact, the decryption program would likely have a suite of subroutines, so that it wouldn't first run the program that accounts for 94 characters, but would start out with an algorithm that uses 26 lower-case letters, then one that uses 26 lower-case letters and 10 numerals. Chances are good that that will suffice to expose most passwords that contain a word of three to seven letters.
In the past, I have used a block of lower case letters and some numerals. Had my password been seven characters long and had I used a recognizable word, we would get 100; 2 x 36 x 100 = 7,200; 2 x 36C2 x 300 = 378,000; 2 x 36C3 x 350 = 4,998,000 for a total of 5,383,300. A snap for a modern decryption program.
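As an added example (not code from the original post), the following Python reproduces the post's block-counting model for a 7-character password, taking the alphabet size and the post's ballpark word counts as inputs, and sets the result beside the full brute-force keyspace of ordered strings so the gap the post describes is visible in numbers.

```python
from math import comb

# The post's own ballpark estimates of probable words by length
# (7 letters: 100, 6: 100, 5: 300, 4: 350).
WORD_ESTIMATES = {7: 100, 6: 100, 5: 300, 4: 350}

PASSWORD_LENGTH = 7


def block_candidates(alphabet_size, word_estimates=WORD_ESTIMATES,
                     length=PASSWORD_LENGTH):
    """Return {word_length: candidates} for the block-checking model in the post.

    For a word of w letters inside a password of `length` characters, the post
    counts 2 placements of the word (filler before or after it) times
    C(alphabet_size, f) filler combinations, where f = length - w, times the
    number of probable words of that length.  A word that fills the whole
    password has one placement and no filler.
    """
    counts = {}
    for w, n_words in sorted(word_estimates.items(), reverse=True):
        filler = length - w
        placements = 1 if filler == 0 else 2
        counts[w] = placements * comb(alphabet_size, filler) * n_words
    return counts


def total_candidates(alphabet_size, **kw):
    """Sum of the per-block candidate counts (the post's grand total)."""
    return sum(block_candidates(alphabet_size, **kw).values())


def brute_force_keyspace(alphabet_size, length=PASSWORD_LENGTH):
    """Number of ordered strings over the alphabet, i.e. what an exhaustive
    search with no word-guessing shortcut would have to cover."""
    return alphabet_size ** length


if __name__ == "__main__":
    # 94 printable characters versus the 26 lower-case letters plus 10 digits
    # that the post says it once drew from.
    for name, n in (("94 printable characters", 94), ("lower case + digits", 36)):
        print(f"{name}: {block_candidates(n)} -> total {total_candidates(n):,}")
        print(f"  versus {brute_force_keyspace(n):,} ordered strings for brute force")
```

With 94 characters the model reproduces the post's 96,472,300 candidates, against roughly 6.5 x 10^13 ordered 7-character strings for an exhaustive search; with 36 characters it reproduces 5,383,300.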
We must also be careful about deliberately misspelling a word, because common improper spellings may be included in the decrypter's database. I made an embarrassing gaffe on this point. The word "wordd" was part of my password. But a block-checker of the type I've described would have tested the word "word" and treated the extra d as part of another block.
The advice to shun words holds for common digit strings such as 1234567 or 24681012 or 3141592 (leading digits of pi).
This is all very well, you say, but you'd like to be able to remember your password.
If you can memorize your phone number, there's no reason you can't remember a haphazard group of eight or so characters from a 94-character set.
But, you might try something like this:
Write down an auto license plate number from a random vehicle, say
JCB37K
Insert two characters, such as $ and =, for JC=B37$K
Change one or two letters to lower case, as in jC=B37$K
You'll never remember that? OK, try this:
Last two letters of your place of birth.
ON
Street address number, or last two letters of your zip code
41
Last two letters of mother's maiden name
KE
This gives us, in this example,
ON41KE
change one or two letters to lower case
oN41kE
Sprinkle with punctuation marks:
oN,41&kE
You can reconstruct the password by remembering that it is related to the sequence "street address, mother's maiden name." Once you do that, your memory should be refreshed as to the remaining steps.
Another possibility is a type of code that might be easy for a human expert to break, but not so easy for a typical code-cracking program.
You have a number that is easy to remember, such as the last four digits of your phone number.
3776.
Another easy number to remember might be the last four digits of your Social Security number. 5893
Add them together: 9669
Take a friend or relative's name and reverse the order of letters: sam to mas
Write maybe 9669mas and change one or two letters to uppercase. 9669Mas. Toss in one or two punctuation marks 9669&Mas!
So if you forget your password, you remember your two numbers and the name and reconstruct the password. As you do so, your memory of the "&" and the "!" will be refreshed.
There are many such stratagems. Yes, making and remembering strong passwords can be annoying, but the small bit of effort required may pay off in a big boost in security.
Disclaimer: These tactics won't stop the NSA or other federal agency. On the internet, they simply siphon your data before your provider encrypts it. On your home PC or laptop, they have a suite of high-tech methods to detect it; though you might conceivably defeat federal snoops from prying into your system, their hackers know a great number of weaknesses in whatever operating system you use and can probably insert a spyware program to obtain your password as you type it in, even if you use a keyboard scrambler. Unless you are a real expert, it isn't worth the effort to try to outwit the feds; you'll only get a false sense of cyber security.
Related post: the Kalin cipher
http://kryptograff.blogspot.com/2007/06/kalin-cipher.html
Monday, July 22, 2013
MY COMPUTER IS A STRANGE LOOP*
My initial page was the News from Limbo URL without me being signed into Google.
Now this is strange. I can't help wondering whether some coding glitch of a national lab monitor is behind this phenomenon. The NSA isn't the only agency capable of all kinds of wild stuff on the internet. The national labs are bristling with supercomputers and computer scientists, of course.
Or maybe, it's just another funny coincidence. But, a while back I was monitoring national lab pages in search of interesting news items...
*With a tip of the hat to Douglas Hofstadter
Wednesday, July 17, 2013
Time for a special counsel
on federal secrecy abuses
The National Security State hides many more secrets, some almost certainly worse than what has reached the public's ear.
This parallel government is a contraption whose underpinnings are worthy of a Rube Goldberg* cartoon. The uproar over Edward Snowden's disclosures has prompted a lawsuit against the secret system, Congressional hearings in which lawmakers are beginning to show signs of rebellion at security system controls and deceptions and a new awareness of the possibility that "our people" could get far out of line with the first principles of American liberty.
We also have the Justice Department's unscrupulous practice of investigating leaks by seizing telephone data of reporters and of prosecuting whistleblowers as though they are traitorous spies rather than friends of America. Let's keep in mind that leaking embarrassing secret documents is a time-honored practice and one of the checks necessary against abuse of power. For example, before the Japanese attack on Pearl Harbor, the Chicago Tribune published what looked very like a secret plan of the Roosevelt administration to bring the United States into World War II. What was done to the reporter, the editor and the owner? Nothing. They were within their rights.
And, Franklin Roosevelt and his allies could easily have argued that the secrecy was justified because the national security of the United States was at stake. Nevertheless, there was no frenzied effort to catch the leaker by cracking down on the reporter or other members of the press. Roosevelt accepted the exposé as one of those things that happens in our democracy.
As Democratic Rep. John Conyers has said, things have gone "too far" and as Republican Rep. James Sensenbrenner, a Patriot Act author, has said, the secret body of "law"-- concocted by secret judges handpicked by Supreme Court Chief Justice John Roberts -- is subversive of the Constitution and contradicts the intent of the law. The Kafkaesque secret foreign intelligence court, as "overseen" by the secret court of review, can, and does, permit things that the judges never would have dared do in the bright light of day. The security chiefs, who argue in favor of absolute power to themselves, talk about the pluses and rarely acknowledge the very, very real dangers not only to our liberty, but also to national security (one spy could compromise all America's defenses because of excessive pooling of data).
Barrett Brown, a freelance investigative reporter published in major publications, has been held without bail for some 300 days as he awaits federal trial for exposés based on secret documents obtained by the hacker group Anonymous. What did the documents disclose? A conspiracy among federally funded propagandists to smear -- including via fabricated documents -- journalist Glenn Greenwald for supporting WikiLeaks. So the reporter faces prison for violating federal secrecy statutes. No charges have been filed against those illegally conspiring to damage a man, using your tax money, because of his political beliefs.
Unlike Greenwald, Brown has no institutional affiliation and hence, as Holder's henchmen see it, lacks power. He's a chump, an easy mark in the National Security game.
There is a great deal more like this.
I favor three moves:
1. A citizens' committee to hold evidence-gathering hearings and issue reports concerning the many problems of abuse of power in the National Security State, including an analysis of the poor privacy laws guiding U.S. cyber firms.
2. An independent counsel who will be granted broad power to look into the many issues and abuses, to file charges against federal officials where warranted and to issue a report that goes into the many nooks and crannies of this Byzantine business. Democrats may prefer this option, whereby they can distance themselves from President Obama's secrecy policies to the alternative of a broad-based Tea Party-style campaign debacle. An important area of concern is the use of NSA or Pentagon power within domestic media, which is against the law.
3. Increasing pressure to have Eric Holder removed as attorney general. His people have fought long and hard against liberty in favor of the secret national security monstrosity that we find in our midst.
It might seem a vain idea to expect that a Washington judge would agree to an appointment of a special prosecutor in a case that would call the rulings of fellow jurists into question. However, once the political pressure is great enough, anything is possible.
* (Goldberg's cartoons are under copyright, but his British version, Heath Robinson, gives an example of the elaborate, nonsensical contraptions they designed. https://www.google.com/search?q=heath+robinson+cartoons&client=gmail&rls=gm&source=lnms&tbm=isch&sa=X&ei=KSPnUdvIDdfe4AOGs4GYDQ&ved=0CAkQ_AUoAQ&biw=1280&bih=685#facrc=_&imgdii=_&imgrc=0usEP4MYTzIb_M%3A%3BxUSrjcPD8jteMM%3Bhttp%253A%252F%252Fthefunambulistdotnet.files.wordpress.com%252F2010%252F12%252Fwilliamheatrobinson1.gif%3Bhttp%253A%252F%252Fthefunambulist.net%252F2010%252F12%252F21%252Ffine-arts-william-heath-robinsons-mechanical-apparatuses%252F%3B650%3B916)
Friday, July 12, 2013
Herbert Yardley: king of whistleblowers
Herbert O. Yardley is America's archetypical spook whistleblower. He had successfully modernized America's code-breaking power as an Army Signal Corps lieutenant during and shortly after World War I. But the powers that be decided to force him out of his well-paid post as a high-caliber code-cracker.
As an NSA history says, Yardley, "with no civil service status or retirement benefits, found himself unemployed just as the stock market was collapsing and the Great Depression beginning. He left Queens and returned to his hometown of Worthington, Indiana, where he began writing what was to become the most famous book in the history of cryptology. There had never been anything like it. In today's terms, it was as if an NSA employee had publicly revealed the complete communications intelligence operations of the Agency for the past twelve years -- all its techniques and major successes, its organizational structure and budget -- and had, for good measure, included actual intercepts, decrypts, and translations of the communications not only of our adversaries but of our allies as well.
"The American Black Chamber created a sensation when it appeared on 1 June 1931, preceded by excerpts in the Saturday Evening Post, the leading magazine of its time. The State Department, in the best tradition of 'Mission: Impossible,' promptly disavowed any knowledge of Yardley's activities."
Government officials, though angry, decided to do nothing. According to some accounts, Yardley then went to work for the Japanese. The Canadians hired him briefly at the onset of World War I but British intelligence insisted on his ouster.
Yardley went on to write a successful book on poker strategies.
This tactic has been used in the past when national security was deemed to be at stake. It was more important to find out what a spy knew than to imprison him. Immunity is a normal tool of the security system when confronted with dangerous breaches.
But Snowden has not been offered immunity. That implies that the political situation for the security gurus is of far more importance to them than the condition of our national security.
The wise move, if America's best interests override the need to punish a man, is to grant Snowden full immunity from prosecution on condition that he make himself available for extensive debriefing by NSA experts.
I don't have a smart phone. Even with a laptop I notice that the human-cybernetic interface is turning me into a Cyborg.
And, with no offense intended against IT people, I can easily imagine others who get a similar addictive/allergic reaction to too much code and too many algorithms.
I can imagine that Snowden saw that his expertise as a computer geek had taken him to a dry, barren place. He had a cool job, a good income, trophy girlfriend... And yet he was a mere tool of the Czars of Cyberia, where the rat race of existence goes on at a frantic pace. He was a cypher in the Cyberian Underworld where Data sits on the throne. "I'm losing my soul as an American," he doubtless said.
"There is nothing here but more algorithms, more code, more encryption/decryption arms racing!" his soul must have cried out.
So when he examined his life, looked at the existential trap he found himself in, he decided to BREAK OUT. And the only way he could think to do this was to blow the whistle and run for it.
Hell's bells rang out, as the global security network centered in Washington, or London, or Jerusalem, or somewhere nakedly displayed the vast sway of its conspiracy when a group of European nations coordinated the "legal" hijacking of the Bolivian president's plane based on the bad intelligence that Snowden was aboard.
May the true God lend a hand and a heart to Snowden, who has done America and all those who love democracy a great service.
Wednesday, July 3, 2013
Senators: NSA's dope-fiend logic
could justify gun-sale snooping
Trawling of medical records, credit card transactions
also could be rationalized by classified interpretation
of laws which don't specifically authorize surveillance
"The fact that Patriot Act authorities were used for the bulk collection of email records as well as phone records underscores our concern that this authority could be used to collect other types of records in bulk as well, including information on credit card purchases, medical records, library records, firearm sales records, financial information and a range of other sensitive subjects," the two senators said.
"These other types of collection could clearly have a significant impact on Americans' constitutional rights."