Dumb pipes and smart crypto

page: 2
1
<< 1   >>

log in

join

posted on Mar, 3 2013 @ 06:26 PM
link   
reply to post by Maxatoria
 





Wireshark color codes Color is your friend when analyzing packets with Wireshark. Notice in the example above that each row is color-coded. The darker blue rows correspond to DNS traffic, the lighter blue rows are UDP SNMP traffic, and the green rows signify HTTP traffic. Wireshark includes a complex color-coding scheme (which you can customize). The default settings appear below:


Thats what I figured, and with so much high bandwidth video traffic these days an unknown steganographic process would be less likely to be detected.




posted on Mar, 4 2013 @ 03:31 AM
link   
I do have a somewhat restricted internet quota and have not seen the video, but done a little research into it. I am not saying UCE is a bad system, but it does have its limitations and is not suited for every application. Personally, if I was to use Mega's service I would encrypt all the files using some other process before uploading any sensitive information, just to be sure because at the end of the day it is my responsibility if I get hacked. Generally I do prefer to wait for any new security systems to get some real world battle testing before putting some trust in it.

One weakness that has been identified with the system is with the trust that is placed with Mega and their ability to quickly update the system. With servers placed in America they do have obligations to abide by America law, which has been growing in its ability to breach privacy and access information. With a court order, it is possible for Mega to grab a copy of the users encryption key, without the users knowledge. By moving away from Javascript to a peer reviewed browser plugin it will help close this hole, but reduces the ability to update the system. Perhaps in time as the system becomes more stable it might be an option or branch.



this should raise your eyebrows, ... this is really bad PR and there should not be a compromise between security and convenience.


Actually I consider this hacking event as very good PR. Evernote performed a very responsible reaction to what is an unfortunate, but realistic event. Most companies just pretend it does not happen when it does, which further increases the risks and insecurity. The hash and salt done their job and provided the time so all account passwords could be reset. Even if the hackers had a massive bot network ready to go with a brute force attack it still would take some time to break the passwords. If the website just used a common hash without a salt then some of the passwords might have been discovered a lot quicker from rainbow tables.

But if a hacker can get administrator access to your server they can just bypass the whole user password login and take or alter whatever they want. The more you get into computer security, the more realize that it is all about compromising security with convenience.



posted on Mar, 4 2013 @ 06:40 PM
link   

Originally posted by kwakakev
I do have a somewhat restricted internet quota and have not seen the video, but done a little research into it. I am not saying UCE is a bad system, but it does have its limitations and is not suited for every application.


there are some web sights that would not work with,
it is also a young technology
i think we have only just begun to see its uses.


Personally, if I was to use Mega's service I would encrypt all the files using some other process before uploading any sensitive information, just to be sure because at the end of the day it is my responsibility if I get hacked.


for 70-80% of users the level security would be appropriate, for their privacy and legal requirements.
for an added layer of protection, prior encryption would be good but add extra decryption keys to deal with,


Generally I do prefer to wait for any new security systems to get some real world battle testing before putting some trust in it.


it is fair to say the longer a system has been used the more people trust it,
and the more eyes on it the better
i like it because it is novel and new
and FUN to use
it gives me confidence that there is a bounty program for bugs ect


One weakness that has been identified with the system is with the trust that is placed with Mega and their ability to quickly update the system.


being agile in the fast paced internet security world is a must if you take security seriously

hackers evolve their attacks over hours or days, not weeks.
zero day threats become zero hour threats



With servers placed in America they do have obligations to abide by America law, which has been growing in its ability to breach privacy and access information. With a court order,


any business has to comply with the laws of the country they are in,
it surprises me there is a server there



it is possible for Mega to grab a copy of the users encryption key, without the users knowledge.


i have not seen anyone say that before, is that opinion or fact?


By moving away from Javascript to a peer reviewed browser plugin it will help close this hole, but reduces the ability to update the system. Perhaps in time as the system becomes more stable it might be an option or branch.


i can see it being done for frequent users, i dont think it would be far off, but it would not be the main demographic,
take up of plugins can be slow compared to just clicking a link



Actually I consider this hacking event as very good PR. Evernote performed a very responsible reaction to what is an unfortunate, but realistic event. Most companies just pretend it does not happen when it does, which further increases the risks and insecurity. The hash and salt done their job and provided the time so all account passwords could be reset. Even if the hackers had a massive bot network ready to go with a brute force attack it still would take some time to break the passwords. If the website just used a common hash without a salt then some of the passwords might have been discovered a lot quicker from rainbow tables.


well you do make a point, but how long were the hackers there before they started harvesting password hashes?
best thing you can do is own it and fix it PROPERLY (unlike yahoo mail hack 2+months)


But if a hacker can get administrator access to your server they can just bypass the whole user password login and take or alter whatever they want. The more you get into computer security, the more realize that it is all about compromising security with convenience.


there is a saying,
if its simple it will get used,
even if you stole a remote data storage server from its location,
you wouldn't be able to unclutter the info let alone find it to decrypt it,

in theory you could run this on a "hostile" server and still be ok

not that that would be an option


xploder
edit on 4/3/13 by XPLodER because: (no reason given)
edit on 4/3/13 by XPLodER because: (no reason given)
edit on 4/3/13 by XPLodER because: (no reason given)



posted on Mar, 4 2013 @ 08:49 PM
link   
reply to post by XPLodER
 




it is possible for Mega to grab a copy of the users encryption key, without the users knowledge.


i have not seen anyone say that before, is that opinion or fact?



While Mega uses Javascript to perform all the client side scripting it is a fact. The Javascript is reloaded every time you visit the site so while Mega may not take a copy of your key today, there are no technological hurdles to stop them taking it tomorrow. Only the trust that is placed in the site helps prevent this, but could come under a lot of political and legal pressure depending on who uses the site and what watch list they are on. It is feasible with the central management facility that different Javascript versions are provided to different members, ones that copy keys and ones that don't. Until a more secure client side scripting service is used there is a risk.

It is possible for you to see the source code each time you access the site and work out what is going on. But it does take quite a lot of effort and depending on how much Javascript is used can become quite messy. If it is discovered that keys are being copied, at least for some accounts there will be a big public backlash. If Mega refuses to play ball with the authorities then their servers could get shut down. It is quite an interesting position Mega is getting itself into and quite likely make headlines one way or another.



posted on Mar, 4 2013 @ 11:24 PM
link   

While Mega uses Javascript to perform all the client side scripting it is a fact. The Javascript is reloaded every time you visit the site so while Mega may not take a copy of your key today, there are no technological hurdles to stop them taking it tomorrow. Only the trust that is placed in the site helps prevent this, but could come under a lot of political and legal pressure depending on who uses the site and what watch list they are on. It is feasible with the central management facility that different Javascript versions are provided to different members, ones that copy keys and ones that don't. Until a more secure client side scripting service is used there is a risk.


ok so this is why some people think, the fast update mechanism is a bad sign.......
i was only looking at it from a threat/response time frame, point of view the faster you can respond to new threats the better

the very thing that makes it more secure over time against zero hour threats, also forces the user to increase their trust level interesting............



It is possible for you to see the source code each time you access the site and work out what is going on. But it does take quite a lot of effort and depending on how much Javascript is used can become quite messy.


i have taken a look but i dont have the skills to understand most of it

i am now learning _javascript and never realised how abstracted it is from binary


If it is discovered that keys are being copied, at least for some accounts there will be a big public backlash. If Mega refuses to play ball with the authorities then their servers could get shut down. It is quite an interesting position Mega is getting itself into and quite likely make headlines one way or another.


i hope they supply the "white label" software to us universities, so that people can asses the code and review
there approach. if it is as novel as i suspect it is, there will be no liability on mega,

i would expect mega to follow the law as much as possible while being unable to give up users as much as
possible.

that said the terms and conditions are very clear,
any court ordered warrant, or order that is lawful


Information and Privacy

43. We reserve the right to disclose data and other information as required by law.


IMHO it clear that mega.co.nz is lawful and wants to stay that way,
and that anyone breaking the law and drawing attention to mega with lawful court orders
is just asking to have there details handed to the authorities.
as there really is no choice if the service is to prosper.

xploder






edit on 4/3/13 by XPLodER because: (no reason given)



posted on Mar, 5 2013 @ 01:20 AM
link   
reply to post by XPLodER
 


The main recourse Mega has to preserve its ability to legally maintain all encryption processes is to undertake some legal shopping to find a jurisdiction that is more favorable of the privacy issues and place all of their servers there. DNS withdrawal and financial account closures as with wikileaks could still be one option available to the US if there is a strong desire to get into the systems as well as other challenges through international law.

If Mega has invested quite a large legal undertaking into their systems then any source code provided for review may have some non disclosure aspects tied to certain functions, which would be withheld as external review processes where undertaken. Only with administrator access to their servers can there be certainty as to what code is being used, something that is not expected due to many security implications. But if most of the source code is released and gets good reviews then other similar services could also be quickly established without all the public attention that is on Mega. There are still confidentiality and Intellectual Property issues with this, but a possibility.



posted on Mar, 5 2013 @ 12:17 PM
link   

Originally posted by kwakakev
reply to post by XPLodER
 


The main recourse Mega has to preserve its ability to legally maintain all encryption processes is to undertake some legal shopping to find a jurisdiction that is more favorable of the privacy issues and place all of their servers there. DNS withdrawal and financial account closures as with wikileaks could still be one option available to the US if there is a strong desire to get into the systems as well as other challenges through international law.


No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence. Everyone has the right to the protection of the law against such interference.

Universal Declaration of Human Rights, Article 12
any signatory to the human rights convention would do as this is about legally defined privacy

alas the USA is NOT a signatory


If Mega has invested quite a large legal undertaking into their systems then any source code provided for review may have some non disclosure aspects tied to certain functions, which would be withheld as external review processes where undertaken. Only with administrator access to their servers can there be certainty as to what code is being used, something that is not expected due to many security implications. But if most of the source code is released and gets good reviews then other similar services could also be quickly established without all the public attention that is on Mega. There are still confidentiality and Intellectual Property issues with this, but a possibility.


it is my hope that the entire source code is released to the us universities, under a non disclosure agreement,
and that they adopt the system for use for their students.

with the intellectual property and competition concerns i can understand "why" the source code has not been "open sourced" for review by the crypto community. but i think the professor community could comment on their behalf.


it could save alot of money for universities.

xploder



posted on Mar, 5 2013 @ 12:26 PM
link   
reply to post by kwakakev
 


the market for privacy is the new focus for many start ups,
in fact even the "big boys" of the web have taken notice,


During a panel at the RSA Conference, a security-focused industry gathering here last week, Brendon Lynch, chief privacy officer at Microsoft, declared that companies like his had come to appreciate the "market forces at play with privacy "It's not just privacy advocates and regulators pushing," Mr. Lynch said. "Increasingly, people are concerned more about privacy as technology intersects their life."."



"What does privacy mean?" Facebook's chief privacy officer, Erin Egan, asked at the RSA Conference. "It's understanding what happens to your data and having the ability to control it."



Whether Internet users are ready to pay to protect their personal data is unclear, though surveys have repeatedly pointed to consumer anxiety.

In a national survey last year, Forrester Research found that one in three consumers were concerned about companies having access to their behavioral data. More than 40 percent said they had stopped short of completing a transaction on a Web site because of something they read in a privacy policy.

Consumer trust is an increasingly vital commodity for Web companies, said Fatemeh Khatibloo, a Forrester analyst. "There's enough market traction and momentum from the consumer side and the business side to drive this forward," Ms. Khatibloo said.


NY Times

the market analysis is clear, the more people know about their lack of privacy, the more they look for companies that activly develop technology to safe guard their privacy,

this transforms them for the "product"
to a "private client"

many companies could find themselves on the wrong side of the privacy debate if they dont recognise that consumer demand has reached an inflection point.

xploder



posted on Mar, 7 2013 @ 12:05 AM
link   
reply to post by XPLodER
 


Market forces are very much a strong driver in the direction that technology takes as there are many different competing interests within the range of human behavior and how this is expressed online. As human nature can have quite an aggressive and deceptive edge to it, the demand for online protection and privacy is a growing market.

One important sector to watch here is the Open Source community. This model of development does have some limitations compared to the proprietary sector. In terms of being able to establish stronger levels of trust and review through public exposure and support of its code base the resulting package can be very strong and highly tuned towards its specific aims. The core browser engine of Mozilla Firefox and Google Chrome is one of many examples. KeePass is another if you are looking for a way to maintain all your passwords. As for what other options are available for online encrypted storage I am not sure, but something that is worth taking your time and research if it is a service you require.





new topics
top topics
 
1
<< 1   >>

log in

join