It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Thank you.
Some features of ATS will be disabled while you continue to use an ad-blocker.
Originally posted by Maxatoria
The real problem is securing both ends of the communication from things like keyloggers etc
and if you get control of the other end you can just read the decoded data anyway making the whole encryption of the data stream a waste of time
Then i can see the client server nature of the operation as possibly troublesome as the servers will have to instantly have to update to new versions at the same time so as not to get version mismatches where you connect to server A with version 10.1 and do something with server B on 10.2 so there would be a need to support multiple versions
Originally posted by Maxatoria
Given that some sort of software will need to be pushed to the browser somehow the protection on this point of failure would be the most important
as if i have root access on the server i could recompile the client parts required and give them a new client number so they can be updated
and in theory i've got a screen grabber/mouse tracker/key logger piece of code
or if i'm really idle i just slap a few lines of code in
just to pass the password/private key which are both held in memory at relevant points in the clients memory and slap then down the encrypted path where they'll be decoded and slapped into a text file ready for harvesting as my altered copy of the server code will look for certain code patterns to know the next x bytes are the password and then the next y are the private key
In a perfect world the system would provide a very secure end to end transport mechanism but without absolute control and security of both ends its very open to abuse
and even if everything has to be signed off by some organization then what happens should they get hacked and the private keys get released
Originally posted by Maxatoria
The truth is that if i was so interested in your data stream i'd probably be a government agent and at that point there would probably be a court order allowing me access to the server side or possibly even allow me to enter a property to slap a key logger onto the system and its game over and for those who are in it for more profitable concerns just inverting the bitstream would probably be enough to put them off never mind 1000's of cpu cycles of encoding/decoding a stream of data that may just be you posting another cat photo onto facebook etc
But there is very much an audience that does want to make sure there online backups are secure and accept responsibility for this. To store a back up copy of my business records on line is a great example and use of UCE. It helps fulfill my tax obligations by providing insurance in case my house get taken out by flood or fire and destroys all my onsite equipment and records as well as defending against corporate espionage as there is money in business secrets.
As Mega uses this model and continues off its public reputation, pirates will continue to use the site to share material with sharing keys now another part of the process. As databases of the keys and material become more public then the copyright enforces will start to step in again as the games go on.
By storing hashes of the password, this is a form of UCE. As website administrator or hacker it is extremely difficult, highly computational and time expensive to find out what the password is. As administrator, the best that can be done is to reset it if the user forgets it. If you are concerned about the strength of hashing then adding a SALT to it can improve the resilience, which basically expands the password length.
"Another online company has had its security compromised. Today Evernote posted on their blog that they're issuing a service-wide password reset because of suspicious activity on their network. They say an unknown intruder gained access to usernames, email address, and encrypted passwords. Even though the passwords were hashed and salted, they're doing the password reset as a precautionary measure. Nevertheless, it's a good reminder to keep a close eye on who you keep your data with in the cloud. Nothing is totally secure; it's always a compromise between security and convenience."
the crypto hash (fingerprint) of the program is sent to the web browser and checked against what was downloaded to ensure the program was not tampered with.
Originally posted by Maxatoria
reply to post by XPLodER
Absolute security will never be achievable
so there is always a compromise and its where those compromises are made that will possibly allow people into the system,
having done helldesk support i can tell you that some people couldn't remember their password even if it was their first name so any system like UCE for them would be a waste of time.
Many crypto hashes have some kind of relatively infrequent collision, probably not an issue for applications like authenticating internet payments etc. but for serious applications such as NWO league communications you would not want any chance of ambiguity.
Back during WW1 the PTB were using a shared transatlantic cable (dumb pipe) to communicate. Obviously securing their communications would have been of paramount concern. The British end of the cable near Lands end had the capability to eavesdrop, and a cryptographic unit known as "Room 40" of the Admiralty Headquarters attempted to sort the coded messages. Apparently the Germans were using a simple Pseudo Random Number generator to salt some of their messages, EG "code 0075". Looked fairly effective by 1914 standards, as long as the PRNG algorithm was not compromised or reused to salt multiple cables.
The Germans however by necessity reused the same salt algorithms. For example they did not replace codes captured on the cruiser Magdeburg when it ran aground off the Estonian coast in August 1914? Perhaps this was because the lack of a secure channel prevented key distribution, or the large number of intended recipients for coded messages made such a venture complicated.
Now to stay on topic we fast forward to dumb pipes and smart crypto in the age of the internet. We realize any and all content could be intercepted and analyzed by a modern day "room 40". Obviously we should know our limits and not expect much private communication, we are after all just monkeys in the ATS zoo.
Originally posted by Maxatoria
The dumb pipe method can just be recorded and worked on afterwards and as there is no change to the data stream it will be easy to use wireshark or something similar to record the data stream from a mid point should you decide to brute force an attack (some one with a few billion years or a very lucky guess on the keys needed)
and as for using pictures to help people remember stuff in a corporate environment you just probably increased the use of "big boobs" as a password by using some topless model stuck to the side of a monitor in the warehouse