Active Topics

 


Page 3 of 3 12 3
Reply
Thread Tools
smoothc is offline smoothc
2010-10-29 , 09:36
Posts: 80 | Thanked: 45 times | Joined on Mar 2010
#21
Originally Posted by lma View Post
the (really weak) device lock code
What? Why do you say so? I thought if you wanted to reset the lock code all the data would be erased.
 
dchky's Avatar
dchky is offline dchky
2010-10-29 , 09:45
Posts: 549 | Thanked: 299 times | Joined on Jun 2010 @ Australian in the Philippines
#22
Originally Posted by lma View Post
If you think root privileges can bypass everything, then

Code:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.10 (GNU/Linux)

hIwDAAAAAAAAAAABA/0Qt/YgWTEfXfB3hwNc5IqiL3lIaDU0Iqw5tWG9M4/b59Sp
d+cO8c4COL18+xSPjvp7mVJ4/wsZWPq0B3ujmvm2hMPpX4DeUWR1klB3+kBqyKyg
Hb9GcDhqdiu+eEKH95zr8rc/NxuVAPtc5x1/3h5p5/o0w6aFz+DXgBVNelnedYUC
DgMAAAAAAAAAABAH/07UepgQKfPVsMeJfxRTDfdkxKHmuCP8j9dDBOjhNQTteiiN
XB+lhLoYjjeXM/EYMlpzuGSWdQ54TIfz6Q3Gh9Wqs0TU6R9eSsl9RjeLeSELkXp1
r+fXu0xpVHJdRciVJ9zn+a0s3LZosxXT9Ub8TaNORJ1hF813ncHT/NxuQM259ao6
SRgPXDKv2L0Qzv6Tdvi/caa47cpNxVNYUbfPtCQW15yAVfofKcsn3Kweq8wIvNzg
PJ3s6mIbPuo09SeVS3SFwf37wuSElqdtrciu0aSDpR3IyTOjR4+Ak2ifpK4TFhVP
H8Cz7rMfg3actFpEip2UUi7JgkOXfD3qNefCcE8H/1WlqzOmVE945H+EzhrZS6iQ
B1vkdcNsgUKcI+JSM6arswm8MNcBeBOq34Yx0G7qiEMA8gLQx2qi5aKb4+foPd7X
39fuJ4mVhSKc1v7mtciGfdwbwjySayFXWFT7+T2b5jrX0WSir1kx1128QCDGkJNn
KTfoQiCB8BSUWXUhtGuPJY6YOnlOQaOnw8GyEPV1+kOrtsd5NNS9xQKrHUzI+dnj
eMDVZTJCmK/7NLtwiiB22TuMGqr7sLVUC0Jo5vRMpWk7nDbpiuerWwMlyQC6yf0/
zy2OxlzUjhmi6UmNaozEFH2DiLL5Jt4hv5iJXSk5kQacPF6BfWyMzyFKGKiYwqnS
UgHM9pwP3BO0hLyYCPZS5AC6VoWoguZYdGcnJycNveFkvT0mmdpZDD5uxA+7Tfyl
Ow4sNv0QqAb0OtX83A9bzZ7IOSAFCY9wCqvvsk/o/xKnE5s=
=ECnd
-----END PGP MESSAGE-----
If you were an interesting target any half decent 3 letter agency is going to be monitoring the message recipients along with traffic analysis that soaks up your contact associations many levels deep - as well as all their chatter. If you were a really interesting target, then someone will pick through your trash and watch everything you do, everything your associates do, their trash as well.

You might be great at keeping secrets, but trust me when I say the vast majority of humans are terrible at it.

I'm an ex military scope goat and secret 3 letter agency drone, even when people are trained to keep compartmented TS stuff secret, we are still human on the inside and have the same failings.

Encryption is only a tiny part of the bigger picture - if you haven't secured the rest of the jigsaw you might as well not encrypt anything.
 
lma is offline lma
2010-10-29 , 09:55
Posts: 2,802 | Thanked: 4,491 times | Joined on Nov 2007
#23
Originally Posted by smoothc View Post
What? Why do you say so?
As an encryption passphrase, a 5-8 digit long numeric-only string is useless (it can be brute-forced easily).

I thought if you wanted to reset the lock code all the data would be erased.
That's a different discussion, but no. There are many threads here describing how to discover/reset the lock code, just search for them.
 

The Following 2 Users Say Thank You to lma For This Useful Post:
lma is offline lma
2010-10-29 , 09:59
Posts: 2,802 | Thanked: 4,491 times | Joined on Nov 2007
#24
Originally Posted by dchky View Post
If you were an interesting target any half decent 3 letter agency [...]
Sure, but the threat model we are discussing here is rather more modest. Most people just want to keep their private data private when they lose their device, leave it unattended for 5 minutes etc. People who worry about 3 letter agencies probably shouldn't be using a phone to store sensitive data in the first place ;-)
 

The Following User Says Thank You to lma For This Useful Post:
juise-'s Avatar
juise- is offline juise-
2010-10-29 , 10:14
Posts: 186 | Thanked: 192 times | Joined on Jan 2010 @ Finland
#25
Originally Posted by dchky View Post
so ask yourself, are you really going to type in 64+ characters or whatever your pass phrase happens to be, every time you want email?
Here's some entropy counts for different password lengths, assuming [0-9A-Za-z] 62 character alphabet, and brute force times (assuming 1ns/attempt, which is quite fast unless you go distributed):

8 characters: 47 bits, 1 day
10 characters: 59 bits, 4857 days
12 characters: 71 bits, 18670525 days =~ 50000 years.
14 characters: 83 bits, ~20 million years.

So, strong passwords don't have to be inpractically long, provided that the password is not guessable.

Originally Posted by dchky View Post
Alternatively you could just go web based and keep your mail server locked in a concrete box in your basement...
This still faces the same issue of having to type your password in every time. Unless you store the password on the device...

Originally Posted by dchky View Post
I'm an ex military scope goat and secret 3 letter agency drone, even when people are trained to keep compartmented TS stuff secret, we are still human on the inside and have the same failings.
Yes, most passwords start to fail when the secret keeper is pointed with a weapon.
__________________
Trout have underwater weapons.
Last edited by juise-; 2010-10-29 at 10:20.
 
dchky's Avatar
dchky is offline dchky
2010-10-29 , 11:08
Posts: 549 | Thanked: 299 times | Joined on Jun 2010 @ Australian in the Philippines
#26
Originally Posted by lma View Post
Sure, but the threat model we are discussing here is rather more modest. Most people just want to keep their private data private when they lose their device, leave it unattended for 5 minutes etc. People who worry about 3 letter agencies probably shouldn't be using a phone to store sensitive data in the first place ;-)
Right you are :-)

From a more modest perspective I think a better option would be SMSCON - as soon as you notice your phone is lost, send it a kill signal - have the kill signal also trigger on things a thief is likely to do - swapping sim card, opening up certain applications and so on.
 
Pluto is offline Pluto
2010-10-29 , 18:58
Posts: 8 | Thanked: 0 times | Joined on Oct 2010
#27
I think we might be straying away from the real issue. The issue is not whether the N900 is a secure device or not, the issue is with applications themselves. It doesn’t matter whether you run the app on a mobile computer, a smart phone, a laptop or a PC, what matters is the app shouldn’t be storing or caching such sensitive information in plain text, specially without the user knowledge or any control to disable/enable.

I am not talking here about a hacker getting a hold of the device and try to break any sort of encryption, that’s a different story all together, I am talking about ordinary users who can simply use any text viewer and instantly have access to sensitive info without any computer savvy experience. It doesn’t matter what device this stuff is on.

Bottom line is apps should not be storing sensitive info in plain text. It is a no no, plain and simple and is a security guideline in any development framework.
 
michaelxy is offline michaelxy
2010-10-29 , 19:10
Posts: 64 | Thanked: 24 times | Joined on Aug 2007 @ Germany ...
#28
The N900 does not have the security Level of a symbian s60 device - without "hacks" like truecrypt etc. Plaint Text Passwords are a bad joke in every way. Of you want security, you have it to make it yourself - on your n900

But allmost every Mail-Client will store Mails in 0815-Text files - this is normal: NORMAL.
 
javispedro's Avatar
javispedro is offline javispedro
2010-10-30 , 03:50
Posts: 2,355 | Thanked: 5,249 times | Joined on Jan 2009 @ Barcelona
#29
Please, don't make us throw again the same tired arguments against plain text passwords again and read the thread I quoted on the previous page.
 
michaelxy is offline michaelxy
2010-10-30 , 19:11
Posts: 64 | Thanked: 24 times | Joined on Aug 2007 @ Germany ...
#30
Security Flaws can not be mentioned often enough. But it can also be a feature - so other people must reply to hundreds of mails in my own inbox
 
Reply
Page 3 of 3 12 3

« Previous Thread | Next Thread »

 
Forum Jump


All times are GMT. The time now is 19:43.

Contact Us - Home - Archive - Top