[Q] Diceware password size

Daniel Carrera dcarrera@math.umd.edu
Tue May 27 23:54:02 2003

Thanks for the info.  It's good to be aware of possible avenues of
attack.

What precautions would you suggest be used to protect one's data?

I mean, if it's so easy to grab the passphrase as you say it is, why
bother with GnuPG at all?

I can't protect from a hired thief breaking into my home/office and
attaching a key-logger to my keyboard.  Perhaps I can protect from the
software-based attacks.  I already use Unix/Linux where viruses and worms
are less common, and I don't generally install software from unknown
sources.

What advice would you offer?

Thanks for the help.
Daniel.

On Tue, May 27, 2003 at 03:56:54PM -0500, Ryan Malayter wrote:
> From: Daniel Carrera [mailto:dcarrera@math.umd.edu]
> >If I make sure that breaking my passphrase is
> >harder than putting a key-logger, all I have to
> >make sure is that putting a key-logger is more
> >expensive than the value of my data.
>
> This is going to be very hard for you to do. Almost every OS can be
> remotely compromised by a skilled hacker if you allow any connections
> from the Internet at all. There is undoubtedly a buffer overflow
> somewhere in the service you use. The "hack this box" contests security
> companies use to show off their wares routinely end in hours.
>
> A foreign attacker could easily bribe a local thief to break into your
> house for a few hundred dollars. They could write a virus, worm, patch,
> or game that includes a keystroke logger that you unwittingly install
> yourself. You may say, "I only use open-source software", but do you
> review each line of code yourself, or simply trust the PGP signature on
> the package came from someone trustworthy? Putting a keystroke logging
> program into your machine in this way is not too expensive or difficult
> for an organization with the right skills; the recent file-sharing
> viruses actually do this.
>
> This is why *really* secure systems need to be on isolated networks in
> extremely physically secure locations. The U.S. Department of Defense,
> CIA, FBI, and NSA, Britain's MI5, Russia's CSR, and the Israeli Mossad
> are probably still the leaders in this area.
>
> Regards,
> 	-ryan-

-- 
Daniel Carrera         | OpenPGP fingerprint:
Graduate TA, Math Dept | 6643 8C8B 3522 66CB D16C D779 2FDD 7DAC 9AF7 7A88
UMD  (301) 405-5137    | http://www.math.umd.edu/~dcarrera/pgp.html