We've Moved! Visit our NEW FORUM to join the latest discussions. This is an archive of our previous conversations...

You can find the login page for the old forum here.
CHATPRIVACYDONATELOGINREGISTER
DMT-Nexus
FAQWIKIHEALTH & SAFETYARTATTITUDEACTIVE TOPICS
Very good password article...and question Options
 
SWIMfriend
#1 Posted : 11/10/2012 10:02:30 PM

DMT-Nexus member

Senior Member

Posts: 1695
Joined: 04-May-2009
Last visit: 11-Jul-2020
Location: US
Here's the article. It includes nice advice on how to have passwords that even YOU don't know--and how to use them in a way that helps avoid keystroke recorders.

Which brings up a question: Suppose one wanted to make a random password--a long string of random characters plucked on a keyboard. That's a good password, but it COULD conceivably be recorded by a keystroke recorder WHEN you're creating it (I will say, the idea of keystroke recorders frightens me most regarding computer security--and their use is not unknown among some LE departments).

So, what would happen if you created such a password, and then used your mouse to select and overwrite (again, randomly) random parts/characters of the password--and did that over and over in a random fashion? You would have a random password, with random characters, over-written repeatedly in random portions, by more random characters, a random number of times...

Would that foil keystroke recorders, because they would have no way to know which characters or text you selected for overwrite using your mouse?
 

STS is a community for people interested in growing, preserving and researching botanical species, particularly those with remarkable therapeutic and/or psychoactive properties.
 
ntwhtyouknw
#2 Posted : 11/10/2012 10:57:48 PM

You do not have to see alike, feel alike or even think alike in order spiritually to be alike


Posts: 703
Joined: 24-Aug-2011
Last visit: 10-Jul-2014
Location: USA
Sounds plausible, but are you asking out of curiosity or are you paranoid about it?
Toadfreak!

Travel like a king
Listen to the inner voice
A higher wisdom is at work for you
Conquering the stumbling blocks come easier
When the conqueror is in tune with the infinite
Every ending is a new beginning
Life is an endless unfoldment
Change your mind, and you change your relation to time
Free your mind and the rest will follow
 
cyb
#3 Posted : 11/10/2012 11:01:25 PM

DMT-Nexus member

Moderator | Skills: Digi-Art, DTP, Optical tester, Mechanic, CarpenterSenior Member | Skills: Digi-Art, DTP, Optical tester, Mechanic, Carpenter

Posts: 3574
Joined: 18-Apr-2012
Last visit: 05-Feb-2024
SWIMfriend wrote:
foil keystroke recorders


Voice control would do it...
Please do not PM tek related questions
Reserve the right to change your mind at any given moment.
 
SWIMfriend
#4 Posted : 11/11/2012 12:38:11 AM

DMT-Nexus member

Senior Member

Posts: 1695
Joined: 04-May-2009
Last visit: 11-Jul-2020
Location: US
My problem with security is an epistemological one: it's easy to read an article and study a topic and "know what you know." But in the area of security it's not always easy to know what you DON'T know--and of course, it's what you don't know that represents a security danger to you.

So, I try to think about such things more or less as an intellectual exercise.

The article I linked to recommends storing your complex password in a secure place, and then copying and pasting, rather than typing it, in order to foil the problem of keystroke logging. The problem is that you would have to type to SET UP those passwords originally...and, you would probably have to type a password in order to unlock the security that protects the place your keep your passwords!

My idea was that this would be easy to get around if the keystroke logger could ONLY log keystrokes--and nothing else. You could write and overwrite a password field, using the mouse to locate your changes, and it would be essentially impossible to decode your passwords from a mere record of keystrokes--because it would be impossible to tell which strokes "counted," and WHERE those strokes resided within the password.

But I have zero experience with ACTUAL security issues: I was hoping someone had enough experience to determine whether my idea was reasonable or not. If keystroke loggers also recorded all mouse positions, clicks, and selections, then virtually everything you did on your computer could be "decoded" to determine what you were up to.


This suggests another question: If one used a linux-based operating system on an encrypted memory stick for sensitive applications and browsing, then it would seem likely one could go a long way toward avoiding software logging--especially if one regularly re-loaded such operating systems and changed one's passwords. In that case (I think--I'd like an expert opinion) you would really only have to worry about hardware keystroke loggers--and I would suspect those would probably NOT also record mouse data (which, really, if I understand it correctly, would only be expected to reside in software--and not the hardware of the mouse itself.
 
a1pha
#5 Posted : 11/11/2012 12:44:56 AM


Moderator | Skills: Master hacker!

Posts: 3830
Joined: 12-Feb-2009
Last visit: 08-Feb-2024
SWIMfriend - Have you looked into One Time Passwords (OTP)? I've been testing this method for a few years now and while it has a few flaws it aims to solve the keylogger problem (and some other issues) you describe.

https://www.yubico.com/
https://www.yubico.com/d...tware/validation-server/

This topic is of great interest to me and I will respond a bit more on this later. For now, I wanted to share this resource and get the gears turning.
"Facts do not cease to exist because they are ignored." -A.Huxley
 
SWIMfriend
#6 Posted : 11/11/2012 12:47:51 AM

DMT-Nexus member

Senior Member

Posts: 1695
Joined: 04-May-2009
Last visit: 11-Jul-2020
Location: US
The wikipedia article on keystroke logging seems quite informative. An interesting thing it talks about is network monitoring -- which seems like a potentially very useful thing for anyone to have.

That's the problem with all this: the more you learn, the more you realize what you DON'T know...lol.
 
SWIMfriend
#7 Posted : 11/11/2012 12:55:37 AM

DMT-Nexus member

Senior Member

Posts: 1695
Joined: 04-May-2009
Last visit: 11-Jul-2020
Location: US
a1pha wrote:
SWIMfriend - Have you looked into One Time Passwords (OTP)? I've been testing this method for a few years now and while it has a few flaws it aims to solve the keylogger problem (and some other issues) you describe.

https://www.yubico.com/
https://www.yubico.com/d...tware/validation-server/

This topic is of great interest to me and I will respond a bit more on this later. For now, I wanted to share this resource and get the gears turning.


This does look very cool indeed. Two things, though:

1) (Geez, maybe I'm paranoid. The fact is that I have UTTERLY NO REASON to believe that anyone should be interested in spying on me--however, as I gain interest in perhaps generating...ahem...lifetime supplies...just as b*rk issues are becoming inflamed, I'd like to think about COMPLETELY RE-DOING my computer and system, and starting all again with hyper-vigilant security awareness--including new ISP, etc.) but....problem #1: Whenever I deal with a second party I have to ask the question "How do I know they can be trusted? If I were a high-level government agency the FIRST THING I'd think of would be to start a company that many people might think of as a "security company," and then backdoor the pants off it. (like, for example, a VPN--or tor, which was FINANCED by government, no? For all I know tor stuff goes STRAIGHT to government servers!)

2) I am interested in password issues, but it's really keyloggers GENERALLY that I'd like to be able to thwart, if possible.
 
a1pha
#8 Posted : 11/11/2012 12:58:33 AM


Moderator | Skills: Master hacker!

Posts: 3830
Joined: 12-Feb-2009
Last visit: 08-Feb-2024
SWIMfriend wrote:
"How do I know they can be trusted? If I were a high-level government agency the FIRST THING I'd think of would be to start a company that many people might think of as a "security company," and then backdoor the pants off it. (like, for example, a VPN--or tor, which was FINANCED by government, no? For all I know tor stuff goes STRAIGHT to government servers!)

Take a look under the developer section of the site. They offer ALL the code as open-source packages. For the extra-paranoid you can run your own validation server. Take a look at the APIs and PDF documentation...

I'll expand on this more when I don't have a headache after a day of redoing my own systems for the exact same things you describe. After playing with Windows some it's back to Linux!
"Facts do not cease to exist because they are ignored." -A.Huxley
 
SWIMfriend
#9 Posted : 11/11/2012 1:04:47 AM

DMT-Nexus member

Senior Member

Posts: 1695
Joined: 04-May-2009
Last visit: 11-Jul-2020
Location: US
Right. I do feel good about open source stuff--another reason I like what TrueCrypt represents.
 
cyb
#10 Posted : 11/11/2012 7:00:36 AM

DMT-Nexus member

Moderator | Skills: Digi-Art, DTP, Optical tester, Mechanic, CarpenterSenior Member | Skills: Digi-Art, DTP, Optical tester, Mechanic, Carpenter

Posts: 3574
Joined: 18-Apr-2012
Last visit: 05-Feb-2024
I've been interested in security for a long while now too.

If you use use windows onscreen keyboard, it uses mouse clicks and no keyboard strokes are stored.
Start > All Programs > Accessories > Ease of access > On-Screen Keyboard

Also the use of 'Auto Form Filling' can have similar benefits...

This was also interesting, copy pasted from another forum:
I used to keylog people all the time, so i'll give you some tips from experience. The keylogger can be made undetectable very easily, especially from commercial software like Norton, Avast, etc. through packaging/binding them with special rootkits.

Anyways, it tracks keystrokes, but not copy and pastes. So i'd suggest if you know you're logged and you NEED to enter a CC # for some reason, here is what you do:

Open notepad, have credit card number handy, and make a pattern you recognize only. Maybe if your # was 1892 (first 4 digits as an example), then you'd make it so you can type random numbers, but every 6th digit is a number. So it'd be 29384110202818279911183228374 etc. and then simply copy and paste the number. It will be nearly impossible for anyone to figure that out.
Please do not PM tek related questions
Reserve the right to change your mind at any given moment.
 
SWIMfriend
#11 Posted : 11/11/2012 7:39:44 AM

DMT-Nexus member

Senior Member

Posts: 1695
Joined: 04-May-2009
Last visit: 11-Jul-2020
Location: US
*I will infer then that most people interested in keystroke logging DO NOT utilize capacity to also log mouse data--so that opens a lot of possibilities for safety, including my original ideas.
 
Shaolin
#12 Posted : 11/11/2012 8:06:04 AM

Stiletto Stoner

Moderator

Posts: 1132
Joined: 18-Nov-2008
Last visit: 15-Mar-2015
Location: Blazin'
Advanced keyloggers work with clipboard and also take screenshots of the screen so virtual keyboard in not that useful.

And it gets worse - TEMPEST
https://www.youtube.com/watch?v=B05wPomCjEY
https://www.youtube.com/watch?v=ozl8_8wzEVI

About here Tor and the military, here is a comment from Michael Reed, one of the original designers of Tor.

Quote:

BINGO, we have a winner! The original *QUESTION* posed that led to the invention of Onion Routing was, "Can we build a system that allows for bi-directional communications over the Internet where the source and destination cannot be determined by a mid-point?" The *PURPOSE* was for DoD / Intelligence usage (open source intelligence gathering, covering of forward deployed assets, whatever). Not helping dissidents in repressive countries. Not assisting criminals in covering their electronic tracks. Not helping bit-torrent users avoid MPAA/RIAA prosecution. Not giving a 10 year old a way to bypass an anti-porn filter. Of course, we knew those would be other unavoidable uses for the technology, but that was immaterial to the problem at hand we were trying to solve (and if those uses were going to give us more cover traffic to better hide what we wanted to use the network for, all the better...I once told a flag officer that much to his chagrin). I should know, I was the recipient of that question from David, and Paul was brought into the mix a few days later after I had sketched out a basic (flawed) design for the original Onion Routing.

The short answer to your question of "Why would the government do this?" is because it is in the best interests of some parts of the government to have this capability...


https://lists.torproject...k/2011-March/019898.html
https://lists.torproject...k/2011-March/019913.html

To put things in perspective, ARPANET was funded by United States Department of Defense and National Christian Foundation funded Tor too. Can I get "Jesus owns all the nodes!" Very happy
https://www.torproject.org/about/sponsors.html.en


I am pretty surprised that article did not mention KeePass which is, in my experience, kind of a standard password manager recommendation.

"But consider yourself warned: Mr. Kocher said he did not use the software because even with encryption, it still lived on the computer itself. “If someone steals my computer, I’ve lost my passwords.”

Offline backup of the password manager data is always recommended.

"Mr. Grossman said he did not trust the software because he didn’t write it"

Source code is usually available if one is proficient enough in such matters.

"Indeed, at a security conference in Amsterdam earlier this year, hackers demonstrated how easily the cryptography used by many popular mobile password managers could be cracked."

The paper deals with analysis of password manager software. They have shown some poor designs of some software but that is pretty much it. I would not avoid using reputable password managers due to this analysis.

http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf

For a nonFBI threat level, I recommend using full disk encryption, password managers (KeePassX or Password Safe) and long phrases with addition of random characters - "I love Nexus so much it's not even funny ieg56Hh".

http://www.guardian.co.u...ov/13/internet-passwords
https://www.schneier.com...9/recent_developm_1.html
Got GVG ? Mhm. Got DMT ?

Pandora wrote:
Nexus enjoys cutting edge and ongoing superior programming skills of the owner of this site (The Traveler), including recent switching to the .me domain name.


I'm still, I'm still Jenny from the block

Simon Jester wrote:
"WTF n00b, buy the $100 vapor pipe or GTFO"


Ignorance of the law does not protect you from prosecution
 
cyb
#13 Posted : 11/11/2012 8:28:22 AM

DMT-Nexus member

Moderator | Skills: Digi-Art, DTP, Optical tester, Mechanic, CarpenterSenior Member | Skills: Digi-Art, DTP, Optical tester, Mechanic, Carpenter

Posts: 3574
Joined: 18-Apr-2012
Last visit: 05-Feb-2024
It appears that even if an intelligence is great enough to devise decent security...there will always be a way to reverse-engineer and eventually render the security invalid. (virtual evolution in action)

I guess that the only True way to disclose sensitive information is to physically whisper it in to the recipients ear...Even then there is a trust issue.

I'ts a sad world...Big Bro is virtually omnipotent...Confused
Please do not PM tek related questions
Reserve the right to change your mind at any given moment.
 
 
Users browsing this forum
Guest

DMT-Nexus theme created by The Traveler
This page was generated in 0.033 seconds.