Author
|
Topic: Is Encryption this Difficult to Break?
|
|
Dave Williams
Wet nipple scene
Posts: 1836
From: Salt Lake City, UT, USA
Registered: Jan 2000
|
posted 06-23-2005 09:59 AM
It all depends on the encryption algorithms used. Most really good encryption takes about three weeks to bust. Most of the standard stuff is already broken by hackers, so even if you change the encryption keys, chances are you are open to attack through the back door and won't even know when it happens.
I tend to use the 128 bit encryption that is out there now for financial transactions on the net, and to cover my own stuff here at home, and I rotate the encryption key randomly to keep it fresh. However it is not perfect and is breakable. Luckily no one cares about little ol' me.
At work however, we use a proprietary encryption algorithm that is stronger than any government database. No one has ever been able to break it, and they have people constantly monitoring the incoming end, and others actually trying to break it, just to keep them on their toes.
So as for your friend's encryption, hard to say. Depends on what it is and if it has been beaten in the past in any significant way.
Ciao
| IP: Logged
|
|
Randy Stankey
Film God
Posts: 6539
From: Erie, Pennsylvania
Registered: Jun 99
|
posted 06-23-2005 12:09 PM
All depends on what encryption algorithm he used, how secure the passphrase is and how well he guards the passphrase.
1) Some algorithms are simple to crack, even with a laptop. Others (DES3 with a long key) can take weeks and weeks to crack even with a supercomputer even if they can be cracked at all.
2) Do you use a passphrase that anybody who knows you could guess? I use nonsense words for the passwords like "googoodoggy" that I don't want anybody to guess. (No, that's not one of my real passwords.) I think most people know the rules for making good passwords by now.
3) You could have the most secure password in the world but, if you write it down where anybody else could see it, you might as well just shout it from the rooftops.
If he really wants to keep his financial data secure the best way is to make sure nobody can even get access to the data in the first place, let alone decrypt it.
Go get an external hard drive and store all your sensitive data on there and nowhere else. At night when you finish your work shut the computer down, disconnect the drive and lock it up in a safe place like a fireproof safe.
Cripes! You can get a 1/2 decent external drive at Circuit City, et al., for $100 - $200.
Wanna' know the best way to keep people from finding out your secrets? Don't even admit that you HAVE secrets! If you tell people that you have sensitive information somebody's BOUND to get nosy and try to find out what you're hiding just for the principle of it! (Like putting up a "Wet Paint" sign, doncha' know!)
So, the best way to keep your data safe is to encrypt it with a good algorithm, use a good key, store it in a physically secure location and then shut up about it!
| IP: Logged
|
|
John Walsh
Film God
Posts: 2490
From: Connecticut, USA, Earth, Milky Way
Registered: Oct 1999
|
posted 06-24-2005 07:52 AM
My experience generally agrees with others here ... Louis' comment about time=security. There are a few free encryption programs, such as PGP (Pretty Good Privacy) from the famous RSA guys. As far as securing a regular person's personal financial data, almost anything would be good enough. I especially agree with Dave about publishing encryption algorithms. Everyone, from math professors to bored teenagers will beat on that algorithm. You couldn't buy that kind of testing.
Most entities dealing with US federal government, like banks, are required to use the DES encryption algorithm. There are many people (myself included) that feel there is a 'back door' in the DES algorithm. Of course, I don't have access to the algorithm, and my math sucks, but when I worked on an encryption system years ago I just got 'a feeling' about it.
| IP: Logged
|
|
Dave Williams
Wet nipple scene
Posts: 1836
From: Salt Lake City, UT, USA
Registered: Jan 2000
|
posted 06-24-2005 06:29 PM
quote: Dave Macaulay These are the unmistakeable words of a snake-oil salesman.
Well I never did say that we SELL encryption. In fact we don't sell anything that has much to do with computers at all, unless you use one of our products to purchase a computer.
Our "proprietary" only means that it was designed "IN HOUSE" and not by anyone else, and is constantly changed and rotated and updated, much like any government database, however we have not ever been broken into.
Yes the possibility exists that it could happen, but not likely. We have a very expert staff that handles that area 24 hours a day and is always looking for that.
Our database has been secure since the dawn of the database, and it is our most guarded precious item. No one has access to it from outside sources, we do not sell or transfer it to anyone, and only those with thorough background checks can access it. We are audited on EVERY KEYSTROKE we do, including this one, which is why I cannot speak officially for my firm, nor can I even state who I work for.
So as for the BS and Snake Oil, we don't sell either of that. We sell quality, convenience, success, and overall, um.... lots of goodies and things....
Ciao
| IP: Logged
|
|
|
Tao Yue
Expert Film Handler
Posts: 209
From: Princeton, NJ
Registered: Apr 2001
|
posted 06-24-2005 09:27 PM
quote: John Walsh
Most entities dealing with US federal government, like banks, are required to use the DES encryption algorithm. There are many people (myself included) that feel there is a 'back door' in the DES algorithm. Of course, I don't have access to the algorithm, and my math sucks, but when I worked on an encryption system years ago I just got 'a feeling' about it.
Actually, DES is so simple to break with the computing power available nowadays that anybody using a DES variant uses triple-DES.
There's a fun story in Bruce Schneier's book Applied Cryptography about DES. Back in the 1970s IBM was working on a proposed national standard for encryption called Lucifer, and sent it to the NSA for review. When it came back, they found that NSA actually approved a slightly different system. IBM ran their tests on modified-Lucifer and it was OK, so that was what became DES. The conspiracy theory is that the NSA took this opportunity to insert a back door.
DES is weak because computing power has caught up with it. The back door story is generally considered to be just a rumor, albeit more likely than most conspiracy theories due to NSA's secrecy.
| IP: Logged
|
|
Bobby Henderson
"Ask me about Trajan."
Posts: 10973
From: Lawton, OK, USA
Registered: Apr 2001
|
posted 06-24-2005 10:25 PM
I'm currently a bit disillusioned by encryption systems. Considering how so many millions of credit card numbers and bank accounts have been compromised either by outside hackers or thieves working on the inside, I feel our entire financial industry is highly vulnerable. It almost feels like a "Fight Club" style climax is due to hit.
Aside from broad sweeping feelings, I'm a little pissed about data encryption in regards to my day job, designing signs (as well as my freelance graphics work). I use the PDF format to allow customers to proof designs without the need of having an expensive graphics program installed on their machine.
In the past, I have taken a number of manual steps to protect the artwork. That involves converting vector-based logos into low-rez bitmaps and then pockmarking the bitmaps with repeating patterns and such. The method is effective at giving a big FU to any thieves looking to extract or autotrace any good artwork. But the process takes time. If you have a bunch of PDFs to make, then you can wind up spending a bunch of time creating anti-theft PDFs.
I recently purchased the new Adobe Creative Suite 2 Premium upgrade, which includes Acrobat 7 Professional. I figured this app and its security features would eliminate the need for all those steps to protect artwork I just described. Not really.
There's a couple utilities you can buy online for as little as $30 that will defeat the 40-bit and 128-bit encryption methods and password blocks used by Acrobat 7 Professional and Acrobat Distiller 7. The only security feature in Acrobat that stands up to these utilities is optional password block on opening the file. But if the user has the open file password, then all the other permissions topple like dominoes.
The situation pisses me off from the standpoint that customers, particularly sign customers in my day job, don't like overt security stuff hammering them in the face. It would seem easier to just have password blocks on being able to open the PDF in Illustrator or copy stuff to the clipboard.
In the end, I'm stuck with doing all my manual rasterizing crap to protect my vector art. But I'll still apply password permissions to those PDFs anyway. That way when some bastard runs the PDF through his crack utility to get the password, he'll think he will have accomplished something. Then he'll load the PDF into his stolen copy of Illustrator and get SHIT quality bitmaps instead of art he can take directly to a vinyl cutter.
| IP: Logged
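The permission settings discussed in the post above are stored in the PDF's encryption dictionary as a bit field (`/P`) that a viewer is expected to honour once the file is open. The following is an added example, not part of the original post or of any Adobe tool: it decodes that field so an author can see which restrictions on a proof PDF rest on those flags. The sample bytes and the function names are constructed for illustration.

```python
import re

# Permission bits in the /P entry of the standard security handler
# (bit positions are 1-based, counted from the low-order bit).
PERMISSION_BITS = {
    3: "print",
    4: "modify contents",
    5: "copy or extract text and graphics",
    6: "add or change annotations",
    9: "fill in form fields",
    10: "extract for accessibility",
    11: "assemble document",
    12: "print at full quality",
}

def find_permission_value(pdf_bytes):
    """Return the signed /P integer from the standard-handler encryption
    dictionary, or None if the file has no such dictionary."""
    for obj in pdf_bytes.split(b"endobj"):
        if re.search(rb"/Filter\s*/Standard\b", obj):
            m = re.search(rb"/P\s+(-?\d+)", obj)
            if m:
                return int(m.group(1))
    return None

def decode_permissions(p):
    """Map each permission name to True (allowed) or False (denied)."""
    bits = p & 0xFFFFFFFF  # /P is a signed 32-bit value
    return {name: bool(bits >> (pos - 1) & 1)
            for pos, name in PERMISSION_BITS.items()}

def audit(pdf_bytes):
    """List the operations denied by flag, or None if not encrypted."""
    p = find_permission_value(pdf_bytes)
    if p is None:
        return None
    return sorted(n for n, ok in decode_permissions(p).items() if not ok)

# Constructed sample: only the encryption dictionary of a proof PDF,
# with the /O and /U password-check strings left out for brevity.
SAMPLE = b"""5 0 obj
<< /Filter /Standard /V 2 /R 3 /Length 128 /P -1852 >>
endobj
trailer << /Root 1 0 R /Encrypt 5 0 R >>
"""

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print("restricted by flag only:", name)
```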
|
|
Mark J. Marshall
Film God
Posts: 3188
From: New Castle, DE, USA
Registered: Aug 2002
|
posted 06-25-2005 05:05 PM
quote: Dave Williams "proprietary" only means that it was designed "IN HOUSE" and not by anyone else, and is constantly changed and rotated and updated
quote: Dave Macaulay Security for a private database is not really a cryptography problem; it's a security matter. ... I would trust an established public cryptographic system way more than any in-house "secret" code.
Agreed 100%. If the algorithm is good enough, there's no need to keep changing it. Unless you're talking about rotating the keys to the encrypted database - which is actually not always a good idea. One of the ways to attack an encryption system is to start with multiple copies of the same data encrypted with different keys. Of course I'm guessing based on what you've said, and I know you can't say much more, so I'll just leave it as a guess.
quote: Paraphrasing from Applied Cryptography: If I lock a document in a safe, hide the safe in New York, and tell you to go find it, that's not security, that's obscurity. On the other hand, if I lock a document in a safe, then give you the safe, along with the schematics of the safe, and a hundred other identical safes along with their combinations so that you and the best locksmiths in the world can study the locking mechanism, and you still can't get to the document, THAT is security.
When choosing a reliable encryption system, one that uses published algorithms, which is also open source (like PGP) is the way to go. History has shown over and over again that "proprietary" closed source encryption systems generally end up being very weak. CSS comes to mind.
| IP: Logged
|
|
Dave Williams
Wet nipple scene
Posts: 1836
From: Salt Lake City, UT, USA
Registered: Jan 2000
|
posted 06-26-2005 02:27 AM
I think I should just use a new term here instead of proprietary..
Keep in mind I am sure that no one here is trying to insinuate that I am full of crap or something, but the mere fact I brought it up leads me to believe that I need to clarify this word...
REPHRASE...
Yep... maybe a rephrase is in order. I should have used a different word or phrase.
We don't sell or offer encryption, so since proprietary is often used by people selling something, it was inappropriate to use it in this instance.
What we do have is a massive database that is protected by extraordinary means. We do not use commercially available means to secure this database.
Imagine 52 decks of cards. You place them all face down. Somewhere in there is the 52 cards you need to win the prize. All the while you are trying to figure out the right combination without actually being able to see the combination, someone else keeps changing the combination for each right card you choose. No matter how far you think you get, you always end up back in square one.
Keep in mind that we don't just sit on it and hope for the best either. Our data is our most prized and protected possession. Other firms may not keep their data as secure, but it is who we are and our reputation is all we sell. Whatever the exercise may be, it is undertaken to ensure complete protection.
We also do not sell anything from our database. It is not up for public access in any way, shape or form. The only people who have access to it are authorized employees who are audited on every key stroke and computer event, and government auditors to check for legal compliances on a very rather frequent basis.
Unlike many firms you see lately that have lost information to hackers and other people unauthorized, we do not do any business that would give anyone access at any time to our information. It is just not an avenue that we go down.
While it is true that some of our clients' information has been compromised, it was done by outside sources who did not gain access to our systems, but rather to other entities who collected on many occasions identical information files for their own use, but did so on their own volition and without access to our database.
We are secure, and will continue to be secure. If there is ever an attempted breach that cannot be shut down or steered out, the systems will be shut down without warning to protect the data, and the lines cleared and the security measures changed.
The number of times our systems have gone down for this reason... none.
So I apologize for even bringing up proprietary. I just wanted to make sure and very clear that where I work and the company I work for takes very careful precautions to secure our data, and that we work very hard to not be a victim, but instead be the leader when it comes to data protection, even though that is not our business.
Ciao
| IP: Logged
|
|
|
All times are Central (GMT -6:00)