On Wed, Jul 21, 2010 at 9:43 AM, James Hatridge
Hi Greg et al,
It does not seem to be part of a default pattern.
That's good, I don't have 11.3 on yet, will upgrade this coming weekend.
And even if installed it does nothing until you go through a very obvious process of creating an account.
Are you sure? And just because they say so is not enough for me.
And if you do that, all of the data is transmitted and stored in encrypted form. SpiderOak states that they do NOT keep passwords at all. (They do keep the password hint you provide.)
I don't recall which form of encryption they use, but pgp encryption as an example is secure enough for my needs.
While pgp is ok, I don't know of any encryption good enough if the government thugs decide to open your files. Or for that matter the company itself might open them. Yes, of course they promise. BUT I heard of a case in the US or UK about a database from a gay teenager site that they promised would be private and safe etc etc etc. Then the site went out of business and they are selling the database to pay off bills. So much for that promise....
I actually know a little bit about cracking encryption. (My company owns commercial tools to do the job and we offer it as a service.)
1) If the government(s) have a way to crack pgp easily via a backdoor, they've done a great job of keeping it secret.
2) Brute force attacks are very, very inefficient. Many CPU years to crack a long password. But a short password of 5 or 6 characters can be cracked in an hour or less. But the fastest way of all is a rainbow table. So if you're using an encryption solution for which rainbow tables are available, you're just wasting your time. (Many / most pre-2000 encryption techniques now have rainbow tables available.)
3) One way to attack passwords that works surprisingly well: take your home PC / work PC, extract every single word from every single document / email and build a dictionary. It will likely have a couple hundred thousand words in it minimum. Now use that dictionary in addition to the normal language dictionaries as the basis of dictionary based attacks. Thus if your password is "passw0rd" and you have it recorded in an unencrypted doc as "password", then password will be added to the dictionary and passw0rd will be found via letter / number substitution attempts. So if you have to record your password somewhere, either use hints that are not very easily understood, or be sure they are themselves encrypted.
ALSO how safe is your backup from someone ADDING stuff to it? A good friend in the US was thrown in jail for photos that he did not put on his hard disk at work. Lucky for him he was able to prove to the judge that many people at his job had access to his HD. So they could not prove who put the photos on it. How would you feel if the thugs demanded you open your files and you did it. "I've got nothing to hide!" right? And the first thing that pops up is an under-aged photo.
Interesting point. Also applies to anyone dumb enough to use unencrypted wireless. I've heard of someone's unencrypted wireless being used to surf CP and the owner of the wireless router being arrested. As with your case, they were able to prove it wasn't them.
Greg
Sorry Greg, there is no way in hell I would put files on a system I don't control.
Most corporate/private networks have been hacked at one time or another, so you need to stay away from them even if you "think" you control them. Especially if they use LDAP to share security control with a Windows network. The best firewall is an air-gap. i.e. If you want to load a file on your PC, you put it on an external media and carry it to your PC. Before loading it in, you scan it with everything you've got. Most US top secret LANs are air-gapped I believe.
I don't encrypt my files (yet) but I heard about someone working on a way to set up a system so that if you give it one password you get into the normal file system, but if you give it another password you get another file system and it hides your real file system. Personally I like that idea as far as it goes. What I would like better would be that the second password (or even a third password) connects you to the safe file system and deletes the first file system. That way, when the thugs use the old rubber hose decryption on you, you can give them the delete password and know that your info is safe/gone even if you are too. :(
There are a lot of commercial laptop drives that accept two passwords. One allows access to the encrypted data they hold. The other wipes the drive. See man hdparm for more info about drive security features it supports. (i.e. both of those I think.)
Later!
JIM
Greg
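Point 3 in the message above, turned into a self-check on your own passwords, as an added example that is not part of the original thread: it builds a word list from text you have stored unencrypted and reports whether a password reduces to one of those words once common letter/number substitutions are undone. The function names, the substitution table and the sample documents are assumptions constructed for illustration.

```python
import re
from itertools import product

# Characters commonly swapped in for letters, mapped back to the letters they
# may stand for. This small table is an assumption; real rule sets are larger.
SUBS = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
        "7": "t", "@": "a", "$": "s", "!": "i"}

# Constructed sample text standing in for unencrypted documents and mail.
SAMPLE_DOCS = [
    "Reminder: router login is password, change it after the upgrade.",
    "Holiday photos from the lighthouse are in the backup folder.",
]

def build_wordlist(documents):
    """Collect every word of four or more letters, lowercased."""
    words = set()
    for text in documents:
        words.update(w.lower() for w in re.findall(r"[A-Za-z]{4,}", text))
    return words

def candidates(password):
    """Return the plain words a password could be a disguised form of."""
    lowered = password.lower()
    # Also try the password with a trailing run of digits/symbols removed,
    # since appending "99" or "!" is as common as substituting characters.
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    found = set()
    for form in {lowered, stripped}:
        # Each position keeps its character or expands to the letters it may
        # replace; "1" is ambiguous (i or l), so both readings are generated.
        options = [SUBS.get(ch, ch) for ch in form]
        found.update("".join(p) for p in product(*options))
    return found

def exposed_by(password, wordlist):
    """List the stored words that would lead a dictionary run to this password."""
    return sorted(candidates(password) & wordlist)

if __name__ == "__main__":
    wl = build_wordlist(SAMPLE_DOCS)
    for pw in ["passw0rd", "L1ghth0use!", "kV9#tq2Lx"]:
        hits = exposed_by(pw, wl)
        print(pw, "->", hits if hits else "no match in your own documents")
```

An empty result only means the password is not derived from the text you fed in; it says nothing about standard language dictionaries or password length.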