From: Dossy (dossy@panoptic.com)
Date: Sun Feb 23 2003 - 21:34:48 MST
On 2003.02.23, gts <gts_2000@yahoo.com> wrote:
> > the only challenge is getting your password. It probably wasn't
> > longer than 8 characters, was it?
>
> I know better than to answer a question like that online. ;-) The password
> in question is still "out there," though I have changed my email
> addresses/usernames/passwords on the sites that concern me most.
This means it's probably shorter than 8 characters, which could be
reasonable to hack by brute-force. If it were longer, you'd probably
respond "of course it's much longer than 8 characters -- you wouldn't
bother trying to brute-force it, would you?" :-)
> > > My PC is generally not physically accessible to anyone other than
> > > myself.
> >
> > What do you mean by "generally"? How often is your PC physically
> > accessible to someone else? Once a week? Once a month?
>
> Basically, never. I can't think of a time that anyone had access to
> this computer without my close supervision, which is not to say it's
> never happened.
Even under close supervision, if someone else was using your computer
and went to a malicious site that'd drop a quiet in-the-background
installer of a keylogger, do you think you'd be able to (1) know enough
to spot it happening, (2) be quick enough to catch it happening?
> > Occam's Razor would say your little conspiracy theory is a bit
> > unlikely.
>
> If you knew more about my life and the placement of my computer, then I
> think you'd find my remote keylogging theory to be the best explanation.
If I knew more about your life, would I be able to guess your password?
> > > I am running Windows XP Home Edition. Until a couple of weeks ago I was
> > > connected 24/7 via DSL, but in the last few weeks I have been using
> > > dialup only.
> >
> > h0 h0 h0! Windows XP 0wned Edition connected 24/7 by DSL. I bet you
> > probably didn't keep up with the latest security patches as they
> > immediately came out, did you?
>
> Actually I do. I'm set up to automatically download and install every patch.
I'm too paranoid to do that -- I'm still waiting for someone to 0wn
Microsoft Windows Update and widely distribute a backdoor/trojan from
Microsoft's own servers.
> > Did you know enough to rename your owner account? And put a password on
> > it?
>
> I've had several different user accounts on my own PC over several different
> installations, each one a renamed admin account. One of them used the same
> password as that used on the hacked site. Stealth software capable of
> recovering that owner password would have helped the hacker.
Did you disable the Guest account? If not, someone could remotely have
grabbed the appropriate file on your drive that contains the passwords
and, as you mention, gone through the process of recovering the password from it.
> > Anyone running Windows XP (Home or Pro, but /especially/ XP Home) should
> > at least glance over this web page at least three times:
> >
> > http://www.blackviper.com/WinXP/supertweaks.htm
> >
> > Specifically, number 12 which I'll quote here:
>
> Very interesting (and another thing to be alarmed about).
>
> However I don't believe I've ever used the default owner/admin account
> without first renaming it.
Of course, this is only useful to do if you've also disabled the guest
account.
> > If I were a betting person, I'd bet you a nickel that you got socially
> > engineered or shoulder surfed, and not keylogged.
>
> Yes, social engineering is quite possible, as is shoulder surfing, though
> I'm usually extremely careful about the latter.
I'm betting that the password was not a random sequence of letters and
numbers, and was probably a mnemonic of some sort, which is conceivably
guessable given enough knowledge about you and the kind of thing you may
choose as a password. A few very pointed (but still benign) questions
might be enough to reveal it.
> In case I haven't made it clear, my focus on anti-keylogging is due in
> part to the fact that I have another password, one which I use for
> high security purposes (e.g., encryption of data files). I'm most
> concerned about that password, and it's not one that would normally be
> accessible via such things as social engineering and shoulder surfing.
> Probably only a keylogger could capture it, because I use it only
> rarely, (never on websites), and because I am in general very careful
> about its use.
You sound like a person who thinks they have something worth hiding.
What could you possibly be protecting that's worth losing sleep over?
Schematics for a space-temporal-transport-matter-thing-a-ma-dingy that
you received from your future self, or something?
About the most worried I get with regard to passwords is the fact that
my bank uses my ATM's PIN code as the /same/ password for their online
banking interface. Can you say "brute force a password that is less than 8
characters and entirely numeric"? I knew you could.
I'm waiting for people to set up high-powered telescopes aimed at public
ATM keypads from a distance to surf people's PIN codes as well as a
glance at their ATM card to get their account number, then see if
they're signed up for web banking then *slurrrrrrrrrp* run off with
their money. I cannot believe it hasn't happened yet, especially in
places like New York City.
Regardless, whatever it is you're trying to either hide, or protect ...
sounds like you shouldn't be storing it on a machine that's ever
connected to a public network. Otherwise, you might as well not be
protecting it -- locks only keep honest people out -- since you're only
inconveniencing yourself.
> Thanks for all your advice.
Free advice is worth exactly what you paid for it. :-)
-- Dossy
--
Dossy Shiobara                  mail: dossy@panoptic.com
Panoptic Computer Network       web: http://www.panoptic.com/
"He realized the fastest way to change is to laugh at your own folly --
then you can let go and quickly move on." (p. 70)
This archive was generated by hypermail 2.1.5 : Sun Feb 23 2003 - 21:37:43 MST