From: gts (gts_2000@yahoo.com)
Date: Sun Feb 23 2003 - 23:51:41 MST
Dossy wrote:
> On 2003.02.23, gts <gts_2000@yahoo.com> wrote:
>>> the only challenge is getting your password. It probably wasn't
>>> longer than 8 characters, was it?
>>
>> I know better than to answer a question like that online. ;-) The
>> password in question is still "out there," though I have changed my
>> email addresses/usernames/passwords on the sites that concern me
>> most.
>
> This means it's probably shorter than 8 characters, which could be
> reasonable to hack by brute-force. If it were longer, you'd probably
> respond "of course it's much longer than 8 characters -- you wouldn't
> bother trying to brute-force it, would you?" :-)
Sorry, but as I said, I just don't answer those kinds of questions! :-)
The irony here is that I am really no dummy about software and computer
security. In fact I am a Microsoft Certified Visual C++ Product
Developer who once wrote a Windows front end for an old DOS version of
PGP. I'm no longer in the software business but I do know more than the
average bear about these subjects. If you did a google search on my full
real name (which for security reasons I no longer make easily available
in online communications) you would find me offering some interesting
discussion some years ago about a beta product designed to automate PGP,
and perhaps also find discussion by me about other security and
encryption products. At one time I even published a website designed to
help people ensure the security of their computers! Unfortunately that
was back in about 1997 (eons ago in hacking years), and I'm no longer in
the software business. In those days I'm not sure one could even send an
HTML email without attracting attention, if it was possible at all. And
since those days I've gotten a bit lax about my own security (how
embarrassing). I've been too busy with other projects to keep up with
developments in this area.
>>> What do you mean by "generally"? How often is your PC physically
>>> accessible to someone else? Once a week? Once a month?
>>
>> Basically, never. I can't think of a time that anyone had access to
>> this computer without my close supervision, which is not to say it's
>> never happened.
>
> Even under close supervision, if someone else was using your computer
> and went to a malicious site that'd drop a quiet in-the-background
> installer of a keylogger, do you think you'd be able to (1) know
> enough to spot it happening, (2) be quick enough to catch it
> happening?
You'll just have to trust me on this: it would be a huge surprise to me
to find out that anyone has ever physically accessed my PC in this way
without my knowledge.
> If I knew more about your life, would I be able to guess your
> password?
Very, very doubtful. You would need to be almost telepathic. This
low-security password of mine was discovered by someone in text form via
hacking, or by social engineering (or perhaps over the shoulder, but
very unlikely). My best hope is that it was not discovered via any kind
of keylogging Trojan software, since this would mean my high-security
password was almost certainly not compromised. This is why I am so keen
on the idea of eliminating that possibility.
>> Actually I do. I'm set up to automatically download and install
>> every [XP] patch.
>
> I'm too paranoid to do that -- I'm still waiting for someone to 0wn
> Microsoft Windows Update and widely distribute a backdoor/Trojan from
> Microsoft's own servers.
Well I will admit this much to you: despite my former affiliation with
MS, I have decided because of this security breach to eliminate all
dependence on MS for internet purposes. I've been using MSIE and Outlook
Express and Outlook XP, while hoping that my McAfee firewall and virus
software would protect me from their deficiencies, but I am no longer
convinced that anyone is really capable of protecting these MS apps.
They will be gone from my computer in short order, as soon as I can
decide on suitable replacements. I'm going to dissolve the damned
Microsoft CDs in acid so that I am no longer tempted to use them.
>> I've had several different user accounts on my own PC over several
>> different installations, each one a renamed admin account. One of
>> them used the same password as that used on the hacked site. Stealth
>> software capable of recovering that owner password would have helped
>> the hacker.
>
> Did you disable the Guest account? If not, remotely someone could
> have grabbed the appropriate file on your drive that contains the
> passwords, and as you mention, go through the process of
> password-recovery of it.
The guest account is currently disabled, but I can't say for certain
that I disabled it immediately upon my last installation or upon my
previous installation. So that's a possibility.
> I'm betting that the password was not a random sequence of letters and
> numbers, and was probably a mnemonic of some sort, which is
> conceivably guessable given enough knowledge about you and the kind
> of thing you may choose as a password. A few very pointed (but still
> benign) questions might be enough to reveal it.
I dare you to try formulating those few pointed questions. ;-)
> You sound like a person who thinks they have something worth hiding.
> What could you possibly be protecting that's worth losing sleep over?
If I answered that question then I would have to kill you. Lol. :)
> I'm waiting for people to set up high-powered telescopes aimed at
> public ATM keypads from a distance to surf people's PIN codes as well
> as a glance at their ATM card to get their account number, then see if
> they're signed up for web banking then *slurrrrrrrrrp* run off with
> their money. I cannot believe it hasn't happened yet, especially in
> places like New York City.
I agree.
>> Thanks for all your advice.
>
> Free advice is worth exactly what you paid for it. :-)
:-)
-gts
This archive was generated by hypermail 2.1.5 : Sun Feb 23 2003 - 23:54:23 MST