RE: Hackers please help

From: gts (gts_2000@yahoo.com)
Date: Sun Feb 23 2003 - 23:51:41 MST

    Dossy wrote:

    > On 2003.02.23, gts <gts_2000@yahoo.com> wrote:

    >>> the only challenge is getting your password. It probably wasn't
    >>> longer than 8 characters, was it?
    >>
    >> I know better than to answer a question like that online. ;-) The
    >> password in question is still "out there," though I have changed my
    >> email addresses/usernames/passwords on the sites that concern me
    >> most.
    >
    > This means it's probably shorter than 8 characters, which could be
    > reasonable to hack by brute-force. If it were longer, you'd probably
    > respond "of course it's much longer than 8 characters -- you wouldn't
    > bother trying to brute-force it, would you?" :-)

    Sorry but as I said I just don't answer those kinds of questions! :-)

    The irony here is that I am really no dummy about software and computer
    security. In fact I am a Microsoft Certified Visual C++ Product
    Developer who once wrote a Windows front end for an old DOS version of
    PGP. I'm no longer in the software business but I do know more than the
    average bear about these subjects. If you did a google search on my full
    real name (which for security reasons I no longer make easily available
    in online communications) you would find me offering some interesting
    discussion some years ago about a beta product designed to automate PGP,
    and perhaps also find discussion by me about other security and
    encryption products. At one time I even published a website designed to
    help people ensure the security of their computers! Unfortunately that
    was back in about 1997 (eons ago in hacking years), and I'm no longer in
    the software business. In those days I'm not sure one could even send an
    HTML email without attracting attention, if it was possible at all. And
    since those days I've gotten a bit lax about my own security (how
    embarrassing). I've been too busy with other projects to keep up with
    developments in this area.

    >>> What do you mean by "generally"? How often is your PC physically
    >>> accessible to someone else? Once a week? Once a month?
    >>
    >> Basically, never. I can't think of a time that anyone had access to
    >> this computer without my close supervision, which is not to say it's
    >> never happened.
    >
    > Even under close supervision, if someone else was using your computer
    > and went to a malicious site that'd drop a quiet in-the-background
    > installer of a keylogger, do you think you'd be able to (1) know
    > enough to spot it happening, (2) be quick enough to catch it
    > happening?

    You'll just have to trust me on this: it would be a huge surprise to me
    to find out that anyone has ever physically accessed my PC in this way
    without my knowledge.

    > If I knew more about your life, would I be able to guess your
    > password?

    Very, very doubtful. You would need to be almost telepathic. This
    low-security password of mine was discovered by someone in text form via
    hacking, or by social engineering (or perhaps over the shoulder, but
    very unlikely). My best hope is that it was not discovered via any kind
    of keylogging Trojan software, since this would mean my high-security
    password was almost certainly not compromised. This is why I am so keen
    on the idea of eliminating that possibility.

    >> Actually I do. I'm set up to automatically download and install
    >> every [XP] patch.
    >
    > I'm too paranoid to do that -- I'm still waiting for someone to 0wn
    > Microsoft Windows Update and widely distribute a backdoor/Trojan from
    > Microsoft's own servers.

    Well I will admit this much to you: despite my former affiliation with
    MS, I have decided because of this security breach to eliminate all
    dependence on MS for internet purposes. I've been using MSIE and Outlook
    Express and Outlook XP, while hoping that my McAfee firewall and virus
    software would protect me from their deficiencies, but I am no longer
    convinced that anyone is really capable of protecting these MS apps.
    They will be gone from my computer in short order, as soon as I can
    decide on suitable replacements. I'm going to dissolve the damned
    Microsoft CDs in acid so that I am no longer tempted to use them.

    >> I've had several different user accounts on my own PC over several
    >> different installations, each one a renamed admin account. One of
    >> them used the same password as that used on the hacked site. Stealth
    >> software capable of recovering that owner password would have helped
    >> the hacker.
    >
    > Did you disable the Guest account? If not, remotely someone could
    > have grabbed the appropriate file on your drive that contains the
    > passwords, and as you mention, go through the process of
    > password-recovery of it.

    The guest account is currently disabled, but I can't say for certain
    that I disabled it immediately upon my last installation or upon my
    previous installation. So that's a possibility.

    > I'm betting that the password was not a random sequence of letters and
    > numbers, and was probably a mnemonic of some sort, which is
    > conceivably guessable given enough knowledge about you and the kind
    > of thing you may choose as a password. A few very pointed (but still
    > benign) questions might be enough to reveal it.

    I dare you to try formulating those few pointed questions. ;-)

    > You sound like a person who thinks they have something worth hiding.
    > What could you possibly be protecting that's worth losing sleep over?

    If I answered that question then I would have to kill you. Lol. :)

    > I'm waiting for people to set up high-powered telescopes aimed at
    > public ATM keypads from a distance to surf people's PIN codes as well
    > as a glance at their ATM card to get their account number, then see if
    > they're signed up for web banking then *slurrrrrrrrrp* run off with
    > their money. I cannot believe it hasn't happened yet, especially in
    > places like New York City.

    I agree.

    >> Thanks for all your advice.
    >
    > Free advice is worth exactly what you paid for it. :-)

    :-)

    -gts


