Re: What can one do against Keylogger Attacks?
Posted by pclogger on July 24th, 2005


Maybe a combination of biometric scanners - including smart card
readers (the latter should be more stringent in its encryption). Having
said this, the suggested solution has a hint of over-paranoia and has
definitely gone overboard.

Since this topic is "what can one do against keylogger attacks", my
guess is that to be sure,
1) we have to make sure our environment is scanned to make sure there
is no keyboard logger,
2) every time we install a new software, we check that we are
installing good software.
3) we monitor all outgoing IP traffic (to detect suspicious IP
activities)
4) we do not key in any password when we enter our password
5) we do not allow the keyboard logger to capture any screen that would
show our password

1 is probably achieved by using a good AV program and constant O/S
security upgrades.
2 is probably achieved by adoption of good common sense practice
3 is probably achieved by a non-intrusive IP activity monitor (e.g.
ipTicker or Ethereal. ipTicker is easier though)
4 is probably achieved by a good password manager (one that reads in
encryption data that translates the data internally and then injects
the password internally i.e. not simulating the keyboard AND not using
cut and paste technology).
5 is ??? (not sure) ???.


My 2 cents worth

Posted by Luc The Perverse on July 24th, 2005


"Joe Peschel" <jpeschel@no.spam.org> wrote in message
news:Xns969CD0A92544Ffa0khgj7ji8i8jo9@216.168.3.44 ...

LOL

--
"When you have to choose between a first-rate company with a
second-rate product and a second-rate company with a first-rate
product, it's never an ideal choice. " -Ed (www.overclockers.com)



Posted by nemo_outis on July 24th, 2005


"pclogger" <pclogger_888@hotmail.com> wrote in
news:1122175226.326061.178960@g43g2000cwa.googlegroups.com:


All of those are sensible precautions and will work reasonably well
against garden-variety spies.

However, they are grotesquely deficient against skilled adversaries. For
instance, if one has uninterrupted access to the machine for a short
while, it is child's play to install (i.e., substitute) a modified driver
such that it is also a software keylogger (in addition to whatever else
it is supposed to do). Drivers will (usually) be invoked at kernel level
and can log whatever they wish (even simpler if all that is required is
outside input during system initiation - passwords and such - rather than
all user input during a session.)

Similar actions can be done (more conveniently but not quite as robustly)
with dlls. And it goes on and on.

Thwarting such methods is possible but usually too inconvenient (e.g.,
regularly sweep for the SHA256 of all files and check against a known-good
list - and this presumes that third party software is not compromised by
design in the first place!).

In short, if you do not have continuous control and custody of the
machine you are extremely vulnerable. And ANY network connection
(especially internet) counts as shared custody and control!

Regards,


Posted by pclogger on July 24th, 2005


nemo_outis wrote:
should also have a good pc audit trail logger; an install and forget
utility that captures normal and unsolicited installation changes
including
1) important directory changes (this would capture dll changes as well)
2) changes to nt services
3) changes to activex registrations
4) changes to auto startups
5) changes to standard installations
6) changes to schedulers
7) changes to shared drives and so on ...

Probably, depending on the "security needs", one may need to install
some form of intrusion detector. I think we are going o/t but still
keen in this discussion - BTW - What is the best intrusion detector in
the market and how many are using?


as I did it myself and at the end of the day, I gave up on the
additional security. Instead, I have to selectively checksum just one
or two selected directories. Still, I think this is probably the job of
a good av instead.

services/daemons that may expose our vulnerabilities.


Posted by panteltje@yahoo.com on July 24th, 2005




Joe Peschel wrote:
Some people will want the whole hand if you give them a finger.....


Posted by Yortuk Festrunk on July 24th, 2005


On Sun, 24 Jul 2005 04:57:25 GMT, nemo_outis wrote:

you mean like fuckin' Braniac, man?

Posted by nemo_outis on July 24th, 2005


"pclogger" <pclogger_888@hotmail.com> wrote in
news:1122184213.095971.216300@o13g2000cwo.googlegroups.com:


An intrusion detector is a good idea, but far from a panacea. While not a
classical ID, I use ProcessGuard (in combination with RegDefend). However,
ANY protection run under the OS is potentially inadequate if one does not
have continuous control and custody.

For instance, in principle, the OS could have been compromised to not show
the keylogger, to misreport its SHA256 or MD5 hash, etc. IOW the keylogger
may be, in essence, part of a rootkit suite.

The only solid defence against this is a scan from OUTSIDE the regular OS
- such as a hash-checker run from a Knoppix CD.

Yes, it's incredibly tedious but anything less is a kludge.

Regards,
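The sweep nemo_outis describes (SHA256 every file, compare against a known-good list, run from outside the regular OS so a rootkit cannot misreport the hashes) and the directory-change auditing pclogger lists, as an added Python example that is not code from the thread. The file names in demo() are constructed; in practice the manifest would live on read-only media and the script would run from the boot CD against the mounted disk.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Stream the file so large binaries do not have to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each relative path under root to its digest. Symlinks are skipped:
    following one would hash a pristine target while the real file is swapped."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def verify(root, known_good):
    """Report added, modified and missing paths versus the known-good list."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in current if p in known_good and current[p] != known_good[p]),
        "added": sorted(p for p in current if p not in known_good),
        "missing": sorted(p for p in known_good if p not in current),
    }

def _write(root, rel, data):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario (hypothetical file names): baseline a fake system
    tree, then simulate a driver substitution, a dropped DLL and a deletion."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "drivers/kbd.sys", b"good driver")
        _write(root, "ntoskrnl.exe", b"kernel")
        baseline = build_manifest(root)  # would be stored on read-only media
        _write(root, "drivers/kbd.sys", b"good driver plus keylogger")  # substituted driver
        _write(root, "hook.dll", b"injected")  # new DLL
        os.remove(os.path.join(root, "ntoskrnl.exe"))
        return verify(root, baseline)
```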

Posted by Winged on July 24th, 2005


Yortuk Festrunk wrote:
No, he refers to commonly applied methods. These devices, including the
smart card, only create some level of assurance. In the case of
biometric devices, there are a number of methods and techniques that
make these devices close to useless. They do provide a level of
assurance, but they do not provide a high level of assurance. All
consumer grade biometric devices commercially marketed today are quite
capable of being compromised or bypassed, perhaps by the 12 year old
down the street. Nemo is absolutely correct. The device can make the
system no more secure than the system's access availability. This
deficiency applies not only to biometric devices but a number of other
encryption techniques. Key loggers aren't even needed to capture (for
example) data from the CRT emissions. Recently I read an article about
reading data being transmitted via a NIC card or written to a hard drive
by monitoring the LCD light emission flicker on a device from a distance
away. Often simply thinking of the appropriate approach to emulate the
function of a device is enough. The approach usually is not the direct
approach but a vector. Just because you don't know how it can be done
doesn't mean it can't be done and it is usually easier than you think.
It isn't rocket science, it is understanding.

It is not only governments that have this risk but corporations and
research facilities. It is far cheaper to learn what your competition
knows by stealing their data or knowledge base than it is to develop the
data from scratch. These tools and techniques are known by both sides
of the security equation.

Winged

PS The best coders I know are black hats.

Posted by Johan Wevers on August 4th, 2005


winged <winged@nofollow.com> wrote:

What's wrong with Blowfish? I've never seen any documented attack on it
other than brute force, which is unusable given the key length.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

Posted by Crypto@S.M.S on August 4th, 2005


Johan Wevers wrote:

Joe Ashwood has stated that Blowfish is weak.


Posted by Johan Wevers on August 5th, 2005


<Crypto@S.M.S> wrote:

All I can find of this person are usenet postings (google with "john ashwood
blowfish"). Is he supposed to be some authority? And if so, what has he
published?

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

Posted by Joseph Ashwood on August 6th, 2005


"Johan Wevers" <johanw@vulcan.xs4all.nl> wrote in message
news:IKroJ6.5r0@vulcan.xs4all.nl...
I'd say you didn't do enough searching, but you won't find anything that I
have published about Blowfish, you will also find that my publications are
difficult to locate as most have never touched the internet. But my statement
was never that Blowfish is weak, my statement was that Blowfish has some
minor attacks and is not considered among the state-of-the-art ciphers.

For the case in question (password storage), the data files are likely to be
small enough, the data changes infrequent enough, and the data used in such
a fashion that Blowfish, used in a suitable mode of operation, should be
sufficient.
Joe



Posted by cipherpunk@gmail.com on August 6th, 2005


True, although possibly misleading. "State of the art" is usually a
euphemism for "has no significant track record". Ciphers are about
trust and confidence as much as they are about the latest and greatest
mathematical innovations. Nobody would seriously suggest 3DES as a
state of the art cipher--it's got all the aesthetics of a Soviet-era
automobile--but the trust and confidence in 3DES is nothing short of
profound, given that after 25-plus years of cryptanalysis we've yet to
find any practical results.

My rule of thumb is I don't move a cipher over into the "I really like
it" until there's ten years of history to look back over. So pretty
much by definition, none of my "I really like it" ciphers are state of
the art.

3DES: 25+ years, still going strong.
Blowfish: 12 years, still going strong.


Posted by Johan Wevers on August 6th, 2005


Joseph Ashwood <ashwood@msn.com> wrote:

OK, a misinterpretation from the previous poster I assume.

As is stated in another reply, what matters for ciphers is trust, not
modernness. Personally I still prefer IDEA.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

Posted by Crypto@S.M.S on August 6th, 2005


Johan Wevers wrote:

I agree. Trust comes over time.
How do you feel about 3IDEA or triple IDEA?

Posted by Winged on August 7th, 2005


Crypto@S.M.S wrote:

Even with its long key capabilities I wouldn't trust it with nuclear
secrets, but it's good enough that I use it. I just indicated it might
be broken by someone if they wanted to bad enough. It is a good cypher.

Winged

Posted by Johan Wevers on August 7th, 2005


<Crypto@S.M.S> wrote:

If applied the same with 3DES: I don't know enough of ciphers to judge
that. I can't judge if this is stronger than single IDEA. If IDEA is a group
this won't make it any stronger AFAIK, but I don't know if IDEA is a group.

--
ir. J.C.A. Wevers // Physics and science fiction site:
johanw@vulcan.xs4all.nl // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

Posted by Crypto@S.M.S on August 8th, 2005


Joseph Ashwood wrote:
You claimed that CryptoSMS is weak because it uses Blowfish
as one of its encryption layers. SO which is it? Do these
"minor" attacks allow you to break Blowfish encrypted messages,
or not?

Are short messages equally small enough that Blowfish in CBC mode
"should be sufficient"?

Posted by Joseph Ashwood on August 10th, 2005


[Note to those who are in the groups other than sci.crypt. I am only
replying to this because these are legitimate questions, Crypto@SMS has been
nominated for "troll of the year" on sci.crypt for various reasons]

<Crypto@S.M.S> wrote in message news:11fds0ma5lt8vd1@news.supernews.com...
I claimed that CryptoSMS has so many flaws in every part of it that its
strength is somewhere up there with tissue paper, among these was the poor
selection of cryptographic primitives, which I believe the one I repeatedly
told you was weak is RC4.

If the key is strong yes, in the case you are referring to, it was rather
thoroughly established that the key selection would be heavily flawed. It
is also critical that the password storage case requires a single file so
the CBC proof is easily satisfied, using short messages it is far more
difficult to satisfy.
Joe



Posted by Crypto@S.M.S on August 10th, 2005


Joseph Ashwood wrote:

Note that Joe has been similarly nominated.

You claimed it was weak because it *might* have a
problematic implementation of ARC4 and Blowfish.

You also pointed out "flaws" that were in fact nonexistent.
Tissue paper that you can't break?

Imagined flaws in key selection based on your assumptions about English
passwords. Such statements make no sense when examined in the light of
actual/potential pass phrases in use.

If it is so heavily flawed, why have you not demonstrated real "breaks"
instead of imaginary ones? The anonymous challenger is still floating
around, posting requests from time-to-time, which you have been patently
ignoring.

Meanwhile, your suggestions of possible weaknesses in CryptoSMS have
been taken seriously, and pass phrase salting/stretching has been added
to increase entropy. I really do appreciate the realistic criticisms
you have posted. Thanks. It's just your continued insults that get
a little bit tiring.
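The pass phrase salting/stretching mentioned above for a password store, as an added Python example that is not CryptoSMS code and is not tied to Blowfish: the salt defeats precomputed tables, the iteration count raises the cost of each guess, and the KDF output is split so the stored verifier never reveals the cipher key. The header layout (salt$iterations$verifier) and the ITERATIONS value are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor per guess; raise as hardware gets faster

def weak_key(passphrase):
    """Unsalted, unstretched: the same passphrase always yields the same key,
    so a single precomputed table breaks every store that used it."""
    return hashlib.sha256(passphrase.encode()).digest()

def derive_keys(passphrase, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 producing 64 bytes, split into the cipher key and a
    separate verifier so the stored verifier does not expose the cipher key."""
    out = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, 64)
    return out[:32], out[32:]

def make_header(passphrase, iterations=ITERATIONS):
    """Header for a new store (assumed layout): salt$iterations$verifier in hex."""
    salt = os.urandom(16)
    _key, verifier = derive_keys(passphrase, salt, iterations)
    return f"{salt.hex()}${iterations}${verifier.hex()}"

def unlock(header, passphrase):
    """Re-derive with the stored salt and iteration count; return the cipher
    key on a match, None otherwise. compare_digest avoids timing leaks."""
    salt_hex, iters, verifier_hex = header.split("$")
    key, verifier = derive_keys(passphrase, bytes.fromhex(salt_hex), int(iters))
    if not hmac.compare_digest(verifier, bytes.fromhex(verifier_hex)):
        return None
    return key
```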
