Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
SmurfBoxMasta: I guess he could also verify that the government has been covering up alien encounters all these years.:rolleyes:
 
SmurfBoxMasta said:
Normal people, with normal computers, will be hard pressed to crack a strong password and 128bit encryption, UNLESS they have physical access to the machine that the data is on.

However, you have to remember that the gov't has access to things that normal people dont :p

And knowing someone who does extremely high-level stuff for the gov't, I can assure you, WITHOUT ANY DOUBTS WHATSOEVER, that if they want/need to crack yours, or anyone elses, passwords & encryption schemes, the can & will do it in a friggin heartbeat !

With respect your government has a diastrous recent history of being unable to understand unencypted arabic let alone anything more complicated.

If you want maximum security I would suggest the old fashioned mafia (sicilian) technique of no computers, no land lines, no mobile phones just "pizzini". This kept Bernardo Provenzano, Capo dei Capi, out of the clutches of the Italian state for 43 years.
 
Heb1228 said:
If anybody wants to try, I made a sample encrypted disk image. See if you can get into it. Its 2MB and you can download it here. After downloading, you'll have to take the .txt off the end of the filename so its just challenge.sparseimage. See if anyone can tell me whats inside. :eek:

It's a shame nobody tried this. I'd be interested to know if it was possible :)

If I had the first idea of how to do it I'd be willing to give it a go. I'm willing to give it a try with my dual 2.5GHz G5 if somebody can supply me with the software etc :)
 
MD5 has been cracked, if you think AES is invincible you have another thing coming.
 
you dont need to, AES is strong but has been broken by cache hacking and at some point someone will think up some maths to topple that brute force time by several orders of magnitude.
 
Hector said:
you dont need to, AES is strong but has been broken by cache hacking and at some point someone will think up some maths to topple that brute force time by several orders of magnitude.
  • Cache hacking wouldn't help with this, as we don't have access to Heb1228's cache.
  • A several order of magnitude speed-up in cracking times would mean nothing given those time scales. Rubber-hose cryptanalysis remains our best bet. Anyone know where Heb1228 lives? ;)
 
Heb1228 said:
This is mainly just one of those 'I always wondered' things. How secure really is the 128-bit encryption offered in Disk Utility? Is it virtually impossible to crack? Somewhat difficult? How long would it take someone who really knew what they were doing?

I normal person who only owned a few computers would not live long enough to complete a brute force attack on the disk. Someone with billions in funding could likely crack it faster but those guys would never tell you how long it would take them.

But I doubt brute force attack would be used. They's be beter off trying to guess or otherwise obtain your password. For example read it off your screen when you type it in. CRTs are pretty bad about broadcasting their content. (The high voltage electronics inside generate radio signals.) Or maybe you have used your name or kid's names for a password or you have written i down some place.

Back in the 1950's the Rosenburgs used a theoretically "unbreakable" code to send messages back to the Soviet Union. Years later, only a few years ago someone finaly broke the code. Nothing wrong with the encription algorithum they used. but the keys were generated using an imperfect method. It's always the key that is the weak link.

What you need is a __truely__ random method of key genertion that covers the entire "keyspace". Truly randon methods are done with physical devices like dice, coins or rolette wheels. So drop 128 coins on the ground and record if they were heads or tails as you pick each one up and use that as your 128 bit key and never write it down. Memorize it as you pick up each coin.

Most people pick keys from a much smaller space. A dictionary word is the worst as there are only about 100,000 of those and an attackers could simply try each one. But a truely randon key is very secure as long no one can out what it is
 
andym172 said:
If I had the first idea of how to do it I'd be willing to give it a go.

If you had the "first idea of how to do it" you would know enough not to try.

If you had a computer that could make a million guess per second and you gave all 6 billion people on Earth a million of these computers each then they could not finish before the sun would run out of fuel and burn out.
Basically 2^128 is a big number and brute force guessing ain't going to work.

On the other hand most users pick easy to guess keys like his wife's first name and you might just crack it in 20 minutes after about 100 guesses.
 
Heb1228 said:
On another note, I've actually forgotten the password of that disk image i originally posted and what I put inside.

It was a picture of the ill-fated PowerBook G5. Anybody wanna see?


*ducks below desk*
 
Are there any 'cracking/hacking' forums on the internet (be it pc or Mac based) who would be willing to give this a go?

Maybe supply them with a less secure file first?
 
Heb1228 said:
I think I just decided to move. :D

On another note, I've actually forgotten the password of that disk image i originally posted and what I put inside.

This is one reason I prefer not to encrypt stuff - I used to get over enthusiastic and set complicated passwords that I forgot the very next day. :p Now I'm a lot more careful with passwords.

Another reason I don't like encryption much is the question, "what if the encryption/decryption software is buggy or is patched by a buggy version in the future?" - plain data could be recovered by low level reads of the HDD, but with data encrypted by any buggy mechanism, you're lost forever. :eek: Anyone heard about flaws in FileVault so far???
 
supremedesigner said:
You know what really suck? If "terrorist" enable FileVault that contain documents where to attack next and FBI won't be able to crack it. That will be bad.

You make me laugh fool
 
Disk Images Encrypted are only as strong as your password. If you have an easy password, then it would be easy to crack. The only way to compromise the disk image is to toss a dictionary attack at it and use every possible known combination of letters and numbers. The longer the password, the longer it will take.

Even the US Government couldn't crack the AES-128. Where most people fail is storing the password in a location, knowingly or unknowingly in plain text on the drive. Someone who really wanted to crack it would have much better luck doing research than starting a dictionary attack against it.

That said, it would be ideal to have a separate private key you store with the Disk Image. This way, you have the private key and your password. This follows the standard two-factor authentication... something you have and something you know.

Your ATM card is like that... you have the ATM card, something you have, and your PIN is the something you know. With only the ATM card, you can't get money out of the ATM... if you know the PIN w/o the card, your still up the creek.

So, in a situation where you store your private keys in a unknown location, you could give out the password to someone in authority asking for it, but without the key file, the password is useless. But, you wouldn't want to give out the password, as they may have located the private key.

Anyhow, that all said... FileVault is the same and as long as you keep things like Spotlight from not scanning those images and you don't have your password stored in a plain-text file or in plain-text unknowingly in some cache or history file... your secure.


-----
Get Free Mac Support http://www.macosx.com
 
zami said:
With respect your government has a diastrous recent history of being unable to understand unencypted arabic let alone anything more complicated.

Not everyone is dumb/blunt as George Bush.

It is just a series of trial and error, unless this particular disc image has a known password security problem. Eg. you can access the password hash file in the windows system directory and then crack it to obtain the administrator password.
 

From the above linked page, the time to guess a 4-digit password of numerals only, such as is used on every ATM in the world, is basically zero. :eek:

HTML:
Length Combinations Class A  Class B  Class C  Class D  Class E  Class F
4            10,000 Instant  Instant  Instant  Instant  Instant  Instant
However, this assumes that the site that you are trying to break into is going to allow you to try thousands of passwords in less than a second.

Fortunately banks have lock out procedures in place that will ignore any attempt to access the account using any password after something like 3 failed attempts. :eek: So there is about 3/100 of 1% chance to guess the password before the account is locked out.

Of course, there are some common things that people do with their ATM PIN that will make them much easier to remember and also much easier to guess, such as using the 4 digits on the corners (1, 3, 7, and 9), the middle of each edge (2, 4, 6 and 8), down the middle, or one side (0, 2, 5, and 8; 0, 1, 4, and 7; 0, 3, 6, and 9).

So do yourself a favor and avoid those combinations. This is not to say that you should avoid using these digits (that would not leave anything to use!), only that you should avoid using any of these sets of digits. You can use a pair that are in one of these sets if you throw in a pair that are not in that same set, such as 1,7,5 and 8. (About now, something like 10,000 people are changing their ATM PINs that were 1758 :p)

Lockout procedures, unfortunately, do not apply to attempts to crack an encrypted file that is stored on your own harddrive, but then the available choices for the password is much greater than is available for ATM PINs.

So do yourself a favor and use a longer password with a mix of the character classes (UPPERCASE, lowercase, numerals, and special characters).
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.