"If I said 'VFR not recommended,' would you want to hear the rest of the brief?"

I keep getting a security notice.

Secure Connection Failed

The connection to the server was reset while the page was loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Maybe it is a setting in firefox.
 
tmyers said:
I keep getting a security notice.

Secure Connection Failed

The connection to the server was reset while the page was loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Maybe it is a setting in firefox.
Click to expand...

That's the notice I was getting when I said that it was"crashing," and I was using Firefox.
 
tmyers said:
I keep getting a security notice.

Secure Connection Failed

The connection to the server was reset while the page was loading.

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

Maybe it is a setting in firefox.
Click to expand...

I had that stuff once, it was caused by some spyware/malware that would trigger the security on the far side and not allow the connection. Malware bytes took care of it.
 
denverpilot said:
As far as the password vaults go, they're a security problem waiting to happen, not good security. Encryption always gets cracked eventually. Ask the Germans.

I like their convenience, not their security.
Click to expand...

That's one of the things I'm worried about. It seems like it's setting up a "single point of failure."
 
Reminds me of a certain briefing many years back that was may have been made on speakerphone in a Cadillac full of PoA members. If I recall the proposed flight was in a 172 during a nasty blizzard with a VFR only pilot at night :)
 
denverpilot said:
As far as the password vaults go, they're a security problem waiting to happen, not good security. Encryption always gets cracked eventually. Ask the Germans.
Click to expand...

The theory is that "eventually" occurs after your lifetime or the lifetime of the information you're trying to protect. DES had a good run and AES seems to be doing well so far.

I'm more concerned about system-level security rather than the encryption algorithm. If I were trying to hack you I'd attempt a bit of social engineering, perhaps facilitate a side-channel attack.
 
Palmpilot said:
That's one of the things I'm worried about. It seems like it's setting up a "single point of failure."
Click to expand...

They're a much stronger single point of failure that's considerably more difficult to attack than the incredibly unsafe people do without them.

I've been using a password vault, of one form or another, for probably 10 years now. I don't reuse passwords anywhere. I understand and research the security strengths of whatever I'm using.

I am considerably more secure with than I am without.
 
Which one do you like?
 
asicer said:
The theory is that "eventually" occurs after your lifetime or the lifetime of the information you're trying to protect. DES had a good run and AES seems to be doing well so far.

I'm more concerned about system-level security rather than the encryption algorithm. If I were trying to hack you I'd attempt a bit of social engineering, perhaps facilitate a side-channel attack.
Click to expand...


I thought the first iterations of DES were cracked by distributed.net in the 90s and the answer was just to up the key length. Could be misremembering though.

I do know it doesn't take much money to build a massive cracking farm with the use of dedicated GPUs and government has enough bucks to build and buy ASICs custom made for the job, but they don't really need them with a cluster of GPU laden machines. Let's just say someone I know, knows just how much heat load a typical server box can handle stuffed with "video" cards and how much cooling each rack of them needs.

It's just a Cold War of compute horsepower vs key size at this point. Given enough time, they'll all be broken. Many sites are using 2048-bit or larger keys and I sure remember being told in the early part of my career that 64 or 128 bit would be plenty for personal encryption protection for a looooooong time. Nope.

Basically if your encryption isn't making a typical non-optimized CPU work hard, it's about two to three years before it's toast, and that's assuming no one finds a math error in the algorithm.

Seen the info on who was involved in AES and how much of it wasn't peer-reviewed? That's the real attack vector... Lets just hope those involved keep whatever they did a true secret. Many very serious security researchers won't use it or combine it with something else treating it as if it's already backdoored.

You and I bought a VERY big datacenter in Utah and pay the power bill on it. And all the salaries of everyone in it. Here's hoping the kids have fun with it. Nobody asked if we wanted to buy it.
 
denverpilot said:
I do know it doesn't take much money to build a massive cracking farm with the use of dedicated GPUs and government has enough bucks to build and buy ASICs custom made for the job, but they don't really need them with a cluster of GPU laden machines. Let's just say someone I know, knows just how much heat load a typical server box can handle stuffed with "video" cards and how much cooling each rack of them needs.
Click to expand...
Eh, not quite Nate, Pretty much anyone that's protecting anything even barely important these days is using AES-128 at minimum but really AES-256.

You're not going to crack AES-256 brute-force even if you are the Feds.

Let's say you take a GPU that can do 2 gigaflops. Now lets say that SOMEHOW you were able to buy a BILLION of them. Not even the Feds can hide buying a BILLION GPU(s). Nevermind having to power and cool the damn things.

It'd only take you 6.7e40 times longer than the age of the universe itself to work your way through half the keyspace of AES-256.

Back to the power problem. It'd take 1.5e11 watts to power that many GPU(s) and we're ignoring the whole cooling problem. How much power is that? Like 150 nuclear power plants worth.

By the way, if you do some digging you'll find GPUs significantly faster than the above I'm sure. But, it really doesn't matter, because the point still remains that it would take a ridiculous quantity of energy and time to go through the whole AES-256 keyspace.

Maybe super computers would be a better choice..Well, if you bought yourself 10e38 super computers and somehow figured out how to hide and cool and power the damn things without anyone noticing..Let's say you were thinking ahead and fired these bad boys up when the universe first formed. If you were running all that **** since that moment in time to today..you'd only be through half the AES-256 keyspace.

So, use AES-256 at minimum, and sleep well knowing that nobody is cracking it. If the Feds could crack AES-256 they would do so in high profile cases..but they don't..because well they didn't start 10e38 worth of supercomputers 14 billion years ago. They should have thought ahead...

And I'll repeat, one could probably come up with ways to improve the above by a couple times using newer fancier hardware. But a couple of times won't help you. Unless it can be brute forced in a short amount of time then nobody is going to try to brute force it. It's not like the Fed's can tie up their fastest **** for the next couple generations on your personal data.

denverpilot said:
It's just a Cold War of compute horsepower vs key size at this point. Given enough time, they'll all be broken. Many sites are using 2048-bit or larger keys and I sure remember being told in the early part of my career that 64 or 128 bit would be plenty for personal encryption protection for a looooooong time.
Click to expand...
Apples and Oranges. Yes, sites are using 2048 bit larger, some 4096 keys these days. That's not because something like AES-128 or AES-256 are broken that's because of the difference between asymmetric and symmetric encryption.

SSL/TLS uses asymmetric cryptography for the first stage of authenticating the connection. Once it is authenticated it negotiates a symmetric key that is used to encrypt/decrypt the actual data that is sent.

A 2048 bit asymmetric key is roughly the equivalent of a 128 bit symmetric key. Actually, the 128 bit symmetric key is stronger.

To sum this all up, if you want to break a strong encryption like AES-256, even if you are the Feds, you're going to do so by stealing the key which will be a HELL of a lot easier than brute forcing which really isn't an option no matter how much money you have. Yes, at some point in the future it may be easier to brute force but at that point encryption will have advanced to keep up and your AES-256 data probably is stale and no longer worth stealing.

I have a lot of apples in the basket of AES-256 keeping our company and my future safe. I lose sleep over security concerns from time to time, but it's certainly not because I'm afraid someone would brute force our most critical data which is encrypted with AES-256. Not only that, every record has a different encryption key...
 
Last edited:
denverpilot said:
I thought the first iterations of DES were cracked by distributed.net in the 90s and the answer was just to up the key length. Could be misremembering though.
Click to expand...

It was never fully cracked. There were some discoveries that made faster-than-brute-force attacks possible. It still took them a day or two recover 1 key and even then it required known plaintext. The answer was triple-DES (i.e. run the algorithm 3 times using 2 or 3 different keys). Still, 20+ years on the plain-jane version is pretty good run. Just how long does your data need protection? And are you unable to re-encrypt it with the latest algorithm?

denverpilot said:
Seen the info on who was involved in AES and how much of it wasn't peer-reviewed? That's the real attack vector... Lets just hope those involved keep whatever they did a true secret. Many very serious security researchers won't use it or combine it with something else treating it as if it's already backdoored.
Click to expand...

Actually it was DES that had stuff that was not reviewed. Specifically, the NSA gave an alternate set of S-boxes without explanation. The algorithm for forming the S-boxes in AES is published.

jesse said:
To sum this all up, if you want to break a strong encryption like AES-256, even if you are the Feds, you're going to do so by stealing the key which will be a HELL of a lot easier than brute forcing which really isn't an option no matter how much money you have.
Click to expand...

Yup. Even if brute force were an option a simple key logger or even a pretty escort with a bottle of absinthe is a whole lot cheaper and easier than a multi-acre data center that needs several terawatts to feed it.
 
Geez.....

You computer guys are quite entertaining....:yes:.........:D
 
Ha. Sorry Ben.

It'll be interesting to keep these true-believer posts around and see how many years it really is before they're cracked or significantly under question.

Doesn't matter anyway. Our formerly innocent until proven guilty courts have decided that if you refuse to type the password to unencrypt your data, you're held in contempt and imprisoned. There's no expectation of 5th Amendment rights when it comes to personally encrypted data.

So you get to decide if whatever you have encrypted is worth being held indefinitely.

Plus using encryption is still a generally PITA decades after PGP hit the scene. We've had the technology to non-repudiate emails now with PKI going on over 20 years and no one uses it. That plus TLS between servers would have ended spam completely, without stealing someone's private key.

But then again, we can't write a web browser yet that doesn't put the OS as risk and is still functional, and never will.

Implementations suck, even if the math is pretty good.

None of it is where it needs to be for an open untrusted worldwide computer network.

Anyway. We'll see when AES falls. It will. And it'll be before I'm dead.
 
I clicked on a post about VFR weather and somehow ended up reading a rant about encryption. :dunno:
 
You must log in or register to reply here.
Back
Top