Security and safety

Recently people who use Mac computers have asked me about security. Good question. I’d say they are pretty secure. They didn’t ask me about safety. That is a different question. I will try to explain why:

The only safe operating system is the one that is turned off, disconnected and preferably locked in a safe. And even then, it only takes one human to breach that security. As long as it is not turned on, or plugged into a network, it is still secure, but not safe.

Now, if you understand those rules, you can maneuver pretty safe and secure on the internet.

To do so, there are some simple rules you can follow:

Choose an operating system that is released as open source (why? because everything is transparent, every single bit of your operating system is out there, people know about it, good hackers and bad hackers the like, history has proven this, you are more vulnerable with a Microsoft (closed source) OS than with any obscure linux variant out there). Apple is turning towards the Microsoft side, but is at least based on a BSD unix variant, so, as long as you don’t give out your password to install the next .dmg you download, you are pretty safe (even if history has proven that Mac users are the least computer savvy users out there, you just got lucky that it’s in essence a unix machine)

Choose an operating system that is maintained (what does that mean? simply, the more people that are working on it, the more people who know a lot more than you do about operating systems are working on it) If more people are working on it, it does not mean it is not ready yet, it actually most often means that those good hackers are quite fond of it (pick any popular linux or freebsd version, it’s free and people are actively working on it to make it the most secure system they can think of)

Third, be a user when you can, only change into an administrator if you need to be. The way the unix (and alike) operating systems were designed was about giving users power to do things, but not to disrupt other users. I personally change into my root clothes when I think it’s time to delete a user account that has been compromised, or at least leans towards it or when I’m simply done with it. And since I have the power to become root, I can always create a new user.

Finally, and absolutely not the least, don’t be lazy, don’t reuse that password on website nr1 you used for website nr2, unless you don’t care about either of these (this is a rule I break often, I start out with using a weak password until I think I really want to keep that account).

Don’t use that service name in your password. Cryptology is only as smart as you are. You can have all your keys encoded in (who cares) 8 gigabyte keys, but if you use “-facebook” for facebook and “-twitter” for twitter, the other party already has 50% of your password decoded.

No matter how many bits you use to encrypt it, if they know half the message, it’s pretty useless because knowing what you are looking for makes it easy. (Really don’t want to go into details here, but you can understand that looking for “Hi Mom!” in a decrypt is easier if you are sure it contains “Hi Mom!” then if you don’t know that it should contain that)

A password like ‘IchHateMeinFuckingFriendDieZesBlocksDownWoont’ (normal words, but 3 different languages) is far more effective than the not so random ‘qwerty123’, especially if you, as a hacker, already know that the password is going to end in the plaintext ‘-facebook’. (and it is easy to remember). As with anything, but especially in cryptoanalysis, if you already know what you are looking for, it is easier to find it.

Coming back to the 3 language 10 words password, it is 46 characters, let’s assume we only use lowercase, that would be 26^42 combinations. Being able to use uppercase makes it 52^42, include numbers, 62^42, giving a resolution of 1.9074403212938070052188251342723e+75 possible combinations.

With this I’d also advice to look at how the password is used. Yes, the iphone number password is actually quite safe, BUT ONLY if you turned on the feature to wipe the phone after 10 misses. If you don’t, it’s just 10000 tries in which case brute force works. And quickly too. Even the hardware of the iphone you are trying to crack is much faster in 0-10000 than you are. Don’t forget, the computing power in your pocket supersedes in many magnitudes the computing power that was used to put a man on the moon.

Don’t underestimate brute force, as a rule, it takes only 1/2 to crack it. Either they get it right at ‘A’ or at the end at ‘ZZZZZZZZZZZ’, on average it is half and brute force is actually one of the ‘cracking algorithms’ that is 100% sure to crack any code, unless it is accompanied by a total wipeout, as the iphone offers. Use it. Objects that completely lock after X tries are much safer than object that use whatever amount of gigabytes for keys. Imagine what luck you need to crack a safe if you have the previously amount of options (1.9074403212938070052188251342723e+75) with only 10 tries. Brute force is completely useless against systems that lock.

But, it’s not completely useless. If it’s a digital safe? it can be copied. You may lock after 10 tries, but if I can make 1.9074403212938070052188251342723e+75 copies, I only need to try 1 combination per copy. So what do you learn from this? If someone wants to crack you, and if they have enough resources, they can and will. The safest place to keep really private information is still locked in your brain. You will never be secure if your brain is not safe.

As per today, 25/04/2012, they haven’t found a way to secure anything that was saved in your brain and as long as you keep it there, it can’t be protected by security