Comments for Labix Blog http://blog.labix.org by Gustavo Niemeyer Wed, 10 Mar 2010 15:15:34 +0000 http://wordpress.org/?v=2.9.2 hourly 1 Comment on Recovering a bootable EBS image by Victor http://blog.labix.org/2010/03/09/recovering-a-bootable-ebs-image/comment-page-1#comment-76073 Victor Wed, 10 Mar 2010 15:15:34 +0000 http://blog.labix.org/?p=250#comment-76073 Wow. That is so elegant and logical and clearly explained. Brilliantly goes through what could be a complex process and makes it obvious. Wow. That is so elegant and logical and clearly explained. Brilliantly goes through what could be a complex process and makes it obvious.

]]> Comment on Breaking into an Android password manager – Practice by Rik Hemsley http://blog.labix.org/2009/12/05/breaking-into-an-android-password-manager-practice/comment-page-1#comment-75412 Rik Hemsley Mon, 22 Feb 2010 15:00:21 +0000 http://blog.labix.org/?p=230#comment-75412 I'd like to see your analysis of keepassdroid. I’d like to see your analysis of keepassdroid.

]]> Comment on Breaking into an Android password manager – Practice by gbrors http://blog.labix.org/2009/12/05/breaking-into-an-android-password-manager-practice/comment-page-1#comment-72554 gbrors Mon, 07 Dec 2009 19:52:01 +0000 http://blog.labix.org/?p=230#comment-72554 By the way I own and have read parts of the books "Practical cryptography" and "Applied Cryptography" by Bruce Schneier. Even with open source solutions you are forced to enter a long and cryptic master key if you want to defeat brute force attacks.I guess that 99.5% of the users would not do it, but use a weak master key that can be broken with brute force attacks. My solution with the "unlock key" was wrong, but right now I see no real solution to the problem, because the Java cryptography API implemented in the Android system helps brute force attacks by throwing an exception when trying to decode with a wrong master key. If it did not, but just gave back some randomly decoded bytes, I could develop a much more clever solution similar to one that was developed by a German research institute: http://www.mobilesitter.de/en/result.htm By the way I own and have read parts of the books “Practical cryptography” and “Applied Cryptography” by Bruce Schneier. Even with open source solutions you are forced to enter a long and cryptic master key if you want to defeat brute force attacks.I guess that 99.5% of the users would not do it, but use a weak master key that can be broken with brute force attacks. My solution with the “unlock key” was wrong, but right now I see no real solution to the problem, because the Java cryptography API implemented in the Android system helps brute force attacks by throwing an exception when trying to decode with a wrong master key. If it did not, but just gave back some randomly decoded bytes, I could develop a much more clever solution similar to one that was developed by a German research institute: http://www.mobilesitter.de/en/result.htm

]]> Comment on Breaking into an Android password manager – Practice by Gustavo Niemeyer http://blog.labix.org/2009/12/05/breaking-into-an-android-password-manager-practice/comment-page-1#comment-72524 Gustavo Niemeyer Mon, 07 Dec 2009 02:08:12 +0000 http://blog.labix.org/?p=230#comment-72524 Thanks David. Unfortunately, given the comments right above, it looks like he didn't read it yet. Gunter, you seem to blame Android for a problem that actually lies in the application itself. No matter how hard it is to disassemble an application (and trust me, other platforms aren't much harder than this), if the application security depends on not having the source code, the application is badly engineered. Using an obfuscator will just serve to prove that its security is not to be trusted. Following David's suggestion and reading some papers and articles by people like Bruce Schneier might be enlightening. Thanks David. Unfortunately, given the comments right above, it looks like he didn’t read it yet.

Gunter, you seem to blame Android for a problem that actually lies in the application itself. No matter how hard it is to disassemble an application (and trust me, other platforms aren’t much harder than this), if the application security depends on not having the source code, the application is badly engineered. Using an obfuscator will just serve to prove that its security is not to be trusted.

Following David’s suggestion and reading some papers and articles by people like Bruce Schneier might be enlightening.

]]> Comment on Breaking into an Android password manager – Practice by David Allouche http://blog.labix.org/2009/12/05/breaking-into-an-android-password-manager-practice/comment-page-1#comment-72511 David Allouche Sun, 06 Dec 2009 14:02:15 +0000 http://blog.labix.org/?p=230#comment-72511 Nice job Gustavo. I hope the author of this app will read some Bruce Schneier before making bold security claims the next time. Nice job Gustavo.

I hope the author of this app will read some Bruce Schneier before making bold security claims the next time.

]]> Comment on Breaking into an Android password manager – Practice by gbrors http://blog.labix.org/2009/12/05/breaking-into-an-android-password-manager-practice/comment-page-1#comment-72506 gbrors Sun, 06 Dec 2009 12:59:17 +0000 http://blog.labix.org/?p=230#comment-72506 Thank you for your good work. It shows how easy it is to manipulate and change the Java apps of Android, so it is useless trying to implement a copy protection or registration solution. I'm looking for a good obfuscator, as it might make it more difficult for hackers. I released version 1.2.0 of gbaSafe where the problem with the weak key is solved. Thank you for your good work. It shows how easy it is to manipulate and change the Java apps of Android, so it is useless trying to implement a copy protection or registration solution. I’m looking for a good obfuscator, as it might make it more difficult for hackers.
I released version 1.2.0 of gbaSafe where the problem with the weak key is solved.

]]> Comment on Breaking into an Android password manager – Theory by Gustavo Niemeyer http://blog.labix.org/2009/12/01/breaking-into-an-android-password-manager-theory/comment-page-1#comment-72490 Gustavo Niemeyer Sun, 06 Dec 2009 01:01:47 +0000 http://blog.labix.org/?p=203#comment-72490 It's good to know that some of the issues are being fixed. That said, these comments above just reinforce my worries about the application, unfortunately. Unbreakable algorithms, dumb thieves, associating the use of good passwords with "absolute" security (it's <i>some security at all</i>, really)... I can't provide more insight than I already did in these couple of posts at this point, but I do recommend taking a step back and researching a bit more about security before exposing your name next to a security-oriented software which you're selling people. It’s good to know that some of the issues are being fixed. That said, these comments above just reinforce my worries about the application, unfortunately.

Unbreakable algorithms, dumb thieves, associating the use of good passwords with “absolute” security (it’s some security at all, really)…

I can’t provide more insight than I already did in these couple of posts at this point, but I do recommend taking a step back and researching a bit more about security before exposing your name next to a security-oriented software which you’re selling people.

]]> Comment on Breaking into an Android password manager – Theory by Breaking into an Android password manager – Practice « Labix Blog http://blog.labix.org/2009/12/01/breaking-into-an-android-password-manager-theory/comment-page-1#comment-72487 Breaking into an Android password manager – Practice « Labix Blog Sun, 06 Dec 2009 00:38:18 +0000 http://blog.labix.org/?p=203#comment-72487 [...] Archives « Breaking into an Android password manager – Theory [...] [...] Archives « Breaking into an Android password manager – Theory [...]

]]> Comment on Breaking into an Android password manager – Theory by gbrors http://blog.labix.org/2009/12/01/breaking-into-an-android-password-manager-theory/comment-page-1#comment-72483 gbrors Sat, 05 Dec 2009 23:13:13 +0000 http://blog.labix.org/?p=203#comment-72483 I've changed the program so that by default no key is stored in any way, but the user must enter the long master key when starting the program (the short unlock key is still an option for people like myself that prefer ease of use to absolute security, guessing that normal thieves would not invest much time trying to get my secrets with brute force attacks). So if the user chooses a good master key and doesn't use the optional unlock key, then the secrets are really unbreakable (with AES-256). The version 1.1.1 will be published on Sunday. I’ve changed the program so that by default no key is stored in any way, but the user must enter the long master key when starting the program (the short unlock key is still an option for people like myself that prefer ease of use to absolute security, guessing that normal thieves would not invest much time trying to get my secrets with brute force attacks). So if the user chooses a good master key and doesn’t use the optional unlock key, then the secrets are really unbreakable (with AES-256). The version 1.1.1 will be published on Sunday.

]]> Comment on Breaking into an Android password manager – Theory by ben http://blog.labix.org/2009/12/01/breaking-into-an-android-password-manager-theory/comment-page-1#comment-72433 ben Fri, 04 Dec 2009 21:47:32 +0000 http://blog.labix.org/?p=203#comment-72433 I am interested then as to what the best password manager for android would be then? Google Secrets, KeePassDroid, SplashID, etc.? Thanks for pointing this out either way and hope the Hero is treating you well. I am interested then as to what the best password manager for android would be then? Google Secrets, KeePassDroid, SplashID, etc.?

Thanks for pointing this out either way and hope the Hero is treating you well.

]]>