A $5 Tool Called PoisonTap Can Hack Your Locked Computer In One Minute (vice.com) 172
An anonymous reader quotes a report from Motherboard: A new tool makes it almost trivial for criminals to log onto websites as if they were you, and get access to your network router, allowing them to launch other types of attacks. Hackers and security researchers have long found ways to hack into computers left alone. But the new $5 tool called PoisonTap, created by the well-known hacker and developer Samy Kamkar, can even break into password-protected computers, as long as there's a browser open in the background. Kamkar explained how it works in a blog post published on Wednesday. And all a hacker has to do is plug it in and wait. PoisonTap is built on a Raspberry Pi Zero microcomputer. Once it's plugged into a USB port, it emulates a network device and attacks all outbound connections by pretending to be the whole internet, tricking the computer to send all traffic to it. Once the device is positioned in the middle like this, it can steal the victim's cookies, as long as they come from websites that don't use HTTPS web encryption, according to Kamkar. Security experts that reviewed Kamkar's research for Motherboard agreed that this is a novel attack, and a good way to expose the excessive trust that Mac and Windows computers have in network devices. That's the key of PoisonTap's attacks -- once what looks like a network device is plugged into a laptop, the computer automatically talks to it and exchanges data with it.
News at 11 (Score:5, Informative)
Physical access to equipment trumps (Trumps, heheheh!) almost all security. News at 11.
Re:News at 11 (Score:5, Insightful)
Physical access, browser running, and it only work if you use cookies on sites that don't require SSL.
At that point it s probably best to invest that $5 in a box-cutter and force the user to give your their password.
Re: (Score:3)
and it only work if you use cookies on sites that don't require SSL.
You mean, except for the part where they are able to hijack any site that uses Google's, jQuery's, or other scripting CDN by replacing the legit Javascript with a version that opens a persistent connection to the attacker's server, through which they can serve up anything to your browser? Or the part where they strip out a whole slew of HTTP header security features by serving up fake, insecure versions that they tell your browser to perma-cache for every single one of the Alexa top 1,000,000 sites? Or the
Re:News at 11 (Score:5, Insightful)
It's basically a MITM attack. There's no difference between this and using a malicious network router. In fact, that's exactly what this is. The only difference is that you're connecting directly to the computer and pretending to be a network adapter rather that it being something upstream.
If a malicious actor has physical access to your PC, then this is the *least* of your worries. There are all sorts of things that could be done.
Re:News at 11 (Score:5, Funny)
If a malicious actor has physical access to your PC, then this is the *least* of your worries.
True. I don't even want to think about what Russell Crowe would do if he had physical access to my computer.
Re: (Score:2)
It's times like this I wish I could mod posts on the same article I posted a comment on.
apk you are forgiven (Score:2)
APK, you asked for forgiveness, and I forgive you.
https://hardware.slashdot.org/... [slashdot.org]
Maybe it's time to move on with your life.
Re: (Score:1)
Not really. Even when SSL is used, a redirect to HTTP can be forced. If the cookie doesn't have the "Secure" flag, it will happily send the cookie over HTTP in this case.
Re: (Score:2)
Forcing with a box-cutter at least gives the user the knowledge they've been compromised, so not realyl the same thing.
Re: (Score:2)
So if you had to choose you'd prefer to be box-cutted than quietly hacked?
Re: (Score:3)
It's the default setting for every major OS, apparently. It exploits a weird quirk where it claims the the entire Internet is part of its LAN, which causes it to get priority over any existing connections to the Internet you might have, since they'll all be via WAN. It won't work on any computer, but it will work on most.
Re: (Score:1, Informative)
It won't work on any computer but Microsoft Windows computer. It is like the autoexec cd-rom all over again.
If they want to make it work on ALL computer, they need to use a Ethernet interface.
Re: (Score:1, Funny)
> Major OS
> It won't work on any computer but Microsoft Windows computer.
That's what he said.
Re: (Score:3)
It won't work on any computer but Microsoft Windows computer.
Blind hope that your choice of operating system is safe is the worst form of security. From the article:
PoisonTap emulates an Ethernet device (eg, Ethernet over USB/Thunderbolt) - by default, Windows, OS X and Linux recognize an ethernet device, automatically loading it as a low-priority network device and performing a DHCP request across it, even when the machine is locked or password protected
Re: (Score:2)
When you deliberately choose and operating system so inconvenient by default that it's not even part of the mainstream conversation, it's hardly blind hope.
USB Tethering: How to auto-configure? [freebsd.org]
Re: (Score:3)
The problem is HOW do you patch it.
It's going to involve a heavy user space network manager to do it, because the way it works the simple routing engine the kernels have is the root cause.
You also need to consider that you may be connected to WiFi, and Ethernet devices always have routing priority over WiFi (being wired, the metric of connection is lower than WiFi) in practically every OS.
Then you have to consider the ethernet device might already be
Re:News at 11 (Score:4, Funny)
The problem is HOW do you patch it.
It is easy. Do what Apple does and remove the ports while requiring users to buy new systems.
Re: (Score:2)
Re: (Score:2)
That's not what the original blog post said:
PoisonTap responds to the DHCP request and provides the machine with an IP address, however the DHCP response is crafted to tell the machine that the entire IPv4 space (0.0.0.0 - 255.255.255.255) is part of the PoisonTap’s local network, rather than a small subnet (eg 192.168.0.0 - 192.168.0.255)
Re: (Score:2)
Re: (Score:2)
Indeed. Boot the pc on a USB Linux, mount the computer disk, enjoy.
... and risk getting stuck at bios password. Get around that and get stuck at disk encryption password (usb boot not enabled). Re-enable usb boot in bios and unable to mount encrypted disks. Or, stick this thing in a usb port for a bit and get access to everything remotely thereafter. Never reboot a box if you can avoid it.
'This text can hack your computer' (Score:1)
Even better flamebait :
'This text can hack your computer'
just by reading this text, your computer has been hacked!! of course you need to have physical access to the computer and the person, a baseball bat, a wrench, an installation of kali linux on a usb drive, a non encrypted disk, cotton candy, and a captain crunch whistle ( optional, but very amusing )
Re: (Score:3)
Re: (Score:3)
Even better flamebait :
'This text can hack your computer'
just by reading this text, your computer has been hacked!!
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Tag.
Title and summary are complete bullshit (Score:1)
This attack can in no way determine operating system passwords. It cannot "hack your locked computer".
Now if they had described powering off the computer and then booting it from external media running something like l0phtcrack, then they would be actually "hacking your (no longer) locked computer" - that's only if you do not have a bios power-on password set.
Hey, if I have physical access why not just remove the hard-disk(s) and put it in another system?
And neither of these approaches would be news.
This is
Okay... (Score:5, Informative)
"Once the device is positioned in the middle like this, it can steal the victim's cookies, as long as they come from websites that don't use HTTPS web encryption, according to Kamkar."
While I do think the fact that this works at all is problematic... if you're doing anything non-trivial on any website which doesn't employ https, that information has likely been available to anyone who really wanted it already.
Re: (Score:2)
I did this in college since our dorm still had a Hub. How is this new (other than being smaller)?
Re: (Score:2)
Exactly, won't a more useful tool be one that clones the SID and MAC of a open WAP at a coffee shop, over powers the existing network, and then forcefully disconnects all the clients so they reconnect automatically to the hacking device?
Only people using their own data connections would be safe, but who actually does that versus using the free connection?
You could then do everything this does without needing to physically connect to the machine.
Re: (Score:2)
Only people using their own data connections would be safe...
Or those using a VPN.
Re: (Score:1)
Re:Okay... (Score:5, Insightful)
if you're using your computer and you didn't notice the paperback-sized device plugged into one of your USB ports, you may have other problems.
Corporate users hardly notice anything odd plugged into their systems. I could set a bowling ball under their desk and they probably wouldn't ask about it for a month, because that's not their job. They're far too busy doing the other three jobs they maintain now.
For those of us managing the average user community, the problem is far more systemic than you dismiss here. Behavior modification is one of the hardest jobs in Security.
Re: (Score:2)
Behavior modification is one of the hardest jobs in Security.
That's what the sucker rod is for...
rgb
Re: (Score:2)
Anyone want to weigh in? I know OpenVPN uses a similar routing entry to preempt traffic and force it into the VPN tunnel.
Re: (Score:2)
if you're using your computer and you didn't notice the paperback-sized device plugged into one of your USB ports, you may have other problems.
I walk into a lot of work places. What I see are a lot of those old "tower" boxes. You wouldn't see anything plugged into the back of one of those. Also, the device doesn't have to stay there forever. Not super-convenient, but workable. Also, the device is the size of a small cell phone, not the size of a paperback, and with a longer cable, and a little creativity, could be disguised and/or placed out of sight.
Re: (Score:2)
Re: (Score:2)
The Raspberry Pi zero dimensions [raspberrypi.org] are 65 x 30 x 4.5mm [raspiworld.com]
Re: (Score:2)
Does it need to be plugged directly into the desktop? Why not use a USB cable to hide it. Or the back of a monitor (many have USB hubs built-in now).
There's many ways to hide these devices. The vast majority of users don't look over their work area before they start working.
Isn't this (Score:1)
just a run of the mill man in the middle attack? How is that novel? And, where's the part where they break into the actual computer?
Re: (Score:2)
it's stupid and could be WAY "better". (Score:4, Insightful)
what's puzzling is that why it doesn't just get full access as YOU COULD JUST REDIRECT THE STUFF TO SOMETHING THAT CAUSES WINDOWS TO SEND THE MS ACCOUNT PASSWORD AND USERNAME IN PLAIN TEXT.. and while at that create a tunnel that stays once it gets plugged to real internet.
how is plugging a computer into a network an offline attack?
requiring physical access is less novel, especially when there are a number of attacks described where if you can place something like that, you could just get the keyboard codes by audio, em and a number of other ways - or heck, do this attack over recording the led at the router.
also it requires you to be logged into the sites already, the sites to not be https.. sorry about the yelling but this seems like a dolt just taking an existing concept, putting it on a raspberry pi and claiming fame based on that.
Re: (Score:1)
what's puzzling is that why it doesn't just get full access as YOU COULD JUST REDIRECT THE STUFF TO SOMETHING THAT CAUSES WINDOWS TO SEND THE MS ACCOUNT PASSWORD AND USERNAME IN PLAIN TEXT.. and while at that create a tunnel that stays once it gets plugged to real internet.
because to send it to the MS account site you would need to man in the middle the SSL tunnel which in turn requires you to have either compromised the computer already with a fake CA to be trusted or have a compromised public CA. basically nothing at all remotely interesting with this attack.
Re: (Score:2)
Windows versions since Vista won't send plaintext passwords without the user first confirming that the network is a trusted one. I think since 8 they disabled even that, or it might have been 8.1.
Re: (Score:3)
just a run of the mill man in the middle attack? How is that novel? And, where's the part where they break into the actual computer?
Why not RTFA? You don't even have to google - the links are right at the top of this page.
Pi Zero (Score:4, Interesting)
Yet another interesting use of a Raspberry Pi Zero. Give people a $5 computer and they just have to come up with something to use it for.
Obligatory xkcd (Score:5, Funny)
Re: (Score:1)
$5 hammer, $5 Pi. Well played sir, well played.
Obligatory xkcd (Score:5, Funny)
https://xkcd.com/386/ [xkcd.com]
Not the worst that can happen (Score:3, Informative)
Re: (Score:3)
If you have physical access and the computer is on, you can already read the contents of RAM with some specialized hardware. That gives you access to pretty much everything.
I think the more valid point being made here is the "specialized hardware" in this case costs five bucks, and can be purchased pretty much anywhere by anyone.
Re: (Score:2)
If you have physical access and the computer is on, you can already read the contents of RAM with some specialized hardware. That gives you access to pretty much everything.
The Amiga used Sram for memory. You could play say the game "Blood Money", turn off the system and then boot up with a disk with a program to view the memory.
You could then grab the haunting music of the game or any other sound byte
https://www.youtube.com/watch?... [youtube.com]
Sram is in just about everywhere now, even Intel CPU's use it for it's speed and ability to maintain it's contents without being refreshed. You really can't tell what's it's being using in anymore.
I always turn off my system(s) for an extended per
Re: (Score:2)
The Amiga used Sram for memory.
no it didnt
Re: (Score:2)
The Amiga used Sram for memory.
no it didnt
Yep sure did. I should of been more specific, the Amiga 3000 came with 2megs stock (a guess) that was just memory, opposite that memory were memory slots for Sram you purchased separately, it was the only ram that would fit. I put in 10 megs of Sram which disabled the stock memory. I ran a Cnet BBS from it, an 8 line chat board so not much else. I'd search the Sram every now and again just to see what was there.
Had a friend not sure what Amiga he had I thought a 500. It was what he did, he ripped music out
Re: (Score:2)
No. Amiga used DRAM just like every home computer of that period. You are confusing couple of things.
1 you can reset machine without losing ram contents, this was possible in pretty much every computer at the time.
2 ramdisk for storing files in ram.
SRAM is static, that means you dont need to refresh it = you can power down whole computer leaving only ram voltage rail. This is how storage worked on early portables like portfolio.
Re: (Score:2)
No. Amiga used DRAM just like every home computer of that period. You are confusing couple of things.
1 you can reset machine without losing ram contents, this was possible in pretty much every computer at the time.
2 ramdisk for storing files in ram.
SRAM is static, that means you dont need to refresh it = you can power down whole computer leaving only ram voltage rail. This is how storage worked on early portables like portfolio.
Don't know if you went through the "computer wars", but to purchase an Amiga was was to put ones self on the front line. I could of really gone off on this thread, a direction of nobodies real interest, or use.
The main point of my first post was that Sram is everywhere and a reboot isn't resetting ones system, it takes a full shutdown and a wait.
"SRAM is also used in personal computers, workstations, routers and peripheral equipment: CPU register files, internal CPU caches and external burst mode SRAM cache
Re: (Score:2)
there is no sram in amigas (except for 768 bytes of palette inside Lisa chip)
The difference between sram and dram is _not_ that one of them can keep the data over a reset, its that one of them keeps data without explicit _refresh cycles_ when rest of computer is powered down completely. Reboot is not doing ANYTHING to ANY type or ram. Resetting a running computer without stopping current program was standard on Intel 286 (dram simms) when switching from protected mode back to real addressing: https://blogs. [microsoft.com]
Re: (Score:2)
so again, there never was any sram in amigas
I have an 8 Meg expansion card for the 2000, I only got as far as I needed
http://amiga.resource.cx/searc... [resource.cx]
ps: I fix computers on a component level since nineties :/
Got a late start eh, I don't think many on /. haven't worked on computers
Re: (Score:2)
I have an 8 Meg expansion card for the 2000, I only got as far as I needed
http://amiga.resource.cx/searc... [resource.cx]
1 this is A500 expansion
2 this is fast ram expansion, Amiga stores images/sounds in the chip ram (separate memory bus) so even if you had third party sram expansion it would do nothing for you because pictures and music was stored in different part of the computer. Amiga rasterizer and sound chips had no access to fast ram (where this particular sram extension installs). https://en.wikipedia.org/wiki/... [wikipedia.org]
3 again - what you described (reset to rip memory content) _never_ required special memory type. You coul
Re: (Score:2)
Got a late start eh, I don't think many on /. haven't worked on computers
cute :)
I get it man, you miss remembered something and now just cant let go. Its ok, its not the end of the world. I will leave you and your cognitive dissonance in peace.
If I found it to be Sram you can sure bet I'd of sent off a message, so in all fairness.
I stopped by my storage today to pick my stereo with no HDMI. I'm going digital optical connections instead - it's a much nicer receiver.
Just so happened all my Amigas were there, so I brought the 3000 home, snapped a shot of the ram and found it's not Sram and it's not Dram
it's called static column ram - which is as close to Sram as you can get (but not Sram, yet we called it that). In fact if you search for 9A9Z you ge
Re: (Score:2)
so I brought the 3000 home, snapped a shot of the ram and found it's not Sram and it's not Dram
it's called static column ram - which is as close to Sram as you can get (but not Sram, yet we called it that).
Its not close to sram at all other than similarly sounding name, as I wrote in previous post it is an improved variant of page mode DRAM:
>and here a definition of "static column mode" in case you would somehow think this means SRAM: https://www.jedec.org/standard... [jedec.org]
even wiki has a section on it https://en.wikipedia.org/wiki/... [wikipedia.org]
In fact if you search for 9A9Z you get all sorts of answers of what it is.
datasheet: http://datasheet.datasheetarch... [datasheetarchive.com]
a big hints are
-a whole timing diagrams section on refresh
-multiplexed address bus
-fact 4Mbit sram chips didnt exist until 1993, and wh
Re: (Score:2)
Which widely used computers encrypt RAM?
Re: (Score:3)
Re: (Score:3, Interesting)
Not yet, but AMD Zen CPUs will have such a feature. Have some articles:
http://wccftech.com/amd-zen-en... [wccftech.com]
http://www.phoronix.com/scan.p... [phoronix.com]
http://www.redgamingtech.com/a... [redgamingtech.com]
old news (Score:2)
Re: (Score:2)
(don't whooosh me or you'll be whoooshed in return!)
Next from Kamkar: plain text can be read anywhere (Score:2)
You don't even need access to the computer to do this "hack" - just use an existing network cable or be on the same network and you can read and modify any plain text sent over the wire. This isn't even "new", compromised USB network cards were all the rage 10 years ago when they first came out with those wallplug computers (before RPi even existed)
There is some novelty here (Score:5, Interesting)
Sure, you can do anything with physical access if you have some time on your hands.
Sure, you can be persistent if you can leave something behind, like a modified keyboard.
Sure, you can be persistent if you can install something, but that USUALLY requires either the ability to use the mouse or keyboard on an unlocked machine or tricking the user to do so for you.
The novelty here is that it's a "plug it in, wait a few minutes, unplug it, and walk away" compromise, AND it doesn't make any permanent hardware changes such as blowing up your PC by sending a few hundred volts down the USB ports.
It's also novel in that it exposes a design flaw that should've been noticed and widely discussed decades ago.
By the way, am I the only one that remembers Thick Ethernet, aka 10BASE5, and its "vampire taps"?
Re: (Score:3, Insightful)
Re: (Score:3)
well gosh golly gumpers, I can also plug an evil thing into the ethernet jack, and then plug that evil thing into the wired network, and do all manner of bad also. Hell I can substitute an evil hub for a good one and do even more bad. where will it end?
*snooze*
What is this "ethernet jack" you speak of (Score:3)
well gosh golly gumpers, I can also plug an evil thing into the ethernet jack, and then plug that evil thing into the wired network, and do all manner of bad also. Hell I can substitute an evil hub for a good one and do even more bad. where will it end?
*snooze*
I have no ethernet jack - I have a Mac, you insensitive clod.
Re: (Score:2)
I can also plug an evil thing into the ethernet jack, and then plug that evil thing into the wired network, and do all manner of bad also. Hell I can substitute an evil hub for a good one and do even more bad. where will it end?
*snooze*
You didn't read TFA. It requires an available USB port and a minute or two. That's it. It does not require pass through and does not interrupt the network connectivity of the running machine, and has a good chance to work on an average workstation (a workstation that is locked with a web browser open). It also is an incredibly cheap tool:
It requires a $5 Raspberry Pi, a microSD card of probably 4GB or greater, and a USB micro cable. It doesn't even need to be powered, as the Pi is powered from the host.
Re: (Score:2)
I read TFA. If I have physical access to machine there is no end to the bad things I can do. Not impressed
Re: (Score:2)
how many of them can you do without even unlocking the screen and thereby indicating to the user that something changed? (Serious question - the two factors here that seem to make it interesting are low cost and low visible impact.)
Re: (Score:2)
It also is an incredibly cheap tool:
It requires a $5 Raspberry Pi, a microSD card of probably 4GB or greater, and a USB micro cable. It doesn't even need to be powered, as the Pi is powered from the host.
A $5 R-Pi is actually substantially more expensive for everyone who doesn't live near a Micro Center. (Why oh why can't they put it in Rat Shack? I have one of those near me. They are everywhere. Oh, that's why. They can't make that many.) But a $9 CHIP can be had for less than typical Pi Zero prices on the interwebs, and it has onboard flash.
Re: (Score:2)
It also is an incredibly cheap tool: It requires a $5 Raspberry Pi, a microSD card of probably 4GB or greater, and a USB micro cable. It doesn't even need to be powered, as the Pi is powered from the host.
A $5 R-Pi is actually substantially more expensive for everyone who doesn't live near a Micro Center. (Why oh why can't they put it in Rat Shack? I have one of those near me. They are everywhere. Oh, that's why. They can't make that many.) But a $9 CHIP can be had for less than typical Pi Zero prices on the interwebs, and it has onboard flash.
Adafruit and other online vendors have had them in stock for most of the year. Can the CHIP connect as a USB device?
Useful for Espionage (Score:1)
Made me think about who this will really affect. I mean who among us really leaves their browser window open and then logs out or times out from inactivity? I don't simply not to waste the cpu cycles when I know I'll be afk for long enough for inactivity to log me out. Most people I think this could affect are businesses and corporate workstations. They usually have a very short inactivity timer, log out whenever afk, and leave their browsers open while logging out. If your next thought is well who wan
Joke's on you (Score:5, Funny)
My Macbook doesn't have any USB ports!
Re: (Score:1)
nice one ;)
Re: (Score:2)
Comment removed (Score:4, Funny)
He'll have to buy an Apple dongle for $200 (Score:1)
The attacker will have to buy an Apple dongle for $200.
Re: (Score:2)
Re: (Score:2)
The latest Macs don't even have many ports of which to speak. Did the attacker bring a dongle with them?
The $9 adapter approximately doubles the cost of the kit, on top of the $5 pi, mSD card and usb micro cable:
http://www.apple.com/shop/product/MJ1M2AM/A/usb-c-to-usb-adapter?fnode=85
Re: (Score:2)
general USB insecurity problem (Score:1)
a good way to expose the excessive trust that Mac and Windows computers have in network devices.
The problem is wider. The trust is wrongfully placed on USB devices in general, not just network devices. The simple fact that OS X and Windows auto-mount anything inserted into their slots is just pissing me off. I think some "user-friendly" Linux distributions are also doing that. It's too hard to click an "allow" button anymore, not to mention using the terminal to type mount commands.
A much bigger problem is that device manufacturers typically don't care about security, allowing anyone to update their f
The news is (Score:1)
No news. But it is selling the weakness of non-https as something new. This is so old school.
But hopefully somebody cn get the budget to implement HTTPS or whatever the purpose was.
Re: (Score:2)
MITM novel? (Score:1)
> Man in the middle attack
> Novel attack
Sounds pretty contradictory to me.
Dupe (Score:3)
We discussed this previously. Too lazy to find the conversation, but then, so are the Slashdot "editors". This is actually a non-problem in a Windows corporate environment because if you have not already prevented users from installing hardware via group policy, you have already failed as a Windows admin.
It's not terribly difficult to prevent hardware hotplugging on Linux.
Couldn't tell you about Mac, don't care.
Wank wank, flonk flonk.
Setec Astronomy (Score:2)
As long as they are not using HTTPS.... (Score:3)
So that means it's pretty ineffective. everything that is important to me is HTTPS, even my routers config pages.
I have yet to see any important site not force HTTPS. Will this see that I log into "fluffybunnypodcast.com" with the username bunnyman42 and the password 12345? yep. but I fully expect that the chinese hackers already have this as I really dont care if they get free copies of the latest free fluffybunny broadcast.
This hack is not dangerous at all (Score:2)
According to people right here on Slashdot, you can't find the Raspberry Pi Zero anywhere.
So where can we buy one? (Score:2)
As above, where can we buy one?
Re: (Score:2)
Why not just use a regular usb stick? (Score:2)
Sound like a hardware version of a proxy
Here's your attack scenario (Score:2)
Coworker goes to lunch and locks his PC, you go and steal his cookies and mess with his project files while making it look like it's him.
Many fat client applications have been replaced by REST apps and web based approaches, and many companies do not use HTTPS for servers that can only be accessed internally. Yes, even companies that should be security conscious. The attack scenario is not webservers out on the internet but company-internal servers. Once I was even told by a client that this actually increas
Re: (Score:1)
The White House will be the site of the new Apprentice reality show starring President Trump. I expect a lot of firing and hiring. It should be interesting.
Re: (Score:2)
Someone should inform Trump of this immediately. Kamkar is a foreign sounding name, he should be deported immediately. Put Steve Bannon on it right away!
That'll fix it!
What do you mean, he's already sacked Bannon?? That was quick.
No worries. Trump already hired Steve's brother.
https://youtu.be/diAGexlJtHk [youtu.be]
Strat
Re: Kamkar is a foreign name (Score:1)
Unless your name is drawn from nature and given to you according to your Native American tribe's traditions, then it must also be a foreign name.
Re: (Score:2)
Because it steals your browser's cookies.
It's a Monster!
A Cookie Monster!!!
Also, a guy was sighted near or in a trash can...
said trash can may actually be a giant cantenna!
Re:This means nothing (Score:4, Interesting)
....and, good luck reading my fully encrypted hard drive when you get it home. For that, you might need the $5 billion NSA complex. Or (as noted above) a $5 wrench and physical access to my person.
Which would work, very quickly actually. I don't keep anything on a computer drive, encrypted or not, that I wouldn't want my mother to read. Or the Feeb. Or Soviet Russia, where your disk reads you! Because seriously, if somebody REALLY REALLY wants to get into your disk, and you're not dead, they probably can. With 4096 bit encryption and a nice long pseudorandom key, maybe not. But only MAYBE, and over time, it is even probable that they will eventually be able to do so. I remember a time when 6 digit passwords were relatively safe. Then 7. At this point 8 in lower case ASCII is easily searchable by the NSA or anyone with teraflop resources, and teraflop resources aren't even that expensive, petaflops are out there. If one assumes 64 characters, it is still only order of 10^15 permutations, so a petaflop cluster could do it in minutes, a teraflop cluster in days, and that's if one chooses a GOOD password that is essentially random. At this point, I'm not sure that a 12 character password is secure against NSA-level exhaustive attacks, although with 10^22 possibilities it would start to take a while even with a petaflop -- say a couple or three years. Again, unless you use a truly random 12 character string, they can probably cut this down to months just by searching on the most probable strings first.
But if I were alive, and (say) my hard drive had the coordinates of a nuclear bomb planted somewhere in Manhattan, I'm guessing that they'd opt for the drugs and the wrench and a bit of electricity applied to the testicles to see if they couldn't get the key in minutes instead of weeks or months. Cheaper, faster, and who takes the Constitution seriously any more anyway?
rgb