Trying to get into a password protected zip. Got three instances of a free password cracker (Stella Data Recovery) running for the last handful of hours trying three different methods (they only use 1 core each). Still not got in. I find it hard to believe zips are that tightly sealed.
Commander Kinsey explained on 2/14/2023 :
> Trying to get into a password protected zip. Got three instances of a free
> password cracker (Stella Data Recovery) running for the last handful of hours
> trying three different methods (they only use 1 core each). Still not got
> in. I find it hard to believe zips are that tightly sealed.
256 bit encryption is pretty strong.
What was used to encrypt it?
On Tue, 14 Feb 2023 15:36:51 -0000, FromTheRafters <FTR@nomail.afraid.org> wrote:
> Commander Kinsey explained on 2/14/2023 :
>> Trying to get into a password protected zip. Got three instances of a free
>> password cracker (Stella Data Recovery) running for the last handful of hours
>> trying three different methods (they only use 1 core each). Still not got
>> in. I find it hard to believe zips are that tightly sealed.
> 256 bit encryption is pretty strong.
> What was used to encrypt it?
Is there not a standard for all zips?
I remember from the 90s when zips were a new thing, it was a laugh they could easily be opened.
"Commander Kinsey" <CK1@nospam.com> wrote:
> Trying to get into a password protected zip. Got three instances of a free
> password cracker (Stella Data Recovery) running for the last handful of
> hours trying three different methods (they only use 1 core each). Still not
> got in. I find it hard to believe zips are that tightly sealed.
The ZIP format was created for data compression, not security. Since
then password protection has been added to it. I guess it would be as
strong or weak as any other encrypted format.
On 14/2/2023 11:05 pm, Commander Kinsey wrote:
> Trying to get into a password protected zip. Got three instances of a
> free password cracker (Stella Data Recovery) running for the last
> handful of hours trying three different methods (they only use 1 core
> each). Still not got in. I find it hard to believe zips are that
> tightly sealed.
Talk to ChatGPT? :)
Theoretically, all password prompts can be hacked. Dictionary attack is usually the first method to try.
The other method is of course using the characteristic of ASCII/EBCDIC!
That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", .... This
method will definitely work, but needs time! ;)
Not in the dictionary much.
Back in the 80s or 90s we needed to unzip a file after an engineer left
the co.
Another engineer used a dictionary attack. Got nowhere.
Then asked "who was the engineer anyway?"
"Eric"
He switched to a Hebrew dictionary and the zip file was opened
quickly... (Hebrew rendered in the English alphabet).
On 18/2/2023 7:25 am, Alan Browne wrote:
> Not in the dictionary much.
> Back in the 80s or 90s we needed to unzip a file after an engineer left
> the co.
> Another engineer used a dictionary attack. Got nowhere.
> Then asked "who was the engineer anyway?"
> "Eric"
> He switched to a Hebrew dictionary and the zip file was opened
> quickly... (Hebrew rendered in the English alphabet).
It's still a dictionary hack, using a human language called Hebrew! :)
The other method is of course using the characteristic of ASCII/EBCDIC!
That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", .... This
method will definitely work, but needs time! ;)
On 18/2/2023 7:25 am, Alan Browne wrote:
Not in the dictionary much.
Back in the 80s or 90s we needed to unzip a file after an engineer left
the co.
Another engineer used a dictionary attack. Got nowhere.
Then asked "who was the engineer anyway?"
"Eric"
He switched to a Hebrew dictionary and the zip file was opened
quickly... (Hebrew rendered in the English alphabet).
It's still a dictionary hack, using a human language called Hebrew! :)
The other method is of course using the characteristic of ASCII/EBCDIC! That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", .... This method will definitely work, but needs time! ;)
Modified Brute Force attack.
Twice Modified Brute Force attack.
Brute Force attack.
On 19/2/2023 1:18 am, FromTheRafters wrote:
> Modified Brute Force attack.
> Twice Modified Brute Force attack.
> Brute Force attack.
People might not know the meaning of "brute force".
Picking physical locks might be easier to understand. :)
On 2023-02-18 08:35, Mr. Man-wai Chang wrote:
> On 18/2/2023 7:25 am, Alan Browne wrote:
>> Not in the dictionary much.
>> Back in the 80s or 90s we needed to unzip a file after an engineer left
>> the co.
>> Another engineer used a dictionary attack. Got nowhere.
>> Then asked "who was the engineer anyway?"
>> "Eric"
>> He switched to a Hebrew dictionary and the zip file was opened
>> quickly... (Hebrew rendered in the English alphabet).
> It's still a dictionary hack, using a human language called Hebrew! :)
> The other method is of course using the characteristic of ASCII/EBCDIC!
> That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", .... This
> method will definitely work, but needs time! ;)
That was back then - since then people have learned (I hope) to use real passwords such as the one I put up.
Also the encryption level used
these days is far better than back then.
Alan Browne <bitbucket@blackhole.com> wrote:
> On 2023-02-18 08:35, Mr. Man-wai Chang wrote:
>> On 18/2/2023 7:25 am, Alan Browne wrote:
>>> Not in the dictionary much.
>>> Back in the 80s or 90s we needed to unzip a file after an engineer left
>>> the co.
>>> Another engineer used a dictionary attack. Got nowhere.
>>> Then asked "who was the engineer anyway?"
>>> "Eric"
>>> He switched to a Hebrew dictionary and the zip file was opened
>>> quickly... (Hebrew rendered in the English alphabet).
>> It's still a dictionary hack, using a human language called Hebrew! :)
>> The other method is of course using the characteristic of ASCII/EBCDIC!
>> That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", .... This
>> method will definitely work, but needs time! ;)
> That was back then - since then people have learned (I hope) to use real
> passwords such as the one I put up.
Many do and many don't.
As long as people need to type in passwords they aren't going to use long
and complicated strings.
> Also the encryption level used
> these days is far better than back then.
It doesn't matter how good the encryption is if the password is bad.
On Sun, 19 Feb 2023 22:56:10 -0000 (UTC), Chris wrote:
> As long as people need to type in passwords they aren't going to
> use long and complicated strings.
No excuse!
mechanic <mechanic@example.net> wrote:
> On Sun, 19 Feb 2023 22:56:10 -0000 (UTC), Chris wrote:
>> As long as people need to type in passwords they aren't going to
>> use long and complicated strings.
> No excuse!
And long passwords need not be difficult. 1RoseByAnyOtherNameWillSmellAsSweet!
will be just fine,
(if you are not known for fandom)
mechanic <mechanic@example.net> wrote:
On Sun, 19 Feb 2023 22:56:10 -0000 (UTC), Chris wrote:
As long as people need to type in passwords they aren't going to
use long and complicated strings.
No excuse!
And long passwords need not be difficult. 1RoseByAnyOtherNameWillSmellAsSweet!
will be just fine,
At work one time, I set up my password as a 25 character random string via
my password manager which was great until they decided to sync the network password with the local password on my machine. So when I needed to login after a reboot or screensaver kicks in I had to type it in manually.
Alan Browne <bitbucket@blackhole.com> wrote:
> On 2023-02-19 17:56, Chris wrote:
>> Alan Browne <bitbucket@blackhole.com> wrote:
>>> On 2023-02-18 08:35, Mr. Man-wai Chang wrote:
>>>> On 18/2/2023 7:25 am, Alan Browne wrote:
>>>>> Not in the dictionary much.
>>>>> Back in the 80s or 90s we needed to unzip a file after an engineer left
>>>>> the co.
>>>>> Another engineer used a dictionary attack. Got nowhere.
>>>>> Then asked "who was the engineer anyway?"
>>>>> "Eric"
>>>>> He switched to a Hebrew dictionary and the zip file was opened
>>>>> quickly... (Hebrew rendered in the English alphabet).
>>>> It's still a dictionary hack, using a human language called Hebrew! :)
>>>> The other method is of course using the characteristic of ASCII/EBCDIC!
>>>> That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", .... This
>>>> method will definitely work, but needs time! ;)
>>> That was back then - since then people have learned (I hope) to use real
>>> passwords such as the one I put up.
>> Many do and many don't.
>> As long as people need to type in passwords they aren't going to use long
>> and complicated strings.
> Either use a password manager (as I do) or become clever in the
> composition of the passwords.
I agree and do use a password manager myself. However, having tried to persuade family members to do the same, it's just too much of a faff and
they stick with their crappy and/or written down passwords.
With the best will in the world many people will not be using best
practices.
On 2023-02-20 07:33, J. J. Lodder wrote:
> mechanic <mechanic@example.net> wrote:
>> On Sun, 19 Feb 2023 22:56:10 -0000 (UTC), Chris wrote:
>>> As long as people need to type in passwords they aren't going to
>>> use long and complicated strings.
>> No excuse!
> And long passwords need not be difficult. 1RoseByAnyOtherNameWillSmellAsSweet!
> will be just fine,
Good, but insert a few numbers/spec chars in the middle too ... along
with a misspelled word and caps in the "wrong" places ... and it will be
as good as random where a dictionary+brute force attack occurs.
On 20/2/2023 8:42 pm, Chris wrote:
> At work one time, I set up my password as a 25 character random string via my password manager which was great until they decided to sync the network password with the local password on my machine. So when I needed to login after a reboot or screensaver kicks in I had to type it in manually.
You should use your brain to memorize all 25-character random strings. :)
In article <1q6gy5q.1fuccml6gve0bN%nospam@de-ster.demon.nl>, J. J.
Lodder <nospam@de-ster.demon.nl> wrote:
> Most sites insist nowadays on at least one digit,
> one capitalised letter, and one special sign.
> My example complies,
that actually makes it *easier* to crack, since all passwords that
don't meet the artificial requirements can immediately be ruled out,
thereby reducing the number of possibilities.
Alan Browne <bitbucket@blackhole.com> wrote:
> On 2023-02-20 07:33, J. J. Lodder wrote:
>> mechanic <mechanic@example.net> wrote:
>>> On Sun, 19 Feb 2023 22:56:10 -0000 (UTC), Chris wrote:
>>>> As long as people need to type in passwords they aren't going to
>>>> use long and complicated strings.
>>> No excuse!
>> And long passwords need not be difficult.
>> 1RoseByAnyOtherNameWillSmellAsSweet!
>> will be just fine,
> Good, but insert a few numbers/spec chars in the middle too ... along
> with a misspelled word and caps in the "wrong" places ... and it will be
> as good as random where a dictionary+brute force attack occurs.
Most sites insist nowadays on at least one digit,
one capitalised letter, and one special sign.
My example complies,
Hello.
"Commander Kinsey" <CK1@nospam.com> wrote:
> On Tue, 14 Feb 2023 15:36:51 -0000, FromTheRafters <FTR@nomail.afraid.org> wrote:
>> Commander Kinsey explained on 2/14/2023 :
>>> Trying to get into a password protected zip. Got three instances of a free
>>> password cracker (Stella Data Recovery) running for the last handful of hours
>>> trying three different methods (they only use 1 core each). Still not got
>>> in. I find it hard to believe zips are that tightly sealed.
>> 256 bit encryption is pretty strong.
>> What was used to encrypt it?
> Is there not a standard for all zips?
I don't think so, because zip can be produced by a variety of
software.
> I remember from the 90s when zips were a new thing, it was a laugh they could easily be opened.
Well, that is only 30 years ago, there was a 'tiny' step forward in
zip files.
On 2/14/2023 10:05 AM, Commander Kinsey wrote:
> Trying to get into a password protected zip. Got three instances of a free password cracker (Stella Data Recovery) running for the last handful of hours trying three different methods (they only use 1 core each). Still not got in. I find it hard to believe zips are that tightly sealed.
Old ZIP, trivially crack-able.
New ZIP, not so much.
https://en.wikipedia.org/wiki/ZIP_%28file_format%29#Strong_encryption_controversy
"WinZip introduced its own AES-256 encryption"
Not everything with that file extension, is easy pickins.
You'll need a dictionary attack, and cracking speed will
depend on whether they decided to use multi-pass or not.
The last time I experimented with cracking, the software
said "it will take 13 years" :-) You get the idea. Mind you,
I was unable to get my video card to work on it, my attempt
ran CPU-only.
$ file SketchUp2017.zip <=== made an AES-256 with 7-ZIP zip option, set password to "12345"
SketchUp2017.zip: Zip archive data, at least v5.1 to extract
$ file shotwell-master.zip
shotwell-master.zip: Zip archive data, at least v1.0 to extract
$ file Sandboxie-5.40.zip
Sandboxie-5.40.zip: Zip archive data, at least v1.0 to extract
The non-crypto ones are the "more-compatible" ones that even
Windows can open for extraction.
Commander Kinsey wrote on 2/14/2023 :
> On Tue, 14 Feb 2023 15:36:51 -0000, FromTheRafters <FTR@nomail.afraid.org> wrote:
>> Commander Kinsey explained on 2/14/2023 :
>>> Trying to get into a password protected zip. Got three instances of a free
>>> password cracker (Stella Data Recovery) running for the last handful of hours
>>> trying three different methods (they only use 1 core each). Still not got
>>> in. I find it hard to believe zips are that tightly sealed.
>> 256 bit encryption is pretty strong.
>> What was used to encrypt it?
> Is there not a standard for all zips?
> I remember from the 90s when zips were a new thing, it was a laugh they could
> easily be opened.
Yes, their password protection was feeble. Now they 'can' encrypt with
128 or 256 bit encryption algorithms.
That is a very large 'password space' (keyspace) to slog through doing
even modified brute force attacks.
On 2/15/2023 11:13 AM, Tim Slattery wrote:
> "Commander Kinsey" <CK1@nospam.com> wrote:
>> Trying to get into a password protected zip. Got three instances of a free password cracker (Stella Data Recovery) running for the last handful of hours trying three different methods (they only use 1 core each). Still not got in. I find it hard to believe zips are that tightly sealed.
> The ZIP format was created for data compression, not security. Since
> then password protection has been added to it. I guess it would be as
> strong or weak as any other encrypted format.
The export laws on crypto, historically had a chilling effect
on crypto strength.
And to some extent, that hasn't changed.
It's only when it impacts the competitiveness of a country,
that it stops.
It used to be "you stop it before it happens" was how
you handled crypto. Today, it's the usage of rubber hoses
which is the preferred method (the TrueCrypt mystery,
and legislative attempts to build backdoors).
When ZIP was invented, elliptic curve didn't exist. But
there were still likely to have been methods which signal
you are using the "tough" version. Using a weak-as-piss
method ensures your product can be Exported.
The same kinds of things happened on PDF format.
And the old protection on ZIP is so weak, if Google wants to,
they can scan ZIP attachments in GMail with that protection method,
in "real time". You can't have a much weaker crypto than that.
It's no barrier at all.
The newer method on the other hand, is more of an impediment.
Even the encryption on 7Z has had the odd issue, but these
implementation details have been corrected.
Tim Slattery formulated on Wednesday :
> "Commander Kinsey" <CK1@nospam.com> wrote:
>> Trying to get into a password protected zip. Got three instances of a free
>> password cracker (Stella Data Recovery) running for the last handful of
>> hours trying three different methods (they only use 1 core each). Still not
>> got in. I find it hard to believe zips are that tightly sealed.
> The ZIP format was created for data compression, not security. Since
> then password protection has been added to it. I guess it would be as
> strong or weak as any other encrypted format.
From:
https://pkware.cachefly.net/webdocs/APPNOTE/APPNOTE-6.3.7.TXT
4.4.3 version needed to extract (2 bytes)
4.4.3.1 The minimum supported ZIP specification version needed
to extract the file, mapped as above. This value is based on
the specific format features a ZIP program MUST support to
be able to extract the file. If multiple features are
applied to a file, the minimum version MUST be set to the
feature having the highest value. New features or feature
changes affecting the published format specification will be
implemented using higher version numbers than the last
published value to avoid conflict.
4.4.3.2 Current minimum feature versions are as defined below:
1.0 - Default value
1.1 - File is a volume label
2.0 - File is a folder (directory)
2.0 - File is compressed using Deflate compression
2.0 - File is encrypted using traditional PKWARE encryption
2.1 - File is compressed using Deflate64(tm)
2.5 - File is compressed using PKWARE DCL Implode
2.7 - File is a patch data set
4.5 - File uses ZIP64 format extensions
4.6 - File is compressed using BZIP2 compression*
5.0 - File is encrypted using DES
5.0 - File is encrypted using 3DES
5.0 - File is encrypted using original RC2 encryption
5.0 - File is encrypted using RC4 encryption
5.1 - File is encrypted using AES encryption
5.1 - File is encrypted using corrected RC2 encryption**
5.2 - File is encrypted using corrected RC2-64 encryption**
6.1 - File is encrypted using non-OAEP key wrapping***
6.2 - Central directory encryption
6.3 - File is compressed using LZMA
6.3 - File is compressed using PPMd+
6.3 - File is encrypted using Blowfish
6.3 - File is encrypted using Twofish
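An added example, not part of any post in this thread: a Python parser that reads a ZIP central directory and reports, per entry, the "version needed to extract" value from the APPNOTE excerpt above and the protection scheme the entry declares, which is what separates the v5.1 and v1.0 results in the earlier `file` output. The archive bytes, entry names and function names are constructed for the example; the WinZip AES markers used (compression method 99, extra field 0x9901) come from WinZip's published AES format rather than from this page.

```python
import struct

EOCD_SIG, CDH_SIG = b"PK\x05\x06", b"PK\x01\x02"
EOCD_FMT = "<4sHHHHIIH"            # 22-byte end of central directory record
CDH_FMT = "<4sHHHHHHIIIHHHHHII"    # 46-byte central directory file header
CDH_LEN = struct.calcsize(CDH_FMT)
AES_EXTRA_ID = 0x9901              # WinZip AES extra field header ID
AES_BITS = {1: 128, 2: 192, 3: 256}


def parse_extra(extra):
    """Split an extra-field blob into {header_id: data}."""
    fields, pos = {}, 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        fields[header_id] = extra[pos + 4:pos + 4 + size]
        pos += 4 + size
    return fields


def classify(flags, method, extra):
    """Name the protection scheme an entry declares in its header."""
    if not flags & 0x0001:                 # bit 0 clear: entry is not encrypted
        return "none"
    aes = parse_extra(extra).get(AES_EXTRA_ID)
    if method == 99 and aes is not None and len(aes) >= 7:
        bits = AES_BITS.get(aes[4])        # byte 4 of the field is the strength
        return "WinZip AES-%d" % bits if bits else "WinZip AES (unknown strength)"
    if flags & 0x0040:                     # bit 6: PKWARE strong encryption
        return "PKWARE strong encryption"
    return "traditional PKWARE"            # the weak 1990s scheme


def scan(data):
    """Return one dict per central directory entry in a ZIP byte string."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + struct.calcsize(EOCD_FMT) > len(data):
        raise ValueError("no end of central directory record found")
    fields = struct.unpack_from(EOCD_FMT, data, eocd)
    total, pos, entries = fields[4], fields[6], []
    for _ in range(total):
        if pos + CDH_LEN > len(data):
            raise ValueError("truncated central directory")
        rec = struct.unpack_from(CDH_FMT, data, pos)
        if rec[0] != CDH_SIG:
            raise ValueError("bad central directory signature")
        needed, flags, method = rec[2], rec[3], rec[4]
        name_len, extra_len, comment_len = rec[10], rec[11], rec[12]
        name_end = pos + CDH_LEN + name_len
        name = data[pos + CDH_LEN:name_end].decode("utf-8", "replace")
        extra = data[name_end:name_end + extra_len]
        entries.append({
            "name": name,
            # low byte holds major*10 + minor, e.g. 51 means 5.1
            "version_needed": "%d.%d" % divmod(needed & 0xFF, 10),
            "encryption": classify(flags, method, extra),
        })
        pos = name_end + extra_len + comment_len
    return entries


def make_entry(name, needed, flags, method, extra=b""):
    """Build one central directory record (sizes, CRC and offset zeroed)."""
    raw = name.encode()
    return struct.pack(CDH_FMT, CDH_SIG, 20, needed, flags, method, 0, 0,
                       0, 0, 0, len(raw), len(extra), 0, 0, 0, 0, 0) + raw + extra


def build_sample():
    """Constructed sample: central directory plus EOCD only, no file data."""
    # AES extra field: id, size 7, AE-2, vendor "AE", strength 3 (256), deflate
    aes_extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    cd = (make_entry("readme.txt", 10, 0x0000, 0)
          + make_entry("legacy.doc", 20, 0x0001, 8)
          + make_entry("report.xlsx", 51, 0x0001, 99, aes_extra))
    return cd + struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, 3, 3, len(cd), 0, 0)


if __name__ == "__main__":
    for entry in scan(build_sample()):
        print(entry)
```

To check a real archive, pass `scan()` the bytes of the file; it reads only the central directory and never touches the encrypted data.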
On Wed, 15 Feb 2023 17:09:44 -0000, Paul <nospam@needed.invalid> wrote:
> On 2/15/2023 11:13 AM, Tim Slattery wrote:
>> "Commander Kinsey" <CK1@nospam.com> wrote:
>>> Trying to get into a password protected zip. Got three instances of a free password cracker (Stella Data Recovery) running for the last handful of hours trying three different methods (they only use 1 core each). Still not got in. I find it hard to believe zips are that tightly sealed.
>> The ZIP format was created for data compression, not security. Since
>> then password protection has been added to it. I guess it would be as
>> strong or weak as any other encrypted format.
> The export laws on crypto, historically had a chilling effect
> on crypto strength.
No government can stop me encrypting how I wish, then sending it to anyone in any country.
> And to some extent, that hasn't changed.
> It's only when it impacts the competitiveness of a country,
> that it stops.
> It used to be "you stop it before it happens" was how
> you handled crypto. Today, it's the usage of rubber hoses
> which is the preferred method (the TrueCrypt mystery,
> and legislative attempts to build backdoors).
> When ZIP was invented, elliptic curve didn't exist. But
> there were still likely to have been methods which signal
> you are using the "tough" version. Using a weak-as-piss
> method ensures your product can be Exported.
> The same kinds of things happened on PDF format.
> And the old protection on ZIP is so weak, if Google wants to,
> they can scan ZIP attachments in GMail with that protection method,
> in "real time". You can't have a much weaker crypto than that.
> It's no barrier at all.
> The newer method on the other hand, is more of an impediment.
> Even the encryption on 7Z has had the odd issue, but these
> implementation details have been corrected.
Isn't 7zip just a zip program, using the same standards as any other?
On Tue, 14 Feb 2023 18:45:46 -0000, Shinji Ikari <shinji@gmx.net> wrote:
> "Commander Kinsey" <CK1@nospam.com> wrote:
>> On Tue, 14 Feb 2023 15:36:51 -0000, FromTheRafters <FTR@nomail.afraid.org> wrote:
>>> Commander Kinsey explained on 2/14/2023 :
>>>> Trying to get into a password protected zip. Got three instances of a free
>>>> password cracker (Stella Data Recovery) running for the last handful of hours
>>>> trying three different methods (they only use 1 core each). Still not got
>>>> in. I find it hard to believe zips are that tightly sealed.
>>> 256 bit encryption is pretty strong.
>>> What was used to encrypt it?
>> Is there not a standard for all zips?
> I don't think so, because zip can be produced by a variety of
> software.
But it's all compatible. If you create it with 7zip, I can open it with winzip.
>> I remember from the 90s when zips were a new thing, it was a laugh they could easily be opened.
> Well, that is only 30 years ago, there was a 'tiny' step forward in
> zip files.
So I couldn't open a modern zip with the 1st version of pkunzip?
On 18/2/2023 9:35 pm, Mr. Man-wai Chang wrote:
> The other method is of course using the characteristic of ASCII/EBCDIC!
> That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", .... This
> method will definitely work, but needs time! ;)
Exactly like hacking a combination lock...
Mr. Man-wai Chang explained on 2/19/2023 :
> On 19/2/2023 1:18 am, FromTheRafters wrote:
>> Modified Brute Force attack.
>> Twice Modified Brute Force attack.
>> Brute Force attack.
> People might not know the meaning of "brute force".
True, but as you know it just means the whole keyspace is searched and
on average you check half of them to get a winner.
> Picking physical locks might be easier to understand. :)
True again, but when you can reduce the keyspace to a smaller set it is
a 'Modified Brute Force attack' so needing to check only for words
reduces the effective keyspace and then further restricting to only
words for a language known to be used by the person doing the
encryption narrows it even further.
On 2/19/2023 5:56 PM, Chris wrote:
> Alan Browne <bitbucket@blackhole.com> wrote:
>> On 2023-02-18 08:35, Mr. Man-wai Chang wrote:
>>> On 18/2/2023 7:25 am, Alan Browne wrote:
>>>> Not in the dictionary much.
>>>> Back in the 80s or 90s we needed to unzip a file after an engineer left
>>>> the co.
>>>> Another engineer used a dictionary attack. Got nowhere.
>>>> Then asked "who was the engineer anyway?"
>>>> "Eric"
>>>> He switched to a Hebrew dictionary and the zip file was opened
>>>> quickly... (Hebrew rendered in the English alphabet).
>>> It's still a dictionary hack, using a human language called Hebrew! :)
>>> The other method is of course using the characteristic of ASCII/EBCDIC!
>>> That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", .... This
>>> method will definitely work, but needs time! ;)
>> That was back then - since then people have learned (I hope) to use real
>> passwords such as the one I put up.
> Many do and many don't.
> As long as people need to type in passwords they aren't going to use long
> and complicated strings.
>> Also the encryption level used
>> these days is far better than back then.
> It doesn't matter how good the encryption is if the password is bad.
Any Internet-facing passwords here, are long and strong.
Security inside my LAN is poor. If something gets in here,
it's total destruction time... If I spent the whole day
building a fort out of cardboard boxes, there would be nothing
of value inside the fort (all my waking hours would be spent
on the fort and nothing else).
Is my router vulnerable ? Based on industry standards of
security, the answer to that is... Yes.
Part of the security for a home user, is what the ISP
is doing. For example, I watched one day, as someone within
myisp.com was scanning my node. Today, the ISP does not allow
other users to scan internal nodes, so I no longer see
script kiddies doing stuff like that. However, Google can
still attempt to scan the node. There is, of course, no
purposeful webserver running (that I know of). There could
be localhost:631 within the bash shell, but that's about it.
Even if IIS on the current OS, actually installed useful
stuff (it doesn't), I would not be doing that. I have used
the IIS ftpd setup in the past, but only on an episode basis
(for a couple hours, and not port-forwarded, then removed).
Since my WinXP machine died, my imaginary security has
gone up this much [fingers measure a tiny space about
the size of a millimeter] :-)
On 2023-02-19 17:56, Chris wrote:
Alan Browne <bitbucket@blackhole.com> wrote:
On 2023-02-18 08:35, Mr. Man-wai Chang wrote:
On 18/2/2023 7:25 am, Alan Browne wrote:
Not in the dictionary much.
Back in the 80s or 90s we needed to unzip a file after an engineer left the co.
Another engineer used a dictionary attack. Got nowhere.
Then asked "who was the engineer anyway?"
"Eric"
He switched to a Hebrew dictionary and the zip file was opened
quickly... (Hebrew rendered in the English alphabet).
It's still a dictionary hack, using a human language called Hebrew! :)
The other method is of course using the characteristic of ASCII/EBCDIC! That is, try "a", "b", "c", ... "aa", "ab", "ac", "ad", .... This
method will definitely work, but needs time! ;)
That was back then - since then people have learned (I hope) to use real passwords such as the one I put up.
Many do and many don't.
As long as people need to type in passwords they aren't going to use long
and complicated strings.
Either use a password manager (as I do) or become clever in the
composition of the passwords. So earlier I posted a pretty random one appropriate to a password manager.
Alternately strong passwords that are memorable can look something like:
merrY$penGuin@2four78
On Sun, 19 Feb 2023 05:54:34 -0000, Mr. Man-wai Chang <toylet.toylet@gmail.com> wrote:
On 19/2/2023 1:18 am, FromTheRafters wrote:
Modified Brute Force attack.
Twice Modified Brute Force attack.
Brute Force attack.
People might not know the meaning of "brute force". Picking physical
locks might be easier to understand. :)
Everybody knows what brute force is.
On Sat, 18 Feb 2023 13:35:15 -0000, Mr. Man-wai Chang <toylet.toylet@gmail.com> wrote:
It's still a dictionary hack, using a human language called Hebrew! :)
They're not human.
Alan Browne <bitbucket@blackhole.com> wrote:
On 2023-02-20 07:33, J. J. Lodder wrote:
mechanic <mechanic@example.net> wrote:
On Sun, 19 Feb 2023 22:56:10 -0000 (UTC), Chris wrote:
As long as people need to type in passwords they aren't going to
use long and complicated strings.
No excuse!
And long passwords need not be difficult.
1RoseByAnyOtherNameWillSmellAsSweet!
will be just fine,
Good, but insert a few numbers/spec chars in the middle too ... along
with a misspelled word and caps in the "wrong" places ... and it will be
as good as random where a dictionary+brute force attack occurs.
Most sites insist nowadays on at least one digit,
one capitalised letter, and one special sign.
My example complies,
On 20/2/2023 8:42 pm, Chris wrote:
At work one time, I set up my password as a 25 character random string via my password manager which was great until they decided to sync the network password with the local password on my machine. So when I needed to
login after a reboot or screensaver kicks in I had to type it in manually.
You should use your brain to memorize all 25-character random strings. :)
Mr. Man-wai Chang <toylet.toylet@gmail.com> wrote:
On 20/2/2023 8:42 pm, Chris wrote:
At work one time, I set up my password as a 25 character random string via my password manager which was great until they decided to sync the network password with the local password on my machine. So when I needed to login after a reboot or screensaver kicks in I had to type it in manually.
You should use your brain to memorize all 25-character random strings. :)
No problem with that at all, for me.
The problem is memorising a few particular ones,
On 2/23/2023 3:10 AM, Commander Kinsey wrote:
On Wed, 15 Feb 2023 17:09:44 -0000, Paul <nospam@needed.invalid> wrote:
On 2/15/2023 11:13 AM, Tim Slattery wrote:
"Commander Kinsey" <CK1@nospam.com> wrote:
Trying to get into a password protected zip. Got three instances of a free password cracker (Stella Data Recovery) running for the last handful of hours trying three different methods (they only use 1 core each). Still not got in. I find it hard to believe zips are that tightly sealed.
The ZIP format was created for data compression, not security. Since
then password protection has been added to it. I guess it would be as
strong or weak as any other encrypted format.
The export laws on crypto, historically had a chilling effect
on crypto strength.
No government can stop me encrypting how I wish, then sending it to anyone in any country.
And to some extent, that hasn't changed.
It's only when it impacts the competitiveness of a country,
that it stops.
It used to be "you stop it before it happens" was how
you handled crypto. Today, it's the usage of rubber hoses
which is the preferred method (the TrueCrypt mystery,
and legislative attempts to build backdoors).
When ZIP was invented, elliptic curve didn't exist. But
there were still likely to have been methods which signal
you are using the "tough" version. Using a weak-as-piss
method ensures your product can be Exported.
The same kinds of things happened on PDF format.
And the old protection on ZIP is so weak, if Google wants to,
they can scan ZIP attachments in GMail with that protection method,
in "real time". You can't have a much weaker crypto than that.
It's no barrier at all.
The newer method on the other hand, is more of an impediment.
Even the encryption on 7Z has had the odd issue, but these
implementation details have been corrected.
Isn't 7zip just a zip program, using the same standards as any other?
Just as RAR has a custom compressor (and charges money for it),
7ZIP has a custom compressor (7z) and it is free.
I think these are arithmetic compressors, similar to LZMA, but
you'll probably find a wikipedia entry with the details.
The other thing it has, is a pre-processor. There is a method
for re-encoding EXE files, and if 7Z senses EXE files, it passes
the data through the pre-processor, before the main 7Z compression
step runs.
7ZIP has multithreaded compression and multithreaded decompression.
By using all the cores, the slow LZMA-like method is delivered at
moderate speed.
To compress a hard drive full of data with 7Z, costs about $1 worth
of electricity. Just to give some idea, that certain computing things
do cost real money. A machine can grind for most of the day,
compressing a disk drive.
Some of the other compressors built into 7Z, are not multicore.
The winZIP compressor is probably not running on multiple cores.
PIGZ is a parallel version of GZIP. It uses multiple cores during compression, but only one core during decompression. And the
multiple cores, may have a limit. Whereas 7ZIP can use all your
cores for .7z .
On Win10 or Win11, you set the thread count to 2x as many as
the CPU. A CPU with 6C 12T, you set the thread count to 24,
so that the 12 virtual cores are well-loaded. This helps keep
the CPU usage bar at 100%. If you set the thread count to 12
(one per virtual core), it only runs at about 80% or so.
Since the dictionary size for Ultra mode is 600MB per thread,
24*600 = close to 16GB of RAM. So if you want to make your
CPU as hot as possible, you need sufficient RAM for all the
threads of execution to use.
And then, when 7ZIP is finished all that mumbo-jumbo, it
can do a pass of AES256 and encrypt the output blocks.
Encryption is done after compression, because encrypted
data does not compress. That's how you can tell the
quality of encryption, if it does not compress and
the file becomes smaller.
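An added example, not part of any post in this thread: the question "What was used to encrypt it?" and the contrast above between the old ZIP protection and the newer method can be settled from the archive's own central directory, which records for each member whether it uses the legacy PKZIP scheme (ZipCrypto) or WinZip AES and at what key size. The function names and the sample archive are constructed for illustration; Zip64 archives are not handled.

```python
import struct

# Fixed parts of two records from the ZIP format (PKWARE APPNOTE):
CDH = struct.Struct("<4sHHHHHHIIIHHHHHII")   # central directory header, 46 bytes
EOCD = struct.Struct("<4sHHHHIIH")           # end of central directory, 22 bytes
AES_BITS = {1: 128, 2: 192, 3: 256}          # strength byte of extra field 0x9901

def aes_bits(extra):
    """Key size declared in a WinZip AES (0x9901) extra field, else None."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if header_id == 0x9901 and len(body) >= 7:
            return AES_BITS.get(body[4])     # version(2) vendor(2) strength(1)
        pos += 4 + size
    return None

def encryption_report(data):
    """Map member name -> protection declared in the central directory."""
    end = data.rfind(b"PK\x05\x06")
    if end < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = EOCD.unpack_from(data, end)
    report, pos = {}, cd_offset
    for _ in range(total):
        (sig, _, _, flags, method, _, _, _, _, _,
         nlen, elen, clen, _, _, _, _) = CDH.unpack_from(data, pos)
        if sig != b"PK\x01\x02":
            raise ValueError("bad central directory entry")
        name = data[pos + 46:pos + 46 + nlen].decode(
            "utf-8" if flags & 0x800 else "cp437")
        extra = data[pos + 46 + nlen:pos + 46 + nlen + elen]
        if not flags & 0x1:                  # bit 0 clear: not encrypted
            kind = "none"
        elif method == 99:                   # method 99 marks WinZip AES
            kind = "AES-%s" % (aes_bits(extra) or "unknown")
        elif flags & 0x40:                   # bit 6: PKWARE strong encryption
            kind = "PKWARE strong encryption"
        else:
            kind = "ZipCrypto (legacy)"
        report[name] = kind
        pos += 46 + nlen + elen + clen
    return report

def constructed_sample():
    """Constructed central directory (no file data) with three members."""
    aes_extra = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)
    members = [(b"plain.txt", 0, 8, b""), (b"old.txt", 1, 8, b""),
               (b"new.txt", 1, 99, aes_extra)]
    cd = b"".join(
        CDH.pack(b"PK\x01\x02", 20, 20, flags, method, 0, 0, 0, 0, 0,
                 len(name), len(extra), 0, 0, 0, 0, 0) + name + extra
        for name, flags, method, extra in members)
    n = len(members)
    return cd + EOCD.pack(b"PK\x05\x06", 0, 0, n, n, len(cd), 0, 0)

if __name__ == "__main__":
    for member, kind in encryption_report(constructed_sample()).items():
        print(member, "->", kind)
```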
On 23.02.23 at 09:10, Commander Kinsey wrote:
On Wed, 15 Feb 2023 17:09:44 -0000, Paul <nospam@needed.invalid> wrote:
On 2/15/2023 11:13 AM, Tim Slattery wrote:
"Commander Kinsey" <CK1@nospam.com> wrote:
Trying to get into a password protected zip. Got three instances of a free password cracker (Stella Data Recovery) running for the last handful of hours trying three different methods (they only use 1 core each). Still not got in. I find it hard to believe zips are that tightly sealed.
The ZIP format was created for data compression, not security. Since
then password protection has been added to it. I guess it would be as
strong or weak as any other encrypted format.
The export laws on crypto, historically had a chilling effect
on crypto strength.
No government can stop me encrypting how I wish, then sending it to anyone in any country.
Sure. But you will be blacklisted and not allowed to fly anymore.
Your next parking ticket is your death sentence ... :-D
America is as totalitarian as Russia or China.
But many Americans think they live in a free country.
*ROTFLSTC*.
Hello.
"Commander Kinsey" <CK1@nospam.com> wrote
On Tue, 14 Feb 2023 18:45:46 -0000, Shinji Ikari <shinji@gmx.net> wrote:
"Commander Kinsey" <CK1@nospam.com> wrote
On Tue, 14 Feb 2023 15:36:51 -0000, FromTheRafters <FTR@nomail.afraid.org> wrote:
Commander Kinsey explained on 2/14/2023 :
Trying to get into a password protected zip. Got three instances of a free
password cracker (Stella Data Recovery) running for the last handful of hours
trying three different methods (they only use 1 core each). Still not got
in. I find it hard to believe zips are that tightly sealed.
256 bit encryption is pretty strong.
What was used to encrypt it?
Is there not a standard for all zips?
I don't think so, because zip can be produced by a variety of
software.
But it's all compatible. If you create it with 7zip, I can open it with winzip.
Yes, but only if the unpacking ZIP-compatible program can use the
same en-/decryption used while packing it.
I remember from the 90s when zips were a new thing, it was a laugh they could easily be opened.
Well, that is only 30 years ago, there was a 'tiny' step forward in
zip files.
So I couldn't open a modern zip with the 1st version of pkunzip?
If it is encrypted with a newer encryption method that pkunzip does
not know of: yes, then you cannot get the data inside of the ZIP file
with a too old pkunzip version.
On 3/1/2023 3:32 PM, Commander Kinsey wrote:
On Sat, 18 Feb 2023 13:35:15 -0000, Mr. Man-wai Chang
<toylet.toylet@gmail.com> wrote:
It's still a dictionary hack, using a human language called Hebrew! :)
They're not human.
Really? If you think that then nobody is
and since a lot of the computer
hardware and code was developed by them you should not be using any of it.
It happens that Commander Kinsey formulated :
On Sun, 19 Feb 2023 05:54:34 -0000, Mr. Man-wai Chang
<toylet.toylet@gmail.com> wrote:
On 19/2/2023 1:18 am, FromTheRafters wrote:
Modified Brute Force attack.
Twice Modified Brute Force attack.
Brute Force attack.
People might not know the meaning of "brute force". Picking physical
locks might be easier to understand. :)
Everybody knows what brute force is.
A cryptography 'jargon' term for an exhaustive key search.
On Wed, 01 Mar 2023 21:49:12 -0000, FromTheRafters <FTR@nomail.afraid.org> wrote:
It happens that Commander Kinsey formulated :
On Sun, 19 Feb 2023 05:54:34 -0000, Mr. Man-wai Chang
<toylet.toylet@gmail.com> wrote:
On 19/2/2023 1:18 am, FromTheRafters wrote:
Modified Brute Force attack.
Twice Modified Brute Force attack.
Brute Force attack.
People might not know the meaning of "brute force". Picking physical
locks might be easier to understand. :)
Everybody knows what brute force is.
A cryptography 'jargon' term for an exhaustive key search.
I thought Mr. Man-wai Chang meant people might not know the everyday phrase.
on 3/12/2023, Commander Kinsey supposed :
On Wed, 01 Mar 2023 21:49:12 -0000, FromTheRafters
<FTR@nomail.afraid.org> wrote:
It happens that Commander Kinsey formulated :
On Sun, 19 Feb 2023 05:54:34 -0000, Mr. Man-wai Chang
<toylet.toylet@gmail.com> wrote:
On 19/2/2023 1:18 am, FromTheRafters wrote:
Modified Brute Force attack.
Twice Modified Brute Force attack.
Brute Force attack.
People might not know the meaning of "brute force". Picking physical
locks might be easier to understand. :)
Everybody knows what brute force is.
A cryptography 'jargon' term for an exhaustive key search.
I thought Mr. Man-wai Chang meant people might not know the everyday
phrase.
That very well may be. I put it back in context.
Did you teach THIS fellow?
https://youtu.be/EpBWFF8i_gc
On 13/03/2023 11:25, FromTheRafters wrote:
on 3/12/2023, Commander Kinsey supposed :
On Wed, 01 Mar 2023 21:49:12 -0000, FromTheRafters
<FTR@nomail.afraid.org> wrote:
It happens that Commander Kinsey formulated :
On Sun, 19 Feb 2023 05:54:34 -0000, Mr. Man-wai Chang
<toylet.toylet@gmail.com> wrote:
On 19/2/2023 1:18 am, FromTheRafters wrote:
Modified Brute Force attack.
Twice Modified Brute Force attack.
Brute Force attack.
People might not know the meaning of "brute force". Picking physical locks might be easier to understand. :)
Everybody knows what brute force is.
A cryptography 'jargon' term for an exhaustive key search.
I thought Mr. Man-wai Chang meant people might not know the everyday
phrase.
That very well may be. I put it back in context.
Did you teach THIS fellow?
https://youtu.be/EpBWFF8i_gc
On Mon, 13 Mar 2023 11:54:56 -0000, David Brooks
<DavidB@nomail.afraid.org> wrote:
On 13/03/2023 11:25, FromTheRafters wrote:
on 3/12/2023, Commander Kinsey supposed :
On Wed, 01 Mar 2023 21:49:12 -0000, FromTheRafters
<FTR@nomail.afraid.org> wrote:
It happens that Commander Kinsey formulated :
On Sun, 19 Feb 2023 05:54:34 -0000, Mr. Man-wai Chang
<toylet.toylet@gmail.com> wrote:
On 19/2/2023 1:18 am, FromTheRafters wrote:
Modified Brute Force attack.
Twice Modified Brute Force attack.
Brute Force attack.
People might not know the meaning of "brute force". Picking physical locks might be easier to understand. :)
Everybody knows what brute force is.
A cryptography 'jargon' term for an exhaustive key search.
I thought Mr. Man-wai Chang meant people might not know the everyday
phrase.
That very well may be. I put it back in context.
Did you teach THIS fellow?
https://youtu.be/EpBWFF8i_gc
Fucking hell, that beats any other one I've seen.
Alan Browne <bitbucket@blackhole.com> wrote:
On 2023-02-20 07:33, J. J. Lodder wrote:
mechanic <mechanic@example.net> wrote:
On Sun, 19 Feb 2023 22:56:10 -0000 (UTC), Chris wrote:
As long as people need to type in passwords they aren't going to
use long and complicated strings.
No excuse!
And long passwords need not be difficult.
1RoseByAnyOtherNameWillSmellAsSweet!
will be just fine,
Good, but insert a few numbers/spec chars in the middle too ... along
with a misspelled word and caps in the "wrong" places ... and it will be
as good as random where a dictionary+brute force attack occurs.
Most sites insist nowadays on at least one digit,
one capitalised letter, and one special sign.
My example complies,
On 20/02/2023 20:04, J. J. Lodder wrote:
Alan Browne <bitbucket@blackhole.com> wrote:
On 2023-02-20 07:33, J. J. Lodder wrote:
mechanic <mechanic@example.net> wrote:
On Sun, 19 Feb 2023 22:56:10 -0000 (UTC), Chris wrote:
As long as people need to type in passwords they aren't going to
use long and complicated strings.
No excuse!
And long passwords need not be difficult.
1RoseByAnyOtherNameWillSmellAsSweet!
will be just fine,
Good, but insert a few numbers/spec chars in the middle too ... along
with a misspelled word and caps in the "wrong" places ... and it will be
as good as random where a dictionary+brute force attack occurs.
Most sites insist nowadays on at least one digit,
one capitalised letter, and one special sign.
My example complies,
I often seem to manage to pick the one special character that isn't
allowed! Then the website doesn't tell me what's wrong, it just repeats
what it already told me, something like "your password must include at
least 8 characters including one lowercase letter, one uppercase letter,
one digit, and one special character or punctuation symbol".
Brian Gregory <void-invalid-dead-dontuse@email.invalid> wrote:
On 20/02/2023 20:04, J. J. Lodder wrote:
Alan Browne <bitbucket@blackhole.com> wrote:
On 2023-02-20 07:33, J. J. Lodder wrote:
mechanic <mechanic@example.net> wrote:
On Sun, 19 Feb 2023 22:56:10 -0000 (UTC), Chris wrote:
As long as people need to type in passwords they aren't going to
use long and complicated strings.
No excuse!
And long passwords need not be difficult.
1RoseByAnyOtherNameWillSmellAsSweet!
will be just fine,
Good, but insert a few numbers/spec chars in the middle too ... along
with a misspelled word and caps in the "wrong" places ... and it will be
as good as random where a dictionary+brute force attack occurs.
Most sites insist nowadays on at least one digit,
one capitalised letter, and one special sign.
My example complies,
I often seem to manage to pick the one special character that isn't
allowed! Then the website doesn't tell me what's wrong, it just repeats
what it already told me, something like "your password must include at
least 8 characters including one lowercase letter, one uppercase letter,
one digit, and one special character or punctuation symbol".
I've found some sites don't accept the question mark,