
Password File


Bob

Oct 30, 2004, 8:06:54 AM
What is the name and location of the file that contains passwords?

What is the name and location of the file that contains form
information?


"Prediction is very difficult, especially about the future."
--Niels Bohr

Ed Mullen

Oct 30, 2004, 10:34:33 AM
Bob wrote:
> What is the name and location of the file that contains passwords?

In Mozilla, Firefox, and Netscape I believe it's still [random].s


>
> What is the name and location of the file that contains form
> information?

In Mozilla and Netscape I believe it's still [random].w
In Firefox I'm not sure.
>
>

--
Ed Mullen
http://edmullen.net
http://edmullen.net/moz.html

Bob

Oct 30, 2004, 12:08:35 PM
On Sat, 30 Oct 2004 10:34:33 -0400, Ed Mullen <e...@edmullen.net> wrote:

>In Mozilla and Netscape I believe it's still [random].w

I trashed my password and form info files when I did a complete
re-install. I have archived files available, but Mozilla will not read
them. I tried renaming them but that doesn't work either.

How do I get Mozilla to read and store my old password and form info
files?

Ed Mullen

Oct 30, 2004, 12:15:09 PM

It could be that the files are from an older profile. Close Moz, open
your current profile's prefs.js, look for the entries referring to the .w
and .s files, rename accordingly either the prefs.js entries or the
Windows filenames.

David Ross

Oct 30, 2004, 12:22:38 PM
Bob wrote:
>
> What is the name and location of the file that contains passwords?
>
> What is the name and location of the file that contains form
> information?

For security, the files are intentionally hidden through the use of
randomly generated file names. To find your own, use Password
Manager or Form Manager to change the content of the file and then
immediately do a search for recently changed files in your
profile. It will be one of the files most recently changed.

Why is this important? These are not files you should be manually
editing. For backups, you should include your entire profile.

If you think you might be able to hack someone else's password or
form files, think again. I've seeded my profile with fake copies
of the files.

--

David E. Ross
<http://www.rossde.com/>

I use Mozilla as my Web browser because I want a browser that
complies with Web standards. See <http://www.mozilla.org/>.

Bob

Oct 30, 2004, 1:10:13 PM
On Sat, 30 Oct 2004 09:22:38 -0700, David Ross <nob...@nowhere.not>
wrote:

>If you think you might be able to hack someone else's password or
>form files, think again. I've seeded my profile with fake copies
>of the files.

I thought passwords were encrypted. If so, there is no need to hide
the password file.

BTW, in cryptography there is a rule: "Obscurity is not security".
Hiding things does not provide security. In crypto everything but the
cipher key is open to the world, including the crypto algorithm.

If you want to hide things, then you should use steganography.

Bob

Oct 30, 2004, 1:14:16 PM
On Sat, 30 Oct 2004 12:15:09 -0400, Ed Mullen <e...@edmullen.net> wrote:

>It could be that the files are from an older profile.

That is indeed the case since I completely removed the previous
version of Mozilla.

>Close Moz, open
>your current profile's prefs.js, look for the entries referring to the .w
>and .s files, rename accordingly either the prefs.js entries or the
>Windows filenames.

I tried renaming the old archive files to the current name but it did
not work. Interestingly Mozilla read the file because it added a
password I had inserted. But it won't read the remaining entries.

I will try renaming the entry in prefs.js. But I suspect something
else is going on.

Bob

Oct 30, 2004, 1:36:43 PM
On Sat, 30 Oct 2004 12:15:09 -0400, Ed Mullen <e...@edmullen.net> wrote:


>Close Moz, open
>your current profile's prefs.js, look for the entries referring to the .w
>and .s files, rename accordingly either the prefs.js entries or the
>Windows filenames.

I opened prefs.js and found the entries for the password file and the
form info file. They are identical to the file names I have currently
in the profile section.

I open Mozilla, enter a new password and enter a new form, and then
close Mozilla. The two files are updated in terms of time stamp and
they are a bit larger. So Mozilla is opening them and editing them.
The problem is that Mozilla is unable to reference the previous
passwords. I am using the same Master Password as before.

In Edit+Preferences+Security+Master Password I notice there is a
provision for "Resetting" the Master Password, with the warning that
you will lose all your password and login information. Maybe that's
what's going on - the internal encryption key is not matching.

Certainly I can't be the only person to have run into this problem of
importing previous collections of passwords and form info. There has
got to be a solution. I have nearly 100 passwords on file, and the
prospect of having to enter all those manually again is too much.

Leonidas Jones

Oct 30, 2004, 2:58:24 PM
Ed Mullen wrote:
> Bob wrote:
>
>>What is the name and location of the file that contains passwords?
>
>
> In Mozilla, Firefox, and Netscape I believe it's still [random].s
>
>>What is the name and location of the file that contains form
>>information?
>
>
> In Mozilla and Netscape I believe it's still [random].w
> In Firefox I'm not sure.
>
>>
>
signons.txt

Lee

Ed Mullen

Oct 30, 2004, 11:05:29 PM

I generally don't respond to posts that have snipped so much of the
previous content that I can't figure out what product or version or both
that is in discussion. I only do so here to urge everyone to PLEASE
DON'T SNIP -- you probably can't figure out what might be important down
the road as we read and try to help. Leave all the previous stuff.

As it stands here, I have little idea what we're talking about, version
and product wise, and it matters for the answers.

I'm not going back x number of posts to try and figure it out. Too many
posts, too little time. Suit yourself.

Bob

Oct 31, 2004, 8:19:38 AM
On Sat, 30 Oct 2004 23:05:29 -0400, Ed Mullen <e...@edmullen.net> wrote:

>I generally don't respond to posts that have snipped so much of the
>previous content that I can't figure out what product or version or both
>that is in discussion. I only do so here to urge everyone to PLEASE
>DON'T SNIP -- you probably can't figure out what might be important down
>the road as we read and try to help. Leave all the previous stuff.

>As it stands here, I have little idea what we're talking about, version
>and product wise, and it matters for the answers.

>I'm not going back x number of posts to try and figure it out. Too many
>posts, too little time. Suit yourself.

You are only one half of Usenet. The other half bitches about not
snipping.

Mozilla 1.7.3 password file and form info file. They are identified by
their extensions, ".s" and ".w".

I completely removed all traces of Mozilla, including a deep Registry
swab. I kept only Bookmarks. Then I installed Mozilla only. I
installed extensions.

NB: There is something really weird going on regarding plugins. I do
not have any plugins in the profile yet Mozilla is reporting that
plugins are present.

Anyway, I dug up older archived versions of the ".s" and ".w" files
and named them the same as the names in the prefs.js file. Mozilla
reads them because it also updates them. But it won't display any of
the old passwords or form info.

So the question is really simple: How do I import old passwords and
form info into Mozilla?

Bob

Oct 31, 2004, 8:31:10 AM
On Sun, 31 Oct 2004 13:19:38 GMT, sp...@spamcop.com (Bob) wrote:

>NB: There is something really weird going on regarding plugins. I do
>not have any plugins in the profile yet Mozilla is reporting that
>plugins are present.

Correction: I meant to say that I have only "npnul32.dll" in the
Mozilla\plugin directory. But when I do an "about:plugins" I get a
list of every one of the previous ones I had.

Mozilla is keeping information somewhere that I do not know about -
and it is incorrect information too.

Doug Kanter

Oct 31, 2004, 8:32:54 AM

"Bob" <sp...@spamcop.com> wrote in message
news:4184e482...@news-server.houston.rr.com...

Heaven forbid anyone were to buy a new computer and want to transfer these
things.....


Bob

Oct 31, 2004, 8:38:16 AM
On Sun, 31 Oct 2004 13:31:10 GMT, sp...@spamcop.com (Bob) wrote:

>>NB: There is something really weird going on regarding plugins. I do
>>not have any plugins in the profile yet Mozilla is reporting that
>>plugins are present.

>Correction: I meant to say that I have only "npnul32.dll" in the
>Mozilla\plugin directory. But when I do an "about:plugins" I get a
>list of every one of the previous ones I had.

>Mozilla is keeping information somewhere that I do not know about -
>and it is incorrect information too.

On top of all that, the plugins that do not exist in my Mozilla\plugins
directory are functional. I have Acrobat, Java, WMP. They all work
within Mozilla. There is apparently no need for the Mozilla\plugin
directory after all.

Why do developers do things like this - hiding references, making
useless directories, etc.

Ed Mullen

Oct 31, 2004, 11:29:49 AM
Bob wrote:

> On Sun, 31 Oct 2004 13:31:10 GMT, sp...@spamcop.com (Bob) wrote:
>
>
>>>NB: There is something really weird going on regarding plugins. I do
>>>not have any plugins in the profile yet Mozilla is reporting that
>>>plugins are present.
>
>
>>Correction: I meant to say that I have only "npnul32.dll" in the
>>Mozilla\plugin directory. But when I do an "about:plugins" I get a
>>list of every one of the previous ones I had.
>
>
>>Mozilla is keeping information somewhere that I do not know about -
>>and it is incorrect information too.
>
>
> On top of all that, the plugins that do not exist in my Mozilla\plugins
> directory are functional. I have Acrobat, Java, WMP. They all work
> within Mozilla.

The java, acrobat, and wmp plugins are in their respective program
directories and Mozilla knows that.

> There is apparently no need for the Mozilla\plugin
> directory after all.

There is if you add any other plugins.

Ed Mullen

Oct 31, 2004, 11:36:16 AM
Bob wrote:

At this point I can't be sure what you have going on on your system.
Create a new profile then make sure it is working. Then, assuming you
have a backup, migrate the appropriate stuff into the new profile. Some
links that might help you:

http://users.adelphia.net/~irwingreenwald/About%20Profiles.html
http://www.holgermetzger.de/pdl.html
http://www.ufaq.org/modules.php?name=Sections&op=viewarticle&artid=121
http://www.ufaq.org/modules.php?name=Sections&op=viewarticle&artid=99

Bob

Oct 31, 2004, 12:50:29 PM
On Sun, 31 Oct 2004 11:29:49 -0500, Ed Mullen <e...@edmullen.net> wrote:

>Bob wrote:
>
>> On Sun, 31 Oct 2004 13:31:10 GMT, sp...@spamcop.com (Bob) wrote:
>>
>>
>>>>NB: There is something really weird going on regarding plugins. I do
>>>>not have any plugins in the profile yet Mozilla is reporting that
>>>>plugins are present.
>>
>>
>>>Correction: I meant to say that I have only "npnul32.dll" in the
>>>Mozilla\plugin directory. But when I do an "about:plugins" I get a
>>>list of every one of the previous ones I had.
>>
>>
>>>Mozilla is keeping information somewhere that I do not know about -
>>>and it is incorrect information too.
>>
>>
>> On top of all that, the plugins that do not exist in my Mozilla\plugins
>> directory are functional. I have Acrobat, Java, WMP. They all work
>> within Mozilla.
>
>The java, acrobat, and wmp plugins are in their respective program
>directories and Mozilla knows that.

I wonder how Mozilla knows that.

>There is apparently no need for the Mozilla\plugin
>> directory after all.

>There is if you add any other plugins.

What if I want to remove a plugin? In the past I just removed it from
the official Mozilla plugin directory, not from its program directory.
But now there are no plugins in the official Mozilla plugin directory.

I suspect I did not remove everything from the Registry and that's
where Mozilla found the references. Either that or it swept the disk
when I installed it.

Bob

Oct 31, 2004, 1:06:02 PM

OK, I tried that procedure and it would not open up the old passwords.

Something is very screwed up here that I would not be able to access
passwords from a previous session.

Thanks for the references but at this point I have loaded about half
the passwords manually so I think the only sensible recourse is to
continue.

Every application I have ever seen is extremely lame when it comes to
managing configurations. Someone thinks it's cool to build a
configuration manager but they never work properly.

Ed Mullen

Oct 31, 2004, 10:12:33 PM
Bob wrote:

Just out of curiosity, did you use a Master Password in the previous
profile(s)? Because that does change things. Perhaps someone else can
chime in here on that topic.

Ed Mullen

Oct 31, 2004, 10:10:28 PM
Bob wrote:
> On Sun, 31 Oct 2004 11:29:49 -0500, Ed Mullen <e...@edmullen.net> wrote:
>
>
>>Bob wrote:
>>
>>
>>>On Sun, 31 Oct 2004 13:31:10 GMT, sp...@spamcop.com (Bob) wrote:
>>>
>>>
>>>
>>>>>NB: There is something really weird going on regarding plugins. I do
>>>>>not have any plugins in the profile yet Mozilla is reporting that
>>>>>plugins are present.
>>>
>>>
>>>>Correction: I meant to say that I have only "npnul32.dll" in the
>>>>Mozilla\plugin directory. But when I do an "about:plugins" I get a
>>>>list of every one of the previous ones I had.
>>>
>>>
>>>>Mozilla is keeping information somewhere that I do not know about -
>>>>and it is incorrect information too.
>>>
>>>
>>>On top of all that, the plugins that do not exist in my Mozilla\plugins
>>>directory are functional. I have Acrobat, Java, WMP. They all work
>>>within Mozilla.
>>
>>The java, acrobat, and wmp plugins are in their respective program
>>directories and Mozilla knows that.
>
>
> I wonder how Mozilla knows that.
>
>
>>There is apparently no need for the Mozilla\plugin
>>
>>>directory after all.
>
>
>>There is if you add any other plugins.
>
>
> What if I want to remove a plugin? In the past I just removed it from
> the official Mozilla plugin directory, not from its program directory.
> But now there are no plugins in the official Mozilla plugin directory.

If you want to remove one of the plugins Mozilla automatically finds you
need to delete or rename it in that program's folder.

>
> I suspect I did not remove everything from the Registry and that's
> where Mozilla found the references. Either that or it swept the disk
> when I installed it.
>
>

Mozilla, as I said, automatically finds certain plugins on installation.
Also, hacking the registry is always a very iffy thing. And don't
forget that uninstalling the program does not uninstall your profile(s)
where much "stuff" is kept. You can even put your plugins folder in
your profile so it will be there when you upgrade/reinstall Mozilla.
Can't remember exactly but I think it needs to be placed in:

C:\Documents and Settings\[username]\Application Data\Mozilla

Bob

Nov 1, 2004, 2:37:25 AM
On Sun, 31 Oct 2004 22:10:28 -0500, Ed Mullen <e...@edmullen.net> wrote:

>And don't
>forget that uninstalling the program does not uninstall your profile(s)
>where much "stuff" is kept.

That's why I said I did a *complete* removal. I found out the time
before that whatever corrupted Mozilla was not fixed by the
traditional uninstall/reinstall. The first time this happened to me I
got lucky by overwriting a couple files that had been modified by the
rogue extension. I have no clue why that would have fixed the problem
but it worked. This time I could not fix the problem so easily, so I
had no choice but to remove everything completely and start over from
scratch. That did work to fix the problem, but now I can't import my
passwords or form info.

Maybe this is a good thing - at least the password and form files will
not be filled with a year's worth of old crap.

Bob

Nov 1, 2004, 2:42:46 AM
On Sun, 31 Oct 2004 22:12:33 -0500, Ed Mullen <e...@edmullen.net> wrote:

>Just out of curiosity, did you use a Master Password in the previous
>profile(s)? Because that does change things. Perhaps someone else can
>chime in here on that topic.

Yes I did use Master Password. You cannot encrypt your passwords in
Mozilla unless you do. And I used the identical password in the
re-installation, for what that's worth.

The old passwords are in the password file I copied from the archive
because I can see it has a rather large size on disk. Mozilla is
opening and editing that file because I can insert new passwords
because I can see the date stamp change and as I insert "new"
passwords the file grows in size.

But since Mozilla won't access the old passwords in that file, I
renamed it and let Mozilla build a new empty one to which I am adding
"new" passwords. I haven't even tackled the form info file - I will
let Mozilla build a new one too.

Nelson B

Nov 3, 2004, 2:45:44 AM
Bob:

The short answer to your problem is this: In order to reuse the contents
of the old *.s and *.w files, your profile must also have the old cert8.db
file and key3.db file that were in use when the *.s and *.w files were
created and/or updated. Those files should be thought of as a set.

If someone advised you to restore the *.s and *.w files, and did not also
advise you to restore the old key3.db and cert8.db files, then you
received bad advice.

Plugins, browser extensions, and the directories that hold them are
irrelevant to your issue, as it seems you've discovered.

> I thought passwords were encrypted. If so, there is no need to hide
> the password file.

FireFox (and perhaps TBird) always encrypt all stored passwords, IINM.
mozilla gives the user the choice of encrypting passwords or merely
"obfuscating" them. mozilla's default is Obfuscation.

Obfuscation merely makes it a little more difficult for a human who can
read the contents of the file to figure out the password from what he sees,
somewhat like rot-13. It's not encryption. It's pretty trivial for any
computer program that can get the obfuscated password file to show all the
passwords directly. mozilla's password file name has a random component
to compensate for the weak protection offered by obfuscation.

mozilla uses the same file-naming scheme for encrypted password files
that it uses for obfuscated password files. Not that the added difficulty
of finding the file name for an encrypted password file is needed with
encryption, but because having one set of code to get the file name is
better than having two sets of code to do it.

When passwords (or anything else in mozilla) are encrypted, they are
encrypted using one or more keys. All your private and secret keys
(not public keys) are kept in the file key3.db, which is in your profile.
Your public keys are kept in cert8.db, which is also kept in your profile.
The encryption key that encrypts and decrypts your encrypted passwords
is stored in key3.db. Therefore, in order to ever be able to decrypt
your passwords, you must have your old *.s file *AND* your old key3.db
file.

The "Master Password" does exactly one thing, regardless of the purpose
for which you're asked for it. It "unlocks" the key3.db file and hence
the keys in that file. Any time you try to do something and are asked
for the "Master Password", you are being asked to unlock the key3.db file,
so that one of the keys in that file can then be used to accomplish
some other purpose that is needed to do what you asked mozilla to do.

The keys in that key3.db file are not derived from the Master Password.
They are randomly generated, and protected (encrypted) with a key derived
from the Master Password. The Master Password lets you decrypt the keys
in that key3.db file, but you must have the key3.db file from which to
decrypt them. You cannot recreate the keys in the key3.db file if you
do not have the key3.db file. The Master Password is not enough to
recreate the keys in that file, by itself.

Until you create a master password for your profile, then the "master
password" is merely the empty string. But that does not mean that all
the keys in the key3.db file are the same for all users with empty master
passwords.

Each time you start with an empty key3.db file (e.g. in a new profile)
and you save a new encrypted password, mozilla makes up a new random
key to encrypt your encrypted passwords, and stores that new key in the
key3.db file, encrypted with a key derived from your "master password"
(even if it is empty).

You can create a new key3.db file, and use the same "Master Password" to
lock it that you used for the old key3.db file, but the secret password
encryption key in the new key3.db file will not be the same secret key
that was in your old key3.db file. So, even though you may have used
the same "Master Password" for both key3.db files, if mozilla has your
new key3.db file, mozilla will not be able to decrypt passwords that
were encrypted with the password in your old key3.db file.

This is not accidental, by the way. It is as designed.
The need for treating *.s, *.w, key3.db and cert*.db as a set has been
written about many times in mozilla newsgroups. I'm not sure why it
seems to be such a mystery now.

According to your recent reports, you now have a *.s file that contains
a mixture of passwords, some that can be decrypted (because they were
encrypted with the new key in your new key3.db file), and others that
cannot be decrypted (with your new key3.db file) because they were
encrypted with the key in your old key3.db file. I don't know of any
tool that will take passwords encrypted with multiple keys and convert
them to all have been encrypted with a single key.

Your options include these (and perhaps others):

a) If you have them backed up and can restore them, restore your original
*.s *.w and cert*.db and key*.db files into your mozilla profile directory.
Then just resume using those files (e.g., forget the current password files
that are half old and half new). You already know about changes needed
to the *.s and *.w files. The cert and key DB file names need no changes.

b) Backup your current *.s, *.w, cert and key DB files, then restore the
old *.s, *.w, cert and key DB files, get the passwords out of them with
mozilla (e.g. copy them onto paper, temporarily), then switch back to
the new files, and enter the passwords into the new files.


Before doing any of those, be SURE that you back up your Current files with
those names, and be SURE that mozilla is NOT running whenever you use ANY
other program on those files (e.g. to back them up, restore them, rename
them, or whatever)!

--
Nelson B
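
An added illustration of the key-wrapping design described in the post above; it is not part of the thread and not Mozilla's code. The names `KeyDB`, `seal` and `unseal` are hypothetical, the cipher is a stand-in built from HMAC-SHA256, and the real key3.db format and algorithms are not reproduced. It shows why a new key database locked with the same Master Password cannot read entries written under the old one.

```python
import hashlib
import hmac
import os

ROUNDS = 10_000  # PBKDF2 iterations; kept small so the example runs quickly


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode."""
    blocks, counter = b"", 0
    while len(blocks) < length:
        msg = nonce + counter.to_bytes(4, "big")
        blocks += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return blocks[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class KeyDB:
    """Hypothetical stand-in for key3.db: one random data key, stored wrapped."""

    def __init__(self, master_password: str = ""):
        self.salt = os.urandom(16)
        data_key = os.urandom(32)  # random, NOT derived from the password
        self.wrapped = seal(self._kek(master_password), data_key)

    def _kek(self, master_password: str) -> bytes:
        # The Master Password only yields the key that wraps the data key.
        return hashlib.pbkdf2_hmac(
            "sha256", master_password.encode(), self.salt, ROUNDS
        )

    def unlock(self, master_password: str) -> bytes:
        return unseal(self._kek(master_password), self.wrapped)


def save_password(db: KeyDB, master_password: str, secret: str) -> bytes:
    return seal(db.unlock(master_password), secret.encode())


def read_password(db: KeyDB, master_password: str, entry: bytes) -> str:
    return unseal(db.unlock(master_password), entry).decode()


def demo() -> dict:
    master = "correct horse"  # constructed sample value
    old_db = KeyDB(master)
    old_entry = save_password(old_db, master, "hunter2")

    # Reinstall: a fresh key DB locked with the SAME Master Password.
    new_db = KeyDB(master)
    new_entry = save_password(new_db, master, "s3cret")

    cases = {
        "old_entry_old_db": (old_db, old_entry),
        "old_entry_new_db": (new_db, old_entry),  # the situation in the thread
        "new_entry_new_db": (new_db, new_entry),
    }
    results = {}
    for name, (db, entry) in cases.items():
        try:
            results[name] = read_password(db, master, entry)
        except ValueError:
            results[name] = None  # undecryptable with this key DB
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```
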

Bob

Nov 3, 2004, 9:39:45 AM
On Tue, 02 Nov 2004 23:45:44 -0800, Nelson B
<NOnels...@NObolyardSPAM.com> wrote:

>The short answer to your problem is this: In order to reuse the contents
>of the old *.s and *.w files, your profile must also have the old cert8.db
>file and key3.db file that were in use when the *.s and *.w files were
>created and/or updated. Those files should be thought of as a set.

[snip to save space. If someone wants to see everything, then go back
and read it. People who are following this thread do not want to see
it twice.]

Thanks for the heads up.

David Ross

Nov 3, 2004, 1:21:06 PM

Here is my interpretation of what you describe:

My sensitive information (e.g., passwords) are protected by
encryption. This encryption uses a key that is not only different
for each installation but for each profile within that
installation. There is even a different encryption key within the
profile for each file containing sensitive information.

The encryption keys themselves are contained within a
profile-specific file that itself is then encrypted by my master
password (or by a hash thereof). My master password itself is not
stored except in my head (unless I am foolish enough to write it
down).

Is this correct?

Phillip M. Jones, C.E.T

Nov 3, 2004, 1:55:47 PM
Did you "really" to give all this detail?

Now anyone that's crooked and wants to get passwords in Mozilla,
FireFox, Tbird now has a perfect blueprint for figuring out which files
to work on.

Gee!

--
---------------------------------------------------------------------------
Phillip M. Jones, CET |MEMBER:VPEA (LIFE) ETA-I, NESDA,ISCET, Sterling
616 Liberty Street |Who's Who. PHONE:276-632-5045, FAX:276-632-0868
Martinsville Va 24112-1809 |pjo...@kimbanet.com, ICQ11269732, AIM pjonescet
---------------------------------------------------------------------------

If it's "fixed", don't "break it"!

mailto:pjo...@kimbanet.com

<http://www.kimbanet.com/~pjones/default.htm>
<http://home.kimbanet.com/~pjones/birthday/index.htm>
<http://vpea.exis.net>

Phillip M. Jones, C.E.T

Nov 3, 2004, 2:00:20 PM

Gee Wheez! has everyone gone daft!!!!

This is one subject that should have never, ever been detailed let alone
even brought up.

with all the crooks in the world now.

Now I'll have to think about erasing all my usernames and passwords and
not use any in any of the Moz products.

Pass the Tums please! :-(

David Ross

Nov 3, 2004, 7:18:04 PM

If it works as I described, then Mozilla works the same way PGP
works. The only difference is in terminology:

Mozilla has encryption keys in key3.db, each of which is encrypted
to the user's master password.

PGP has private keys in Secring.pgp or secring.skr (depending on
PGP version). Each private key is encrypted to a hash of a user's
pass-phrase (with usually a different pass-phrase for each private
key).

For PGP, this is common knowledge, thoroughly documented in the PGP
User's guide. Such public information does not compromise PGP
encryption. Indeed, the trust given PGP derives from making its
internal workings -- including the source code -- public so that
interested users can examine it for weaknesses and backdoors.
Security is found with a hard to guess pass-phrase; users are
encouraged to use pass-phrases that include letters (both upper-
and lower-case), numbers, special characters, and blanks. I
suggest that Mozilla users heed that advice when choosing master
passwords. Security is also found with controls on physical and
electronic access to the computer; this is something that is very
important whether or not you use Mozilla's Password Manager.

A compromise of a PGP private key without its pass-phrase is
annoying but not catastrophic. In the hands of a hacker, the
thought police, or your spouse's divorce attorney, having the
private key might allow encrypted files to be decrypted a little
more easily than not having the private key. However, without a
weak pass-phrase (e.g., short, easily guessed), even having the
private key might still require several days or weeks to decrypt
protected files, enough time to generate a new set of keys, change
all passwords on financial and other accounts, and re-encrypt the
files containing them.

Bob

Nov 3, 2004, 10:10:53 PM
On Wed, 03 Nov 2004 13:55:47 -0500, "Phillip M. Jones, C.E.T"
<pjo...@kimbanet.com> wrote:

>Now anyone that's crooked and wants to get passwords in Mozilla,
>FireFox, Tbird now has a perfect blueprint for figuring out which files
>to work on.

As if they would want to do that.

If your passwords are *that* sensitive, you need to be using something
more secure than a scheme like this. How do you know, for example,
that these very same crooks have not discovered how to factor the
product of two large prime numbers, rendering PKE useless?

You must use a one time pad if you want absolute cryptographic
security - only don't let any crooks get ahold of the key.

Do you know why it is absolutely impossible to decrypt a cipher that
has been encrypted using the OTP method?

Hint: Unicity Distance.

Doug Kanter

Nov 3, 2004, 11:05:13 PM
"Phillip M. Jones, C.E.T" <pjo...@kimbanet.com> wrote in message
news:cmb9jl$9c...@ripley.netscape.com...

> >
> Did you "really" to give all this detail?
>
> Now anyone that's crooked and wants to get passwords in Mozilla,
> FireFox, Tbird now has a perfect blueprint for figuring out which files
> to work on.

I suspect that someone capable of doing the nasty stuff doesn't need the
explanation provided. But more important, since we're talking about a
browser here, and someone suggested not using Moz because of this scheme,
which browser would you replace it with? Which one do you KNOW has a better
scheme, one which has never been discussed between two human beings anyplace
on the web?


Nelson B

Nov 4, 2004, 6:38:02 AM
David Ross wrote:

> Here is my interpretation of what you describe:
>
> My sensitive information (e.g., passwords) are protected by encryption.

If you chose that, yes.

> This encryption uses a key that is not only different
> for each installation but for each profile within that installation.

Correct.

> There is even a different encryption key within the
> profile for each file containing sensitive information.

Not exactly. There may be more than one encryption key, but
presently, AFAIK, there is not typically one for each file.

> The encryption keys themselves are contained within a
> profile-specific file that itself is then encrypted by my master
> password (or by a hash thereof). My master password itself is not
> stored except in my head (unless I am foolish enough to write it
> down).
>
> Is this correct?

Yes, essentially.

--
Nelson B

Bob

Nov 4, 2004, 10:27:55 AM
On Thu, 04 Nov 2004 04:05:13 GMT, "Doug Kanter"
<ancien...@hotmail.com> wrote:

>I suspect that someone capable of doing the nasty stuff doesn't need the
>explanation provided. But more important, since we're talking about a
>browser here, and someone suggested not using Moz because of this scheme,
>which browser would you replace it with? Which one do you KNOW has a better
>scheme, one which has never been discussed between two human beings anyplace
>on the web?

Even if all of the crooks in the world knew this, what good would it
do them? There is no way to crack the crypto unless you know the key
and that doesn't take a detailed description to realize.

This is a tempest in a teapot. Can we move on to more relevant
matters.


--

Life is not a journey to the grave with the intention of
arriving safely in one pretty and well-preserved piece.
One should rather skid in broadside, thoroughly used up,
totally worn out, and loudly proclaiming "WOW! WHAT A RIDE!"

Phillip M. Jones, C.E.T

Nov 4, 2004, 2:43:24 PM
It's one thing to describe what security measures are taken it one thing.

But to describe in minute exactly, is another.

As crooked as the world is now we can't be passing out secrets like it's
candy.

I'm just hoping against hope that everyone on this group is honest and
wouldn't try the knowledge to do harm.

Bob

Nov 4, 2004, 5:48:33 PM
On Thu, 04 Nov 2004 14:43:24 -0500, "Phillip M. Jones, C.E.T"
<pjo...@kimbanet.com> wrote:

> It's one thing to describe what security measures are taken it one thing.
>But to describe in minute exactly, is another.
>As crooked as the world is now we can't be passing out secrets like it's
>candy.
>I'm just hoping against hope that everyone on this group is honest and
>wouldn't try the knowledge to do harm.

What are you so worried about? In crypto, everything is known except
the key. You cannot hide anything but the key.

In crypto, obscurity is not security. Read Bruce Schneier's classic
reference, Applied Cryptography, on the subject before you get a
coronary at an early age.

<jeez>

--

Life is not a journey to the grave with the intention of
arriving safely in one pretty and well-preserved piece.
One should rather skid in broadside, thoroughly used up,
totally worn out, loudly proclaiming "WOW! WHAT A RIDE!"

David Ross

Nov 4, 2004, 7:32:18 PM
"Phillip M. Jones, C.E.T" wrote:
>
> Doug Kanter wrote:
> > "Phillip M. Jones, C.E.T" <pjo...@kimbanet.com> wrote in message
> > news:cmb9jl$9c...@ripley.netscape.com...
> >
> >
> >>Did you "really" to give all this detail?
> >>
> >>Now anyone that's crooked and wants to get passwords in Mozilla,
> >>FireFox, Tbird now has a perfect blueprint for figuring out which files
> >>to work on.
> >
> >
> > I suspect that someone capable of doing the nasty stuff doesn't need the
> > explanation provided. But more important, since we're talking about a
> > browser here, and someone suggested not using Moz because of this scheme,
> > which browser would you replace it with? Which one do you KNOW has a better
> > scheme, one which has never been discussed between two human beings anyplace
> > on the web?
> >
> >
> It's one thing to describe what security measures are taken.
>
> But to describe in minute exactly, is another.
>
> As crooked as the world is now we can't be passing out secrets like it's
> candy.
>
> I'm just hoping against hope that everyone on this group is honest and
> wouldn't try the knowledge to do harm.

The most secure encryption system is PGP, which is indeed described
in minute detail. As I indicated before, it's only because of that
detail that PGP is accepted as secure. When NAI (the former owner
of the PGP product line) stopped making the source code available
for public review, users stopped installing new versions because of
concern about backdoors and other intentional vulnerabilities. PGP
Corp. (the current owner of the product line) resumed making the
source code available, which rekindled interest in new versions.
No, not everyone reviews the code; but the possibility that someone
can review it gives the rest of us some confidence that PGP Corp.
has released software that is indeed secure.

By the way, the PGP algorithms are fully detailed in various public
RFCs, including RFC 2440. While some might try to improve on the
algorithms, most effort is directed towards implementing the same
algorithms in different products to compete with PGP Corp.

Just because you have all the details about the algorithms of an
encryption system and how they are implemented does not give you
the decryption keys, especially when the keys themselves are first
randomly generated and then encrypted with a password that is NOT
stored on the computer. To attack my password file, you need the
decryption key. Although the key itself is in a file on my PC, you
can't get it because it too is encrypted with my master password.
The master password to decrypt the key to then decrypt the contents
of my password file exists only in my mind, not on my PC.

When I earlier said that I "seeded my profile with fake copies of
the files", that was because I did not have this understanding,
which I got from Nelson B's message (02 Nov 2004 23:45:44 -0800) in
this thread. When I can safely determine which files are the
fakes, I will remove them as unnecessary.

Doug Kanter

Nov 4, 2004, 9:11:22 PM

"Bob" <sp...@spamcop.com> wrote in message
news:418a4a06...@news-server.houston.rr.com...

> On Thu, 04 Nov 2004 04:05:13 GMT, "Doug Kanter"
> <ancien...@hotmail.com> wrote:
>
> >I suspect that someone capable of doing the nasty stuff doesn't need the
> >explanation provided. But more important, since we're talking about a
> >browser here, and someone suggested not using Moz because of this scheme,
> >which browser would you replace it with? Which one do you KNOW has a better
> >scheme, one which has never been discussed between two human beings anyplace
> >on the web?
>
> Even if all of the crooks in the world knew this, what good would it
> do them? There is no way to crack the crypto unless you know the key
> and that doesn't take a detailed description to realize.
>
> This is a tempest in a teapot. Can we move on to more relevant
> matters.

Yeah. That's kind of what I was thinking. :-)


Doug Kanter

Nov 4, 2004, 9:12:08 PM

"Phillip M. Jones, C.E.T" <pjo...@kimbanet.com> wrote in message
news:cme0ou$ij...@ripley.netscape.com...

> Doug Kanter wrote:
> > "Phillip M. Jones, C.E.T" <pjo...@kimbanet.com> wrote in message
> > news:cmb9jl$9c...@ripley.netscape.com...
> >
> >
> >>Did you "really" to give all this detail?
> >>
> >>Now anyone that's crooked and wants to get passwords in Mozilla,
> >>FireFox, Tbird now has a perfect blueprint for figuring out which files
> >>to work on.
> >
> >
> > I suspect that someone capable of doing the nasty stuff doesn't need the
> > explanation provided. But more important, since we're talking about a
> > browser here, and someone suggested not using Moz because of this scheme,
> > which browser would you replace it with? Which one do you KNOW has a better
> > scheme, one which has never been discussed between two human beings anyplace
> > on the web?
> >
> >
> It's one thing to describe what security measures are taken.
>
> But to describe in minute exactly, is another.
>
> As crooked as the world is now we can't be passing out secrets like it's
> candy.
>
> I'm just hoping against hope that everyone on this group is honest and
> wouldn't try the knowledge to do harm.

I'm too tired, and I don't know how. Besides, why would I want your
passwords? You may have even less money in the bank than I do.


Bob

Nov 5, 2004, 2:21:51 AM
On Thu, 04 Nov 2004 16:32:18 -0800, David Ross <nob...@nowhere.not>
wrote:

>The most secure encryption system is PGP, which is indeed described
>in minute detail.

Not quite true. The only classical cryptosystem that is 100% secure is
the OTP (One Time Pad) cryptosystem. However, for practical purposes
the PKI system (which is used by PGP) is extremely secure if the key
is long enough and the correct crypto algorithms are implemented (see
pgpi.com, latest owners of PGP for details).

>As I indicated before, it's only because of that
>detail that PGP is accepted as secure. When NAI (the former owner
>of the PGP product line) stopped making the source code available
>for public review, users stopped installing new versions because of
>concern about backdoors and other intentional vulnerabilities.

That is indeed correct. PGP5 was the last version anyone trusted
because it was the last version for which source code was made
available.

Phil Zimmermann, inventor of PGP, was rumored to have sold out to the
spooks in exchange for "immunity" from further persecution at the
hands of the JBGTs (the very same ones who failed to prevent 911
because they were wasting valuable resources on people like Zimmermann,
the "Olympic Bomber" Richard Jewell and the Branch Davidians at the
Waco Massacre. Persecution is always much easier - and a lot more fun
- than prosecution).

>PGP Corp. (the current owner of the product line)

I believe PGPI claims ownership now, but I could be behind the times
on that.

>When I earlier said that I "seeded my profile with fake copies of
>the files", that was because I did not have this understanding,
>which I got from Nelson B's message (02 Nov 2004 23:45:44 -0800) in
>this thread. When I can safely determine which files are the
>fakes, I will remove them as unnecessary.
>
>--
>
>David E. Ross
><http://www.rossde.com/>
>
>I use Mozilla as my Web browser because I want a browser that
>complies with Web standards. See <http://www.mozilla.org/>.

--

Map Of The Vast Right Wing Conspiracy:
http://home.houston.rr.com/rkba/vrwc.html

I believe that sex is one of the most beautiful,
natural, wholesome things that money can buy.
--Tom Clancy

Phillip M. Jones, C.E.T

Nov 5, 2004, 7:40:25 PM
I know you do. :-)

I figure anyone on this newsgroup has more money than I do.

Bob

Nov 6, 2004, 11:06:19 AM
On Fri, 05 Nov 2004 19:40:25 -0500, "Phillip M. Jones, C.E.T"
<pjo...@kimbanet.com> wrote:

>I figure anyone on this newsgroup has more money than I do.

Then it is you we need to worry about getting our passwords.

Your guilty conscience gave you away.

<g>

Phillip M. Jones, C.E.T

Nov 6, 2004, 8:07:57 PM
Bob wrote:
> On Fri, 05 Nov 2004 19:40:25 -0500, "Phillip M. Jones, C.E.T"
> <pjo...@kimbanet.com> wrote:
>
>
>>I figure anyone on this newsgroup has more money than I do.
>
>
> Then it is you we need to worry about getting our passwords.
>
> Your guilty conscience gave you away.
>
> <g>
>
>
Too honest, that's probably the reason why I'm as poor as I am. ;-)