
an important issue - seeking advice

  • Paul Nevai
    Message 1 of 12 , Aug 27, 2005
      Hi Guys:

      Suppose that I decided, against all common sense, to introduce some
      encryption tool which, of course, would be the stupidest thing I ever did
      since all of you paranoid Europeans [smiley] would immediately demand
      encryption which can't be cracked, not even by Turing and Co., and which is
      based on factoring prime numbers with 10^100 digits or more.

      Anyway, for the sake of argument, let's assume that I did...

      QUESTION. Should such an encryption be based on passwords assigned to each
      individual text which is to be encrypted, or should it use the general
      password assigned to your Palm.

      Before you say anything, please think hard and use common sense. I can
      bring up numerous very valid reasons that either way it is a terribly bad
      idea with potentially disastrous consequences.

      Please respond only if you yourself can imagine such scenarios when either of
      them would lead to disaster. In other words, I'd like to hear the opinion of
      those who are sufficiently practical to see beyond the obvious.

      NOTE. Seriously, I think an encryption method which can't be cracked by
      ordinary people such as you and I is all that is needed on the Palm.

      All=my=best, Paul
    • John Markley
      Message 2 of 12 , Aug 27, 2005
        Hi, Paul:

        >Suppose that I decided, against all common sense, to introduce some
        >encryption tool.....

        Excellent idea.

        >
        >QUESTION. Should such an encryption be based on passwords assigned to each
        >individual text which is to be encrypted
        Yes

        >or should it use the general
        >password assigned to your Palm.
        No

        >Before you say anything, please think hard and use common sense.
        I did, (I hope).

        > I can
        >bring up numerous very valid reasons that either way it is a terribly bad
        >idea with potentially disastrous consequences.

        Which is precisely the point. For those who fear losing
        everything if they lose their one password, and for those who fear
        that one password is too vulnerable no matter how impenetrable the
        encryption, the multiple option is correct. For those who fear they
        won't be able to keep track of multiple pw, all that is necessary is
        to always use the same password, ie with the multiple option the
        single option is still available, but not the other way round.

        regards, John.
      • Adam Coleman
        Message 3 of 12 , Aug 27, 2005
          --- Paul Nevai <nevai@...-state.edu> wrote:

          > Hi Guys:
          >
          > Suppose that I decided, against all common sense, to introduce some
          > encryption tool which, of course, ....<snip>


          How is what you are considering different than the "private records"
          that are currently supported? The memos are hidden till I enter my
          system password. I personally don't foresee keeping anything requiring
          more security than that in my Palm.

          Adam
        • Paolo Amoroso
          Message 4 of 12 , Aug 27, 2005
            Paul Nevai <nevai@...-state.edu> writes:

            > Suppose that I decided, against all common sense, to introduce some
            > encryption tool which, of course, would be the stupidest thing I ever did
            [...]
            > QUESTION. Should such an encryption be based on passwords assigned to each
            > individual text which is to be encrypted, or should it use the general
            > password assigned to your Palm.

            This article by user interface guru Bruce Tognazzini:

            D'ohLT #2: Security D'ohLTs
            http://www.asktog.com/columns/058SecurityD'ohlts.html

            may seem to suggest the single password option on usability grounds.


            Paolo
            --
            Lisp Propulsion Laboratory log - http://www.paoloamoroso.it/log
          • Paul Nevai
            Message 5 of 12 , Aug 27, 2005
              Hi Adam:

              # > Suppose that I decided, against all common sense, to introduce some
              # > encryption tool which, of course, ....<snip>
              #
              #
              # How is what you are considering different than the "private records"
              # that are currently supported?

              See below.

              # The memos are hidden till I enter my system password. I personally don't
              # foresee keeping anything requiring more security than that in my Palm.

              I agree but hordes of peditors disagree [and hidden memos aren't encrypted
              and/or safe anyway, even a 5-year-old can read them].

              All=my=best, Paul
            • Paul Nevai
              Message 6 of 12 , Aug 27, 2005
                Hi John:

                # Which is precisely the point. For those who fear losing everything if they
                # lose their one password, and for those who fear that one password is too
                # vulnerable no matter how impenetrable the encryption, the multiple option
                # is correct. For those who fear they won't be able to keep track of
                # multiple pw, all that is necessary is to always use the same password, ie
                # with the multiple option the single option is still available, but not the
                # other way round.

                Just my personal opinion...

                Your scenario assumes that people make smart decisions in advance. In real
                life the opposite is true. Almost all smart decisions come from after the
                facts. That's why we even have that saying about hindsight and 20/20.

                RELATED QUESTION. Once you encrypt a memo, how can you remember what password
                you used? The encrypted memo has no relationship with the original one
                [except that once decrypted, it becomes the original].

                All=my=best, Paul
              • John Markley
                Message 7 of 12 , Aug 27, 2005
                  Hi, Paul:
                  >Just my personal opinion...
                  >
                  >Your scenario assumes that people make smart decisions in advance. In real
                  >life the opposite is true. Almost all smart decisions come from after the
                  >facts. That's why we even have that saying about hindsight and 20/20.
                  Sad, but likely true.

                  >RELATED QUESTION. Once you encrypt a memo, how can you remember what password
                  >you used? The encrypted memo has no relationship with the original one
                  >[except that once decrypted, it becomes the original].

                  CAUTION- This response is being written after a glass of red
                  wine before dinner. However, I do believe it to be rational. :)
                  In real life, as you say, I encrypt things (if necessary,
                  which is relatively rare - but I like the idea of being able to) in
                  categories. I have two basic passwords I use to which I append a
                  permutation (known only to me, heh heh) of the category in question.

                  cheers, John
                • Jeff Roule
                  Message 8 of 12 , Aug 27, 2005
                    Hey Paul,

                    I would have to vote for one password, though not necessarily the same
                    password as the system password. That way you get a double layer of
                    protection: if someone should figure out the system password, they still
                    have to get through the pEdit password to actually get to your memos.

                    rgds,
                    Jeff

                    Paul Nevai wrote:

                    >Hi Guys:
                    >
                    >Suppose that I decided, against all common sense, to introduce some
                    >encryption tool which, of course, would be the stupidest thing I ever did
                    >since all of you paranoid Europeans [smiley] would immediately demand
                    >encryption which can't be cracked, not even by Turing and Co., and which is
                    >based on factoring prime numbers with 10^100 digits or more.
                    >
                    >Anyway, for the sake of argument, let's assume that I did...
                    >
                    >QUESTION. Should such an encryption be based on passwords assigned to each
                    >individual text which is to be encrypted, or should it use the general
                    >password assigned to your Palm.
                    >
                    >Before you say anything, please think hard and use common sense. I can
                    >bring up numerous very valid reasons that either way it is a terribly bad
                    >idea with potentially disastrous consequences.
                    >
                    >Please respond only if you yourself can imagine such scenarios when either of
                    >them would lead to disaster. In other words, I'd like to hear the opinion of
                    >those who are sufficiently practical to see beyond the obvious.
                    >
                    >NOTE. Seriously, I think an encryption method which can't be cracked by
                    >ordinary people such as you and I is all that is needed on the Palm.
                    >
                    >All=my=best, Paul
                    >
                    >
                  • John Kershaw
                    Message 9 of 12 , Aug 28, 2005
                      At 14:06 -0400 27/8/05, John Markley wrote:
                      >For those who fear they won't be able to keep track of multiple pw,
                      >all that is necessary is to always use the same password, ie with
                      >the multiple option the single option is still available, but not
                      >the other way round.

                      I agree with John. I've used ReadThis! almost since I got my handheld
                      and I use it to encrypt 3 memos:

                      * credit card info, which I use almost daily for web shopping, since
                      I don't carry my business credit card around with me, but have the
                      details to hand

                      * my list of server accounts (I run a bunch of web sites)

                      * my Christmas/birthday present list

                      The first two use the same password (derived from the initial letters
                      of a phrase from the three little pigs story of keeping the wolf
                      out), the third uses the initial letters from a Christmas carol. Both
                      of them are easy for me to remember, but random. (My wife knows the
                      first one, which is why her present ideas list uses a different one).

                      The first line doesn't get encrypted, does it? I've liked the way
                      ReadThis! does things so far (4 years of use) - you can either
                      encrypt the whole memo, or just bits within specified tags, so I can
                      write

                      Password: .<thepasswordhere>.

                      and only the bits inside .< >. get encrypted/unencrypted when I
                      leave/enter the memo.

                      Regards encryption strength, I think everyone will be happy with
                      encryption that can only be broken by someone with specialised tools,
                      knowledge & time. If the CIA/FBI/MI5 want to come reading my memos,
                      that's fine by me. I'm sure the stuff I'm encrypting could be got at
                      more easily by other means.

                      OTOH I'm not wanting to encrypt patient data that's subject to laws
                      about how secure it has to be. Anyone able to comment who is?

                      John.
                      --
                      -------------------------------------------------------------------
                      T:01274 581519 / M:07944 755613 www.kershaw.org john@...
                      skype:johnmkershaw AIM:johnkershaw MSN:john_m_kershaw@...
                    • Marcus Williams
                      Message 10 of 12 , Aug 30, 2005
                        On 27/08/2005 16:14, Paul Nevai wrote:
                        [...]
                        > I ever did
                        > since all of you paranoid Europeans [smiley] would immediately demand
                        > encryption which can't be cracked, not even by Turing and Co., and which is
                        > based on factoring prime numbers with 10^100 digits or more.
                        [...]

                        You can download and use the blowfish algorithm from Bruce Schneiers
                        (sp?) company website for free. This provides plenty of security for
                        your paranoid European types (which would include me :) All I'd
                        recommend is not to try and implement an algorithm yourself as it almost
                        certainly won't be as secure as you think. Don't take offense from this -
                        what I mean is, crypto needs to be done by cryptologists! Of course, you
                        might be a talented cryptologist as well so I'd have to eat my words then!

                        > QUESTION. Should such an encryption be based on passwords assigned to each
                        > individual text which is to be encrypted, or should it use the general
                        > password assigned to your Palm.

                        Personally, I'd rather have a password for each text with no passwords stored
                        on the Palm. You'll still have problems with the die hard tin foil hat
                        wearing palm users, but like you say you only really need enough to keep
                        your information away from prying eyes. The blowfish algorithm provides
                        this in spades - and has implementations specifically optimised for
                        small devices (I think OS5 has this alg built in in fact).

                        I'd like to be able to swipe a bit of text and bring up your tool, type
                        a password and have the text replaced for an encrypted text. Swipe and
                        type for decryption. But that's a feature request and you didn't ask that ;)

                        Marcus

                        --
                        Marcus Williams -- http://www.cad-schroer.co.uk
                        CAD Schroer UK, 39 Newnham Road, Cambridge, UK
                      • Paul Nevai
                        Message 11 of 12 , Aug 30, 2005
                          # All I'd recommend is not to try and implement an algorithm yourself as it
                          # almost certainly won't be as secure as you think. Don't take offense from
                          # this - what I mean is, crypto needs to be done by cryptologists! Of course,
                          # you might be a talented cryptologist as well so I'd have to eat my words
                          # then!

                          I agree with this. If I ever added encryption, I'd use a standard one,
                          perhaps with some extra twists. All=my=best, Paul
                        • mervynvv
                          Message 12 of 12 , Sep 2, 2005
                            Hi Paul
                            I would like to second this suggestion - one password for pedit
                            encrypted memos which is different from the System password could
                            be a good balance
                            Regards
                            Mervyn
                            --- In peditors@yahoogroups.com, Jeff Roule <jeffroule@y...> wrote:
                            > Hey Paul,
                            >
                            > I would have to vote for one password, though not necessarily the same
                            > password as the system password. That way you get a double layer of
                            > protection: if someone should figure out the system password, they still
                            > have to get through the pEdit password to actually get to your memos.
                            >
                            > rgds,
                            > Jeff
                            >
                            > Paul Nevai wrote:
                            >
                            > >Hi Guys:
                            > >
                            > >Suppose that I decided, against all common sense, to introduce some
                            > >encryption tool which, of course, would be the stupidest thing I ever did
                            > >since all of you paranoid Europeans [smiley] would immediately demand
                            > >encryption which can't be cracked, not even by Turing and Co., and which is
                            > >based on factoring prime numbers with 10^100 digits or more.
                            > >
                            > >Anyway, for the sake of argument, let's assume that I did...
                            > >
                            > >QUESTION. Should such an encryption be based on passwords assigned to each
                            > >individual text which is to be encrypted, or should it use the general
                            > >password assigned to your Palm.
                            > >
                            > >Before you say anything, please think hard and use common sense. I can
                            > >bring up numerous very valid reasons that either way it is a terribly bad
                            > >idea with potentially disastrous consequences.
                            > >
                            > >Please respond only if you yourself can imagine such scenarios when either of
                            > >them would lead to disaster. In other words, I'd like to hear the opinion of
                            > >those who are sufficiently practical to see beyond the obvious.
                            > >
                            > >NOTE. Seriously, I think an encryption method which can't be cracked by
                            > >ordinary people such as you and I is all that is needed on the Palm.
                            > >
                            > >All=my=best, Paul
                            > >
                            > >