On Tue, Sep 21, 2010 at 10:40 AM, "Mr. Teo En Ming (Zhang Enming) 张恩鸣 of
Singapore" <space.time.universe@×××××.com> wrote:

> Article: Google Warns of China Exit Over Hacking
> Link: http://online.wsj.com/article/SB126333757451026659.html
>

Nice to be back in January and OT ;)

> I don't think it is that easy to hack if you are using SSL connections and
> very strong passwords. How long would it take supercomputers to perform a
> brute force attack if you are using a strong password with at least 20
> characters, and a combination of upper case and lower case letters, numbers,
> and symbols?
>

In TFA they said the attack against Google was sophisticated and IP was also
stolen, so if that's true it wasn't a brute force against Gmail accounts
which isn't sophisticated or would reveal any of Google's IP.

Also an easier way to attack Gmail passwords would be via a MITM with a
dodgy certificate. x509 authentication is as weak as the weakest CA in a web
browser's trusted certificate store.... Remember the dodgy Mozilla cert
from last year?

>
> I am wondering if Chinese government officials could have secretly
> approached specific Google China employees for direct access to the Google
> GMail email accounts of human rights activists in China? It would have been
> far simpler to do it that way. What is the size of China's sovereign wealth
> fund?
>

Or they could get their agents to apply for jobs at Google and get in that
way.

This would be OnT at securityfocus.com Security Basics list. You'd probably
get an answer about the password cracking time there, but you'd need to
specify the conditions (online or offline, and if offline what format the
passwords are stored in).