Do you trust them? How much?

[atferrari]

These are concrete questions, not a rant in disguise.

a) Sites as duduckgo.com say they are not tracking their users. How mere mortals, not conversant on the innards of the Web (my case), could confirm that?

b) Virtual keyboards offered for home banking, couldn't be reverse engineered for an on-the-fly decoding?

c) Hardware versus virtual keyboards? What do you think?

d) Sites offering to verify how good/strong your passwords are, aren't they plain collecting points of passwords from candid users?

 

[Grossel]

a: Cannot really know for sure.
b: I see no reason why it should be more difficult to snag passwords from virtual keyboards compared to physical ones.
c: Hardware, it will always be. I type a lot faster on a keyboard where I can actually feel the key presses.
d: I tend to use spechial caracters (very easy simply because there are several characters to use - ÆØÅ) but there is some web pages that doesn't accept those, so in that case the site probably creates a profile, but I never receive a mail to confirm (follow link to activate), resulting in a shadow user with same usermane and mail address, so I cannot try again unless I change both username and mail address.

 

[large_ghostman]

Sites as duduckgo.com say they are not tracking their users. How mere mortals, not conversant on the innards of the Web (my case), could confirm that?

They dont track as such but do collect data, mostly just country and search term. nothing like google

b) Virtual keyboards offered for home banking, couldn't be reverse engineered for an on-the-fly decoding?

Hard or soft keyboard makes no difference

Sites offering to verify how good/strong your passwords are, aren't they plain collecting points of passwords from candid users?

Yes these end up in tools for rainbow cracking passwords, they are not looking to match user to password, they are looking for the most common/most used so tools can be adjusted when password cracking.

Worst thing is fixed lengh passwords, those that make you do say 6 letter one. Straight away a hacker knows to set the tool to try only 6 letter combinations. You would believe how simply most passwords are, make people add a number and 99% choose number? yes 1 ask then to choose 2 numbers and most use? yes 11.

Best password?
One thats unpredictable, it used to be add a special character at the start then a number then the word then at the end a special character then a number. These are now all solid in rainbow tables and take mostly just over 75 mins to crack a hard one using GPU rainbow cracking.

So pick a phrase.........

Lets say its for ETO and you want a length of nine
Pick 2 numbers mid range but not too close or whatever number you want
56
Then the phrase

electronics is my hobby online

Take the phrase and do one of two things
1)EiMhO
2)oHmIe

so now we have 56EiMhO

now two special charaters
not the = sign please!
or !

%£

final password
56EiMhO%£

Try it and see how long to crack, fast machine dual graphics card using Kali linux and rainbow tables and i am already upto 2 hours most hacking machines that would equal around 10 hours work so far and the tables havnt got close yet.

Or you can switch it around a bit, but thats the general idea to make a password you can remember and is hard to crack.

 

[tcmtech]

These are concrete questions, not a rant in disguise.

a) Sites as duduckgo.com say they are not tracking their users. How mere mortals, not conversant on the innards of the Web (my case), could confirm that?

b) Virtual keyboards offered for home banking, couldn't be reverse engineered for an on-the-fly decoding?

c) Hardware versus virtual keyboards? What do you think?

d) Sites offering to verify how good/strong your passwords are, aren't they plain collecting points of passwords from candid users?

The way hacking and ID theft was explained to me is that hackers are rather like martial arts experts. Unless you go and draw attention to yourself very few ever have reason to seriously go after you for anything.

The key to general security is to simply appear to not be worth going after. Afterall, hacking takes some time, resources and risk so simply do not be worth their investing it in you. It's not perfect but statically it's some of the best protection you can have for the least cost.

All locks can be picked, The secret is to know what level of lock you do need for what you are protecting with it.

Believe me, nobody who matters cares what your ETO password is and even if they did get around it how much damage could they do to your account that a moderator couldn't undo in a few minutes? The same reality holds true for the vast majority of your other online activities too.

 

[unclejed613]

my thoughts on these:

1) if you are searching for something, and really don't want to be tracked, use Tor Browser. duck also has an onion domain **broken link removed** this is a hidden service, and there's no transit through the clearweb.

2) and 3) i never use software keyboards or even wireless keyboards for online banking or anything that important. don't use a software keyboard unless you can read the source code to know what's in it. there are any number of wireless keyboard hacks, just go look up videos from the DEFCON, BlackHat and CCC conventions on youtube.

4) such tools as password generators and password analyzers are available on github. again, source code that you can read is important because it can be read and analyzed to confirm it doesn't contain any malicious code.

i realize not everybody can read source code, but the idea behind open source software is that if there's something nefarious or a security hole in a piece of software, somebody will start yelling loudly that there's a problem with it, because there are people that can read source code, that know how to find security problems, and will raise a stink about it until it gets fixed. this is why people use linux, the code is out there publicly, and is constantly getting reviewed by security researchers and various contributors who wish to keep linux moving forward. you don't find a security hole in proprietary systems until somebody stumbles across it, and either uses it maliciously or publishes it. such security holes may also be unintended consequences of something implemented in the software that the user does not know is there, such as the software constantly sending usage data back to the vendor. because the source code is not available, only the vendor knows the "feature" exists.... until somebody figures out a way to exploit it.

 

[dknguyen]

Unless the output from my hardware keyboard never passes through any software whatsoever, I don't see why a virtual keyboard would be any worse.

 

[unclejed613]

most "virtual keyboard" apps are using a touch screen, which has many characteristics in common with a mouse, so yes i would agree with you there. i guess i was assuming that the "virtual keyboard" was using a piece of software installed by the user, and not part of the OS originally.

another possibility with a virtual keyboard, would be that the touch screen has a surface that can emit RF, and as such the RF can be analyzed and keystrokes derived from the noise. however, with that level of snooping, there isn't really much you can do about it, because a wired keyboard is also something that can be monitored, as well as the video displayed on the monitor. the cost of a TEMPEST shielded these days is astronomical. if you think somebody is using that level of technology to hack you and steal passwords, you probably have other problems to deal with that can't be remedied by preventing hacking. are there hackers and identity thieves that use such methods? yes, but sitting on one person's system waiting for card numbers and passwords is actually too expensive and labor intensive. most of the stolen card and password data comes from mass-distributed malware. such malware comes from opening executables or links sent in phishing emails. other malware comes from innocent looking executables you get when you go looking for something like a "virtual keyboard" program. there was a time when you could go to tucows.com or simtel.net and download windows software, and there not be anything malicious in the code, because those two platforms regularly scanned their files for viruses. these days you don't have a clue what's in the program you download unless you get it direct from the author (and even then do you really know?). i've learned to distrust new software unless i can read the source code. for instance, if you could read the source code for a program that does work as a virtual keyboard, and you find the software is opening TCP ports on the network device, you would think "why does it open a network port?". it's a keyboard replacement, and shouldn't need any network hooks. but, in many cases, especially in the Windows world, hardly anything is open source, so you can't look at it. if i find such a piece of software on github, however, i can look and see what's going on inside of it, and if i don't trust the binary, i still can download the source code and compile it.