Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
 
  • Post
  • Reply
mystes
May 31, 2006

oh yeah I think it's just written unclearly. Probably they use the email text plus a standard list for email attachments and just use the standard list for files elsewhere.

I guess you could interpret it to meant that they build a list of possible passwords from emails and apply that everywhere but it doesn't sound like that's what they're actually doing

Adbot
ADBOT LOVES YOU

Beeftweeter
Jun 28, 2005

a medium-format picture of beeftweeter staring silently at the camera, a quizzical expression on his face
i guess using a list is possible

i wonder if they do that with any other archive formats then. relatedly, i wonder if there are any that will delete their contents after a brute-force attempt, and if so, would ms then be liable for data loss?

Shaggar
Apr 26, 2006
one drive is pretty integrated w/ email if you're using the full outlook client so its entirely possible that emails related to a onedrive hosted attachment are being scraped for passwords for the attachment.

mystes
May 31, 2006

Beeftweeter posted:

i wonder if they do that with any other archive formats then. relatedly, i wonder if there are any that will delete their contents after a brute-force attempt, and if so, would ms then be liable for data loss?
It's just a file; that doesn't really make sense

infernal machines
Oct 11, 2012

the future has already arrived. it's just not evenly distributed yet.

Beeftweeter posted:

i guess using a list is possible

i wonder if they do that with any other archive formats then. relatedly, i wonder if there are any that will delete their contents after a brute-force attempt, and if so, would ms then be liable for data loss?

they're not liable for just straight up losing your data for any reason at all, and they explicitly tell you to have a backup outside of onedrive/sharepoint, so probably not

Shaggar
Apr 26, 2006
i would imagine deleting known malicious files is probably something mentioned in the terms of service that they do and on top of that its probably against tos to intentionally post those files to one drive.

Beeftweeter
Jun 28, 2005

a medium-format picture of beeftweeter staring silently at the camera, a quizzical expression on his face
yeah i don't mean necessarily malicious files. let's say you have a passworded archive that can somehow delete itself (or, idk, make its contents permanently inaccessible) after, idk, 10 password attempts

you have no reasonable expectation that ms will ever try to access that data, but if they're brute forcing archive files then they might. them accessing it and it blanking itself could possibly get around anything they have in the TOS about simply losing data since they would trigger its "self-destruct"

but either way that's entirely hypothetical since i'm not aware of any formats that are actually capable of this and don't see how an implementation would work anyway

Last Chance
Dec 31, 2004

infernal machines posted:

they're not liable for just straight up losing your data for any reason at all, and they explicitly tell you to have a backup outside of onedrive/sharepoint, so probably not

its fun seeing how many peopel say that they've "backed up their photos/files/wahtever" with onedrive, icloud, and other file sync services lol

Shaggar
Apr 26, 2006

Beeftweeter posted:

yeah i don't mean necessarily malicious files. let's say you have a passworded archive that can somehow delete itself (or, idk, make its contents permanently inaccessible) after, idk, 10 password attempts

you have no reasonable expectation that ms will ever try to access that data, but if they're brute forcing archive files then they might. them accessing it and it blanking itself could possibly get around anything they have in the TOS about simply losing data since they would trigger its "self-destruct"

but either way that's entirely hypothetical since i'm not aware of any formats that are actually capable of this and don't see how an implementation would work anyway

i dont think a zip file can be self deleting like that

infernal machines
Oct 11, 2012

the future has already arrived. it's just not evenly distributed yet.

Last Chance posted:

its fun seeing how many peopel say that they've "backed up their photos/files/wahtever" with onedrive, icloud, and other file sync services lol

yeah, but for most people's purposes it's better than what they'd have otherwise (nothing at all).

for business use, where actual money is involved? not so much, no. you should have another layer or two of backups

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Beeftweeter posted:

yeah i don't mean necessarily malicious files. let's say you have a passworded archive that can somehow delete itself (or, idk, make its contents permanently inaccessible) after, idk, 10 password attempts

the bytes stored on disk don't change when you try to guess a password.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem
anyway i know security researchers have a lot of trouble emailing malware samples around for collaboration, and putting it in a zip file with a well-known password is the usual way around that. lmao if they just can't do that anymore

sb hermit
Dec 13, 2016





Beeftweeter posted:

yeah i don't mean necessarily malicious files. let's say you have a passworded archive that can somehow delete itself (or, idk, make its contents permanently inaccessible) after, idk, 10 password attempts

you have no reasonable expectation that ms will ever try to access that data, but if they're brute forcing archive files then they might. them accessing it and it blanking itself could possibly get around anything they have in the TOS about simply losing data since they would trigger its "self-destruct"

but either way that's entirely hypothetical since i'm not aware of any formats that are actually capable of this and don't see how an implementation would work anyway

For a standard password protected file, there is no good mechanism to enforce maximum retries. Nothing gets around "copy this file somewhere else and try to unlock it" so no one bothers to implement anything like that.

Now, something that has a 3rd party holding the keys in escrow (like a hardware device or key server, or even just drive or device firmware) is a different matter but then it would (or should, depending on implementation) be impossible for microsoft to just brute force.

sb hermit
Dec 13, 2016





Jabor posted:

anyway i know security researchers have a lot of trouble emailing malware samples around for collaboration, and putting it in a zip file with a well-known password is the usual way around that. lmao if they just can't do that anymore

at this point they may as well just use gpg or s/mime to encrypt the samples despite how annoying it is

or just upload it to a central repository

Beeftweeter
Jun 28, 2005

a medium-format picture of beeftweeter staring silently at the camera, a quizzical expression on his face

Shaggar posted:

i dont think a zip file can be self deleting like that

afaik they can't

Jabor posted:

the bytes stored on disk don't change when you try to guess a password.

sb hermit posted:

For a standard password protected file, there is no good mechanism to enforce maximum retries.

right, right. like i said it was entirely hypothetical. i don't see how something like that could be implemented in an ostensibly read-only environment either

Beeftweeter
Jun 28, 2005

a medium-format picture of beeftweeter staring silently at the camera, a quizzical expression on his face

Jabor posted:

anyway i know security researchers have a lot of trouble emailing malware samples around for collaboration, and putting it in a zip file with a well-known password is the usual way around that. lmao if they just can't do that anymore

they might have to start generating passwords and then sharing links to them on pastebin or something lol. presumably the scanning mechanism doesn't (presently) also follow urls

Chris Knight
Jun 5, 2002

And I'm only saying this because I care.

There are a lot of decaffeinated brands on the market today that are just as tasty as the real thing.


Fun Shoe
blockchain fixes this

sb hermit
Dec 13, 2016





I never quite cared enough to figure it out but realmedia files (yes, THAT realplayer) seemed to corrupt themselves after I played them back enough times.

Knowing how much realplayer was some proprietary piece of poo poo, I would not be surprised if they updated metadata or something on playback and mistakes happen at some point. Or maybe my hard drive was going bad.

N.Z.'s Champion
Jun 8, 2003

Yam Slacker
time to rot13 my email zip passwords

Raere
Dec 13, 2007

Is hunter2 on Microsoftís zip file password list?

spankmeister
Jun 15, 2008






Jabor posted:

anyway i know security researchers have a lot of trouble emailing malware samples around for collaboration, and putting it in a zip file with a well-known password is the usual way around that. lmao if they just can't do that anymore

gmail has been doing this for at least 10 years now.

SlowBloke
Aug 14, 2017
Isn't ZIP files password protection trivially easy to unlock? I remember 7zip clamoring their password protection being the sole decent implementation when it was new :corsair:

Crime on a Dime
Nov 28, 2006
you could use decent encryption on a plain zip if you need to share samples via email for some reason

Diva Cupcake
Aug 15, 2005

Jabor posted:

anyway i know security researchers have a lot of trouble emailing malware samples around for collaboration, and putting it in a zip file with a well-known password is the usual way around that. lmao if they just can't do that anymore

but actually lmao because just encrypt it instead using a dumb zip password.

Soricidus
Oct 21, 2010
freedom-hating statist shill

SlowBloke posted:

Isn't ZIP files password protection trivially easy to unlock? I remember 7zip clamoring their password protection being the sole decent implementation when it was new :corsair:

the classic algorithm, which I donít think anything still uses, was cryptographically broken. modern zip files have to be brute forced, iirc they arenít gpu resistant or anything but a strong enough password can be secure

git apologist
Jun 4, 2003

is there some compression format that supports assymetric keys as encryption/authentication

Hed
Mar 31, 2004

Fun Shoe
.tar.xz.enc

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


I don't know whether using sharepoint to share malware samples is funny because lol imagine using sharepoint, or because that sounds like the actual peak use of it considering the psychic damage it inflicts on people

SlowBloke
Aug 14, 2017

Soricidus posted:

the classic algorithm, which I donít think anything still uses, was cryptographically broken. modern zip files have to be brute forced, iirc they arenít gpu resistant or anything but a strong enough password can be secure

I think windows explorer still uses the old ZipCrypto method, not AES-256 like winzip or others.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Powerful Two-Hander posted:

I don't know whether using sharepoint to share malware samples is funny because lol imagine using sharepoint, or because that sounds like the actual peak use of it considering the psychic damage it inflicts on people

My eye just started twitching, thanks.

Flyndre
Sep 6, 2009
share point is mostly fine for me as a user IMO

Cybernetic Vermin
Apr 18, 2005

kind of uncomfortable sounding that microsoft scans things like that, but seems obviously a not-secfuck in almost every case.

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Flyndre posted:

share point is mostly fine for me as a user IMO

Its mostly fine, except Sharepoint just gets bastardized in most cases as the new shared drive.

Crime on a Dime
Nov 28, 2006
what if I told u
OneDrive is SharePoint

Shame Boy
Mar 2, 2010

CommieGIR posted:

Its mostly fine, except Sharepoint just gets bastardized in most cases as the new shared drive.

it's called sharepoint, what else is it even for if not the point of share

Shame Boy
Mar 2, 2010

a couple jobs ago i had to simultaneously integrate with both salesforce and sharepoint so they're intimately connected in my head even though they don't really have anything to do with each other

the sharepoint integration was less of a pain in the rear end so it wins

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug

Shame Boy posted:

it's called sharepoint, what else is it even for if not the point of share

Its supposed to be a collaboration platform. Again, there's nothing wrong with that, but it just usually gets used as a shared drive with a gui.

sb hermit
Dec 13, 2016





git apologist posted:

is there some compression format that supports assymetric keys as encryption/authentication

pretty sure gpg does a pass at compression before it encrypts anything

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Cybernetic Vermin posted:

kind of uncomfortable sounding that microsoft scans things like that, but seems obviously a not-secfuck in almost every case.

wonder how much of that scanning is in the kernel!

Adbot
ADBOT LOVES YOU

spankmeister
Jun 15, 2008






SlowBloke posted:

Isn't ZIP files password protection trivially easy to unlock? I remember 7zip clamoring their password protection being the sole decent implementation when it was new :corsair:

It depends. The original ZipCrypto is vulnerable to a known plaintext attack. So if there's a file in the zip that you know (part of) the content of, you can use that to decrypt the rest. There are other flaws but that's the big one.
Newer implementations use AES and the security depends on the quality of the password like anything else.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply