[Gllug] Distribution Pecking Order So far
Richard Cottrill
richard_c at tpg.com.au
Thu Oct 25 14:36:00 UTC 2001
For my own impolite ends I was poking around how to remove a password from
an Excel spreadsheet.
In early (pre 7.0) versions I believe that yes, the password was trivial. In
7 and later it's actually pretty secure. When you look for commercial people
to crack them you start looking at things that read more like brute-force
attacks.
However people who make Excel spreadsheets are generally not the sort who're
familiar with rc4, brute-force attacks, or computer security in general. On
the sheet I was fiddling with the password guesser would have taken under 5
seconds to reply that it had the password, but it wasn't going to hand it
over until I registered the program. I expect that the cracker itself used
real encryption on its rego codes - how I looked for a crack :(
Fortunately I figured that I didn't need to do dodgy stuff to make it do
what I wanted... I was actually disappointed about not being able to slide a
questionable spreadsheet under the noses of finance for a while (it's not
fun, and too dangerous, to do that for more than 'a while' :).
Richard
> -----Original Message-----
> From: gllug-admin at linux.co.uk [mailto:gllug-admin at linux.co.uk]On Behalf
> Of Alex Hudson
> Sent: Thursday, October 25, 2001 2:52 PM
> To: gllug at linux.co.uk
> Subject: Re: [Gllug] Distribution Pecking Order So far
>
>
> On Thursday 25 October 2001 2:27 pm, you wrote:
> > > I would be surprised if they had broken rc4(?) encryption.
> >
> > *blink*
> >
> > *blink again* :-) Where did that come from?
> >
> > They aren't encrypted, they're password protected. The file's left
> > entirely intact, with a flag set in the document
>
> Really... I suppose that's why all those Word/Excel 97/2k crackers run
> dictionary attacks on the file... much more efficient than
> ignoring a flag.
>
> > Furthermore, how do you propose
> > Microsoft exported RC4 from the US to the entire world?
>
> I suspect they probably wrote the software, pressed it to CD-ROM,
> put it in a
> box, and sent it to shops and warehouses. In much the same way as
> exporting
> SSL, except without the download bit. But I may be wrong :P
>
> > On a separate point, that's an information theory issue. While I like
> > stream ciphers - and RC4 - a lot, I'm don't imagine that "we'd have
> > heard about it by now" if they[1] were broken by rand($organisation).
>
> I can't think of a major cipher/system crack that wasn't known
> widely (within
> the community) for a long time after it occured. If you crack
> something, you
> make use of it (it's an advantage, after all). If you make use of
> it, people
> will find you out. And if Sun _had_ broken Excel 97/2k encryption (for
> example), I really _do_ think we would have heard about it....
> Sun aren't
> going to keep marketable anti-Microsoft bluster under their caps...
>
> Cheers,
> Alex.
>
>
> --
> Gllug mailing list - Gllug at linux.co.uk
> http://list.ftech.net/mailman/listinfo/gllug
>
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
More information about the GLLUG
mailing list