Hi Guys, I've been using phatnotes pro 4.7.2 full version, for as long as I remember now even when they were called something else... anyways they have a protect note option, which adds a password to the notes you make.
How STRONG is this password protection? Does it even add encryption or it's just a simple password block and anyone can override and view the notes using a hex editor or text editor???? is it safe to leave a few credit card numbers in there?
No one knows, the developer uses 'security by obscurity' by refusing to disclose the algorithm used.
The most secure algorithms used (AES Rijndael, Twofish/Blowfish etc) have been subject to years of public scrutiny. It's the implementation not the algorithm itself that makes the security. There is no security threat from disclosing the algorithm.
I'd recommend staying away from this until the algorithm is disclosed if you want to encrypt your data.
bydandie said:
No one knows, the developer uses 'security by obscurity' by refusing to disclose the algorithm used.
The most secure algorithms used (AES Rijndael, Twofish/Blowfish etc) have been subject to years of public scrutiny. It's the implementation not the algorithm itself that makes the security. There is no security threat from disclosing the algorithm.
I'd recommend staying away from this until the algorithm is disclosed if you want to encrypt your data.
So are you saying they DO use some form of encryption within their application when password protecting the notes or you don't know? I don't particularly care for what algorithm or encryption method they are using, my main concern is, are they even using encryption at all.
If my phone ever gets lost or stolen, most people who find/steal it would just hard reset and wipe everything from the phone, so if there is even the slightest form of encryption, my data should be safe.
Depending on how often you use your 'secret' files. I have 1 particular note (in Notes) that I keep my personal stuff like passport number and other stuff that I may be using, or not (very often, I don't). Hence I use the ccrryyppttoo (`crypto` with every letter doubled). I use this to encrypt that particular note. There are certain advantages to it. (a) It still syncs over outlook without 3rd party software plugin. (b) others are still able to see the note, with nonsense short characters on it (eg, I have passport number and a lot of other numbers there, which ended up only in 5 characters). There is also a desktop version available, if you wanted to have it tested (or in cases where you have lost your phone and your file is encrypted in your PC, you can use it to decrypt it).
hanmin said:
Depending on how often you use your 'secret' files. I have 1 particular note (in Notes) that I keep my personal stuff like passport number and other stuff that I may be using, or not (very often, I don't). Hence I use the ccrryyppttoo (`crypto` with every letter doubled). I use this to encrypt that particular note. There are certain advantages to it. (a) It still syncs over outlook without 3rd party software plugin. (b) others are still able to see the note, with nonsense short characters on it (eg, I have passport number and a lot of other numbers there, which ended up only in 5 characters). There is also a desktop version available, if you wanted to have it tested (or in cases where you have lost your phone and your file is encrypted in your PC, you can use it to decrypt it).
1. I think your link doesn't work.
2. Thanks for the suggestion! But that means adding another program to my long list of programs, I rather just use phatnotes if they are somewhat secure.
3. That still doesn't answer my original question =(
4. Can you send me the program for me to try? I use my 'secret' note file on my pc and phone so phatnotes keeps them both sync, very convenient.
5. THANKS AGAIN!
The link does work at my end. Here it is again.
http://www.hfrmobile.com/app_CCrryyppttoo_T1/index.htm
Oops, forgot your original question. You can test the encryption yourself. I didn't try out Phatnotes myself, but you can try to locate the file in which Phatnotes stores your notes (either 1 file for all notes, or 1 file per note). Password protect this file, send it over to your PC, open it with your Notepad. If it doesn't show each and every word that you've typed for that note, it is 'encrypted'. Most amateur people will just use this method to get your secret stuff I guess, unless they know there is information on banking details with £10,000 in it
Hmmm great suggestion!! I just did what you said and the unprotected notes are readable by notepad and the protected notes are just garbled text of mostly "?" and "G" letters. So I guess they do have some form of encryption for those notes then. So how good is the encryption on crypto?
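An added illustration, not part of any post in this thread: the Notepad test shows only that the stored bytes are no longer readable text, and a byte-entropy measurement separates two outputs that both look garbled in Notepad. The sample note, the single-byte XOR obfuscator and the SHA-256 keystream (a standard-library stand-in for real cipher output, not a vetted cipher) are constructed for this example and say nothing about how PhatNotes stores notes.

```python
import hashlib
import math
from collections import Counter

# Constructed sample note (fake values), repeated so the statistics are stable.
NOTE = (b"Passport: X0000000 (constructed sample)\n"
        b"Card: 0000 0000 0000 0000 exp 00/00\n"
        b"PIN hint: not a real secret\n") * 50


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte from the byte-value histogram (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes a text editor would show as ordinary ASCII text."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def xor_obfuscate(data: bytes, key_byte: int) -> bytes:
    """Single-byte XOR: unreadable in Notepad, yet only a relabelling of the
    byte values, so the histogram shape (and the entropy) is unchanged."""
    return bytes(b ^ key_byte for b in data)


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for strong cipher output (assumption: SHA-256 in counter
    style, used here only to get statistically random-looking bytes)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def classify(data: bytes) -> str:
    """Coarse triage of a stored note file."""
    if printable_ratio(data) >= 0.95:
        return "readable"
    if shannon_entropy(data) < 7.0:
        return "garbled-low-entropy"    # obfuscation or re-encoding is likely
    return "garbled-high-entropy"       # consistent with encryption


if __name__ == "__main__":
    samples = {
        "unprotected note": NOTE,
        "single-byte XOR": xor_obfuscate(NOTE, 0xA7),
        "keystream stand-in": keystream_xor(NOTE, b"constructed key"),
    }
    for name, blob in samples.items():
        print(f"{name:20s} printable={printable_ratio(blob):.2f} "
              f"entropy={shannon_entropy(blob):.2f} -> {classify(blob)}")
```

High entropy is necessary but not sufficient: compressed data scores the same, and the measurement says nothing about how the key is derived from the password.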
Well, I did a trip to search for the answer for your question of "how good is the encryption on crypto", and it seems that the author is using his way of encrypting the file, which I say ought to be safe enough for everyday usage, but good enough for business/military usage, I guess.
Anyway, while I was looking for the 'answer', I bang my head into this
http://tombo.sourceforge.jp/En/
As this is using the standard 128 blowfish algorithm, which has been proven to be strong and fast. It has both desktop and ppc version, which are interchangeable (eg. desktop can decrypt the ppc encrypted file). And, it is free!
I found this too, limited-freeware though. http://www.freewareppc.com/docs/visnotes.shtml
Hmm.. freeware file encryption (AES algorithm): http://www.freewareppc.com/utilities/filebarricader2006mobile.shtml
[Update on Tombo]
I did a test drive on it. It is quite alright. It creates a txt file for each of the notes you created and puts them into the folder structure that you made. There is an option of making virtual folders as well. So, you can have your notes synced by syncing your My Documents folder, in which you set this Tombo to put all the notes. It encrypts files and has an added feature of scrambling the file name such that people are not able to guess what your file contents are.
However, there are two flaws that I've just found in 1/2 hour of testing
(a) its Unicode encoding is not working. Once you (really) close the application, it will give '?' for all the non-alpha-numeric characters. Weird considering the author is Japanese.
(b) there isn't an option of wrapping texts without 'dissecting' them.
Hello Everyone,
I just got my 8525 in the mail yesterday and upgraded the boot loader, radio, and WM6. I had a little trouble but in the end, all that I can't get working right is the internet for Cingular. I really appreciate all the hard work everyone puts into this. Here is my thank you, this is my first app so go easy on me.
nomb
nombCrypt
nombCrypt is an encryption program I originally made for the desktop but then decided to port it over. It uses a password you provide and encrypts either a block of text or files using 256bit Rijndael (AES). This level of encryption was given the ok to encrypt Top Secret documents. It can of course decrypt as well. This is for Windows Mobile 6. Please enjoy and every developer of course likes to get back feedback.
Planned/Requested Improvements
Truecrypt like encrypted containers
Implement Encrypted Backups (P)
Get File Encrypt Status Bar Working (P/R) <-- I'm dreading writing the working class :'(
Use Device ID As Salt Option (P)
Randomize Salt More (P)
Add More Encryption Algorithms (P)
Change File Open Dialog To Open Less (R) completed - now initially looks for *.nen (nombCrypt Enc. Files)
Encryption Password Confirmation (R) completed
Clipboard Paste Button (R) completed
Clipboard Clear Button (R) completed
Take Off Start Menu Icon (R) completed
Change Icon (R) completed
Add Exit To The Menu (R) completed
Add Time Out Feature (R) completed - (see page two for details)
Integrate nombCrypt Into WM6 More (P)
I. Encrypt MS Certificate Store (R)
Other Fixes
Improved Text Encryption So The End TextBox Is Opened Less
Added file error checking to the file decryption process
Two screenshots and the cab file are attached.
I hope you guys enjoy...
nomb
Hey! I wanted to do the same thing too! Just that I use my own XOR method (One Time Pad-like) instead. Of all the thing, it works alright, except that I can't get it to do a Copy-Paste. (see here http://forum.xda-developers.com/showthread.php?t=321014)
Also, from what it seems, I would presume that (since you use AES), the end result would be in 'relatively' binary format (right?), which may not be very program friendly.
I was going to do about the same thing, except that I'll have my end result Base64 encoded, such that I can have them pasted to Notes and have it synced to outlook. And I have my PC based software to do the job there (if required).
Previously, I used a software called Ccrryyppttoo, which did quite alright, but it seems that my PC is doing some coding, when synced, that makes it go funny (i.e. cannot be decrypted anymore).
I'll PM you a demo of what I did (in Java web), of which I intended to do it in PPC
With Rijndael the resulting encrypted string/file gets encoded into base64 as well because if it didn't, all the characters wouldn't be represented. You can paste this into notes just fine.
Mine is programmed in c# so there is a clipboard function which works relatively well. If you'd like to help with this you're more than welcome to. Or if you want to join your project with mine that would be cool too. I plan to support all major and a lot of minor encryption algorithms that I can find. Plus people were complaining about how the encrypted backup on the ppc should use the device id to encrypt instead of the randomly generated key so I plan to implement that as well.
I'm looking forward to seeing your demo.
nomb
Hmm.. so it is b64 encoded.. niicceee. Hmmm. . I should try out C# soon.
Anyway, there is a suggestion, I'm not sure if you have the library for it. After my symmetric cipher program, I'm thinking about an asymmetric-public-private key cipher, with which people can exchange short messages in secret (e.g. via email, IM, SMS) without the need to exchange the key/password. It is relatively done now, I'll show you the web based version once it is done. It runs on the Java security class, which I'm not sure if C# has those libraries or not.
The idea is, Alice go to my page, generate a pair of keys. Alice then send Bob her pub key. Bob use pub key, go to my page, encrypt the message. Send it to Alice. Alice decrypt message at my page. No software to install, no secret key exchanged.
Yup c# has the ability to do that built into its cryptography namespace.
That is a cool idea, but instead of having Alice send the key to him, you should just make a db to keep track of the keys and then have him answer a question about Alice or something like that to use the pub key. That way that's even one less step they have to worry about. Or have Alice put in his email address and have your site auto email him the pub key. That would be good too.
But sweet idea, maybe I'll make my program talk to your site.
Have you tried mine yet?
nomb
I don't like the "answer a question" method, as in that case, you might as well use the answer as the password?
Anyway, the emailing the pub key is an idea
I'm not in my own PC yet, can't send it to my phone from this PC. Will try it out later tonight.
hanmin said:
I don't like the "answer a question" method, as in that case, you might as well use the answer as the password?
Ya I'm at work and was hungry so I wasn't thinking straight. I don't like that idea either. ^^
I think my next step in mine is to build the background worker class to update the progress bar when you encrypt/decrypt a file.
If you just point your phone to the cab above it will install it for you. You don't need a comp unless u don't have a dataplan.
nomb
I don't have data in my plan.. although O2 gives me 1MB+ a month free.. I'm not using it.
Anyway, I've tested your software, a few comments.
Slightly major problems:
[1] It is not wise to do a 'All folders' and 'All Files' upon browsing (for file to be de/encrypt). People (e.g. me) have gazillion files around and it may take ages to load the list.
[2] You may want to pop up a Window, asking the user to confirm his/her password upon encryption (one of the thing I intended to add on mine )
[3] I'm not able to paste any data onto the 'start text' area. E.g., I have encrypted my stuff, saved it into Notes. Later, I wanted to get it back, I copy the encrypted code from my Notes, and no way of pasting it into the 'Start text'
[4] You already knew this, but, good to have some kind of progress bar to indicate the progress
[5] Hmmm.. on the browsing, there doesn't seem to be a way to find files on my Storage Card's root directory
[6] For security reason, probably it is good for you to add a 'Clear Clipboard' button?
Minor:
[1] I find it annoying that once I had the software installed, it is on my Start menu
[2] You could use a better icon, I just see a black square on my not so bright screen. I can help you on this.
[3] Add an "Exit" on the menus below?
Other possible suggestions:
[1] Have a time out on your software, such that, e.g. if there is no activity on software after a certain amount of time, it will do one/some/all of these (a) close itself (b) clear the password, input, output (c) clear the clipboard
Good suggestions, I'll have those done by tomorrow. I can't play with the storage card aspect yet because I don't have one. :'( Soon though I'm hoping to get a 4gb. And ya, i can't make icons worth any.
Oh, to paste it back I always did ctrl+v from the keyboard. But I'll throw a button up there to do that. And I'll make sure to take it off of the start menu.
1 good comment would have been nice. Although criticism is good.
nomb
Haha.. sorry for the lack of good comments, I was trying to think of something to suggest. But come to think of it my post on top are good comments (e.g. niiiiccceee Base 64 encoded), and the fact that it has the simple string->string encryption.
I did googling a bit, and found these
http://www.entity.cc/ICONS/security-icons.php
http://www.hscripts.com/freeimages/icons/computer/lock-icon.php
http://icons.qarchive.org/
which you may want to use as your icons?
Ya I was just teasing you. The icon I have now I got off of your last link at some point I just don't remember when. But I think I will probably use one of the others. But ya, I'll work on those fixes and then attach the updated program. Then once I get those fixes done, I'll work on adding the different encryption algorithms and the encrypted backups.
nomb
Did you write any backup software before for the PPC? I'm not really sure, but it seems that backup-ing can have a lot of issues. You have the "Copy everything" backup, the PIM only backup, etc. Some backups are ROM-flashing/upgrading friendly, some are not. You can have a backup software all standalone by itself. I would recommend you to have the backup software separated and have encryption onto it as a plugin. Take a look at PIM-backup, it is very popular here.
Hi,
This is a very interesting thread. Thanks for your efforts so far (is there a donation link anywhere?)
A basic question...I understood that to carry out really secure encryption it would be necessary to write a filter driver that worked within the core ROM Image. Is this not the case?
Can I encrypt the MS certificate store too? The crypto protection on this store could be beefed up...
Once again I am very pleased that this thread has appeared and will be testing your software with interest,
Well done for your work so far,
Sam.
Hey there PianoSam,
First I just want to make it clear I'm not doing this to make money. If anyone donates I want it to be because they like the software. I am at work so PayPal is blocked but I'll put my donation link on the front page later today.
Also, I am going to try and incorporate the encryption as much as possible. If that is a feature you'd like, then after I get all of the previously requested changes done, I'll start on that for you.
And thank you for your kind words.
nomb
***EDITED***
Sorry I didn't answer your question at first.
Question: A basic question...I understood that to carry out really secure encryption it would be necessary to write a filter driver that worked within the core ROM Image. Is this not the case?
Answer: I pondered over this for a little while and I can't think of a reason this would be necessary. However, I've only had my phone for two days. Can you find where you saw that so I can read it as well and maybe gather a little bit of information so I can do some research on the topic? If that's what needs to be done then that's what I'll do but I can't see why. Let me know!
Added another cab with all the fixes I've completed.
nombCrypt-beta.cab <-- On the front page.
I added the donate link.
I added the timeout feature and thought I would make a comment on it.
It is a two minute timeout. Whenever you focus on a textbox the timer is stopped and when the textbox loses focus, the timer is on. The downside to this is if you were in the middle of typing and set your device down, it won't timeout. I could make it so when you start typing into the textbox it restarts the two minutes and you have two minutes to complete your message but I didn't know if that was a good idea or not.
Also, when you copy, and go to another program to paste it in, you have two minutes before the clipboard is cleared and the program shutdown.
When the encryption program is encrypting something, the timeout is not running. It starts afterwards.
I can tweak this as much as you guys would like, just let me know.
nomb
I've tested your Beta.. niiiiiccceeeeee.. it is gooood. Almost perfect. Few things (OH NO! )
- The "Clear" button doesn't seem to be working. It is supposed to clear the clipboard only? Should you clear off everything as well?
Other requests/suggestion
<rant>
- I'm not sure why I thought I need it.. but it would be good to have a copy function for the "End Text" as well. I thought I may need it one day. Not sure why. It ought to make the screen a bit crowded, I thought.
Anyway, slightly related to the suggestion above, I've just revisited the design I made on my copy-paste-failed PPC attempt, I have this idea which I thought you might want to use. For my design, I do not have "Start Text" and "End Text", I only have ONE TextField "Message" (and another for the password). The user enters the encrypted/plain text in this "Message". Click on the button "Encrypt" or "Decrypt", the result will then overwrite whatever is in the "Message" TextField.
Example:
(1) "Message"=<plain text>. User key in password, click "Encrypt", "Message"=<encrypted text>.
(2) "Message"=<encrypted text>. User key in password, click "Decrypt", "Message"=<plain text>.
In such cases, you only need a pair of copy-paste to perform copy-paste on both (in a way) encrypted and plain text.
</rant>
As for the time out issue, I thought the typing-sensitive time out would be a better choice. The moment that you are worried about your data being seen is when you are away from your phone. You can have focus on your TextField but you can be million miles away from your phone. But, you ought to be around to be typing stuff, right?
BTW, I'm also wondering on the working of this time out feature. I thought there ought to be a 'clock' running and when time's up, it will clear the stuff needed to be cleared, right? So, if I were to forget to switch off the application, the timer will not be another running software that drain my battery, right?
Good work.
hanmin said:
- The "Clear" button doesn't seem to be working. It is supposed to clear the clipboard only? Should you clear off everything as well?
The "clear" button is in the clipboard row, I think I tagged it on the left, and only clears the clipboard. If you go to menu->reset it will clear everything like you're looking for.
hanmin said:
- I'm not sure why I thought I need it.. but it would be good to have a copy function for the "End Text" as well. I thought I may need it one day. Not sure why. It ought to make the screen a bit crowded, I thought.
The "Copy" button copies the end text to the clipboard. Not the start text.
hanmin said:
Anyway, slightly related to the suggestion above, I've just revisited the design I made on my copy-paste-failed PPC attempt, I have this idea which I thought you might want to use. For my design, I do not have "Start Text" and "End Text", I only have ONE TextField "Message" (and another for the password). The user enters the encrypted/plain text in this "Message". Click on the button "Encrypt" or "Decrypt", the result will then overwrite whatever is in the "Message" TextField.
I originally had it set up this way, however there was a time when I had written a huge paragraph in it and encrypted it, and then found out I had forgotten a line. I switched it so this won't happen.
hanmin said:
As for the time out issue, I thought the typing-sensitive time out would be a better choice. The moment that you are worried about your data being seen is when you are away from your phone. You can have focus on your TextField but you can be million miles away from your phone. But, you ought to be around to be typing stuff, right?
The timeout I have running in it now (new version that isn't up yet) is completely off of the user's actions. Whenever you do anything in the program the timer resets. Except for encrypting/decrypting. The timer is off for those functions in case you encrypt a file that takes longer.
hanmin said:
BTW, I'm also wondering on the working of this time out feature. I thought there ought to be a 'clock' running and when time's up, it will clear the stuff needed to be cleared, right? So, if I were to forget to switch off the application, the timer will not be another running software that drain my battery, right?
The timeout feature does not clear everything in the program. I have it so it actually completely closes the program. So if you forget to close it and walk away, the program will end so it doesn't drain your battery.
hanmin said:
Good work.
Thanks, wait till you see the next version...
nomb
I got the progressbar working for encryption, now for decryption.
To the many excellent folks here at xda-developers.com, I'm releasing MobilMon 0.5 for free.
I wrote a simple app that monitors file system access (specifically, file creation, deletion, or modification). This sort of tool can be invaluable when you are trying to figure out what's happening on your system. You can export the findings to a log file.
It's pretty bare bones at this point, but that was somewhat intentional. I wanted to see what folks wanted out of such an app before spending more development time on it.
Check it out, and let me know what you think: http://www.mobilmon.com
wow! thank you! this is pretty much exactly what i was wishing for ever since i started playing around with new apps and such on my phone.
it's a great help for just before a system backup. for example, i have SPB backup set to run every other morning. let's say it runs on Saturday at 5:00am. I install some apps and do some random things from 8:00am to 9:00am. 9:30am, my phone crashes. I reset to 5:00am, and I lost all that stuff i did from 8 to 9. now i know! thanks for this app.
Feature changes
A couple of things I was considering:
1. CSV EXPORT. Would it be better to leave the plain text formatting for easy readability, or format it for CSV export?
2. DIRECTORY. I was originally going to include the ability to change the directory (i.e. something other than just "\") but that would involve some significant work on my part. And, I'm not sure if you'd really want to do that anyway.
3. VIEW FILE READS. As delivered, it monitors file adds, deletes, and changes - not reads. This was done intentionally for performance reasons. Would people want to see all the file reads, even if it bogged the device down?
This is awesome! I haven't seen anything else like it, so I am really happy to see someone from the xda-forums to make this magic!
I think that you should add in the view file reads, but only as an option. Maybe also an option to select which operations you want logged (eg. when I only want to see the files created, and not deleted). Although being able export to CSV would give me the same results, but with some editing.
3. VIEW FILE READS. As delivered, it monitors file adds, deletes, and changes - not reads. This was done intentionally for performance reasons. Would people want to see all the file reads, even if it bogged the device down?
Many thanks for the app.
It would be nice to have (even as a separate app) something like mamaich's file monitor: http://forum.xda-developers.com/showthread.php?t=247425, with ability to start/stop and good frontend - to capture all file activities in the whole system.
It helps a lot to find frequent, unintended system file reads (in most cases - draining batteries)
monitor lost memory
i wonder if you could add some powerful memory mgmt to check where my pda memory is lost and what is the process,application or service which is causing memory leaks or using too much memory. maybe you could draw a graph or monitor memory usage during time for all processes. when i start my pda i have 48% free ram, after a day i am back to 80% without any visible app running.
Thanks!
Thanks
Thanks for the good feedback; I'll look into making it where you can select the types of events to monitor and then go from there.
Good lead on mamaich's program - I wasn't aware of it. I will take a look. I'm all about working smarter, not harder
Hello,
I stumbled over this (admittedly quite old) thread on the search for a windows-mobile version of something like iTunes FolderWatch or iPad ShutterSnatch.
Would it be possible to extend MobilMon such that an action can be triggered once a new file is found? In my case that action would be to start a picture viewer with the newly created file name as a parameter.
Scenario: Send pictures I take with my camera to my Windows Mobile Phone (HTC HD2) via FTP (MochaFTP) through an Ad-Hoc Network directly from the camera (using Eye-Fi). MobilMon would recognize the new file and fire up the picture viewer. This way, the latest picture taken will be shown on HD2's big display right after the shot was taken.
Of course, if there is a more straightforward way of doing this (like a picture viewer with integrated FTP-Server ) I'd be more than happy to hear about it!
Regards and a happy new year!
Alex
Yes, it's possible.
In regards to your inquiry, it's programmatically possible, but would require a re-write. This has to do with the way things are instantiated. Whether I could afford the time to do it is a different question
1. What is the target OS?
2. Do you have the means and skills to adjust my code and compile it yourself if I just pointed out the changes needed?
alright, here's my question:
is it possible to add (i.e)tray/taskbar icon showing card r/w activity?
I am thinking not exactly about this specific project, but general idea related to it.
So the signature is encoded over the update.zip right so all we need to do is steal the difference between signed and unsigned update files they have to be the same file but unzipping and rezipping does so. All that needs to be done from there in my thought is calculate each offset's difference and bam signature. Now create a new update.zip with all rooted files. Clockwork and s-off being all we need. Make the update the same size exactly and add the difference we obtained to it and bam rooted it is
Sent from my T-Mobile G2 using XDA App
public key cryptography 101 says it wont work.
Why won't it work if I may ask.
Sent from my T-Mobile G2 using XDA App
What you are proposing sounds accurate in my head, but everything says it doesn't work that way. I guess some things I will never understand..... Women is another one.
I'll do it on my own and test it when I get home again. MORE COFFEEE!!!
Sent from my T-Mobile G2 using XDA App
Chances are the security will realise something is wrong when doing the update even if everything is set perfectly and thus you may end up with a bricked phone.
Yayy for phone insurance claims then
Sent from my T-Mobile G2 using XDA App
More power to you then my friend, go nuts, maybe you'll get something out of it that helps with the perm root.
Dom18 said:
Chances are the security will realise something is wrong when doing the update even if everything is set perfectly and thus you may end up with a bricked phone.
I highly doubt that will happen. Look at all the failed updates due to the whole goggles thing.
Quick question though how does one set s-off in the image so I can try this. And to clarify I'm using a hex editor to re-add the diff from the signed and unsigned updates so the calculating will be a headache :/
Sent from my T-Mobile G2 using XDA App
Didn't they say decrypting the signature from or the key would take a lot of time, I mean we're talking years?
Just incorrect in every way imaginable. That's not how signature verification works. If cryptography could be circumvented that easily no one would use it. I am not going to explain asymmetric encryption in this thread, there are plenty of resources for that. Let's just say what you're proposing here has no chance of working whatsoever.
Start here: http://en.wikipedia.org/wiki/Public-key_cryptography
and here: http://en.wikipedia.org/wiki/Digital_signature
Unless HTC put an idiot in charge of their crypto, what you are proposing won't work.
Yeah, if you are lucky, they will have put jdkoreclipse in charge of that. I think that is the only way the encryption could be done as poorly as you are suggesting.
funkadesi said:
Didn't they say decrypting the signature from or the key would take a lot of time, I mean we're talking years?
I forget where I suggested this... but I was thinking someone could write one of the [email protected] or bovine (for those who remember) type application, where the client can run on anyone's machine that tries to crack the key by connecting with a central server in a coordinated effort. All of us G2 owners could run the client on 1 or multiple machines 24/7 and we may get lucky and find the real key.
I'm willing to install it on every machine at work if someone will write that client program ;-)
reference: http://www.distributed.net/RC5/en
To the best of my knowledge unzipping and rezipping it wouldn't break the signature...
I don't want to be insulting but if you do not understand PPK cryptography and how cryptographic signatures work please do not try and "break" something that has been evaluated and probed by numerous security experts in an attempt to find vulnerabilities.
It might be possible to crack ppk based signatures but it is not a simple matter of a diff between pre and post signature files. Again, I don't want to hurt anyone's feelings but people A LOT brighter than you who actually understand the mathematics involved are not able to do it.
Put simply I will give you 2 documents, a signature for one of the documents, and a public key to verify the signature. If you can derive the key from which the signature is made or a way to create a valid signature for the second without the key you will be famous overnight since you will have found a vulnerability in one of the cornerstones of modern cryptography. Again it is possible but the chance of success without knowledge of the mathematics involved is monumentally small. Even with knowledge of the mathematics such a crack has not been found by people dedicated to researching such vulnerabilities.
Sorry for the rant but voodoo mechanics is a sore subject for me.
The simplest way I can explain it is the following.
Let's say they put a tag in the file that said "Google signed this". All someone would have to do is move that tag to a new file and it would look like Google signed that new file. So, that process doesn't work.
OK, let's say they put a tag in the file and said "Google signed a document that contained these bytes - blah blah blah", well same problem, someone could move the tag and edit the "blah blah blah" part to match their new file, so that doesn't work either.
So, instead Google puts their signature into the file, then they encode that file in a way that only they know how to do, but using an algorithm that they can make public the way to decode it. So, everyone can still get access to the contents, but nobody knows how the magic "encode" process works so nobody can pretend to be Google and produce a file that has their particular encoding. Since their signature is inside the part that was encoded, it is clear that they put their stamp on it prior to running the encode algorithm so you know for a fact that it was "signed at the Google factory".
Someone can try to put Google's signature in another file and then try to figure out how to do that encoding, but they wouldn't be able to mimic the exact way that Google does it so everyone would know that the encoded file came from someone else. Thus they are foiled.
A few details:
- The encode/decode process is actually a backwards encryption algorithm. Google encodes a file by "decrypting" it (i.e. pretending the real data was encrypted and running a decrypt on it and getting some garbage). The public then decodes this file by "encrypting" it (i.e. using the public keys to encrypt a file for Google and running it on the results of their decryption ends up getting back to the original file). Magic
- They don't really encode the entire file as that would be computationally intensive. Instead they generate a "checksum" of the original file that is both fast to compute and unique (i.e. the chances of a different file generating the same checksum is 1 in a HUGE number). They then encode that checksum (which is much, much smaller than the original file) using their special encode mechanism and not only can nobody produce a file that happens to have the same checksum (it is not known how to produce a different data stream that results in the same checksum), but they also cannot reencode the signed checksum due to the properties that make encryption so safe. (Note that the "checksum" algorithm here is quite a bit more complicated than adding up all of the bytes in the data stream - which would be easy to falsify - but it is still easier to compute than an encryption algorithm).
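The hash-then-sign flow described in the post above, as an added example that is not part of the original thread and not Google's or AOSP's signing code. It uses unpadded textbook RSA with a constructed, deliberately weak toy key; the names `digest`, `sign` and `verify` and the sample byte strings are assumptions made for illustration.

```python
import hashlib

# Constructed toy key: two Mersenne primes, so N is trivially factorable.
# Real signing keys use secret random primes plus a padding scheme (PKCS#1 v1.5 or PSS).
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                                  # public modulus
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, held only by the signer


def digest(data: bytes) -> int:
    """The 'checksum' from the post: a cryptographic hash (SHA-256 here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Signer: apply the private-key ('decrypt') operation to the digest."""
    return pow(digest(data), d, n)


def verify(data: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Verifier: apply the public-key ('encrypt') operation and compare digests."""
    if not 0 <= signature < n:
        return False                       # reject out-of-range values such as sig + N
    return pow(signature, e, n) == digest(data)


original = b"update.zip contents v1"       # constructed sample inputs
modified = b"update.zip contents v1 + one extra file"
sig = sign(original)

if __name__ == "__main__":
    print("original verifies:          ", verify(original, sig))
    print("signature moved to new file:", verify(modified, sig))
    print("signature with one bit flip:", verify(original, sig ^ 1))
```

Verification needs only `E` and `N`, which is why the public half can be published without letting anyone produce a signature for a different file.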
flarbear said:
The simplest way I can explain it is the following.
Let's say they put a tag in the file that said "Google signed this". All someone would have to do is move that tag to a new file and it would look like Google signed that new file. So, that process doesn't work.
OK, let's say they put a tag in the file and said "Google signed a document that contained these bytes - blah blah blah", well same problem, someone could move the tag and edit the "blah blah blah" part to match their new file, so that doesn't work either.
So, instead Google puts their signature into the file, then they encode that file in a way that only they know how to do, but using an algorithm that they can make public the way to decode it. So, everyone can still get access to the contents, but nobody knows how the magic "encode" process works so nobody can pretend to be Google and produce a file that has their particular encoding. Since their signature is inside the part that was encoded, it is clear that they put their stamp on it prior to running the encode algorithm so you know for a fact that it was "signed at the Google factory".
Someone can try to put Google's signature in another file and then try to figure out how to do that encoding, but they wouldn't be able to mimic the exact way that Google does it so everyone would know that the encoded file came from someone else. Thus they are foiled.
A few details:
- The encode/decode process is actually a backwards encryption algorithm. Google encodes a file by "decrypting" it (i.e. pretending the real data was encrypted and running a decrypt on it and getting some garbage). The public then decodes this file by "encrypting" it (i.e. using the public keys to encrypt a file for Google and running it on the results of their decryption ends up getting back to the original file). Magic
- They don't really encode the entire file as that would be computationally intensive. Instead they generate a "checksum" of the original file that is both fast to compute and unique (i.e. the chances of a different file generating the same checksum is 1 in a HUGE number). They then encode that checksum (which is much, much smaller than the original file) using their special encode mechanism and not only can nobody produce a file that happens to have the same checksum (it is not known how to produce a different data stream that results in the same checksum), but they also cannot reencode the signed checksum due to the properties that make encryption so safe. (Note that the "checksum" algorithm here is quite a bit more complicated than adding up all of the bytes in the data stream - which would be easy to falsify - but it is still easier to compute than an encryption algorithm).
I wanna add that most of that process is known because of AOSP and how we sign with the test keys. The only piece missing is google's/t-mobile's/htc's private key (because...who knows who really made the one for the G2?).
my 2 cents
Awaiting OPs response
Okay, so recently I made a program as part of a course in Java, using Swing, that gave you a prefix and prompted you to come up with as many words using that prefix as you could. To accomplish this, I had it use the dictionary used by Words With Friends (I might switch to a different dictionary like ENABLE, not sure yet), but that's what I've been using so far. I wanted to turn this idea into an Android application, because it seemed challenging enough to be fun, yet not too challenging.
The problem here is, the amount of time it takes a computer to load in an entire dictionary into an array of Strings of 173,139 words delimited by newlines in a .txt file is very small. The amount of time it takes to do the same in Android is slower, not to mention the fact that it needs to do this every time it starts up if I want to keep using the array.
I still wanted to make the app, so initially my idea was to do the array thing but use AsyncTask to show a loadscreen and use binary search to optimize the searching for the word in the dictionary every time the user hits a "Submit" button. This proved to be overly difficult (this is my first real Android app besides "Hello World" and a button that opened a "Hello World"...) and still quite slow.
After some searching, I decided what I really should do is make a database and have it search the database for the word when the user hits "Submit". I'm still going to use AsyncTask for downloading the database (I'd rather not bundle it with the .APK for fear of bloating it) and possibly for checking for the word in the database, depending on how fast the searching of the database ends up going.
Is this the best possible way I could go about doing this? Is there something that could give me better, faster results? From what I've seen, the database seems to be the easiest way to make sure I don't have to load in the list of words each time, but will searching the database be fast enough to appear responsive when a user wants to submit a word and see whether they got it?
I'm about to begin coding it using the database technique, but I thought I'd put this out there in case there's a better way I can accomplish this.
tl;dr: what's the quickest/best way to load in and constantly search a large (173,139 words) dictionary I have?
Thanks!
import antigravity said:
Okay, so recently I made a program as part of a course in Java, using Swing, that gave you a prefix and prompted you to come up with as many words using that prefix as you could. To accomplish this, I had it use the dictionary used by Words With Friends (I might switch to a different dictionary like ENABLE, not sure yet), but that's what I've been using so far. I wanted to turn this idea into an Android application, because it seemed challenging enough to be fun, yet not too challenging.
The problem here is, the amount of time it takes a computer to load in an entire dictionary into an array of Strings of 173,139 words delimited by newlines in a .txt file is very small. The amount of time it takes to do the same in Android is slower, not to mention the fact that it needs to do this every time it starts up if I want to keep using the array.
I still wanted to make the app, so initially my idea was to do the array thing but use AsyncTask to show a loadscreen and use binary search to optimize the searching for the word in the dictionary every time the user hits a "Submit" button. This proved to be overly difficult (this is my first real Android app besides "Hello World" and a button that opened a "Hello World"...) and still quite slow.
After some searching, I decided what I really should do is make a database and have it search the database for the word when the user hits "Submit". I'm still going to use AsyncTask for downloading the database (I'd rather not bundle it with the .APK for fear of bloating it) and possibly for checking for the word in the database, depending on how fast the searching of the database ends up going.
Is this the best possible way I could go about doing this? Is there something that could give me better, faster results? From what I've seen, the database seems to be the easiest way to make sure I don't have to load in the list of words each time, but will searching the database be fast enough to appear responsive when a user wants to submit a word and see whether they got it?
I'm about to begin coding it using the database technique, but I thought I'd put this out there in case there's a better way I can accomplish this.
tl;dr: what's the quickest/best way to load in and constantly search a large (173,139 words) dictionary I have?
Thanks!
In my opinion, your best option, especially if you plan on using larger dictionaries over time, would be to have the actual computing done on a server which returns the array in a JSON object that you retrieve from your app.