Boosting Security after being compromised?

Chronologically ordered:

1.)Read up on possible attacks..scary..Man in the middle attack compromises all normal security.

2.)I finally convinced the guy to tell me why he thinks his account was hacked..it seems someone sent idiotic messages to his friends from the id.

Thought it was SMTP but decided to check other possibilities out as well.

3.)Went to his house,the guy is an idiot..he did everything I said..then decided to leave auto-complete on(firefox)..it was probably some relative/friend.

Note:The guy seems to enjoy "twilight"..weird..loads of posters..I ,for some reason,started thinking about matches…:evil:

onejerlo wrote: 3.)Went to his house,the guy is an idiot..he did everything I said..then decided to leave auto-complete on(firefox)..it was probably some relative/friend.

… well that's boring :(

onejerlo wrote: Thought it was SMTP but decided to check other possibilities out as well.

What does a mail protocol have to do with anything? Glad you figured it out, though.

Well,he said that emails were only SENT OUT..and he said he got the info from his friends..which means that they weren't in his sent folder….

And he had full access to his account.

The fellow probably(Relative/friend) deleted the emails in the sent folder.:)

Maybe someone just spoofed his mail address. Lots of spam bots crawl the interwebs for addresses.

Yeah..As I said..that was my first reaction..but the mails were…"idiotic"..not marketing/ads.mostly random things like.."hey,I'm crazy"..

it was probably his little brother..

I have been thinking about the "Man in the middle attack"….

How about if someone sets up a server..installs a program which will allow it to receive encrypted message with the user name/password of his fav. sites..the server logs him in..takes the cookies and sends them to him..so even if someone attempts a man in the middle,he can only stay on for a few minutes..

This would work for most sites except those where the cookies change with the IP.

What would be better is if the sites came up with one time log in codes.. so that the server sends the code to the user,who can use it without ever sending the unencrypted password.

Loads of work but do you think it may work??

1 server would be able to serve a lot of people(even the mangiest of servers can handle multiple reqs. and cipher algorithms.)

since the key/one time pad(one time pad is better),would be decided,no problems.

*Assuming that no connection is thought to be secure..the fellow could also install the prog. by physically accessing the server.:)

For your first scenario, it's not practical to have to manually upload your passwords to a 3rd party machine. To be "secure", this would likely have to be on a completely different router and have the passwords uploaded via physical access. Not everyone can afford two routers and computers, either, or would they be okay with having a bank of your passwords stored on some remote server that's not theirs. There's also another problem with this, discussed a bit farther below.

In your second idea, where the server sends the key to the client, I'm not seeing your logic here. Without the password, how would the server know you are who you say you are? Aside from that part, if the server has to send you the keys, then that means the MitM can also read them. I think I might've misunderstood something in your post for that part.

The other problem with all ideas surrounding Mitm is that there is virtually no way to bypass it. A man in the middle can manipulate your queries in real time, inject/delete text into/from your data stream, change your dns results (facebook.com actually points to an attackers fake site, but you would never know), and read every encrypted transmittion that is sent along the wire.

Unfortunately, there just isn't really any practical setup that would integrate into the already setup framework and still be effective.