
Comment Re:After skimming, reading and confusion. (Score 1) 55

I have different concerns with that article.

"Security is not a property of a technical system," she noted in her talk at the Hack in the Box conference in Amsterdam. "Security is the set of activities that reduce the likelihood of a set of adversaries successfully frustrating the goals of a set of users."

No. "Security" does not exist. You can be MORE secure than X or you can be LESS secure than X but you cannot achieve "security".

For me, being MORE secure means that fewer people can successfully attack you (or that the attack requires more of them to work together).

Saitta realized that a lot of what we know in the security world can't be effectively used if someone in the real world is targeted by a determined adversary.

No. That is getting back to the MORE secure or LESS secure. If the attacker has to drop armed forces onto your office building then you are MORE secure than if they exploited a 0-day on your web site.

We shouldn't work on assumptions or go by intuition - we should set aside our egos, and consult with the end users - learn about their goals and adversaries.

I'd say that 99.9+% of them have no idea who their adversaries are. Other than "that asshole Bob" or "the Chinese".

In the case of high-risk users, usable security is a must.

Is there ever a case where unusable security is a must?

As she vividly put it: if you're on a rooftop, trying to get a connection and successfully send out an encrypted message because your life or freedom - or that of others - depends on it, and you know that there are snipers waiting to take a shot at you - there is simply zero room for using a tool as complex as PGP.

Choose the right tool for the job AND LEARN HOW TO USE IT PRIOR TO THE EMERGENCY.

And if her example is, literally, snipers on the rooftops then whomever did the computer security did a fucking great job. This is an example of a win, not a failure.

Comment Re:Absence?! (Score 1) 595

Let me quote part of that RFC for you.

By default, generate a set of addresses from the same (randomized) interface identifier, one address for each prefix for which a global address has been generated via stateless address autoconfiguration.

Parsing that shouldn't be a problem for anyone with a CCNA or equivalent experience. But there are going to be problems when the average user is trying to set up his home router.

Fat fingers. ...and I don't think we should design the internet with the most basic web surfing home user in mind.

But that is where the most problems will be.

IPv6 will support everyone's needs. IPv4 supports only the most trivial.

It is not whether it will support X or not. It is how much expertise it takes to get such support configured AND maintain the same level of security available with IPv4.

With a current home router and IPv4 + "NAT" the average home user can handle everything they know about today. Without having to learn anything new.

Comment Re:Absence?! (Score 2, Insightful) 595

The IPs I'm leaving in web server logs are also throw-away addresses - read up on RFC-4961.

You may be referencing the wrong RFC. That is more about port numbers than different IP addresses. The IP address of your machine should still be showing up in /.'s logs.

Without NAT, you're still hitting the stateful firewall and default deny rule at the edge of my network... Most home routers should default to this sort of behaviour.

Either that breaks most of the functionality of IPv6 or it entails a lot more effort and expertise on the part of the home user.

None of this crap with forwarding port 80 to one box and then... Oh, I need another web server... Hmm. 8080? Other random / arbitrarily selected ports? That sucks! It's broken.

So your hypothetical home user has a single IP address and runs multiple web servers. And you feel that "Most home routers" should default to supporting that?

The difference is, I can open up as many ports as I need with no limitations.

While I can manage as many ports AS I NEED without problems. Even with more than 1,000 users at a single site.

Which is why IPv6 has been so slow to be implemented. You either lose the benefits in order to get the same level of security you had with IPv4 or you lose that level of security for features that the average person is not demanding today.

Comment Re:Absence?! (Score 4, Interesting) 595

My home subnet is 2610:1e8:800:101::/64. Go ahead and tell me how many machines are in there...

Somewhere between 0 and approximately 18,446,744,073,709,551.

But, as always, the issue isn't hiding and hoping that no one finds you. The issue is how do you protect your systems and networks from people who (in the worst case scenario) already know what your IP address is?

With NAT they are attacking a single firewall.

With having all of your systems directly accessible to the Internet, the crackers can attack any and all of them.

Getting your IP address can be as simple as putting up a web server with some stupid content and having /. link to it.
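
Added example (not part of any comment above, and not taken from the RFC): a small Python script that shows what the RFC text quoted earlier means in practice, and why a temporary address is not as throw-away as the other poster suggests. It derives the stable modified-EUI-64 interface identifier from a constructed MAC, draws a randomized identifier in the spirit of RFC 4941 (the RFC uses an MD5 chain; this just draws 64 random bits and clears the u/l bit), combines each with the /64 quoted in the thread, and checks that both addresses still land in the same subnet, which is exactly what a web server log reveals. The MAC address and the helper names are assumptions for the example.

```python
import ipaddress
import secrets

# The home prefix quoted in the thread above.
PREFIX = ipaddress.IPv6Network("2610:1e8:800:101::/64")


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A).

    Split the MAC in half, insert 0xFFFE in the middle, and flip the
    universal/local bit (the 0x02 bit of the first octet).
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02
    eui = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def random_iid() -> int:
    """Randomized interface identifier, simplified from RFC 4941.

    RFC 4941 derives the value from an MD5 chain over the previous value;
    this example just draws 64 random bits and clears the u/l bit, which the
    RFC requires to be zero for randomized identifiers (bit 57 of the 64-bit
    value, i.e. the 0x02 bit of the first octet).
    """
    iid = int.from_bytes(secrets.token_bytes(8), "big")
    return iid & ~(1 << 57)


def address_for(prefix: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    if not 0 <= iid < 2 ** 64:
        raise ValueError("interface identifier must fit in 64 bits")
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def same_subnet(a: ipaddress.IPv6Address, b: ipaddress.IPv6Address, prefixlen: int = 64) -> bool:
    """True when both addresses share the same /prefixlen network."""
    net_a = ipaddress.IPv6Network((int(a), prefixlen), strict=False)
    net_b = ipaddress.IPv6Network((int(b), prefixlen), strict=False)
    return net_a == net_b


def demo(mac: str = "00:11:22:33:44:55") -> dict:
    """Stable vs. temporary address for one host; MAC is a constructed value."""
    stable = address_for(PREFIX, eui64_iid(mac))
    temporary = address_for(PREFIX, random_iid())
    return {
        "stable": str(stable),
        "temporary": str(temporary),
        "same_subnet": same_subnet(stable, temporary),
        "addresses_in_prefix": PREFIX.num_addresses,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The temporary address changes, but the first 64 bits do not: anyone correlating log lines by /64 still sees one home network, which is the point made above about the IP still showing up in /.'s logs.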

Comment A != B (Score 2) 535

... are just ornamental and serve no other purpose?

You added the "and serve no other purpose" onto the original statement:

Nothing except the ornamental bits.

Everything you listed DOES serve another purpose.

BUT none of them affect the operation of the weapon. I spent 7 years in the Army and I can shoot a weapon with a carrying handle as effectively as one without a carrying handle.

Comment Re:Managers (Score 1) 583

If you perform enough miracles enough times when THEIR decisions have caused (predictable) problems they will start to believe that THEY are the ones performing miracles.

At which point the problems will pile on.

Be ready to leave before that point. If there are certifications, collect them and keep them current.

Try to interview at least once every quarter. Even if you do not intend to leave your job.

Comment Re:The good news is... (Score 4, Insightful) 211

I doubt it. It's too easy NOT to be.

Just realize that you are NOT smarter than the people reporting to you. You just happened to get stuck in that management slot.

Next, learn that just because you've been TALKING since you were 2 does not mean that you are a master at COMMUNICATION. Take classes. Read books. LEARN to communicate.

Now you can give rapid feedback to your people. Instead of the once-a-year-review aim for the every-2-weeks-review. That way you will remember all the reasons why the main project was delayed. Remember your new communication skills.

Finally, decide whether you're going to fuck your people in order to make other managers look good or whether you're going to help your people get the skills to move up and onward.

Comment Re:Talk about blaming the messenger (Score 5, Insightful) 230

He's part of the "system". Therefore, his view is that anyone who isn't directly supporting the "system" is opposing it. Which means you're opposing him and the "good" work that he is doing. You are friendly to the "terrorists".

"Terrorists" in this case being defined as anyone Mark Rowley does not agree with.

Personally, I think that there are far more corrupt cops and corrupt politicians and so on who would abuse their authority than there are terrorists who can attack us.

Comment Re:Whatsisname is...mistaken (Score 1) 289

She's wrong on a few points.

1. It has ALWAYS been about "Reducing Dependence on Human Workers". A person with years of hand-crafting skill is replaced by someone with months of machine-operating skill. And so forth.

2. Machines are NOT as good as she claims at predicting HUMAN behaviour. They're just getting to be better than the average human (who sucks at it).

3.

Now machines at call centers can be used to seamlessly generate spoken responses to customer inquiries, so that a single operator can handle multiple customers all at once.

No. HUMANS can be forced to read off a script but MACHINES suck at anything more complex than "Did you say "yes"".

Comment Re:Holistic (Score 4, Insightful) 67

It all comes down to proper design and the ability to say "NO".

Security cannot be retro-fitted to a badly designed system.

The person who can demand that you support X in Y configuration NO MATTER WHAT is the person who controls your security. No matter what his/her knowledge level is.

Next, understand that you will (eventually) be cracked. Someone somewhere will make some mistake just long enough. MONITOR for that. KNOW what the regular traffic on your network looks like. PLAN for what you are going to do WHEN that happens.
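
Added example (not part of the comment above): the "KNOW what the regular traffic looks like, MONITOR for deviations" advice reduced to working Python. It builds a per-host baseline of known (destination, port) pairs and typical outbound volume from a set of constructed flow records, then flags later flows that go somewhere the host has never talked to or move far more data than usual. Host names, destinations and byte counts are constructed for the example; the volume threshold is an assumption, not a recommendation.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample flow records, not real traffic: (host, dest, dport, bytes_out)
BASELINE_FLOWS = [
    ("ws-17", "mail.example.net", 993, 12_000),
    ("ws-17", "mail.example.net", 993, 15_000),
    ("ws-17", "files.example.net", 445, 80_000),
    ("ws-17", "files.example.net", 445, 95_000),
    ("db-01", "backup.example.net", 22, 2_000_000),
    ("db-01", "backup.example.net", 22, 2_400_000),
]

# Constructed "today" records to check against the baseline.
NEW_FLOWS = [
    ("ws-17", "mail.example.net", 993, 14_000),        # looks like every other day
    ("ws-17", "203.0.113.9", 443, 50_000),              # destination never seen before
    ("db-01", "backup.example.net", 22, 30_000_000),    # known peer, ten-plus times the usual volume
]


def build_baseline(flows):
    """Per host: every known (dest, port) pair with its mean outbound bytes."""
    seen = defaultdict(lambda: defaultdict(list))
    for host, dest, port, nbytes in flows:
        seen[host][(dest, port)].append(nbytes)
    return {
        host: {pair: mean(samples) for pair, samples in pairs.items()}
        for host, pairs in seen.items()
    }


def find_anomalies(baseline, flows, volume_factor=5.0):
    """Flag flows from unknown hosts, to new destinations, or far above normal volume."""
    alerts = []
    for host, dest, port, nbytes in flows:
        known = baseline.get(host)
        if known is None:
            alerts.append((host, dest, port, "unknown host"))
            continue
        typical = known.get((dest, port))
        if typical is None:
            alerts.append((host, dest, port, "new destination"))
        elif nbytes > volume_factor * typical:
            alerts.append((host, dest, port, f"volume {nbytes / typical:.1f}x baseline"))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(alert)
```

A real deployment would feed this from flow exports or firewall logs and keep the baseline per weekday; the structure stays the same: learn what normal is first, then alert on what is not.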

Comment Re:If you are ABLE to be a hooker, detain you? (Score 1) 270

I hereby claim that I have hands, therefore I am able to stab someone. Should I be detained and my property seized because I am ABLE to commit a crime?

Situational.

The government does NOT do jokes about fucking with airplanes.

I guarantee you that if you were walking around an airport with a knife talking about how you COULD stab then you'd be detained. And they'd probably keep your knife.

Comment Re: For work I use really bad passwords (Score 1, Insightful) 136

Read to the end for a secret revelation.

One for all the various forums, social sites and other crap that is of absolutely no importance to me and if it gets leaked and you use it to log in as me on one of them, you can post comments in my name - omg, the sky is falling.

The problem there is that all it takes is one crap site and an attacker can check all of your "reset answers" (pet's name / mom's name / etc) to see if they can be used for an attack.

One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done).

A different password but does it still have the same "reset answers" that the other category does?

And you are depending upon the admins of those sites to correctly secure them and keep those sites secure for THEIR ENTIRE EXISTENCE.

And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.

Just about all of the damage can be reversed. It's just a matter of how much time and how much money is lost doing so.

This is about preventing the damage before it costs you time and money.

Your Amazon account should NOT have the same password that your eBay account has. No matter how much you trust either of them.

My PayPal and banking accounts have their own passwords, ...

And they should have their own email accounts tied to them. If someone cracks your GameYouUsedToPlay.com account that should NOT give them the email address you use at your bank.

Now, for the secret revelation!

Passwords WERE once used for security.

NOW they are mostly (99.9%+) used for MARKETING. That is why almost all the sites out there require a unique login. And those sites are very lax with their MARKETING data (your username/password/answers).

Once you understand that (and what information you are leaking when you give it to them) you can make better decisions on how much RE-USABLE information you want to give them.

Think about what the minimum information an attacker would need to access your bank account (either login or social engineering) and then look at how many sites have that information.

Comment Re: For work I use really bad passwords (Score 4, Insightful) 136

It doesn't matter. If someone is cracking your (end-user) password at work then they probably have some other means of attempting it.

1. keylogger
2. some reduction attack
3. pass the hash
4. fake authentication request & server
5. etc

By the time the attacker has copies of the hashes and is trying to use any of the techniques in TFA on them it's too late for you as an end-user.

For non-work websites just remember 2 things:
a. DO NOT USE THE SAME PASSWORD
b. If it is financial, don't use the same username/email-address as other sites.
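
Added example (not part of either comment above): the advice in the two password comments, turned into a local audit over an account inventory. It flags any password used on more than one site, any financial account whose login email is also used on a non-financial site, and any password-reset answer shared across tiers of sites. The inventory stores SHA-256 fingerprints rather than the passwords themselves so the audit never needs the plaintext. The sites, tiers, emails and answers are constructed placeholders, and the fingerprints here are computed inline only so the example runs on its own.

```python
import hashlib
from collections import defaultdict


def fingerprint(secret: str) -> str:
    """Short SHA-256 fingerprint so the audit compares secrets without keeping them."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


# Constructed inventory, not real accounts. Passwords and answers are placeholders.
ACCOUNTS = [
    {"site": "forum.example", "tier": "throwaway", "email": "me@example.org",
     "pw": fingerprint("forum-pass-1"), "answers": {"pet": "rex"}},
    {"site": "blog.example", "tier": "throwaway", "email": "me@example.org",
     "pw": fingerprint("forum-pass-1"), "answers": {"pet": "rex"}},      # same password as forum
    {"site": "game.example", "tier": "hobby", "email": "me@example.org",
     "pw": fingerprint("game-pass-2"), "answers": {"pet": "rex"}},       # same reset answer, other tier
    {"site": "shop.example", "tier": "shopping", "email": "me@example.org",
     "pw": fingerprint("shop-pass-3"), "answers": {}},
    {"site": "bank.example", "tier": "financial", "email": "me@example.org",
     "pw": fingerprint("bank-pass-4"), "answers": {"mother": "smith"}},  # login email shared with the rest
    {"site": "pay.example", "tier": "financial", "email": "pay-only@example.org",
     "pw": fingerprint("pay-pass-5"), "answers": {"mother": "jones"}},   # clean
]


def audit(accounts):
    """Return (finding, sites) pairs for the three rules in the comments above."""
    findings = []

    # Rule: DO NOT USE THE SAME PASSWORD, on any site, whatever the tier.
    by_pw = defaultdict(list)
    for a in accounts:
        by_pw[a["pw"]].append(a["site"])
    for sites in by_pw.values():
        if len(sites) > 1:
            findings.append(("password reused", sorted(sites)))

    # Rule: financial accounts get their own email, not one that other sites know.
    non_financial = defaultdict(set)
    for a in accounts:
        if a["tier"] != "financial":
            non_financial[a["email"]].add(a["site"])
    for a in accounts:
        if a["tier"] == "financial" and a["email"] in non_financial:
            findings.append(("financial email shared", [a["site"]] + sorted(non_financial[a["email"]])))

    # Rule: a reset answer leaked by one crap site must not unlock a more important one.
    answer_tiers = defaultdict(set)
    answer_sites = defaultdict(set)
    for a in accounts:
        for question, answer in a["answers"].items():
            key = (question, answer.strip().lower())
            answer_tiers[key].add(a["tier"])
            answer_sites[key].add(a["site"])
    for key, tiers in answer_tiers.items():
        if len(tiers) > 1:
            findings.append(("reset answer shared across tiers", sorted(answer_sites[key])))

    return findings


if __name__ == "__main__":
    for finding, sites in audit(ACCOUNTS):
        print(f"{finding}: {', '.join(sites)}")
```

Run it against an export from whatever password manager holds the inventory; the three findings on the constructed data are exactly the three ways the comments say an attacker gets from a worthless account to a valuable one.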
