
Comment: Re:Derp (Score 1) 168

by Mathinker (#47533821) Attached to: New Mayhem Malware Targets Linux and UNIX-Like Servers

We're getting spam here because someone, somehow, got our Active Directory mailing list out of Outlook Web Access. I know all of your admin accounts.

Well, well, sounds like both of us are in big trouble because of Microsoft, and not even because of the problem you originally complained about. :-)

Anyway, thanks for the interesting discussion. As someone whose job doesn't include having to worry about Microsoft's idiocies... I wish you the best of luck!

Comment: Re:Derp (Score 1) 168

by Mathinker (#47524799) Attached to: New Mayhem Malware Targets Linux and UNIX-Like Servers

The first part is that the network log-in source can be grouped as an infinite number of terminals--lots of connections--so a per-connection rate limit is useless; thus all network service log-in (caveat: Active Directory handles console log-ins... over network) must be grouped as one thing to be effective.

OK, I agree that your argument here is OK, if the 1-2 second delay is an artificial one generated by the OS (and the OS doesn't sufficiently limit the number of active connections). If the 1-2 second delay comes from actual computational overhead of the authentication process (e.g., PBKDF2), then your argument still fails.

I can lock you out of your server by constantly trying to log into your server, so you can't apply patches anymore. Then I hack it on Tuesday.

Well, if I understand correctly, the lock-out is on a per-account basis, so you'd have to know the usernames of all my admin accounts, so this seems to me to not be very likely to succeed if I have heard about the attack ahead of time (thanks to your post)...
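As an added illustration of the throttling tradeoffs argued over in this subthread (not code from any poster), the toy model below compares three lockout policies: a limit per connection source, a limit per account name, and one shared budget for all network log-ins with a separate budget for the console. The policy names, limits and hostnames are made up for the model; it counts only wrong guesses and does not age them out over time.

```python
from collections import defaultdict

# Hypothetical limits on wrong guesses before a key is refused further attempts.
PER_SOURCE_LIMIT = 10     # per connecting host
PER_ACCOUNT_LIMIT = 5     # per account name, regardless of source
NETWORK_LIMIT = 100       # shared by every network source
CONSOLE_LIMIT = 10        # the local console gets its own budget


class LoginGuard:
    """Counts wrong guesses per throttling key and refuses once a key hits its limit."""

    def __init__(self, policy):
        if policy not in ("per_source", "per_account", "network_vs_console"):
            raise ValueError(policy)
        self.policy = policy
        self.fails = defaultdict(int)

    def key(self, source, account):
        # Which bucket an attempt is charged to depends on the policy.
        if self.policy == "per_source":
            return ("src", source)
        if self.policy == "per_account":
            return ("acct", account)
        # network_vs_console: all remote hosts share one bucket, console has another
        return ("console",) if source == "console" else ("net",)

    def limit(self, key):
        return {"src": PER_SOURCE_LIMIT, "acct": PER_ACCOUNT_LIMIT,
                "net": NETWORK_LIMIT, "console": CONSOLE_LIMIT}[key[0]]

    def attempt(self, source, account, password_ok):
        k = self.key(source, account)
        if self.fails[k] >= self.limit(k):
            return "refused"          # locked out: the password is not even checked
        if password_ok:
            return "ok"
        self.fails[k] += 1
        return "wrong"


def guesses_admitted(policy, n_sources, accounts, tries_per_source=50):
    """How many wrong guesses a guessing campaign spread over n_sources hosts
    actually gets evaluated under the given policy (constructed scenario)."""
    guard = LoginGuard(policy)
    admitted = 0
    for i in range(n_sources):
        for j in range(tries_per_source):
            acct = accounts[j % len(accounts)]
            if guard.attempt(f"host{i}", acct, False) == "wrong":
                admitted += 1
    return admitted


def admin_still_gets_in(policy, flooded_account, admin_account, flood_sources=50):
    """After a flood of wrong guesses against flooded_account from many hosts,
    can the real admin still log in at the console with the correct password?"""
    guard = LoginGuard(policy)
    for i in range(flood_sources):
        for _ in range(20):
            guard.attempt(f"host{i}", flooded_account, False)
    return guard.attempt("console", admin_account, True) == "ok"


if __name__ == "__main__":
    for policy in ("per_source", "per_account", "network_vs_console"):
        print(policy,
              "1 host:", guesses_admitted(policy, 1, ["alice"]),
              "1000 hosts:", guesses_admitted(policy, 1000, ["alice"]),
              "admin locked out by flood on own name:",
              not admin_still_gets_in(policy, "admin", "admin"),
              "admin locked out by flood on a guessed name:",
              not admin_still_gets_in(policy, "administrator", "admin"))
```

Running it shows the two points made in the thread side by side: the per-source budget scales with the number of hosts the guesser controls, so it admits a thousand times more guesses from a thousand hosts, while the per-account budget admits only a handful but refuses the genuine admin too once someone has guessed the account name, and only the separate network and console budgets keep the console usable during a network flood.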

Comment: Re:Derp (Score 1) 168

by Mathinker (#47486131) Attached to: New Mayhem Malware Targets Linux and UNIX-Like Servers

There's this link that references USB-HID specifically at 750 characters per second. I can't find other references to USB HID rates, and the HID protocol is semi-flexible (i.e. it's really fucking hard to implement NKRO on HID, since HID keyboard protocol specifies 6KRO in boot mode; but you're free to implement an alternate HID protocol once your keyboard's out of boot mode).

Thanks for the hint to look at the USB-HID standard (1.1) in which even high-speed devices are limited to 64KB/s. That's interesting info. Does the USB hardware + operating system on most computers actually enforce that?

OTOH, comparing the "1-2 second turn-around" in your reply to the "750 characters per second" undercuts your original argument as a whole

1-2 second delay is an expected human-facing turn-around: this actually happens on most modern systems. I pointed it out and then theorized eliminating that rate limit entirely, instead relying on the limits of the HID keyboard protocol at 750 characters per second, which is the faster measurement and thus can be taken as a worst case.

You don't actually seem to be addressing my argument here; perhaps you misunderstood? It's clear to me what you did; my argument was that doing what you did made no sense given the "1-2 second delay" you state, and given that datum, your characterizing Windows as "retarded" for not distinguishing between 750 char/s and the much faster network was illogical.

Your naivety about the average entropy in a typical 8 character password is striking.

We're talking about theoretical password complexity here, not dictionary attacks.

Yes, I am capable of reverse engineering your math. You err, though. "We're talking about..."? No, you're talking about...

I'm not quite getting this. You dismiss the possibility that weak passwords are used, so that hardware password attacks are dismissable, but at the same time address the problem that these same non-weak passwords aren't strong enough to withstand network password attacks without lock-outs? Yes, I suppose there are some real-life situations in which that's true, but why would you rag on Microsoft for trying (in what I agree is not a reasonable way) to cover other possible situations (and, given their user base, much more probable ones)?

Comment: Re:Translation (Score 1) 121

by Mathinker (#47485505) Attached to: New York State Proposes Sweeping Bitcoin Regulations

> The IRS will know who you are when you bought your bitcoin from a regulated exchange.

OK... I suppose so (still doesn't address the "multiplicity of jurisdictions" problem), but that is a quite different scenario than that posed by the poster I replied to, who wanted bitcoin "criminalized and shut down" via legislation.

Your comment was already covered by, for example, this poster.

Comment: Re:Derp (Score 1) 168

by Mathinker (#47485365) Attached to: New Mayhem Malware Targets Linux and UNIX-Like Servers

> That's called a movie plot security threat, and it's not a concern.

Do you always start out your arguments by "poisoning the well"? BTW, the person who coined "movie plot security threat" doesn't exactly agree with you.

> Aside from all the obvious shit like "how do you get in there unnoticed?"

Did you miss the "on a public computer" part of my post? Never heard of social engineering?

> Even without a 1-2 second turn-around for testing a password, keyboards can only enter 750 characters per second.

Where did this "750 characters per second" come from? Is this a limit built into Windows? USB 2.0 runs at 35 MB/s, according to Wikipedia.

OTOH, comparing the "1-2 second turn-around" in your reply to the "750 characters per second" undercuts your original argument as a whole --- if the password check itself is the limiting factor, even for the "slow" keyboard, it makes no sense to make a distinction between password attempts from the keyboard and those from the network, so it would be silly to call Windows "retarded" for doing so.

> That's less than 100 password attempts per second for 8 character passwords,
> or 10^12 seconds to try them all. 800,000 years!

Your naivety about the average entropy in a typical 8 character password is striking.

Comment: Re:Derp (Score 1) 168

by Mathinker (#47482719) Attached to: New Mayhem Malware Targets Linux and UNIX-Like Servers

Windows does stupid shit like lock the local console if you set up rate-limit log-in...when logging in through the Microsoft log-in manager. That's retarded. A person is sitting at that console, and can't enter passwords fast enough; it should NEVER BE LOCKED.

You have limited imagination; what about an attack on a public computer via replacing its keyboard with one which includes a CPU + password cracking program?

So Windows isn't quite as retarded as you think; it's just retarded in that it doesn't rate-limit the two kinds of logins separately (i.e., still very retarded).

Comment: Re:Derp (Score 1) 168

by Mathinker (#47482643) Attached to: New Mayhem Malware Targets Linux and UNIX-Like Servers

I think nowadays that one can assume that 1400 random infections (for the botnet in question) on the net would include most countries. Even more so for the larger botnets which exist. So my suspicion is that this tactic has limited utility, possibly so limited that it is no longer worthwhile ("Damn, I forgot to turn off the geoblocking before my unexpected trip to Peru!").

Comment: Re:Translation (Score 1) 121

by Mathinker (#47480691) Attached to: New York State Proposes Sweeping Bitcoin Regulations

No, I won't bite on the Ponzi flamebait. But <sarc>I'm sure Satoshi is quaking in his boots</sarc>.

Er, reality check?

  • Your "little bit of legislation" is only going to affect people in your little bit of jurisdiction.
  • Except for someone who actually is stupid enough to directly declare he has bitcoin, it is trivial to conceal it, and trade/spend it outside problematic jurisdictions.

Are you one of those who also believe that we just have to pass stricter laws and piracy will disappear?

Comment: Re:.. not in italy (Score 1) 151

by Mathinker (#47469259) Attached to: Mt. Fuji Volcano In 'Critical State' After Quakes

> They were convicted for making statements that earthquake will not happen

And they actually made such statements? Or, perhaps they merely said that "as far as science knows, the probability of an earthquake is no larger than, say, last year". The whole thing looked like a witch hunt to blame someone for damages which were caused by natural causes, because no politician is going to get up in front of the electorate and actually tell them "Sorry, there is a very small chance that large numbers of people in our country could die from X, Y, or Z and there is no practical way to prevent these dangers."

It frankly looked like scientists sacrificed on the stage of security theater.

Comment: Re:WAT (Score 1) 59

by Mathinker (#47326537) Attached to: Intuit Beats SSL Patent Troll That Defeated Newegg

> RC4 is math. It's either broken or not-broken. You can't go half way.

Security isn't binary. Cryptography, being targeted for practical application, is different than theoretical mathematical statements, which we all know can be discovered to be either correct or incorre... hang on, Godel is calling me from the afterlife...

(heard from distance) What? Really! Mind-blowing, man. Yes, I know your name has those two funky dots, but Dice thinks "pretty" is more important than "functional", so it might be a while before Slashdot can actually display them...

Comment: Re: the stuff just comes out by itself (Score 1) 83

by Mathinker (#47206505) Attached to: Fuel Cells From Nanomaterials Made From Human Urine

If humanity is ever going to colonize other solar systems with slower-than-light travel, it's a no-brainer that we're going to have to learn how to recycle our waste. In a closed ecosystem, it makes sense to find ways to use urine, or plants/bacteria/yeasts grown using urine, as raw material to produce essential materials for repairs.
