
Comment: Re:Better go kick WSUS into a sync... (Score 1) 176

by WaffleMonster (#48411395) Attached to: Microsoft Releases Out-of-Band Security Patch For Windows

I don't know what the deal is, but it looks like maybe Microsoft stopped testing security patches on August's patch tuesday, or something.

Having recently "downsized" their QA staff, testing work has been outsourced to paying customers.

When they say they will release a patch 10 AM PST this represents the time they will have managed to get it to compile.

Comment: Re:Stop trying to host it yourself. (Score 1) 405

by WaffleMonster (#48382791) Attached to: Ask Slashdot: How To Unblock Email From My Comcast-Hosted Server?

Stop trying to host everything yourself. Unless you are a defense contractor or otherwise dealing with extremely sensitive data there is no reason in the year 2014 to run your own mail server.

There is no reason in the year 2014 everyone who wants to should not easily be able to host their own mail servers. None of this is or should be rocket science.

The underlying problem is that SMTP email constitutes the most costly and disastrous failure of any Internet RFC in the history of the world. It needs to be replaced.

I get that you want to. Just stop.

The Internet was never intended to be a network of spectators.

Google is a great provider, has competitive pricing, and great reliability. Their competitors are worth looking at as well.

Google reads your email... not so "great" in my book. The rest are subject to "any tangible thing" / third party doctrine intrusions here in the US... not interested.

Comment: You lost me at (Score 2) 98

by WaffleMonster (#48379835) Attached to: Carmakers Promise Not To Abuse Drivers' Privacy

that the information that their cars stream back to automakers or that is downloaded from the vehicle's computers won't be handed over to authorities without a court order

This is the problem. Record everything and everything becomes discoverable. There is no distance from the man himself standing over your shoulder noting everything you do and everywhere you go.

Use cases for recording all this data are equally pathetic...

"The technology uses a radio signal to continually transmit a vehicle's position, heading, speed and other information. Similarly equipped cars and trucks would receive the same information, and their computers would alert drivers to an impending collision."

If you feel compelled to make drivers safer with computer generated warnings then do so based on observations of the world as it already is. While image/sensor processing is more difficult computationally than recording transmitted signals the supporting hardware costs nothing and software R&D costs maximally benefit from deployment at scale and general interest in image processing across a growing number of domains.

Plus you get capabilities transmitters do not provide such as the ability to react to vehicles or obstructions not transmitting their positions.

"As modern cars not only share the road but will in the not too distant future communicate with one another, vigilance over the privacy of our customers and the security of vehicle systems is an imperative," said John Bozzella, president of Global Automakers, an industry trade association.

Security of vehicle systems will never happen because we have proven ourselves incapable of ever producing a secure anything. There is also a small minor problem of owners of these vehicles themselves not being trustworthy.

Sensors which view the world as it actually is, rather than blind assertions of transmitters you have no reason to trust, are both more secure and more useful in the context of driving vehicles on paved roads.

The automakers' principles leave open the possibility of deals with advertisers who want to target motorists based on their location and other personal data, but only if customers agree ahead of time that they want to receive such information, industry officials said in a briefing with reporters.

Where have I heard this before? You agree as a condition of purchase or in some fine print most people will never read. Everyone knows the drill by now.

"You just don't want your car spying on you," he said. "That's the practical consequence of a lot of the new technologies that are being built into cars."

Pure bullshit this isn't about technology, the future or in any way leveraging technology to provide additional value to consumers. It is about leveraging technology to provide additional value to manufacturers and their value chain.

You don't need to report your location to view a map of your location. You don't need to report your location to download traffic conditions. You don't need to report your location to calculate the distance to nearest charging stations. You don't need to report your location for safety reasons.

You only need to report your location so others can profit.

Comment: Regulation to the rescue (Score 3, Interesting) 704

by WaffleMonster (#48352269) Attached to: President Obama Backs Regulation of Broadband As a Utility

Would much rather see legislation focus on promoting last mile fiber infrastructure any ISP can compete to light up on a fair and equal basis.

That net neutrality is even an issue is a symptom of a larger problem of market failure. As long as the only viable ISP in town is a national cable company, you can legislate till you're blue in the face; customers are still going to get fucked over as long as there remains no serious alternative.

Comment: Atomic hand warmers (Score 1) 260

While we all love our polonium encrusted static master brushes, americium drenched smoke detectors, tritium and radium enhanced time pieces... what I really want for Christmas this year are a matching pair of plutonium powered hand-warmers.

None of this boiling water to recharge leaky sodium acetate bags made by the lowest bidder, intentionally throwing our smartphones into thermal overload or the mess left behind by paper envelopes filled with iron filings.

Not only do plutonium hand warmers guarantee many years of gentle continuous warmth none of your friends will hassle you to borrow them.

Comment: Re:Time To Change That Windows Icon (Score 1) 192

Come on, it's 2014, and slashdot is still using that broken windows avatar for Windows stories.
Not only is that "joke" not funny anymore, it's not even true. Windows might not be great, but it's hardly broken like in the days of 95 or 98.

It is long past time you grow up and use the correct logo.

Hey, I like the /. windows logo; it looks neat.

Much nicer looking than ultra-spartan metro-ized CGA cyan version passing as a logo these days.

Comment: When are they going to disable insecure downgrade? (Score 1) 70

Nice they are disabling SSL 3; however, the actual problem was not SSL 3, which everyone was on notice about for years. It was actually Google's intentional action to circumvent secure version negotiation in the first place which enabled SSL 3 to continue to be a problem in 2014.

Comment: Re:Make the salts non-trivial (Score 1) 223

by WaffleMonster (#48247707) Attached to: Passwords: Too Much and Not Enough

Again, you can't do anything for idiots who use permutations of dictionary words. "11elephant82" has about 5 symbols worth of entropy. Pathetic.

The world is full of "idiots", otherwise known as people who have better things to do than remember things they are either incapable of or lack sufficient motivation to remember.

For a solution to have value to real people in the real world it can only cost as much in time/money/convenience as people are willing to spend/accept.

Decades of experience make it crystal clear too many people reject secure passwords and nothing we do or say will ever change that... Calling everyone names or blaming users for their poor choice of passwords after a server compromise is not only a worthless waste of time that helps nobody, but ignores the fact that system compromise = epic system/administrator failure + blaming the victim. When you get hacked it isn't the user's fault, so what business do you have asking more of them to hedge against a compromise that should not occur in the first place?

If you use a secret key, it needs to be loaded into memory, as does the password database. Guess what?

No shit. You can still create systems with high security with physical separation of concerns. Here is an example architecture:

Application server + database server teaming with millions of reversibly encrypted passwords.

Separate specialized authenticator server with encryption key and separate trust relationship to application server.

User authenticates using zero knowledge proof method... authentication material passed directly from user, thru application stack to authenticator... authenticator looks up password in application database, completes mutual identity verification and sends approval token to application stack.

The only way compromise of credentials occurs in the above scenario is if the authenticator server which does nothing except authenticate is compromised. Even if the application and data stacks are fully compromised user credentials are still safe for all the good that does.

If the key isn't directly accessible, that means that I have to send the encrypted password to a chip and it has to send the decrypted password back. That's plaintext on a wire and in memory. You've already lost. With proper hashing, the password is NEVER in plaintext. You can even run the hash on the client side so it's never transmitted, if you're extra paranoid.

You have it exactly backwards. The authenticator server or hardware only needs to provide a token to the application stack; it is not necessary to send clear text passwords anywhere. See my example above.

Your example fails because you have three and exactly three options and **NONE** of them work.

1. Send clear text password from user to compare with stored password...This fails as password is required to be transmitted for comparison operation.

2. Use a challenge/response protocol or ship hashes.. This does not work because all such protocols are subject to offline attack: while you're logging in, an eavesdropper can obtain enough material to run an offline attack and recover credentials.

3. Use a zero knowledge proof of possession to authenticate. This fails because even if you use a hashed password possession of the hash is what is being verified and so having a copy of the hash becomes just as valuable as having a copy of the plaintext.

Alright, I'm through with this troll. Someone else's turn.

Unfortunately in the real world our fairy tales don't get to come true just because we feel empowered to call our users "idiots" and blame them when we ask too much of them or otherwise provide security solutions that are not operationally practical.

My example architecture allows passwords to be only as secure as necessary to prevent *online* attack and clear separation of concerns prevents system compromise from affecting stored credentials regardless of how complex or vulnerable the application and data tiers become.

Comment: The future sucks (Score 1) 286

by WaffleMonster (#48247331) Attached to: The Airplane of the Future May Not Have Windows

Looking out the window is the only remaining aspect of flying I look forward to even though it's worthless over most of the flight.

No problem in principle with fake windows and fudge-able camera views... some of the Qatar Airways planes had down-facing camera views that were exceptionally cool.

Only problem this will all be destroyed by advertising, paywalls and whatever annoyances the marketeers dream up to bleed maximum amount of pennies out of everyone while guaranteeing the most annoying and uncomfortable experience imaginable.

Just look at seating layouts in the fucking videos... with Airlines making seats thinner to squeeze in more rows... we'll see planes like this by the year 20never.

Comment: Re:Make the salts non-trivial (Score 1) 223

by WaffleMonster (#48227223) Attached to: Passwords: Too Much and Not Enough

You can't save users who use 'aaaaaa' as a password. No matter what you do. Otherwise,

What about the user who uses 11elephant82 as their password? Are they doomed as well?

you're not going to recover thousands of strong passwords properly salted and hashed. It just isn't going to happen.

It will happen easily. The only thing that isn't *ever* happening is people using strong passwords relative to current and projected cost per transistor.

What are you going to protect with that symmetric key?

The password database? It'd still need to be accessible to the machine holding the database, in order to login.

Yes this is just punting responsibility for keeping a secret. Whether punted to physical keys, operating system keychain, TPM circuits or manual startup inputs all of these things do a better job than tens of thousands to millions of hashes stored in the clear on disk.

Regardless, the password does not need to be accessible to the machine holding the database, offering some (small) protection against theft while still being much better than nothing (e.g. hashed passwords with a proven track record of epic fail after epic fail).

Properly salting and hashing is the correct solution. Have you checked your oil lately?

I'm afraid to, daily commute to Langley is taking its toll.

Comment: Re:Why so high? (Score 2) 223

by WaffleMonster (#48227029) Attached to: Passwords: Too Much and Not Enough

I am constantly amazed at the reports that hackers have accessed the passwords of every user on some site or other. I used to work at a financial company where the web server didn't have physical connectivity to the DB; every request had to go through a service that was not only secured itself, but also could only run stored procedures which were in turn secured. The net result was that if (or rather when) the web site got hacked, all the hacker could do *at best* was access some public data for a single user, which never included the stored password.

Occasionally I hear people making statements like this and while practically useful *at best* language is a dangerous assumption.

Additionally complexity of a middle tier just for security sake could well provide additional avenues of attack that may not be available in a globally less complex solution but it all depends on specifics of the implementation.

The reason why *at best* is wrong: an attacker able to compromise the application, middle or data tier is almost always able to exert complete control over the environment... just not immediately or on demand.

At any tier an attacker may record data persistently over time compromising user credentials and data as they login and use the system... you don't need to select * from users when attackers already have copies of your data mirrored to them over time or are able to impersonate any number of users.

Personally, I think passwords should be stored in plain text in the DB as a reminder to all developers that they need to be protected

Better than delusions of safety.

that storing your DB credentials in your web code was OK as long as you "secured" it. If this is the level of comprehension of security in the web dev community, then I'm not only unsurprised at the number of hacks, but will be using a randomly-generated password for every website that asks me for a password.

The data tier could be made to offer functionally the same level of security as an application-specific middle tier with view-based access and/or procedure-driven access. It is not uncommon to run into systems where user accounts are unable to touch any real table.

Comment: Re:Make the salts non-trivial (Score 1) 223

by WaffleMonster (#48226807) Attached to: Passwords: Too Much and Not Enough

Encrypting the password with a small salt is enough to slow down simple password guessing with rainbow tables.

What is the practical effect on a password list when rainbow tables are taken off the table?

Yes much easier everyone gets what ... what does this actually mean in the real world?

Say I have a password list with 10000 accounts, they are all salted.. I'm still going to be able to recover thousands of passwords without much effort... still adds up to epic failure with or without salts.

such as encrypting with a 64-bit additional site password, tables wouldn't work. Of course, the same password could have been used to encrypt the entire password file in the first place, but this technique allows the password to be stored in the usual way.

Symmetric keys are a much better idea than the dangerous delusion too many people seem to be subscribing to that clear text storage of salted password hashes affords users any meaningful protection.

In that way, 2-factor encoding works for the password data itself.

Nope this counts only as tweaking integrity of a single factor.
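Added example, not WaffleMonster's code or anything from the threads above: a small Python model of the two storage designs argued over in the "Make the salts non-trivial" posts, the "example architecture" with a separate authenticator holding the key, and the later posts about wrapping stored password material under a site-wide symmetric key. The `Authenticator` class, the `site_key`, the `CANDIDATES` list and the function names are all assumptions made for the demo; the key separation uses HMAC with a key the data tier never holds rather than reversible encryption, and the zero-knowledge login step from the thread is not modelled. The point it shows is the one the posts argue: a dumped user table of salted hashes can be tested against guesses offline, while the same dump of keyed records cannot be tested without the authenticator's key.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Work factor kept low so the demo runs quickly; raise it for a real deployment.
PBKDF2_ROUNDS = 20_000

# Constructed sample of weak candidate passwords (the thread's own examples plus a few),
# standing in for whatever list an attacker would try against a dumped table.
CANDIDATES = ["aaaaaa", "password1", "11elephant82", "letmein", "qwerty123"]


def salted_hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: anything the application/data tier can compute by itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# --- Scheme A: salt + hash, stored in the clear in the user table -------------------

def make_record_salted(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify_salted(record: dict, password: str) -> bool:
    return hmac.compare_digest(record["hash"], salted_hash(password, record["salt"]))


# --- Scheme B: the same salted hash, wrapped under a key kept off the data tier -----

class Authenticator:
    """Stands in for the separate authenticator server (an assumption of this demo).
    It alone holds the site key and answers only yes/no for a candidate digest."""

    def __init__(self, site_key: bytes) -> None:
        self._site_key = site_key

    def wrap(self, digest: bytes) -> bytes:
        return hmac.new(self._site_key, digest, "sha256").digest()

    def matches(self, stored_wrapped: bytes, candidate_digest: bytes) -> bool:
        return hmac.compare_digest(stored_wrapped, self.wrap(candidate_digest))


def make_record_keyed(password: str, auth: Authenticator) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "wrapped": auth.wrap(salted_hash(password, salt))}


def verify_keyed(record: dict, password: str, auth: Authenticator) -> bool:
    # The application tier hashes the candidate and asks the authenticator for a verdict;
    # the site key never reaches the database host, only a yes/no comes back.
    return auth.matches(record["wrapped"], salted_hash(password, record["salt"]))


# --- Simulated dump of the user table: the attacker has the records, not the key ----

def offline_guess_salted(record: dict, candidates: Iterable[str]) -> Optional[str]:
    """Against scheme A the dumped record alone is enough to test guesses offline."""
    for guess in candidates:
        if verify_salted(record, guess):
            return guess
    return None


def offline_guess_keyed_without_key(record: dict, candidates: Iterable[str]) -> Optional[str]:
    """Against scheme B the attacker can compute salted hashes but cannot wrap them,
    so nothing derivable from the dump alone ever equals the stored value."""
    for guess in candidates:
        if hmac.compare_digest(record["wrapped"], salted_hash(guess, record["salt"])):
            return guess
    return None


if __name__ == "__main__":
    auth = Authenticator(os.urandom(32))  # key lives only in the authenticator process
    weak_a = make_record_salted("11elephant82")
    weak_b = make_record_keyed("11elephant82", auth)
    print("salt-only dump, guess recovered:", offline_guess_salted(weak_a, CANDIDATES))
    print("keyed dump, guess recovered:    ", offline_guess_keyed_without_key(weak_b, CANDIDATES))
    print("keyed login still works:        ", verify_keyed(weak_b, "11elephant82", auth))
```

What the demo does not change is the online case: a weak password is still guessable by logging in repeatedly, which is exactly the residual risk the thread says rate limiting and lockout have to carry. It also shows where the secret moved rather than disappeared, as the "punting responsibility" post notes: if the authenticator host or its key is compromised, scheme B degrades to scheme A.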
