Comment: Re:Who cares what method? (Score 1) 409

by gnieboer (#35164310) Attached to: Are You Sure SHA-1+Salt Is Enough For Passwords?

I oversimplified my description. You'd need to do a challenge-response system so that the server sends a random hash, it's hashed with the password on the client, which is returned, hashed with the salt value, and compared with the stored value in the database hashed with the random value.

Stored value = Pass Hash + Salt Hash
Client value sent = Pass Hash + Random Hash
Compared values = Pass Hash + Random Hash + Salt Hash.

In addition, even if you didn't do it this way and just hashed the password (which I agree isn't as good as the above), then you still can't just send values from the DB because remember that the DB's values are salted, so are != the pass hash alone.

But if the box is rooted, again, even this approach won't save you because as was mentioned, the box can send malicious web code to the client to execute which will send the plaintext password to wherever the hacker wants it.
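The exchange described in this comment, written out as an added example that is not part of the original post: the server issues a random nonce, the client answers with a keyed digest derived from the password, and the server recomputes the same digest from its stored salted value and compares. The construction (PBKDF2 for the stored verifier, HMAC over the nonce for the response, the salt sent along with the challenge, the iteration count) is this example's own choice, not something the comment specifies.

```python
import hashlib
import hmac
import os

# Constructed parameter for the example; a deployment would tune this.
ITERATIONS = 50_000


def make_verifier(password: bytes, salt: bytes) -> bytes:
    """The value the server stores: the password hashed with the salt."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


class Server:
    def __init__(self):
        self.users = {}     # username -> (salt, verifier)
        self.pending = {}   # username -> nonce of the open login attempt

    def register(self, username: str, password: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, make_verifier(password, salt))

    def challenge(self, username: str):
        # Step 1: send the random value. The salt goes along so the client can
        # rebuild the same verifier (an assumption of this example).
        salt, _ = self.users[username]
        nonce = os.urandom(16)
        self.pending[username] = nonce
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        # Step 3: recompute the expected response from the stored verifier and the
        # nonce issued for this attempt, then compare in constant time. The nonce
        # is consumed so the same response is never accepted twice.
        salt, verifier = self.users[username]
        nonce = self.pending.pop(username, None)
        if nonce is None:
            return False
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: bytes, salt: bytes, nonce: bytes) -> bytes:
    # Step 2: the client hashes the password with the salt, then keys a digest of
    # the random value with it. Only this digest crosses the wire.
    verifier = make_verifier(password, salt)
    return hmac.new(verifier, nonce, hashlib.sha256).digest()


def login(server: Server, username: str, password: bytes) -> bool:
    """One full exchange, with the client and server halves called in turn."""
    salt, nonce = server.challenge(username)
    return server.verify(username, client_response(password, salt, nonce))


def replay_check(server: Server, username: str, password: bytes):
    """A captured response is accepted once; against a fresh challenge it fails."""
    salt, nonce = server.challenge(username)
    captured = client_response(password, salt, nonce)
    first = server.verify(username, captured)
    server.challenge(username)   # a new nonce is issued for the next attempt
    second = server.verify(username, captured)
    return first, second


if __name__ == "__main__":
    s = Server()
    s.register("alice", b"correct horse battery staple")
    print(login(s, "alice", b"correct horse battery staple"))       # True
    print(login(s, "alice", b"wrong"))                               # False
    print(replay_check(s, "alice", b"correct horse battery staple")) # (True, False)
```

Two properties of this construction are worth noting from the defender's side: the plaintext password never leaves the client, and a response captured from the wire is useless against the next challenge. The stored verifier, however, is everything the server needs to answer a challenge, so protecting the database column remains as important as it is with plain salted hashing.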

Comment: Re:Wha? (Score 3, Interesting) 210

by gnieboer (#35152770) Attached to: JAXA To Use Fishing Nets To Scoop Up Space Junk

Yep, especially #2. Orbital dynamics means you're not going to just sweep stuff up in the same orbit you are in.

A fun way to see this all demonstrated is a little iPhone game called "Osmos": you're a mote that has to go along and try to absorb smaller motes. Many of the scenarios involve a "sun" that everything is orbiting around. It quickly forced me to remember my school-day courses on orbital dynamics and how to do a Hohmann transfer, etc. It's decent entertainment (and no, I'm not the developer).

But as you'd see in the game, you need to be in a more eccentric orbit and sweep through other orbits if you want to pick other stuff up. And the delta-Vs involved lead directly to the parent's points #3 and #5... they will go right through the net.

Comment: Who cares what method? (Score 3, Interesting) 409

by gnieboer (#35150328) Attached to: Are You Sure SHA-1+Salt Is Enough For Passwords?

The box is rooted, nothing you do matters. Just change the code...

CHANGE:
string pass = request("userspass")
if UNBREAKABLYGOODHASH(pass, salthash) = RetrieveSaltedDBpasshash(username) {
            UserAuthenticated
}

TO:

string pass = request("userspass")
SendTheHackerThePassword(pass)
if UNBREAKABLYGOODHASH(pass, salthash) = RetrieveSaltedDBpasshash(username) {
            UserAuthenticated
}

And you're done... Just wait for the passwords to come rolling in.

Any rooted machine that handles the user's actual password can be coerced into giving it up. So limit what machines see that password. Have your web client hash the password before it goes to the host (even when it's a secure connection). That would help, though the client machines should be easiest to hack, but at least it takes longer to get the right password.
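The client-side hashing suggested at the end of this comment, as an added example that is not part of the original post: the client derives a value from the password before the request is built, and the host rehashes that value with its own salt before storing or comparing it. It also checks the point made in the reply above, that a stored database value cannot simply be submitted as the "userspass" field. PBKDF2, the use of the username as the client-side salt, the JSON request shape and the iteration count are this example's own assumptions.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 50_000   # constructed parameter for the example

_users = {}           # username -> (salt, stored hash); stands in for the database


def client_prehash(username: str, password: str) -> bytes:
    # Runs on the client before the request is sent. The username serves as a
    # per-user salt so identical passwords produce different values (an
    # assumption of this example, not something the comment specifies).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), ITERATIONS)


def server_hash(prehash: bytes, salt: bytes) -> bytes:
    # The host treats the client's value as the password and applies its own
    # salted hash, so a dump of the stored column is not directly usable at login.
    return hashlib.pbkdf2_hmac("sha256", prehash, salt, ITERATIONS)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    _users[username] = (salt, server_hash(client_prehash(username, password), salt))


def build_login_request(username: str, password: str) -> str:
    # What the web client actually transmits (constructed JSON body). A modified
    # login handler on a compromised host sees only this field, not the password.
    body = {"username": username, "userspass": client_prehash(username, password).hex()}
    return json.dumps(body)


def authenticate(request_body: str) -> bool:
    # Server-side handler: rehash the client's value with the stored salt and
    # compare in constant time. Malformed or unknown-user requests are rejected.
    req = json.loads(request_body)
    record = _users.get(req.get("username"))
    if record is None:
        return False
    salt, stored = record
    try:
        userspass = bytes.fromhex(req["userspass"])
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(server_hash(userspass, salt), stored)


def stored_value_is_login_usable(username: str) -> bool:
    # Submitting the database column itself as "userspass" must not work,
    # because the stored value is the salted hash of the client's value.
    salt, stored = _users[username]
    body = json.dumps({"username": username, "userspass": stored.hex()})
    return authenticate(body)


if __name__ == "__main__":
    register("alice", "hunter2")
    request = build_login_request("alice", "hunter2")
    print("hunter2" in request)                   # False: plaintext never sent
    print(authenticate(request))                  # True
    print(stored_value_is_login_usable("alice"))  # False
```

The trade-off the comment points at is visible in the code: what a compromised host captures is the client-side value, which is good for this service only and still has to be cracked to recover the actual password, while the second hash on the host keeps a database dump from being directly usable for login.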

Comment: Re:We assume that... (Score 4, Interesting) 282

by gnieboer (#35126678) Attached to: US Has Secret Tools To Force Internet On Dictatorships

Why not seed blogs, twitter and facebook...

Because by Executive Order (http://www.fas.org/irp/doddir/army/fm3-05-30.pdf, page 19), "U.S. PSYOP forces will not target U.S. citizens at any time, in any location globally, or under any circumstances"

The internet causes a problem in this regard, as obviously it's designed so that all of it is accessible from everyplace else (generally speaking). So while it's possible to put a server someplace that is firewalled to only send/relay info from a range of IP addresses, the military can't do that with Twitter; if they started putting PSYOPS on Twitter, it'd be accessible to US citizens, who could then be considered 'targeted'.

Of course, these restrictions are by executive order, not US law, and they apply to the US Military only.

Side note: on the next page, it spells out copyright issues as an area of concern... don't want to get sued by the MPAA in the middle of WW III because you broadcast a video of Mickey Mouse without permission...

Comment: Re:Riiight...this is going to really work...not... (Score 1) 224

by gnieboer (#35059152) Attached to: Sony Wants To Put Your Game Saves In the Cloud

1- 1,000 people in country "X" are upset at the government, and stage protests
2- Government in country "X" decides to cut the internet off to prevent coordination of bigger protests
3- 100,000 console gamers in country "X" can no longer play their saved games, consoles become useless
4- 100,000 console gamers get very mad and very bored
5- Suddenly 101,000 people are protesting for a change in government.

The Cloud... a tool for democracy...

Comment: citizens can use but the gov't can't... (Score 3, Interesting) 286

by gnieboer (#34927562) Attached to: Google Releases Software To Iran

Let's make a huge assumption that this IP restriction actually works...

What must it be like to download and use a piece of software that you can use but your own government isn't allowed to use? Takes away some of the perception of the gov't's power, I'd imagine. A bit emasculating even. Which of course might be the reason the USG is allowing this to proceed. A sanction that is truly against the government, not the people.

Sadly, I don't think a software release will result in a democratic Iran. But it would be nice.

Comment: Re:A Way To Get Around Regulations (Score 2) 529

by gnieboer (#34911874) Attached to: Goldman Sachs Says No Facebook Shares For US Investors

Actually, believe it or not, the SEC is the good guys here...
The SEC thinks that companies that you can buy shares in should be honest about their financial situation.
So they've made it mandatory to disclose said financial stuff.
And they put in a caveat for little business with under 500 investors so the paperwork doesn't drive them out of business.

So Goldman Sachs, whose pure motivation was, and still is, to make money off the deal, and undoubtedly knows the actual financials behind FB, tried to figure out a way to sell to US investors without having to disclose said financial stuff, which would probably cause them to lose $$$.
But in the end, they figured that this time, trying to get around the SEC's rules wasn't worth the risk, so they are bypassing the US completely. I'm guessing there have been some serious behind-closed-doors talks with the SEC, and I'm guessing some serious threats were made.

So if my assumptions about motivation are correct, it's the SEC that's basically putting up a shield to prevent US investors from buying a $50B load of twat. The rest of the world may not be so lucky. I certainly won't touch it (if I had enough $$$ to play).

Of course, after Facebook shares have quadrupled in price in the next 5 years, I'll always have a record of this post on the internet I can look back on and cry...

Comment: Re:Probably too obvious of a solution... (Score 1) 398

by gnieboer (#34042614) Attached to: Most Americans Support an Internet Kill Switch

It can route around 'damage' as long as an undamaged route exists.

If you control -all- the border routers, then you can easily isolate yourself from all or a portion of the internet. Of course you have to be completely able to stand alone (DNS servers, etc.) to make that work, and have all your critical capabilities inside your 'border'.

Probably in many businesses, productivity would increase in the event of a cyber attack...

Comment: Re:Silly President, streamlining's for wings (Score 1) 246

by gnieboer (#33888700) Attached to: Feds Discover 1,000 More Government Data Centers

1A- How much was left?? TONS of stuff. Same thing in Desert Storm. And that was -with- a plan. Imagine if the military just was told to leave one day?

2A- No issue with states doing it vs federal, but don't see any inherent reason that 50 state governments doing the same thing would be inherently better than a single federal one. The transition is the problem. You can't just stop giving out SSN's without drastic impact, and to give the states a chance to figure it out will take time, and then there's that painful inertia thing again.

3A- I think the line-item veto is the way to go, especially in the current fiscal state we're in. Then the rest is easy and doesn't require the pain and willpower we described.

Don't get me wrong, I agree with the theory of what you are proposing; peace, less waste, balanced budget. I was just trying to show why it's harder than it looks to actually get done.

Comment: Re:Big company (Score 1) 246

by gnieboer (#33884842) Attached to: Feds Discover 1,000 More Government Data Centers

In the "BIG" company, the problem is your definition of "my network". Just who exactly owns the ENTIRE network? The CIO? Sure. So the CIO personally approves each server and VLAN connection? Not likely.

In the government, it's not one network, it's hundreds of networks. Even within the same department, AD Domains don't trust each other, so there is no 'owner'.

So let's say your network is set up according to your described rules. That's fine, no rogue servers on your network. Great work. Let's say you've got 1 big-ass data center, and 2 satellite sites. Big bosses come down and want to do an audit. Their criteria means you list the big-ass center. Great. 2 years later they do another audit. Now the criteria has changed. OK, now you list all 3.

Slashdot goes nuts because they think you are an incompetent admin who didn't have a clue about the "rogue servers" on your network that weren't reported last time.

Comment: Re:Silly President, streamlining's for wings (Score 2, Insightful) 246

by gnieboer (#33884676) Attached to: Feds Discover 1,000 More Government Data Centers

OK, I'll give you some straight answers as to why that's not going to happen, even if you were president tomorrow:

1- End the Wars. Actually, the wars are ending. But let's say tomorrow is your first day in office. Your order is "Redeploy all the units". The CJCS says "Yes, sir". First they need some time to come up with a plan on how to do what you want. So MINIMUM 60 days. Ever tried to get a family of five in the car for a 5-day road trip?? How many hours did that take? OK, now multiply that by 50,000. Moving a force the size of what we have is not a small feat when it's in a land-locked country halfway around the world and we can't just drive down to the coast and hop on a boat. So to make sure it's done right and we don't give $20B worth of stuff to the Taliban when we leave, a plan is a good thing.
So then they come back with the plan, and say it will be 18 months. You lose your mind and say you want it done NOW (you are the President after all!). The CJCS brings in his Intel guys, who give you an hour long brief on the complexities and fragilities of the Afghan society, and how just leaving out of the blue will destroy all the progress made thus far, result in thousands of Afghan deaths due to the resulting civil war, create a resurgence of the Taliban, etc.. Most presidents at this point realize that these are ACTUAL lives that hang on their personal decision (think the picture of Kennedy in the Oval Office during the Cuban Missile Crisis). No longer an armchair exercise, they realize that there has to be a logical framework for the withdrawal. But like Iraq, it happens, because you are the boss. Just on a timeline tempered with reality and experience. Common Sense Ending...

But for argument's sake, let's say you are fanatical about this (you are the President after all!). You direct that every available mode of logistics will be used immediately to remove US troops from Afghanistan. OK fine, they say, and leave. The CJCS hands in his resignation, as his advice is no longer useful to you. Political mayhem ensues, stuff gets leaked to Congress/the Press, and you spend so much of your time dealing with that you can't keep track of the withdrawal.
You threaten to fire all not obeying your orders, those below you come with briefings showing how they are making progress as best they can, you don't have a clue how logistics works, so you don't know if they are lying or not. So you fire a couple just for good measure... briefings get more and more 'controlled'. Troops end up taking about 24 months to withdraw because of all the mess you made.
So let's say you veto the spending bill. Great idea! Resources are what drives DC. So now there is no funding for the war effort. Pentagon comes to a grinding halt. Problem is that there are still troops in the field (remember land-locked Afghanistan?), who are now dying because of lack of ammunition that you refused to buy them. Pictures of dead GI's come back home. Oh wait, now suddenly your veto gets overridden by Congress.
But you aren't done yet, you use yet more executive power to stop spending any DoD funds. More GI's die. Congress has now had enough, so has the American people, and you are the first to be Impeached/Convicted. And the Brits aren't fond of you either (remember it's a Coalition over there).

(The next 2 are easier)

2- End of Department "X". Which one? Defense? Education? State? Health and Human Services? Yep, you can slay an entire department as President. Problem is that in most areas of government, there is SOME good being done. So it's pretty unlikely you can just kill the whole thing without crippling a vital service people need. OK, no problem... we'll just carve out the fat, right? Trouble is that it's very hard to estimate how many people any department really needs if you aren't in that department (just how many people does it take to keep track of Social Security Numbers? I don't have a clue). And almost no one is going to come brief you that they need fewer people (and they would benefit how??). So in frustration, you decide to issue a 10% funding cut across the board. So those few naive departments (headed by people like you, no offense) that decided to right-size their manning to exactly what they needed and are proud of how lean they are get swacked another 10% and now are all working 12 hour days with no extra pay. Naive people learn the bureaucratic way. (See, they didn't start off that way, they are often made that way by their leadership.)
The biggest 'slash' I've seen recently is DefSec Gates recently killed "JFCOM", which is a whole command in the military. Couple thousand people I think? Honestly, that was impressive.

3- Eliminate the Deficit: OK, first off, there is no such thing as a line-item veto. Why? Because Congress won't pass it. So your only tool as President is to veto the entire budget. That's it. Let's say that's exactly what you do. So now the government continues to run on a "Continuing Resolution Authority" (which basically says spend like it was last year's budget) until one gets passed. Congress goes back, and argues for a while, but because everyone has their pet projects and need to get re-elected, they make some cuts, but in your opinion, not enough and not in the right places. Again, veto is your only option. And each veto will cost 30-60 days until you see another budget come up. And in the end, whose fault will it be that the budget isn't signed in the public's eye?? Yours. So you'll lose, because Congress won't be motivated to do what you want. They'll just pass budgets until your approval ratings get so low they can impeach you.

So those are real answers why it's not that simple. The President is the most powerful person in the world, but steering the Titanic takes cunning/skill, not just brute force.
