Comment: If you're Google, you can afford your own network. (Score 1, Interesting) 115

by xxxJonBoyxxx (#43732925) Attached to: Google I/O 2013 Underway: Watch For Updates

>> "network environment here isn't friendly"

#1: If you're Google, you should be able to afford your own reliable connection to the Internet, or even to home base, by your keynoter. Especially if you're going to pimp your marketing on Slashdot. Even if it means bribing the union folks at Moscone to let you do it your way.

#2: You think the network environment is ideal out near all those "other 4.5 billion"?

Comment: Acceptable Risk (Score 1) 41

by xxxJonBoyxxx (#43713655) Attached to: Researchers Fake Mini Volcanic Eruptions

>> could help safety officials to decide where to restrict public access at volcanoes such as Italy's Stromboli, where dozens of tourists arrive every night to watch spectacular fire fountain displays

Let's not go there, please. If we lose a couple of dozen tourists, that's an acceptable risk. Hell, there's many things all of us do (skydive, kayak, rock-climb, drive on interstates, eat cheeseburgers, visit hospitals) that expose us to risk...but without those risky experiences, life wouldn't be nearly as much fun.

"Nanny-staters, git off muh lawn!"

Comment: Re:A problem with this is... (Score 1) 110

by xxxJonBoyxxx (#43669555) Attached to: Honeywords — Honeypot Passwords

>> Clearly the "fake cred" would never be a flag in the users table (or even in the same database/system). For example, it could be a process that scans your logfiles and alerts based on username.

That's my point. If you're already doing this, you don't need to inject fake credentials into your databases to detect unusually accurate snooping.

Comment: Re:A problem with this is... (Score 1) 110

by xxxJonBoyxxx (#43668969) Attached to: Honeywords — Honeypot Passwords

>> username/password combinations don't have to be the same

If you've implemented SSO on even groups of systems, they will be the same. :)

>> can be trapped higher up the chain in the code that processes authentication requests so that they can't actually be used to gain access to systems

To do that, you need to set a "fake" flag on the credentials, and bad guys can use that to filter out the fake creds from the store.

>> these act to dissuade attackers in the same way as "sting operations" act to dissuade Johns and car thieves

In other words...they mostly don't? As I said earlier, if your attacker will be trying multiple valid sets of credentials, you can detect them without needing this extra complexity. A smart attacker would also snoop your activity logs before using any stolen credentials to avoid locked or dormant accounts, and to see if he/she can figure out which accounts are automated, maintenance, or otherwise frequently used enough to be of interest. Even that low level of recon would avoid the control you seek to introduce.

Comment: A problem with this is... (Score 2) 110

by xxxJonBoyxxx (#43668575) Attached to: Honeywords — Honeypot Passwords

When you "seed your authentication databases with fake passwords", you've really just added a bunch of accounts with the same username/password across multiple systems. A smarter (less invasive) approach might be to compare actual hack attempts against existing or recent lists of known usernames; if they're close, that's a tip-off that someone knows more about your authentication store than he or she should.
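The comparison suggested in the comment above, sketched as an added example (not part of the original comment): failed logins are grouped by source, and a source is flagged when the usernames it guessed match the real account list unusually well. The log format, account names, addresses and thresholds are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from difflib import get_close_matches

# Log format, account names and addresses are constructed for this example.
LINE_RE = re.compile(r"^\S+ FAIL user=(?P<user>\S+) src=(?P<src>\S+)$")
KNOWN_USERS = {"asmith", "bjones", "cnguyen", "dpatel", "svc_backup", "ekim"}
RECENT_USERS = {"fgarcia"}  # recently disabled accounts still count as known

SAMPLE_LOG = """\
2013-05-08T10:00:01 FAIL user=admin src=198.51.100.20
2013-05-08T10:00:02 FAIL user=root src=198.51.100.20
2013-05-08T10:00:03 FAIL user=test src=198.51.100.20
2013-05-08T10:00:04 FAIL user=guest src=198.51.100.20
2013-05-08T10:00:05 FAIL user=oracle src=198.51.100.20
2013-05-08T10:04:11 FAIL user=ekim src=192.0.2.44
2013-05-08T10:04:19 FAIL user=ekim src=192.0.2.44
2013-05-08T11:30:00 FAIL user=asmith src=203.0.113.7
2013-05-08T11:30:02 FAIL user=bjones src=203.0.113.7
2013-05-08T11:30:04 FAIL user=cnguyen src=203.0.113.7
2013-05-08T11:30:06 FAIL user=fgarcia src=203.0.113.7
2013-05-08T11:30:08 FAIL user=svc_backups src=203.0.113.7
2013-05-08T11:30:10 FAIL user=webmaster src=203.0.113.7
"""

def parse_failures(log_text):
    """Return {source: set of distinct usernames seen in failed logins}."""
    by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            by_src[m["src"]].add(m["user"].lower())
    return by_src

def is_close(user, known):
    """Exact hit, or a near miss such as a typo of a real account name."""
    return user in known or bool(get_close_matches(user, known, n=1, cutoff=0.85))

def suspicious_sources(log_text, known, min_users=4, min_ratio=0.75):
    """Flag sources whose guessed usernames match the real list too well."""
    flagged = {}
    for src, users in parse_failures(log_text).items():
        if len(users) < min_users:  # one person mistyping a password is not a signal
            continue
        ratio = sum(is_close(u, known) for u in users) / len(users)
        if ratio >= min_ratio:
            flagged[src] = round(ratio, 2)
    return flagged
```

On the constructed log, the generic spray from 198.51.100.20 and the single user retrying from 192.0.2.44 are ignored, while 203.0.113.7 is flagged because five of its six guesses are real or recently removed accounts.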

Comment: What will happen first? (Score 1) 23

a) Someone tries to use it as a meth lab. Shut down.
b) Tenant in building complains. Shut down.
c) Reporter finds that a convicted violent felon is doing something there every day. Shut down.

I'm very happy that they have $6K, but that probably won't even carry the annual liability insurance for a "public" biology lab.
