Comment: Re:Hey Wordpress... (Score 1) 103

by yawnmoth (#29328199) Attached to: Warns of Active Worm Hacking Blogs
I don't know that the statement "the salt will always be known" is a valid one. The fact that it's different for each password is what makes it secure.

The statements "the salt will always be known" and "it's different for each password" aren't mutually exclusive. You can have a unique salt for each user / password and still always know the salt for each of those users.

Also, in the case of Wordpress, I imagine the only password an attacker would be interested in would be that of an admin. Presumably you wouldn't be trying to brute force every single user's password on a Wordpress installation, anyway. Of course, then again, I'm not sure non-admins have a reason to have an account, anyway, since most Wordpress installs allow unauthenticated users to comment.

Comment: Re:Hey Wordpress... (Score 1) 103

by yawnmoth (#29327929) Attached to: Warns of Active Worm Hacking Blogs

Salted passwords have nothing to do with what essentially is the same thing as obfuscating banners on web or mail servers. Salted passwords significantly improve security.

Do you even know what a salted password is? Instead of brute forcing hash(password) you brute force hash(salt + password). Since the salt is always going to be known, brute forcing hash(salt + password) takes no more time than brute forcing hash(password). All it protects against are run-of-the-mill rainbow table attacks.

Obfuscating banners only adds a trivial amount of work to determine the version a server is running.

I assume you're referring to the capability testing that the post mentioned? Tell me - did 2.8.4 even introduce new capabilities? If so, then, presumably, it should have been numbered 2.9.0 - not 2.8.4. And if they didn't add new capabilities, then capability testing wouldn't allow an attacker to figure out if you were running a vulnerable version or not,'s comments notwithstanding.
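The cost argument in the comment above, worked through in code. This is an added example, not code from the thread or from Wordpress's class-phpass.php: it builds a constructed credential store (with the salt stored in the clear, as it normally is), runs the same dictionary attack against an unsalted and a salted copy, and counts hash evaluations. The per-guess cost is identical in both cases; what changes is that with a per-user salt one evaluation no longer checks every user at once, which is exactly why precomputed (rainbow) tables stop paying off. The `rounds` parameter is a simplified key-stretching loop added to show what does raise per-guess cost; it is an assumption for illustration and not phpass's exact algorithm or encoding. SHA-256, the user names and the word list are all constructed here.

```python
import hashlib
import os


def hash_password(password: str, salt: bytes = b"", rounds: int = 1) -> str:
    """rounds=1 is plain hash(salt + password); rounds>1 re-hashes the
    running digest together with the password (simplified stretching,
    not the phpass construction)."""
    pw = password.encode()
    digest = hashlib.sha256(salt + pw).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(digest + pw).digest()
    return digest.hex()


def store(passwords: dict, salted: bool, rounds: int = 1) -> dict:
    """Constructed credential store: user -> (salt, rounds, digest).
    The salt is random per user when salted=True and empty otherwise;
    either way it is stored next to the digest, so a leak reveals it."""
    db = {}
    for user, pw in passwords.items():
        salt = os.urandom(8) if salted else b""
        db[user] = (salt, rounds, hash_password(pw, salt, rounds))
    return db


def crack(db: dict, wordlist: list) -> tuple:
    """Offline dictionary attack on a leaked store. Returns the recovered
    passwords and the number of hash evaluations spent. Users sharing a
    salt are checked together: one evaluation per candidate covers all of
    them, which is what a precomputed table exploits. Per-user salts
    collapse each group to one user, so the work multiplies by the user
    count, while the cost of a single guess is unchanged."""
    groups = {}
    for user, (salt, rounds, digest) in db.items():
        groups.setdefault((salt, rounds), {})[digest] = user

    found = {}
    evaluations = 0
    for (salt, rounds), digests in groups.items():
        for candidate in wordlist:
            evaluations += rounds          # each candidate costs `rounds` hash calls
            if hash_password(candidate, salt, rounds) in digests:
                found[digests[hash_password(candidate, salt, rounds)]] = candidate
    return found, evaluations


if __name__ == "__main__":
    # Constructed sample data: three accounts, two with dictionary passwords.
    users = {"admin": "correct horse", "alice": "password1", "bob": "letmein"}
    words = ["123456", "password1", "letmein", "qwerty"]

    for salted, rounds in ((False, 1), (True, 1), (True, 1000)):
        found, n = crack(store(users, salted, rounds), words)
        print(f"salted={salted!s:5} rounds={rounds:5}  "
              f"evaluations={n:6}  recovered={sorted(found)}")
```

With four candidates and three users, the unsalted store falls in 4 evaluations, the salted one in 12: the attacker still recovers the same weak passwords, just without amortising work across accounts. Only the stretched variant changes the cost of each guess, which is the property an attacker targeting a single admin account actually notices.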

Comment: Re:Hey Wordpress... (Score 1) 103

by yawnmoth (#29327603) Attached to: Warns of Active Worm Hacking Blogs
I suppose you also think salted passwords are snake oil? Sure, they're not going to stop someone who's brute forcing on-the-fly, but it does make life more complicated for people using rainbow tables.

I only mention salted passwords because Wordpress uses them (see wp-includes/class-phpass.php).

Comment: add more commercials (Score 1) 313

by yawnmoth (#28213449) Attached to: Hulu May Begin Charging For Video Content
TV networks generally have 15 minutes of commercials for every 45 minutes of programming and as loathsome as having that many commercials may be, I'd, personally, rather have that than have to pay $20.00 / month or whatever. And I don't see pirating as a viable alternative, either - however unjustified the penalties for copyright violation may be, the fact remains that if you get caught, you're liable to be fined several thousand dollars.