
Comment FIPS 46 in 1977, IBM before that. I crack, try it (Score 1) 230

It sounds like you saw my correction. I typed 3DES when I meant DES, so I'll reply to your comments about DES.

> DES doesn't go back nearly as far as 1972. (nor does DES for that matter)

Below is the official NIST paper describing DES. You'll note that after a four year approval process, DES officially became a government standard in 1977. As described in the paper, IBM was using it by 1974 after it was developed in the years prior.

http://nvl.nist.gov/pub/nistpubs/sp958-lide/250-253.pdf

You could reasonably choose any year between 1972 and 1977 as the beginning of DES usage, so you're mistaken about "not nearly as far back as 1972," sorry.

> rather a large number of milliseconds

Try cracking a password database sometime. I do this stuff for a living. The larger the database, the faster you'll get working passwords, so we'll give you the benefit of the doubt and use a fairly small database of only 1,000 accounts as an example. We'll also be generous to you and not use a rainbow table. With a small (difficult) database like that, you can expect to get maybe 12 passwords in the first second or two. In the first ten minutes, probably 250 working accounts.

A 100X larger database will yield roughly 100X as many passwords per time - around 1,000 working accounts in the first few seconds, or 2-3ms per account at first.

If we want to go fast, we use a rainbow table. Standard DES password hashing ala crypt() collides at about 1:1000 since it uses only the first eight characters. On modern PCs with GBs of RAM, we can use in-memory tables and crack millions per second. No need for that, though, I don't mind waiting several milliseconds.

Comment Kim Komando is not a "computer security expert" (Score 1) 230

I'm almost offended by your post. Almost, but you did say "so called experts" in one sentence. The linked XKCD comic is right on the money, and experts know that.

Computer geeks and code monkeys are not computer security experts. Security experts know what entropy is and know that password entropy comes primarily from length.

"Computer geeks" a la Kim Komando (and many people on Slashdot) go around telling people to use strange mixed case, numbers, punctuation, etc. Code monkeys design login systems that require at least one upper case letter, one lower case, some numbers, some punctuation - and it has to be 6-8 characters.

Computer security experts know that 6-8 characters guarantees weakness, and punctuation increases tech support calls far more than it increases security. (Such requirements often actually DECREASE security by making resets so routine.) Experts have known for a long time that the thing to drill into people's heads is "Use LONG passwords! Make it a sentence or phrase. Make it LONG".

The one problem is that a TON of web applications have been authored by coders with almost zero security training. They make an effort to do it right. They encrypt passwords using crypt(). Crypt defaults to a 1972 algorithm that throws away everything but the first eight characters. That thoroughly screws up security.

Comment very few programers trained in security, hire secu (Score 1) 230

Indeed very few programmers are trained in security. Probably a minority have any security training to speak of and darn few are trained to design a security system. Yet, most companies don't hire a security professional, or even bring one in for a consultation. Security is my field. When another division was designing a single-sign-on system, they had me spend an hour with them to avoid the top 10 most common problems. Before bringing me in, they had already planned falling prey to at least two of those "obvious" problems. An hour with a security professional can make all the difference.

Comment Not at all safe in this instance (Score 1) 230

XKCD showed why it's not at all safe in this instance. Here's the table:

email            cryptw   hint
ac@slash.com     737462   first apostle
dumb@adobe.com   737462   hot neighbor

From the encrypted password, we see that these two users have the same password. Now look at the password hints. What do you suppose is the password they BOTH used?

Comment 90%+ do it wrong - plain text or 3DES from 1972 (Score 2) 230

Of the 12,000 or so sites I've seen, well over 90% do it wrong. I'd estimate 95%. Many store passwords in plain text.
Most use 3DES, which was reasonably secure in 1972. Today, 3DES is cracked in milliseconds.
Sometimes we see an unsalted hash, including MD5.

A few have used MySQL's PASSWORD() and the phpass gimmick scheme which are reasonably secure but non-portable.

I consider "doing it right" to be a salted hash. For new software, bcrypt / blowfish or a SHA primitive.
Preferably, SHA-256 or SHA-512 via crypt($5$salt$, password) for portability and consistency.
For existing code, I consider SALTED MD5 to be acceptable, but the length of the input should certainly be validated.
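Added example (not code from this thread or from any poster): it shows why the table in the "Not at all safe" comment above gives the game away, and what the "salted hash" this comment calls doing it right buys you. An unsalted hash makes equal passwords produce equal stored values, so an audit over a dump finds accounts that share a password; a per-user salt removes that signal. The salted format mimics crypt's "$5$salt$digest" layout but uses a single SHA-256 over salt+password as an assumed stand-in, not glibc's real $5$ iteration scheme; the sample accounts and passwords are constructed.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Unsalted hash: the same password always yields the same digest, so a dump
# leaks which accounts share a password (the pairing the XKCD table shows).
def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Salted hash stored in a crypt(3)-style "$5$salt$digest" string. The layout
# mimics crypt's $5$ (SHA-256) family, but the digest is a plain SHA-256 over
# salt+password: an assumed stand-in, not the real glibc $5$ algorithm
# (which iterates the hash many thousands of times).
def salted_hash(password: str, salt: Optional[str] = None) -> str:
    if salt is None:
        salt = os.urandom(8).hex()          # fresh random salt per account
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return "$5$%s$%s" % (salt, digest)

def verify_salted(password: str, stored: str) -> bool:
    _, scheme, salt, digest = stored.split("$")
    if scheme != "5":
        return False
    candidate = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare

# Audit check over an (email, stored_hash) table: any group of two or more
# accounts with an identical stored value shares a password. With per-user
# salts such groups cannot arise, so a hit means the storage is unsalted.
def duplicate_hash_groups(rows: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for email, stored in rows:
        by_hash[stored].append(email)
    return {h: users for h, users in by_hash.items() if len(users) > 1}

def demo() -> Tuple[int, int]:
    shared = "correct horse battery staple"  # constructed sample password
    users = [("ac@slash.com", shared), ("dumb@adobe.com", shared),
             ("third@example.com", "a different passphrase")]
    unsalted_table = [(e, unsalted_hash(p)) for e, p in users]
    salted_table = [(e, salted_hash(p)) for e, p in users]
    return (len(duplicate_hash_groups(unsalted_table)),
            len(duplicate_hash_groups(salted_table)))

if __name__ == "__main__":
    print("duplicate groups (unsalted, salted):", demo())  # (1, 0)
```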

 

Comment It means it USED to be "encrypted", a year ago (Score 2) 230

According to Adobe, until a year ago, they were doing it wrong, using the wrong encryption in the wrong way.
The bad guys got a year-old backup, so it was encrypted using the old (wrong) method.

Since the old backup is done wrong, that tells us only that the primary USED TO be done wrong, which is exactly what Adobe is saying. It tells us nothing about the current database.

Comment good argument for anything else, this is enumerate (Score 1) 65

> There's probably also a constitutional argument to be made in the case of the IIRIRA. Practically every policy the Federal
> Government tries to force on the states now is an unconstitutional overreach of their explicitly enumerated powers.

Most are unconstitutional overreach. The Constitution grants only ~18 powers to the federal government.
Regulating immigration happens to be one thing the federal government can and arguably must do. (Consider the effect of article IV otherwise).

One of the enumerated powers is "To establish a uniform Rule of Naturalization". Naturalization means:

1) to confer upon (an alien) the rights and privileges of a citizen. [such as a driver's license]
2) to introduce or adopt (foreign practices, words, etc.) into a country or into general use

Comment the judge know better, based on evidence (Score 1) 599

He booby trapped the system, locked out other authorized users, etc.
The judge or jury would look at that and determine that either: a) he's lying or
b) forgetting wouldn't be a problem if he hadn't set booby traps etc., and locking out other users was an intentional criminal act.

It's interesting to me how often people say "just claim that [transparent bullshit]." 99% of the time, judges aren't stupid. Their law degree indicates they have above average intelligence, but sometimes people assume judges must be drooling morons.

Granted, occasionally there are rulings that seem pretty dumb, but even those are normally much less dumb than the headlines make them out to be.

Comment "I stole from an idiot" isn't an excuse, it's wors (Score 3, Insightful) 599

> and not the complete idiots of the company for leaving their passwords with one person, and not having a way to access by way of a default password. His lawyer must have been an idiot as well if he didn't make that argument.

"The victim was stupid" isn't an excuse. If it were, we could legally do anything we want to you.

In fact, it's generally considered an aggravating factor to victimize the mentally challenged because we have a duty to look out for those who are defenseless.

Comment New York is similar, they just ignore laws (Score 1) 65

I just skimmed New York's statute; it is similar. New York just ignores the law http://www.ojjpac.org/sanctuary.asp .
They don't follow laws, they don't try to change laws that they think should be changed, they just ignore them.
The majority of New York voters support ignoring the law.

Comment Bezos was a computer science wiz before books (Score 1) 231

I guess you're unfamiliar with Bezos and unfamiliar with how and why Amazon began. Books are not what makes Amazon special. The idea of books came after Bezos designed the system that makes Amazon special.

Bezos studied engineering and computer science at Princeton, graduating magna cum laude.
He then went to work doing IT for Wall Street. From beginning to end, he's been about expanding computer technology. He didn't build infrastructure in order to sell books, he used books and other easily shippable products to monetize a computer-based distribution system. You may notice they sell a heck of a lot more than books - because books are a readily replaceable accessory to their actual business. That's why they don't write books, they buy them, because books are not what makes Amazon special.

The idea for Amazon came to him while he was traveling across the country and he heard that the Supreme Court ruled internet sellers don't have to collect sales tax. He decided to combine that with his skill at building large scale infrastructure and put together a mass market system selling stuff on the internet at a discount. What to sell using the system he designed? It should be valuable enough to ship. You don't sell concrete or soda online, shipping would be a problem. Electronics have high value per pound, but quickly lose value in the warehouse. The post office has a special extra low shipping rate for books, so books were a good product to start with. The product was chosen to fit the distribution infrastructure. The infrastructure wasn't built to put his (nonexistent) bookstore online.

Comment sounds like a winner. haven't used (Score 1) 285

--checksum sounds like a winner. I may need to review man rsync, then see if we should be using that anywhere.

>OK, I haven't actually used btrfs (or any other fs with similar snapshot/CoW capabilities

Neither have I, but I don't think we're supposed to admit that on /. I think we're supposed to act as though we're experts on things we've never seen before, since this is Slashdot.

I have read the code for copy-on-write snapshots used by lvm and my understanding is that it's essentially similar.
