How well do dictionary attacks do against passphrases containing more than 2 words? Each one multiplies the potential complexity by the size of the dictionary. Six words and a million-word dictionary, assuming no semantics, results in (10^9)^6, or 10^54 possible phrases, and if even one of those words is intentionally misspelled...
4212 posts • joined 10 Jun 2009
Re: password hashing
If you have to go that far, why not just use a password keeper and let it generate completely random passwords for each site, taking into account each site's eccentricities? That way you only have to recall one passphrase to open this keep (which you can store locally) which you can make as long and convoluted as you please.
I recall it once termed "memory theater". The problem is that it's meant to recall things in a particular order. That's why you "walk through" your loci mnemonic. Trouble is that, in modern life, things are much more random. You may be asked to recall the 57th password you memorized one day and the 124th one the next, with the 89th demanded after dinner for good measure. So having to walk through your mnemonic to recall something out of order can be time-consuming and prone to mistakes.
Plus, consider the NUMBER of passwords we have to go through each day. I'm pretty sure these phrases run into the point where you have to wonder which mnemonic you used for which site. "Now did I use Mary Had a Little Lamb or Little Jack Horner? Or was it actually Simple Simon?" I'd like to see an effective mnemonic for remembering the credentials for hundreds of arbitrary websites.
Re: Be careful what you wish for...
Which would you rather have? The corrupt King Cobras or the relentless Army Ants? You're dead either way. Even if we tried to make our own mesh, that would take electricity, which means we're beholden to the power companies.
Re: Time to reinvent the wheel...
But cash CAN be stolen...or counterfeited...
Re: "...a skilled hacker will alway get in..."
"1) Fire the employees?
2) Reassign them to non-driving jobs?
3) Train them to drive better?
4) Put bigger bumpers on the vehicles?"
You can't do (1) because they're probably in positions of trust. Fire them and you run the very real risk of retaliatory sabotage, and their position of trust means they can leave secret backdoors in their wake. (2)'s out because they're not stupid. ANY kind of relegation may as well equate to a firing. And they may not be willing to undergo (3). So what happens when you're caught between Scylla and Charybdis: caught with an employee already in a position of trust but now found to not be trustworthy?
"Yes, I'm saying Schneier is wrong on this, and that puts me on the wrong side of a lot of people. But I feel he is. Can we make something 100% "secure"? Probably not. But we always need to try. And we can't take the totally full-a**ed attempts we've been making at something pathetically called "security" and say, "See? It doesn't work!"."
But what happens when the openings come from UP TOP? Plus how do we convince people to care when they'd rather put their effort into deflecting the damage, a la a professional slacker?
I'd hate to be the one to enforce a no-Apple policy when the board uses iPads...
Re: Simple solution @Psyx
"Can they publish a story about not being able to publish a story about not being able to publish a story about X, or is the law recursive?"
I think the law is rather all-encompassing. It prohibits MENTIONING that you can't mention the banned item, meaning any form of recursion is already covered because you have to mention that you can't mention the banned item in order to mention that you can't mention that you can't mention the banned item.
Re: "Court orders received - even if that number is zero."
The requirement ALSO states it must be broad enough that no reasonable conclusion can be drawn from the range. IOW, your range is too specific. They're looking for something more like "between zero and ten million" on the grounds that the mere disclosure of that exact number can tip off criminals.
Re: If you're reading this....
What if they compel you to lie and order you to "not adjust your 'If you're reading this...' in any way"?
Re: Both correct
But as Tim noted, security is computationally-intensive, and recall what the top of the line was in 1990: the 80486, about as big a leap FROM the 6502 as it is TO today's tech. And if this was top end, imagine what else was still in use. Now imagine always-on security in such a world...
As for secure communications, you hit a snag when you have the competing needs of secure communications and efficient communications. Efficiency necessarily leaves telltale trails that can be analyzed (so it's easy to trace something like a video stream since it's time-sensitive) while secure communications necessarily introduces false trails or "chaff" that cost bandwidth and in turn electricity (that's one reason why Freenet's so slow). Plus there's still the matter of subverting endpoints outside the secure network, a practically-intractable problem as long as computers are available to the public. Furthermore, the average user can't be trusted to be perfectly vigilant, which leaves plenty of other openings and instances of being locked out.
Bet the next step will be making alarms too inconvenient by finding ways to "invisibly" trip repeated false alarms all over the place. Alarms won't be able to do much when they cry wolf all the time.
Then how do you UPDATE them when exploits appear, which they ALWAYS will no matter which OS you use (remember, some of the nastiest bugs have been on UNIX-based systems)? Being forced to replace the hardware can be too costly, for example, and perhaps too labor-intensive depending on how it's built.
Re: "32-bit Windows-powered ATM"
"I think I'd rather have no network connection and out of date AV signatures. One less way in for thieves."
Unfortunately, ATMs REQUIRE some form of callback access; otherwise, they can't link back to the banks to verify transactions. That's why ALL ATM's require at least a telephone line.
Re: Epic misunderstanding of email there...
To a point, you are correct. However, the recipient's credentials can be sniffed since POP3 is normally a cleartext connection that requires a login. That's why most ISPs are adding in the STARTTLS extension which allows for transitioning to a secured connection before authentication occurs.
No, more like the flu. You can try to wipe it out but it adapts too quickly. You say UNIX and Win7 are pretty secure...until someone combines a toehold exploit with a privilege escalation and BOOM, you're dead meat again. The thing about this security business is you have to be lucky all the time, they only have to be lucky once. And they have millions of targets (and growing) to choose from.
Perhaps, but by most accounts that better describes a Trojan Horse (a malicious payload disguised as a legit program but not a legit program in and of itself). For it to be a virus, it has to piggyback on a legitimate third-party program or medium the way the flu does.
Re: Spotting the problem is easy.
"So what other solutions are there? Altruistic approaches don't scale beyond small communities as they violate the basics of human nature, communism is far too prone to mismanagement and corruption. Labor-driven free-market economics may be an ultimately self-destructive approach, and require the unhealthy habits of consumerism to function in an age of automation, but it seems to be the only one we have."
What about the unspeakable admission that there are simply too many people for the system to maintain itself and that what's needed is some degree of population reduction?
Re: It's TPTB fault, including the Banksters and the Vatican cult(s).
"This stinking vile mess needs to be demolish ASAP and replaced by something simpler without gangster middlemens' 'help', based on genuine value."
We once did, but the middlemen are like roaches: they keep coming back. No matter how much you try to remove or outlaw them, they'll weasel their way back in. It's part of the human condition; somewhere along the line, someone's gonna cheat...AND get away with it.
Re: Excellent article
"Once a way of producing cheap (relatively) safe energy is discovered, we really won't have any reasonable excuses for consumerism."
Not quite. We'll also need better ways to harness that energy. Converting it to compact and portable petrochemical fuel is a start, but what's needed beyond ubiquitous energy is, as another commenter put it, something approaching the Star Trek replicator: a means of converting energy into arbitrary forms of matter. Or perhaps a lesser stretch, through the use of energy, transforming ubiquitous but not-so-useful matter into not-so-ubiquitous but more-useful matter.
"So far as I can tell - and im in no way a communist, certainly left of center but no ones brother, comrade - the USSR collapsed due to corruption more than anything else, corruption of the founding ideas and global petty corruption on a day to day level."
But that corruption points to a fundamental human condition which makes the Utopia unachievable. Quite simply, humans are animals, and at our basest level, animals will seek to find a way to get a leg up on our fellow man. Why? The ones at the top get to spread the most genes; IOW, it's reproductive and survival instinct so ingrained as to be nigh impossible to root out. I think Karl Marx and Friedrich Engels underestimated our ability to control instinct. We'll band together against threat, as we should which is why you see tremendous organization in war, and threat is what led to the Bolshevik Revolution, not to mention the French and American Revolutions, but in peacetime, it's back to me vs. you at some level. And this conflict will reach across the spectrum, from sibling rivalry to neighborhood spats to community disagreements all the way up to backroom deals, backstabbing, wheeling and dealing at the highest levels of government.
Re: No Solution
"I agree completely with your article but the bit at the end is missing; the solution to the woes that you have pointed out."
Perhaps the lack of a solution points to the real problem behind the problem: the average human seems to lack that critical ability to think beyond tomorrow, either due to stress or due to gross stupidity. Either way, the point becomes, "Why worry about five years when we won't see past tomorrow?"
And that manifests in our growing inability to trust outsiders. It's rapidly becoming a race to full DTA mode. We can't trust private enterprise and the capitalistic model because there's disincentive to think long-term (as I noted earlier, no business can survive on a one-and-done). But the only other institute capable of a long-term solution, the state, isn't trusted either since its very existence (and the stability it provides) rapidly results in cronyism and corruption, undermining the very goals we seek from them. So if you can't trust others, you can't trust the state, and you lack the means to do it yourself, who's left?
Re: never forget though
"you are up against the light bulb principle too"
Hmm, interesting way to put it. West of the Atlantic, it tends to be known as the Vacuum Cleaner Principle, as we're familiar with Kirby and Electrolux vacuum cleaners that have been around for three generations or so, yet you don't see them still being sold today. It's always Hoover or Oreck or whatever. That's the thing about one-offs. Sure, you can steal the market by selling a one-off...but then you starve yourself out of the market because once you sell it, you never hear from the customer again.
Some things just don't work on a capitalistic incentive because the focus will always be on the short term: on repeat business. You need a different incentive to get long-term work done like permanent medical solutions (cures and permanent vaccines vs. treatment regimens).
Re: End to end encryption changes nothing.
And if the very act of getting that warrant tips the crooks off?
But how are we to distinguish if what the person perceives as difference is really difference and not placebo effect (here's a challenge: can the person tell between 'recognize speech" and "wreck a nice beach")? That's why you need multiple people, to average out any bias inherent to an individual.
Re: One thing which hasn't been mentioned re MP3 encoding
Another commenter already tried the Audacity bit, subtract-mixing the encoded file over the lossless one and noted that, especially at high bitrates, the resultant delta is generally very small, like a tiny warble of noise along the centerline of the graph. Admitted, there could be some spikes along the line where perceptual coding can't handle things so well such as at high-frequency noise (eg. cymbals), but is says something to the "pretty good enough" factor.
"Well, all the broadcasters and their roadmaps at IBC involve HEVC. There is equipment available for them that can handle it, and the amount of that will increase quite substantially over the coming years. TV makers are already rolling out HEVC kit (yes, of variable quality in some cases), but it's coming."
OK, so HEVC does have a head start with content and hardware providers. That's significant since it means Google may be late to the party again unless they can steal a march on MPEG-LA (which is still possible, forcing the content providers to scramble), but it would mean Google convincing chip makers to implement VP9 in silicon in volume on both the encoding and decoding end. And hardware is not exactly Google's strong suit. Unlike companies like Apple, Google isn't well-known for dictating exacting hardware terms.
@Charlie Clark: Trouble is, while Android does dominate the mobile market, most of that market is towards the lower end of videos which are still the domain of AVC. Furthermore, a sizeable chunk of that market is still held by Apple, who would sooner see Hell freeze than support The Enemy with their codec because it's Bad For Business, and Apple still has significant pull with content providers. HEVC is going to be, at least at first, primarily used for high-resolution content where mobile data would struggle. This would leave high-speed home networks, which means the playback device will likely be the TV or an STB hooked to it. And the TV end of the market happens to be where HEVC is focusing right now, particularly with content providers and chipset makers.
Re: Dear Faultline
That's the thing. HEVC isn't exactly an established standard yet unless you're saying a slew of HEVC encoding suites are already available to them. Now, granted, MPEG-LA isn't charging a mint for the use of the codec, but Google's offering VP9 gratis and offering a guaranteed line of devices it'll support. Those are two pretty good incentives right there.
Re: What laws?
And if the concrete evidence is in HOSTILE TERRITORY?
Re: Here We Go Again. @Charles 9
"Perhaps you haven't noticed that by simply making the haystack bigger they're not making it any easier to find the needle?"
Perhaps you haven't noticed that the size of the haystack isn't that big of an issue when you've got a magnet, an x-ray machine, or something else that lets you pick out the interesting stuff from all the chaff (that's what the computers are for).
As for the odds, that doesn't mean much either, because you're talking things like plane crashes and meteorite impacts. Sure, the odds are slim, but when they DO happen, they happen BIG (IOW, they're low-incidence but high-consequence). This isn't like your average law-enforcement deal where plods can just investigate things after the fact because after the face is just too damn late when the threat is existential.
Re: It is not my own government I am most worried about.
You'll never convince the software makers to loosen their terms since many of them have captive markets with no honest competition, especially in the professional field. Let's face it. Except for the most basic of things, GIMP is no Photoshop, and I still haven't found anything that approaches the level of features in Premiere or After Effects. All the software maker has to do to (which many are transitioning anyway) is to render all of their transactions leases or subscriptions. At which point, all the buyer can do is accept the limits of the agreement or go without.
When the town only has one well (and practically no way to make another), do you dehydrate yourself to spite its owner?
Re: @FormerKowloonTonger Lest We Forget.
"Wolesale indiscriminate collection of data on the citizens of a country by those who govern is completely different."
So is a world where a single man can potentially ruin civilisation if you're not careful. That's the thing about eternal vigilance. One bad apple can spoil the whole bunch. One determined nihilist with time, and resources can unleash pure hell (and with technology progressing as it is, one cannot discount the possibility of something like a rampant viral plague like avian flu). Know any other way to combat a lone-wolf existential threat?
Re: Here We Go Again.
But what if it's not "a little temporary safety," but "the only thing standing between you and utter oblivion"? We already know some people are insane enough to desire The End of the World as We Know It, and technology is making the possibility easier to reach. Furthermore, it's against our instinct to allow an existential threat to linger.
"I was under the impression that the 'separation' by NAT routers was kinda a byproduct, and can easily be worked into a 6 only router* by just blocking anything coming in over the WAN interface by default, allowing port forwarding much the same as IPv4 + NAT, but just not requiring the IP address MAPPING, as in instead of "anything coming in on the WAN on port 80, map to port 6680 of 192.168.1.230" you'd simply say "Anything coming in on 3D8B:0004:773A:FB01:: port 80, route straight through" ?"
A byproduct, maybe, but a welcomed one, because local net addresses are just that: they're not meant to be exposed to the Internet, and most network stacks will interpret this as such. If not, some link in the chain is likely to realize, "Hey, this isn't a proper internet address" and reject the connection. IOW, odds are if you tried to use a local net address to connect to a LAN address behind a firewall, odds are the firewall won't even be aware of it.
Sometimes, the best defense is stealth, as in making it look as if your machine doesn't exist. Think of it like a hotel or hospital where the rooms can't be direct-dialed from the outside (room-to-room calling is unaffected) but have to go through the front desk first. The front desk is the NAT firewall in this case even if outgoing calls are being routed automatically. If you tried to direct-dial a room, odds are the number is invalid and the phone company will block you, not even reaching the front desk.
There's an IPv4 address space in IPv6, and there are ways to bridge between them. One concern has been firewall penetration, as NAT provided an additional layer of security by separating the address spaces naturally. Also, some businesses run OLD (Pre-IPv6) hardware they can't replace. A sudden changeover would isolate them.
Re: Ban the voice!
"It's about time that the myth was busted over safety concerns. If there was *EVER* the possibility that a PED could have downed an aircraft, they would *NEVER* have been permitted on board. They would have been confiscated at security."
But unlike other things, the PED has several factors that make wholesale confiscation thorny.
1. They're ubiquitous, meaning most passengers have them. The wholesale confiscation of something most passengers have can be ornerous, especially when...
2. They're not easily replaced. People grumble about the liquids bit, but that's offset because one can usually just resupply at their destination. About the only people who have a problem are those with large quantity of prescription fluids. In which case, they'll have to go into checked luggage. But...
3. They're sensitive to temperature extremes AND contain Lithium. Since there's no guarantee a luggage hold will be climate-controlled, the PED might be exposed to damaging temperature extremes and such. Furthermore, lithium is a fire risk (prone to spontaneous combustion), which is why it's banned in luggage holds (at least in a carry-on it can be pulled out in an emergency).
4. They're considered an essential accessory to many: a link back to base. Meaning if they can't take the PED, they're not going. That puts a financial pressure on the airlines catching them between Scylla and Charybdis. If they cave, the PED might down the plane, but if they don't, the lack of passengers might torpedo the business.
Re: Don't get too upset
I don't know. People are used to the lag with video sat phones seen on newscasts. If they're aware of this, they may peg this as the cost of using their phones on an airplane.
Re: Don't get too upset
How did they block Skype if someone was tunneling? Did they block tunnels?
I think the article notes however that domains cost real money and are generally held for a decent length of time (say at least one year), so there's an incentive to reuse the domains, just not right away. IOW, a malcontent wanting to maximize the RoI on the domain will want to figure out how long to lay the domain low before using it again.
Furthermore, the algorithm used to generate the domain names has to be portable since the malware has to know the code, too. This requirement also reduces the odds of changing the algorithm in mid-flight since doing so requires a way to pass along the new technique to the botnet, some nodes of which may fall out of the loop before being updated.
Re: Smartphone vulnerability?
This appears to be specific to custom ROMs. Mine's a lightly-touched TouchWiz job, and bash is missing from it. Which lends credence to my supposition that most Android installs lack bash and are thus safe for now.
Re: Smartphone vulnerability?
I may be wrong, but I think Android's default is the basic Bourne Shell sh. Bash has to be explicitly installed, and I think that takes a rooted phone. Since sh isn't robust enough to be vulnerable to the same problem as bash, most Android implementations should be safe. Besides, most Android rooters tend towards Busybox, which is also safe.
Re: "since most of them can't be patched"
"Can you compile the update of Bash for a BT Home Hub, or do you have to wait for BT to push out a full firmware update?"
Are we SURE this devices uses bash? As the article and several comments note, embedded devices are strapped for space and are more likely to use a compact implementation like that in busybox, which isn't affected. Other network-facing devices are just as likely to be running BSD than Linux, and BSD prefers the C shell csh (usually TENEX C Shell or tcsh) over the Bourne shell sh(and the bug in this case is specific to the Bourne-Again Shell bash).
You can extend this idea even further and ask yourself why pharmaceuticals never put serious work into full cures and permanent vaccines. An economist can easily answer the question: there's no long-term return on a one-and-done. That's why it's always treatment regimens and short-term vaccines where there's always a need for a return trip, guaranteeing one of those economic paradises: a captive market which guarantees repeat business. The only way to break this cycle is to seek an entity that isn't in it for money. About the only type of entity with both enough power and an ability to detach from a money motive is a state.
Re: In the last few years
I suppose this is why no country has gone the extra step to require express, explicit, and direct consent (IOW, full opt-in) in order to obtain any PID or share it anywhere outside the direct context of the site. Also why no country expressly bans requesting such PID as a requirement for the use of a site barring direct commerce (exchanging actual money for goods/services).
The service providers can simply go, "Sod this" and take their ball and go home, blocking all access to that part of the world.
Re: "Fake tape detectors..."
I can understand insertions and distortions, but you're saying these forensics can also detect cuts to existing material (in your case, cutting out the "our opponents would say"), even though nothing was added that was different from the original source material with all its background characteristics?
Re: "Fake tape detectors..."
The part at the end where "doctored" tapes are submitted with cleverly-edited audio and such.
"A common trope in a lot of drama, pirated or otherwise, is where the protagonist hands on a recording that could have been faked, or altered."
Re: Right upto the point where the Netflix exec demonstrated on camera
"They aren't using DPI, they would just use ports to identify types of traffic, so an unencrypted proxy wouldn't change anything. A proxy running on the same port Netflix sends video on would be interesting."
And if the ports are randomized? Or routed through nonstandard ports? Or wrapped in more traditional traffic like HTTP?
Re: Where's Worstall?
"But you must concede, both are on a rather different order of magnitude than things like aluminium or land."
A different order of magnitude, yes...lower. Especially time. "Your days are numbered" comes to mind. No matter how much we want to fight it, our time comes eventually, so every living thing as far as we know has a time limit. Meanwhile, how much energy can one human or one community amass in any given time period and put to practical use?
Re: The Russians are still the best evidence...
"It was a tit for tat agreement - the Russians kept schtum about the hoax Moon landings in return for the Americans not revealing that Sputnik was in fact a balloon."
But that would imply the Russkies threw the Space Race at a time when a lot of national pride was on the line in the middle of the Cold War (not to mention less than a decade after the Cuban Missile Crisis). IOW, the Soviets were competing with the Americans. If the landing was fake all the Russians had to do to deflate the Americans was to film themselves first. Why throw the race if the solution was so simple? If they pulled it off, Sputnik could be safely ignored or simply blown off as American lies.