* Posts by Charles 9

10819 posts • joined 10 Jun 2009

One IP address, multiple SSL sites? Beating the great IPv4 squeeze

Charles 9
Silver badge

Re: End to end is a myth

"Now IF your two machines can communicate via the ISP router then something else is happening."

Like perhaps LEOs are getting involved. Consider THAT.

0
1
Charles 9
Silver badge

Re: End to end is a myth

You don't use EVERYTHING because someone can exploit one of those somethings to get around others (to use cybersecurity parlance, pwn one layer of security and then use it to bypass others). Use ONLY what you need. Plus you have to consider that more hoops to jump irks users who reach their limits and then start creating (exploitable) shortcuts.

0
2
Charles 9
Silver badge

Re: End to end is a myth

"If they are doing that you have other problems a firewall won't protect you from."

And that alone is enough of a threat since they can be coerced by the law. Remember, trust no one.

With routing, you don't NEED to NAT. You GO AROUND it. If you really, REALLY wanted to protect your intranet, don't use NAT. Use a proxy.

PS. ISPs aren't SUPPOSED to route RFC1918 addresses, but many still do. If you take a very close look at a connection log, you'll probably run into some of them at some point.

0
2

Today's WWW is built on pillars of sand: Buggy, exploitable JavaScript libs are everywhere

Charles 9
Silver badge

Re: Perhaps

"If we just scrapped browser support for JavaScript, then created a plugin to enable rich content without the need to be downloading snippets of insecure script from untrustworthy sources."

Serious question. What do you propose as an alternative to interactive websites? Anything else you propose is likely to be holier than a wheel of Emmentaler, given we tried this approach in the past. Remember RealPlayer?

3
1

Brit infosec's greatest threat? Thug malware holding nation's devices to ransom – report

Charles 9
Silver badge

How do you do that when the manufacturer can do a fly-by-night? Or is not based in a country subject to your laws and thus has sovereign protection?

1
0

Smart guns are a neat idea on paper. They'll never survive reality

Charles 9
Silver badge

Re: over engineered

"So, if the primary purpose is to prevent a child/assailant from using your weapon. Wouldn't a simple key combination be sufficient."

Not if the child's precocious enough to figure out the combination AND keep that knowledge that he knows from his parents.

0
0
Charles 9
Silver badge

Re: @AC ... A really smart gun...

The Culture (capitalized) is a novel series by Iain M. Banks. Been writing them since 1987, and his latest is pretty recent (The Hydrogen Sonata, 2012). The title refers to a pretty loose and liberal society of the future (it's post-scarcity, so basic needs are ubiquitous and there's little real "need"). This society includes mechanical entities. Those rating at least 1.0 are considered equal to humans in status. SC refers to Special Circumstances, basically the black ops arm that deals with the most troublesome aspects of Culture-outside relations.

In The Culture, a "knife missile" is a sci-fi smart weapon. It's more than a ballistic knife that you launch and it flies forward. No, knife missiles can act on their own, float in the air, and cut very rapidly using both itself and projected force fields, among other things (equipment varies, but that's the basic function). It's an autonomous device so it's technically a citizen in the Culture. It rates well over 1.0, though, as it's designed specifically for use with Special Circumstances.

0
0

'Password rules are bullsh*t!' Stackoverflow Jeff's rage overflows

Charles 9
Silver badge

Re: Rules and Password Timeouts

ONLY five. Many have enough memory to go back at least ten, by which time you've probably lost track of your original password. And some go even further by not allowing any PARTS of an original password (blocking Password0 -> Password1 as "Password" is in both).

Like I said, there's at least a valid reason to have a change policy: to close or expose undetected breaches.

0
0
Charles 9
Silver badge

Re: We need a browser extension...

If you're forced to allow JavaScript to log onto a site, the malware writers will pwn you with a JavaScript injection attack. Increasing numbers of people want future HTML to be LESS rather than MORE complicated: more passive, with media tasks shunted back to dedicated apps.

"This scheme does _not_ protect against other hazards; hackers can, for example, intercept the hashed password and send it to log into that particular site (i.e., you still need HTTPS) and can keylog, shoulder-surf, etc. I don't see any panaceas. You need complex passwords, salted and hashed so they can't be easily deciphered, limits on how many password attempts are allowed in a particular time interval, 2FA, and HTTPS... even though no one or two of these alone are sufficient."

Except if you make things TOO complicated, you force people to create shortcuts that malcontents can exploit. You need a solution that's strong enough to block anything short of an insider or state yet simple enough that even the dullest drone can and will do it nigh-automatically.

0
0
Charles 9
Silver badge

Re: We need a browser extension...

Like hackers simply attack the extension. Hackers already attack the browsers directly.

0
0
Charles 9
Silver badge

Unless, of course, they downloaded the password database and are cracking it in their own machines, much like a robber managing to take the whole safe with them.

1
1
Charles 9
Silver badge

Re: Can someone please point this out to tucows/openSRS

Um, how else can they deal with unknown hacked accounts, then? Forced password changes either close those doors (the hacked details aren't valid anymore) or draw them into the open (because the hacker is forced to change the particulars and the real user gets locked out).

0
3
Charles 9
Silver badge

Re: War Games is fake...

"I tell people get something like a verse from your favorite song, favorite bible verse, something a comedian said like "why do you have a hot water heater, you need a cold water heater". Get the point."

Now try repeating that about 100 times or so because you need a different one for EACH site, or when ONE site gets hacked, ALL the ones that used the same password are fair game. And you also have to deal with people with poor memories.

"Remember the hacker unlike War Games does not know anything about the password, including the key and that it was base64 encoded."

But he may know enough about you to find ways to get at that password, perhaps by hacking your home machine or other stuff.

2
1
Charles 9
Silver badge

Re: Users confuse complexity with entropy, no?

With a little practice, I'd say less than ten seconds. Longer if there are caps and punctuation.

0
0
Charles 9
Silver badge

Re: I believe...

Oh, so hackers figure it out, start posing as you, and either slander your image or engage in social engineering attacks?

1
2
Charles 9
Silver badge

Re: 99 ice cream loving honeybadgers ate my hamster!

No, poor memory. As in "CorrectHorseBatteryStaple" turns into "DonkeyEnginePaperclipWrong" one day and "CrankMaybePinMule" the next. Some people's memories are THAT bad (or worse, you have to keep telling them THE SAME THING every single day).

3
3
Charles 9
Silver badge

Re: Why does anybody treat passwords as ASCII FFS

If they set up a keylogger, they can just record the strokes no matter how obscure they are.

0
1
Charles 9
Silver badge

Re: It's 2017 - use FIDO U2F

And what if you lose THAT?

0
1
Charles 9
Silver badge

Re: @Charles 9

"If you haven't already guessed, I use those questions as another layer of password, don't answer them correctly, and keep them in a file like I do the passwords themselves and other data like the account name or whatever."

So what happens WHEN (not if) they pwn your local machine with a drive-by and steal your special file?

0
1
Charles 9
Silver badge

Re: Users confuse complexity with entropy, no?

Except people will just keep using the same one because trying to remember a bunch of them will have people trying to remember correcthorsebatterystaple and instead recall donkeyenginepaperclipwrong. Our memories get muddled and we mess up.

3
3
Charles 9
Silver badge

Re: Personally I find it really annoying when..

Most people don't provide fake information. Some even verify it or record your IP which can be enough of a clue to get more information.

0
4
Charles 9
Silver badge

Even the best encryption in the world is useless if you just wait until it's DEcrypted as a matter of course.

0
3
Charles 9
Silver badge

Re: Files as passwords

The hackers ALREADY have the solution for that: they hack your LIVE session, meaning they get the envelope while it's open. That's the current most-intractable problem with encrypted content: it must be DEcrypted to be useful; hackers just wait until then. The only way around that is to have crypto-chips in our brains a la Ghost in the Shell, and I think Shirow Masamune's timetable for that world was all too optimistic.

0
2
Charles 9
Silver badge

Re: He has a point, but also contradicts himself

Then we're at an impasse because he's saying that anything LESS is crackable within reasonable time. Basically, combining your statement and his, the MINIMUM reasonable standard for security is BEYOND the capability of the average human. Meaning we're basically screwed. And as the saying goes, the hackers only have to be lucky ONCE. That one entry lets them gain enough information to hack other accounts and go from there.

3
0
Charles 9
Silver badge

Re: Human versus machine input

I don't think that will work, either, as the hackers will simply find faster ways to do the hashes. It's basically an intractable siege problem: the besiegers always have the edge against the besieged because the former isn't locked down.

1
0
Charles 9
Silver badge

Re: It only makes it easier to crack...

"We need to give up trying to make people to care about password strength for stupid stuff like online forums. They don't. They shouldn't. Stress that it only matters for really important stuff like online banking, and to stop caring if your Twitter account password is insecure unless you have hundreds of thousands of followers."

You forget that hackers can break into the weak stuff to glean information to use in social engineering attacks to get at the stronger sites. IOW, weak passwords of any sort become gateways. So you must treat the most innocuous site just as much as your most secure one since one can open the way to the other, making the strongest site only as strong as the weakest one.

8
5
Charles 9
Silver badge

Re: 99 ice cream loving honeybadgers ate my hamster!

"This might look like a random title for a comment on this story, but it is an example of a memorable password that I made up for a comment on the story Human memory, or the lack of it, is the biggest security bug on the 'net. Even though I only wrote it once, and that was over a month ago, I can still remember it (though admittedly it is probably too long to be a sensible password)"

Good for you. What about those with POOR memories, or who have to go through hundreds of them in a given month?

5
3
Charles 9
Silver badge

"Yes, anything you care about should be protected by a strong 2nd factor - but it's supposed to be precisely that a second factor. Something you know, and something you have. So the password is still very relevant."

But what if you don't HAVE a second factor: not even a cell phone, because you keep LOSING things? Or you don't trust cell phones? And as for those fobs, what was that RSA hack about again?

1
1

A webcam is not so much a leering eye as the barrel of a gun

Charles 9
Silver badge

Re: Black tape for the mic?

"With respect to the mic, just don't talk to yourself - I know it's hard but you could try."

Not really. Many of us do it on reflex: SUBconsciously, meaning we talk without even realizing we're talking. And what about people who talk in their sleep but have to keep their computers on for overnight jobs?

0
0
Charles 9
Silver badge
Joke

Re: So many options

No because I normally also kick ass. Problem is I usually run out of bubblegum beforehand.

1
0

Most of 2016's holes had fixes the day we knew about 'em. Did we patch? Did we @£$%

Charles 9
Silver badge

Re: Not a Member of the Monoculture

And even that isn't always sufficient if recent government leaks are any indication, as it seems clear states covet zero-days for any and all OS's in operation.

0
0
Charles 9
Silver badge

Re: Why do we patch, or not?

But it's NOT chuckle-worthy. If it's eat a moose turd pie or DIE, guess what happens?

0
1
Charles 9
Silver badge

Re: Why do we patch, or not?

Offer an EMACIATED starving man a moose-turd pie and watch him scarf it down. If you can't be sure of your next meal, anything to stave off starvation. You see it all the time in animals.

0
1

Sad fact of the day: Most people still don't know how to protect themselves online

Charles 9
Silver badge

Re: online security

"Only when they are prepared and would like to take the extra steps to protect themselves online that we introduce security practice. Otherwise, there's no privacy. You normal people didn't put the effort into getting it. Deal with it."

What if no effort that can be exerted by man is sufficient. What if this is the Global Village now where everything can be read by everyone, even if it was ten years ago, and there's nothing you can do to stop it?

Owen Bytheway, this is stretching beyond the Internet, too. Ubiquitous cameras, microphones, aerial and satellite surveillance that's increasingly able to see through things. Heck, even the idea of "dead drops" is becoming riskier because there's always a chance (and growing) someone or something's there to observe the drops, linking you to it. Let's see you try to keep your privacy in THIS.

0
0
Charles 9
Silver badge

"With the threats consumers face growing everyday, I don't see how encrypting everything can be avoided. It's the only thing that provides the most basic level of security."

Until you realize you can be pwned on the hardware that would be needed to do the encryption. Imagine pwned CPUs, network chips, etc. And the level of technical knowledge (not to mention real, legitimate patents) needed to roll your own silicon puts you in No Man's Land. The ONLY people capable of building the chips that run your machine aren't trustworthy. Heck, even beyond computers, can you trust your letter carriers, postal employees, and so on? Heck, remember village gossips?

Let's face it. Privacy as we know it was a fleeting thing to begin with. And now the global village has caught up.

0
1
Charles 9
Silver badge

Re: Not that surprising...

"The article does give one good piece of advice: keep everything updated. No matter what type of device, OS or applications, keep applying the updates (and ignore those saying to stick with older OS versions)."

But what happens when the updates cripple functions, install spyware, or (worst case) are hijacked and are used to install malware instead?

6
0

'Jarvis' brings AI to the Linux command line, without Iron Man

Charles 9
Silver badge

How long before BAD USB is improved to attack USG as well?

0
0

Family of technician slain by factory robot sues everyone involved

Charles 9
Silver badge

And then the complaints will start flying when those kill switches trigger spontaneously...

0
0
Charles 9
Silver badge

"Taken to the extreme logical conclusion, yes, there'll be a few families who own everything and everything will be 100% automated. So who is left to buy the products and keep the super rich rich?"

Each other. As long as there are at least two such families and each can provide something the other can't, there can be an agreement between them.

Otherwise, the families become self-sufficient and don't need anyone else. Their robots will be strictly for themselves and they won't need to engage in commerce anymore.

0
1

If you bought a dildo in Denver, the government must legally be told

Charles 9
Silver badge

Re: Sigh

No, they'll be worse. And note this entry was posted AFTER Inauguration Day, so there actually IS an Administration in place. AND in many ways it's worse than anticipated.

0
0

FCC under fire for trying to ditch cybersecurity

Charles 9
Silver badge

Except they're ALL we have to work with. Of 535 congresspeople there's (what?) one or two independents in there (and they caucus with the Democrats in any event)? And the whole election system's rigged so badly we'd sooner have a coup d'etat than a peaceful changeover of power to a third party.

Basically, we have to cut this tree down, but the only tools at our disposal are a length of cheap rope and a plastic toy saw. What do we do?

3
0
Charles 9
Silver badge

Then the Democrats simply need to play one of the Republicans' own cards against them. Make the whole deal into a "with us or against us" up-or-down kind of deal, perhaps by adding a sense of urgency or a threat of a Cyber 9/11 so that any attempt to forestall or delay would be painted as itself threatening national security and just as bad as a "no" vote.

This kind of tactic is one reason Republicans are having trouble replacing Obamacare: because it's way too easy for Democrats to cite explicit cases of people who literally depend on Obamacare just to live. Take away Obamacare and people DIE...which won't sit well come midterms (plus there's the risk a law on the books will allow bereaved families to SUE).

0
0

Force employees to take DNA tests for bosses? We've got a new law to make that happen, beam House Republicans

Charles 9
Silver badge

Re: I'll pay the extra.

That assumes you get a choice in the matter...

6
3
Charles 9
Silver badge

Re: Won't past muster.

HIPAA is non-waivable much as ADA isn't, but this Act will create loopholes.

3
0
Charles 9
Silver badge

"Remind me again - the Republicans are the party that believes an individual should be free to live their life without interference from the state?"

And they're REMOVING state interference. They're doing nothing about PRIVATE interference, though.

6
2

MAC randomization: A massive failure that leaves iPhones, Android mobes open to tracking

Charles 9
Silver badge

Re: MAC address changes are pointless because

And is that why RTS can't lie, because at some point the AP has to know the real MAC and there's no way in the spec to prevent it asking early?

0
0
Charles 9
Silver badge

While even a class A network has the same 24-bit subnet limit, consider the Birthday Problem.

1
0
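The Birthday Problem the comment above alludes to, worked through as an added example (not part of the thread): if only the 24 NIC-specific bits of a randomized MAC vary, how many devices on one network before two are likely to pick the same address, and how that compares with the 46 bits a fully randomized locally administered unicast MAC leaves free. It assumes every device draws its address independently and uniformly from the stated space; the constants and function names are the example's own.

```python
import math

# Assumption for this example: addresses are drawn uniformly at random.
MAC_24BIT = 2 ** 24   # only the NIC-specific half of the address varies
MAC_46BIT = 2 ** 46   # whole address random, minus the fixed I/G and U/L bits


def collision_probability(n, space=MAC_24BIT):
    """Exact probability that at least two of n devices pick the same address.

    Multiplies (1 - i/space) for i = 0..n-1 in log space so the product does
    not underflow for large n.
    """
    if n > space:
        return 1.0          # pigeonhole: a collision is certain
    log_no_collision = sum(math.log1p(-i / space) for i in range(n))
    return 1.0 - math.exp(log_no_collision)


def approx_collision_probability(n, space=MAC_24BIT):
    """Standard birthday approximation 1 - exp(-n(n-1) / (2*space))."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * space))


def approx_devices_for_probability(p, space=MAC_24BIT):
    """Closed-form inverse of the approximation: smallest n with P >= p."""
    # solve n(n-1)/2 = -space * ln(1-p) for n and round up
    return math.ceil((1 + math.sqrt(1 - 8.0 * space * math.log1p(-p))) / 2)


def devices_for_probability(p, space=MAC_24BIT):
    """Exact smallest number of devices at which the collision chance reaches p.

    Walks n upward reusing the running log-product, so the cost is O(n); fine
    for the 24-bit space, too slow for 46 bits (use the approximation there).
    """
    log_no_collision = 0.0
    n = 1
    while True:
        # the n-th device must avoid the n-1 addresses already in use
        log_no_collision += math.log1p(-(n - 1) / space)
        if 1.0 - math.exp(log_no_collision) >= p:
            return n
        n += 1


if __name__ == "__main__":
    n24 = devices_for_probability(0.5)
    print(f"24-bit space: 50% collision chance at {n24} devices "
          f"(exact {collision_probability(n24):.4f}, "
          f"approx {approx_collision_probability(n24):.4f})")
    n46 = approx_devices_for_probability(0.5, MAC_46BIT)
    print(f"46-bit space: roughly {n46:,} devices for the same 50% chance")
```

A few thousand clients is a single busy venue, so a 24-bit random field alone is not enough to keep addresses from colliding, let alone to keep a tracker from matching them across visits.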
Charles 9
Silver badge

Is there a reason RTS isn't spoofed? Is there some requirement for this in wireless certification?

0
0

Sir Tim Berners-Lee refuses to be King Canute, approves DRM as Web standard

Charles 9
Silver badge

"I remember Adobe giving away Photoshop with breakfast cereals (almost) to ensure their market share and put down Digital Darkroom. IT doesn't seem to have done them any harm."

Are we talking the same Adobe whose key software is now subscribed instead of sold? Much like Office is now subscribed instead of sold? Sounds like what I've said: a movement from selling to leasing.

0
0
Charles 9
Silver badge

"The only way it could work is if the content delivery company encrypts a video feed to a secure monitor and that is not going to happen."

Have you tried looking up HDCP 2.0? The requirements for 4K BluRay players? Both require end-to-end encryption (from player to monitor), and PCs are completely locked out of this loop (exactly BECAUSE users have control of them). Plus, last I checked, trying to capture a raw 4Kx2K screen in realtime involves a pretty intense amount of bandwidth.

0
0
