I've scanned the download with CCleaner and it checks out safe.
1990 posts • joined 7 May 2012
I've scanned the download with CCleaner and it checks out safe.
Usually you to both. A secret string known to the server but not in the database, and a secret they is unique to each account. Your goal is to increase the cost of each guess that the bad guys need to make whilst not making your validation unfeasibly slow. They are used for protection against different attack vectors. Both will protect against a rainbow table (just a reverse dictionary measuring in GB or TB of millions or billions of hashes and the corresponding password). The power of a rainbow table is in reusability across multiple attacks and pretty much any reasonable length salt will mean that the hash won't be known up front (ie the bad guys need to invest a lot more, which is good)
A per server salt (rather per environment/application/etc) is useful because your validation logic knows that secret but it isn't in the database. That means that when the mongodb is left open to the world (don't get me started) it is still not possible to find the relation between password and hash.
A per user salt will inevitably require something accessible in the database (either encoded into the hash itself or in a field pertaining to the same field that doesn't change like username). The prime benefit of a per user hash is that if you and I use the same password because we like the same footy team or the same book (and we like most people don't follow recommended practice with password generation) then figuring out my password doesn't give away yours as it would if the hashes matched. Worse still, if my password hint gives away my password and my hash matched yours, that further weakens things. Worse again, I can find common hashes and collate all the password hints and join the dots. A per user hash solves all those.
Either way, don't roll your own scheme. Find a framework and use it. Recommended either bcrypt, scrypt or argon2 which use schemes that are much better at protecting against this and other attack vectors and generally require very little effort to implement.
> Does using dictionary words not simplify the brute force attack?
Reimagine every word as a character in your alphabet, and then the number of words used as the length. Using English and a 50,000 word dictionary and taking 5 words at random*, the number of permutations is 50,000^5 or 54 bits of entropy or roughly the same as an 9 character completely randomly selected password of mixed case and digits.
So it's well beyond brute forcible.
* That is absolutely essential for this scheme. Don't choose them manually because your brain is too predictable.
SoundingSqualidMopeAntler is both easier to remember (you probably already have) and several orders of magnitude harder to brute force than your suggestion.
As long as you choose the words randomly from a dictionary of reasonable size. Even a 5 word pattern from a very modest 10000 word dictionary gets you 1e20 possibilities, and it isn't too hard to use a 50000 dictionary. You might even learn a new word....
... cloudflare would be taking 90+% of your traffic before it even sees AWS?
Wow, what sites are you visiting? I've only got a very modest 123,830*
*On my phone. And that is connected via VPN which itself has built in as blocker.
You are presenting a false choice. The contention being that because dlink were/are dicks that the security researcher isn't acting like one here. My post made it very clear in the very first sentence what my thoughts about dlink's behaviour was.
If I had criticism of the first 8, it would be that he didn't disclose them for far too long a time. But I stand by my other point on the final zero day issue dump. He has a good argument in claiming that their security patching isn't up to snuff. Dumping 8 vulnerabilities after months of inaction would have made that point very well, but on the last one he had given their or droids an out. You now watch them deflect the legitimate concerns we all have with guff about irresponsible disclosure that anyone could be the victim of.
> No, I think you missed the bit where he gave them six months to pull their fingers out on eight other vulnerabilities but they just sat there hoping he would go away.
Firstly, dlink are being dicks by not patching security vulnerabilities in a timely fashion. Nothing I say below detracts from that.
On those 8 vulnerabilities, as long as he warned them that the vulnerabilities would be publicly disclosed (not clear from my reading of TFA), he has done exactly the right thing.
On the latest one (with no vendor notice), I'm afraid to say he is being a dick. Even though past experience it would seem unlikely to receive a prompt patch, you just allow the vendor to argue that irresponsible disclosure put customers at risk, side stepping their responsibility to have a secure product and promptly patch security flaws.
Symantec kicked; in Chrome 66
> Can I just say how comforting it is to be mercilessly pilloried for an errant apostrophe, I would miss this site.
Can you imagine if you had accidentally used a comma instead of a question mark,
They'd love to, but they are stuck on a bunch of 418s in the kitchen.
He sounds like a right Dick!
/Mines the gown with the tie at the back.
Your ADSL is 24? What do you live in the storeroom at the exchange? When I lived 150m from the exchange I got 22.8. Since moving it is closer to 6.
Also, that 100Mbps isn't happening when there is the slightest whiff of contention.
Also, here in the real world, 4G data allowances are sadly still a thing.
Just a slight tweak:
It's almost like different forms of communication on a mobile device have different strengths and weaknesses!
Now you're clear.
> as they invented the hyperlink
But as any fool know, the internet didn't exist until <blink />
Aye sea what you did the-arrh.
> they are quite capable of wiping out a substantial part of the ecosystem because they have no natural predators there. They really are no joke.
¿sɹǝpᴉds ɹno ɟo ǝɯos ʍoɹɹoq oʇ ǝʞᴉl noʎ plnoM
I've definitely seen worse. The per user hash and thousands of rounds do prevent precomputed attacks and would certainly up the cost of any attack on your site. The hash iterations are there primarily to multiply the effort per guess (75K times in your case). That is obviously important but it is based on an assumed CPU time per iteration. You are somewhat limited in your iterations by the capacity of your own server (eg, it probably couldn't be a million iterations or your own server would be too unresponsive). And you are limited to the performance characteristics of a general purpose CPU. The attackers may rather use a GPU cluster or even an ASIC and be able to compensate for the additional rounds.
Other approaches try to max out some other resource (eg RAM). If a given guess expanded out to say 100MB then the idea of tens of thousands of parallel guesses isn't practical.
At the end of the day, use a framework. What you're doing is terrific for learning but it is so easy to stuff up (eg how random is your salt actually). I like the common password idea. We've done something similar. And minimum length is pretty much the most important metric. Mixed case/symbols/digits all simply serve to make your password hard to remember and given people use common substitutions (a/@ etc) they tend to add only limited additional security in practice)
Checkout scrypt, bcrypt or argon2 to handle password storage though rather than something bespoke. It will otherwise end in tears
Disclaimer <- I am not a security guy either
> it is possible to use multiple encryption programs in series (eg use 7-Zip to create a password protected Zip file then use ccrypt to encrypt the Zip file then use OpenPGP to encrypt the output from ccrypt.). Done properly there is no way of recovering the original message without knowing the keys even if one of the programs has a backdoor.
Also your idea whilst stopping attacks on specific ciphers does bit assist when said TLA compromises your RNG.
The proof was much closer than it sounds though. It held for all values of N except N==1.
B+ Good effort
Jail!? But it was rogue engineers m'lord.
That's a very specific number. Do they have receipts or something?
> Why do people who vaccinate their kids care about people who don't?
1. Vaccines work really well to boost your kids'immune systems to fight of some pretty horrible diseases. Really well, but not 100%. You can be vaccinated against say whooping cough but still catch it. Your odds of catching it are much much lower but not zero.
2. Herd immunity means that if less your 'herd' is carrying the virus then you are even less likely to catch it, so that's nice.
3. A very small percentage of the population cannot be immunised. Consider cancer sufferers on medications that suppress the immune system. Also newborns under 6 weeks fall into this category. Their only protection really is herd immunity (newborns might get something via breast milk but it isn't enough). Some people may also be allergic to some ingredients used in the vaccine or as stabilisers or as preservatives, so take them away as well.
4. Treating the disease is massively expensive. Doctors, medications and hospital beds are a financial burden on society and it is frustrating when the majority of cases were cheaply avoidable.
5. Many of these diseases cause long term disability in the survivors and society must pick up the tab on that too. Think polio and even things like rubella can easily kill an unborn child or otherwise cause deafness and heart issues if contacted by a pregnant woman (see point 3, you can't get vaccinated whilst you are pregnant)
6. If you choose to not vaccinate and heaven forbid find yourself watching your child struggle for breath plugged into a million machines or worse, you will have to live with your decisions.
Sounds like their security was really borked!
/Mines the one with the tongs in the pocket.
> is unlikely because if he has a good defence he is less likely to dog on his [alleged] accomplices.
You had it right in the previous paragraph but if he's innocent then he has no accomplices to which to "dog on".
I don't imagine such a patch (for the attack vector) involves pushing anything to a phone. More likely to be patching their automated scanner for their play store with some heuristics to flag up such techniques. But criticism about the difficulty Android manufacturers seem to have in promptly providing patches is definitely warranted.
Well now they have Jesus deciding on the phone so it makes sense. And now Cook is in charge, he doesn't need to enter into arguments over who is the Messiah.
If they want public support, they are going to need to do better than "Section 702 Saves Lives, Protects the Nation and Allies". Try something a bit more personable like Slurpy McSlurpface.
> And where the fuck are the people at GHCQ when we need them?
Er, 'bout that. Maybe you don't want to look at where the Wannacry miscreants stole that exploit from. I'm sure GCHQ would love to give them a stern talking to, just as soon as they finish handing over all the security researchers who have been assisting in other investigations.
Coming soon to elreg.cn
Sorry guys. We've just been so busy figuring out how to compile a list of the most visited sites out there, we haven't had the time to pop a checkbox on the options page.
uBlock origin (for example) is on github and is GPLv3. The moment they stay any funny business will be the same moment the project gets forked. Whilst I'm sure they would appreciate your donations (and need some), the amount they actually need to survive and even thrive works out to be a very small amount by a very small percentage of users.
Asking "how does this thing make money" is never a bad idea though.
7 * 7 = 50, but only for sufficiently large values of 7
> participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation
Shirley it should include the full harassment free experience whether one pads left or right
/I'll grab my coat
A media server with 10TB of storage isn't mainstream. HDD will own that market for a few years. Whilst you are correct that SSD is more likely to just die without warning, you also assume there that a typical user will take action the first time they see an OS not detected press F1 message on boot or hear the click of death. Sorry, not buying it. My experience of typical users has been "oh yeah it did make a funny sound, blue screen, tell me there was no os last week, but I reboot it again and it seemed fine". Even a highly paid software engineer who I was working with (who definitely should have known better) had the click of death whilst I was checking something with her. I said that doesn't sound good. So she did absolutely nothing until a week later when it failed and she lost a day's work. So it's only an advantage if you act on it.
On price, the floor is much lower than a HDD. Whilst they can make a 32GB HDD, they can't do it at the price of the same capacity flash drive. At some point, the amount of storage that your Dell/hp whack into their desktops by default is going to be the same price point. The default purchase will then be a SSD, and you will flick to HDD if you need additional capacity. I don't think that is as far away as presented in the article.
Sure. My issue isn't with being asked. It is with the behaviour when the user doesn't know the option exists. Simply, they are solving the wrong problem. Imagine that you saw the following message after an upgrade.
"We'd love your help. We think we can improve your experience/achieve peace in the Middle East/whatever if we collect information about the websites that you visit.
This is what we will gather...
This is how we will protect your privacy...
Can you help us?
* Yes, sure
* No thanks
* Busy now, ask me tomorrow
As long as Yes, sure is *not* checked by default unless you have previously opted in, I am totally happy to be asked. I will still answer No (which may well be an El Reg commentard thing), but I have no objections being asked.
Don't do it.
> because so few have opted in that it's hard for developers to get a good sample of what causes problems.
Did it occur to them that so few have opted in BECAUSE they don't want it on? If we want to be slurped we would just use chrome.
Love how you can be down voted for asking a question that isn't answered by TFA.
A short correction to my post. It would be 35,000x faster than this (mixing up my GHs and THs). If you mention crypto currency and you aren't talking about Bitcoin, you actually need to state what you mean.
> The result? 407 megahashes per second, if the planets align
That math doesn't look right. The antminer s9 is allegedly good for 14THs (call it 35x faster for somewhere around US $2500). If we're comparing apples and apples then you are going to want a pretty special price or at least another zero in the hashes per second stakes.
Now I just need to learn German.
Not sure who is writing/doodling on their papers during the recording but it is quite noticeable (eg 44 minutes in). Unless it's Greg trying to get out the boot/trunk.
Using the time as a seed is a bad idea™ when you know the time it will be run (or at least can narrow it down to a relatively small window). It lets you rule out a whole swath of possibilities.
> but is over 25km and an hour's drive from Sydney's central business district, and 90 minutes from its airport at peak times. ®
Or about 5 minutes drive from Castle Hill station which is opening in a year or two.
I don't know. Socrates is all Greek to me.
/Sorry, I'll grab my toga*
*which you'll no doubt point is Roman rather than Greek.
"The children now love luxury; they have bad manners, contempt for authority; they show disrespect for elders and love chatter in place of exercise. Children are now tyrants, not the servants of their households. They no longer rise when elders enter the room. They contradict their parents, chatter before company, gobble up dainties at the table, cross their legs, and tyrannize their teachers."
-Socrates (469–399 B.C.)
/Now get off my lawn
Worse. I actually enjoyed your joke, but I think there is a fundamental difference between adware, creepy tracky browsers and something that silently scans your PC to see what is installed, changes your homepage/desktop/toolbars as it sees fit. In one case it is the price* they are asking to use the software. In the other, they are not upfront.
*Whether that price represents good value is left as a judgement call on the reader.
As soon as they started bundling spyware in their installer.
Biting the hand that feeds IT © 1998–2017