* Posts by Adam 1

1990 posts • joined 7 May 2012

You lost your ballpoint pen, Slack? Why's your Linux version unsigned?

Adam 1
Silver badge

it's ok

I've scanned the download with CCleaner and it checks out safe.

30
0

AI slurps, learns millions of passwords to work out which ones you may use next

Adam 1
Silver badge

Re: Hashing and salt

Usually you to both. A secret string known to the server but not in the database, and a secret they is unique to each account. Your goal is to increase the cost of each guess that the bad guys need to make whilst not making your validation unfeasibly slow. They are used for protection against different attack vectors. Both will protect against a rainbow table (just a reverse dictionary measuring in GB or TB of millions or billions of hashes and the corresponding password). The power of a rainbow table is in reusability across multiple attacks and pretty much any reasonable length salt will mean that the hash won't be known up front (ie the bad guys need to invest a lot more, which is good)

A per server salt (rather per environment/application/etc) is useful because your validation logic knows that secret but it isn't in the database. That means that when the mongodb is left open to the world (don't get me started) it is still not possible to find the relation between password and hash.

A per user salt will inevitably require something accessible in the database (either encoded into the hash itself or in a field pertaining to the same field that doesn't change like username). The prime benefit of a per user hash is that if you and I use the same password because we like the same footy team or the same book (and we like most people don't follow recommended practice with password generation) then figuring out my password doesn't give away yours as it would if the hashes matched. Worse still, if my password hint gives away my password and my hash matched yours, that further weakens things. Worse again, I can find common hashes and collate all the password hints and join the dots. A per user hash solves all those.

Either way, don't roll your own scheme. Find a framework and use it. Recommended either bcrypt, scrypt or argon2 which use schemes that are much better at protecting against this and other attack vectors and generally require very little effort to implement.

1
0
Adam 1
Silver badge

Re: XKCD

> Does using dictionary words not simplify the brute force attack?

Reimagine every word as a character in your alphabet, and then the number of words used as the length. Using English and a 50,000 word dictionary and taking 5 words at random*, the number of permutations is 50,000^5 or 54 bits of entropy or roughly the same as an 9 character completely randomly selected password of mixed case and digits.

So it's well beyond brute forcible.

* That is absolutely essential for this scheme. Don't choose them manually because your brain is too predictable.

4
0
Adam 1
Silver badge

Re: Feed this

SoundingSqualidMopeAntler is both easier to remember (you probably already have) and several orders of magnitude harder to brute force than your suggestion.

As long as you choose the words randomly from a dictionary of reasonable size. Even a 5 word pattern from a very modest 10000 word dictionary gets you 1e20 possibilities, and it isn't too hard to use a 50000 dictionary. You might even learn a new word....

3
0

AWS can now bill us if you read this far. This bit will cost us, too

Adam 1
Silver badge

Shirley

... cloudflare would be taking 90+% of your traffic before it even sees AWS?

0
0

Apocalypse now: Ad biz cries foul over Apple's great AI cookie purge

Adam 1
Silver badge

Re: How many ads is too many?

Wow, what sites are you visiting? I've only got a very modest 123,830*

*On my phone. And that is connected via VPN which itself has built in as blocker.

0
0

D-Link router riddled with 0-day flaws

Adam 1
Silver badge

@alan brown

You are presenting a false choice. The contention being that because dlink were/are dicks that the security researcher isn't acting like one here. My post made it very clear in the very first sentence what my thoughts about dlink's behaviour was.

If I had criticism of the first 8, it would be that he didn't disclose them for far too long a time. But I stand by my other point on the final zero day issue dump. He has a good argument in claiming that their security patching isn't up to snuff. Dumping 8 vulnerabilities after months of inaction would have made that point very well, but on the last one he had given their or droids an out. You now watch them deflect the legitimate concerns we all have with guff about irresponsible disclosure that anyone could be the victim of.

3
7
Adam 1
Silver badge

> No, I think you missed the bit where he gave them six months to pull their fingers out on eight other vulnerabilities but they just sat there hoping he would go away.

Firstly, dlink are being dicks by not patching security vulnerabilities in a timely fashion. Nothing I say below detracts from that.

On those 8 vulnerabilities, as long as he warned them that the vulnerabilities would be publicly disclosed (not clear from my reading of TFA), he has done exactly the right thing.

On the latest one (with no vendor notice), I'm afraid to say he is being a dick. Even though past experience it would seem unlikely to receive a prompt patch, you just allow the vendor to argue that irresponsible disclosure put customers at risk, side stepping their responsibility to have a secure product and promptly patch security flaws.

7
14

Google to kill Symantec certs in Chrome 66, due in early 2018

Adam 1
Silver badge

subbie missed a trick

Symantec kicked; in Chrome 66

8
0

User demanded PC be moved to move to a sunny desk – because it needed Windows

Adam 1
Silver badge

Re: Error 524

> Can I just say how comforting it is to be mercilessly pilloried for an errant apostrophe, I would miss this site.

Can you imagine if you had accidentally used a comma instead of a question mark,

12
0
Adam 1
Silver badge

Re: Error 524

They'd love to, but they are stuck on a bunch of 418s in the kitchen.

5
0
Adam 1
Silver badge

WOW

He sounds like a right Dick!

/Mines the gown with the tie at the back.

0
0

Google rushes to curb Oreo's massive appetite for your 4G mobile data

Adam 1
Silver badge

Re: Data allowances

Your ADSL is 24? What do you live in the storeroom at the exchange? When I lived 150m from the exchange I got 22.8. Since moving it is closer to 6.

Also, that 100Mbps isn't happening when there is the slightest whiff of contention.

Also, here in the real world, 4G data allowances are sadly still a thing.

8
0

Dude who claimed he invented email is told by judge: It's safe to say you didn't invent email

Adam 1
Silver badge

Re: To speak to someone?

@just enough

Just a slight tweak:

It's almost like different forms of communication on a mobile device have different strengths and weaknesses!

Now you're clear.

0
0
Adam 1
Silver badge

Re: Where Do I Find These Lawyers

> as they invented the hyperlink

But as any fool know, the internet didn't exist until <blink />

1
0

Sub plot subplot thickens: Madsen claims hatch fumble killed Swede journo Kim Wall

Adam 1
Silver badge

Re: Scraping the bottom of the excuse bilge?

Aye sea what you did the-arrh.

8
0

Thousands of hornets swarm over innocent fire service drone

Adam 1
Silver badge

Re: "Scumbags" is understating matters

> they are quite capable of wiping out a substantial part of the ecosystem because they have no natural predators there. They really are no joke.

¿sɹǝpᴉds ɹno ɟo ǝɯos ʍoɹɹoq oʇ ǝʞᴉl noʎ plnoM

22
0

Crypto-busters reverse nearly 320 MEELLION hashed passwords

Adam 1
Silver badge

@def

I've definitely seen worse. The per user hash and thousands of rounds do prevent precomputed attacks and would certainly up the cost of any attack on your site. The hash iterations are there primarily to multiply the effort per guess (75K times in your case). That is obviously important but it is based on an assumed CPU time per iteration. You are somewhat limited in your iterations by the capacity of your own server (eg, it probably couldn't be a million iterations or your own server would be too unresponsive). And you are limited to the performance characteristics of a general purpose CPU. The attackers may rather use a GPU cluster or even an ASIC and be able to compensate for the additional rounds.

Other approaches try to max out some other resource (eg RAM). If a given guess expanded out to say 100MB then the idea of tens of thousands of parallel guesses isn't practical.

At the end of the day, use a framework. What you're doing is terrific for learning but it is so easy to stuff up (eg how random is your salt actually). I like the common password idea. We've done something similar. And minimum length is pretty much the most important metric. Mixed case/symbols/digits all simply serve to make your password hard to remember and given people use common substitutions (a/@ etc) they tend to add only limited additional security in practice)

Checkout scrypt, bcrypt or argon2 to handle password storage though rather than something bespoke. It will otherwise end in tears

Disclaimer <- I am not a security guy either

2
0

Deputy AG Rosenstein calls for law to require encryption backdoors

Adam 1
Silver badge

Re: Impossible

> it is possible to use multiple encryption programs in series (eg use 7-Zip to create a password protected Zip file then use ccrypt to encrypt the Zip file then use OpenPGP to encrypt the output from ccrypt.). Done properly there is no way of recovering the original message without knowing the keys even if one of the programs has a backdoor.

Obligatory

Also your idea whilst stopping attacks on specific ciphers does bit assist when said TLA compromises your RNG.

0
0

P≠NP proof fails, Bonn boffin admits

Adam 1
Silver badge

Re: Of course P≠NP....

The proof was much closer than it sounds though. It held for all values of N except N==1.

B+ Good effort

19
0

Some positive news: LG, Hitachi, NEC charged $65m in li-ion battery price fixing shocker

Adam 1
Silver badge

Re: Oh, yes

Jail!? But it was rogue engineers m'lord.

3
0
Adam 1
Silver badge

That's a very specific number. Do they have receipts or something?

3
0

Japanese sat tech sinks Sea Shepherd anti-whaling activists' hopes

Adam 1
Silver badge

Re: a matter of pride?

> Why do people who vaccinate their kids care about people who don't?

1. Vaccines work really well to boost your kids'immune systems to fight of some pretty horrible diseases. Really well, but not 100%. You can be vaccinated against say whooping cough but still catch it. Your odds of catching it are much much lower but not zero.

So...

2. Herd immunity means that if less your 'herd' is carrying the virus then you are even less likely to catch it, so that's nice.

3. A very small percentage of the population cannot be immunised. Consider cancer sufferers on medications that suppress the immune system. Also newborns under 6 weeks fall into this category. Their only protection really is herd immunity (newborns might get something via breast milk but it isn't enough). Some people may also be allergic to some ingredients used in the vaccine or as stabilisers or as preservatives, so take them away as well.

4. Treating the disease is massively expensive. Doctors, medications and hospital beds are a financial burden on society and it is frustrating when the majority of cases were cheaply avoidable.

5. Many of these diseases cause long term disability in the survivors and society must pick up the tab on that too. Think polio and even things like rubella can easily kill an unborn child or otherwise cause deafness and heart issues if contacted by a pregnant woman (see point 3, you can't get vaccinated whilst you are pregnant)

6. If you choose to not vaccinate and heaven forbid find yourself watching your child struggle for breath plugged into a million machines or worse, you will have to live with your decisions.

21
0

Huge Apple news CONFIRMED. Software deal with Accenture is official

Adam 1
Silver badge

WOW

> Huge Apple news CONFIRMED

El Reg finally received an invite to WWDC?

8
0

Swedish slip-up leaks hosting company's customer data

Adam 1
Silver badge

Sounds like their security was really borked!

/Mines the one with the tongs in the pocket.

2
0

Crowdfunding scheme hopes to pay legal fees for Marcus Hutchins

Adam 1
Silver badge

Re: Who is benefiting

> is unlikely because if he has a good defence he is less likely to dog on his [alleged] accomplices.

TFTFY.

You had it right in the previous paragraph but if he's innocent then he has no accomplices to which to "dog on".

20
0

Tech firms take down WireX Android botnet

Adam 1
Silver badge

> The botnet was used to launch distributed denial of service attacks by spamming out HTTP GET requests until website connections crumbled under the load

I would have thought that a slowloris DDOS would have been more effective from a mobile device and much harder to detect.

0
0
Adam 1
Silver badge

Re: Patched?

I don't imagine such a patch (for the attack vector) involves pushing anything to a phone. More likely to be patching their automated scanner for their play store with some heuristics to flag up such techniques. But criticism about the difficulty Android manufacturers seem to have in promptly providing patches is definitely warranted.

3
0

New York Police scrap 36,000 Windows smartphones

Adam 1
Silver badge

Re: iPhone?

Well now they have Jesus deciding on the phone so it makes sense. And now Cook is in charge, he doesn't need to enter into arguments over who is the Messiah.

5
1

NSA ramps up PR campaign to keep its mass spying powers

Adam 1
Silver badge

Rank amateurs

If they want public support, they are going to need to do better than "Section 702 Saves Lives, Protects the Nation and Allies". Try something a bit more personable like Slurpy McSlurpface.

1
0

WannaCrypt NHS victim Lanarkshire infected by malware again

Adam 1
Silver badge

Re: Utter Bastards

> And where the fuck are the people at GHCQ when we need them?

Er, 'bout that. Maybe you don't want to look at where the Wannacry miscreants stole that exploit from. I'm sure GCHQ would love to give them a stern talking to, just as soon as they finish handing over all the security researchers who have been assisting in other investigations.

18
0

China to identify commentards with real‑name policy

Adam 1
Silver badge

匿名懦夫

Coming soon to elreg.cn

6
0

Chrome wants to remember which Websites to silence

Adam 1
Silver badge

Re: Hallelujah

Sorry guys. We've just been so busy figuring out how to compile a list of the most visited sites out there, we haven't had the time to pop a checkbox on the options page.

3
0

Ad blocking basically doesn't exist on mobile

Adam 1
Silver badge

Re: Finally I'm the 1%

uBlock origin (for example) is on github and is GPLv3. The moment they stay any funny business will be the same moment the project gets forked. Whilst I'm sure they would appreciate your donations (and need some), the amount they actually need to survive and even thrive works out to be a very small amount by a very small percentage of users.

Asking "how does this thing make money" is never a bad idea though.

2
0

Forget trigonometry, 'cos Babylonians did it better 3,700 years ago – by counting in base 60!

Adam 1
Silver badge

Re: a reasonable builder's approximation

7 * 7 = 50, but only for sufficiently large values of 7

6
0

Node.js forks again – this time it's a war of words over anti-sex-pest codes of conduct

Adam 1
Silver badge

Re: "there are downsides to codes of conduct"

> participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation

Shirley it should include the full harassment free experience whether one pads left or right

/I'll grab my coat

10
0

El Reg gets schooled on why SSDs will NOT kill off the trusty hard drive

Adam 1
Silver badge

Re: What's in it for me?

A media server with 10TB of storage isn't mainstream. HDD will own that market for a few years. Whilst you are correct that SSD is more likely to just die without warning, you also assume there that a typical user will take action the first time they see an OS not detected press F1 message on boot or hear the click of death. Sorry, not buying it. My experience of typical users has been "oh yeah it did make a funny sound, blue screen, tell me there was no os last week, but I reboot it again and it seemed fine". Even a highly paid software engineer who I was working with (who definitely should have known better) had the click of death whilst I was checking something with her. I said that doesn't sound good. So she did absolutely nothing until a week later when it failed and she lost a day's work. So it's only an advantage if you act on it.

On price, the floor is much lower than a HDD. Whilst they can make a 32GB HDD, they can't do it at the price of the same capacity flash drive. At some point, the amount of storage that your Dell/hp whack into their desktops by default is going to be the same price point. The default purchase will then be a SSD, and you will flick to HDD if you need additional capacity. I don't think that is as far away as presented in the article.

3
0

Mozilla ponders making telemetry opt-out, 'cos hardly anyone opted in

Adam 1
Silver badge

Re: NO!

Sure. My issue isn't with being asked. It is with the behaviour when the user doesn't know the option exists. Simply, they are solving the wrong problem. Imagine that you saw the following message after an upgrade.

"We'd love your help. We think we can improve your experience/achieve peace in the Middle East/whatever if we collect information about the websites that you visit.

This is what we will gather...

This is how we will protect your privacy...

Can you help us?

* Yes, sure

* No thanks

* Busy now, ask me tomorrow

As long as Yes, sure is *not* checked by default unless you have previously opted in, I am totally happy to be asked. I will still answer No (which may well be an El Reg commentard thing), but I have no objections being asked.

4
0
Adam 1
Silver badge

NO!

Don't do it.

> because so few have opted in that it's hard for developers to get a good sample of what causes problems.

Did it occur to them that so few have opted in BECAUSE they don't want it on? If we want to be slurped we would just use chrome.

37
0

ASUS smoking hashes with 19-GPU, 24,000-core motherboard

Adam 1
Silver badge

Love how you can be down voted for asking a question that isn't answered by TFA.

A short correction to my post. It would be 35,000x faster than this (mixing up my GHs and THs). If you mention crypto currency and you aren't talking about Bitcoin, you actually need to state what you mean.

0
0
Adam 1
Silver badge

> The result? 407 megahashes per second, if the planets align

That math doesn't look right. The antminer s9 is allegedly good for 14THs (call it 35x faster for somewhere around US $2500). If we're comparing apples and apples then you are going to want a pretty special price or at least another zero in the hashes per second stakes.

0
1

Germans force Microsoft to scrap future pushy Windows 10 upgrades

Adam 1
Silver badge

sweet

Now I just need to learn German.

6
0

Speaking in Tech: I am Wink, Wink.i.am, do you dig my smart home jam?

Adam 1
Silver badge

Not sure who is writing/doodling on their papers during the recording but it is quite noticeable (eg 44 minutes in). Unless it's Greg trying to get out the boot/trunk.

0
0

Lottery-hacking sysadmin's unlucky number comes up: 25 years in the slammer

Adam 1
Silver badge

Using the time as a seed is a bad idea™ when you know the time it will be run (or at least can narrow it down to a relatively small window). It lets you rule out a whole swath of possibilities.

0
0
Adam 1
Silver badge

Shirley, his lawyer, could have got him off with a little more creativity. Your honour, my client was asked to write a function that returns a random number. This was a simple misunderstanding, nothing more.

2
0

IBM likely to close Australian data centre

Adam 1
Silver badge

> but is over 25km and an hour's drive from Sydney's central business district, and 90 minutes from its airport at peak times. ®

Or about 5 minutes drive from Castle Hill station which is opening in a year or two.

0
0

75 years ago, one Allied radar techie changed the course of WW2

Adam 1
Silver badge

I don't know. Socrates is all Greek to me.

/Sorry, I'll grab my toga*

*which you'll no doubt point is Roman rather than Greek.

3
0
Adam 1
Silver badge

"The children now love luxury; they have bad manners, contempt for authority; they show disrespect for elders and love chatter in place of exercise. Children are now tyrants, not the servants of their households. They no longer rise when elders enter the room. They contradict their parents, chatter before company, gobble up dainties at the table, cross their legs, and tyrannize their teachers."

-Socrates (469–399 B.C.)

/Now get off my lawn

31
0

Foxit PDF Reader is well and truly foxed up, but vendor won't patch

Adam 1
Silver badge

Re: dropped it a few years back

Worse. I actually enjoyed your joke, but I think there is a fundamental difference between adware, creepy tracky browsers and something that silently scans your PC to see what is installed, changes your homepage/desktop/toolbars as it sees fit. In one case it is the price* they are asking to use the software. In the other, they are not upfront.

*Whether that price represents good value is left as a judgement call on the reader.

1
0
Adam 1
Silver badge

dropped it a few years back

As soon as they started bundling spyware in their installer.

13
0

Forums

Biting the hand that feeds IT © 1998–2017