Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Comments

top

Formspring Hacked - 420,000 Password Hashes Leaked

ladadadada Re:The immediate question: (68 comments)

The parent mentioned SHA-256, not SHA-1. Your comment is true and would still be true of SHA-256.

If by "Blowfish" you actually meant "bcrypt", then yes. Blowfish is not a hashing algorithm.

more than 2 years ago
top

Anonymous Vows To Destroy Facebook

ladadadada Re:Whose fault is that? (575 comments)

See ? He's right. You have no idea why it's significant.

That was the day Jeff Goldblum proved that aliens use Macs.

more than 3 years ago
top

News Corp. Subsidiary Under Fire For Hacking Dead Girl's Voicemail

ladadadada Why is it so easy to hack into voicemail ? (251 comments)

Something that bothers me about this that I haven't seen mentioned anywhere is that "hacking" in to anyone's voicemail is far too easy to do.

Every voicemail system I have had has used a 4 digit pin to protect it. Many times it comes pre-set with the last four digits of the phone number as the pin or something simple and obvious like 0000 or 1234. As far as I know there is no company that implements throttling or lockout when too many wrong combinations are tried, meaning that using an automated dialer you could try every possible combination in around 10 hours even if you could only try one attempt every 30 seconds.

I don't know what else is required to "hack" into someone's voicemail but I'm tempted to think that if a private investigator could do it, the phone companies are not trying hard enough.

Punishing the people who have committed this crime is appropriate, but it is not sufficient to prevent the crime from being committed again.

more than 3 years ago
top

Was the Early Universe 2 Dimensional Spacetime?

ladadadada Re:The actual article (309 comments)

Thank you. Unfortunately, the paper is hidden behind the customary paywall but the abstract contains enough information to let me know that the summary here has missed the point entirely.

The universe being 1+1 and 2+1 dimensional in its past is not a new theory. You will find it in Stephen Hawking's "A brief history of time" amongst other places. The trouble with the theory has always been that we didn't know a way of testing it. These guys are proposing a way to test it. Well done to them.

more than 3 years ago
top

The Death of BCC

ladadadada Re:BCC still existed? (366 comments)

Have another read of his comment. He sent an email To: one person and Bcc: to that person's boss. The boss receives an email that does not have his email address anywhere in it. When the boss hits reply-all, the email will go to two people: the person who sent the email and the person to whom it was addressed. It was the boss who was in the Bcc field and hence when the boss hits reply, he doesn't send an email to himself.

There is no adding "everyone in by hand" because there are only two people who receive the boss's email and neither of them were in the Bcc field.

more than 3 years ago
top

Sony Gets Geohot's Hardware, But Not YouTube/Twitter User Info

ladadadada Re:Wipe from the internet? (254 comments)

No. That horse has well and truly left the stable. They don't care about the key or the software any more. The key was only useful while it was a secret.

What they want to do now is punish GeoHot in a public way so that people in the future will think of him every time they start down the path of trying to determine signing keys so they can run homebrew software or at least before publishing those keys.

Sony are thinking about the future now, not the past. The best thing for them about this is that the publicity will be exclusively on the kinds of sites frequented by the kinds of people that can find signing keys and will be largely unnoticed by the general purchasing public. If everyone who has ever heard of GeoHot boycotted Sony, Sony would barely notice. But if everyone who has the skill to find the new keys has heard of GeoHot Sony will have less to worry about.

more than 3 years ago
top

Are You Sure SHA-1+Salt Is Enough For Passwords?

ladadadada Re:Of course salt matters (409 comments)

Sorry for the wall of text I posted. To help, I'll extract just the relevant bit that answers this question.

What makes you think that can attacker that can get part-way into your system can't get the rest of the way ?

It's true that for a short while an attacker may have only got part of the way to everything he needs. He has the hashes in your scenario and does not have the source code or the salt. Are we imagining a CMS that allows raw database access and doesn't have a file browser or any upload capabilities ? I've never seen one like that. Either of those capabilities would likely allow for easy and quick privilege escalation.

Hashes are usually not exposed in a CMS and you need to have greater access such as a database connection or file system access to get to them. Although you can create a scenario in which an attacker has the hashes but nothing else, such a scenario won't happen in the real world. If anything, it would make more sense to store the password hash rather than the salt on the more secure internal box, but since they are always needed at the same time, they are always stored together.

That said, there is something to be said for separation of responsibility and least-privilege. In the real world, the extra couple of hours it takes him to get from the web admin to the shell and from the shell on to the authentication box might be just long enough for your sysadmin to notice that something is going on and respond. Your plan will not stop an attacker dead in their tracks by any means but it may slow him down enough that you don't have to tell your customers to reset their passwords.

more than 3 years ago
top

Are You Sure SHA-1+Salt Is Enough For Passwords?

ladadadada Re:Of course salt matters (409 comments)

You're absolutely right about the first part and wrong about the rest.

Any attacker that has access to your hashed passwords will have access to your source code and the salt.
How ? Unless you have exposed your database directly to the internet, he has attacked you through the web-facing part. So he knows how you created your salt because he has the source code that created it and he knows the value of the salt for any password, even if it's in a separate database, because your web application must have it in order to do authentication. If the web application can request it from the other database then so can he. If (as you suggested) the authentication is done on a separate box with a well-defined API, the attacker can happily use that API or simply continue his waltz through your system until he has access to that box as well. Well protected box ? What makes you think that can attacker that can get part-way into your system can't get the rest of the way ?

All of this effort creating a separate database, a separate authentication box, encrypting your salt or attempting to keep it secret, adding weird things like email addresses to your user's passwords and other techniques of that ilk is merely adding complexity that is entirely unnecessary.
Why ? Because you should be using an encryption scheme like bcrypt (there are other schemes that have the same properties). bcrypt allows you to artificially slow down the brute-force discovery of passwords by extending the algorithm that hashes them in the first place. If you aren't happy with attackers being able to brute-force 10,000 potential passwords per second, change the input to bcrypt when hashing the passwords so that it takes 10x as long. Now they can only do 1000 per second. In five years time when computers are 10x faster, just increase the input to bcrypt again to make it 10x slower. Brute forcing them faster would require a breakthrough in the mathematics behind cryptography. There is nothing (apart from using salt) that you mentioned above that can't be adequately achieved by stretching bcrypt out a little further.

Salt is protecting you against exactly one threat and it protects against that threat perfectly when it's random, large and stored right next to the hashed password. Nothing more is required of salt.
How large ? Well, large enough that when combined with the shortest password your system allows, a rainbow table that included every possible salt+password combination would be unfeasibly large. If your salt is any smaller then the attacker can just use a rainbow table.

more than 3 years ago
top

Espionage In Icelandic Parliament

ladadadada Re:Recovery Fairy Tales again (274 comments)

You're right, and I knew it when I wrote that post but I ignored that inkling I had that I shouldn't have included it in the list.

I posted further down the page that it is actually a good rule. It stops teenagers who think they are "good with computers" from pulling the drive apart in their bedrooms and destroying it while allowing people with clean rooms and the required expertise to still participate in a meaningful way.

more than 3 years ago
top

Espionage In Icelandic Parliament

ladadadada Re:Recovery Fairy Tales again (274 comments)

Thanks for reading the post. It always cheers me up when someone does that.

Upon thinking further about the no disassembly rule (except for qualified data recovery company or government agency), I realised that it's actually a good rule. It stops teenagers who think they are "good with computers" from pulling the drive apart in their bedrooms and destroying it. The people mentioned would have clean rooms and the required expertise.

I disagree on the publicity. I'd never heard of this challenge so it's not doing too well there for a start. But money creates headlines. I can't see a newspaper running "Data recovery company recovers data for $40" on their front page. Hell, I can't even see Slashdot putting that in idle. A million dollars would definitely get some headlines. You might be able to get away with less money. You might be better off finding a different incentive than money but the money is creating the publicity here.
The publicity argument doesn't work for government agencies either. In fact, I suspect they'd rather people think that it wasn't possible.

The other problem with publicity is that most people already believe it's possible. A successful demonstration that it is possible is rather anticlimactic because it just confirms everyone's suspicions. Making a headline out of an anticlimax is difficult. Proving that it's not possible is impossible as we know you can't prove a negative so the easy, sensational headline just won't happen.

While I'm trying to improve the challenge, two more improvements occurred to me.

1. Have the money and promotional activities put up by someone with a vested interest in the outcome. Say, a company that provides secure deletion services. Once the data is recovered, they can say "See ? You can't just use zeroes. You must use our product to delete your data."

2. Delete some "diplomatic cables" from the drive and accidentally mail it to China. Make sure that one of the cables contains information that the Chinese government would act upon in a detectable manner. (Substitute whichever state you like instead of China.)

Good luck if you do go ahead with a new challenge. I've never seen "proof" of this sort of thing and I'd love to actually see some or at least a compelling challenge that hasn't been accepted.

more than 3 years ago
top

Espionage In Icelandic Parliament

ladadadada Re:Recovery Fairy Tales again (274 comments)

There are four problems with the Great Zero Challenge that I could identify at a glance:

1. No incentive. The prize is $40. Data recovery companies charge tens of thousands to recover a drive. (Depending on how hard it is.)
2. No disassembly. Any technique that "reads residual magnetism" is going to require custom read heads and access to the platters.
3. No longer running. The challenge ended in January 2009 and only ran for one year. That blog post is from September 2008.
4. Full disclosure. This is a show-stopper. Data recovery companies guard their secret methods very closely. Those secrets are their only competitive advantage. Telling everyone how they did it for $40 ? I don't think so.

In contrast, the James Randi Paranormal Challenge has a $1,000,000 prize, only has rules that disallow cheating, has been running since 1964 and is still running. The fact that no one has passed the preliminary stage of that challenge means something

more than 3 years ago
top

Pot Grower's Privacy Challenged

ladadadada Re:OK, so I don't know the whole story... (477 comments)

Comparing legal pot growers to banks is not a fair comparison.

The money a bank has is worth pretty much the same amount to the banks and to the criminals. With a $10 note you can buy $10 worth of goods.

The pot is worth significantly more to the criminals than to the legal growers. The legal growers probably get 1/10th as much as the illegal sellers for selling the same pot. Hence the criminals will be willing to put a lot more time and effort into stealing the pot and the growers will not have as much money with which to enhance their security.

As an interesting side note: The pot stealing criminals have committed two crimes where the bank robbers have only committed one. Possessing large quantities of cash is not against the law. Possessing large quantities of pot is.

more than 3 years ago
top

Bufferbloat — the Submarine That's Sinking the Net

ladadadada Re:Concerning Boiled Frogs (525 comments)

If you put a frog in a pot of water and don't even bother boiling it, the frog will jump out anyway.

If you were to find a frog in its natural habitat where it's happy to sit all day waiting for food to drift past and boil that environment slowly, you might actually have an experiment on your hands... and an ethics committee on your tail.

Boiling a lagoon is left as an exercise for the reader.

more than 3 years ago
top

New Site Aims To Be iTunes For Exploits

ladadadada Not a bad idea at all (55 comments)

Seems like a nice easy way to make a bit of cash in your spare time without any particularly rare skills needed. Just find a vulnerability from CVE that doesn't have a corresponding Metasploit module, write a Metasploit module and put it up in Exploit Hub.

Since it's not a 0-day, there's nothing to be gained by getting an exclusive purchase so the prices will be reasonable. There's less risk of being sued too because it's not a 0-day; just a bit of code that you can use to test for an already disclosed vulnerability.

  • The company who wrote the vulnerable software will want it to put into their QA cycle to guard against regressions.
  • Anyone who writes penetration testing software will want it to integrate into their product... unless the price is higher than just having their own coders do it.
  • Penetration testers will want it in their arsenal to make sure they get the maximum coverage possible.

The "bad guys" probably won't want it. It's already known and getting patched and they'll have to rewrite it anyway because it will have an easily identifiable signature as it comes from Exploit Hub.

There will still be a market for 0-day exploits, but as the article mentions, it's a finicky market. Setting up a market for turning disclosed vulnerabilities into Metasploit modules is smart.

about 4 years ago
top

Should ISPs Cut Off Bot-infected Users?

ladadadada More problems (486 comments)

Yet another potential problem that no one seems to have mentioned yet is that of shared houses. If my flatmate has a virus (which he doesn't any more because I cleaned it off last night) then the whole house is going to be seen as "infected" and four innocent people will be cut off the internet due to the indiscretions of one person. This could be made all the worse if the person owning the infected computer is on holiday for a week.

ISPs are in a great position to significantly impact bot activity but the first adopters of this kind of policy will lose customers to more forgiving ISPs as customers get angry about being cut off, whether this anger is justified or not. ISPs will have to ease their way into this kind of policy, being very careful not to alienate their customers.

about 4 years ago
top

How Game Gimmicks Break Immersion

ladadadada Re:so true (228 comments)

WoW has two instances of this sort of thing I can think of. The first is that as a rogue, I can pick almost any lock in the game... but certain locks I have to get the right key to open. It would have been simple just to raise the lockpicking skill required for that lock high enough that no one can attain it, but they didn't. They just said "No. You need the right key."

The other one is cold weather flying. One of the four continents requires a new skill to be learned before you can fly there, even if you have learned flying already. The talent is called "Cold weather flying" but there are warm areas of the continent. There are also cold areas of other continents. It's inconsistent and, as the article talks about, it breaks the immersion in the game. It's not quite as easy a fix as the lock one, but given enough thought, I'm sure they could have come up with a way of making it work and still be consistent.

I'd love to see game developers spend more time making games better.

more than 4 years ago
top

Alberta Scientists Discover Largest-Ever Cache of Dinosaur Bones

ladadadada Re:It's not what it would seem. (154 comments)

The only sentence in that entire post I wrote myself is the first one. The rest of them are quoting Bill Hicks, the sadly departed comedian.

Although I will grant you that the reason the word "dinosaur" doesn't appear in the bible is because it hadn't been invented yet, I will not grant you that the one use of the word "behemoth" and the one mention of the word "leviathan" and the dubious references to a dragon are actually evidence that dinosaurs existed at the same time as man. If dinosaurs and man co-existed, the bible would talk about practically nothing else. They would be mentioned on every second page. There would probably be would a mention of them in the chapter about Noah for instance.

As for your assertion that I spend my days glued to Comedy Central; Bill Hicks will never be shown on Comedy Central, I have read significant parts of the bible and I don't own a TV.

more than 4 years ago
top

Alberta Scientists Discover Largest-Ever Cache of Dinosaur Bones

ladadadada Re:It's not what it would seem. (154 comments)

The good man is not a troll and was indeed quoting one of funniest comedians of our time who is also conveniently mentioned in his sig. The follow up line was:

Bill: "I think God put you here to test my faith, Dude. You actually believe that?"
Young earth creationist: "Uh huh."
Bill: "Does that trouble anyone here? The idea that God.. might be...fuckin' with our heads? I have trouble sleeping with that knowledge. Some prankster God running around: "Hu hu ho. We will see who believes in me now, ha HA.”

And now, for some more dinosaur based humour from Bill:

Bill: “You believe the world's 12 thousand years old?"
YEC: "That's right."
Bill: "Okay I got a question to ask you."
YEC: "Okay"
Bill: "It's a one word question."
YEC: "Uh huh."
Bill: "Dinosaurs."

Bill: " You know the world's 12 thousand years old and dinosaurs existed, they existed in that time, you'd think it would have been mentioned in the fucking Bible at some point. "And lo Jesus and the disciples walked to Nazareth. But the trail was blocked by a giant brontosaurus...with a splinter in his paw. And O the disciples did run a shriekin': 'What a big fucking lizard, Lord!' But Jesus was unafraid and he took the splinter from the brontosaurus's paw and the big lizard became his friend.”

more than 4 years ago
top

Developers' New Opportunity — Retailers' Open APIs

ladadadada Re:Is it just me? (45 comments)

The company I work for sells books. One of our developers created a Chrome addon in his own time that looks for ISBNs in every page you view and displays the price for the same book on our website.

No one knew that was going to happen when the API was developed. In fact, Chrome didn't even exist back then. (Although one of the other developers has made a Firefox addon and Firefox certainly did exist.) Companies just provide the API and let the developers come up with the good ideas. They don't expect anything in particular.

more than 4 years ago

Submissions

ladadadada hasn't submitted any stories.

Journals

ladadadada has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?