Domain: grc.com
Stories and comments across the archive that link to grc.com.
Comments · 905
-
Re:Stop limiting password length
Steve Gibson from the Security Now podcast did a lot of work in this arena and found that the password "D0g....................." is harder to break than the password "PrXyc.N(n4k77#L!eVdAfp9". He makes this very clear in his password haystack reference guide and tester: "Once an exhaustive password search begins, the most important factor is password length!"
-
Haystack
https://www.grc.com/haystack.htm has an interesting approach.
Which of these: D0g..................... or PrXyc.N(n4k77#L!eVdAfp9 is the more secure?
-
Re:SpinRite is overrated and obsolete
When I say "early versions of Spinrite", I was talking about SpinRite 1.0 through 3.1. The whole "sector interleave" concept Steve Gibson was playing with in the late 80's seemed to usefully revive things on ancient MFM/RLL drives that no other utility would handle. I'm not sure exactly when those were above and below INT13, but you can see in the history document he was trumpeting operation below the BIOS in the 3.1 release. But any capabilities like that stopped being feasible for anything still working well over 10 years ago, and surely the later versions only do INT13 level work. Gibson built up a lot of goodwill in the industry from his work in the late 80's and early 90's, which he has shamefully kept milking to this day.
-
Re:Shortage of Critical Component drives down mark
SpinRite is the tool I'd try to use recover from more serious errors, especially from really old drives.
2nd on GetDataBack - have had success with it too. If the drive doesn't spin and the data is worth over $2000, try Kroll Ontrack. Physical drive surgery is expensive, but sometimes works on what you'd think was impossible.
-
Re:IPv6
NAT allows devices behind the wall to be addressed by port, sharing a single IP address. At an extreme you could have 65535 addressable devices behind a NAT firewall, exposed to the public internet as one IP address.
In most cases, NAT allows multiple clients behind the address translation, but does not necessarily allow multiple servers, since each service typically can handle only one or a few ports. For instance, how many ftp servers or http servers can you have behind a NAT router? Hint: it's not a large number.
Here's another example of where NAT breaks down: to access our work VPN from home, you connect to an outside box, which sends a token to a third box. That third box then sends an unsolicited packet on port 500/ISAKMP to the IP of the first box. With NAT, the router cannot know where to send this unsolicited packet, since it is sent to the router's IP address. We have to designate a particular internal node as the recipient for unsolicited port 500 packets, and then it works - for that machine. Here's the rub: we have two PCs which we'd sometimes like to connect to the VPN simultaneously (my wife works for the same employer as me), but NAT allows only one to do so at a time, so NAT breaks this function. Port 500 is the standard port used for key exchange in secure VPNs.
-
Re:obvious choices
Yet this particular combination of features was not industry-wide before the iPhone. And indeed, the iPhone was widely derided at introduction for these features. Multiple pundits predicted that a phone without numerous hard buttons was doomed to failure, while the notion that there was a potential large mass market for any kind of tablet was pretty much universally derided, the conventional wisdom being that consumers much preferred netbooks. But now, all of this is "obvious" and it's virtually impossible for anybody to imagine any other way of designing such devices.
Perhaps the courts will decide that our patent laws do not in fact protect the risky design choices that Apple made in defiance of conventional wisdom, choices that have already greatly enriched the options available to consumers. But is that really a good thing? Would it really be such a terrible thing if companies that had the courage to challenge the conventional wisdom in ways that seem "obvious" only in retrospect were encouraged by a limited-duration protection against imitation?
-
Defeating Evil #5
Evil #5 includes domain name servers (DNSs) that redirect you to a commercial site when you have requested a non-existent domain. My ISP is Road Runner, whose DNSs do this.
I use GRC's DNS Benchmark to find publicly-accessible DNSs that do not do this, that have quick responses, and that have low error rates. I then change my Internet settings to use those DNSs. I rerun DNS Benchmark about once or twice each month, updating which DNSs I use. These reruns are necessary because the quality of DNSs -- timing and error rates -- is not constant; it varies with time.
See DNS Benchmark at http://www.grc.com/dns/benchmark.htm.
-
Re:Don't connect them to the internet and use ROM
Just because your code is in ROM doesn't mean you can't be hacked. Your stack is still in RAM. If you can find one little exploit that lets you put as little as, say, 12 bytes onto the stack, if you know everything that's in the ROM, you could repurpose the existing ROM code to do whatever you wanted by calling the tail ends of existing functions.
On that link, search forward for "Because they knew this was a voting machine, security was paramount. They made it so that it was impossible to execute code from RAM. They thought, there's no way, there's no reason that anyone has a legitimate reason for executing code from RAM" and read from there. Yes, it's long. Get the MP3 if you'd rather listen.
-
Gibson's Password Haystacks
I changed my passwords according to Steve Gibson's new paradigm of password haystacking. The basic idea is that you start with a short, non-dictionary but still memorable base and then increase the length with padding that is memorable to you. The concept is based on the fact that length trumps entropy when defending against a brute force attack, and that simple length is just as effective as complex length as long as the entire password doesn't appear in a dictionary. He made a page dedicated to the concept, it's worth taking a look at.
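The haystack comparison from this comment and the earlier one ("D0g....................." versus "PrXyc.N(n4k77#L!eVdAfp9") worked through in code. This is an added example, not code from GRC or from the commenters; the class sizes (26 lowercase, 26 uppercase, 10 digits, 33 symbols) follow the haystack page, while the run-collapsing guesser is my own assumption, included to show where "length trumps entropy" stops holding once an attacker's wordlist includes base words plus repeated padding.

```python
import math
import string

# Character classes as the GRC haystack page counts them: 26 lowercase,
# 26 uppercase, 10 digits and 33 printable ASCII symbols (space included).
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)

# The two passwords quoted in the comments; the padded one is the haystack
# page's 24-character example (three characters followed by 21 dots).
PADDED = "D0g" + "." * 21
COMPLEX = "PrXyc.N(n4k77#L!eVdAfp9"


def alphabet_size(password):
    """Alphabet an exhaustive search must cover: the sizes of every class that
    appears in the password, summed. One symbol forces all 33 into play."""
    return sum(size for chars, size in CLASSES
               if any(c in chars for c in password))


def search_space(password, length=None):
    """Candidates an exhaustive search must cover for every password up to
    `length` over this alphabet: the sum of A^k for k = 1..length. This is
    how the haystack page sizes the haystack."""
    a = alphabet_size(password)
    n = len(password) if length is None else length
    return sum(a ** k for k in range(1, n + 1))


def collapse_runs(password):
    """Collapse runs of one repeated character ('.....' -> '.').

    Constructed, deliberately simple stand-in for a guesser whose wordlist
    includes base strings plus repeated-character padding. It is an
    assumption for this example, not a model taken from the haystack page."""
    out = []
    for c in password:
        if not out or out[-1] != c:
            out.append(c)
    return "".join(out)


def bits(space):
    """Express a search space in bits so the two models are comparable."""
    return math.log2(space)


def compare(a, b):
    """Bits of search space for both passwords under the haystack model
    (exhaustive search) and under the run-collapsing guesser."""
    return {
        "exhaustive_a": bits(search_space(a)),
        "exhaustive_b": bits(search_space(b)),
        "pattern_aware_a": bits(search_space(a, len(collapse_runs(a)))),
        "pattern_aware_b": bits(search_space(b, len(collapse_runs(b)))),
    }


if __name__ == "__main__":
    # The padded password wins under exhaustive search (one more character
    # over a 95-symbol alphabet) and loses badly once padding is guessable.
    for name, value in compare(PADDED, COMPLEX).items():
        print(f"{name:16s} {value:7.2f} bits")
```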
-
Password Length
You should check out gibson research's page on password lengths, its over at http://www.grc.com/haystack.htm it's a good read.
-
Re:So What?
Solution: Make a stronger password.
-
Old News, But Raises An Important Subject
This is interesting, but the premise of the story is old news. There were reports on this when the White House report came out close to two weeks ago. Some relevant quotes: Countries "have an inherent right to self-defense that may be triggered by certain aggressive acts in cyberspace ... When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country." http://joshuaphilipp.com/2011/05/us-faces-a-long-road-in-implementing-new-cyberstrategies/
Also, the Chinese regime openly announced its cyberwarfare command back in July 2010, and its cyberwarfare units have been known about since as early as 2003. A relevant quote: "The stated missions of the new cyber base appear to complement the PLA's information warfare (IW) units, which the PLA has been developing since at least 2003. The PLA's IW strategy was largely spearheaded by Major General Dai Qingmin, then-director of the PLA's electronic warfare department (Fourth Department), who advocated a comprehensive information warfare effort (Wall Street Journal, November 1, 2009)." http://www.jamestown.org/single/?no_cache=1&tx_ttnews%5Btt_news%5D=36658&tx_ttnews%5BbackPid%5D=7&cHash=4b1746fecc
Adding to this though, it will be interesting to see how much the U.S. actually enforces its new cyberstrategy, given that government networks and critical infrastructure are almost constantly hit with cyberattacks from state actors. Back in 2007, Netwarcom was already saying cyber conflicts with China were already at the level of "campaign-style, force-on-force engagement." http://www.grc.com/sn/files/FCW_on_%20Cyber_Warefare.pdf
-
Best explanation: SN 287
When this came up a couple of days ago I didn't see anyone link to this for some reason (or I missed it).
The podcast called Security Now featuring Leo Laporte and Steve Gibson (famous for the "Shields Up!" web page) dedicated episode 287 entirely to bitcoin.
I thought Steve gave an incredibly well thought out, clear, concise explanation of what bitcoin is and why it is apparently impossible to "game" the system in any way. The following episode (288) was the "listener feedback" episode with many listeners expressing doubt and even more excellent explanations from Steve.
Here are the convenient transcripts of these episodes, linked here in the hopes perhaps it will be useful to the slashdot community.
http://www.grc.com/sn/sn-287.htm - main episode
http://www.grc.com/sn/sn-288.htm - Q-and-A episode
In my mind if Steve says it's trustworthy and not a scam, that's good enough for me. But then I've listened to all 300+ episodes and am a big fan so I may be biased.
In fact there was a spike in use after the SN bitcoin episode. It may be wholly or partially due to Steve's apparent endorsement (he says he's going to make his software purchasable via bitcoin).
-
-
Re:How does it actually work?
Excellent explanation of BitCoin on Steve Gibson's Security Now Podcast, episode 287 from February 10 2011.
He details how it works from end to end, how they get round the issue of GPU farms and lots more.
PDF Transcript: Security Now Episode #287 - 10 Feb 2011 - BitCoin CryptoCurrency (pdf) (115k) - Starting on page 10
TXT Transcript: Security Now Episode #287 - 10 Feb 2011 - BitCoin CryptoCurrency (.txt)(63k) look about halfway down.
High quality audio Security Now Episode #287 - 10 Feb 2011 - 61 min. BitCoin CryptoCurrency (.mp3)(9.9MB)
Low quality audio: Security Now Episode #287 - 10 Feb 2011 - 61 min. BitCoin CryptoCurrency (.mp3)(40MB)
-
Headline Edit
LastPass Password Service may have been Hacked.
This is a good story, but the story isn't that they were definitely hacked. It's entirely possible that the anomalous data transfers they mentioned were caused by internal testing and not properly documented, based on the limited information we have available.
Here is a transcript wherein Steve Gibson talks at length about why LastPass is secure.
-
Re:What use for a BD-ROM or BD-R drive?
Er, "From:" should read "From http://www.grc.com/sn/SN-074.htm:"
As for why stuff about this is not readily found, there was a huge crapstorm way back when Vista was in development and after it was released, particularly due to the driver signing thing and the hardware tilt bit thing. And then after Vista was released, people had lots of problems actually viewing HD content because of unsigned drivers and things like no HDCP to their new monitor or their fancy new video card not supporting HDCP. And then I believe some part of the network stack slowed down [more than an order of magnitude] when playing premium content [not a big deal playing video, but it also happened when playing copy-protected audio, so no surfing while listening to music!].
But MS has a long history of rewriting its past, where it changes directions, and their previous direction can no longer be found.
-
Changing DNS Servers Helps Too...
I was a Mediacom subscriber for years and recently switched to Centurylink which is just as bad, if not worse, on 404 redirects. The solution: changing DNS servers. Many options are available here and some even offer filtering for sites that are known to host viruses and even pron. A great little benchmarking utility is available at http://www.grc.com/dns/benchmark.htm that can offer many options and show you just how crappy your ISP's DNS server can be.
-
BitCoin on Security Now
Security Now podcast episode #287 was entirely on the BitCoin system, and how well designed it is.
-
It was the portable dog killer!
-
Re:Good advice - Always use your ISP for DNS
Why use your ISP for DNS? Chances are their servers suck, and they will insert spam links for failed resolutions to add insult to injury for their horrible service. Find a server that is 1) geographically close and 2) measurably performs well. I personally use this tool for locating a DNS server that measurably works well with my connection: http://www.grc.com/dns/benchmark.htm .
-
Re:Bad Programming is the weak link in Online Sec.
A good application wouldn't allow a user to create a "weak" password. It would check that it had X character, a few upper cases, some symbols, some numbers
Because Abc123. is a great password? And users will never write down complex hard to remember passwords that they have to change frequently?
Trying to make up for a poor authentication method by externalizing a burden upon users of the software is bad design. Kind of like the plumber who designed your house's piping saying... "Oh, by the way, make sure to always keep a pan under this sink and periodically dump it outside. Otherwise it will fill up with water seeping from the sink's drain pipe."
And then somehow claiming when the pan overflows that it's the user's fault, not bad plumbing.
I would suggest you go read So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. and listen to Security Now, Episode #229
it would also disable the account after the user failed to enter the password a few times, completely eliminating the ability to brute force the passwords.
Because legitimate users always remember their strong passwords perfectly and never typo their strong password a few times?
Because bad guys never take advantage of account lockout mechanisms to annoy the legitimate user?
-
Re:Old news
Steve Gibson covered this over 3 years ago. https://www.grc.com/sn/sn-082.htm
I'm pretty sure that I've seen this same exact story posted on Slashdot a couple times in the past as well. I'm just not motivated enough to look for it.
OMG!!! Look out!!! Your already-past-end-of-life-OS has something we don't like about it!!! Like, Microsoft should really, like, you know, release a newer OS, like, and stuff. Doh!!
-
Re:Old news
Steve Gibson covered this over 3 years ago. https://www.grc.com/sn/sn-082.htm
...which invariably means it was old news 3 years ago.
-
Old news
Steve Gibson covered this over 3 years ago. https://www.grc.com/sn/sn-082.htm
-
Re:Internet security, nightmare mode
Generate a unique 63-random-ASCII-character password with https://www.grc.com/passwords.htm for EVERYTHING
I shall use a web site to generate my password? How do I know I can trust them? And why is this better than just base64-encoding 48 bytes from /dev/random?
-
Too bad, it's a great conversion tool.
Converting anyone who listened to this podcast from Windows to Linux, that is.
-
There is an easier way...
Start using LastPass. Pick a single, strong password for it and then let it auto generate and remember all your passwords. It is a robust and secure system and you are not entrusting your secrets to anyone - all the encryption is done client-side and LastPass themselves are only storing ciphertext.
A full security analysis and examination of its capabilities can be found here:
-
Re:For the rest of us...
here is a tool that lets you figure out which are the best DNS servers to use for your internet connection.
-
Re:GM
Human synthesis of Vitamin D precursors is highly insufficient unless you want to sunbathe enough to get a serious risk of skin cancer. You can read all about it at GRC's website.
For a typical office dweller, you should shelve photosynthesis of Vit. D precursors as an impractical-to-exploit curiosity. Make sure you get Vit. D in your diet, or take supplements. And get tested for serum levels of 25-hydroxyvitamin D.
Here's the fine citation from Holick's NEJM article
[...] it has been estimated that 1 billion people worldwide have vitamin D deficiency or insufficiency. According to several studies, 40 to 100% of U.S. and European elderly men and women still living in the community (not in nursing homes) are deficient in vitamin D. More than 50% of postmenopausal women taking medication for osteoporosis had suboptimal levels of 25-hydroxyvitamin D — below 30 ng per milliliter (75 nmol per liter).
Children and young adults are also potentially at high risk for vitamin D deficiency. For example, 52% of Hispanic and black adolescents in a study in Boston and 48% of white preadolescent girls in a study in Maine had 25-hydroxyvitamin D levels below 20 ng per milliliter. In other studies, at the end of the winter, 42% of 15- to 49-year-old black girls and women throughout the United States had 25-hydroxyvitamin D levels below 20 ng per milliliter, and 32% of healthy students, physicians, and residents at a Boston hospital were found to be vitamin D–deficient, despite drinking a glass of milk and taking a multivitamin daily and eating salmon at least once a week.
In all likelihood, you are vitamin D deficient, your health may be suffering for it. This includes mental health!
-
If you have some time...
listen to (or read the transcript) of Security Now episode #293 http://www.grc.com/securitynow.htm#243 . The discussion goes into detail about how governments can compel CAs to issue intermediate level CA certs, and the implications of doing so.
-
Temporary fix link
I haven't seen anyone link to Microsoft's temporary fix yet. Essentially you modify the registry to disable the hcp: protocol by deleting the relevant key (they also advise you to export the relevant bit of the registry so you can restore it later, presumably after a real fix is available). Steve Gibson uses the approach of simply renaming the relevant key, although I wonder if that would still be vulnerable to some kind of fuzzing attack. I suppose if you rename it to a key that is really long, it is less likely to be an issue.
One question I haven't fully answered yet is what is actually lost if the hcp: protocol is disabled. The Microsoft advisory says this:
"Impact of Workaround: Unregistering the HCP protocol will break all local, legitimate help links that use hcp://. For example, links in Control Panel may no longer work."
But should I care? Everything I tried in Control Panel seemed to keep working fine. Do they mean if you or some software package put an hcp: link in there? What is there in a default XP install that actually uses hcp: protocol?
-
Steve Gibson calls it again
As the following blog post http://steve.grc.com/2010/05/24/facebook-and-the-ford-pinto/ points out:
Unfortunately, the only "asset" Facebook has to monetize is the wealth of personal information that has been poured into the system by every one of those 400 million users. Facebook has understood this from day one, its user community has not.
Ditto for Twitter.
-
Re:Slashdot trolled
Quick! Go read his FAQ! Right there under 'Can I low-level format my drive' it says 'not possible on any modern hardware'. Randomly poking bits at specific PHYSICAL locations (which is what the poster wants to do) is low-level formatting.
-
Hire Steve Gibson
Steve Gibson can get it done for you. http://www.grc.com/
-
Re:Slashdot trolled
Drives just don't work like that any more.
Quick! Someone tell Steve Gibson!
Or are you talking about SSDs? SSDs don't work that way, but hard drives sure do!
-
Talk to Steve Gibson author of Spinrite
The person who would probably know for sure if it is even possible to achieve that level of control is Steve Gibson from grc.com, the author of Spinrite http://www.grc.com/sr/spinrite.htm. Spinrite has some amazing low level hard drive access, that it uses for data recovery and drive maintenance.
-
Not completely true...
Whilst WEP encryption has been shown to be very broken and easily defeated, the flaws found so far in WPA and WPA2 are not nearly as easy to utilise. There was a detailed breakdown of this a few years ago on the 'Security Now' podcast by Steve Gibson of GRC (with a little help from Leo Laporte). Here's the transcript of that episode, along with links to download the audio to listen to.
In short, the combination of AES encryption and a strong password make for a network that is going to require a *lot* of work to break into.
-MT.
-
Re:rip-offs
-
Re:Screw PHP, I write everything in C
Steve Gibson, is that you?
:)
-
kinda not news
(Note: I have RTFA, but I'm quoting mainly from the summary here.)
Others have cracked the A5/1 encryption technology used in GSM before, but their results have remained secret.
Feh. Steve Gibson explained the flaws in GSM in very precise, technical detail in his podcast with Leo Laporte back in September. See episode 213 of Security Now, "Cracking GSM Cellphones". He explained how the algorithm was implemented in hardware, right down to the hardware level.
The GSM Association, the industry group based in London that devised the algorithm and represents wireless operators, called Mr. Nohl's efforts illegal
Oh yes, they'd like us to believe that reverse engineering encryption is illegal. It is not. Eavesdropping on cell phone calls is illegal only because cell phone carriers have always used technology decades behind the state of the art. It's a crappy regulatory patch to a massive technical loophole. It's akin to a law forbidding wifi cards from supporting "monitor mode" because you can use it to eavesdrop on unencrypted wifi traffic. Karsten Nohl is not recommending that anyone eavesdrop on other people's phone calls. He's trying to show the public that their conversations are as good as "in the clear" and gosh darn it, the billion-dollar wireless industry just doesn't like that a bit.
Simon Bransfield-Garth, the chief executive of Cellcrypt, says Nohl's efforts could put sophisticated mobile interception technology -- limited to governments and intelligence agencies -- within the reach of any reasonable well-funded criminal organization.
Nope, even better: it puts GSM decryption technology within the reach of anyone with a 2TB hard disk, $1000 of radio equipment, and the time to figure out some software. And, as I pointed out already, this has been known for some time. Until recently, the weaknesses of GSM have been the skeleton in the closet of the wireless industry. It should have seen the light of day years ago.
This is not an easy problem for them to solve, either. A5/3 is much better encryption, but as I understand it, almost every handset in existence can be forced to fall back to A5/1 (or even A5/0, no encryption) relatively easily.
-
DNS Benchmark
You can run DNS Benchmark to check the speed of DNS servers.
-
Re:Well at least you can say Moxie has Moxie.
I'll save 'em the full $34.
Go here: https://www.grc.com/passwords.htm
-
$34 you can test the security of your WPA password
Only an idiot would pay $34 to see if their password was '12345'.
You can get a nice entropic password for free.
-
For what it's worth, it's not faster at my end
but I never thought about DNS performance before, and it showed one thing though, and that is that my local crappy router sucks. For Windows users, try this one: http://www.grc.com/dns/benchmark.htm The Google DNS servers perform "ok", but for me at least I noticed a noticeable difference by using my ISP DNS servers directly (not by just looking at what this program gave me, but cached lookups are faster on my ISP than on my local router (yah, I know my router sucks)). (Oh, btw, you can't use ping latency to determine if a DNS is faster or not.)
-
It is not the fastest DNS, at least not for me
I just ran a simple benchmark to see how fast these are. It turns out that Google's DNS is slower than our university's (I'm in Oregon), OpenDNS and L-3.
- ISP: Cached Name: 1 ms, Uncached Name: 8 ms
- OpenDNS: Cached Name: 5 ms, Uncached Name: 8 ms
- L-3: Cached Name: 24 ms, Uncached Name: 26 ms
- Google: Cached Name: 44 ms, Uncached Name: 48 ms
I guess for me it's clear: I'll skip it for now.