Slashdot Mirror

← Back to Stories (view on slashdot.org)

Free Rainbow Tables Looking For New Admin

Posted by kdawson on from the all-the-colors dept.

lee writes "After almost three years online, the admin of Free Rainbow Tables has decided to call it a day, citing a lack of time to keep it running. (I'm sure that you all know a rainbow table is essentially a giant list of precomputed hashes.) This is a shame, as the site is a useful resource for those occasions when you really need an existing password exposed, rather than simply changing it. I'm a Windows admin, and this site has come in very handy in the past. The currently computed tables weigh in at well over half a terabyte, are available as torrents from the site, or from a couple of mirrors (and alternatives are available). When the site was active, it featured a downloadable BOINC client to put your idle cycles to work computing ever-greater tables, and a space-saving format for storing the tables. The admin is willing to hand over source code if you wish to take over, though I suspect hosting is not included!"

95 comments

  1. You know you're hungry when by goobermaster · · Score: 5, Funny

    The headline 'Free Rainbow Tables' makes you immediately think of a table covered in Skittles

    1. Re:You know you're hungry when by mycologistica · · Score: 2, Funny

      wish i could mod this 'tasty'

    2. Re:You know you're hungry when by Em+Emalb · · Score: 3, Funny

      think of a table covered in Skittles

      Billy Mays here for Free Rainbow Tables dotcom. Have you ever needed a giant list of pre-computed hashes? Have you ever forgotten the password to that old Linux box sitting in the corner of the accounting department's coat closet? Then have I got just the thing for you! All you need to do is, and this part's amazing, is go to freerainbowtables.com, that's freerainbowtables.com, enter your hash-string, and voila, there's your password. It's so easy, a paraplegic blind deaf-mute could do it. That's Freerainbowtables.com.

      I'm Billy Mays, and I say, if you don't use this product, the 5th spawn of the Great Satan himself will come to your house and rape your cat....a lot.

      --
      Sent from your iPad.
    3. Re:You know you're hungry when by bertoelcon · · Score: 1

      It's good to know I wasn't alone.

      --
      Anything can be found funny, from a certain point of view.
    4. Re:You know you're hungry when by slyn · · Score: 1

      You forgot to yell.

      HI, BILLY MAYS HERE WITH A FANTASTIC NEW PRODUCT....

      Filter fodder: "Filter error: Don't use so many caps. It's like YELLING."

    5. Re:You know you're hungry when by Chyeld · · Score: 2, Funny

      Billy Mayes didn't yell. It seemed like it because, just like Chuck Norris, when he spoke the rest of the world knew the STFU.

    6. Re:You know you're hungry when by cstdenis · · Score: 1

      It makes me think of smarties you insensitive clod.

      --
      1984 was not supposed to be an instruction manual.
    7. Re:You know you're hungry when by Hurricane78 · · Score: 1

      But if you were hungry, wouldn't you think of actual *food* instead? ^^

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
  2. Support is pending by 192939495969798999 · · Score: 4, Insightful

    I am sure that plenty of groups that may "need an existing password exposed" are interested in anonymously donating hosting for this project.

    --
    stuff |
    1. Re:Support is pending by nametaken · · Score: 2, Insightful

      Or pay-for-download and/or pay-for-lookup service, and keep the site online.

    2. Re:Support is pending by ebuck · · Score: 1

      They already accept money to buy more credits for heavier access of their service. For those that are unwilling to pay in cash, they offer credits for populating their system with hashes through the use of their client.

      Somehow I think that if money were the issue, they would just say they lack money instead of saying they lack time. Considering that they've had two upsets in the last two months, a lack of time sounds like an honest reason.

    3. Re:Support is pending by jDeepbeep · · Score: 1

      Or pay-for-download and/or pay-for-lookup service, and keep the site online.

      In such a case, they would clearly need to change their SLD name, to not have the word 'free' in it.

      --
      Reply to That ||
    4. Re:Support is pending by CarpetShark · · Score: 2, Insightful

      I am sure that plenty of groups...are interested in anonymously donating hosting for this project.

      You think? Personally, I think you'd have to be a glutton for punishment, to want to admin a site for people interested in rainbow tables.

    5. Re:Support is pending by highonv8splash · · Score: 1

      The computer club at Western Michigan University is entertaining the idea of hosting these tables, we've been in contact with the admin over there about the data and bandwidth requirements, and it looks like we have the resources needed to host them. Unfortunately we don't have a quorom to vote on the issue until the fall semester begins and the majority of our members are in town.

    6. Re:Support is pending by jonadab · · Score: 1

      > Personally, I think you'd have to be a glutton for punishment,
      > to want to admin a site for people interested in rainbow tables.

      If it were theoretical information about rainbow tables, how they're used, what implications they have for security, the effects of salt, which common systems use salt and which ones don't, and so on and so forth, the abuse the admin would take might not be so bad. I mean, you'd have some detractors, sure, but it would hopefully be manageable for the most part.

      But yeah, a site that's basically just one great big rainbow table database, that's going to probably draw a lot of negative reactions. It's obvious to anyone who knows what a rainbow table is that the overwhelming majority use case is black-hat in nature. Even assuming the intentions of the administrator are pure, it's still undeniable that most of the users will be using the thing for illegitimate purposes. Sure, they could get the information elsewhere if the site didn't exist; the black-hat crowd always finds ways. Nonetheless, you'd clearly have to be the sort of person who doesn't mind getting hate mail.

      Personally I have a hard time seeing how it could have enough legitimate uses, and sufficiently valuable ones, to be worth maintaining all those tables and the bandwidth costs, and everything, even setting aside the negative publicity. I don't blame the admin for wanting to throw in the towel.

      I mean, really, how often is it that you lose a password, and changing it simply isn't good enough, you've really got to have that original lost password back unchanged? That happens, what, once in every eighty-seven trillion lost password cases? I'm not saying it couldn't ever come in handy, but I question whether such cases would be sufficiently common to justify the effort of maintaining the site. Honestly, I think the resources might be better spent in some other way.

      --
      Cut that out, or I will ship you to Norilsk in a box.
  3. Reading Rainbow Tables by MoldySpore · · Score: 5, Funny

    Buy the domain, contact LeVar Burton to help promote it, and post video testimonials on how great they work.

    LeVar: "Crack passwords now! But you don't have to take my word for it..." *dun dun dunnn!*

    --

    "I hope you know how very lucky you are to know me, because I am so incredibly incredible."

    1. Re:Reading Rainbow Tables by Pezistential · · Score: 1

      Insightful Mod... that's funny... heh

  4. OMG is that annoying... by sunking2 · · Score: 1, Insightful

    If you assume that everyone knows what it means then why are you telling us what it means knowing damned well that probably 99% of the audience doesn't actually know what it means, or cares for that matter. It makes you come across demeaning to the vast majority of people who could give a crap.

    1. Re:OMG is that annoying... by Shikaku · · Score: 5, Insightful

      News for Nerds.

    2. Re:OMG is that annoying... by baka_toroi · · Score: 2, Funny

      Shikaku wa sora, shikaku wa hiroi

    3. Re:OMG is that annoying... by RiotingPacifist · · Score: 3, Insightful

      Because slashdot used to be a site for geeks, however recently anytime somebody uses a simple TLA/ETLA people start bitching that they don't know what it meant and they are too lazy to google and/or wikipeida it, so instead you get a stupid thread full of people who have !RTFA commenting on a subject that is of no interest to them, if it was they would have understood the TLA in TFS, this really annoys the few geeks that actually RTFA as it dilutes the comments. As a TFS contains redundant information to prevent people going "what are rainbow tables?", lets be honest if you're the kind of geek that has ever done any 'cracking' you knew what it mean, if you're not then you don't care.

      p.s irony of this post not lost on me!

      --
      IranAir Flight 655 never forget!
    4. Re:OMG is that annoying... by Obfuscant · · Score: 4, Insightful
      lets be honest if you're the kind of geek that has ever done any 'cracking' you knew what it mean, if you're not then you don't care.

      Let's be honest, I'm a kind of geek that has done cracking, but I don't devote my life to it. I've never heard the term "rainbow table" applied to the lists of precomputed hashes, so it was nice to have a simple hint that said "precomputed hashes", and I do care.

    5. Re:OMG is that annoying... by Anonymous Coward · · Score: 0

      Because slashdot used to be a site for geeks, however recently anytime somebody uses a simple TLA/ETLA people start bitching that they don't know what it meant and they are too lazy to google and/or wikipeida it, so instead you get a stupid thread full of people who have !RTFA commenting on a subject that is of no interest to them, if it was they would have understood the TLA in TFS, this really annoys the few geeks that actually RTFA as it dilutes the comments. As a TFS contains redundant information to prevent people going "what are rainbow tables?", lets be honest if you're the kind of geek that has ever done any 'cracking' you knew what it mean, if you're not then you don't care.

      p.s irony of this post not lost on me!

      But what dose the "Theatre of the Living Arts"* have to do with anything?

      *it was the first result on google for TLA.

    6. Re:OMG is that annoying... by sunking2 · · Score: 1

      What was annoying was not the information, but the presentation. Modify the wording to be along the lines of 'For those unfamiliar, blah blah blah' and the summary changes from demeaning/belittling to those unfamiliar, to informative. This is the sort of thing that keeps the nerd in the corner by himself at a party :)

    7. Re:OMG is that annoying... by b4dc0d3r · · Score: 1

      People start bitching because it's a knee-jerk reaction at this point. We're trying to convince people that it takes less time for them to type 2-3 words explaining it than for thousands of people to Google it and figure out which of the many results are applicable based on context. Would you agree or disagree with this statement?

      Also, just because I'm not familiar with it doesn't mean I won't find it interesting. Especially if I'm interested in it, and used them lots before someone invented a new name for it for no reason.

    8. Re:OMG is that annoying... by geekoid · · Score: 1

      Ok, there must be another meaning besides the literal translation.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    9. Re:OMG is that annoying... by Chyeld · · Score: 1, Informative

      Maruha medama
      Maruha kirei
      Kuroibudouno
      Amaiagi

      Sankakuha gikan
      Sankakuha hayai
      Sakana no shippono
      Furuekata

      Shikakuha Sora
      Shikakuha Hirui
      Hanawo kandera
      Iinaoi

      3.14159 2653589 7932384
      626433 8327950 28841197 1693993
      751582

      .

      circle is eyeball
      circle is beautiful
      blackberry's sweet taste

      triangle is time
      triangle is fast
      the movement of fish's tail

      square is sky
      square is wide
      it smells good when you smell flowers

      3.14159 2653589 7932384 626433
      8327950 28841197 1693993 751582

    10. Re:OMG is that annoying... by Chyeld · · Score: 1

      3.14 from Cowboy Beebop, the movie. Ed doing what Ed does best, being odd and cute.

    11. Re:OMG is that annoying... by Anonymous Coward · · Score: 0

      Why would you give a crap about X if you don't know what X is, and don't even care to look it up? There's a difference between not knowing something and being an ignorant, you are clearly the latter. Why did you get a Slashdot ID, do you collect memberships?

    12. Re:OMG is that annoying... by Anonymous Coward · · Score: 0

      If you don't know what a rainbow table is, you aren't a nerd. That simple. You might be a gaming dork. Or a technology fan, but not a nerd.

    13. Re:OMG is that annoying... by Anonymous Coward · · Score: 0

      anyone who knows anything about cracking passwords knows what a rainbow table is

    14. Re:OMG is that annoying... by quelrods · · Score: 1

      If you just mentally link rainbow table with precomputed hashes then you have missed the point entirely. Rainbow tables are an entirely new approach to the problem. It isn't simply storing every precomputed hash. It has a few advantages such as much less disk space is needed, much faster due to indexes as well as less to load from disk, etc. It's actually probabilistic in nature and does not guarantee 100% that a given hash is found. You may want to spend the time to read through the FAQ if you are interested.

      One interesting use involves prebuilt cd and dvd isos for windows LM *and* NTLM password recovery.

      With a distributed project like Free Rainbow Tables, it gives people less and less chance to avoid learning what a salt is and I hope will lead to more education of programmers, admins, etc.

      No matter how expensive the hash is in terms of computation, nothing beats a good hash that uses salts for storing passwords. Though, I'd like to websites stop storing plaintext passwords that they email to you for a password recovery :(

      --
      :(){ :|:&};:
    15. Re:OMG is that annoying... by quelrods · · Score: 1

      Please see my comment on the matter of "a new name for it for no reason."

      If it was nothing but precomputed hashes then indeed it would not be very interesting as it is nothing new. However, it's quite a bit different as the lookups are probabilistic, not 1:1 look ups for is the hash there yes/no.

      For that matter educating people to learn how to use salts with their hash for storing passwords is no where near complete even among savy geeks.

      --
      :(){ :|:&};:
  5. Salts? by Sir_Lewk · · Score: 5, Informative

    I thought the prevelance of using salts with hashes obsoleted rainbow tables years ago.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    1. Re:Salts? by six · · Score: 3, Informative

      Once you've reverted the hash back to salt+plaintext, it's *much* easier to remove the salt (often some string concatenated with the plaintext).

    2. Re:Salts? by l0b0 · · Score: 2, Informative

      Using salts with hashes obsoleted rainbow tables years ago (if you know what you're doing).

      There, corrected it for you.

    3. Re:Salts? by Quantumstate · · Score: 1

      That would be true but with something like a 20 character salt the required rainbow tables to cut down the time to a reasonable level would take a ridiculous amount of storage. You could of course compile a set of rainbow tables for that specific salt but then you may as well give up on rainbow tables.

    4. Re:Salts? by Anonymous Coward · · Score: 0

      Can you explain what you are talking about? Trying to give you the benefit of a doubt considering your low UID.

    5. Re:Salts? by RiotingPacifist · · Score: 4, Insightful

      The site host/cracked NTLM LM MD5

      NTLM is still used in the following situations:
      * The client is authenticating to a server using an IP address.
      * The client is authenticating to a server that belongs to a different Active Directory forest, or doesn't belong to a domain.
      * No Active Directory domain exists (commonly referred to as "workgroup" or "peer-to-peer").
      * Where a firewall would otherwise restrict the ports required by Kerberos (of which there are quite a few)

      So kids getting their teeth wet on home networks, which probably explains why its not being supported. MD5 is still used by applications that arn't quite sure what they are doing/can't do much more e.g grub, im clients, etc.

      Lookup tables are still useful in cracking WPA

      --
      IranAir Flight 655 never forget!
    6. Re:Salts? by Chabo · · Score: 1

      Just because better security exists does not mean that people use it.

      I use a properly secure passphrase on my credit card's website, but on accounts that aren't as critical (Slashdot), I use a simpler password.

      P.S.: It's "hunter2".

      --
      Convert FLACs to a portable format with FlacSquisher
    7. Re:Salts? by zindorsky · · Score: 5, Informative

      I thought the prevelance of using salts with hashes obsoleted rainbow tables years ago.

      True. Correctly salting your password hashes will make rainbow tables useless.

      But ... Guess which system still doesn't salt passwords? Windows!

      --
      If the geiger counter does not click, the coffee, she is not thick.
    8. Re:Salts? by zindorsky · · Score: 4, Insightful

      Once you've reverted the hash back to salt+plaintext, it's *much* easier to remove the salt (often some string concatenated with the plaintext).

      Often? That's the definition of salt.

      Also, rainbow tables don't revert the hash back to salt+plaintext. Rainbow Tables don't work if salt was (correctly) used. Well, I guess you could make a set of RTs for every possible salt value ... if you have an ice age or two to wait.

      --
      If the geiger counter does not click, the coffee, she is not thick.
    9. Re:Salts? by Anonymous Coward · · Score: 0

      the required rainbow tables to cut down the time to a reasonable level would take a ridiculous amount of storage.

      .
      like maybe "over half a terabyte"?

    10. Re:Salts? by Auntie+Virus · · Score: 1

      MMMM Salty Hasssssh

      --
      Why yes, I *AM* new here. Why?
    11. Re:Salts? by ebuck · · Score: 1

      Perhaps that's why they are offering to sell the entire set of indexed hashes for just under $600? (shipped on a 1.5 TB usb disk drive). Considering their relative lack of mark-up on the 1.5 TB usb disk drive, I don't get the impression that these guys were in it for the money.

    12. Re:Salts? by Anonymous Coward · · Score: 1, Informative

      NTLMv1 maybe, but NTLMv2 closed that hole and doesn't use LM hashes.

      It took a few years for the default to be *not* to send the v1 hash, but it has been now since 2003 server (which is why you used to get the problem that early samba implementations don't work with newer windows domains.. the 'workaround' given was to shaft the security of the network, although these days I'd just upgrade samba).

    13. Re:Salts? by Em+Emalb · · Score: 1

      P.S.: It's "*******".

      We don't see your actual password. The website obfuscates it. All we see is ********.

      --
      Sent from your iPad.
    14. Re:Salts? by Dewin · · Score: 1

      Really? Let me try it.

      My password is gj23os5k.

      --
      Of course nobody reads the FAQ! If people read the FAQ, the Questions wouldn't be so Frequently Asked.
    15. Re:Salts? by Otto · · Score: 1

      Lack of markup? Last I checked, a USB 1.5TB drive was around $150, tops. Not $600.

      http://www.newegg.com/Product/Product.aspx?Item=N82E16822148406

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
    16. Re:Salts? by Anonymous Coward · · Score: 0

      You try buying 1.5tb worth of useful data from (a company/companies) who're "in it for the money", see how much it costs. My bet is more than $450.

    17. Re:Salts? by Anonymous Coward · · Score: 0

      Depends on brand choice and features:

      http://www.i-store.com.au/product/?CategoryID=11&productid=7842 (AU$669 ~= US$537.00).

      Though he's using a OneTouch 4 apparently.

      After including the cost of worldwide free shipping, there's not much margin on top of that that'll be donated to running the site.

    18. Re:Salts? by Quantumstate · · Score: 1

      No the tables they are selling on those disks would not cope with a 10 character password. They have a 12 character table listed but that is for pure numeric, the rest have a maximum of 9 characters. Using the calculator http://www.insidepro.com/rainbow.php you can see that to get tables for a 16 character password (which is still a lot less that a password + 20 character salt) you would need more hard disk space than you could expect to be able to buy (several orders of magnitude more). So that leaves the possibility of generating your own tables for that salt and with a proper setup with a unique salt for each password hash then using a rainbow table would not help you since every single password would need a new set of rainbow tables.

    19. Re:Salts? by petermgreen · · Score: 1

      IIRC up to XP (which is still the most common version in buisnesses afaict) windows was still generating relatively weak lm hashes by default.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    20. Re:Salts? by SPBesui · · Score: 1

      "Getting their teeth wet"? I think you mean "getting their feet wet" or "cutting their teeth." Or this is some new expression I'm not familiar with.

    21. Re:Salts? by quelrods · · Score: 1

      Unfortunately not. Programmers and sysadmins alike only sort of seem to know what a salt is. Look at how often an application stores passwords plaintext or with a simple md5 and you'll be happier not knowing. For that matter I seem to recall that buffer overflows were discovered decades ago and yet plenty of new code continues to suffer from the flaw.

      One very interesting place that unsalted hashes seem to stick around are old LDAP directories. I've seen ones with combinations of: MD5, SMD5, SHA, SSHA, and crypt/des. Also, lets say that the LDAP directory only uses SSHA *but* also provides NTLM hashes for windows authentication such as PDC or BDC, well then who cares about the salted sha1 when you can attack the NT hash much faster.

      For that matter only starting with Windows Vista are LM hashes *not* enabled by default. So while 2000, XP, 2003, etc. store the NT hash, storing the LM hash too means no one bothers to crack the NT hash.

      One very good use for rainbow tables like md5 and sha1 are to at least get LDAP directories migrated to a salted variant. Good luck getting all your users to change their password or even remember it since they probably just have it saved in a browser.

      --
      :(){ :|:&};:
    22. Re:Salts? by quelrods · · Score: 1

      "im clients, etc."

      Ha! Seems IM clients tend to just store the passwords plaintext so even unsalted MD5 would be an improvement over the status quo.

      --
      :(){ :|:&};:
    23. Re:Salts? by quelrods · · Score: 1

      AFAIK Vista is the first windows to completely remove LM hashes as the default. Other than that you had to use a password of a certain length to prevent LM hash creation, 16 characters if memory serves me correctly.

      --
      :(){ :|:&};:
  6. Only MD5/LM/NTLM? by AmiMoJo · · Score: 4, Informative

    I was expecting more tables than just MD5 and two types of Windows passwords. You can already download the Ophcrack DVD to do Windows passwords with rainbow tables.

    Renderlab offer wifi WPA rainbow tables: http://www.renderlab.net/projects/WPA-tables/ . I hope whoever takes over takes note of projects like that, and tries to expand the range of tables available.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Only MD5/LM/NTLM? by quelrods · · Score: 1

      There is some SHA1 as well via the download mirrors in TFA.

      Though, I agree and wouldn't mind to see some old style mysql hashes for instance. It's amazing how few databases actually use the new form. The new form is SHA1 twice with no salt. (Hey more unsalted fodder for rainbow tables.) I don't know if anything else uses this method but I know bad things (TM) can happen when people just create new schemes like double hashing or double encryption. (3DES was suppose to be 168 bits (56 * 3) but turns out to be only 112 bits of security.)

      --
      :(){ :|:&};:
  7. why Rainbow Tables when there is KonBoot? by sammyF70 · · Score: 4, Interesting

    If you need a password to access an account in windows (or linux for that matter), just use Kon-boot instead of messing around with rainbow tables.

    --
    "DRM is like the Ford Pinto: it's a smooth ride, right up the point at which it explodes and ruins your day."-C.Doctorow
    1. Re:why Rainbow Tables when there is KonBoot? by NiteMair · · Score: 1

      Thanks for the eyestrain - after staring at that page for a few minutes I have a headache.

    2. Re:why Rainbow Tables when there is KonBoot? by sammyF70 · · Score: 1

      No problem. At least it's not a white font on a black screen :P Not that I have anything to do with Kon-Boot anyway.

      --
      "DRM is like the Ford Pinto: it's a smooth ride, right up the point at which it explodes and ruins your day."-C.Doctorow
    3. Re:why Rainbow Tables when there is KonBoot? by Rich0 · · Score: 2, Informative

      I can't imagine that a tool like this would allow you to authenticate to the domain controller. Cracking the hash cached on the local system would.

      Unless windows is so insecure that the domain controller just takes the local workstation's word that you successfully logged in. I can't imagine such a design lasting this long. If it did you could get the machine's key off the local hard drive and then authenticate as anybody over the network.

    4. Re:why Rainbow Tables when there is KonBoot? by silent_artichoke · · Score: 2, Informative

      The local machine caches the credentials. We see this with laptop users. They have to be connected to the network here to log on the first time, then they can take it home and log in just fine without a network connection. If they change their password on their work desktop, the laptop still uses the old one until they try to log into the account again while connected to the network. So, the domain controller does not take the local machine's word for it, but the local machine does not necessarily check in with the domain controller.

    5. Re:why Rainbow Tables when there is KonBoot? by sammyF70 · · Score: 1

      Yep. As far as I understand it, Kon-Boot will only allow you to gain root to any computer to which you have *physical* access. So no domain controllers

      --
      "DRM is like the Ford Pinto: it's a smooth ride, right up the point at which it explodes and ruins your day."-C.Doctorow
    6. Re:why Rainbow Tables when there is KonBoot? by querist · · Score: 2, Informative

      Granted, EFS (Encrypted File System - the "encrypt" option on NTFS) isn't the greatest, but it's there, it's included with Windows (and thus, perceived as "free as in beer"), and people use it.

      Kon-Boot will grant you access to the account, but not to anything that the user encrypted using EFS. I have just tested this today to be sure before posting.

      That is one reason why people would want to know the current password rather than just bypass the password, though Kon-Boot certainly still has its uses.

    7. Re:why Rainbow Tables when there is KonBoot? by Rich0 · · Score: 1

      Does the local machine actually cache the network credentials between sessions? I thought that it only kept a hash so that it could verify that a password is valid, but that unless the password itself were supplied it couldn't log into the domain controller.

      If it did cache the actual credentials, then why would we need to crack hashes in the first place? Why not just use the stored credential?

    8. Re:why Rainbow Tables when there is KonBoot? by Anonymous Coward · · Score: 0

      Definitely won't work if you're actively connected to a domain. No EFS access either.

      But, it will work if you log-in to a domain profile with cached creds.

    9. Re:why Rainbow Tables when there is KonBoot? by Anonymous Coward · · Score: 0

      Hey it works on Ubuntu. I forgot my root password for that the moment I installed it.

    10. Re:why Rainbow Tables when there is KonBoot? by kayditty · · Score: 0

      it's very trivial to crack windows hashes or change the password on any operating system if you have physical access, but the first contingent case I thought of was an encrypted filesystem. I initially assumed that any encryption would be separate from login credentials, and most users would probably remember their passphrase or have a USB key for decryption or whatever, but I wasn't aware of the NTFS offering which, according to you, ties login credentials to the encryption key. that sounds like a really inteesting system.

    11. Re:why Rainbow Tables when there is KonBoot? by silent_artichoke · · Score: 1

      One more time with paragraph breaks...

      I think you are correct. The users are able to log into the laptop with the old password as long as they want until they connect to a network. Then the laptop tries to authenticate the password with the domain controller. If it is not the same password as on the domain controller, you get the usual bad username/password error. If you know the old password, you can log in at any time as long as you don't connect to a network. As a bonus, if you connect to a network that is too far removed (expiring TTL, behind a router with strict rules, etc.) you get the wonderful "unable to find the domain controller" error.

      As far as I can tell, the full credentials would need to be cached so that once logged in, you can still access your files via permissions. I'm not really sure how it works past that point as I have not done any real testing, just observations based on irate users who are unable to log in to their computer from home because I forgot to have them log in first at work.

    12. Re:why Rainbow Tables when there is KonBoot? by querist · · Score: 1

      It works quite well against the casual attacker, and even a bit against a more skilled attacker.

      I would try to summarize, but instead here is what i think is the best brief summary

      http://www.petri.co.il/how_does_efs_work.htm

      The super-short summary is as follows:

      It uses your certificate (automatically generated if not available) and the recovery agent (if it exists) certificate to generate a File Encryption Key, which is then used to encrypt the data. Then a special header is added to the file which contains the File Encryption Key encrypted with your certificate and with the Recovery Agent's certificate (if it exists).

      It is similar, in that way, to how PGP works.

      The encryption algorithm itself for the file is DESX.

      The "cool" thing about it is that it is completely transparent to the end user other than checking a little box one on the Properties dialog that says "encrypt". From then on, you have little to no idea that it's happening.

      However, when it fails, it's a major pain.

  8. rainbows@home by Anonymous Coward · · Score: 0

    Talk about a distributed computing idea.

    1. Re:rainbows@home by Anonymous Coward · · Score: 1, Funny

      Well, duh... that's what the site was doing.

  9. Tiny tables? by x78 · · Score: 1

    The currently computed tables weigh in at well over half a terabyte

    Is that actually a lot? I mean that's half of one cheap hard drive, unless it's purely the computational time to generate 500GiB of Rainbow Tables that's impressive here, and if that's the case would it not be better advertising it as such?

    --
    Don't panic
    1. Re:Tiny tables? by Anonymous Coward · · Score: 0

      The problem is compute time, and the bandwidth to host them once computed.

  10. KonBoot - NSFW by Anonymous Coward · · Score: 0

    watch out for that animated gif up top. let it cycle to something less offensive and hit Esc and/or scroll down a few lines.

    looks like a great tool.

    1. Re:KonBoot - NSFW by kayditty · · Score: 0

      I've got image.animation_mode set to "once" in firefox.

  11. Whoops by neokushan · · Score: 4, Insightful

    Slashdotting the site really isn't helping to keep it online.

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  12. rainbow table? by spottedkangaroo · · Score: 2, Informative

    I'm sure a huge precomputed hash database is handy and everything, but are we sure that's what a rainbow table is? I tried very hard to make sense of the Oechslin paper on rainbow attacks and it doesn't mention anything about pre-computing individual hashes. It's about reconstructing cipher chains (or something like that). Perhaps the term has just become diluted over the years. Seems wrong to me.

    --
    Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
    1. Re:rainbow table? by caramelcarrot · · Score: 1

      You have to pre-generate and store the chains.

    2. Re:rainbow table? by quelrods · · Score: 1

      Yes, the paper is not very clear. The FAQ on freerainbowtables.com comes complete with some diagrams. You are certainly correct that rainbow tables are not just huge precomputed hash databases. Unfortunately, it seems most slashdotters cannot be bothered to actually educate themselves and just like to state that its a term to describe something very basic and old.

      --
      :(){ :|:&};:
  13. Not exactly by Anonymous Coward · · Score: 1, Informative

    (I'm sure that you all know a rainbow table is essentially a giant list of precomputed hashes.)

    The whole point of a rainbow table is that it's not a giant list of pre-computed hashes, though those do exist also. It is a large table, but it's not simply a one-to-one dictionary of plaintext and hashes.

    Anyhoo, though RTs are still valid, they are becoming much less useful as an attack method.

  14. Donate Hosting.. by resorb · · Score: 1

    Resorb Networks, Inc ( www.resorb.net ) would donate hosting...

    1. Re:Donate Hosting.. by resorb · · Score: 1

      nvm, I doubt we would have the computing power to accomplish this enormous task.

  15. gi? kandera? naoi? by Joseph_Daniel_Zukige · · Score: 1

    "amai agi" as in soft "g"? Romanized by an Italian, maybe?

    "hanawo kandara" would be when you bite flowers,
    "hanawo kaidara" would be when you smell them.

    "iina nioi" would be sloppy grammar, but "ii naoi"?

    "ha" and "wo", while not standard, are more literal Romanizations of the two particles.

    Some sort of dialect?

    Author of a manga deliberately breaking rules?

    1. Re:gi? kandera? naoi? by Chyeld · · Score: 1

      Or copied from the only shitty lyrics site I could find that didn't have malware shit going on or a lame javascript protecting the lyrics they ripped off someone else. ^_^

      Attribute all errors to the editor, not the author.

    2. Re:gi? kandera? naoi? by Hurricane78 · · Score: 1

      Uuum, every tried the option under "settings -> content -> extended..." in Firefox? Disable the right-click menu-hiding functionality, and you're good.

      Oh, and Firebug always helps, when nothing else does.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    3. Re:gi? kandera? naoi? by Chyeld · · Score: 1

      Was at work, with IE 6. Even without javascript it was a pain.

    4. Re:gi? kandera? naoi? by Joseph_Daniel_Zukige · · Score: 1

      Actually, I was going to rip it apart, but, as I was going through the errors, I realized that the possibilities I suggested were, in fact, possibilities.

      You'd be amazed at the deliberately non-standard Romanization I've seen in use by native Japanese who think it's cool to break rules. (And the particles I mentioned are actually fairly good evidence that it might indeed be cool to break the rules.)

      And, while I don't know of specific dialects in which the odd pronunciations and grammar I pointed out are common, I have heard dialects that do similar strange things. Strange, until you think about it.

      Anyway, that was not intended as a rip. Manga can really be strange, in an interesting sort of way. (Not meaning the soft porn, either.)

  16. at work on IE6? by Joseph_Daniel_Zukige · · Score: 1

    Man. I hardly dare look at lyrics sites from behind a thick filter when I'm using any browser at all on MSWindows.