I'm not sure I know what you mean. Where have I failed to grasp the relevant concepts? I'm merely criticizing the mistaken impression that TFS (which is apparently lifted directly from TFA) gives about what vdW forces are.
I'm saying you do exhibit a basic grasp of relevant concepts, that on Slashdot people who are correct usually get shat upon, and that the "experts" in TFA often don't have a basic grasp of the relevant concepts, as your post illustrates.
Irrelevant - if T-Mobile's T&C says you cannot use the service for bittorrent or other P2P protocols, and the T&C was available at the time the customers signed up, T-Mobile is fully within its remit to throttle these.
Irrelevant - if T-Mobile advertises their shit as "unlimited" then they need to be held to that. Advertising claims, contracts, etc. should be enforced hierarchically, with the largest, loudest, most-repeated, etc. claims ruling over the smaller, hidden, whispered, or quickly-spoken ones.
You're lucky Slashdot doesn't have a "-1: Basic Grasp of Relevant Concepts", because I'm sure you'd be modbombed by it.
Maybe I'm just old, but I'm really sick of seeing articles, interviews, etc. where the "expert", often times an actual degree-wielding scientist, gets fundamental concepts completely wrong. Every time I hear someone explain lift with "air on the top of the wing has to move faster, so... lift!" I want to defecate into their open mouths.
Yup. As soon as I saw "Jezebel" I knew what was up, and I knew that they brought it upon themselves. I also knew that they love it, because they get to play the victim card while spewing their hateful misandrist shit.
What happened here is that the spammers have turned over the fingerprint of their spam directly to the spam stoppers. By emailing these particular addresses they are directly supplying information that can be used to block spam. They don't need to 'confirm' these messages are spam, THEY ARE SPAM, by definition. They don't need to wait for several people to report them as spam, they don't need to manually inspect them or weight them as 'potentially spam'.
Spam one of these addresses then: Your host is instantly on a blacklist in most cases. URLs in the message are ranked as high probability of spam The message is fingerprinted and added to anti-spam software
All of that without any user actually having to report it as spam, and thats just the simple stuff that happens.
This is EXACTLY WHY this list is online, to catch stupid spammers who aren't careful enough to avoid these addresses.
Its working EXACTLY AS DESIGNED. Hitting just one of these fake addresses can save it from hitting MILLIONS of real addresses.
So before calling someone else stupid, look in the mirror, you're at peak ignorant.
100% fucking wrong. They're trying to log into these email addresses. They addresses CANNOT be sent to - they are INVALID addresses for their domains. It's right there in the fucking summary.
Mb? Really? You don't know the difference between Megabits and GigaBytes? You're off by a factor of 8192.
Not quite. You're confusing Mb with Mib and GB with GiB.
There are 1000 MB in a GB, not 1024. This was changed a while ago. I don't know why people haven't adopted the new rules. Science uses 1000 for everything, except for some things where it makes sense like temperature, and some things where other bases are much more convenient, like time.
But for computers we need to use 1000. Even though with computers things are binary and we need to deal with factors of 2 all the time, people might get confused between 1000 and 1024 when they buy a hard drive. So for science purposes we need to use 1000. I know this is confusing, but once everyone starts using 1000 for Kb and 1024 for Kib, and we update all the old references that people already wrote, it'll be much easier for everyone.
The next step is to change a byte to be 10 bits. Don't worry - the IEC and SI are already working on the best way to force this bullshit down your throat, too.
They more accurately measure the age at which you took the IQ test. The younger you are, the higher your score. Your age is nearly as important as your actual answers.
Your initial post in this thread exposed the fact that you don't know what the fuck a hash is, and thus don't know what the fuck you're talking about.
That's weird. My initial post nor the post I responded to said anything about hashes. My initial post was responding to someone talking about using a dictionary attack to get someone's password. I presume you falsely think my "initial post" was the one in response to AC-x which it wasn't. I also very much do know what a hash is. You and him seem to have a reading comprehension problem since you failed to understand my post. The point of my post was to say that, yes, having a password hash which you can use to try to recreate the original password does defeat what I stated, but that is tautological. If you can do an end run around the authentication protections it is no different than, as I said in an analogy, to having someone's PIN to their phone. I never once stated that having a hash was the same as having a plaintext password nor was their any such implication. Him stating that I believed the two were the same is basically a false presumption on his part by failing to understand my analogy.
You should have simply stopped posting, but here you are, digging deeper and deeper, committing more and more errors. You couldn't even quote a post properly.
I only messed up a quote once out of more than a dozen posts. Yeah, I totally don't know how to quote properly. Oh wait, I do.
Do you have an actual argument or just stupid ad homs like AC-x?
The fact that you've made a dozen (and counting) posts trying to re-re-re explain and rectify your mistakes should clue you in to the fact that you got called out for spewing bullshit and no one is buying the repeated attempts to retcon your hilarious error.
To clarify, I should say any brute forcing attacks rather than just dictionary attack. Any authentication program that allows unlimited tries without any rate limiting is totally broken.
You're absolutely fucking retarded and you need to stop. The vast majority of "authentication programs" are nothing more than: if (HASH(inputPW & getSalt(inputUser)) == getHASH(inputUser))
successfulLogin(inputUser); else
unsuccessfulLogin(inputUser);
How the fuck do you think people attack passwords once they have the hash? Rate limiting doesn't stop an offline attacking from succeeding on the first try online after it cracks the password offline. Rate limiting doesn't stop an online attack because an online attack is going to take forever due to the fucking latency. And with no latency, an online brute force or dictionary attack simply turns into a DoS attack if you have rate limiting enabled.
And as I've had to state over and over again (and this isn't meant against you wagnerrp), my statement about rate limiting, etc. was in the context of a post that did not mention an attacker already having compromised the system and having a DB dump with all the password hashes. That is a completely distinct scenario than the one I referred to and obviously would require other mitigations.
B u l l s h i t.
I've never understood why passwords can't be sentences, like "I'm going to take my dog, Spot, to the park today."
They can be, but it would be incredibly stupid to use something like that. A dictionary attack would crack that password in seconds.
What I do is have a single, strong password that I have stored only in my brain and all other passwords are hashed on-the-fly from that and the domain or name of whatever I need the password for. I get unique, strong password for everything, but only have to remember a single one.
Only if you're dumb enough to let authentication program be suspceptible to such an attack. Dictionary attacks can be trivially defeated by rating limiting tries and after, say, 5 tries not allowing any more attempts for some cooldown period. No attacker is going to bother if they can only have 5 tries every 15 to 20 minutes.
The post you replied to only mentioned "dictionary attack". Dictionary attacks are OFFLINE ATTACKS 99.999999% of the time.
The point he was making is that with proper procedure, a hash could never be attacked offline. As soon as the hash database were compromised, all hashes contained therein would be invalidated. The attacker could brute force that database to their heart's content, and no valid passwords would ever result from it.
This of course assumes the administrators are paying close enough attention to notice in short order when the database has been compromised, and that all users define a secondary means of contact through which to send a reset password. It also ignores the issue that most users use the same username and password across multiple sites, such that a pair compromised on one site and invalidated as described would still be valid on another site.
LOLWHAT 99% of the time, you won't notice your shit has been compromised until well after the fact. You typically learn of it when lots of users report that their shit has been stolen. The best an administrator can do is expire the passwords and send a notice out to the registered email addresses of the users with a unique reset link. The attacker likely also knows the email addresses. Any user using the same password for your site and email is fucked if the attacker has cracked their password. The users using the same password for a random site and their email are typically the same users with shitty, easy-to-crack passwords.
The bottom line is that password hashes and salts are only as secure as the passwords themselves.
Hey Desler I really don't get you, you (appear to) know what a salt is yet you don't understand that an attacker would be performing the attack on the hash offline, with their own hardware. Rate limiting their own hardware would be, as you put it, the height of idiocy.
He's furiously reading (but not understanding) wikipedia as he types. It's pretty common on Slashdot, actually.
And before the grammar nazis come out, yes I accidentally typed you're instead of your. Let me go commit seppuku now.
The first rule of holes: When you're in a hole, stop digging. Your initial post in this thread exposed the fact that you don't know what the fuck a hash is, and thus don't know what the fuck you're talking about. You should have simply stopped posting, but here you are, digging deeper and deeper, committing more and more errors. You couldn't even quote a post properly.
Pluto is a planet. The definition of a planet is arbitrary, and always will be.
What makes your arbitrary definition of "planet" - one that allows you to declare without qualification that it is a planet - better than the IAU's?
Trying to forcefully change the definition after it's already in use is fucking retarded and does nothing but cause confusion.
Not when the old definition is itself revealed to be "fucking retarded" (technical term, is that?) and causes more confusion once more data becomes available.
see "non-flammable"
Did you mean "inflammable"?
and the dipshits who insist that a kilobyte is 1000 bytes.
What, like the dipshits at the the International Organization for Standardization? Just because you don't like it, doesn't make everyone else unquestionably wrong.
My definition makes more sense and is better because it's ALREADY IN USE. You can't fucking change the meaning of a word willy-nilly, because that causes ambiguity. Does the speaker/author mean the new definition or the old one? When was this written? What was the more popular definition at the time?
For inflammable, look up the fucking Latin roots inflammare and flamma.
For kilobytes, again, the issue is about what was in use already and how changing shit adds ambiguity. Computer science has damn good reasons for using binary bases, the SI and other such organizations do not own the letters "kilo" not the letter k, such organizations have ambiguity in their own fucking rules, such organizations are not authorities for the language, and the big kicker, of course, is that the units in question aren't kilo, mega, etc, they're kiloBytes, megabits, etc. - there's never any ambiguity because you always have bits or bytes right there. And before you get started on trying to pull out some "gotcha" example where someone mixes them up: modems are rated in baud, not bits, storage manufacturers are liars who caused the mess in the first place, and I don't give a shit about how we have 1000 mbps ethernet or other such standards - it has no bearing on anything. Try again when we have memory measured in "gibibytes" or bus widths in factors of 10.
"Inflammable" means shit is capable of bursting into flames. "Non-inflammable" means it isn't (easily). "Nonflammable" was created by an asshat who wanted to remove confusion (which didn't exist). "Flammable" was then created to be the opposite of the new fake opposite.
"Inflammable" is derived from the Latin inflammare, which means able to be set on fire. This is the correct usage. "Nonflammable" is derived from "non" + "flammare", meaning to set on fire, + "able". This is completely fucking incorrect usage.
Pluto is a planet. The definition of a planet is arbitrary, and always will be. Trying to forcefully change the definition after it's already in use is fucking retarded and does nothing but cause confusion.
For other instances of dipshits trying to hijack language and make it worse, see "non-flammable" and the dipshits who insist that a kilobyte is 1000 bytes.
Your post is completely false, yet in typical Slashdot fashion idiots modded you up. There are different styles of razors for women - your standard razor is identical to a men's razor in basic design. It is used for arms, armpits, legs, crotch, neck, and face. Then there are the larger razors, often with a large block of lubricant surrounding the blades. These have a different handle design and are made for legs.
I'm fucking sick of the Source engine. I was sick of it on day 1. It's the pinnacle of camera-on-a-stick and unnatural movement. Source 2 will be more of the same, just updated for new shit. The engine itself will still feel like the turd it feels like today, and it'll still be terrible easy to hack, and VAC will still be terribly ineffective. No, I don't have a crystal ball, I've just been paying attention.
If the premise is that you don't trust closed hardware or software, then you cannot establish trust by using any closed hardware or software. If you have an open FPGA you'll need to program it with an open design using an open tool running in an open environment on open hardware. Unless you've built your CPU, memory, etc. by hand from open transistors and shit, you can't really trust it. And where are you getting your open electrons from?
I'm not sure I know what you mean. Where have I failed to grasp the relevant concepts? I'm merely criticizing the mistaken impression that TFS (which is apparently lifted directly from TFA) gives about what vdW forces are.
I'm saying you do exhibit a basic grasp of relevant concepts, that on Slashdot people who are correct usually get shat upon, and that the "experts" in TFA often don't have a basic grasp of the relevant concepts, as your post illustrates.
Irrelevant - if T-Mobile's T&C says you cannot use the service for bittorrent or other P2P protocols, and the T&C was available at the time the customers signed up, T-Mobile is fully within its remit to throttle these.
Irrelevant - if T-Mobile advertises their shit as "unlimited" then they need to be held to that.
Advertising claims, contracts, etc. should be enforced hierarchically, with the largest, loudest, most-repeated, etc. claims ruling over the smaller, hidden, whispered, or quickly-spoken ones.
You're lucky Slashdot doesn't have a "-1: Basic Grasp of Relevant Concepts", because I'm sure you'd be modbombed by it.
Maybe I'm just old, but I'm really sick of seeing articles, interviews, etc. where the "expert", often times an actual degree-wielding scientist, gets fundamental concepts completely wrong. Every time I hear someone explain lift with "air on the top of the wing has to move faster, so... lift!" I want to defecate into their open mouths.
No. And I don't own a fedora.
Keep trying though.
Yup. As soon as I saw "Jezebel" I knew what was up, and I knew that they brought it upon themselves. I also knew that they love it, because they get to play the victim card while spewing their hateful misandrist shit.
As if you understand how spam prevention works.
What happened here is that the spammers have turned over the fingerprint of their spam directly to the spam stoppers. By emailing these particular addresses they are directly supplying information that can be used to block spam. They don't need to 'confirm' these messages are spam, THEY ARE SPAM, by definition. They don't need to wait for several people to report them as spam, they don't need to manually inspect them or weight them as 'potentially spam'.
Spam one of these addresses then:
Your host is instantly on a blacklist in most cases.
URLs in the message are ranked as high probability of spam
The message is fingerprinted and added to anti-spam software
All of that without any user actually having to report it as spam, and thats just the simple stuff that happens.
This is EXACTLY WHY this list is online, to catch stupid spammers who aren't careful enough to avoid these addresses.
Its working EXACTLY AS DESIGNED. Hitting just one of these fake addresses can save it from hitting MILLIONS of real addresses.
So before calling someone else stupid, look in the mirror, you're at peak ignorant.
100% fucking wrong.
They're trying to log into these email addresses.
They addresses CANNOT be sent to - they are INVALID addresses for their domains.
It's right there in the fucking summary.
Mb? Really? You don't know the difference between Megabits and GigaBytes? You're off by a factor of 8192.
Not quite. You're confusing Mb with Mib and GB with GiB.
There are 1000 MB in a GB, not 1024. This was changed a while ago. I don't know why people haven't adopted the new rules. Science uses 1000 for everything, except for some things where it makes sense like temperature, and some things where other bases are much more convenient, like time.
But for computers we need to use 1000. Even though with computers things are binary and we need to deal with factors of 2 all the time, people might get confused between 1000 and 1024 when they buy a hard drive. So for science purposes we need to use 1000. I know this is confusing, but once everyone starts using 1000 for Kb and 1024 for Kib, and we update all the old references that people already wrote, it'll be much easier for everyone.
The next step is to change a byte to be 10 bits. Don't worry - the IEC and SI are already working on the best way to force this bullshit down your throat, too.
What tasks are you performing that your performance bottleneck is more often disk I/O than lack of memory?
Are you joking? 99% of shit you run will spend more time reading/writing from disk than waiting for free RAM.
And I have 2 high end SSDs in RAID 0.
It would never work for programmers or secretaries. Both groups rely heavily on punctuation, symbols, and formatting.
They more accurately measure the age at which you took the IQ test. The younger you are, the higher your score. Your age is nearly as important as your actual answers.
Your initial post in this thread exposed the fact that you don't know what the fuck a hash is, and thus don't know what the fuck you're talking about.
That's weird. My initial post nor the post I responded to said anything about hashes. My initial post was responding to someone talking about using a dictionary attack to get someone's password. I presume you falsely think my "initial post" was the one in response to AC-x which it wasn't. I also very much do know what a hash is. You and him seem to have a reading comprehension problem since you failed to understand my post. The point of my post was to say that, yes, having a password hash which you can use to try to recreate the original password does defeat what I stated, but that is tautological. If you can do an end run around the authentication protections it is no different than, as I said in an analogy, to having someone's PIN to their phone. I never once stated that having a hash was the same as having a plaintext password nor was their any such implication. Him stating that I believed the two were the same is basically a false presumption on his part by failing to understand my analogy.
You should have simply stopped posting, but here you are, digging deeper and deeper, committing more and more errors. You couldn't even quote a post properly.
I only messed up a quote once out of more than a dozen posts. Yeah, I totally don't know how to quote properly. Oh wait, I do.
Do you have an actual argument or just stupid ad homs like AC-x?
The fact that you've made a dozen (and counting) posts trying to re-re-re explain and rectify your mistakes should clue you in to the fact that you got called out for spewing bullshit and no one is buying the repeated attempts to retcon your hilarious error.
To clarify, I should say any brute forcing attacks rather than just dictionary attack. Any authentication program that allows unlimited tries without any rate limiting is totally broken.
You're absolutely fucking retarded and you need to stop. The vast majority of "authentication programs" are nothing more than:
if (HASH(inputPW & getSalt(inputUser)) == getHASH(inputUser))
successfulLogin(inputUser);
else
unsuccessfulLogin(inputUser);
How the fuck do you think people attack passwords once they have the hash? Rate limiting doesn't stop an offline attacking from succeeding on the first try online after it cracks the password offline. Rate limiting doesn't stop an online attack because an online attack is going to take forever due to the fucking latency. And with no latency, an online brute force or dictionary attack simply turns into a DoS attack if you have rate limiting enabled.
And as I've had to state over and over again (and this isn't meant against you wagnerrp), my statement about rate limiting, etc. was in the context of a post that did not mention an attacker already having compromised the system and having a DB dump with all the password hashes. That is a completely distinct scenario than the one I referred to and obviously would require other mitigations.
B u l l s h i t .
I've never understood why passwords can't be sentences, like "I'm going to take my dog, Spot, to the park today."
They can be, but it would be incredibly stupid to use something like that. A dictionary attack would crack that password in seconds.
What I do is have a single, strong password that I have stored only in my brain and all other passwords are hashed on-the-fly from that and the domain or name of whatever I need the password for. I get unique, strong password for everything, but only have to remember a single one.
Only if you're dumb enough to let authentication program be suspceptible to such an attack. Dictionary attacks can be trivially defeated by rating limiting tries and after, say, 5 tries not allowing any more attempts for some cooldown period. No attacker is going to bother if they can only have 5 tries every 15 to 20 minutes.
The post you replied to only mentioned "dictionary attack". Dictionary attacks are OFFLINE ATTACKS 99.999999% of the time.
The point he was making is that with proper procedure, a hash could never be attacked offline. As soon as the hash database were compromised, all hashes contained therein would be invalidated. The attacker could brute force that database to their heart's content, and no valid passwords would ever result from it.
This of course assumes the administrators are paying close enough attention to notice in short order when the database has been compromised, and that all users define a secondary means of contact through which to send a reset password. It also ignores the issue that most users use the same username and password across multiple sites, such that a pair compromised on one site and invalidated as described would still be valid on another site.
LOLWHAT
99% of the time, you won't notice your shit has been compromised until well after the fact. You typically learn of it when lots of users report that their shit has been stolen.
The best an administrator can do is expire the passwords and send a notice out to the registered email addresses of the users with a unique reset link. The attacker likely also knows the email addresses. Any user using the same password for your site and email is fucked if the attacker has cracked their password. The users using the same password for a random site and their email are typically the same users with shitty, easy-to-crack passwords.
The bottom line is that password hashes and salts are only as secure as the passwords themselves.
Hey Desler I really don't get you, you (appear to) know what a salt is yet you don't understand that an attacker would be performing the attack on the hash offline, with their own hardware. Rate limiting their own hardware would be, as you put it, the height of idiocy.
He's furiously reading (but not understanding) wikipedia as he types. It's pretty common on Slashdot, actually.
And before the grammar nazis come out, yes I accidentally typed you're instead of your. Let me go commit seppuku now.
The first rule of holes: When you're in a hole, stop digging.
Your initial post in this thread exposed the fact that you don't know what the fuck a hash is, and thus don't know what the fuck you're talking about.
You should have simply stopped posting, but here you are, digging deeper and deeper, committing more and more errors. You couldn't even quote a post properly.
And I would consider them planets.
Pluto is a planet. The definition of a planet is arbitrary, and always will be.
What makes your arbitrary definition of "planet" - one that allows you to declare without qualification that it is a planet - better than the IAU's?
Trying to forcefully change the definition after it's already in use is fucking retarded and does nothing but cause confusion.
Not when the old definition is itself revealed to be "fucking retarded" (technical term, is that?) and causes more confusion once more data becomes available.
see "non-flammable"
Did you mean "inflammable"?
and the dipshits who insist that a kilobyte is 1000 bytes.
What, like the dipshits at the the International Organization for Standardization? Just because you don't like it, doesn't make everyone else unquestionably wrong.
My definition makes more sense and is better because it's ALREADY IN USE.
You can't fucking change the meaning of a word willy-nilly, because that causes ambiguity. Does the speaker/author mean the new definition or the old one? When was this written? What was the more popular definition at the time?
For inflammable, look up the fucking Latin roots inflammare and flamma.
For kilobytes, again, the issue is about what was in use already and how changing shit adds ambiguity. Computer science has damn good reasons for using binary bases, the SI and other such organizations do not own the letters "kilo" not the letter k, such organizations have ambiguity in their own fucking rules, such organizations are not authorities for the language, and the big kicker, of course, is that the units in question aren't kilo, mega, etc, they're kiloBytes, megabits, etc. - there's never any ambiguity because you always have bits or bytes right there. And before you get started on trying to pull out some "gotcha" example where someone mixes them up: modems are rated in baud, not bits, storage manufacturers are liars who caused the mess in the first place, and I don't give a shit about how we have 1000 mbps ethernet or other such standards - it has no bearing on anything. Try again when we have memory measured in "gibibytes" or bus widths in factors of 10.
"Inflammable" means shit is capable of bursting into flames.
"Non-inflammable" means it isn't (easily).
"Nonflammable" was created by an asshat who wanted to remove confusion (which didn't exist).
"Flammable" was then created to be the opposite of the new fake opposite.
"Inflammable" is derived from the Latin inflammare, which means able to be set on fire. This is the correct usage.
"Nonflammable" is derived from "non" + "flammare", meaning to set on fire, + "able". This is completely fucking incorrect usage.
Pluto is a planet. The definition of a planet is arbitrary, and always will be.
Trying to forcefully change the definition after it's already in use is fucking retarded and does nothing but cause confusion.
For other instances of dipshits trying to hijack language and make it worse, see "non-flammable" and the dipshits who insist that a kilobyte is 1000 bytes.
http://image.made-in-china.com...
is angled less than
http://web.tradekorea.com/uplo...
LOL! Are you fucking serious? Your best example is a pair of 10 cent disposable pieces of shit that are nearly identical?
Your post is completely false, yet in typical Slashdot fashion idiots modded you up.
There are different styles of razors for women - your standard razor is identical to a men's razor in basic design. It is used for arms, armpits, legs, crotch, neck, and face.
Then there are the larger razors, often with a large block of lubricant surrounding the blades. These have a different handle design and are made for legs.
I'm fucking sick of the Source engine. I was sick of it on day 1. It's the pinnacle of camera-on-a-stick and unnatural movement.
Source 2 will be more of the same, just updated for new shit. The engine itself will still feel like the turd it feels like today, and it'll still be terrible easy to hack, and VAC will still be terribly ineffective. No, I don't have a crystal ball, I've just been paying attention.
If the premise is that you don't trust closed hardware or software, then you cannot establish trust by using any closed hardware or software.
If you have an open FPGA you'll need to program it with an open design using an open tool running in an open environment on open hardware.
Unless you've built your CPU, memory, etc. by hand from open transistors and shit, you can't really trust it.
And where are you getting your open electrons from?
Nope. They're doing unconstitutional spying, so they deserve to be drawn and quartered in the public square.
Fixed.