It has been a few years since it migrated from a Linux fanboy-only site to a more democratic one. Today, you'll find Linux fanboys, Apple fanboys and, surprise, even Microsoft fanboys! But more importantly, you'll also find people impartial enough to not be a fanboy of anything.
You're right about the absence of significant suppression letting the number grow. But unless I'm wrong, at least half of terrorist fatalities are due to suicide attacks. I think it would be unrealistic to say that suicide attacks would scale to the point that the statistic would become more significant than it is.
I also have a difficult time imagining non-suicide attacks perpetrated on airplanes coming from one or more passengers. There are hijacks, but they are usually for ransom, not for non-suicide terrorism.
Finally, nobody is saying that we should abandon all measures: just stop the useless harassment. Or in my case, stop pushing the government toward such absurd measures for fear of something so unlikely to kill me.
Tell that to the people scared of the terrorists... You can also join this chart to your argument.
The reference to Inspector Columbo was just a metaphor :) It doesn't have to be him. Just people with a certain training.
The only reason why a corporation would be kept from abusing you is justice, which depends on laws, which are made by the government.
Remove the government and there will be no laws, hence no justice.
In such a setting, the strongest win. Good luck fighting the corporations then.
Please do call me dense. From you that seems to be a compliment.
I hope that you at least feel better now :P
To summarize, there's not enough evidence of either one thing or another (yet). So drawing conclusions would be premature. Calling it cheating is amusing, though.
You should have tried rebooting... oh wait, wrong thread.
You're all targeting the wrong problem.
It's not so much the government wanting to spy on you to perpetuate itself in power. It's the general populace that is so, oh so much afraid of dying in a terrorist attack that demands action. Any action!
Those people -- the majority of people, it would seem -- will scream and sue if something happens and they have the slightest excuse to say that the government didn't do enough to keep them safe.
It's the people that won't accept the bargain of having a 20% free country which is 98% secure if they can be 98.1% secure with 10% freedom.
I'm sorry to tell you, but if you accept that bargain, you're the exception.
This fear didn't come from the media nor the government. It came from inside each and every one.
Today's generation can't live with the idea of having a 0.001% chance of dying in a terrorist attack or having a relative fall to that statistic. The vision of the WTC crumbling to dust with 5000 people inside is too terrifying.
Before pointing the finger at the government, people should first review their concepts. Get things into perspective.
Getting into a shower and being tentative about the temperature. If you do not have any fear, would it even cross your mind to test the temperature or would you just step in and burn yourself?
I don't fear the pain or the temperature. I know I don't like the pain, so I'll be cautious.
If, on the other hand, I wouldn't take a shower because I once got burned, even if I know that I can control the temperature, that would be pure fear.
In a military setting, would you see a lot more accidental shootings by individuals who do not turn on the safety of their gun? You usually turn the safety on to not misfire the weapon and accidentally shoot someone (i.e. afraid of killing someone or afraid of the consequences of shooting someone).
Again, could be fear or a rational decision. "Being afraid of" is often just a figure of speech. The soldier is probably really afraid of being killed, but I'm not so sure he's really afraid of accidentally shooting someone else, except for the reaction of his peers.
People are afraid of dying, yet many would rather not wear the seat belt in cars. Others would not get out of their houses.
Are these choices fear based? How do you differentiate between someone walking into a battlefield and not being afraid of combat versus someone burning or hurting themselves in normal daily life.
You cannot tell if the battlefield guy isn't afraid of combat or if he's just able to rationalize his fear.
Here's my suggestion on how to identify each case:
Fear: a feeling. It makes your heartbeat accelerate, can startle, will push you away from the situation regardless of what you think, like people who squeeze the chair's armrest during a horror movie because they think that something startling is going to happen.
Rationalization: thought process. Consciously analyzing that if A then B. You know it's just a movie.
What's important isn't when is it fear and when is it rational, but can you rationalize even when you're afraid?
When people identify fear as a negative impulse, they are actually complaining about things that stupid people fear, which are usually artificial constructs, and are usually controlled by fearmongering demagogues spreading propaganda for political purposes.
I knew those spiders were up to no good!!!
Most of your argument is the analysis I requested. To me, it's what's important.
This:
Not to mention that I don't see clearing my bank accounts as an unrelated use case. It is a possibility for somebody who can crack the right passwords.
It's unrelated because once the attacker has the password, there's nothing keeping him from using it right away. So changing the password every X time is obviously not effective in this case.
Of course, having our bank accounts safe (not cleared) is important. That's why we have so many security measures being discussed, including changing the password every X time.
Simple: brute force is not the only way to get a password.
And changing the password every X time is not the only rule employed...
E.g. if the password hash is leaked and there is a matching rainbow table, a password for your hash is known immediately.
It's a possibility. I have no idea of the likelihood of such a rainbow table also being available along with the password hash. Do you?
(You also forgot that hash functions are not 1:1 mappings; multiple passwords map to the same hash.)
I didn't. I just wanted to make the example simpler and shorter to follow. This could be accounted for by my division of the number of necessary attempts by half. Unless you think otherwise?
Similarly, if the password is captured by a trojan or by a video camera. That is probably the most likely attack vector; brute-forcing is very expensive.
I don't know about that either. See the PS3 guy in previous post...
So there are situations where the password is known from the start.
In that case, changing it every X time has no value, so I don't see the point of investigating this use-case except as a strawman to say that changing every X time has no value per se.
Also, your analysis is flawed: you assume an attacker systematically checks all sequences of allowed characters. If you check, you will see that the programs trying to crack passwords try a dictionary attack and do permutations on the dictionary, as most people are not able to memorize a long random string of characters.
If you read the thread, you probably saw that I chose to remove the "easy to get" from the use-case since they also have no value to this discussion. See previous answer and further analysis below.
Your analysis has a second flaw: you assume interest in exactly your password. In most cases that is unlikely; an attacker of a business will try to get hold of one password to get into the system and then try to elevate the privileges, so any password will do, therefore you would go after the weakest, not the strongest.
If the attacker can eavesdrop on you, no password rule applies. Whatever password you use, he'll get. So this use-case is not valid to this discussion.
Now, in a system with the following rules:
1. Password must have at least 8 characters.
2. Password must have lower case letters, upper case letters and numbers.
3. Password must not contain dictionary words or names.
4. Password expires after 2 months.
5. Password must not be the same as one of the last 5 used passwords.
I'm looking specifically into the validity of rule 4 in such a system.
I don't think an attacker can use dictionary guessing due to rules 2 and 3.
Rule 5 helps avoid the use of the same password too soon, so it works along with rule 4.
Due to rule 1, the attacker will rather try to crack each and every password hash he has, all at once, else he would never know if the one password he's brute-forcing is 8 or 30 characters long.
So if he gets hold of 200,000 password hashes, you'd better multiply the number of hash generation attempts by that, which makes it even longer.
All that considered, I still have the impression that the "specialists" simply focused on the wrong use-case. Then again, I'm not a specialist, so I'm eager to see that better explained than you just tried to do.
I think he got it and was asking for the tries per second on the hash, as in 10, 10000, etc.
The answer is: I don't know. But I can estimate it:
To go over the entire space of one single password with 8 characters by brute force, considering 64 valid ASCII symbols (could be more, could be less, depending on the system), it should take 64^8, or 281,474,976,710,656 attempts.
It should be equivalent to a 48-bit key. For that password to be the equivalent of a 128-bit key, it should take some 22 characters in length.
Since not every password is at the end of the spectrum of the attacker's attempts, I suppose it would be safe to say that it would take half of that, on average. Or 140,737,488,355,328.
If the attacker is concentrating on only one single password, he'd need to be able to make some 27,148,425 attempts per second.
This guy seems to be able to make 1,400,000,000 of them with a PS3, so he'd take about 28 hours.
With a single PlayStation 3.
He says that PS3s are specifically good at that, so maybe that's the best bet. Except for clusters of PS3s.
So, an 8-character password in a system with 64 valid ASCII symbols would be the equivalent of a 48-bit key. To have the equivalent of a 128-bit key we'd need a 23-character password. I guess that's why they call it a passphrase...
In that case, the PS3 guy would take 3,853,672,525,287,862,210,347 years. A little extreme.
So how long should the password be in a system with a 2-month change policy to be safe at least from the PS3 guy?
Answer: a 54-bit key, or... 9 characters! Not that bad already...
In any case, as I said in the end of my first post, I don't get into the merit of the theory. I just question why the "specialists" always seem to analyze the question from unrelated perspectives such as "if you change your password every two months, then the maximum time an attacker will have to use the password (as in the attacker already has it from day 0) is 2 months" instead of "the maximum time an attacker will have to discover and use the password is 2 months".
You know, like the kind of analysis that I, non-specialist, just did.
This again. Just like that lady from Microsoft who challenged the 7 password rules.
I am not a security specialist. Yet I seem to know something they don't: that "frequently" changing the password is meant to keep brute force over the password hash from being profitable, not to stop a person who already knows the password from using it.
Example: excluding the dictionary-based, shorter-than-8, all-lower-case, etc. passwords, which are broken easily, let's suppose it takes 2 months to break a good password's hash by brute force.
If your system obliges you to change your password every 2 months minus 1 day, then when the attacker finally breaks the old password it's no longer valid. The bonus would be to catch the attacker when he tried to use it.
That's the theory. If it works or is worth the trouble, I don't know. But I'd love to see that being discussed by the so-called specialists instead of unrelated use-cases.
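The brute-force budget behind the PS3 estimate above and the "2 months minus 1 day" rotation argument, as an added example that is not code from the original thread. It assumes (constructed for this example) an attacker with a leaked hash guessing at a fixed rate, a 64-symbol alphabet, half the keyspace searched on average, and "2 months" taken as 60 days; the salted/unsalted split at the end goes one step beyond the thread, showing why the 200,000-hash multiplier only applies when hashes are salted.

```python
"""Brute-force budget for the password policy discussed in the thread.

Added example, not code from the original posts.  Constructed assumptions:
the attacker has a password hash and guesses at a fixed, known rate; the
alphabet has 64 symbols (6 bits each); on average half the keyspace is
searched before the right candidate is found; "2 months" means 60 days.
"""
import math

SECONDS_PER_DAY = 86_400
ROTATION_WINDOW_S = 60 * SECONDS_PER_DAY   # assumption: 2 months = 60 days
PS3_RATE = 1_400_000_000                   # guesses/s quoted in the thread
ALPHABET = 64                              # assumption: 64 valid symbols


def keyspace(length: int, alphabet: int = ALPHABET) -> int:
    """All candidate passwords of exactly `length` symbols."""
    return alphabet ** length


def equivalent_bits(length: int, alphabet: int = ALPHABET) -> float:
    """Strength of a uniformly random password expressed as a key size in bits."""
    return length * math.log2(alphabet)


def expected_attempts(length: int, alphabet: int = ALPHABET) -> int:
    """Average guesses before the target is hit: half the keyspace."""
    return keyspace(length, alphabet) // 2


def seconds_to_crack(length: int, rate: float, alphabet: int = ALPHABET) -> float:
    """Expected wall-clock time at `rate` guesses per second."""
    return expected_attempts(length, alphabet) / rate


def rate_needed(length: int, window_s: float, alphabet: int = ALPHABET) -> float:
    """Guess rate an attacker needs to finish inside a rotation window."""
    return expected_attempts(length, alphabet) / window_s


def min_length_for_window(rate: float, window_s: float, alphabet: int = ALPHABET) -> int:
    """Shortest length whose expected crack time exceeds the rotation window,
    i.e. where an expiry rule (rule 4) starts buying anything against this
    attacker."""
    length = 1
    while seconds_to_crack(length, rate, alphabet) <= window_s:
        length += 1
    return length


def total_attempts(length: int, hash_count: int, salted: bool,
                   alphabet: int = ALPHABET) -> int:
    """Work to sweep the keyspace against a dump of `hash_count` hashes.

    Unsalted: each candidate hash is compared against every leaked hash at
    once, so the whole dump costs about one sweep.  Salted: each account
    needs its own sweep, so the work grows with the number of hashes; that
    multiplier is what per-user salting buys the defender."""
    sweep = keyspace(length, alphabet)
    return sweep * hash_count if salted else sweep


if __name__ == "__main__":
    for n in (8, 9, 23):
        hours = seconds_to_crack(n, PS3_RATE) / 3600
        print(f"{n} chars ~ {equivalent_bits(n):.0f}-bit key: "
              f"{expected_attempts(n):,} expected guesses, {hours:,.1f} h on one PS3")
    print("rate needed to beat 60-day expiry at 8 chars:",
          f"{rate_needed(8, ROTATION_WINDOW_S):,.0f} guesses/s")
    print("shortest length that outlasts 60 days against one PS3:",
          min_length_for_window(PS3_RATE, ROTATION_WINDOW_S))
```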
Your example is great, and so is the argument against forbidding locked down devices. But I fail to see the link between that and government involvement.
Unless the government is involved there won't be any of either rights granted.
To me, excluding the government means everybody is free to do whatever they want with zero limits. Your neighbor can kill you and only somebody with a bigger gun will be able to do anything about it.
If you put yourself and a corporation in that competition, guess who wins...
If you're going the greasemonkey way, just use it to set the rate to whatever you want :)
Wow! This might actually work!
If the only thing I have to fear about is PeekYou, then I'm utterly anonymous.
AIX's SMIT had an option to tell you the command it was about to execute. I wonder if SMIT is still around...
And code repositories: most businesses use svn, git or cvs, all of them open source from what I know.
I regret to tell you that where I work we're forced to use MKS. But the development centers that know what version control is for end up using something else for the day-to-day work (like SVN) and then export it to MKS when the work is done, just to conform to Corporate rules.
You should work on your sarcasm. It almost made me believe that you were serious.
But of course you aren't. Who would try to beat on a post just because of grammar and say nothing about its contents?
Or worse, who would do it ignoring that "media" is used as a mass noun for the agencies of mass communication and not just as the plural of medium?
Because how could they anticipate that someone would want to download a PDF from Safari and e-mail it.
They may have recognized that copying a link to the PDF and e-mailing that link is probably just as effective for most users.
Try that with a link to an intranet or any site with restricted access. I'd love to hear what your recipients will tell you.
You'd figure on a tech site like /., folks would have a little idea of the amount of volts and amps a lightning bolt carries.
Of course we do! 1.21 gigawatts!
I can't tell, I haven't read it.
On the other hand, I find the Dune books by Frank Herbert an interesting mix of sci-fi and fantasy. I wonder if you agree and if it bothers you?