Slashdot Mirror


User: khasim

khasim's activity in the archive.

Stories
0
Comments
5,818

Comments · 5,818

  1. That's the problem I have with this. on Should Failure Be Rewarded To Spur Innovation? · · Score: 1

    Done PROPERLY I can see this being a major positive, especially for morale. "Hey, Bob went to pitch his idea today, but it didn't pan out. I think I see what killed it and I might have a solution for that..."

    You're "pitching" your idea to the VP of IT. Isn't the VP supposed to be somewhat intelligent on IT subjects?

    If someone else can take your idea and successfully "pitch" it with some changes then isn't the VP "playing favourites"?

    Otherwise, wouldn't the VP have been able to help you with the problems and get your idea implemented the first time around?

    Granted I also expect massive backstabbing if this is implemented wrong. Instead of collaboration it can very quickly devolve into theft and sabotage.

    I think it is even worse than that.

    "Failure" here is defined as "the VP did not sign off on your idea".

    So the only thing being "learned" from this "failure" is how to pitch your idea to that VP (or who gets the most sign-offs vs who gets the least). That's politics. And politics is all about backstabbing and back-room-deals.

    You should not be "failing" if you're doing something that 80%+ of the companies have to deal with.

  2. Re:Let me try to illustrate that. (Long post) on The Optimum Attack Rate For SSH Bruteforce? Once Every Ten Seconds · · Score: 1

    But you are being reactive. Wouldn't it be better to have the ssh user name different from the email name, and really different, so that it is difficult to deduce one from the other?

    Being completely non-related to your login ID is okay. It won't hurt anything by having it like that.

    But it also won't add any additional security if you follow the other steps I've outlined.

    It all comes down to the cracker being able to match (pretty much in order):
    1. your SSH server
    AND
    2. legit username on that server
    AND
    3. matching password
    AND
    4. complete the crack before the sysadmin takes action to break the attack.

    Note, 2 & 3 can be any authentication method used on that server. Including keys.

    That is why, if your server gets cracked via Internet-based brute force SSH attack (not a 0-day exploit or compromised credentials or such) then it is the sysadmin's fault.

  3. Let me try to illustrate that. (Long post) on The Optimum Attack Rate For SSH Bruteforce? Once Every Ten Seconds · · Score: 3, Interesting

    Do you have your system set up so that email names are not user names?

    At home? Yes.

    I think I see where you're going with that and I don't think you understand. Collecting email login names is easy.

    But being able to login to an outward-facing server (email or ftp or ssh or whatever) should be limited to a certain amount of failed logins (no matter from which IP address) per time period.

    The crackers would have to go through an ADDITIONAL step to try to match email login names with ssh login names and an ADDITIONAL ADDITIONAL step to match that name to a different type of server (such as ssh).

    Let me see if I can illustrate this.

    1. Attacking ssh on server A.B.C.D with username aaron - if there's any chance that the cracker can do it then the sysadmin failed. Even more so with "root" or "admin" or such.

    2. Collecting username aaron.aaronson via email spammer and then trying to attack ssh on server mail.example.com - more work for the cracker than scenario #1 but still the same as #1. If there is any chance that the cracker can succeed then the sysadmin has failed. SSH should only be allowed on the mail server from the inside interface.

    3. Collecting username aaron.aaronson via email spammer and then trying to attack ssh on servers in the block A.B.C.D through A.B.C.Z (and one of those is your SSH server). And the cracker is using multiple machines to make multiple attempts (one per machine) within time period X. - Again, if it works then the sysadmin has failed. Too many attempts in time period X should lock out the account for a set number of minutes. No matter how many IP addresses are involved.
    -continued-
    And that depends upon aaron.aaronson being a LEGITIMATE USERNAME ON THAT SYSTEM. Once the sysadmin sees that attack in the logs then the logins to that should be changed (ssh.aaron.aaronson or such) to break that attack if they were not already such. Or change them AGAIN (aaron.aaronson.ssh) and be aware that something leaked somewhere.

    4. See #3 except the logins are from multiple machines but only 1 login attempt in time period X so it never triggers the account lockout. Again, change the login names (ssh.aaron.aaronson) to break that attack (and did they leak?).

    In summary, getting your system cracked via SSH means that your sysadmin failed so many times.

  4. But it still would not work. on The Optimum Attack Rate For SSH Bruteforce? Once Every Ten Seconds · · Score: 3, Informative

    They'll use a dictionary attack that is spread over some number (dozens or more) of distinct botnet systems, making it very inconvenient for you the admin to try to block all those addresses.

    Who cares about blocking them? They're not getting in anyway. Blocking is just additional work that may cause problems.

    That said from my experience the botnets usually seem to do a white pages type list of common usernames and then try either blank or extremely common user names to try to get in by.

    That's the reason that they're not going to get in. They're using usernames that don't exist (unless the sysadmin is an idiot in which case you have the regular idiot problems and it's probably been cracked already through one of those).

    So you may also want to ensure that if you have users who use very common (English) first names as their login names, they are using strong passwords.

    If you're using JUST first names or last names as usernames then you have a bigger problem.

    Instead use something like one of the following:
    FirstnameLastname
    Firstname.Lastname
    FirstnameMiddleinitialLastname

    You should be able to easily distinguish the potential threats from the random script-kiddies. That being a REAL username on your system with hundreds of login attempts.

    And then you deal with that issue by changing the username. Then investigate how that username leaked.

  5. Isn't that useless? on The Optimum Attack Rate For SSH Bruteforce? Once Every Ten Seconds · · Score: 2

    I'm going to guess it was a dictionary attack because otherwise it is even dumber.

    That's 6 attempts per minute.
    360 per hour
    8640 per day
    60,480 per week
    3,144,960 per year.

    So unless you're allowing usernames such as "root" or "admin" or "administrator" AND using dictionary passwords wouldn't this fail? And be obvious in the logs?
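The lockout and triage logic described in comments 2 through 5 (per-account lockout after N failures in a time period regardless of source IP, the slow many-IP/one-attempt-per-window variant that never trips the lockout, and telling attempts on real usernames apart from script noise against names that don't exist) as an added example in Python; this is not code from the page or from its author. It reads OpenSSH's standard "Failed password for [invalid user] NAME from IP" auth-log format; the log lines, hostnames, usernames and addresses are constructed for the example, and the window and thresholds are illustrative assumptions, not recommended values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sshd log lines in OpenSSH's "Failed password" format. The host,
# usernames and addresses (documentation IP ranges) are made up for this example.
SAMPLE_LOG = """\
Apr 10 12:00:01 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Apr 10 12:00:02 gw sshd[4102]: Failed password for invalid user test from 203.0.113.6 port 40002 ssh2
Apr 10 12:00:03 gw sshd[4103]: Failed password for invalid user oracle from 203.0.113.7 port 40003 ssh2
Apr 10 12:00:04 gw sshd[4104]: Failed password for invalid user admin from 203.0.113.8 port 40004 ssh2
Apr 10 12:00:10 gw sshd[4105]: Failed password for aaron.aaronson from 198.51.100.1 port 40005 ssh2
Apr 10 12:00:20 gw sshd[4106]: Failed password for aaron.aaronson from 198.51.100.2 port 40006 ssh2
Apr 10 12:00:30 gw sshd[4107]: Failed password for aaron.aaronson from 198.51.100.3 port 40007 ssh2
Apr 10 12:00:40 gw sshd[4108]: Failed password for aaron.aaronson from 198.51.100.4 port 40008 ssh2
Apr 10 12:00:50 gw sshd[4109]: Failed password for aaron.aaronson from 198.51.100.5 port 40009 ssh2
Apr 10 12:01:00 gw sshd[4110]: Failed password for aaron.aaronson from 198.51.100.6 port 40010 ssh2
Apr 10 12:03:00 gw sshd[4111]: Failed password for bob.builder from 192.0.2.9 port 40011 ssh2
Apr 10 12:05:00 gw sshd[4112]: Failed password for carol.c from 203.0.113.21 port 40012 ssh2
Apr 10 12:15:00 gw sshd[4113]: Failed password for carol.c from 203.0.113.22 port 40013 ssh2
Apr 10 12:25:00 gw sshd[4114]: Failed password for carol.c from 203.0.113.23 port 40014 ssh2
Apr 10 12:35:00 gw sshd[4115]: Failed password for carol.c from 203.0.113.24 port 40015 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


class Failure(NamedTuple):
    when: datetime
    user: str
    ip: str
    real_account: bool  # False when sshd itself says "invalid user"


def parse_failed_logins(text: str) -> list:
    """Extract failed-login events; lines that are not failures are ignored."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog carries no year
        events.append(Failure(when, m.group("user"), m.group("ip"), m.group("invalid") is None))
    return events


def analyze(events, window=timedelta(minutes=5), lockout_after=5, distinct_ips_flag=3) -> dict:
    """Three things the comments ask for, per username rather than per source IP:
    - lockouts: a real account with `lockout_after` failures inside `window`, no matter
      how many addresses the attempts came from (the time the lockout would trigger);
    - leaked_candidates: a real account probed from many distinct addresses, which
      catches the slow one-attempt-per-window pattern that never reaches the lockout;
    - noise: attempts against usernames that do not exist here, counted only."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    lockouts, leaked, noise = {}, {}, defaultdict(int)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        if not evs[0].real_account:
            noise[user] += len(evs)
            continue
        # Sliding window over this account's failures, source address ignored
        for i in range(lockout_after - 1, len(evs)):
            if evs[i].when - evs[i - lockout_after + 1].when <= window:
                lockouts[user] = evs[i].when
                break
        ips = {e.ip for e in evs}
        if len(ips) >= distinct_ips_flag:
            leaked[user] = len(ips)
    return {"lockouts": lockouts, "leaked_candidates": leaked, "noise": dict(noise)}


if __name__ == "__main__":
    report = analyze(parse_failed_logins(SAMPLE_LOG))
    for section, entries in report.items():
        print(section, entries)
```

On the sample data the six rapid attempts on aaron.aaronson trigger the lockout at the fifth failure even though every attempt came from a different address, carol.c is never locked out (one attempt every ten minutes) but is flagged because four separate sources are trying a real account name, bob.builder's single typo is ignored, and the admin/test/oracle guesses land in the noise bucket because those accounts do not exist.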

  6. My vote is for on premises. on Good News: A Sustained Drop In Spam Levels · · Score: 1

    My vote is for on premises. Mostly because I used to be responsible for the email system at a former employer.

    The key benefit is the amount of logging you can set. I knew EVERY connection that was made (incoming and outgoing).

    If someone complained about email I could tell EXACTLY what was attempted / completed and when and what the error/completion message was.

    So I was able to set up a lot of spam trap addresses and use those to improve the filtering in real time (bayesian analysis rocks).

  7. Re:When is video good? Only when text is not bette on On Slashdot Video, We Hear You Loud and Clear · · Score: 1

    The first link should be to the transcript.

    At the top of the transcript should be a link to the video.

    If the transcript makes you want to watch the video then you can click on the link at the top and watch it.

    And in a related note, NO SLASHVERTISEMENTS that are not clearly labelled as such and blockable.

  8. Where were the cats? on On Slashdot Video, We Hear You Loud and Clear · · Score: 1

    Timothy thought it'd make for a quick, silly, completely non-serious video.

    How long have you been using teh innerwebs? Any silly video has to have cats or some other cute animal.

    Scottevest's whole pitch is clothing that you can store a lot of electronic gadgets in.

    So trying to make a "silly" video about using a product in exactly the way that product is MARKETED ... and you did not think it would appear as an advertisement?

    I don't think you understand what "loud and clear" means.

  9. I totally believe that. on On Slashdot Video, We Hear You Loud and Clear · · Score: 2

    Believe it or not (and many won't), none of the videos were paid for.

    Why wouldn't anyone believe that? Just because they seem to focus less on the tech and more on the commercial product of a specific company?

    People have been accusing us of slashvertising for years -- it generally just makes us chuckle, since it's so far removed from reality.

    See? If we laugh then it means that you were wrong. Because otherwise we wouldn't laugh, would we?

    If some random company -- or some person who happens to work for a company -- is doing something legitimately cool, would you want to hear about it?

    Is it something that other companies and other people are ALSO doing?

    Let's see a video about the cool new features of The Ford Motor Company's newest, coolest truck, the 2012 Ford Explorer (tm) named North American Truck of the Year in 2011.

    That is an advertisement.
    A video about Bluetooth in cars now is an article.

    Really, we're just tech nerds who like playing with new gadgets/reading new books/playing new games.

    Then you have to be aware that people will try to use you for advertising. Whether they pay in cash or toys or whatever.

    What about reviews?

    If you do them correctly. What good is a single review of a single product in a single class? That is an advertisement for that product.

    In order for it to be a review you would have to compare it to previously reviewed products by other vendors in the same class.

  10. Mod parent up! on On Slashdot Video, We Hear You Loud and Clear · · Score: 5, Insightful

    I'd go further, though.

    Tag all the "slashvertisements" as such and allow them to be blocked.

  11. Keep it going. on NBC Apologizes For Editing Zimmerman 911 Call · · Score: 1

    You don't understand that I used a rhetorical device meant to get you to admit unwarranted claims of racism exist in this case.

    So you made an unwarranted charge of racism to get me to call you on your unwarranted charge of racism.

    My obviously sarcastic (well, for those who can read) unwarranted claim of racism mirrored the unwarranted claims of racism that sparked this whole issue.

    Ah, so when you make a racist statement then it is "sarcastic".

    Keep it going. I'm bookmarking this.

  12. Keep it going. on NBC Apologizes For Editing Zimmerman 911 Call · · Score: 1

    You aren't close to understanding.

    I understand that you made unwarranted allegations of racism.

    You are a troll.

    You are a troll that makes unwarranted allegations of racism.

  13. Keep it going. on NBC Apologizes For Editing Zimmerman 911 Call · · Score: 1

    You are close to understanding.

    I already understand. I'm using this thread to show what a troll you are.

    Keep it going.

    You just admitted injecting racism is wrong, so apply the concept equally.

    YOU were the one that accused ME of racism.

    You lose. But keep this going because I'm going to bookmark it.

  14. I didn't expect logic from you. on NBC Apologizes For Editing Zimmerman 911 Call · · Score: 1

    That's how this whole thing got started. I'm just making such unwarranted charges to point out that fact.

    I didn't expect logic from you and I am not disappointed.

    Sorry, but when you make unwarranted allegations of racism, you lose.

    You lose.

  15. Do you believe in Santa, too? on NBC Apologizes For Editing Zimmerman 911 Call · · Score: 1

    So despite no one else claiming that there are photos.
    And no one claiming that photos were ever taken.
    And no photos being presented as evidence .....

    You still believe that there are photos.

    And that the cops are concealing the photos.

  16. Looks like you lose. on NBC Apologizes For Editing Zimmerman 911 Call · · Score: 1

    No. Following is not aggression.

    Why don't you try that? Pick a woman you don't know and follow her around a bit.

    How about you look up the term "stalking"? Not only is it aggressive, it is illegal.

    The broken nose has been reported.

    It has been claimed. It has not been substantiated.

    Zimmerman was also treated by paramedics at the scene, so any blood was likely cleaned up at that point.

    From a broken nose? Without any sign of bruising or damage in the video? Those are pretty good paramedics.

    It also doesn't mean all you racist profilers should be so eager to throw the Hispanic in jail.

    Wow! Unwarranted charges of racism now.

    But I am not surprised based off of your inability to understand the evidence already provided.

    Looks like you lose.

  17. How do you think that? on NBC Apologizes For Editing Zimmerman 911 Call · · Score: 1

    If Zimmerman is correct, then Martin was never a victim.

    Did you miss the part where the cop on the 911 call told Zimmerman not to follow Martin?

    If Zimmerman was following Martin then Zimmerman was the aggressor.

    Laying on your back on concrete getting your face punched tends to bang the back of your head on that concrete, especially if you're trying to raise your head when punched.

    Yet the video does not show such damage to the front of Zimmerman's face.

    He was shown in the video with a laceration to the back of his head, and he was treated for a broken nose.

    Again, the video does not seem to show a broken nose. Nor have such records been released.

    Your claims don't seem to be supported by the available evidence.

  18. How was that communicated? on NBC Apologizes For Editing Zimmerman 911 Call · · Score: 1

    From Zimmerman's stated point of view:

    Yeah. I got that.

    My question was about how the original victim (Martin) would know that the situation had changed and that he (Martin) (the original victim) was no longer a victim.

    On the way back to his truck, that guy confronts him, hits him, knocks him to the ground and begins pounding his head against the concrete.

    First off, how was he pounding his head against the concrete? Zimmerman's hair was pretty short. Unless you claim that 160 pound Martin was lifting Zimmerman's torso.

    Secondly, did you read my post? How is Martin supposed to KNOW that Zimmerman is not following him any more?

    Sounds like a big threat when he's banging your head against the concrete.

    You seem focused on that yet the available evidence does not support any means for Martin to accomplish that.

    Where, specifically, was Martin grabbing Zimmerman in order to provide the leverage for such?

  19. I guess that depends upon your definition. on NBC Apologizes For Editing Zimmerman 911 Call · · Score: 1

    No photos that they have released. Which they are under NO obligation to do.

    Sooooooo .... they can claim that they have photos that support their actions .... but they are not going to show them to anyone.

    Really? That's the best you have?

  20. Okay, you're an idiot. on FTC Fines RockYou $250,000 For Storing User Data In Plain Text · · Score: 1

    Say you login to Facebook. Okay. Login complete. One way hash is fine. Now say, Facebook had a feature where it would check your gmail account for you, just provide the password.

    Yeah, you might want to look up what "third party" means because you don't seem to understand that it means exactly what you just posted.

    So you provide it with your gmail account password. Now how the hell is Facebook going to login to your gmail account if it doesn't have the plain text password?

    Simple, encrypt it and store the encrypted value.
    What's the encryption key? It's based off of your password on MY system (which IS hashed and salted). So I never need to store it.

    You login on MY system and your gmail password gets decrypted and sent to gmail to log you in over there.

  21. How? on NBC Apologizes For Editing Zimmerman 911 Call · · Score: 1

    But Zimmerman's version is that he lost Martin, which legally ends that confrontation.

    From Martin's point of view, how would that be possible?

    Some guy is pursuing you.
    You run and hide.
    You look out and see the guy.
    How can the guy legally shoot you now?

    Remember to ignore the "little kid" image being projected in the press. Martin was 17 years old and 6'2" tall, easily able to be a real physical threat to Zimmerman.

    And he weighed either 140 or 160 pounds. That does not sound like much of a threat. Particularly when Zimmerman has a GUN!

    If Martin's fingerprints are NOT on the gun then Zimmerman has no excuse for killing Martin.

  22. Mod parent up. on NBC Apologizes For Editing Zimmerman 911 Call · · Score: 4, Insightful

    The police have yet to explain all the things that they did NOT do in this case.

    No drug/alcohol test for Zimmerman.
    No checking Martin's cell phone.
    No photos of the damage to Zimmerman that would support Zimmerman's claims.

    The cops are looking rather incompetent. So WHY are the cops incompetent?

  23. And what was he using? on NBC Apologizes For Editing Zimmerman 911 Call · · Score: 1

    If Martin WAS smashing Zimmerman's head onto the ground what was Martin holding on to to do so?

    Zimmerman's hair from the video was really short. So Martin wasn't holding onto Zimmerman's hair.

    Or are people claiming that a 160 pound kid could lift Zimmerman's torso by grabbing Zimmerman's shirt and use that to smash Zimmerman's head onto the ground? That sounds even less likely.

  24. Let me try a different way. on FTC Fines RockYou $250,000 For Storing User Data In Plain Text · · Score: 1

    Would you be able to build a system as you described (impersonating you via login credentials to a third party) AND have that system use only hashed passwords?

    I could and my programming skills suck.

    My point being that hashing passwords does not violate any laws of physics. If they built the system in such a way that it required clear text passwords then that was a decision that they made based off of their limitations and such.

  25. Re:Layers of problems. on FTC Fines RockYou $250,000 For Storing User Data In Plain Text · · Score: 1

    Not necessarily. If your website depends on impersonating you via login credentials to a third party, then without that website's cooperation, the login information is going to have to be stored in the clear.

    And after the first fine of $250,000 for losing passwords stored in the clear that entire system is going to be re-evaluated.

    That was my only point: The headline and article indicate the FTC fined them because that information was stored in the clear, not gross negligence on the part of the web designer and company which allowed that information to be leaked.

    I don't disagree with you on that. But I'm saying that the decision to build the system in that specific way (including the inclusion of the SQL injection vulnerability) is based upon the limitations of the people who made that decision.

    Once you add the $250,000 fine and the chance of future fines I'm sure that they will re-visit that entire system and re-build it in such a way that passwords will be hashed.

    That is what the FTC should be punishing: Lack of code auditing, lack of access controls, etc. They should be saying the design was defective, instead of saying the data format was.

    Again, I'm not disagreeing with you. I'm saying that the decision to build the system in that way (lack of code auditing, lack of access controls, data format, etc) was based upon the limitations of the people making that decision back then ... and if they HAD known that they'd be slapped with a $250,000 fine for it they would have done it differently.

    And I'm sure that part of that different system would have been hashed passwords.
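The design sketched in comment 20 and defended in comments 24 and 25 (the site stores only a salted hash of the user's own password, and the third-party credential is stored encrypted under a key derived from that same password at login time, so nothing sits in the clear) as an added example in Python; this is not the author's code nor RockYou's or any named site's. It uses only the standard library: PBKDF2 for both derivations, with separate salts so the stored login verifier cannot be turned into the encryption key, and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a stand-in for a proper AEAD (a real deployment would use AES-GCM or similar from a crypto library). Iteration count, salt sizes and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Illustrative parameters for this example, not recommendations.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32


def _pbkdf2(password: bytes, salt: bytes) -> bytes:
    """Slow, salted derivation used for both the verifier and the KEK, always with
    different salts so one value can never be computed from the other."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS, dklen=KEY_LEN)


def _subkey(kek: bytes, label: bytes) -> bytes:
    """Domain-separated subkeys so encryption and authentication never share a key."""
    return hmac.new(kek, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib-only stand-in for a stream cipher."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(site_password: bytes, third_party_password: bytes) -> dict:
    """What the server keeps: a salted verifier for login plus the third-party
    credential encrypted under a key only the user's password can regenerate.
    Neither password appears in the record in the clear."""
    verifier_salt = secrets.token_bytes(16)
    kek_salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    kek = _pbkdf2(site_password, kek_salt)
    ciphertext = _xor(third_party_password,
                      _keystream(_subkey(kek, b"enc"), nonce, len(third_party_password)))
    tag = hmac.new(_subkey(kek, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return {
        "verifier_salt": verifier_salt,
        "verifier": _pbkdf2(site_password, verifier_salt),
        "kek_salt": kek_salt,
        "nonce": nonce,
        "ciphertext": ciphertext,
        "tag": tag,
    }


def login_and_recover(record: dict, site_password: bytes):
    """Login: check the verifier, then (and only then) rebuild the KEK and decrypt
    the third-party credential for immediate use.  Returns None on any failure;
    the KEK and the plaintext exist only for the duration of this call."""
    if not hmac.compare_digest(_pbkdf2(site_password, record["verifier_salt"]), record["verifier"]):
        return None
    kek = _pbkdf2(site_password, record["kek_salt"])
    expected_tag = hmac.new(_subkey(kek, b"mac"), record["nonce"] + record["ciphertext"],
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, record["tag"]):
        return None  # stored blob was altered, or keys do not match
    return _xor(record["ciphertext"],
                _keystream(_subkey(kek, b"enc"), record["nonce"], len(record["ciphertext"])))


def change_site_password(record: dict, old_password: bytes, new_password: bytes):
    """The cost of this design: the KEK is tied to the site password, so a password
    change must re-wrap the credential while the old password is still known.
    A server-side reset without it cannot recover the third-party secret."""
    secret = login_and_recover(record, old_password)
    if secret is None:
        return None
    return enroll(new_password, secret)
```

The point comment 24 makes, that hashing the site password does not violate any laws of physics even when the site must impersonate the user elsewhere, is exactly what `enroll` and `login_and_recover` show: the stored verifier is a hash, the third-party password is only ever decrypted in memory during a successful login, and a database dump yields neither. `change_site_password` records the one real constraint this buys you.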