Slashdot Mirror


User: plover

plover's activity in the archive.

Stories
0
Comments
7,233
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 7,233

  1. Re:Brute-force password guessing not a problem on GPUs Used To Crack WiFi Passwords Faster · · Score: 2, Interesting

    The old (very old) password cracking programs I've played with allow the user to set up rules to guide guesses. You'd fill out a series of patterns, and if possible base them on passwords you know your target has used in the past. For example, I knew a friend commonly substituted digit 1 for letter i, so added a rule of s/i/1/ to the list of modifications to dictionary words. (I eventually found his password was k3rm1t.)

    Like most things, the answer of "is your security weaker" is "it depends". You certainly aren't doing yourself any security favors by telling us you might have a movie quote as a pass phrase, even in an example. This is information that may have made your router's password significantly more guessable.

    First of all, I'd want to physically locate you first to avoid wasting time cracking the wrong router. That should be fairly easy. Tools like Google and Wigle might help me narrow it down to exactly you. I'd start guessing with the notion that you might use a quote from a movie as your pass phrase, or perhaps the first letters of a quote as a pass phrase. A script running through IMDB could theoretically yield the quote your current pass phrase is based on, and there are dozens of web pages devoted to movie quotes of just about every genre. I'd start with quotes from movies featuring Samuel Jackson, anime movies, and episodes of American Dad and South Park. I would guess you'd write it in all lower case, but anotherTestWithCamelCase is cheap. I know you might also separate the words with some common symbol/number pairs, and that you've done them in 1-2-3 order, so I would add various rules to test the movie phrases that way. Twice in your examples above you've post-fixed a symbol/number to your phrases, so I'd add that pattern, too.

    Failing to find your pass phrase among the movie quotes, I'd move on to video game quotes and slang, maybe some Ozzie lyrics or other metal lyrics, CD liner notes, and possibly even some quotes from literature. The point is the GPU is screamingly fast, and can try billions of permutations of each of these, and the real bottleneck would likely be having to scoop up all these sources of quotations from the net.

    Now, given that you're posting to Slashdot, I'm hoping you'd be a bit more clever than all this, and you've posted the above as a pile of misdirection. I'd only give myself about a 5% chance of actually guessing your pass phrase, even with the tools above and the hints you provided. But those are a hell of a lot better odds than trying to guess a truly random password. The other thing working in your favor is that you're pretty young and thus likely broke, so no serious criminals have the profit motivation to hunt you down and start hacking away at your wireless. Now, if you were "Senator Adams from the Great State of New Jersey," or "Millionaire Adams, the Sausage King of Newark," then there'd be a bit more incentive. That's what happened to both Palin and Obama.

    The thing you should take away from this is: it wouldn't hurt to change your passphrase right now to some cryptographically random value. You've likely given away too much information already. But the chances are greater that nobody really cares what your pass phrase is. :-)

  2. Re:Full disclosure on GPUs Used To Crack WiFi Passwords Faster · · Score: 1

    Think of the tools that aren't released for a reason.

    Not releasing the tools is why we have such big problems. There are bugs identified all the time, but vendors routinely ignore them or just sit on the patches. That means anyone else smart enough to figure out the bugs can abuse them until the vendor issues the fixes.

    The way things effectively get fixed right now is the (good) hackers give advance notice to the vendors, but they also let the vendors know when they're going public with the flaw. When they go public, they have to demonstrate the bug with some exploit code. That code, wrapped in a script, is effectively a tool for the script kiddies. And it doesn't take that much scripting to make a giant, fast tool.

    The professional bad guys already have the malicious code designed, written, and tested. They have their malware servers hosted and on line, and are waiting for clients. That is all done well in advance. But now, they are not just sitting around waiting for the next announcement. They're busy analyzing code themselves, discovering flaws, and exploiting vulnerable equipment. The more victims they can infect before the independent discovery of the bug by a good guy and the deployment of a patch, the more data they can steal, the more money they make, and the worse the real problems are for the rest of us.

  3. Re:Full disclosure on GPUs Used To Crack WiFi Passwords Faster · · Score: 1

    Never underestimate a horde of script kiddies with a good script.

    My point is that horde is acting as the advertisement and providing the impetus for getting the problems fixed. But the problems are never created by the tools, they're just exacerbated by them.

    That's why we should celebrate these cracks, and take advantage of them. If my boss sees a news article that says "Hackers crack bad WPA passwords", I know he'll email me asking me to tell him how we generate our passwords. If I say, "I opened the dictionary to a random page and wrote down the first three words I saw, but it doesn't matter because until you give me a budget increase, we're still running WEP", he'll give me the budget to upgrade the equipment to WPA, then I'll set the passwords to something strong, and then he'll fire me for being an idiot in the first place. But at least he'll do something about it, and that's the key.

  4. Full disclosure on GPUs Used To Crack WiFi Passwords Faster · · Score: 4, Insightful

    People who whine about these being "irresponsible" or "bad for security" always seem to forget that the bad guys may already have written stuff like this and are putting it to use. By publishing this software, it makes everyone aware that it's never safe to turn a blind eye to poor security practices.

    If some security manager reads this, goes back to work, and says "OK, change all our WPA passwords, our current ones may not be secure", he will be making a real improvement to his network. He might even be locking out an existing hacker in the process.

  5. Re:I hate it when people venerate/elevate scumbags on Interview With an Adware Author · · Score: 1

    Bigger problems get more attention. The more people exploit a flaw, the bigger a problem it is.

    This is the fallacy at the root of your idea. In reality, the truth is the opposite: the more people exploit a flaw, the higher the chances it will get fixed.

    How many bank sites were compromised before people found all the flaws in IIS? How many credit cards were stolen from e-commerce sites that had unknown, unidentified, and unpatched flaws? The answer is "we don't know." The worst of the hackers is the one who discovers a flaw, and silently exploits it. Remember the WMF flaw from 2006? The code that was patched was over ten years old. We don't know how many silent exploits used it in the previous 10 years. Zero? Hundreds? But once the malware authors found it and started noisily exploiting it, it was shut down right quick.

    People with an honest desire to protect users act in a very different way.

    I'm not disagreeing, but those honest people didn't find the WMF bug. Those people may have known how to use the registry to install nasty hackish BHOs, but never complained it could have been used for evil purposes. And all the while, the quietest thieves were able to exploit all these flaws.

    Bottom line: what this guy did was clever (along the lines of what any hacker does), but both anti-social and criminally wrong in the sense that he went forward with a deployment of malware that cost millions of people hundreds of millions of dollars in repair bills. For justice to be truly served, he should be sued by his victims. But that's it: he only stole from people (in time and in his paychecks,) but he never murdered or dismembered anyone, so I don't place him in the truly "evil/immoral" category.

  6. Re:"Ecosystem"??? on Interview With an Adware Author · · Score: 1

    Well, if malware keeps just one AOL luser offline, that's one less "me, too!" we all have to put up with. And I think we can all agree that the Internet is a better place as a result.

  7. Re:Microsoft is Harvesting Data on Microsoft Tag, Smartphone-Scannable Barcodes · · Score: 1

    Interesting paper, but the study referenced in section 3 is virtually irrelevant to the point you're trying to make. They were studying the effect of charging the "higher paying" customer the higher price, and noted that the customer would defer the purchase if they thought they wouldn't get a good deal. That's true.

    But real-world frequent shopper programs reward customers who spend more money, not less. That is the reverse of the situation tested in the study. This strategy succeeds even when all participants have full knowledge of how the system works. The customer who spends more money will realize a "bigger" discount, and will continue to participate even if that discount represents only a tiny fraction of the overall price paid. This can be seen in shopper loyalty cards, frequent flyer mile programs, cash-back rewards on credit cards, mail-in rebates, etc.

    The disruptive or anonymizing technologies mentioned in the paper work against receiving a discount. By providing false (or no) information about themselves, they can not receive the personalized message containing the discount, and thus get no benefit. (A shopper loyalty card that automatically gives discounts without an issued coupon, however, is vulnerable to misuse through anonymity. The only way to avoid that is to issue the coupon through an out-of-band channel, such as a mailing, email, or SMS, that proves the function of a method of marketing to the customer.)

    These systems are extremely popular because they produce proven, measurable increases in sales and profit. Targeted advertising, coupons, loyalty programs, discriminatory pricing, all have been shown to increase traffic and revenue. They've also identified the price people are willing to pay in exchange for an effective marketing channel.

  8. Re:Nokia did that already on Microsoft Tag, Smartphone-Scannable Barcodes · · Score: 2, Insightful

    The advantage of keeping the info inside the code is you are not dependant on a serviceprovider to interpret the code. That's maybe a key feature here when involving MS (and Beetagg an a few more).

    Many services uses a subscription based system where a 2D-code, only has a function as long as the subscription beeing paid.

    There are counter arguments that Microsoft would raise against these kinds of objections.

    • They only work when you're on line, or through their service provider. Well, if the advertisers goal is to get you to their web site, they're not going to do them any good when you're offline, no matter who you're offline to. They would push this argument like "well, you depend on DNS, don't you?"
    • You have to pay Microsoft to host the real URL in their service. Microsoft may be trying to offer statistical or other tracking information that could be more valuable to companies than simply a URL. For example, they could deliver geographical information along with the interpreted URL, telling the site what city or cell tower you scanned it from, or passing along your ID plus your scanning history. I'm not saying that's good from a user or privacy perspective, but it sounds great if you're trying to sell services to companies.

    I'm not saying that I disagree with you, I'm just saying that Microsoft is fully aware of the limitations, and will have taken these arguments into account. Microsoft is making a big push to become the SaaS provider to the world, and being the focal point for direct-to-consumer barcode marketing would be very appealing to them.

  9. Re:QR codes are ubiquitous in Japan on Microsoft Tag, Smartphone-Scannable Barcodes · · Score: 1

    And to be honest, I really can't see either catching on...

    Granted, it could all be a mass delusion of marketroids, but I doubt so many companies would go to the effort of putting the codes on--and continuing to put them on year after year--unless there was feedback saying it was effective.

    This could also just be the tail still wagging the dog. The barcode providers are trying desperately to capitalize on these things, and might be continually pushing them on various producers with words like "there's been a big uptick on direct-to-consumer barcodes in Finland, you don't want to miss this opportunity!" There could also be some co-branding going on -- we'll market you as an trend-setting adopter if you print these for free. That could be especially attractive when the codes cost nothing to attach to their packaging or marketing literature.

  10. Re:Perfection Has a Price on More Than Coding Errors Behind Bad Software · · Score: 2, Insightful

    Yes, on the whole applications have become more stable, while growing an order of magnitude more complex. But TFA is not about stability as much as it is about security -- people leaving inadvertent holes in software that a hacker can exploit. You can have a perfectly functioning program, one that passes every test 100% of the time, but it may still have a SQL injection flaw or fail to validate input.

  11. Re:Customer information sharing on Blu-ray Update Sent To User Via Credit Card Records · · Score: 1

    Please don't spread mis information.

    I am spreading no misinformation. Tokenization certainly is a legitimate form of account number storage and transmission, according to many PCI auditors. (David Taylor won't shut up about it! :-) Tokenizing account numbers is actually the method I pictured Best Buy used to perform the matching in TFA. The issue I have is with access to the tokenization routines and to the encrypted databases that are behind the tokens. And I certainly did not say you couldn't store encrypted account numbers.

    Perhaps you were reading the indented, quoted text as mine, which is not the case -- the text I was quoting was the incorrect assumption posted originally by harlows monkeys. Note that Slashdot's "Quote Parent" feature does not include attribution, as it assumes the readers are familiar with the use of the <blockquote> tags.

  12. I'm checking on Abused IT Workers Ready To Quit · · Score: 1

    I'm going to check with my Aussie friend here at work, but I'm pretty sure he won't agree that 25% of the Bruces are actually whiny pussies. All the ones I know are pretty cool.

  13. Re:Customer information sharing on Blu-ray Update Sent To User Via Credit Card Records · · Score: 1

    Actually, no, not every company does this. Companies that don't provide the option for returning customers to use an on-file credit card cannot retain the CC number indefinitely--that would violate the PCI standard, and would get them banned from accepting credit cards.

    Retailers certainly can retain a "token" that represents the card number. That's fully within the PCI DSS guidelines. They just have to limit the people and systems who might have the ability to turn the token back into a card number.

  14. Re:Customer information sharing on Blu-ray Update Sent To User Via Credit Card Records · · Score: 1

    For those companies that ask for a phone number,I don't argue with them. I just give them a fake number (usually a porn site etc).

    I'm impressed. I haven't memorized the phone numbers of any porn sites!

    (I kid, of course, I don't actually read porn sites; I just go to them for the pictures.)

  15. Re:Customer information sharing on Blu-ray Update Sent To User Via Credit Card Records · · Score: 2, Interesting

    I assume you mean eCash. First, DigiCash drove themselves into the ground. They were too advanced for their time, trying to selling a screamingly modern product to an extremely conservative group of bankers. And their headstrong genius inventor was not brilliant enough to understand he needed an independent CEO to run his business. They went bankrupt in 1998.

    More importantly, they probably never would have been allowed to succeed. eCash is simply "too perfect". It offers strong anonymity, and is extremely portable. (With an eidetic memory, you could literally carry a million dollars in your head.) It would be the perfect exchange media for drug traffickers, money launderers, terrorist organizations, and anyone else who usually attracts police interest.

    Many (most?) successful investigations involve following the money trail in some fashion. eCash renders money totally invisible. No government would have endorsed it, and most would probably have outlawed it eventually.

  16. Re:I'm not familiar with Lexus models . . . on Lexus To Start Spamming Car Buyers In Their Cars · · Score: 1

    . . . are they too big to shove up a Lexus executive's ass?

    Given this idea, I'm guessing they're almost exactly the same size.

  17. Re:Tickets & Cellphones on Lexus To Start Spamming Car Buyers In Their Cars · · Score: 1

    "The Lexus Enrichment Center reminds you that the weighted companion cube will never threaten to stab you and, in fact, cannot speak."

    "In the event that the weighted companion cube does speak, the Lexus Enrichment Center urges you to disregard its advice."

    Y'know, I just might opt-in for those.

  18. Re:Stupid on Lexus To Start Spamming Car Buyers In Their Cars · · Score: 1

    My mental picture is that they'll try to make it a Lexus exclusive feature, kind of like Colbert Platinum.

    "Folks, this advertisement is for Lexus Platinum owners only. If you are so poor that you're driving your own Lexus, please change the channel now. I hear NPR is having their pledge drive, why don't you tune into that?

    ...

    Are they gone now? Good. Platinum Lexus owners, don't you think other cars ought to wait at red lights for you? Well now they can, with our Lexus-Opticom Light Changing system. The same system used by police and fire cars to give them green lights can now be yours!"

  19. Re:Amazing on Lexus To Start Spamming Car Buyers In Their Cars · · Score: 5, Funny

    As for sports cars... you are of course, absolutely right.

    Reminds me of a riddle:

    Q: What's the difference between a Porsche and a porcupine?
    A: With a porcupine, the prick is on the outside.

    Thanks, I'll be here all the week. Tip your servers, they work hard.

  20. "Network" on Researcher Says Social Networks Link Terrorists · · Score: 1

    Technically, I've created a network if I plug a crossover cable between two machines.

    Technically, there is "a global network of would-be terrorists" if a jihadist from Pakistan uses a social site to contact anyone else in the world.

    Technically, paranoid people are really stretching the definitions of the word "network".

  21. Re:Fiat? on All of Vietnam's Government Computers To Use Linux, By Fiat · · Score: 1

    "rust-prone" is a damned polite turn of phrase for those iron oxide oxen.

    The passenger floor rusted completely out of my cousin's Fiat. Completely. To sit in the passenger seat meant to straddle a large hole through which I could look down and see road passing beneath my feet. On the rare days it was running, I could have put both feet through the hole and used the Fred Flintstone brakes!

    One day he sanded down the bigger cancer patches from the fenders, doors, hood and roof, then spraybombed the entire car with gloss white Rustoleum. It made a nice difference, as long as you were further than 50 feet from the car.

    Yay, Fiat!

  22. Re:Really? on Green Is In At CES, But Is It Real? · · Score: 2, Informative

    Though, the whole "green" push has turned into "green-washing", where companies are overstating or trying to point out excessively small environmental impacts for the sake of PR.

    And what's wrong with that? If there's no effective difference between Brand X and Green Brand, what is wrong with putting an extra filter on your smoke stack, tossing it in a green bottle and slapping a couple of 'Green Brand saves the planet!' stickers on it? It's Marketing 101 -- differentiate your product. It just has to be factual -- nobody said it had to be meaningful. Really, it just has to get a handful of shoppers to throw your product in their cart rather than the other guy's product. It's all statistics.

    People seem to forget that businesses are in business to make a profit, and that means they have a responsibility to their shareholders to get people to buy their products. Making customers "feel better" because they picked ***TreeHugger Magazine's Greenest Product of the Year!*** is a perfectly legitimate sales tactic (when it's true.)

    Business' other responsibility to their shareholders is frugality. If they can manufacture the product with 10% less energy, they may reduce their power bills. Again, Marketing 101 says "take credit for the action", even though it was done purely to save the company money, and none of those savings were passed on to the customer.

  23. Re:Sounds Good on Mobile Phones To Fill Poor Nations' Healthcare Gap? · · Score: 1

    Once you get mobile phones into the hands of average people, along with the test kits. Then there's the danger of people sharing the devices and transmitting diseases from one to another. I think I would rather get to a hospital, where it could be done right.

    And as a resident of a First World country, and wealthy enough to afford a computer and an internet connection, we may think a hospital is always an option. But in too many places, it is not.

    One step at a time. Get them some handheld tools now, build a hospital later. It's better than waiting around for some millionaire to decide your village is worthy of his donation of a hospital, because those just don't happen as often as everyone would like.

  24. Re:Quick! on Obama Picks RIAA's Favorite Lawyer For Top DoJ Post · · Score: 4, Funny

    Throwing politicians at the problem won't solve anything.

    It will if "problem" is a code-word for a very large furnace.

  25. Oh, Dr. Phil! on Oprah Sued For Infringing "Touch and Feel" Patent · · Score: 2, Funny

    Dr. Phil! Touch me! Feel me!

    Oh, it's not that kind of lawsuit? Yawn.