I love my Kindle. I buy about one book per week. It's gotten to the point where if a book I'm looking for isn't available in ebook format, I simply don't buy that book. I want my entire library available to me anywhere I go. I don't want to haul around dead trees.
The publishers who haven't released their books in ebook format are simply daft.
"That's a theoretical problem" is one of the funniest and most ignorant comments I've ever hear in response to a security evaluation. It is often followed-up by somebody's systems getting owned up and down in a pen test. It's a phrase only the most inept admins use. Congrats.
And so it remains: you wasted company time and sacrificed security by reinventing a reversible password system when one that cannot be practically reversed is already in wide use. No amount of name-calling will change that fact. Give yourself a pat on the back for that, too.
But at any rate, I'm a little tired of explaining, so I'll give you this:
The system you reinvented could be reversed under some conditions. A properly-designed system, like bcrypt, could not be reversed under any conditions. By reinventing an authentication system rather than simply using an existing, secure one, you sacrificed both dollars and security, while gaining nothing.
If you think you have found a flaw in bcrypt or have designed something substantially better, write it up and publish it. You may get invited to speak at BlackHat. Otherwise, don't waste your breath.
When I'm on a pen test, I can generally reverse part of any password database I come across, except for one that uses per-account random salts (as is the case with most unix systems and with bcrypt). What you call "snake oil" I call "a dead end in a pen test."
But by all means, never consult with a security expert. You don't want any of that snake oil in your systems.
Looks like you're having a breakdown. Chill. You haven't reinvented authentication in the worst possible way, but you must admit that it's flawed. Listen: when it comes to crypto, just don't reinvent the wheel. Really. Use something written by a cryptographer.
You're right. The entire field of cryptography is a sham. You have singlehandedly put us all to shame. Any minute now, some men in black suits will arrive at your door to invite you to the NSA so that your amazing insight can give them an edge over the rest of the human race.
The entire exercise is a ruse, if someone has already access to my database, they'll get the information they came for without cracking the passwords, so that's a bunch of crap.
That is not correct. Example 1: A stolen backup tape to a stock trading system won't allow a hacker to enter new trades. Reversed passwords from the system, however, will allow him to do so. Example 2: A hacked web portal contains no sensitive data, however, if its passwords can be reversed, some of those username/password combos can be used to access far more sensitive applications.
Information security is a complex and subtle game. It requires a different mindset from programming. Programmers who assume they can anticipate all possible security faults nearly always get it wrong, as you have just demonstrated. Furthermore, they tend to be handicapped by egos that prohibit them from admitting their mistakes, perpetuating the problem.
You must have a random per-account salt to stop brute-force attacks of your entire password database. Doing so multiplies the cost of cracking the passwords by the number of accounts.
Someone who has your password database probably has your system salt. They can generate a hashtable from that and crack a good number of your passwords very quickly. When using random per-account salts, however, they can't use a hash table or rainbow table. They have to perform a complete brute-force against every single hash.
It is also a mistake to use a cheap hash function, like SHA. You should use an expensive one, like bcrypt.
That is the wrong way to do it. You need to generate a random salt for every single user on the system. Otherwise, someone could generate hash tables to attack it.
They don't actually pay you interest on your cash account these days. And if you're interested in real-time stock prices, you are a trader, and all trading platforms give you access to that data.
Well, since you can crack a password a hundred (or more) times faster with CUDA than with a CPU, they could at least sell a million units to the NSA and the FBI... and the analogous departments of every other country...
I was interested in CUDA until I learned that even the simplest of "hello world" apps is still quite complex and quite low-level.
NVidia needs to make the APIs and tools for CUDA programming simpler and more accessible, with solid support for higher-level languages. Once that happens, we could see adoption skyrocket.
They want to sell tickets (which cost $2,000). It's hard to sell a $2,000 ticket to an event when you can't even tell people what that ticket will buy them.
When I speak about low inflation, I am referring to inflation. Prices. The cost of things. Shiff has been consistently wrong on inflation.
His followers remind me of apocalypse cultists. "Sure the world didn't end back when we said it would. Obviously. Next month it will end.... [next month] Sure the world didn't end..."
Shiff is actually a great example of contrary facts being rejected in the face of ideology. For years he screamed about hyperinflation as part of his internet self-promotion program. When his predictions were proven false by exceptionally low inflation, did he change his tune? No.
It is also amusing that you say Paul is trying to fix the system. He talks about his ideology rather consistently, but he is not trying to fix anything. If he were he, he would be willing to compromise, as that is the only way to see results in a place like Congress.
One would hope that liberty, justice, philosophy, you know--doing "good" would motivate our politicians. It sort of disturbs me that you think stealing the largest slice of the public pie should be the primary motivator.
I want my Senator to protect our rights. I do not want him to do everything he can to buy votes.
The major targets of hackers these days are financial in nature: account numbers or systems authorized to perform wire transfers.
The real solution to security is not to give companies more incentive to secure their information, but to give hackers less incentive to hack. Make a standard, PKI-based, government-regulated solution for financial transactions. Require that all transactions be digitally signed by smart cards, for example. Ensure that someone possessing your account numbers or even your passwords could not use them to transfer money from your account.
It sounds like they are going after the wrong incentives right now...
They are doing this for the same reason senators do anything else: to bring in votes, either by porking jobs to their constituents or by porking funding to their campaign donors.
Slashdot Mirror
I love my Kindle. I buy about one book per week. It's gotten to the point where if a book I'm looking for isn't available in ebook format, I simply don't buy that book. I want my entire library available to me anywhere I go. I don't want to haul around dead trees.
The publishers who haven't released their books in ebook format are simply daft.
"That's a theoretical problem" is one of the funniest and most ignorant comments I've ever hear in response to a security evaluation. It is often followed-up by somebody's systems getting owned up and down in a pen test. It's a phrase only the most inept admins use. Congrats.
And so it remains: you wasted company time and sacrificed security by reinventing a reversible password system when one that cannot be practically reversed is already in wide use. No amount of name-calling will change that fact. Give yourself a pat on the back for that, too.
But at any rate, I'm a little tired of explaining, so I'll give you this:
The system you reinvented could be reversed under some conditions. A properly-designed system, like bcrypt, could not be reversed under any conditions. By reinventing an authentication system rather than simply using an existing, secure one, you sacrificed both dollars and security, while gaining nothing.
If you think you have found a flaw in bcrypt or have designed something substantially better, write it up and publish it. You may get invited to speak at BlackHat. Otherwise, don't waste your breath.
When I'm on a pen test, I can generally reverse part of any password database I come across, except for one that uses per-account random salts (as is the case with most unix systems and with bcrypt). What you call "snake oil" I call "a dead end in a pen test."
But by all means, never consult with a security expert. You don't want any of that snake oil in your systems.
Looks like you're having a breakdown. Chill. You haven't reinvented authentication in the worst possible way, but you must admit that it's flawed. Listen: when it comes to crypto, just don't reinvent the wheel. Really. Use something written by a cryptographer.
You're right. The entire field of cryptography is a sham. You have singlehandedly put us all to shame. Any minute now, some men in black suits will arrive at your door to invite you to the NSA so that your amazing insight can give them an edge over the rest of the human race.
Good day.
That is not correct. Example 1: A stolen backup tape to a stock trading system won't allow a hacker to enter new trades. Reversed passwords from the system, however, will allow him to do so. Example 2: A hacked web portal contains no sensitive data, however, if its passwords can be reversed, some of those username/password combos can be used to access far more sensitive applications.
Information security is a complex and subtle game. It requires a different mindset from programming. Programmers who assume they can anticipate all possible security faults nearly always get it wrong, as you have just demonstrated. Furthermore, they tend to be handicapped by egos that prohibit them from admitting their mistakes, perpetuating the problem.
You must have a random per-account salt to stop brute-force attacks of your entire password database. Doing so multiplies the cost of cracking the passwords by the number of accounts.
Someone who has your password database probably has your system salt. They can generate a hashtable from that and crack a good number of your passwords very quickly. When using random per-account salts, however, they can't use a hash table or rainbow table. They have to perform a complete brute-force against every single hash.
It is also a mistake to use a cheap hash function, like SHA. You should use an expensive one, like bcrypt.
http://www.usenix.org/event/usenix99/provos/provos_html/index.html
(ps: you are not talking to just another programmer. you are talking to an infosec specialist.)
You are confused. The salt is not supposed to be a secret. The purpose of the salt is to make it extremely expensive to crack the passwords.
That is the wrong way to do it. You need to generate a random salt for every single user on the system. Otherwise, someone could generate hash tables to attack it.
That is a terrible auth function. Where is the randomly-generated salt? Where is the expensive hash function, like bcrypt?
They don't actually pay you interest on your cash account these days. And if you're interested in real-time stock prices, you are a trader, and all trading platforms give you access to that data.
The PyCUDA "hello world" involvies inline C code!
Well, since you can crack a password a hundred (or more) times faster with CUDA than with a CPU, they could at least sell a million units to the NSA and the FBI... and the analogous departments of every other country...
I was interested in CUDA until I learned that even the simplest of "hello world" apps is still quite complex and quite low-level.
NVidia needs to make the APIs and tools for CUDA programming simpler and more accessible, with solid support for higher-level languages. Once that happens, we could see adoption skyrocket.
They want to sell tickets (which cost $2,000). It's hard to sell a $2,000 ticket to an event when you can't even tell people what that ticket will buy them.
When I speak about low inflation, I am referring to inflation. Prices. The cost of things. Shiff has been consistently wrong on inflation.
His followers remind me of apocalypse cultists. "Sure the world didn't end back when we said it would. Obviously. Next month it will end. ... [next month] Sure the world didn't end..."
Shiff is actually a great example of contrary facts being rejected in the face of ideology. For years he screamed about hyperinflation as part of his internet self-promotion program. When his predictions were proven false by exceptionally low inflation, did he change his tune? No.
It is also amusing that you say Paul is trying to fix the system. He talks about his ideology rather consistently, but he is not trying to fix anything. If he were he, he would be willing to compromise, as that is the only way to see results in a place like Congress.
Apple had lawyers involved.
If this guy knew a lawyer, he could probably sue John Doe then subpoena the ISP to get the billing address of that IP address.
Then he would have evidence to turn over to the police, and/or evidence to bring to court as part of a lawsuit.
One would hope that liberty, justice, philosophy, you know--doing "good" would motivate our politicians. It sort of disturbs me that you think stealing the largest slice of the public pie should be the primary motivator.
I want my Senator to protect our rights. I do not want him to do everything he can to buy votes.
The major targets of hackers these days are financial in nature: account numbers or systems authorized to perform wire transfers.
The real solution to security is not to give companies more incentive to secure their information, but to give hackers less incentive to hack. Make a standard, PKI-based, government-regulated solution for financial transactions. Require that all transactions be digitally signed by smart cards, for example. Ensure that someone possessing your account numbers or even your passwords could not use them to transfer money from your account.
It sounds like they are going after the wrong incentives right now...
They are doing this for the same reason senators do anything else: to bring in votes, either by porking jobs to their constituents or by porking funding to their campaign donors.
The Intel Atom netbook and nettop computers require 32 bit OSs. So there really are new, popular computers being shipped which just can't run 64bit.
Congrats! A macro can ace your tests.
A creationist would argue that the lord sent AIDS to punish sinners.