> Do you know were I can pick up a Cray for the house?
Sure, try eBay.
> And while you're out shopping, can you pick up a connection machine as well?
That will be harder.:-)
The researchers studied user dynamics and determined that the timing information of the keystrokes leak information about the key sequences typed at about 1 bit of information about the content per keystroke pair. Because the entropy of passwords is only 4-8 bits per character, this 1 bit per keystroke pair information can reveal significant information about the content typed.
So, let's say you have an 8 character password now. That's 7 key pairs (1-2, 2-3...7-8). So, you lost 7 bits of "randomness" in your password. Add two more randomish characters, and, assuming that you get 4 bits of entropy per character, you're now better off than you were before. And the brute force is now harder than it was before this attack was considered. 10 characters isn't that much worse than 8.
Actually, Opera can do anti-aliased text too. There is a screenshot floating around somewhere too, but i can't find a link at the moment.
As a sidenote, there's a new "technology preview" version of Opera for Linux out now.
Oh,
They don't just request checksums of aim.exe, they're currently requesting checksums of part of proto.ocm, and can probably request any file in the aim distribution they like. (the extension isn't actually sent, tcpdump shows "proto*" and the offset/length coming from the server during the request for an md5sum).
so it's _considerably_ much worse than your calculations.
The easy way out is to grab the latest libfaim from cvs, merge it with whatever fairly newish version of gaim you prefer- and then look at faimtest to see how it answers the md5 requests, and fix gaim appropriately. Then, find the aim binaries you need, put them where they're useful, and you're all set. (I've been connecting like this for a few weeks now).
Or, older versions of gaim (i know gaim-0.9.20) have working oscar, and weren't affected apparently by the md5 digest thing, but newer versions of gaim are prettier/have more features/etc.
Of course, current gaim clients are working fine right now.
But, actually taking the checksums of the client is a slightly better fix (not perfect, but better).
I'm not a big fan of this "central server distributing md5 sums" thing.
hmm...
Using v. 1.1.112 of the official client for Linux (not the java client), it hangs on "Verifying username and password" for me. Which it didn't do a week ago. And gaim/toc can login with this username. Maybe I'm just having odd problems though:)
But the official Win32 client will run under wine, so if all else fails, that should keep working fine. (for those who need to read away messages, or for whatever other reason need OSCAR)
oh yeah...
and the official AIM linux client is broken now too I do believe.:)
great luck huh?
at least toc still works, and the same trick won't work there. (tik is the legacy client that they won't (i hope) break support for- and it's open-source).
Well, this number (call it N) is not neccesarily prime really, it could be divisible by a prime not on your list (which also shows that the primes are infinite).
Example: 2*3*5*7*11*13+1=30031=59*509.
More a little technicality than anything- the number itself is not always prime, but it does have a least divisor D (other than 1) such that D is not on your list and D is prime. (D can be N itself if N is prime).
That said, the comment you replied to didn't say the primes were finite.
Digital (Tru64) UNIX 4.0F: TCP Sequence Prediction: Class=random positive increments Difficulty=355 (Medium) Remote OS guesses: Digital UNIX OSF1 V 4.0,4.0B,4.0D,4.0E, Digital UNIX OSF1 V 4.0-4.0F
Linux 2.2.18: TCP Sequence Prediction: Class=random positive increments Difficulty=3738947 (Good luck!) Remote OS guesses: Linux 2.1.122 - 2.2.14, Linux kernel 2.2.13
I don't have much else to test, but it seems to me that the Linux TCP/IP stack uses significantly better random numbers than OpenBSD, as shown by nmap. I'd wager some others do too.
There's a list of most of the currently supported architectures available here, mentioning the architectures actually in the kernel tree, and some that aren't. Of course, this is not all of them, S/390 is even missing.
And uLinux runs on architectures like the DragonBall, and other things too. I don't know of a complete list anywhere.
The little thread this started noted discrepancies in the number of CPUs reported in the bootlog (4, 8, and 1). There are 4 CPUs in the machine, it supports 8, and the native 64bit Linux port supports 1. But the 32bit Linux port (emulates 32bit on the Power3) supports SMP. I'd be interested to see a performance comparison between the 64bit native and 32bit emulation kernels.:) Of course, I assume SMP will be arriving sometime shortly.
md5sum is a hash, meaning that it's a one way algorithm (it's believed impossible (very difficult) to get back the original text from the hashed text. Rijndael is a symmetric cipher, with a variable key length, meaning that, given knowledge of the key, it is trivial to get the plaintext (that's the whole point of it:). I'm not sure if Rijndael can be easily made into a hash (I would guess it could- maybe encode "" using the cleartext as the key?) On an somewhat unrelated sidenote: OpenBSD uses blowfish (by default) to encrypt passwords (cat/etc/passwd.conf). So I would _guess_ that it's apparently easy to transform a symmetric cipher into a hash. Although- I'm not a crypto expert. Although I have no idea on the relative security provided by Rijndael and MD5, I think Rijndael is considerably better, but that MD5 should suffice for typical systems.
Some of these mirrors are mighty broken: 230- ftp.cybertrails.com 230-Due to limited disk space at the moment, 230-we have had to discontinue our gnome.org 230-mirror for a month or so.
Actually, the article is more about "White House," although "Starry Night" is mentioned in passing. The original link is the correct one, of "White House."
Marten, who has been working with three dolphins at the park, says the dolphins already recognize and repeat the artificial whistles he has devised.
However, they have yet to relate the whistles to the objects they refer to -- this will be the next goal of the research. "The second stage is to see if the dolphins recognize what the whistles stand for..."
And then they claim that:
"We'll be able to ask questions and they will be able to answer in very simple terms."
All they have so far are dolphins mimicking sounds- no evidence that the dolphins can understand it at all. Like parrots.
I noticed on 2/2/01, when sunhelp.net mentioned it, and downloaded it (x86 only) the next day I think, to run on a laptop for a little bit (I have no Sparc hardware). So it's been a little while now, but not too long.
Slashdot Mirror
> Do you know were I can pick up a Cray for the house? :-)
Sure, try eBay.
> And while you're out shopping, can you pick up a connection machine as well?
That will be harder.
So, let's say you have an 8 character password now. That's 7 key pairs (1-2, 2-3...7-8). So, you lost 7 bits of "randomness" in your password. Add two more randomish characters, and, assuming that you get 4 bits of entropy per character, you're now better off than you were before. And the brute force is now harder than it was before this attack was considered. 10 characters isn't that much worse than 8.
Actually, Opera can do anti-aliased text too. There is a screenshot floating around somewhere too, but i can't find a link at the moment.
As a sidenote, there's a new "technology preview" version of Opera for Linux out now.
For those who can't read Japanese, you could try Babelfish, although the translation is quite terrible.
int dow(int m,int d,int y)
{y-=m<3;return(y+y/4-y/100+y/400+"-bed=pen+mad. "[m]+d)%7;}
Even though it only works for "a restricted range." This comes from here, which has some other information too.
Linux won't run on the 3000/300L now either. :)
That pesky TURBOChannel bus.
(The one on my desk is running OSF/1 at the moment)
Oh,
They don't just request checksums of aim.exe, they're currently requesting checksums of part of proto.ocm, and can probably request any file in the aim distribution they like. (the extension isn't actually sent, tcpdump shows "proto*" and the offset/length coming from the server during the request for an md5sum).
so it's _considerably_ much worse than your calculations.
The easy way out is to grab the latest libfaim from cvs, merge it with whatever fairly newish version of gaim you prefer- and then look at faimtest to see how it answers the md5 requests, and fix gaim appropriately. Then, find the aim binaries you need, put them where they're useful, and you're all set. (I've been connecting like this for a few weeks now).
Or, older versions of gaim (i know gaim-0.9.20) have working oscar, and weren't affected apparently by the md5 digest thing, but newer versions of gaim are prettier/have more features/etc.
Of course, current gaim clients are working fine right now.
But, actually taking the checksums of the client is a slightly better fix (not perfect, but better).
I'm not a big fan of this "central server distributing md5 sums" thing.
slashdot is currently in waltham, massachusetts eastern time.
md5 digests are 128 bits.
hmm... :)
Using v. 1.1.112 of the official client for Linux (not the java client), it hangs on "Verifying username and password" for me. Which it didn't do a week ago. And gaim/toc can login with this username. Maybe I'm just having odd problems though
But the official Win32 client will run under wine, so if all else fails, that should keep working fine. (for those who need to read away messages, or for whatever other reason need OSCAR)
oh yeah... :)
and the official AIM linux client is broken now too I do believe.
great luck huh?
at least toc still works, and the same trick won't work there. (tik is the legacy client that they won't (i hope) break support for- and it's open-source).
Well, this number (call it N) is not neccesarily prime really, it could be divisible by a prime not on your list (which also shows that the primes are infinite).
Example: 2*3*5*7*11*13+1=30031=59*509.
More a little technicality than anything- the number itself is not always prime, but it does have a least divisor D (other than 1) such that D is not on your list and D is prime. (D can be N itself if N is prime).
That said, the comment you replied to didn't say the primes were finite.
Again, IIRC, OpenBSD's stack uses some of the best random numbers (as shown by nmap when it tries to predict the OS of the target.)
Other than that, thanks :) I was curious as to why OpenBSD was rated so much lower. (although it's all relative)
Background research for slashdot? What a strange idea. :)
#nmap -O hostname
OpenBSD 2.8:
TCP Sequence Prediction: Class=random positive increments
Difficulty=28836 (Worthy challenge)
Remote operating system guess: OpenBSD 2.6
Digital (Tru64) UNIX 4.0F:
TCP Sequence Prediction: Class=random positive increments
Difficulty=355 (Medium)
Remote OS guesses: Digital UNIX OSF1 V 4.0,4.0B,4.0D,4.0E, Digital UNIX OSF1 V 4.0-4.0F
Linux 2.2.18:
TCP Sequence Prediction: Class=random positive increments
Difficulty=3738947 (Good luck!)
Remote OS guesses: Linux 2.1.122 - 2.2.14, Linux kernel 2.2.13
I don't have much else to test, but it seems to me that the Linux TCP/IP stack uses significantly better random numbers than OpenBSD, as shown by nmap. I'd wager some others do too.
There's another list here, with some other ports mentioned, that a quick google search turned up.
Of course, this is not all of them, S/390 is even missing.
And uLinux runs on architectures like the DragonBall, and other things too. I don't know of a complete list anywhere.
The little thread this started noted discrepancies in the number of CPUs reported in the bootlog (4, 8, and 1). There are 4 CPUs in the machine, it supports 8, and the native 64bit Linux port supports 1. But the 32bit Linux port (emulates 32bit on the Power3) supports SMP. I'd be interested to see a performance comparison between the 64bit native and 32bit emulation kernels. :)
Of course, I assume SMP will be arriving sometime shortly.
md5sum is a hash, meaning that it's a one way algorithm (it's believed impossible (very difficult) to get back the original text from the hashed text. Rijndael is a symmetric cipher, with a variable key length, meaning that, given knowledge of the key, it is trivial to get the plaintext (that's the whole point of it :). I'm not sure if Rijndael can be easily made into a hash (I would guess it could- maybe encode "" using the cleartext as the key?) /etc/passwd.conf). So I would _guess_ that it's apparently easy to transform a symmetric cipher into a hash. Although- I'm not a crypto expert. Although I have no idea on the relative security provided by Rijndael and MD5, I think Rijndael is considerably better, but that MD5 should suffice for typical systems.
On an somewhat unrelated sidenote: OpenBSD uses blowfish (by default) to encrypt passwords (cat
ftp> cd pub/gnome/stable/betas/gnome-1.4beta2
550 pub/gnome/stable/betas/gnome-1.4beta2: No such file or directory
ftp> open slave.opensource.captech.com
ftp: slave.opensource.captech.com: Host name lookup failure
download.sourceforge.net (ftp) doesn't have beta2 yet either, just the first. And rpmfind has too many users already. :)
So, good luck finding a mirror :)
230- ftp.cybertrails.com
230-Due to limited disk space at the moment,
230-we have had to discontinue our gnome.org
230-mirror for a month or so.
can't find epoch.res.cmu.edu: Non-existent host/domain
gnomeftp.blue-labs.org doesn't have beta up yet...
Well, i think you get the picture, lots of broken mirrors.
Actually, the article is more about "White House," although "Starry Night" is mentioned in passing. The original link is the correct one, of "White House."
What if I owned the copyright to this hypothetical song, and forbade modifications to the file, would they be allowed to add this "protection layer?"
Just a couple more thoughts, other than the ease of getting past it.
From the article:
Marten, who has been working with three dolphins at the park, says the dolphins already recognize and repeat the artificial whistles he has devised.
However, they have yet to relate the whistles to the objects they refer to -- this will be the next goal of the research. "The second stage is to see if the dolphins recognize what the whistles stand for..."
And then they claim that:
"We'll be able to ask questions and they will be able to answer in very simple terms."
All they have so far are dolphins mimicking sounds- no evidence that the dolphins can understand it at all. Like parrots.
Seems vaporous to me. Or maybe I'm just cynical.
I noticed on 2/2/01, when sunhelp.net mentioned it, and downloaded it (x86 only) the next day I think, to run on a laptop for a little bit (I have no Sparc hardware). So it's been a little while now, but not too long.