Ads are like having prostitiution support your schools.
Am I the only one who missed the connection here?
Yes, prostitiution is tit tuition from pros, but must be at least 2000 feet from the nearest school.
rd
Would slashdot be as appealing to you if the community was only a handful of people, the news comes late, and you don't even get the whole story.
Well, one out of three isn't bad.
rd
So if I use Ad block extension, it means I'm having sex with prostitutes for free?
No, the prostitutes would be blocked, so you'd be having sex with... hmmmm
But it'd be free.
rd
To clarify my earlier response, I understand the thinking that any position can contain upper/lower case, special character, or number increases the combinatorials greatly, and requiring a number or special character eliminates dictionary searches.
Beyond that I don't understand how the given rules would make a password harder to break. On the other hand, it's hard for me to envision a crack program being able to do anything but consider that every position can have every combination, whether 1 of any other type or 3 of every type is required.
But I am not a mathematician or someone who writes crack programs. All I know is that passwords will be tricked out of people in any number of ways, and used successfully once stolen, but failed login attempts should be limited to three attempts anyway and the IP address blocked after that until reset by the help desk, so this is all goofy stuff to me.
rd
I agree, the set of special characters is less than 26, and the set of single digit numbers is less than 26, so yes, there would be less total combinations.
And excluding the banned dictionary words and names limits the total even more. That's assuming these things are that clear, which they aren't. For example, I doubt this dictionary/name thing is programmatically enforced, on the other hand, as I posted somewhere the special characters and numbers rules it out anyway.
Really goofy stuff, almost in the realm of security by urban myth.
rd
...and wanted kylix to lower the learning curve.
or eliminate the learning curve. I think the Borland (Inprise) $1000 price was based on "distribute your Windows app to Linux".
I am glad to see in this thread that Delphi 5 and its apps run under WINE. I think that basically was the intent of Kylix, so WINE has come to the point of doing it much cleaner directly with Delphi.
And I have a $1000 paperweight, or from the size of the box, boat anchor.
rd
Although the premise of the thread was bogus, I'm glad I got to see your posts, Terje.
rd
The trick is telling them "Protect that password like you protect your social security number."
I agree with that. I don't have my SSN in my wallet either. An unmemorizable password that must be used to login will be kept somewhere within reach of the keyboard, "hidden", but within reach.
Any IT security type too ignorant to understand that will be ignorant enough to come up with unmemorizable passwords.
rd
I can't comment on the C++ personality or Kylix 1 and 2. I guess they must have been pretty awful for Kylix getting such a bad reputation.
I bought the Kylix 1 version when first announced. Cost USD $1000. I would like to say I did great things with it or at least that it crashed so much I couldn't, but I didn't get to it, so it's still boxed up.
There was the announcement of a Delphi / Kylix compatible version (apparently Kylix 3) which I called Borland about. They wanted USD $600 more to upgrade. I told them they already had $1000 from me. The tele-talkers who answered could have cared less.
rd
As others have noted, the *real* answer is "Stop using easily stolen single factor authentication credentials, dumbass!" Smartcard + PIN is my choice (I'm not a biometric fan; too easy to spoof still).
I agree, that's the right combination. All the technology for it is standard too.
rd
I'm no web programmer, but (and correct me if I'm reading this wrong) I'm not a huge fan of the government using ANY kind of "web interfaces", enhanced or not. I don't think the problem is Microsoft, I don't think the problem is government, I think the problem is that any system is hackable. It's one thing for thousands of laptops to get encrypted, but it's another thing entirely to open your network up to potentially millions of people who want nothing more than to claim they "hacked" the U.S. government. I suppose a thin client would work, but I'd want to make sure it was modified so extensively that no outside software or hardware could recognize it.
This is an excellent point. I wish this were crystal clear to every software decision maker in government.
rd
You have to keep in mind that this is the government we're dealing with here. See, what you're saying actually makes sense, so obviously it's completely out of the question.
Reading the government document link is what would actually make sense.
rd
I'm no crypto expert and my combinatorics is a bit rusty, but don't those constraints actually *reduce* the complexity of the password?
I'm not either, but the answer is no. The purpose of requiring case sensitive keys with special characters and numbers is to add to the number of possible combinations.
With special characters and numbers, the "not in a dictionary" requirement is redundant as it's impossible, but in an environment where numbers and special characters aren't required, the "dictionary" ban is in a way a "less complex" ban, that is, password cracking can't be accomplished by going through a dictionary rather than all combinations.
I think the whole thing is silly. I doubt the people that come up with this stuff have any idea of a real cracker with a program that uses a dictionary instead of combinatorials. Most passwords are going to have some kind of name and numbers in them.
The whole dictionary thing is as stupid as the people that come up with it.
rd
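The two exchanges above (whether composition rules reduce or add to the number of possible combinations, and whether a dictionary ban is redundant once digits and specials are required) can be settled with a short computation. This is an added example, not code from the thread or from any poster; it assumes a 94-symbol printable-ASCII alphabet (26 lower, 26 upper, 10 digits, 32 specials) and a hypothetical 100,000-word list, both constructed here. It counts the keyspace with and without "at least one of each class" rules by inclusion-exclusion, cross-checks that count by brute force on a tiny alphabet, and sizes a word-plus-digits search for comparison.

```python
from itertools import combinations, product
from math import log2

# Character classes of printable ASCII (94 symbols). Constructed for this example;
# a real policy may allow fewer specials, which only changes the constants below.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


def keyspace(classes, required, n):
    """Number of length-n strings over the union of `classes` that contain at least one
    character from every class named in `required`.

    Inclusion-exclusion: start from all strings, subtract those missing one required
    class, add back those missing two, and so on. With `required` empty this is just
    (alphabet size) ** n, the unconstrained keyspace.
    """
    total = sum(classes.values())
    count = 0
    for k in range(len(required) + 1):
        for missed in combinations(required, k):
            remaining = total - sum(classes[c] for c in missed)
            count += (-1) ** k * remaining ** n
    return count


def brute_force(classes, required, n):
    """Explicit enumeration for tiny alphabets, used to cross-check keyspace()."""
    alphabet = [(name, i) for name, size in classes.items() for i in range(size)]
    hits = 0
    for candidate in product(alphabet, repeat=n):
        present = {name for name, _ in candidate}
        if all(c in present for c in required):
            hits += 1
    return hits


def hybrid_candidates(words, max_digits):
    """Size of a word-plus-digit-suffix search: each of `words` base words followed by
    0..max_digits decimal digits. This models the 'name and some numbers' passwords the
    thread mentions; capitalising the first letter or appending '!' only multiplies the
    count by a small constant."""
    return words * sum(10 ** k for k in range(max_digits + 1))


def bits(count):
    """Keyspace expressed as equivalent bits of guessing work."""
    return log2(count)


def summary(n=8, words=100_000, max_digits=4):
    """Compare the unconstrained keyspace, the keyspace once all four classes are
    required, and a hybrid dictionary search, all for length n."""
    unconstrained = keyspace(CLASSES, [], n)
    constrained = keyspace(CLASSES, list(CLASSES), n)
    hybrid = hybrid_candidates(words, max_digits)
    return {
        "unconstrained": unconstrained,
        "constrained": constrained,
        "fraction_removed": 1 - constrained / unconstrained,
        "hybrid": hybrid,
        "unconstrained_bits": bits(unconstrained),
        "constrained_bits": bits(constrained),
        "hybrid_bits": bits(hybrid),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        line = f"{key:>20}: {value:,.2f}" if isinstance(value, float) else f"{key:>20}: {value:,}"
        print(line)
```

Running it shows both posters are partly right: requiring every class does remove combinations (for 8 characters, roughly half of the keyspace, about one bit of guessing work), so the rule cannot add combinations, but the loss is small next to the gap between either keyspace and a word-plus-digits search, which is more than twenty bits smaller. The composition rule does not make that hybrid search impossible; it only forces the attacker to add digit and symbol suffixes, which `hybrid_candidates` already accounts for. Rate limiting and lockout, as the thread notes, are what actually bound online guessing.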
I had the same thought as you. Encryption is solving the wrong problem. Why on earth should the laptop even have this information on it?
That's what the Mandate addresses. A mobile device with sensitive data taken off premises has to be encrypted. Therefore sensitive data on mobile devices to be unexpectedly taken off premises will be questioned and need to be justified, as it should be.
A previous poster gave some examples of when working with sensitive data offsite is part of the job, and those devices would be encrypted.
rd
ding ding ding! we have a winner. Although it was funny, the way you stated that as an OR question. The encryption issue will help solve the problem of the stolen laptop. But not necessarily the problem of misused/leaked data. This is a typical government IT kneejerk reaction to something that is best addressed by proper use, practice and policy, rather than the opted for expensive technical fix. Well, at least someone's going to make a boatload of money.
And your post is a loser. Look at a few informative posts in this thread, they explain why both the use and encryption of data on mobile devices is necessary, and not a "kneejerk reaction".
And where did you come up with this "leaked" data thing?
rd
It's not 'dragging this stuff home', it's people who go out in the field to do their job - One simple example is FEMA. When they go to a disaster they take along thousands of laptops in order to register people who need aid. There isn't a LAN they can "SSH into" and they can't phone this stuff in. Another example might be the IRS who would visit individuals and businesses to perform audits.... The list goes on.
Yes, and very appropriate that those laptops are encrypted. Thanks for the info.
rd
It's actually more secure to have an essentially random password that people secure on a laminated card in their wallet (appropriately obfuscated of course) than have passwords that people can easily remember. When you think about it, people are actually very good at securing their wallet independently of their laptops.
I can't believe this is considered insightful. Having to write a password down anywhere is less secure than not having to write it down because you can remember it.
Having an impossible to remember password will be written down in much more accessible places than wallets appropriately obfuscated.
rd
The Army is adopting the 15 character password policy as well. Additionally most systems are now auto-generating these passwords instead of allowing the user to create them. This means that for people with multiple accounts they have totally dissimilar 15 character passwords to "remember" and by remember I mean either write down in easy to grab notebooks, or composing emails to themselves listing all their passwords in them. Moronic.
It truly is, and these are IT people who are the morons coming up with this. This is all about computations of how many decades of number crunching it would take to crack a password, and no computation whatsoever on how insecure an entire workforce is made when they can't remember their passwords.
And I don't mean psychologically insecure.
Every IT security person who comes up with password requirements that result in passwords that can't be remembered by the workforce should be made *the* helpdesk person for "can't login" problems.
And yes, for all 32,000 of them they'll get the first day. Just bury the moron in help tickets until he figures out he's an idiot.
rd
To address the issue of data leaks of the kind we've seen so often in the last year because of stolen or missing laptops, writes Saqib Ali, the Feds are planning to use Full Disk Encryption (FDE) on all Government-owned computers. "On June 23, 2006 a Presidential Mandate was put in place requiring all agency laptops to fully encrypt data on the HDD.
Who is Saqib Ali, and is he getting this "all Government-owned computers" thing from the referenced Mandate (which refers to mobile devices with sensitive agency data on them) because of a reading comprehension problem or knows something not in the Mandate?
rd
Sorry to reply to your insightful post, but you're the first post. :)
This is the goofiest slashdot thread I've ever seen. I clicked on the link to the directive and it is a simple order to:
Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary.
It goes on to talk about:
Personally Identifiable Information (PII) categorized in accordance with FIPS 199 as moderate or high impact that is either:
Accessed remotely; or
Physically transported outside of the agency's secured, physical perimeter (this includes information transported on removable media and on portable/mobile devices such as laptop computers and/or personal digital assistants).
This is just common sense, and a direct result of the VA laptop that was stolen.
The bottom line. Personally Identifiable Information won't be carried out of buildings anymore or FTP'd elsewhere like home, which was a mandate anyway.
In the rare case it is required, the device will be encrypted.
For the first time ever, a government document makes more sense than a slashdot thread.
rd
As long as a copy of Windows costs more than someone earns in a month (6 months in some countries), piracy is not going away.
If someone in the US were to buy a copy of Windows, it would cost almost as much as a new PC. That's no accident, of course.
I personally think (and suggested in posts) that Windows 98 SE should have been taken from MSFT as the penalty for their criminal conviction, and that those binaries be freely available to the world. MSFT was well past selling it at the time, and they've made their money on it, criminally it turns out.
As stated in a recent /. thread, hopefully WINE in Linux will handle that for the world as far as running existing Windows software, and new Linux apps pick up from there.
rd
The result is that Windows PCs over here are a huge playground for American spammers. They get their backdoor software installed on the machines and then use them to fire buttloads of spam back across the Pacific at the USA.
So I take it you see attacks from Americans night and day while we see attacks from Reds (Chinese and Russians) night and day?
You might be able to fly that by the locals, but it ain't going to fly here.
rd
... the only 2 cables that are available are simply being OVERLOADED with unexpected traffic.
I am wondering how far along outsourcing IT to China has got, and if some major companies got hammered in being able to communicate with their outsourcers, how this is going to affect outsourcing decisions in general.
rd
Due to a lack of non sea cable bandwidth, there is no re-route possible.
Thanks for that post. Hopefully you'll get mod points soon.
rd
Start with good wireless, perhaps?
And who's going to pay for guaranteed attacks from China and Russia?
rd