The password hash is easily available on desktops as well, and it's only an account escalation away from someone on the outside. The true solution is salted password hashes, which most decent OSes use anyway... and by decent I mean *BSD, Mac OS X, Solaris, Sun, and some Linux distros (I don't know which because I don't use Linux).
I am also aware of a half measure implemented by Microsoft but I don't know what exactly it is or how to turn it on.
I am also vaguely aware of a demonstrated Time-Memory Trade-Off attack on an Oracle database, but I did not see it, I only read about it.
Sounds like you need to read up on brute-force and Time-Memory Trade-Off attacks. The number of tries "the system" gives you is irrelevant to these attacks as they don't use "the system".
I find it fascinating... go read up on it... you may find it interesting and it may help you secure your computer or your applications.
My point is a brute-force attack has nothing to do with the number of attempts it takes for the password verification component to lock the account, no matter what the back-end architecture is. In fact the attack doesn't even have to occur on the target's hardware (although it can), nor does it have to use the target's OS (although it can). And as far as I know any OS which does not salt the password hash is susceptible... all of Microsoft's offerings, nearly all Linux distros (SELinux maybe?) and Mac OS X. I do know that OpenBSD does salt the password hash by default. I don't know about Sun or Solaris.
So any computer which an attacker can perform an account escalation on, or has physical access to, is vulnerable. I've seen it done... it took less than 15 minutes to recover every password stored on the box.
You obviously don't understand how "brute force cracking" works. The cracker *never* uses the MS Windows password entry UI. The average time to crack Windows passwords is minutes. So your company's recommendations are useless... which is more or less the point of the article.
That's very close to my work environment, except the cleaning crew works during the day and has keycards but not keys. If my office is not open it doesn't get cleaned... so just by random chance I think they get it once a week. A different sort cleans the labs because not only are they bonded, they are also trained in basic lab and infectious disease safety... anyway, given the difficulty in getting to an actual computer with network connectivity (particularly without having the security system record your entry), my keycard (or any of my assistants') should be enough to access the actual computer, and that would be a far sight better than the post-it note somewhere in the desktop debris strata.
Oh absolutely! But I don't think this has ever been a technology problem. Most of the network has no route to the outside world and those ports that do are all behind locked (as in need a metal key) doors. Actually the only ports outside of keycard protected areas are attached to printers. So essentially the only real difference between having my password and not, is the ability to impersonate me... I doubt they could find something to email to CEO that I would truly object to.
I swear some days it's like someone has read some of Bruce Schneier's stuff and is actively trying to implement the "don't do this" list.
Years ago a new admin saddled us with ridiculous & onerous password requirements and when numerous people complained and wanted an explanation the official party line was that it was up for discussion. So more or less instantly they alienated anyone with any tenure and passwords have been on post-it notes on desks ever since. Because we have no input in these sorts of decisions most of us feel like it's not our problem. When the story broke about people giving their passwords to strangers who asked for them in the lobby (for a chocolate) the general consensus around here was despite the fact that we all knew what was going on, if our backups were up to date we'd give our passwords to anyone for the asking... again it's not our problem (once the data for your project is backed up).
And in a real sense, in our environment, passwords are nearly useless. In order to open the door to the building you either have to have a keycard or have the security man to let you in. To get into the lobby you have to have a keycard or an escort from security. To get to my department you have to pass through two more secured doors, the door to my lab requires a keycard and the door to my office requires a real key. By then if you are there and you shouldn't be you are starring in Mission Impossible and a small thing like me having a password with 12 alphanumerics (1 capitalized) and 1 symbol isn't going to slow you down much.
So like I said some person in the lobby asking for passwords is a stooge for the IT group and they better have good chocolate.
Not that this is directly related... but it is interesting, and related in the sense that my first effort in DSP work was more or less bottlenecked at the ISA bus... and lately I have been tinkering with a design that certainly would be by a PCI-X or PCI-e bus.
Wow so many folks sort of missed the point here...
Felten's description of the weaknesses of DHCP handshakes covers only one potential attack. Combined with other attacks, it's entirely possible that a group effort could crank out new secret vectors faster than the M.A.F.I.A.A. could revoke known compromised ones.
For example: If more was known (than I know) about the encryption algorithm used (AKA "the hdcpRngCipher") work could be started on creating dense & smart Time-Memory Trade-Off tables. This is a non-trivial task involving tens of thousands of CPU hours... a perfect thing for a validating distributed computing application (oh. this. has. so. been. done. before).
Also an HDMI repeater or splitter isn't very far from being a sniffer... I think all it lacks is a little I2C to USB help. This, the tables above, & an HDCP device will net you all the vectors you need to employ Felten's attack. Once one set has been compromised and the methodology worked out, it's just a matter of turning the crank to get more, and potentially very, very quickly.
The utility of these attacks goes well beyond being able to view 1080p on a non-DHCP device... one could render revocation useless by attacking high-end components sold by M.A.F.I.A.A. members (i.e. Sony). This eventually must lead to hardware devices running out of un-revoked vectors and becoming inoperable... an untenable situation for the M.A.F.I.A.A.
Now, if such a concerted attack is organized on the hi-def media... I feel that we will be right where we are now... a reasonably astute person can watch any DVD wherever they want and they can retain a backup of that media in a format of their choosing.
On your scenario... I think there's a bit more between Encryption and Subpoena Compliance.... Mostly because *no one* wants Subpoena Compliance.
Honestly all the ISP's need to get out of the unlimited business, because we all know it isn't unlimited. This business model in the US is just plain stupid.
I have metered access during the day and un-metered at night; this is exactly what I paid for, and my ISP & I don't have a problem with each other. Granted, I probably pay a bit more per month than the average USian Slashdotter (49 Euros), but it's fast and I don't get hassled.
I've thought "Ubiquitous Mesh Networks" would be an interesting thing for a while... particularly combined with "Ubiquitous Access Points". I'm sure some USian will call me a commie bastard but the more of the network owned by the collective users the less corporations can whine about what we do. I live in a college town, so I'm sure my mesh experience will be limited to freaky German porn, Heavy Metal Electronica music and every warez'd game known to man... oh well.
When I can buy a SATA Optical Drive & I can walk down to the Videothek and rent a *good* movie and mount it on my OpenBSD system, then I will be interested.
I am not buying an HD-DVD player, and I will not mount any rented media, BluRay, HD-DVD, or just plain DVD, on my PowerMac (which is the device that drives my HDTV).
Oh... and I plan on buying another Hi-Def display from an early adopter who has discovered that legal media would display properly on it... this may not be happening next weekend, but it will happen eventually.
I don't get what you're whining about... It's fair that people pay for excessive transfer volumes. The ISP connection packages in the US have always baffled me... there are so few choices.
Here in Austria we may have fewer ISPs, but the number of available packages dwarfs what is available in the US... For example, my mum has a package with medium bandwidth but very low transfer volume; this gives her a nice experience on the internet (and the computer updates actually get done) for nearly the same price as dial-up. I have high bandwidth with a "Fair Use" transfer volume that is un-metered during off hours, and my little brother has the high bandwidth unlimited transfer volume package for his attempt to collect all the porn in the known universe.
It's not the paying for transfer volume that's bad... it's the unethical business practices of American businesses that's bad.
As an old hippy socialist Apple user I completely agree with pretty much everything you said. Although some of the ideas that caught my interest in the IBM PPC970 apparently can be found in this latest Intel offering... still I'm mostly in the middle of my upgrade cycle... and I expect quad cores before I upgrade my PowerMac and a second generation of widescreen MacBook before I update my laptop.
Also I would be interested in a Cell / Power based content creation workstation --- but not from Sony, I've given up on them.
I'm not sure why digg is such a big deal. It's extremely susceptible to haters & griefers.
Worse it suffers even more from poor headlines & summaries and dupes.
The only advantage I see is stories here always appear on digg first... no amount of site UI redesign is going to change that.
You could always have another contest for the icons... say with a prize of a root account on the laptop on odd numbered days.
I kid, I kid!
Yes but when my GF looks at my motorcycle, my car, my paraglider, and my bike she seems to think it does.
I'm still trying to find out why in the hell they are so expensive... I'd have one right now if it was around 18,000.
Ahh ha! Since Mac OS 10.3 Apple has added a 12-bit salt to the password hash.
I have no idea about Linux but presumably FreeBSD & NetBSD do too.
Go read up on it.
Do you people have any clue how a brute-force attack is carried out?
One does not use the password entry UI of the system.
You should read up on it...
I would dearly love a cryptoprocessor, and looking at the specs it doesn't look all that far away.
Because it appears to be a Windows-only solution.
http://www.drccomputer.com/pages/products.html
I think you will find that the case *any time* a politician says something about "protecting the children".
Actually he's been in a bit of a slump lately...
I thought it was well established that Hi-Def was still MPEG-2 encoded regardless of the media (Blu-Ray or HD-DVD).
I know of none... but I'd be interested in an H.264 encoder.
And this forces you to exceed 15~25 gigs in one month? Obviously you belong to the same group as my younger brother!