There is some SHA1 as well via the download mirrors in TFA.
Though, I agree and wouldn't mind to see some old style mysql hashes for instance. It's amazing how few databases actually use the new form. The new form is SHA1 twice with no salt. (Hey more unsalted fodder for rainbow tables.) I don't know if anything else uses this method but I know bad things (TM) can happen when people just create new schemes like double hashing or double encryption. (3DES was supposed to be 168 bits (56 * 3) but turns out to be only 112 bits of security.)
Yes, the paper is not very clear. The FAQ on freerainbowtables.com comes complete with some diagrams. You are certainly correct that rainbow tables are not just huge precomputed hash databases. Unfortunately, it seems most slashdotters cannot be bothered to actually educate themselves and just like to state that it's a term to describe something very basic and old.
AFAIK Vista is the first windows to completely remove LM hashes as the default. Other than that you had to use a password of a certain length to prevent LM hash creation, 16 characters if memory serves me correctly.
Unfortunately not. Programmers and sysadmins alike only sort of seem to know what a salt is. Look at how often an application stores passwords plaintext or with a simple md5 and you'll be happier not knowing. For that matter I seem to recall that buffer overflows were discovered decades ago and yet plenty of new code continues to suffer from the flaw.
One very interesting place that unsalted hashes seem to stick around are old LDAP directories. I've seen ones with combinations of: MD5, SMD5, SHA, SSHA, and crypt/des. Also, let's say that the LDAP directory only uses SSHA *but* also provides NTLM hashes for Windows authentication such as PDC or BDC, well then who cares about the salted sha1 when you can attack the NT hash much faster.
For that matter only starting with Windows Vista are LM hashes *not* enabled by default. So while 2000, XP, 2003, etc. store the NT hash, storing the LM hash too means no one bothers to crack the NT hash.
One very good use for rainbow tables like md5 and sha1 is to at least get LDAP directories migrated to a salted variant. Good luck getting all your users to change their password or even remember it since they probably just have it saved in a browser.
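An added example (not from the original comment or from any directory product) that audits userPassword values for the schemes listed above and re-hashes an unsalted entry to {SSHA} the next time its owner binds successfully, a migration path that needs no recovered passwords. The `{SCHEME}base64(digest + salt)` layout, the 8-byte salt, the function names and the sample directory are assumptions constructed for the illustration.

```python
import base64
import hashlib
import hmac
import os

# scheme -> (hashlib name, digest length, salted?). Bytes after the digest are the salt.
SCHEMES = {"MD5": ("md5", 16, False), "SMD5": ("md5", 16, True),
           "SHA": ("sha1", 20, False), "SSHA": ("sha1", 20, True)}

def encode(scheme, password, salt=b""):
    """Build a '{SCHEME}base64(digest + salt)' userPassword value."""
    algo, _, salted = SCHEMES[scheme]
    salt = (salt or os.urandom(8)) if salted else b""
    digest = hashlib.new(algo, password + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def parse(value):
    """Return (scheme, digest, salt); a value with no {SCHEME} prefix is cleartext."""
    if not value.startswith("{") or "}" not in value:
        return "CLEARTEXT", value.encode(), b""
    scheme, _, body = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme == "CRYPT":                      # crypt(3) string carries its own salt
        return "CRYPT", body.encode(), b""
    if scheme not in SCHEMES:
        raise ValueError("unknown scheme: " + scheme)
    _, dlen, salted = SCHEMES[scheme]
    raw = base64.b64decode(body, validate=True)
    if len(raw) < dlen or (len(raw) > dlen) != salted:
        raise ValueError("bad length for " + scheme)
    return scheme, raw[:dlen], raw[dlen:]

def is_unsalted(scheme):
    return scheme == "CLEARTEXT" or (scheme in SCHEMES and not SCHEMES[scheme][2])

def verify(password, stored):
    """Check a bind password against the stored value (crypt(3) is not handled here)."""
    scheme, digest, salt = parse(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(password, digest)
    if scheme not in SCHEMES:
        return False
    computed = hashlib.new(SCHEMES[scheme][0], password + salt).digest()
    return hmac.compare_digest(computed, digest)

def audit(directory):
    """Return {uid: scheme} for every entry stored without a per-entry salt."""
    flagged = {}
    for uid, value in directory.items():
        scheme = parse(value)[0]
        if is_unsalted(scheme):
            flagged[uid] = scheme
    return flagged

def bind_and_upgrade(directory, uid, password):
    """On a successful bind, replace an unsalted value with a fresh {SSHA} one."""
    stored = directory[uid]
    if not verify(password, stored):
        return False
    if is_unsalted(parse(stored)[0]):
        directory[uid] = encode("SSHA", password)
    return True

# Constructed sample directory: alice and bob share a password.
DIRECTORY = {
    "alice": encode("SHA", b"hunter2"),
    "bob": encode("SHA", b"hunter2"),
    "carol": encode("SSHA", b"hunter2"),
    "dave": encode("MD5", b"letmein"),
    "erin": encode("SMD5", b"letmein"),
    "frank": "hunter2",
}

if __name__ == "__main__":
    print("same value for alice and bob:", DIRECTORY["alice"] == DIRECTORY["bob"])
    print("needs migration:", audit(DIRECTORY))
```

With {SHA}, alice and bob end up with byte-identical values, so one precomputed answer covers both; carol's {SSHA} value differs from theirs even though the password is the same.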
Please see my comment on the matter of "a new name for it for no reason."
If it was nothing but precomputed hashes then indeed it would not be very interesting as it is nothing new. However, it's quite a bit different as the lookups are probabilistic, not 1:1 look ups for is the hash there yes/no.
For that matter educating people to learn how to use salts with their hash for storing passwords is nowhere near complete even among savvy geeks.
If you just mentally link rainbow table with precomputed hashes then you have missed the point entirely. Rainbow tables are an entirely new approach to the problem. It isn't simply storing every precomputed hash. It has a few advantages such as much less disk space is needed, much faster due to indexes as well as less to load from disk, etc. It's actually probabilistic in nature and does not guarantee 100% that a given hash is found. You may want to spend the time to read through the FAQ if you are interested.
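An added toy example (not from the original comment or from the Free Rainbow Tables project) of the chain structure described above: only each chain's start and end are stored, the middle is recomputed at lookup time, coverage of the keyspace is partial, and a salted hash is not found at all. The 3-digit PIN keyspace, MD5, the reduction function and the table dimensions are assumptions chosen so the whole thing runs in under a second.

```python
import hashlib

DIGITS = 3                       # toy keyspace: the 1,000 PINs 000..999 (assumption)
SPACE = 10 ** DIGITS

def md5(plain, salt=""):
    return hashlib.md5((salt + plain).encode()).digest()

def reduce_to_pin(digest, column):
    """Map a digest back into the keyspace; each column uses a different mapping."""
    n = (int.from_bytes(digest[:8], "big") + column) % SPACE
    return "%0*d" % (DIGITS, n)

def build_table(chains, length):
    """Store only endpoint -> start for each chain of `length` hash/reduce steps."""
    table = {}
    for i in range(chains):
        start = plain = "%0*d" % (DIGITS, (i * 17) % SPACE)
        for col in range(length):
            plain = reduce_to_pin(md5(plain), col)
        table[plain] = start     # chains that merge onto one endpoint overwrite each other
    return table

def lookup(table, length, target):
    """Return a PIN whose unsalted MD5 is `target`, or None if no stored chain covers it."""
    for pos in range(length - 1, -1, -1):        # guess: target sits in column `pos`
        plain = reduce_to_pin(target, pos)
        for col in range(pos + 1, length):       # walk forward to the would-be endpoint
            plain = reduce_to_pin(md5(plain), col)
        start = table.get(plain)
        if start is None:
            continue
        cand = start                             # replay the chain up to column `pos`
        for col in range(pos):
            cand = reduce_to_pin(md5(cand), col)
        if md5(cand) == target:                  # otherwise a false alarm: keep looking
            return cand
    return None

def coverage(table, length):
    """Fraction of the whole keyspace the table can actually invert."""
    pins = ["%0*d" % (DIGITS, n) for n in range(SPACE)]
    return sum(lookup(table, length, md5(p)) == p for p in pins) / SPACE

CHAINS, LENGTH = 60, 20
TABLE = build_table(CHAINS, LENGTH)

if __name__ == "__main__":
    print("stored entries:", len(TABLE), "of a", SPACE, "entry keyspace")
    print("coverage: %.0f%%" % (100 * coverage(TABLE, LENGTH)))
    print("salted hash found:", lookup(TABLE, LENGTH, md5("123", salt="x9")) is not None)
```

The last line is the defensive point: the table was built for `md5(pin)`, so a hash of `salt + pin` falls outside every chain and a separate table would be needed for each salt value.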
One interesting use involves prebuilt cd and dvd isos for windows LM *and* NTLM password recovery.
With a distributed project like Free Rainbow Tables, it gives people less and less chance to avoid learning what a salt is and I hope will lead to more education of programmers, admins, etc.
No matter how expensive the hash is in terms of computation, nothing beats a good hash that uses salts for storing passwords. Though, I'd like to see websites stop storing plaintext passwords that they email to you for a password recovery :(
In fact this already exists. Read up on AFS. Not only does it provide the same services that samba or NFS provide it does so ENCRYPTED and can be used remotely across the net! It has full support on FreeBSD, OpenBSD, windows, and linux afaik.
um proof of concept?
Have you ever tried using gcj? Don't talk to me until you have. I was attempting to get Zend Studio (the only way to get code profiling in stack traces in php) working and guess what gcj couldn't get me anywhere. In order to even get the damn thing installed I had to install the sun java jre. Please link to docs where the spec is 100% open. Perhaps the "spec" is open but guess what all the classes that sun wrote and everyone uses sure aren't. I wasted a lot of time at University using java before I switched to a school that taught everything c/c++ based. Please don't lie about the supposed portability of java. The facts tend to tell more than the theory.
Apache is producing their own JVM? You do realize tomcat (the apache java servlet container) doesn't really work without sun java, right?
Finally, I don't use java; every experience is infuriating. Unfortunately the attitude of don't use it if you don't like it is the way that trolls try to claim it's portable. Guess what, if it were portable I COULD use it.
Except that java is one of the most non-portable solutions ever. Sun java runs on exactly:
windows x86, windows ia64, linux x86, linux ia64, solaris sparc32, and solaris sparc64. Some decently written C code easily runs on more systems than that while only requiring a compile. Java is only in theory portable. Unless sun opens the jvm it will never be fully portable.
I completely agree that OSS propagates through the gateway drug phenomenon. Originally everyone tried the RMS 100% free approach but that led to no acceptance outside of the geeks. As programs like firefox, gaim, OO, etc. become popular on windows we erode the closed source base until familiarity with OSS apps makes the switch of the underlying OS trivial and unnoticeable.
I was about to make a similar remark but thank you for stating it! While some code may "work" in one place this by no means makes it bug free. There are many instances of bad code working by sheer luck and only under a specific arch/platform. By ensuring code works under multiple architectures you will help eradicate bugs that may be exploitable. For example when a program seg faults repeatedly under OpenBSD I know that the program in question is not managing memory correctly. (OpenBSD with its memory protection refuses to allow reads/writes to illegal addresses that on other platforms could have resulted in exploitable holes.) While I have written many a fix for such programs it is nice to easily identify which programs/developers have a clue and which do not.
Overall the argument is mostly bogus. For example many linux developers have trouble writing code that even compiles under any of the *bsds. That is just sloppy coding. If everyone got in the habit of at least writing code that doesn't use system specific includes (linux developers seem the worst at this) and compiled with gcc -strict -Wall or something similar it wouldn't be much of any issue. While I can see that a request to make something work on OpenBSD VAX might be better ignored I fail to see how supporting at the very least linux/*bsd (Open, Net, Free) on ppc, sparc, sparc64, and x86 is supporting a minority. Overall OSS users/developers ARE a minority and to argue over which minority beats who is silly. Also, to only bother to support linux is no better than only bothering to support windows!
Actually computer hacking skills can get you a girl. It is all about how you sell it. If you sell yourself as a geek, you're SOL. However, if they see hacking as this glamorous/dangerous activity they're interested. I speak from first hand experience for myself as well as noticing the same effect happening for a few friends.
By closed architectures are you referring to the PPC? This is not produced by Apple but by IBM and the architecture docs are quite good (IBM will mail you a hardcopy set of the books for free.) In fact AMD and Intel for the x86 have docs on par with IBM for the PPC. I think you meant to say that some of their peripherals are closed products (like their wireless.)
Why is this person moderated informative? He doesn't even know the basics of WOL.
Hell I have a box that multiboots win98, 2k, xp, debian linux 2.4 or 2.6, obsd, and netbsd on my internal network. (Yes all those os' are on one system with one hard drive.) I ssh in to my firewall and then use a perl one liner to send a WOL packet to the system. Then I use cu or tip (serial port programs) and I get a grub prompt over the serial and pick the os to boot. After that I can vnc to the windows installs or ssh to the *nix installs.
Try it sometime:
1) make sure the NIC supports WOL
2) connect WOL cable from motherboard to NIC
3) check BIOS power management settings and be sure WOL can be used when the system is off (some BIOS have this off by default)
4) send magic packet like this:
perl -MNet::Wake -e "Net::Wake::by_udp(undef,'target_mac_addy_here')"
I suppose now you're going to tell me how it isn't possible to have a multiboot system or use a serial port to pick an os via a boot manager or vnc into a windows box or ssh into a *nix box, right?
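An added illustration of what step 4 puts on the wire (not part of the original comment and not Net::Wake's own code): a magic packet is six 0xFF bytes followed by the target MAC repeated sixteen times, and the same layout can be recognised in a captured payload on the firewall. The function names, the broadcast address and UDP port 9 defaults, and the sample MAC are assumptions.

```python
import re
import socket

SYNC = b"\xff" * 6               # synchronisation stream that opens every magic packet

def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff; return 6 raw bytes."""
    hexdigits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return bytes.fromhex(hexdigits)

def build_magic_packet(mac):
    """6 sync bytes + 16 copies of the MAC = 102 bytes."""
    return SYNC + parse_mac(mac) * 16

def find_wake_target(payload):
    """Return the MAC a payload would wake, or None. The pattern may sit at any offset."""
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6:start + 102]
        if len(body) == 96 and body == body[:6] * 16:
            return ":".join("%02x" % b for b in body[:6])
        start = payload.find(SYNC, start + 1)
    return None

def send_magic_packet(mac, host="255.255.255.255", port=9):
    """Broadcast the packet over UDP; returns the number of bytes handed to the socket."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (host, port))

if __name__ == "__main__":
    sample = build_magic_packet("00:11:22:33:44:55")   # constructed sample MAC
    print(len(sample), "bytes, wakes", find_wake_target(b"\x00\x01" + sample))
```

Nothing in the packet authenticates the sender, so `find_wake_target` is also a usable match rule for logging or filtering wake requests at the firewall the comment mentions.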
Heh I doubt it but we can hope. The lawyer that drafted my previous employer's NDA cost $150/hr and man they couldn't even get basic English correct. There were so many holes and absurdities in it that it would have probably been laughed out of court. When presented with it I started looking for a new job. (The previous job was soul-sucking for many other reasons but the lawyer/NDA part was the final straw.)
Exactly! After the technique to use timestamps to count hosts behind nat OpenBSD added tcp options to the scrub directive. For all my isp knows I have a single box since I have the firewall generating strong ISN's as well as scrubbing timestamps.
"im clients, etc."
Ha! Seems IM clients tend to just store the passwords plaintext so even unsalted MD5 would be an improvement over the status quo.
We aren't necessarily falling behind. Though, we may be a few years away from catching up to China.
You must not have lived in TX during the summer.
Let's go back to your parent post.
And ANYONE can produce a JVM - the spec is open for anyone to create. Sun don't have to do anything to allow that (you did notice that Apache are producing a FOSS JVM, didn't you?)
The ability to do something is not the same as having a fully functioning OSS solution. Yes the apache group is trying to get tomcat running without requiring sun java. All the various things that sun did that are not documented are sure to create fun compatibility woes.
Secondly, the fact that GCJ isn't complete yet doesn't mean fuck all
I fail to see how the lack of existence of an OSS compiler and vm doesn't mean anything. That's exactly my point since everyone likes to rely on sun and we're left with a compiler and vm that runs only where the whims of sun take it.
Additionally, people aren't supposed to use the Sun classes, they're not part of the spec, they're glue between Java and the OS.
Exactly, congratulations to them for never worrying about portability because there was only sun.
I've been coding C for two decades, C++ for about 12 years and Java for about 8. I'm glad your schooling helped you to know everything.
I take offense that you thumb your nose at me. Though, I can't be that dumb since I am apparently worth the time to write a response to. Further, I certainly do not claim to know everything.
Yeah right. Did your teacher give you that opinion too?
No my opinion that all the java trolls/zealots just tell everyone who does not agree with their point to not use java is entirely my own.
Also, want to talk java hell? I've wasted countless hours going back and forth with the Zend support guys attempting to get Zend Studio running on my FreeBSD workstation at the office. The platform is supported as a server but not as a client.
only 600? Ah, it appears so. Though, I think all ethernet over power line and/or internet is over AC.
What's the voltage of them? Internet via power lines (even 500k volt high tension wires) exists in some parts of the country.
Ya, strangely enough my uses of bittorrent are almost exclusively for iso's and other free content.
"Slow painful death" I read that and just thought "The castle ARGGGG" "what?" "he must have died while carving it!"