Slashdot Mirror


User: blibbleblobble

blibbleblobble's activity in the archive.

Stories: 0
Comments: 1,228

Comments · 1,228

  1. Re:Better than arbitrary, complex passwords. on Crappy Passwords Very Common · · Score: 2

    even non-dictionary words can be in a "dictionary-attack" dictionary.

    My wordlist-dictionary has things like tuxuser, bsd, and pr0ns1te in it - I'm guessing there are many things not in a dictionary but worth guessing passwords for.

    How many slashdot accounts do you think I could get with the "MicrosoftSux" password, for example?

  2. Re:so what? on Crappy Passwords Very Common · · Score: 2

    Like the obvious? If they have access to your desk, they have access to your diary, your wallet, and your credit card ;-)

  3. Re:Passwords.. on Crappy Passwords Very Common · · Score: 2

    Now if you could do morse-code on the shift key... that wouldn't show up on keyloggers

    You don't even need that: morse-code on any key would work. The keylogger would just record kkkkkkkkkkk and have no idea how long between each one.

    Nice idea. Can I patent it?

  4. Re:Passwords.. on Crappy Passwords Very Common · · Score: 2

    Damn good idea. For anyone with PGP6.0, you get an encrypted disk for free. Now on that disk (with a 3-word+2 digit password) you keep a file with all your passwords, usernames, etc. in it.

    Encrypted disks are great for so many things... too bad they're not easy to find anymore (not on latest PGP, not on GPG, and scramdisk's become commercial)

  5. Re:People don't get password security on Crappy Passwords Very Common · · Score: 2

    okay then:

    (a) How many passwords per second can you try? If it's crypto (pdf, doc etc) then it's probably a lot more than 1000 (elcomsoft.com)

    (b) How many guesses are you allowed? On a networked system typically 3. On a *nix system it's a 3-second wait if you type the wrong one. On my dad's car, it's 3 seconds first time, 10 minutes second time, and 24 hours the third time

  6. Re:Why need a team of specialists to do a survey? on Crappy Passwords Very Common · · Score: 1

    I've used such a system, and it's -really- annoying!

    Try it, and see how your tech support like the hundreds of "what the 4893's my password?!?" phone calls they get per day...

  7. Re:The fallacy of their argument on Crappy Passwords Very Common · · Score: 2

    I have a crappy password, but don't consider myself a luser. I use it for my yahoo account because I don't trust yahoo with my real password.

    I have an even crappier password for throwaway sites like NYTimes, where I really don't care if someone uses my password.

    The idea being, yahoo can't just use the password I supplied for their account to open my PGP key. I'm sure if you had the list of NYTimes' passwords and people's email addresses, you could just go to each email provider in turn and type in the person's NYT password.

    The problem isn't just with crappy passwords, it's with the way that even secure passwords get kept for years.

    "I use my dog's name as a password. Fetch, qloaah292!"

  8. Re:Realistic uses of Java in Handheld Devices on Java on Handheld Devices? · · Score: 1

    Well java will -always- be slow and bloated, that's what the virtual machine's for. And given that Sun aren't letting anyone license the processors to run java code directly, we're not going to see fast java code anytime soon.

  9. Re:what gives? on Class Action Lawsuit Against Spammer · · Score: 1

    Keeping an email address secret is security through obscurity. Yes, it's been published on slashdot, but even if it weren't, I still receive emails with awhite@yahoo.com, bwhite@yahoo.com, cwhite@yahoo.com, dwhite@yahoo.com... in the headers.

    Do people actually harvest email addresses from slashdot? I'd imagine you could get into a lot of trouble targeting the hackers, sysadmins and anti-spam campaigners who post here. Not to mention the number of email addresses which resolve to uce@ftc.gov, bg1@microsoft.com or whatever/.

  10. Re:Good make them pay on Class Action Lawsuit Against Spammer · · Score: 1

    I don't know about VA, but in England we don't really have lawyers.

    Go figure :-p

  11. Re:Legal Framework? on Fair Software Installation · · Score: 2

    signing authority? How about www.linux.org/apps ?

  12. Re:Creative Playcenter? on Fair Software Installation · · Score: 2

    Are you one of the few who read the EULA? I know I am, and it confuses the hell out of some workmates! ;-)

    As my boss says, "you agree to sell your soul to microsoft, right?" <click!>

  13. Re:Good idea (offtopic) on Fair Software Installation · · Score: 1

    Okay: offtopic, but burn my karma:

    I'm planning to install lycoris (redmond linux) on my sister's PC when she gets it, but I've never seen it myself. But you say you use it. So can I be cheeky and ask you for an opinion of it?

    I've never read much in the way of reviews for this distribution, so can you give me any tips on how well it works, and how good it might be for a newbie (even to windows) to use?

    As I say, offtopic, but it would be nice to hear from a real lycoris user. lyc@blibbleblobble.co.uk if you want to email

  14. Re:what gives? on Class Action Lawsuit Against Spammer · · Score: 1

    Can you check your hotmail account with a POP-client? (I know yahoo-mail users can, but I'm not sure about hotmail)

    If you can, you can get an email program with good filtering (even outlook express can filter well enough) and write some rules for it.

    Start off with: delete anything with html, img, remove, unsubscribe, US code, .tw, 'this is not spam', and the like. Modify it as you need it.

    I know from experience how much an early hotmail account is worth; I'm still fighting to keep owhite@yahoo.com usable. But it becomes an awful lot easier if you can write your own filters.

    I guess at work it's easier with an at-work-address, but you need a hotmail account to stop the company reading your personal email. As you say, it's an arms-escalation, and it'll take a while to resolve. Try a POP-client to read hotmail, and delete any HTML mail. That should remove most spam

  15. Re:what gives? on Class Action Lawsuit Against Spammer · · Score: 2

    As the karma-burners say, mod this up. It's a valuable well-thought opinion against the flock of slashdotters' group-opinions.

  16. Re:A death blow against Free Speech on Class Action Lawsuit Against Spammer · · Score: 2

    As they say, "Freedom of speech is great... right up there with the freedom not to listen"

    Never confuse your right to write with the lack-of-right to spraypaint that message on your neighbours' walls.

  17. Re:Forged headers on Class Action Lawsuit Against Spammer · · Score: 1

    Only in the sense that using foobar/foobar password combination to log-in-to nytimes.com is misrepresenting your identity.

    Of course, if you put someone's name into the "From" headers to deluge them with complaints from newbie recipients (as someone did to linux.org, see their page) then that -is- a form of identity theft.

  18. Re:Good make them pay on Class Action Lawsuit Against Spammer · · Score: 1

    There's probably a difference between your emails (which they read and respond to) and spam emails, which they delete without reading.

    On the other hand, they're lawyers, so expect them to conjure-up a figure.

  19. Re:Spam laws on Class Action Lawsuit Against Spammer · · Score: 1

    You have to pay 28p for each letter by conventional mail. You can't just write one and say "would you mind forwarding this to my list of 20,000 people" as you can with email.

    Just like marketing phone calls. Put the phone down on your desk, let them talk on their own money, and if they're still there after 5 minutes, hang up.

  20. Re:A voice enabled translation tool on Point, Shoot and Translate into English · · Score: 1

    As Mr Twain said, "if you can only think of one way to spell something, you lack imagination"

    Now go away and hide in your vocabulary-crippled cave, where only dictionary.com words are allowed

  21. Re:A voice enabled translation tool on Point, Shoot and Translate into English · · Score: 1

    Saxoamerican or Usaian. No need to insult those from south and central america by calling Saxoamericans "Americans(tm)"

  22. Re:Some questions... on Hiding and Recovering Data on Linux · · Score: 1

    "...the plans to bomb a MacDonald for providing the world with bad food..."

    I'm guessing you're French?

  23. Re:No FDIC insurance? on Feds Rule PayPal Is Not A Bank · · Score: 1

    Given the stories, you'd be quite insane to put any significant amount of money into PayPal

  24. Re:At least they have the first step down good on Consumer Technology Bill of Rights? · · Score: 1

    And if you're buying a license to listen to the CD, it follows that you can make your own copies of it... just like microsoft CD/license separation.

  25. Re:slightly different environment... on Document Retention And E-mail · · Score: 1

    So use a text file. Or am I misunderstanding something? Most email clients allow you to cut and paste text.

    Text files are best anyway for archiving emails: they can be arbitrary size, they can be searched, and they can be read using whichever os you decide to boot that day.

    And of course, text files can be encrypted, or put onto an encrypted disk. I suppose that email folders could too, but it's not so convenient