Slashdot Mirror


User: s.petry

s.petry's activity in the archive.

Stories
0
Comments
6,967

Comments · 6,967

  1. Re:Why? Simple bullshit is why. on Hackers Behind Biggest-Ever Password Theft Begin Attacks · Score: 1

    For posterity, it's not just the offline attack that's become a problem. There are numerous attacks that occur over huge IP ranges. If you locked the account at a few bad attempts most users would be perpetually locked out. Hackers are now hitting an account from thousands of IP addresses to brute force. They rate throttle to reduce detection, most connecting once every 30-60 minutes. The really stealthy attacks may have a single IP connecting once per day for 1 account, the next day the same account will be hit from a different IP, and the next day a new IP.

    If you don't have a vigilant watch on log data, someone in your perimeter will be hacked in time. Some network devices (I won't give a sales pitch for free) will help quite a bit, but we still manually block a whole lot of IPs that the devices miss.
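A detection approach for the pattern described in this comment (one account, many source IPs, each at a low rate), as an added example that is not the commenter's code: it runs over constructed auth log lines and separates a single-IP burst, which a per-IP lockout already catches, from a distributed low-rate guess, which only shows up when failures are aggregated per account across sources.

```python
"""Separate single-IP bursts from low-and-slow distributed guessing."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log, not real traffic: "<timestamp> <user> <ip> <result>".
# alice: one failure per source IP, spread over hours (distributed, throttled).
# bob:   six failures from one IP in two minutes (classic burst).
# carol: one typo, then a successful login (benign).
SAMPLE_LOG = """\
2014-08-06T00:12:03 alice 203.0.113.10 FAIL
2014-08-06T00:47:51 alice 198.51.100.7 FAIL
2014-08-06T01:30:22 alice 192.0.2.44 FAIL
2014-08-06T02:05:09 alice 203.0.113.88 FAIL
2014-08-06T02:51:40 alice 198.51.100.201 FAIL
2014-08-06T03:33:15 alice 192.0.2.9 FAIL
2014-08-06T04:10:00 alice 203.0.113.250 FAIL
2014-08-06T04:55:31 alice 198.51.100.33 FAIL
2014-08-06T09:00:00 bob 192.0.2.100 FAIL
2014-08-06T09:00:20 bob 192.0.2.100 FAIL
2014-08-06T09:00:41 bob 192.0.2.100 FAIL
2014-08-06T09:01:05 bob 192.0.2.100 FAIL
2014-08-06T09:01:30 bob 192.0.2.100 FAIL
2014-08-06T09:01:55 bob 192.0.2.100 FAIL
2014-08-06T10:00:00 carol 192.0.2.77 FAIL
2014-08-06T10:00:30 carol 192.0.2.77 OK
"""


def parse(text):
    """Turn log lines into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def has_burst(times, limit, span):
    """True if `limit` consecutive timestamps fall inside `span`."""
    times = sorted(times)
    return any(times[i + limit - 1] - times[i] <= span
               for i in range(len(times) - limit + 1))


def classify_failures(events, window=timedelta(hours=24), per_ip_limit=5,
                      per_ip_span=timedelta(minutes=10), distinct_ip_limit=5):
    """Map each account to 'fast_single_ip' or 'slow_distributed'.

    A per-IP lockout only sees the first kind. The second kind is found by
    counting distinct failing sources per account over a long window, so an
    attacker pacing each IP at one attempt per hour still trips it.
    """
    fails_by_user = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            fails_by_user[user].append((ts, ip))
    verdicts = {}
    for user, fails in fails_by_user.items():
        fails.sort()
        by_ip = defaultdict(list)
        for ts, ip in fails:
            by_ip[ip].append(ts)
        if any(has_burst(t, per_ip_limit, per_ip_span) for t in by_ip.values()):
            verdicts[user] = "fast_single_ip"
            continue
        start = 0  # sliding window over this account's failures
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if len({ip for _, ip in fails[start:end + 1]}) >= distinct_ip_limit:
                verdicts[user] = "slow_distributed"
                break
    return verdicts


if __name__ == "__main__":
    print(classify_failures(parse(SAMPLE_LOG)))
```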

  2. Stat is very wrong.. on Hackers Behind Biggest-Ever Password Theft Begin Attacks · Score: 1

    I'm not sure you ever tried to write a brute force tool, let alone run one. I'm not saying your method is horrible, but it is nowhere near as secure as you think. The actual strength is (dictionary_words)^4. The statistic you gave is not even accurate as a 26 character randomized password, which would be 26^26 (given that you are only using lower case letters). Your strength statistic is absolutely wrong.

    There are many ways to make strong passwords. If you want to use words like that, mixing in what I gave as required makes a huge difference. 'R3defined?display/Parcel5suiteD' makes a massive difference to your 4 words. I can't use a dictionary alone to break it, I have to use brute force methods.

    I personally prefer a math/programming method of making passwords. '21Y=acos[n-1]' for example is going to be a nasty amount of effort for someone to break. 'Fling[p00,u]' is another, and if you want to make it harder in your passwords change one of the brackets/parentheses to an alternate. E.g. '{N-33]=Pi*qq'.

    Some people prefer phrases and transformation. 'Mary had a little lamb, its fleece was white as snow' would be 'Mhall,ifwwas' which again is not using dictionary words and going to be hard to break.

    Stringing 4 words is not 'bad', because you are making it harder for a hacker than 'password1'. Being more secure than that person is what has kept your password safe, not the method of construction you gave here. Well, that and the fact that people shut down brute force attacks when they are detected normally.

  3. Why? Simple bullshit is why. on Hackers Behind Biggest-Ever Password Theft Begin Attacks · Score: 4, Informative

    The first report was bullshit by some nobody to make money, nothing more and nothing less. This is more of the same bullshit to make bogeymen, and Russia has been a good target lately. I have worked in IT security for nearly 3 decades, so yes I do have some knowledge.

    The 1.2 billion "credentials" was nothing to worry about (see disclaimer below), and still isn't. Hackers move massive lists of email addresses all the time, and try to run brute force attacks all the time. We block hundreds of thousands of these attacks every day. The majority are [email_addr@domain] with a password of 'password1'. Most of the time these are easy to see, as neither the user nor the domain exists on the targeted servers. Even the legit addresses are easy to detect, because hackers will use the top 25 worst passwords (just like you can find in articles every year, no I'm not kidding). Rarely do I ever see anything complex, like .00001% of the time rare, where there is actually a worm running on the back end (think John the Ripper).

    If I was a conman and wanted to make fast cash, I could start dumping all of these email addresses to a DB, and say "Oh Noez! This email account is haxxored!" When in reality, there is no such compromise. To fluff numbers, I hash 'password1' in SHA, MD5, CRYPT, and maybe even use plain text. 300 million accounts have now given me a claim of 1.2 billion 'credentials', and you can hopefully see that the claim is complete shit! I can gather those 300 million addresses in a week without breaking a sweat.

    Disclaimer. You should be changing passwords for anything you care about frequently. 8 character passwords every 90 days, 14-16 character every 6 months. If you are using a strong password and are up for a change, go do so, no big deal. Since I write this shit for policies regularly, a "strong" password consists of the following.
    1. No dictionary words, proper names or common acronyms in forward or reverse.
    2. No QWERTY keys, including qazwsx, 54321, etc...
    3. Contains at least 1 special character, 1 number, 1 upper and 1 lower case character.
    4. Is not 'p@SSw0rd' or some other l337 speak that would be in a cracklib dictionary, and there is plenty there.

    There are obviously restrictions in some places, so if you can't use certain characters make a longer password. If you can't make a longer password change the password more frequently. The majority of 'hackers' are script kiddies, not hackers. If you make things hard, they find a different target. There are numerous people out there that use 'password1' for their password, don't be one of them.
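The strength comparison from the 'Stat is very wrong' comment and the four policy rules in the disclaimer above, as an added example (not the commenter's code): a checker implementing the rules against a small constructed word list and set of keyboard walks standing in for a cracklib-style dictionary, plus a keyspace helper for comparing (dictionary_words)^4 with 26^26.

```python
"""Password policy checker for the four rules above, plus keyspace arithmetic."""
import math
import string

# Constructed stand-in for a cracklib-style list: dictionary words, proper
# names and acronyms together. A real deployment loads the full list.
WORDLIST = {"password", "letmein", "welcome", "dragon", "display", "parcel",
            "suite", "fling", "mary", "lamb", "john", "nasa", "admin"}

# Rule 2: keyboard walks along rows and down columns. Any 4-character window
# of these, forward or reversed, counts as a keyboard sequence (qwer, qazw, 5432).
KEYBOARD_WALKS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                  "qazwsxedcrfvtgbyhnujm", "1qaz2wsx3edc4rfv"]
SEQ_LEN = 4

# Rule 4: undo common l337 substitutions before repeating the word check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def _contains_listed_word(text):
    """True if any word-list entry appears in text, forward or reversed."""
    return any(w in text or w[::-1] in text for w in WORDLIST)


def _keyboard_sequences():
    seqs = set()
    for walk in KEYBOARD_WALKS:
        for s in (walk, walk[::-1]):
            for i in range(len(s) - SEQ_LEN + 1):
                seqs.add(s[i:i + SEQ_LEN])
    return seqs


KEYBOARD_SEQUENCES = _keyboard_sequences()


def check_password(pw):
    """Return the numbers of the policy rules (1-4 above) that pw violates."""
    lowered = pw.lower()
    violations = []
    # Rule 1: dictionary words, proper names or acronyms, forward or reverse.
    if _contains_listed_word(lowered):
        violations.append(1)
    # Rule 2: keyboard walks such as qwerty, qazwsx, 54321.
    if any(seq in lowered for seq in KEYBOARD_SEQUENCES):
        violations.append(2)
    # Rule 3: at least one upper, one lower, one digit, one special character.
    classes = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw)]
    if not all(classes):
        violations.append(3)
    # Rule 4: a listed word that only appears once l337 substitutions are undone.
    if 1 not in violations and _contains_listed_word(lowered.translate(LEET)):
        violations.append(4)
    return violations


def keyspace_bits(alphabet_size, length):
    """log2 of alphabet_size ** length, the number of equally likely candidates.

    Four words drawn from a 10,000-word list give 10000**4, about 53 bits;
    26 uniformly random lowercase letters give 26**26, about 122 bits.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ["password1", "p@SSw0rd", "qazwsx99!A", "21Y=acos[n-1]"]:
        print(candidate, check_password(candidate))
    print(keyspace_bits(10000, 4), keyspace_bits(26, 26))
```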

  4. The Double Standard keeps growing on Deputy Who Fatally Struck Cyclist While Answering Email Will Face No Charges · Score: 1

    As you said, this is clearly a double standard. I believe your use of "sued" is incorrect, because there was no stop of a civil trial, just criminal. It's not an easy thing to change when corruption is this deep in the legal system, but people need to get out and start protesting and getting people on ballots to oust the cronies.

    I wish I could say this was just a training issue, but clearly this goes well beyond a training issue. The DA just let all cops know that if they drive distracted "too bad" even if it costs a completely innocent person their life.

  5. Says you on Yahoo Stops New Development On YUI · Score: 1

    Chrome is just like IE for more operating systems, no thanks I won't touch the stuff. Rating things on a combination of user security and functionality, Opera is hard to beat with Firefox in a close 2nd. I don't care how fast Chrome can load pages, I don't sit and watch memes flash by all day.

  6. Re:That's nice, but... on Microsoft Defies Court Order, Will Not Give Emails To US Government · Score: 4, Insightful

    Dunno, the Russian FSB has actually wrung Windows code reviews out of Microsoft so if they didn't find any back door in that code I'd say there are none to find..

    A viable alternative is that they found and use the same back doors available to the NSA. It's speculation either way, because there are no independent reviews of Microsoft's source code and shipped binaries. The released binaries may not even match the source they provided for review.

  7. Re:Congressional Pharmaceutical Complex on States Allowing Medical Marijuana Have Fewer Painkiller Deaths · Score: 1

    I didn't say it was bad to have some statistics, I said it was bad to have this study focus on one statistic. You know as well as I do that if the numbers are off, people against legalization will jump all over the study just to wreak havoc on the legalization. Illegal marijuana was (and in many places still is) a huge revenue source for both the criminal side and the law enforcement side (and yes, we would probably agree that the line between those two elements is crossed very often).

  8. Re:Congressional Pharmaceutical Complex on States Allowing Medical Marijuana Have Fewer Painkiller Deaths · Score: 1

    Yeah, and the ATF and DEA were still raiding shops as recently as 2 years ago in spite of California's laws legalizing marijuana. Normalization is not recent.

  9. Re:It probably can. on Hidden Obstacles For Google's Self-Driving Cars · Score: 1

    So they just drove over the same "few thousand miles of roadway" again and again and again and again? Until they got to 700,000 miles?

    I think you meant this as sarcasm, but that one is mostly correct. These cars are not doing cross country trips, so claiming a few thousand miles of roadway is probably an overestimate. They drive the same roads and areas over and over and over again.

    As it should. Because you don't know if that piece of paper is covering a rock or a pothole or whatever.

    I have been tempted to carry a bucket of chaff and just see how well a Google car handles it, but then again rain and snow are problems so the experiment is really not needed.

    The point here is that a human can notice things that a current auto driving car can not. Not all humans pay attention, but for the percentage that do you can tell when a paper bag is blowing around on the freeway. Human reaction to those things is generally measured and controlled much better than a Google car. In time, I am sure it will get better but you need to discuss what is there today, not what we wish it had and are working for.

    So they cannot deal with new stop LIGHTS but they can deal with new stop SIGNS. WTF?

    I'm not sure how much you drive around California, but if you ever do you will see why this one is an issue. Many traffic lights in Mountain View for example are angled downward, so you have to be at a certain distance to see the color. There is one by Shoreline and Central that you can't see until you are about 40-50 feet away (for those interested, eastbound traffic at the fire station).

    Compare that issue with scanning for a red octagon pattern, and it should become obvious why stop signs are much easier to do. Traffic lights would be easy if they broadcast a signal, but they don't.

    Overall, I'm not against self driving cars as long as we can choose between modes of operation. I think we are a long way off in terms of technology to make them safe in all environments; that does not imply even decades. I am mostly concerned with the health impact of all those radars and sensors broadcasting everywhere, but that's mostly due to my own ignorance (I have not taken any time to study since they are extremely rare).

  10. Allergies? on Hidden Obstacles For Google's Self-Driving Cars · Score: 1

    I'll guess allergies, and building those little straw men triggered them.

  11. Re:Congressional Pharmaceutical Complex on States Allowing Medical Marijuana Have Fewer Painkiller Deaths · Score: 1

    I won't argue that the war on drugs is a huge failure, but that's a different argument in my opinion. The primary argument here is whether or not marijuana legalization has reduced deaths from prescriptions.

    Given legalization is extremely new, the conclusion of the article and study is grossly premature. Making matters worse, in my opinion, is that the study only looks at a single element of drugs, and not the complete impact.

    As with my opening paragraph, I'm not pro drug war or anti marijuana. I simply think that these types of studies would be better to include other impacts, because in 3 years the stats may show something completely different. Studies should include things like crime reduction and savings to law enforcement due to crime reduction, local economy impact (Dorito sales!!), overall health of patients receiving and using medical marijuana, etc...

    The war on drugs is a failure for many reasons, and single impact studies won't flesh all of those out.

  12. Maybe, but I don't think that any real discussion could be had about our megacity future based on this type of video game. Notice there is no food growing anywhere, very little greenery (think pollution), every inch of terrain was flattened, there was no water, etc..

    Don't get me wrong, I think SimCity is a cool game. I don't think it's simulation software, and therein lies the big issue.

  13. Re:More useless statistics... on Canada Tops List of Most Science-Literate Countries · Score: 1

    What is more hilarious is your ignorance regarding education required for a job (feigned or otherwise). If you have a mechanical engineering degree, you are not going to go out and be a plumber (at least legally in most places). Plumbing requires trade school and certification, not a mechanical engineering degree. As with college, that requires money and time to achieve.

    After you get your apprentice certification, you will work on your Journeyman certification, then you will be working toward master certification. None of this will be applied to a PhD.

    The hype about STEM is mostly just hype. Society can not function if everyone is a brain surgeon, ever. You need plumbers, welders, mechanics, farmers, textile industry, etc.. etc... and the education for those types of jobs is very different from that of a nuclear physicist.

  14. Re: It's OK to attack mythology and superstition.. on Drought Inspires a Boom In Pseudoscience, From Rain Machines To 'Water Witches' · Score: 1

    You forget that aliens are often branded as "science" (minus the fiction of course). Watch a few Discovery and National Geographic TV shows, and remember that those are supposed to be our "educational programming" networks.

    Prefixing an argument with "Scientists believe that" is an easy way to dupe people that want to believe they are more intelligent than those other people. That particular appeal to authority is used quite often with good effect.

  15. Re:It's OK to attack mythology and superstition... on Drought Inspires a Boom In Pseudoscience, From Rain Machines To 'Water Witches' · Score: 1

    The ignorant just keep re-inventing things, convincing themselves that it really works (this time).

    You are attacking the wrong target. The intelligent people repackage these and create new rhetoric to convince the ignorant that they work. Normally they can become pretty wealthy before they are told to stop, which only happens after enough of the ignorant petition grievances.

  16. Re:More useless statistics... on Canada Tops List of Most Science-Literate Countries · Score: 1

    I don't judge Canada poorly by people from Windsor, those were the people I referred to as mostly like Americans. IMHO the worst part of Canada is in French Quebec, and not because of guns or violence but because the people there hate anyone that's not a French speaker from Quebec (and have no problem spitting on people and telling them to get the fuck out of Quebec).

    My family is mostly blue collar workers from Detroit, and most people in Windsor are similar blue collar types.

  17. More useless statistics... on Canada Tops List of Most Science-Literate Countries · Score: 1

    No offense intended to any Canadians, I spent a good amount of time in Windsor when I lived in Michigan and long time family friends are from Windsor. Better beer than the US, and not much different than folks in the US (minus the "aboot time" and "eh", but we have people in the US with their own quirks).

    The study is by the Council of Canadian Academies. An immediate question of bias should pop into your head with that little fact. There was exactly one person on the council not from Canada, who happened to be from London.

    Where did Canada really rank #1 (p19)? 93% said they were interested in scientific discoveries and technological developments. Big whoop to that, I know lots of people believe "The Big Bang Theory" is where they should learn science. Interest levels help for sure, but if there is no market for scientists then they will have Big Bang for entertainment and learn jobs that are actually available. This brings us to their other number one.

    #1 with tertiary education. Considering that they rank 22nd with the percentage of population working in science and technology, most of that tertiary education is _NOT_ in science or technology.

    There are some very questionable measures overall, but we can skip those for now. I think the most telling is that the numbers they are comparing are to other countries from 2005 answers to similar questions. Discussing GMO today compared to 9 years ago is going to provide drastically different results in all countries (one example of a bad statistic). If you are doing a study and claiming you are now smarter than someone, at least test them at their current level too.

  18. Re:Seems good to me. on The American Workday, By Profession · Score: 1

    It's one thing to be compensated more for working an off hours shift. It's quite another to be paid minimum wage and either work the shift or get fired. The majority of the jobs where people work holidays and off hours is the latter, not the former.

  19. Re:old but somewhat effective on FBI Investigates 'Sophisticated' Cyber Attack On JP Morgan, 4 More US Banks · Score: 1

    Russia didn't just annex Crimea?

    Crimea voted with a 90% margin to annex from Ukraine, this was not "Russia" doing anything. This vote happened after a bloody and violent coup in Ukraine. The voting process has not been demonstrated to be incorrect by anyone, the fact that they annexed at all is what is questioned.

    If you want to play the game and cry foul, you need to make sure you account for US involvement in Libya, Egypt, and every other country where we have cried foul after a vote goes against US interests. This is not something recent, it goes all the way back to at least the 1950s. I'd be willing to bet I have more knowledge on world history than you, so play smart.

    That columns of Russian armor with their insignia painted over didn't just roll across the border into southeast Ukraine?

    I know, I know.. the white cat worked before so it should work again. We have no US military intelligence backing the claim that Russia invaded the Ukraine. If you want to talk about border runners I think that's possible, but then why don't we start war rhetoric against Pakistan that harbors all kinds of terrorists crossing their border to fight and hide, and has harbored them since at least the first gulf war?

    If you want to bang the drum for war, do it fairly. If you don't then you are not working for altruistic goals, you are maneuvering. The US has been caught, since again at least the 1950s, repeatedly doing the latter while claiming the former. No matter what you say, facts state that Saddam did not have WMDs, North Vietnam never fired on US ships, and the US-installed governments in numerous countries have failed and backfired over time.

    What you're saying is so blatantly false and disingenuous on the face of it that - unless you are actually delusional -

    Really, I'm delusional because I demand facts over a claim from sources that have willfully provided false information on numerous occasions? You should really find a good mirror and take a long look before making such accusations. Make sure you actually read the definition of delusion before tossing it out as an ad hominem as well. Not only am I more knowledgeable on history than you, but I am better trained in rhetoric.

    I'm happy to debate political science with you, but make it a real debate instead of baseless accusations and fabrications. If I really wanted the latter I would listen to Fox or CNN.

  20. old but somewhat effective on FBI Investigates 'Sophisticated' Cyber Attack On JP Morgan, 4 More US Banks · Score: 1

    The fear and war mongering is coming from all fronts currently. For a decade it was mostly the Middle East. Now they are ratcheting up the propaganda against Russia. Partially due to people realizing that the US is training and arming the "terrorists" in the Middle East causing many of the problems, and partially due to needing a bigger threat. So yes, people are getting wise to the games. John Kerry and his constant screaming for a white cat has become blatantly obvious.

    Until recently Chinese and Japanese skirmishes over islands would occasionally pop up as a "big threat", but it was nothing that could be sustained as war propaganda. Russia on the other hand, what an easy target. Far enough away and little enough interaction that most people are ignorant, and was a technological threat for long enough for people to believe a bit more of the rhetoric.

    I also believe the media controllers are getting worse at propaganda, but blame this on desperation because more people are wise to the propaganda. How many times will we hear a claim of "Russia invaded the Ukraine" and have that proven false before people ignore it completely? I'm pretty sure we are capped out at the limit.

    Let's not forget the obvious alternative motive for this particular propaganda. It takes the blame off these large banks that continue to violate the law and/or not correct major security problems. Execs make more cash because they don't have to spend money correcting problems, and all the blame goes to "those guys". Convenient for both sides.

  21. Reduce the footprint on U.S. Senator: All Cops Should Wear Cameras · Score: 1

    You won't ever get a perfect law. An easy addition would be to include in the law a simple addition to the law (or secondary law). Any law enforcement persons found to be tampering with, disconnecting, hindering, or intentionally destroying the cameras and associated equipment for transmitting, encoding, decoding, viewing, or storing video will be subject to a penalty of 5-10 years imprisonment.

    This is still not perfect, but if you are a good citizen and see a cop off in an alleyway tampering you can film the act and call it in.

    I fully agree that this is still subjective and some cops will take the chance. That said, changing the corruption in the system has to start somewhere. If people at the bottom start getting taken out, people above them will start to be sucked out with them. Kind of cool how reduced sentences encourage lower level criminals to turn in the bigger bosses right? Corrupt cops are criminals too.

  22. Re:Red Hat move too slowly on How Red Hat Can Recapture Developer Interest · Score: 1

    Ha ha! Believe the anonymous coward because they claim they are truthful. Believe the anonymous coward that implies that karma is the devil, yet countless people log in and use the karma system without problem. And you sure as hell did not give any thought to claiming that group think changes based on your personal anonymity. Finally, closing with an appeal to emotion does nothing to add any credibility.

    Like the person you responded to we don't use Ubuntu because even the LTS version requires lots of tweaking. Occasionally it simply halts with no message, no error. It's not hardware, because a fresh Debian install corrects all the issues we have with Ubuntu. Further, I have to shut off daemons and remove software that should not be running on a server without me adding them. Ubuntu has phoned home by default since 10, and that is not allowed on my servers (Not just a personal preference, but a compliance requirement in many cases).

    It's amazing how many nobodies claim Ubuntu is so great, yet are responsible for supporting a whole personal workstation or two running Linux.

  23. Re:flash is horrible on Slashdot Talks With IBM Power Systems GM Doug Balog (Video) · Score: 1

    flash is nothing more than Powerpoint with two bad copies of javascript and a heap of vulnerabilities added.

    FTFY

    FT FTFY!

  24. Re:Refreshingly 'normal' interview on Slashdot Talks With IBM Power Systems GM Doug Balog (Video) · Score: 1

    IBM was kind enough to invite me to the launch of the Pure systems, and it was well done also. The majority of the speakers were the engineers that designed and tested the systems, and it was very much a show for techies. Launch means sales, so of course there was some of that but it was not the majority and not the highlights.

  25. Reality check on Slashdot Talks With IBM Power Systems GM Doug Balog (Video) · Score: 1

    I call bullshit! I worked with a team that had this belief at a very large telecom in San Jose. They swore that their off brand servers were just as good as name brand but cheaper. Of course we had to ignore the fact that every machine came with different LOM cards, most of which didn't work at all. That itself should have been a dead giveaway, but oh no.. can't convince these guys that their cheap custom built servers are any different than an enterprise class system.

    Until of course we started adding 10Gb cards and could not get images to work on most machines. Drivers would fail for unknown reasons and a bit different on every box. Then after some digging we find out that every box has a slightly different motherboard, slightly different NIC cards, slightly different memory, slightly different 10Gb NIC cards, etc.. etc.. because of course they are built for price as one off systems.

    Since the project was to build out a large simulation cluster the boxes had to have identical loads, so we scrapped 200,000 worth of "cheap" servers that at least a dozen people fought tooth and nail to get because they were "just as good as other enterprise systems but cheaper".

    If you want to claim that your cheap stuff is "enterprise ready" I demand you prove it.

    As a caveat, I don't have anything against those types of systems for special purposes. Special purposes are not "enterprise class" systems, they are custom built for a specific purpose. I am not confident, but I do hope, that you can distinguish the difference between the two.