They are traitors and should be jailed. In fact, since they believe they're involved in a "war on terror", maybe we should try them for treason under military law.
Also, I wouldn't trust the statement that the chancellor's office didn't know anything.
The argument by HFT traders is that it reduces the liquidity and efficiency of the stock market.
And people still fall for that argument, which amazes me to no end.
Yes, markets need liquidity.
No, markets do not need 5000% liquidity.
Everything is toxic in overdose, even water.
The real people to throw in jail are the ones who made it possible. The guys who deregulated the markets so much, the ones in oversight of the finance system who didn't see these things approaching and the people who dissolved all the protections of the real economy against the finance market because they were greedy for quick bucks.
Politicians, mostly, but we should also go after the lobbyists and their employers who influenced them.
Of course, that will never happen. Society rarely becomes self-conscious enough to get rid of its parasites.
That is exactly what I mean. I would even go one step further at the end: Without the risk of the computer compromising the user. Because the computer in itself is worth its scrap metal value and that's it. Everything of actual value is in the user - the data, the communication, the access to 3rd party networks and services. Not that one particular user in front of the machine, maybe, but a user.
I've exited the security industry after 15 years, no longer believing that it does any good. And TFA is pretty spot on.
The issue is that security is both wide and deep. You need to cover all your weak spots, and you need to cover them completely. As an industry, we have succeeded in finding technical solutions to almost every challenge, but we've failed in creating a systematic approach to the field. Look at the "best practice" documents - they are outdated and mostly a circle-jerk. I did a quick study some months ago checking the top 100 or so for what the academic or scientific or just substantiated-through-sources basis is, and the result is pretty much: None at all.
Even the different standards, including the ISO documents, are collections of topics, not systematic wholes. It's like high school physics: This month you get taught optics, next month Newton mechanics, the third month electromagnetism. The only thing they have in common is the classroom.
Nowhere is it more visible than our treatment of the user. It's clear that most security professionals treat users as disturbances, as elements outside their field of security. I imagine what roads would look like if their planners would look at accidents and say "cars are a threat to our road system. They clog it up and very often they crash into each other and cause serious issues to traffic. We need to protect the road system against cars. Can we automate roads so they work without cars as much as possible?"
We need a much more systematic, holistic view on the whole field than we have right now. In a pre-scientific field, snake oil is the norm. It was the same in medicine (where the term originates), in chemistry (alchemy), in psychology (astrology, numerology, one hundred other primitive attempts at understanding and predicting human behaviour) and virtually every other field, even many non-scientific areas, such as religion/magic.
So, your average software developer. Which explains a lot about why software quality sucks so much. (and then someone writes six code analysis tools and ten testing tools to at least catch the shit before it hits the fan).
Same reason that fascism and communism are unlikely to win any elections anytime soon - the name has been tainted by a horrible first version, even if you came up with a perfect current version, nobody would believe it.
While it originally was introduced in order to execute painlessly, following basically your logic, it has since turned out that this is not true and the Guillotine is actually a fairly cruel execution method.
It is great for market-square entertainment, though. Maybe that's what you're really after?
Actually much more interesting than I thought at first glance.
The game is designed intentionally with computational complexity in mind. It failed. The rules (WP has them, or a dozen other sites) are mostly designed to increase the search space. For example, instead of the fixed setup in chess, you get basically the same pieces, but you can put them into your 2 rows in any way you want. I'm too lazy to calculate the initial starting positions, but thanks to the Internet, someone else did it and came up with ~10^15. That makes an opening library practically impossible.
However, I'm a hobby game designer, so I look at rules with slightly different eyes. The complexity of the game is largely artificial. Brilliant minds will, like in a badly designed crypto-cipher, find tons of places where the complexity can, for the practical purpose of actually playing and winning a game, be reduced dramatically. Remember that in theory chess has 20 valid opening moves for white. The vast majority of them you will never see in any real game.
I'm also bothered by the fact that complexity is reached by the addition of rules, instead of the subtraction. Go is a perfect example for how you can reach complexity with very simple rulesets. When building games, especially board games, you generally strive to keep the ruleset as simple as possible and check every rule for whether or not it adds anything worthwhile to the gameplay or not. For a simple, conventional style 2-player board game, the ruleset is overly complex IMHO. Maybe that's why I never heard about this game before - it doesn't actually appeal to many human players, except those interested in not being beaten by a computer.
New at Steam: We replace people who don't give a fuck with people who really don't give a fuck.
No, don't get me wrong, it's a step in the right direction. But the step itself begs questions. In general, the great firewall is the first cent - people who spend nothing at all and people who spend something, no matter how much. If you don't believe me, try charging 10 cents or something ridiculously small for any free web service you offer, and you'll find your user numbers drop through the floor.
I don't think there's a measurable difference between $5 and $4 or $3 -- the number is entirely arbitrary. A psychological barrier would be $10 (the two digits, the reason almost nothing in any shop in the world costs $10, it will always be $9.99 or $9.95).
But the act in question here would be the writing of a dictionary, and even in the most totalitarian states, that is not a crime.
Compensation has been commensurate to your skills for hundreds of years.
Your argument smells.
Yes, more skilled people in general earn more. But (and in the words of Ben Goldacre: It's a big but) there are exactly two issues with this in our modern hypercapitalism, and they are related:
a) A class of very low skilled workers has moved to the top of the food chain and takes a massive part of the total wages for itself
b) The general level of pay is staggeringly low. If you compare the wealth of your western nations to the wealth of the average individuals within, you should be frightened. Most western countries can spend a few billions here and there without so much as shrugging. As nations, we have more, much much much more money available than ever in history. The most lavish spending of any king in history pales compared to everyday infrastructure, science or military projects of today. As people, we are richer than the average middle ages peasant, but in comparison to our nations' wealth, we have less.
Then another site I used got hacked. And at that point I decided I was better off using a password manager and using different passwords for each site.
Yeah, that sucks.
I use a password manager as well, mostly because I'm lazy typing. It gives me the added benefit that if one of the sites gets hacked, I can check the PW manager to see where else I use the same PW.
You can use different passwords, if you like. I don't do it because it would mean that when I find myself without my PW manager, I'd be fucked. And it happens quite often that I do.
The problem there is that all it takes is one crap site and an attacker can check all of your "reset answers" (pet's name / mom's name / etc) to see if they can be used for an attack.
These bullshit "security questions" are actually the weakest link. I don't use them. If the site enforces it, I fill them with noise.
Think about what the minimum information an attacker would need to access your bank account (either login or social engineering) and then look at how many sites have that information.
Depends on your bank. Mine doesn't let me log in with username or password or any such crap. Also, every bank worth its money these days will use 2-factor authentication, or send a TAN by SMS or something like that. More and more banks will also send you SMS to inform you about every transaction made, so you can stop any abuse immediately.
Banks are among the few who actually take security seriously. They're not perfect, not by far, but they are still among the only commercial entities to use one-time-passwords (those TAN lists) and were among the very first to use 2-factor authentication.
So, to answer your question: What do you need to access my bank account? Nothing you would find on any of the forums, games sites or even my Amazon or iTunes account.
Changing passwords doesn't make them magically more secure.
What do you hope to accomplish? If you have a good reason to change, change. If you don't, you change for prophylaxis, to stop someone who may have been using your account for something. But if you didn't even notice, what's the damage? And if he's a pro, he's also changed the password reset email address, at least on sites that don't send a notice to the old address.
You're doing a lot of effort for - what? If you can't answer that question, don't do it.
You're right on that. If you have an account on some random forum, you should treat the password you use there as if it has already been compromised.
Sorry that I thought that's so obvious it doesn't need to be mentioned.
Because 9 orders of magnitude applied down towards zero would give you 3.
But the population of the US is closer to the zero point than the naive complexity estimate. To give a proper comparison of "we are wrong by relatively this much", you have to scale the offset correspondingly.
No, it wouldn't help.
The problem is techies thinking in techie terms. What would help is getting a normal user into the room and giving him an actual voice in the matter, when the policy is decided. You know, not John from the call center, but Frank the philosophy doctor who's now head of product management.
The point of password complexity requirements has nothing to do with security. It's about the check box some auditor or lawyer needs to check. People assume it leads to security, but only because they see it in a vacuum.
That's consultant bullshit. The legal requirements are nowhere near this specific. It's only consultants that turn them into this nightmare of nonsense. I've worked in IT Compliance (SOX) for years. As long as you can describe why your password policy is good, it doesn't matter what it actually is. The problem is too many people don't invest the time to think a bit and simply take a so-called "best practice" and apply it. In way too many cases without reading to the end and realizing that this "best practice" was published in 1998 and may be a little outdated.
Still waiting for an article (actually, the posts so far also seem devoid) about pass-acronyms. "mhallifwwas" will pwn any brute force, any attack table (well, not any more) and it's a fscking nursery rhyme.
You can wait a long time, because there are too few computer scientists on the intersection of poetry, linguistic analysis and computer security to make that happen. You would need a good estimate of likely sentences used for input and that requires skills far outside the computing sphere.
A statistical analysis will likely reduce the set of probable letter combinations somewhat, but probably not by more than one or two orders of magnitude. An analysis of word-beginning distribution of letters will gain you more. Taking all that into account, my best gut feeling is that you'll end up somewhere in the area of 10^10 in complexity for an 8-character output. Better than passwords (which I've repeatedly estimated at around 10^7) but still not so great and probably much less than you'd expect.
Also, taking into account psychology and the fact that a fairly small set of phrases is much more popular than all the others combined, and that many users will choose a popular phrase instead of a personal one, you would also end up with the "password"-as-my-password problem in that a lot of accounts would have phrases from a list of maybe 1000 popular ones.
Been there, done the math, and I can confirm that the guy is 100% spot on. According to the slides of my last keynote on the subject, it basically goes like this:
We think the complexity of a password made in accordance with a typical password policy (at least 8 letters, at least 2 of them special characters or numbers, mixed upper and lower case) is on the order of 10^16.
What users actually read is more along the lines of "take a word, maybe abbreviate it, add one number and one of the easy-to-type special characters", giving us a complexity in the order of 10^7.
That's not a small difference. That's 9 orders of magnitude. That's like thinking the population of the USA is around 3000 people. That's how far off we are when we think about complexity of passwords in purely cryptanalysis terms, without taking user preferences into account.
What this guy did is really great, I wish I had time to do such a proof-of-concept instead of just speaking about it every time I get an opportunity.
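A worked version of the estimates in the two comments above (the ~10^16 policy space versus the ~10^7 "word plus digit plus special" pattern, and the ~10^10 gut feel for 8-letter pass-acronyms), written as an added Python example that is not part of this thread or anyone's slides. The dictionary size, variant counts, number of "easy" special characters and the word-initial letter percentages are assumed figures chosen to mirror the reasoning, not measured data; the policy keyspace is counted exactly for the stated rules.

```python
"""Order-of-magnitude password-space estimates.

Added example; not from the thread. Every corpus size and frequency figure
below is an assumption chosen to mirror the reasoning in the comments.
"""
from math import comb, log2, log10
from string import ascii_lowercase

# --- 1. The space the policy *appears* to give ---------------------------
# Printable ASCII split into the classes a typical policy talks about.
LOWER, UPPER, DIGIT, SPECIAL = 26, 26, 10, 33


def policy_keyspace(length=8):
    """Number of strings of `length` printable-ASCII characters containing
    at least one lower-case, at least one upper-case and at least two
    digits/specials. Enumerates the class composition (how many characters
    come from each class), so each string is counted exactly once."""
    total = 0
    for lo in range(1, length + 1):
        for up in range(1, length + 1 - lo):
            rest = length - lo - up          # characters drawn from digits+specials
            if rest < 2:
                continue
            placements = comb(length, lo) * comb(length - lo, up)
            total += placements * LOWER**lo * UPPER**up * (DIGIT + SPECIAL)**rest
    return total


# --- 2. The space users *actually* use ----------------------------------
# Assumed: a word list in the tens of thousands, a few capitalisation /
# abbreviation variants per word, one digit and one "easy" special character
# appended in either order ("word1!" or "word!1").
DICTIONARY_WORDS = 20_000
VARIANTS_PER_WORD = 4
EASY_SPECIALS = 8


def user_pattern_space(words=DICTIONARY_WORDS, variants=VARIANTS_PER_WORD,
                       digits=10, specials=EASY_SPECIALS, suffix_orders=2):
    """Size of the 'word + digit + special' pattern space."""
    return words * variants * digits * specials * suffix_orders


def orders_of_magnitude(naive, actual):
    """How many powers of ten the naive estimate overshoots reality by."""
    return log10(naive / actual)


# --- 3. Pass-acronyms: entropy of the word-initial letter distribution -----
# Assumed, rounded English word-initial letter frequencies in percent; the
# exact figures matter less than the skew (t/a/o/i/s dominate).
INITIAL_LETTER_PCT = {
    't': 16.0, 'a': 11.6, 'o': 7.6, 'i': 7.3, 's': 6.7, 'w': 5.5, 'c': 5.2,
    'b': 4.7, 'p': 4.3, 'h': 4.2, 'f': 4.0, 'm': 3.8, 'd': 3.2, 'r': 2.8,
    'e': 2.8, 'l': 2.4, 'n': 2.3, 'g': 1.6, 'u': 1.2, 'v': 0.8, 'y': 0.8,
    'k': 0.6, 'j': 0.5, 'q': 0.2, 'z': 0.03, 'x': 0.02,
}


def entropy_bits(weights):
    """Shannon entropy (bits per symbol) of a weighted symbol distribution."""
    total = sum(weights.values())
    return -sum((w / total) * log2(w / total) for w in weights.values() if w > 0)


def acronym_effective_space(length=8, weights=INITIAL_LETTER_PCT):
    """Effective number of equally likely acronyms of `length` letters:
    2 ** (H * length). Letters are treated as independent, and real
    sentences are more predictable than that, so this is an upper bound."""
    return 2 ** (entropy_bits(weights) * length)


if __name__ == "__main__":
    naive, real = policy_keyspace(), user_pattern_space()
    print(f"policy keyspace      ~ 10^{log10(naive):.1f}")
    print(f"user pattern space   ~ 10^{log10(real):.1f}")
    print(f"overestimate         ~ {orders_of_magnitude(naive, real):.1f} orders of magnitude")
    uniform = {c: 1 for c in ascii_lowercase}
    print(f"uniform letters      {entropy_bits(uniform):.2f} bits/letter")
    print(f"word-initial letters {entropy_bits(INITIAL_LETTER_PCT):.2f} bits/letter")
    print(f"8-letter acronyms    ~ 10^{log10(acronym_effective_space()):.1f}")
```

Running it reproduces the shape of the argument rather than any exact number: the policy space comes out a little under 10^16, the assumed user pattern at roughly 10^7, so the gap is eight to nine orders of magnitude, and the skewed initial-letter distribution drops an 8-letter acronym from 26^8 (about 2×10^11) to the 10^10 range before any sentence-level predictability is taken into account.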
Your first comment is close. Yes, a serious attacker has many better ways than cracking your password. In fact, I've given another speech on this a few months ago where I basically said that we should drop brute-force as a threat scenario from our password strength estimations, because any software that even allows a brute-force attack to be run is fundamentally broken and needs to be discarded.
Same for cracking hashes, btw. If your software does not properly salt and hash, it's broken. It's 2015, not 1995.
Your second comment is totally wrong and one of the reasons we have so many bad passwords. We tell normal human beings to use a different password for each of the 200 or so sites that they have an account on, many of which they use once a year. That's idiotic, and users are telling us we're insane by ignoring it.
I use 3 different passwords for 90% of the accounts I have. One for all the various forums, social sites and other crap that is of absolutely no importance to me and if it gets leaked and you use it to log in as me on one of them, you can post comments in my name - omg, the sky is falling. One is for sites that I have some stakes in, like accounts in online games and such, where you could do some damage in the sense of destroying something that took me time to create (delete my GW2 characters, I'd hate you for it, but no real damage has been done). And one I use for sites where you could do some damage that I could probably reverse, but it would take effort and might cause me real-world inconveniences, such as shopping sites where you could order something in my name and I'd have to go and cancel the order or send it back or whatever.
My PayPal and banking accounts have their own passwords, as do my user accounts, database accounts and such. But for 90% or so of accounts, you don't really need a separate password (and using password managers ties you to them, which is why many people don't do it).
And I'm a security expert giving speeches at conferences about these topics. I'm just not a blind one-trick-pony who knows all about cryptography and nothing about anything else. If you begin to figure in psychology, HCI and other topics as diverse as design and linguistics, a lot of what's wrong with IT security begins to emerge more clearly.
The challenge of miniature devices both for chess analysis and for communication with analysis occurring elsewhere can't be so easily met
Nonsense. The time of naked chess has finally arrived.
You know, just like the TSA will soon make naked flying mandatory.
The Georgian's career is now under a microscope. His two national titles are under suspicion.
Also under suspicion: The intelligence of his opponents in those tournaments, because they apparently didn't notice the most obvious strange behaviour ever.
No, they can't. The law also states a deadline by which they have to answer, and he made sure the deadline is ahead of the exam.