False assumption. The endpoint PC is compromised in way more cases than the middleman router.
Encryption alone buys us nothing. Or wait -- it buys us key management hell.
Perhaps you should read what I was replying to before you start flaming me.
Yes, and that's what we should advocate. Everyone build a secure encrypted network. Ready.....GO!
I was merely replying to the general sentiment here that 'oh noez! the networks are compromised!!!111'
Anyone with half a brain knows that any effective security posture is done with defense in depth on the perimeter along with good endpoint security and user awareness.
As long as my computer and the server I connect to are malware free, asymmetric cryptography (public-private keys) prevents an attacker from eavesdropping on the session.
You don't NEED packet injection, you just need it if you want to break into the network anytime soon. Sitting and listening to normal traffic will eventually get you enough packets to attempt to break it.
For WPA you don't even need packet injection, just deauth a client that is connected, collect their reconnection packets, and then run a dictionary/brute force attack against the handshake.
(4) You're running some sort of extremely mission-critical server where shelling out $2500 a year is chump change compared to the cost of having that thing stay down, and/or telling management "I'm googling how to fix it" might not fly.
The real reason for a support contract is so when your mission critical server shits the bed, the internet isn't providing an answer, and management is breathing down your neck, you have someone to help figure out WTF happened and get it back online.
Plenty of production sites use CentOS; several of my clients do, as does my employer. Search engines plus forums beat a RedHat help desk 99 times out of 100; I've never needed RedHat support.
True, but that one time where the shit really hits the fan and the interweb does not provide you a solution, having that tech support (especially if you shelled out enough for the 24x7 phone tech support) might save your skin. Or at least let you foist blame.
I would always ask management for a Red Hat license over just going with CentOS, so when Armageddon hits the server room I can say "6 months ago when we bought these machines I requested X number of RedHat seats in case something happened, and that was denied."
We run CentOS, which half of the techs that I have talked to have never heard of. They have flatly told me that they are a "Microsoft shop" and they can't help with Linux.
This is kind of the trade off you get when going with CentOS instead of an actual RedHat install, you can't just call tech support if something is broken (and Redhat has pretty damn good tech support).
Or you could just lie to Dell and say you have Redhat installed and see if they will help you figure it out.
Even if you wanted to leave the States - saying "I don't like the government so I want to leave the country" will probably get you put on the Terrorist Watch list, strip-searched at the airport, abused and arrested for an undisclosed period of time.
It's more like Love it or else.
Please, show me one case of where this happened.
Paranoia is all good, but most people hate the government, and the government realizes it. "I hate the government and want to leave to prove it" will get you ignored. "I hate the government and want to blow something up to prove it" will get you attention.
I wasn't challenging the laws of thermodynamics, I was challenging the parent comment "It is currently illegal to resell electricity that you generate using waste".
As for my résumé, I'll spare you the details, but my background is in energy and energy transmission contracts, more specifically natural gas sourced co-generation.
Besides the "illegal" comment from the parent post, the statement "You don't have much incentive to install a way to reprocess that heat" is BS. There are thousands of facilities here in California selling electricity produced from 'waste' heat as a by-product of their primary business. There are incentives for doing this: specifically, decreased natural gas transmission costs for BTUs put back onto the grid in the form of electricity (electricity that they market themselves or sell through marketers). Check out http://www.cpuc.ca.gov/ and search 'cogeneration'. It's a huge industry here in CA and is heavily 'incentive-ised' and subsidized as an alternative to building power plants.
Hi. Welcome to Slashdot. We don't believe in Santa Claus, the Tooth Fairy, good Republicans, or a rational argument.
Cyberwarfare between countries isn't likely to happen until other, cheaper methods of warfare somehow become ineffective.
And how is a $569K cruise missile to destroy a powerplant cheaper than having someone hack into their systems and leave a program behind to brick the whole thing on invasion night?
In America, the votes that really count are whoever has the most lobbyists with the biggest bags of money. We common citizens just can't afford to buy a bunch of congresspeople like the media giants.
More like "We the common citizens don't care enough to get away from our reality TV shows on Election Day."
The *only* way to destroy a democracy from the inside is an apathetic electorate.
I believe a lot of those are insensitive to case, so does that mean that they are stored as text and not as a hash (is hash the right word)? If so, would typing your password in those fields make your password more vulnerable?
You are absolutely correct.
A hash, by definition, is a one-way mathematical algorithm that can take any amount of data and convert it to a fixed-size string. Unless the algorithm has been broken, looking at the hash cannot tell you what the input text was. Breaking a password database involves running a dictionary file through the hash and whatever salt accompanied the program. This is why passwords normally are required to be over a certain length and include numbers and special characters.
HOWEVER, the security question answers are probably encrypted (a two way function) in the database, but any encryption is only as secure as how safe you keep your keys.
So the real question is "How secure are the keys that decrypt the answers to your password reset questions?"
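An added example, not part of any comment above, showing the distinction the answer draws: a salted, slow, one-way hash (PBKDF2 here) versus reversible storage, and that a case-insensitive field does not have to be stored in the clear, because the answer can be normalized (case-folded, whitespace collapsed) before hashing. Function names, the iteration count and the sample answers are this example's own choices, not anything the comment specifies.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional


def normalize_answer(answer: str) -> str:
    """Canonicalize a security-question answer so that comparison is
    case-insensitive without keeping the plaintext: NFKC, casefold,
    collapse runs of whitespace."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_secret(secret: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> dict:
    """One-way, salted, deliberately slow hash. A fresh random salt per record
    means two users with the same answer get different stored values, and a
    dictionary run has to be repeated per record rather than once for the table."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_secret(secret: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def store_answer(answer: str) -> dict:
    # Normalize first, then hash: the field behaves case-insensitively
    # but the database never holds the answer itself.
    return hash_secret(normalize_answer(answer))


def verify_answer(answer: str, record: dict) -> bool:
    return verify_secret(normalize_answer(answer), record)


def unsalted_sha256(secret: str) -> str:
    """The weak variant: no salt, one fast round. Identical inputs produce
    identical outputs, so one precomputed dictionary serves every record."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample answer; not from any real system.
    record = store_answer("Fluffy")
    print("stored record:", record)
    print("verify 'fluffy':", verify_answer("fluffy", record))
    print("verify 'Rex':", verify_answer("Rex", record))
    print("two salted hashes of the same answer differ:",
          store_answer("Fluffy")["hash"] != record["hash"])
    print("two unsalted hashes of the same answer match:",
          unsalted_sha256("Fluffy") == unsalted_sha256("Fluffy"))
```

Whether a site stores reset answers this way or reversibly encrypts them, as the answer above suggests, is something only the operator knows; from the outside, case-insensitive matching alone does not tell you which.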
Of course if I lose my file, I'm screwed, but that's what backups are for.
Store them all in a TrueCrypt volume and email it to yourself in a public email periodically. That way you only have to memorize one strong password, and not worry about losing it.
And even if someone gets into your email, good luck cracking an AES-Twofish-Serpent volume with a 30 character password.
( further reading for the interested http://www.symantec.com/connect/blogs/its-all-about-endpoints )
Are you suggesting we shouldn't have a hearing for it?
All hearings are these days is a convoluted way for politicos to take cheap shots at someone to boost their popularity at home.
It's called TLS/SSL. http://en.wikipedia.org/wiki/Transport_Layer_Security
You run the attack against wireless packets you captured. When it goes from encrypted garbage to normal, unencrypted traffic you know it worked.
By blood or by words if necessary. That is as important as any independence struggle in the history of the universe.
You. Are. High.
Keep in mind how many regular non geek people probably get the net for the following reasons:
1. ebay
2. espn
3. *porn*
Call me a puritan, but most porn is exploitative of women,
Some people want to be exploited ... like factory workers.
...government agencies have big, big pools of informant money.
Citation desperately needed.
Lighten up, Francis....
If you have solar panels there is a situation where you could /possibly/ be producing more energy than you are consuming.
True deregulation combined with the wonder of fiber would be that anyone with enough capital could start laying down lines and start their own ISP.
Sadly, most places have a government encouraged monopoly.
Even if he is right, the reason for Cuccinelli's witch hunt is political.
[citation needed]
Did it ever occur to anyone that maybe this guy is right, even if he is a douchebag?
Fraud for a good cause is still fraud, damnit.
The problem exists between keyboard and chair.
An OS is only as secure as the person who uses it.
Anything else is fanboyism.
I would rather not have someone recording every page I visit, which is what Opera does with its man-in-the-middle-attack-is-a-feature browser.
Like your ISP's DNS server?