But again, it goes back to how do we make sure that a dealer backdoor isn't stolen from a dealer and then used to steal cars?
Heh. Heh. Heh.
Your keys are marked with a short numerical code on them. This is often also printed in various places on the car itself. You can go purchase the books (these days, software) which list out the codes according to year, make, model, and code and what bitting goes with each one. You don't need to be a dealer or a certified anything to purchase them, at least where I'm from.
You thought this stuff was actually hard to get? My ribs hurt.. I'm going to go fall over now. It's textbook insecurity through obscurity.
And master-keying a pin tumbler comes with the caveat that you multiply the number of keys which can open a given door. If you use multi-level master keying, you wind up with potentially dozens of key bittings that you didn't intend to allow but will also open such a lock.
Theoretically, we should be able to avoid that problem with a challenge/authentication protocol. Of course, I'm still skeptical of it being implemented well any time in the near future. For now, I'll stick with my crusty old sidebar wafer locks.
Oh yeah, any halfway competent locksmith (not these fly-by-night people) can open most of your physical locks without any real effort. The only reason they're drilling is to save a few minutes. And if we're talking about a car, it's usually faster to use some other sort of opening tool. Heck, my old Subaru, you could bend the window out with your bare hands and shove your whole arm in to unlock the door.
Locks keep honest people honest. They barely slow down a professional.
I'm all for it if it comes with a free bucket of tomatoes for the spectators.
But can we hit 88 MPH first?
We fault them because they design the system expressly to create loopholes that only they can afford to exploit, via legalized bribery and the good ol' boys network.
Stop being an apologist shill. Fuck off. You're never going to be that rich unless you're a sociopath who doesn't mind screwing over everyone in your path.
But how do you keep them from clogging the barrel from all those donuts, let alone them expanding into the lower pressure?
spending their time on actual problems, instead of trite crap
No True Scotsman. Score: 0/10.
Nice No True Scotsman you got going there.
So, you're saying that a totally broken scheme which doesn't rely on the password at all is totally broken? Color me surprised! The solution is to throw out the broken scheme, not to make vague gestures about "doom for anything password protected".
Now. No other options. This shit has gotta stop.
No, they're selling the fab division and keeping the R&D division. They're turning into a design house, like ARM.
Because everyone writes absolutely perfect code, no one ever loses anything, and there are no exploits out there.
When your server gets hacked or sysadmin/DBA gets disgruntled and steals your password database, you'd better hope they're salted with a strong salt, per-user, and hashed with a function like bcrypt or PBKDF2. Your online attack which didn't allow for a brute force attack suddenly turned into an offline attack which does.
You can keep pushing the problem off to other places, but at some point, somewhere down the line, you're going to need a password, even if only to secure your private key for your SSH session for when you lose the token it's stored on. There aren't any magical solutions.
The salt is a public value. You're not hiding it. It's stored in plaintext with each entry of the password DB. It's unique per-user. Its only purpose is to eliminate the generation of one-size-fits-all rainbow tables.
This is not a "tiny extra step".
No password is complex enough to survive a brute-force attack.
Um, that's complete BS. I suggest you replace "No password is" with "Many passwords aren't". Most proofs in cryptography are based on assuming that you can convert a significant fraction of the Universe's resources into an attack on a given password/key. The idea is that the heat death of the Universe would happen sooner than a brute force attack.
The way we decrease the time needed to attack a given algorithm is by finding a flaw in the algorithm which reduces that complexity. A blanket statement that "no password is complex enough to survive a brute-force attack" is ignorant at best. Most attacks aren't true brute force attacks, but attacks which reduce the search space/complexity first, and THEN perform a much more limited brute force attack.
Then you've accomplished essentially the same thing as salting, because you'll need to store the number of times hashed along with the password entry in the database. Why not just make life simple and use something designed for hashing passwords, like bcrypt and a salt?
Frankly, you're overcomplicating things. Complicating your security scheme is a bad idea, like inventing your own crypto. As a hobby, I study cryptography and write crypto code, but I would never use one of my own homebrewed schemes in production or for anything important. The chance of screwing up something non-obvious is far too high.
Stick with the tried and true.
The fact that you would choose to parse it that way shows that you have no idea what you're talking about. The topic at hand is passwords and security. The phrase "offline attack" has a specific meaning within that context. More to the point, only you used the word "offline" all by itself.
You must be trolling. This is an incredible level of stupid or purposeful ignorance. I'm done trying to fix that much stupid.
Again, the phrase "offline attack", which is what the AC used, is NOT the same as the word "offline" used all by itself.
How hard is that to grasp for you? You're here spouting off suggestions for cryptography/security without knowing the most basic terms.
The phrase "offline attack" is not the word "offline". Tough concept, I know. The AC above said "offline attack", not "offline".
You need to shove it, because you have NO IDEA what you're talking about.
No, it doesn't mean what you think it means. It has a specific meaning in relation to security. It has absolutely nothing to do with whether or not a box is connected to a network.
You're showcasing your complete incompetence by talking out of your ass. Just shut up already.
Do you know what an OFFLINE attack is? Hint: it's one where you're NOT sitting at a login prompt.
Wow.. the stupid in this one is strong. Let me explain it: an offline attack is where you have the password database itself and don't need to wait for a login program. You're free to hash things as fast as you like.
Until someone generates a rainbow table for that. More important is to salt passwords individually and use a hash function with a work factor, instead of a hash designed to be run quickly.
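The per-user public salt and stored work factor discussed in the comments above, as an added example that is not part of the original thread. It uses PBKDF2 from Python's standard library; the record layout, the iteration count and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Work factor (assumed value for this example). It is stored in every record,
# so it can be raised later without invalidating existing entries.
ITERATIONS = 200_000


def fast_unsalted(password: str) -> str:
    """The weak baseline: one fast hash, no salt. Equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Build a storable entry: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16)  # unique per user, kept in plaintext next to the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash using the salt and work factor read from the record."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256" or rounds < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def needs_rehash(record: str, target: int = ITERATIONS) -> bool:
    """True if the entry was created with a lower work factor than the current one."""
    return int(record.split("$")[1]) < target


if __name__ == "__main__":
    # Constructed sample data: two users who picked the same password.
    alice, bob = make_record("hunter2"), make_record("hunter2")
    print("unsalted hashes equal:", fast_unsalted("hunter2") == fast_unsalted("hunter2"))
    print("salted records equal: ", alice == bob)
    print("alice verifies:       ", verify("hunter2", alice))
    print("wrong guess verifies: ", verify("hunter3", alice))
    print("old record needs rehash:", needs_rehash(make_record("hunter2", 1000)))
```
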
Random tidbit, though I didn't think of this when I was posting: my username is from Old English (the modern English would be 'wellaway', though it's archaic at best). I found it in the OED during an etymology course years ago and it's stuck around. I often have people ask me if it's Chinese or something. Ah, well...
I think you misunderstood. The concept is called Treble Damages. The GP worded it poorly, so I can see where confusion might have arisen. Essentially, they should have been paid 3x the difference between what they should have made and what they actually did make. So, $8.00-$1.21 = $6.79. Then, multiply that by 3. So, $6.79 * 3 = $20.37/hr for the first 40 hours. Additionally, this doesn't take into account overtime (remember those 120 hour weeks?) which (at least in MA, where I'm from--not CA!) is 1.5x the base rate. However, IIRC, certain states (not sure about CA) have exemptions which allow companies to get away with not paying programmers overtime wages. That figure should also have been tripled (as well as the fine against the company should have been tripled). What it boils down to is that they got screwed left, right, and sideways by both the company they worked for and the courts.
Google is your friend. The Romance languages are those that came from common (everyday/"Vulgar") Latin.
From Wiki:
The five most widely spoken Romance languages by number of native speakers are Spanish (386 million), Portuguese (216 million), French (75 million), Italian (60 million), and Romanian (25 million)
English is not a Romance language (it's derived from Old Low German), but due to many accidents of history, it has accumulated an incredible number of words directly from Romance languages or derived from words in Romance languages (as well as other families of languages).
Hope that helps. You seem to be doing quite well with English! Keep it up. :)
So, I'm not Mr. AC up there, but you seem to be unwilling to read simple English. Let's try this again... (I'm probably feeding a troll, but hey, worth a shot, right?)
You said, "Like, you know, that nasty foreign company Intel?"
They said, "Intel isn't necessarily interested in making the chips that the Gov't wants, or this article would probably not exist."
Then, you replied, "So what do you call Intel?"
They already told you what they call Intel. A company that isn't interested. Yeah, sure, they do large scale chip manufacturing, but if they're NOT INTERESTED in making THOSE SPECIFIC CHIPS, then they might as well not exist for the purposes of this discussion.
Their comment didn't ignore you. You ignored them, not once, but TWICE now (also counting the comment I'm replying to, since you clearly didn't re-read their comment).
I know reading is a lost art, and it's practically sacrilege on Slashdot, but give it a shot sometime.