Yeah, that's entirely your IT department and not Exchange or Outlook at all. For saved e-mails, you can consider using Outlook's Archiving feature perhaps. What it does is take the files off the server (they won't be available in webmail or backed up on the server anymore though) and store them locally on your desktop's copy of Outlook. This is what I do for my long term archiving at work.
As an owner of all the consoles, the PS3 has superior hardware, the 360 has superior software, and the exclusive games for each make the real personal difference for most people I know. Most console gamers seem to prefer the 360, whereas most PC gamers that switch over seem to prefer the PS3 for the raw power. Sony's treatment of customers is very rapidly moving me towards avoiding them for some things, but in some cases they also do make very nice products that they don't abuse their customers over (I'm thinking of my Sony A/V receiver, my various Sony burners and my Bravia. I got all at unbeatable prices and very good quality.) That said, I have moved away from console gaming as a whole and back towards PC gaming due to many of these issues. The cost is higher, but for me cost isn't really much of an issue since I also do A/V and graphics work that needs the same kind of hardware.
Except that you are able to play offline with any of Valve's games that I know of. Sure you have to connect on occasion, but that really isn't super unreasonable as long as they provide unlocked copies if they ever have to shut down the auth server.
Sounds like your Outlook isn't set up properly. You should not be needing to go to a website to change your password and while it is not the same as Groupwise, many of the changes are for the better once you get used to them. This is coming from a former Netware/Groupwise admin who now adores Windows Server/Exchange.
While a lot of the article seemed pretty fluffy and paranoid, I do think there is a lot to be said about simplicity vs control. The growing trend with systems like iOS and even Android to a lesser extent is to give control over to a manufacturer to do what is in your best interest. People give up the ability to know what their device is doing in order to have a simpler experience. I do think simplification of technology is critical to mass acceptance, but I don't think that getting rid of the ability to access (and change) the details is ever in the best interest of consumers.
As far as the common sense, technology just makes the failures more spectacular. People haven't changed and aren't changing. Instead of failing to use common sense and making stupid mistakes, people fail to use common sense, think they are doing ok because of technology and do the same thing they would have done anyway, just technology lets more people know about it when it happens.
Are we talking about the same government?
Actually, there is demand for people with the jobs and no supply. That doesn't mean that they will pay substantially more for the jobs. If there was demand for an education in those fields, then there would not be a demand for workers in those fields. If universities want the programs to continue then they should drop costs rather than raise them and if they don't, the poster is exactly correct that it will kill their departments in the long term.
The FBI actually pays pretty well. Most agents make $80k within 3 years if they do well and the upward limits can get over $130,000. The hours kind of suck (50 hours a week) but the retirement is insanely good.
Yeah, agreed. That's why I really want to know if and how they were hashed. I'm trying to figure out the personal impact on me here and if I should be almost able to ignore it other than asking for a new CC number or if I should be freaking out that I need to change my password on any other accounts that shared that password or security questions.
Yes, I'm familiar with dictionary attacks and mentioned them in my previous post. You are also correct that it is possible to brute force an individual password, but it would be time consuming and expensive to do it if it is immune to dictionary attacks and properly salted. It is very much computationally feasible to run all the permutations for one, but it becomes increasingly less computationally feasible to do it on a large scale. Say you can crack a properly salted hash in an hour that isn't dictionary crackable. Now multiply that by 77 million. I don't really need to worry about my password being cracked any time soon even if they can do it one per minute.
In that sense, the Band-Aid example wouldn't stand up either though, as it is a bandage for first aid. (Band)(Aid). It is perhaps a half step removed from app store, true, but it is pretty close. That said, I agree that App Store should not be trademarkable, but I'm not sure that it isn't legally trademarkable.
It does take a different way of thinking but is nice once you have it working. I do some consulting work with it and it is one of the better platforms I've found to work on, but only after really learning the ins and outs of it.
It is safest to assume everything is plaintext, yes, but it is also not accurate to say that hashing makes no difference. Proper hashing combined with proper password selection is still pretty secure at least outside a directed attack at you personally.
Except in a breach like this, they change the salt for the algorithm, invalidating all existing hashes. The only real possible problem with a breach like this and passwords is that the passwords would be usable on non-breached sites. Good hashing practice and non-dictionary passwords is pretty strong mitigation even with existing hash vulnerabilities.
According to some of the posts I read, they did e-mail affected users. I'm hoping this means I'm not affected since I didn't get an e-mail. I'll probably call them later to see if they can verify.
Yes and no. I agree that for the average user, assuming the worst is good, but for someone like me who takes precautions to make sure my passwords will hash securely, I'm comfortable not changing non-financial passwords in the event of a disclosure as long as they were hashed. It's a very significant and important distinction for those of us who take carefully controlling our security seriously but don't obsess over having it take over the usability side (i.e., change every password every time any possible breach may or may not have occurred on every account regardless of sensitivity).
Over the phone is simple, don't display it to the rep. Have the rep enter the answer same as the client would.
Why can't you use two different hashes, and use one hash which is never seen by the outside world as your mutual shared key?
Your in-the-clear example seems flawed though. All you really need is a shared secret in addition to the hash value. This could be accomplished with two different hash algorithms being used, one for the actual transmission and one for the signing. The client would still know both the shared key and be able to generate the matching hash for the actual hash storage of the password. The server would have the shared key hash stored and also have the password hash to validate. This way a storage breach gives nothing and yet you still have the advantages of both systems.
It really isn't though. If hashed, great, they have a hash of my password. There are many, many possible combinations that could map to my password. There are existing attacks to quickly find A value that will match the hash, but not actually the original password. (At least not unless I missed some breakthrough in the last 2 years or your password is weak to dictionary attacks.) For example, my password 123 hashes to abc. The attacker obtains abc and determines that 098 also hashes to abc. However, since site B uses a different seed in their hash, 123 hashes to def for them and 098 hashes to xde, so no match is found and the login is safe. The hash issues I'm aware of are only an issue when the compromise is unknown and done by a man-in-the-middle. (i.e., I intercept your traffic and your password was hashed at the client side and sent clear. In this case I could generate my own hash to match yours. It is also an issue in situations like a signature on a download where I can modify the file but still have it match the signature.)
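The per-site "seed" (salt) argument in the comment above, and the earlier point that a properly salted, slow hash makes each guess expensive, can be shown concretely. The following is an added example, not code from any commenter or from the breached site; it uses PBKDF2-HMAC-SHA256 from Python's standard library as the slow, salted hash, with an iteration count chosen here for illustration (real deployments tune it higher). It shows that the same password stored at two sites yields two unrelated hashes, that a stored record is only checkable by recomputing the whole slow function per candidate, and how a constructed wordlist audit of one's own record counts those evaluations.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Work factor for the slow hash. Constructed value for the example; production
# settings are chosen by benchmarking, and are usually higher.
ITERATIONS = 100_000
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Build the credential record a site would store: random per-user salt + PBKDF2 hash.

    A fresh random salt is the "different seed" each site uses, so identical
    passwords at two sites never produce identical stored hashes.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: Dict[str, bytes], candidate: str) -> bool:
    """Check a candidate password against a stored record in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])


def hashes_differ_across_sites(password: str) -> bool:
    """Same password, two sites, two independent salts: stored hashes differ."""
    site_a = make_record(password)
    site_b = make_record(password)
    return site_a["hash"] != site_b["hash"]


def guesses_until_found(record: Dict[str, bytes], wordlist: Iterable[str]) -> Optional[int]:
    """Audit one record against a wordlist; return the number of slow-hash evaluations
    needed to hit the password, or None if it is not in the list.

    Every candidate costs a full PBKDF2 run with this record's salt, which is why
    the per-guess cost multiplies across a large breach rather than amortising.
    """
    for count, candidate in enumerate(wordlist, start=1):
        if verify(record, candidate):
            return count
    return None


if __name__ == "__main__":
    pw = "s3cr3t-pass"  # constructed sample password
    print("different hashes at two sites:", hashes_differ_across_sites(pw))
    rec = make_record(pw)
    # Constructed wordlist standing in for a dictionary attack's input.
    print("guesses needed:", guesses_until_found(rec, ["password", "123456", pw]))
    print("not in list:", guesses_until_found(rec, ["password", "123456"]))
```

Note that a second preimage found for site A's record (the comment's "098 also hashes to abc") is only a collision under site A's salt; it is never submitted to `verify` at site B with B's salt and so fails there, exactly as the comment describes.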
Someone can correct me if I'm wrong, but I'm not aware of any technique to get an actual true password out of a one way hash.
If wide paper is your concern, printers with legal size paper or continuous paper plotters work wonders. You are right that dot matrix isn't going away for a long time due to the carbon copy capability of impact printing though.
Or if they did, it could be blamed on bad OCR.
In fairness, the tools wouldn't be replaced if the new tools were not better at doing the job. My question would be, in the case of a sociopath, do conditions exist that need to be broken down though? Immersive media does wonders for allowing someone to build up tolerances to a situation they find uncomfortable (e.g., soldiers being able to kill other people because it is necessary for their job), but it does not remove it. The need to protect is higher than the need to not kill, but it is still a barrier that has to be overcome, even with desensitization. If this is true, then how can the same thing push someone to do something without the justification unless they a) didn't have anything to be desensitized to or b) had a warped sense of justification that would have gotten there anyway?
I think you completely missed the point of why most people don't upgrade from XP. Consumers don't care because it works fine for them on their existing hardware and they will get an update when they get a new computer, but since new computers aren't necessary very often anymore, you don't see OS replacement often either. For corporations/business, it is all about product and infrastructure compatibility. Microsoft did something different with Vista and 7 and did away with a lot of the cruft that had built up in XP, but the problem with that is that a lot of (bad) critical infrastructure depends on that. It takes time and money to replace that infrastructure, so businesses stay on XP. Swapping to a platform like Apple or Linux would only compound that problem further. I say this as a software developer working on my XP box at a company that still has DOS apps that won't run right under Vista or 7 as part of our critical infrastructure. My previous job was a similar situation and many people I know also work in similar situations. We're working on replacing it, but it takes time (years) and money (millions of dollars) to do since it is basically rebuilding business systems from the ground up.
I think that the quality of the entertainment is a measure too though. I may be able to kill a couple hours with a stupid $1 app store game, but it isn't something I'll look forward to or remember or probably ever want to come back and play again. It's just something to kill time when I would otherwise be bored. Major game titles, on the other hand, I look forward to for months (on some titles), truly enjoy playing, would actively take time to play and will likely come back and play multiple times in the future.
The movie to TV comparison was a really good one, but I'd compare it to a well written, well produced blockbuster film vs a cheap television soap opera. Sure, if you have time to kill and nothing better to do, the soap may entertain to pass the time, but it's not exactly quality entertainment and really is not comparable in the slightest.