Slashdot Mirror


User: Acc7

Acc7's activity in the archive.

Stories: 0
Comments: 6

Comments · 6

  1. Re:Weak Passwords ?? If they know that ...well on Debian Locks Out Developers · · Score: 2, Insightful

    Reply posters,

    Interesting comments (except that one anon creature).. Yes, when one has access to the hashed password files, the test is a lot easier than a wholesale crack.

    And the net is not exactly a place to send anything that one doesn't want sniffed, is it.

    But by leaving us to guess why & how, Debian did leave the door open to speculation on just what they did that opened this vulnerability and what they did to "determine" there were weak passwords. And I was not knocking the Debian code, just the management errors that led to this particular problem.

    And the question about the kernel version is also a valid curiosity, isn't it. btw do they actually know that this was a hack from outside, entirely outside?

    As to credibility, would rather see a good open discussion than waste time with name calling any day.

  2. Re:Weak Passwords ?? If they know that ...well on Debian Locks Out Developers · · Score: 0

    not interesting. So as an amateur you use Debian? Is that it?

    my my my...... why not answer the question?? how after the fact does their "investigation" determine that a password is weak without cracking it, looking in clear text login lists, snooping on their developers as they log on? Point is that they don't know what passwords are if they are properly created & stored securely. But they do know, if they are keeping some kind of an improper record.

    So at best if they knew when the hack happened they might know who was logged in. That would give them a shorter list of passwords to try and crack to find the weak ones. Or if they had that logged in list they might have just called each developer and asked what their passwords were.

    But they didn't have that or they could have just locked out the developers that were logged on at the time.

    my my my my isn't forensics interesting

  3. Weak Passwords ?? If they know that ...well on Debian Locks Out Developers · · Score: 0

    Interesting that Debian seems to know that passwords were "weak". Only 1 poster here seems to have picked up on that curiosity. How do they know after the fact that a password was weak?

    Unless Debian is doing something very stupid like keeping passwords in clear text, hashing passwords reversibly, hashing passwords to their original length, or something else equally amateurish(sp).... Then the vulnerability is in fact in the Debian system, in their management's soul, & they have some pretty bad techs...

    This sounds like a "no excuses" mistake by Debian, that has been followed by an equally damaging admission of their mishandling of passwords. kind of disappointing actually both are very disappointing......

  4. Re:Link to MS recommendations for browsing securit on Dot-com Boom's Biggest Duds, From Flooz to iSmell · · Score: 1

    Here Here !!!! Totally Agree !!!! :)

    But even the MS link above actually wants two JS accesses allowed ??? Strange that Logic and Consistency do not seem to apply very many places, isn't it??

    :(

  5. Waste of time posting JavaScript only links !!##@@ on Dot-com Boom's Biggest Duds, From Flooz to iSmell · · Score: 1, Flamebait

    Zonk, Why would you post a link that requires javascript to get anything other than a blank page??? It just wastes our time !!! ##@@!!!##@@

    Story sounds interesting but are you going to vouch for the link and come over to fix a hacked system?? If not, then either mention the link is script only or don't bother to post it.

    disappointed

  6. YAMSIS Yet Another MicroSoft Inane Solution on Windows Nag Windows to Counter Piracy · · Score: 1

    YAMSIS Yet Another MicroSoft Inane Solution ??YAMSIS submitted to slash-dot but rejected (Cmdr Taco got it in first)

    Brethren of the tech, YAMSIS is among us again. Yet Another MicroSoft Inane Solution
    Once again, instead of implementing repairs to its patch ridden world dominating OS, MS has instituted a sneaky attack on users in the name of "protecting" itself. Hope you don't have Automatic Updates turned on.

    It must be too much to expect them to protect us, fix a few holes, stop monopolizing, or correct the mistakes made by their programmers. {btw has anyone kept track of how many of the "flaws" are related to failures to "validate" inputs? Isn't that something that is taught on the first day in the first hour of programmer school?}

    Hats off to the GRC poster "RETIRED" for bringing attention this last nite, in his/her post Subject: MS Expands Anti-Piracy Program, Reissues Patch in GRC.privacy newsgroup at news.grc.com. And to Cmdr Taco who beat me to the line in posting about this. The reference links=
    http://blog.washingtonpost.com/securityfix/2006/04/microsoft_expands_antipiracy_p.html
    http://www.aviransplace.com/index.php/archives/2006/04/22/microsoft-is-taking-wga-to-the-next-level/
    http://www.aviransplace.com/index.php/archives/2006/04/21/almost-20-of-windows-fail-to-validate-wga/
    http://www.aviransplace.com/index.php/archives/2005/08/19/why-microsoft-introduced-wga-now/

    MS is now sneakily downloading onto users' machines a bit of code that will regularly evaluate whether your Windows is legitimate. To the average "joe or Jane" this may sound OK. But is it really what we paid for when we bought our OS? NO !!!! The last thing we need is another TSR calling home! Why do we need another headache. Now we have to tell users to turn off Automatic updates. Not exactly what we need for the "average home user" is it? And What is next?

    Given that MS thinks that you should buy a new OS every time you replace components in your PC, this is scary. What's next? The possibilities are endless and pretty scary. IF MS can force users or trick them into accepting the "license" for this new "addition" which they only show in that tiny box (bifocals hate that), they can give you anything they want. So heaven help us, let alone the small company tech, who has to replace a motherboard that died. Soon MS will have to give their permission first. At least none of us use this software for anything critical like work, do we?

    Well it's not "no big deal". It is YAMSIS !!!
    Acc7