Reverse NAT and Masquerade Question
Nico Kadel-Garcia (Guest)
PostPosted: Fri Sep 26, 2008 1:02 pm    Post subject: Re: Possible attack?

Tim Greer wrote:
Quote:
Moe Trin wrote:

On Tue, 23 Sep 2008, in the Usenet newsgroup comp.os.linux.security,

....
The sticky-note on the monitor, or on the bottom of the keyboard (or
mouse) had a fairly short life here - we got tagged in a government
security audit many years ago, and there was hell to pay. We _try_ to
help our users by having a regular hand-out that shows ways to create
and remember more difficult passwords - the "n'th letter of the words
of a phrase/song" seems to be tolerable, and a heck of a lot more
secure than the phone number of the bookie, pizza-joint, or what-ever.

Old guy

If you have people using a lot of different passwords each, or several,
want them to remain unique, but be secure, then in an office
environment, I always have complex passwords, but simply have the user
keep them in a PGP encrypted file that they would use their one single
complex, yet easily enough to remember, password for viewing. But, of
course, there are always problems with trying to get an office or
company full of people to remember passwords and store them safely.

Heh. I'm remembering a password based on 'The curious incident of the dog in
the night-time', where the password owner was talking about the book, and
didn't know that it's a famous Sherlock Holmes quote.

Moe Trin (Guest)
PostPosted: Sat Sep 27, 2008 12:58 am    Post subject: Re: Possible attack?

On Thu, 25 Sep 2008, in the Usenet newsgroup comp.os.linux.security, in article
<gDOCk.1757$Pv5.1318@edtnps83>, Unruh wrote:

Quote:
You might want to use my program wgen which generates "words" based
on a dictionary. It takes the dictionary and calculates the occurrence
of the "trigrams" -- combinations of three letters, including a double
init to indicate the beginning of the word.

You demonstrated that in one of the Usenet newsgroups some time ago,
and one of our admins adopted your concept - it's one of the choices
offered on that handout (there are others, including 'intermingling'
letters from two or more words, as in CdAoTg). I don't know that we
can tell what mechanism the individual has chosen to form their
password. The internal (company) auditors have run something similar
to John-the-Ripper to see if st00pid passwords are used anywhere. They
haven't clouded up and crapped all over us, so apparently they're not
having a significant amount of luck guessing passwords.

Quote:
Throw in a few capitals or even punctuation, and you might get that
up to 45 (but it is harder than you think to "throw in random
punctuation").

Someone has done statistics and found that in those situations
"requiring" a capital letter, the result is almost always the first
letter, rarely the second. When punctuation and a digit is required,
the result is usually a password ending in ".1". Users are somewhat
predictable. The problem is quite simple - the password has to be
rememberable - that _USUALLY_ means it has some memory jogger
characteristics. Being pronounceable is one, being formed from some
manipulations of words/phrases/what-ever that are themselves
memorable is another. Unfortunately, it's also true that the most
common passwords are memorable to a user because the components that
make up the password (and more often, the password itself) is
meaningful/related specifically to that user.

Quote:
It is also better to use longer dictionaries (I have one with 400,000
words) as it makes rarer combinations more likely.

[selene ~]$ cat /net/james.webb/downloads/mwords/[0-9u]* | sort -uf | wc -l
602351
[selene ~]$

http://www.dcs.shef.ac.uk/research/ilash/Moby

Old guy
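An added example, not code from the thread or from Unruh's wgen: a trigram "word" generator in the spirit of the one described above (double start marker, next letter sampled by how often it followed the current two letters in the dictionary), a surprisal estimate of how much guessing work a generated word costs an attacker who knows the dictionary and the method, and a checker for the two predictable habits Moe Trin mentions (the required capital is only ever the first letter; the required punctuation and digit get tacked on as ".1"). The word list is a constructed sample standing in for a real dictionary such as the Moby list counted in the post; all names are this example's own.

```python
import math
import random
import re
from collections import Counter, defaultdict

# Constructed sample word list (assumption: stands in for a real dictionary
# such as /usr/share/dict/words or the Moby list counted in the post).
SAMPLE_WORDS = [
    "secure", "password", "linux", "kernel", "network", "audit", "firewall",
    "shadow", "trigram", "phrase", "memory", "barking", "curious", "incident",
    "silver", "blaze", "holmes", "usenet", "broadway", "library",
]

START = "^"  # doubled in front of each word: the "double init" of the post
END = "$"    # marks the end of a word so the chain learns where to stop


def train_trigrams(words):
    """Count, for every two-letter context, which letter follows it.

    Each word is padded to '^^word$', so '^^' -> first letter and
    'xy' -> '$' are learned like any other trigram."""
    counts = defaultdict(Counter)
    for word in words:
        padded = START * 2 + word.lower() + END
        for i in range(len(padded) - 2):
            counts[padded[i:i + 2]][padded[i + 2]] += 1
    return counts


def generate(model, rng, max_len=12):
    """Walk the chain from '^^', sampling each letter in proportion to how
    often it followed the current two-letter context in the dictionary."""
    out = []
    ctx = START * 2
    while len(out) < max_len:
        followers = model[ctx]          # never empty: ctx came from a seen trigram
        letters = list(followers)
        weights = [followers[c] for c in letters]
        nxt = rng.choices(letters, weights)[0]
        if nxt == END:
            break
        out.append(nxt)
        ctx = ctx[1] + nxt
    return "".join(out)


def surprisal_bits(model, word):
    """-log2 P(word) under the model: roughly how many bits of guessing work
    the word costs an attacker who knows the dictionary and the method.
    Returns inf if the model could never have produced the word."""
    padded = START * 2 + word.lower() + END
    bits = 0.0
    for i in range(len(padded) - 2):
        followers = model[padded[i:i + 2]]
        n = followers.get(padded[i + 2], 0)
        if n == 0:
            return math.inf
        bits -= math.log2(n / sum(followers.values()))
    return bits


def demo(seed=None, n=5, words=SAMPLE_WORDS):
    """Generate n candidate words with their surprisal. A seed is only for
    repeatable demos; real password generation should use SystemRandom."""
    model = train_trigrams(words)
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    return [(w, surprisal_bits(model, w)) for w in (generate(model, rng) for _ in range(n))]


TRAILING_PUNCT_DIGIT = re.compile(r"[^\w\s]\d$")


def predictable_mutations(password):
    """Flag the habits the post describes: the required capital is the first
    letter and nothing else, and the required punctuation and digit are
    appended at the end as something like '.1'."""
    findings = []
    if password[:1].isupper() and not any(c.isupper() for c in password[1:]):
        findings.append("capital only at position 1")
    if TRAILING_PUNCT_DIGIT.search(password):
        findings.append("trailing punctuation+digit (e.g. '.1')")
    return findings


if __name__ == "__main__":
    for w, bits in demo():
        print(f"{w:14s} {bits:5.1f} bits")
    print(predictable_mutations("Secure.1"))
```

The surprisal figure is only as good as the dictionary behind the model: with a 600,000-word list the per-letter choices are far richer than with this twenty-word sample, which is exactly the point Unruh makes about longer dictionaries.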

Moe Trin (Guest)
PostPosted: Sat Sep 27, 2008 1:01 am    Post subject: Re: Possible attack?

On Fri, 26 Sep 2008, in the Usenet newsgroup comp.os.linux.security, in article
<48DC9722.7080007@gmail.com>, Nico Kadel-Garcia wrote:

Quote:
Tim Greer wrote:

Moe Trin wrote:

We _try_ to help our users by having a regular hand-out that shows
ways to create and remember more difficult passwords - the "n'th
letter of the words of a phrase/song" seems to be tolerable, and a
heck of a lot more secure than the phone number of the bookie,
pizza-joint, or what-ever.

If you have people using a lot of different passwords each, or
several, want them to remain unique, but be secure, then in an
office environment, I always have complex passwords, but simply have
the user keep them in a PGP encrypted file that they would use their
one single complex, yet easily enough to remember, password for
viewing.

We do suggest this, but primarily that's for "home" use. We use a
central authentication scheme, so (for example) I have to remember
four usernames (the normal one, plus three "role" usernames), and
four authentication tokens. I'm using the "n'th letter of words"
style, with recent passwords derived from pre-WW2 Broadway show, movie,
and period songs - hey, it's something _I_ can remember ;-)

Quote:
But, of course, there are always problems with trying to get an
office or company full of people to remember passwords and store them
safely.

especially when people can't see a (direct) reason for all this
hassle. How soon people forget the (windoze) "Deloader" worm.

Quote:
Heh. I'm remembering a password based on 'The curious incident of the
dog in the night-time', where the password owner was talking about
the book, and didn't know that it's a famous Sherlock Holmes quote.

"Sherlock" who??? ;-) I can't even _remember_ when I read that...
and only vaguely remember the clue Holmes was talking about... wasn't
that the fact that the dog didn't bark, and Holmes inferred that it
was the dog's owner or something... Lessee, that was "Silver Blaze"
according to the local library search engine. A quick search in their
on-line catalog says that the book ("The memoirs of Sherlock Holmes")
is currently checked in at the main library down-town... and I also own
a copy, but it's hidden somewhere in my sister's house on the other
side of the continent.

Old guy

Nico Kadel-Garcia (Guest)
PostPosted: Sat Sep 27, 2008 6:08 am    Post subject: Re: Possible attack?

Moe Trin wrote:
Quote:
On Fri, 26 Sep 2008, in the Usenet newsgroup comp.os.linux.security, in article
<48DC9722.7080007@gmail.com>, Nico Kadel-Garcia wrote:

Heh. I'm remembering a password based on 'The curious incident of the
dog in the night-time', where the password owner was talking about
the book, and didn't know that it's a famous Sherlock Holmes quote.

"Sherlock" who??? ;-) I can't even _remember_ when I read that...
and only vaguely remember the clue Holmes was talking about... wasn't
that the fact that the dog didn't bark, and Holmes inferred that it
was the dog's owner or something... Lessee, that was "Silver Blaze"
according to the local library search engine. A quick search in their
on-line catalog says that the book ("The memoirs of Sherlock Holmes")
is currently checked in at the main library down-town... and I also own
a copy, but it's hidden somewhere in my sister's house on the other
side of the continent.

It's also a famous quote, famous enough to name a book title for it, that is
an excellent tool in investigating security incidents. I consider it,
therefore, a relevant quote for this newsgroup. The idea that the systems
didn't hiccup when interfered with, and that it was therefore an inside job,
has stood me in good stead over the years.
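An added example, not code from the thread, of the "dog that didn't bark" heuristic Nico describes turned into a triage check over logs. Every sensitive-file change reported by a file integrity monitor should be accompanied by the noise a normal, logged change path leaves behind: a sudo record, within a few minutes, of a tool that edits that file. Silence is the finding, and it points either at someone with direct root access who needed no noisy path or at a record that was suppressed. The log formats, the file-to-tool table, and the log lines are constructed for this example.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed records (syslog-like; the exact formats are assumptions).
FIM_EVENTS = """\
2008-09-26T01:03:05 fim: MODIFIED /etc/shadow
2008-09-26T03:15:40 fim: MODIFIED /etc/sudoers
2008-09-26T04:00:01 fim: MODIFIED /etc/passwd
"""

SUDO_LOG = """\
2008-09-26T01:02:58 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/shadow
2008-09-26T03:59:50 sudo: bob : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd carol
"""

# Tools whose normal, logged use explains a change to each file (assumed list).
EXPECTED_TOOLS = {
    "/etc/passwd": {"useradd", "usermod", "userdel", "vipw", "chfn", "chsh"},
    "/etc/shadow": {"useradd", "usermod", "userdel", "passwd", "chage", "vipw"},
    "/etc/sudoers": {"visudo"},
}

FIM_RE = re.compile(r"^(\S+) fim: MODIFIED (\S+)$")
SUDO_RE = re.compile(r"^(\S+) sudo: (\S+) : .*COMMAND=(\S+)(.*)$")


def parse_fim(text):
    """Yield (timestamp, path) for each MODIFIED line."""
    for line in text.splitlines():
        m = FIM_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2)


def parse_sudo(text):
    """Yield (timestamp, user, program basename, full command line)."""
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            ts, user, prog, args = m.groups()
            yield (datetime.fromisoformat(ts), user,
                   os.path.basename(prog), (prog + args).strip())


def silent_changes(fim_text, sudo_text, window=timedelta(minutes=5)):
    """Return [(timestamp, path)] for changes that no sudo entry in the
    preceding window accounts for. A change is corroborated when a sudo
    command line names the file or runs a tool expected to edit it."""
    sudo = list(parse_sudo(sudo_text))
    findings = []
    for ts, path in parse_fim(fim_text):
        tools = EXPECTED_TOOLS.get(path, set())
        corroborated = any(
            ts - window <= sts <= ts and (path in cmdline or prog in tools)
            for sts, _user, prog, cmdline in sudo
        )
        if not corroborated:
            findings.append((ts.isoformat(), path))
    return findings


if __name__ == "__main__":
    for ts, path in silent_changes(FIM_EVENTS, SUDO_LOG):
        print(f"{ts} {path}: modified with no corroborating sudo record")
```

Run against the constructed data, the /etc/shadow and /etc/passwd changes are explained by the vi and useradd records, while the /etc/sudoers change has no bark at all and is the one to pull the shell history and auth logs for.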

Cork Soaker (Guest)
PostPosted: Thu Dec 04, 2008 8:34 am    Post subject: Re:

Good Soldier Schweik wrote:

Quote:
Or the Internet worm, written by Robert Morris and released on 2 Nov
88 that brought the Internet to a stop for several days and ran on
Unix.

Given Linux is simply a clone of Unix it is doubtful that it is
inherently immune to virus attacks and as open licence software
becomes more common the level of Linux virus will attain a parity with
Windows.

Was there any need to secure Unix in 1988 in a way that parallels
security requirements for Linux today?

I think a lot has changed in twenty years!

Christopher Hunter (Guest)
PostPosted: Thu Dec 04, 2008 2:41 pm    Post subject: Re:

Cork Soaker wrote:

Quote:
Given Linux is simply a clone of Unix it is doubtful that it is
inherently immune to virus attacks and as open licence software
becomes more common the level of Linux virus will attain a parity with
Windows.

Was there any need to secure Unix in 1988 in a way that parallels
security requirements for Linux today?

I think a lot has changed in twenty years!

It's an "apples and oranges" comparison. Linux, Unix, BSD and Solaris all
have a permissions structure that prevents virus attacks on all but the
current user's data - there have not been /any/ successful "elevation of
privilege" attacks and /none/ at system level. The ancient attacks on Unix
machines were rendered ineffective by patches as soon as they were discovered
(wholly unlike "patch Tuesday"), and modern versions of these operating
systems employ "best practice" in security design.

With Windows, where the vast majority of users have administrative rights (by
default), attacks at system level are commonplace. The lack of sensible
demarcation between processes, the use of a centralised Registry, and a whole
series of stupid choices (made in the pursuit of "ease of use") render it
open to trivially simple attacks.

C.

Nico Kadel-Garcia (Guest)
PostPosted: Fri Dec 05, 2008 5:57 am    Post subject: Re:

Cork Soaker wrote:
Quote:
Good Soldier Schweik wrote:

Or the Internet worm, written by Robert Morris and released on 2 Nov
88 that brought the Internet to a stop for several days and ran on
Unix.

Given Linux is simply a clone of Unix it is doubtful that it is
inherently immune to virus attacks and as open licence software
becomes more common the level of Linux virus will attain a parity with
Windows.

Was there any need to secure Unix in 1988 in a way that parallels
security requirements for Linux today?

I think a lot has changed in twenty years!

Heh. Heh-heh-heh. BWA-HA-HA-HA!!!!!

I'm sorry, but I got hit by the Morris worm in 1988. It was one of my first
security messes to deal with, *after* I'd been specifically blocked from doing
security updates to our core servers by an internal policy of "don't patch
what isn't broken".

Some things remain an issue: password security, system software updates being
rigorously applied, running only those services you absolutely need exposed to
the Internet at large, not opening your internal systems wide "because they're
inside our firewall and we trust the people we work with", etc., etc., all
remain valid concerns. And given that some idiots still run their external
systems using unencrypted protocols like telnet, many of the technical issues
remain in force.

All times are GMT