

Messages - f0dder

76
Living Room / Re: Password Managers ... vs. Not
« on: June 06, 2017, 10:21 AM »
Of course the above is simplistic, and you can do things like uppercasing and other character manipulations - but an extended alphabet will always require (quiiiite a bit) more effort for a string of the same length.
I'm sure that technically you have foundation for your argument(s).  But people live day to day fine with getting home from work and using a house key to get into their house/condo/apartment.  It does not stress them that a guy with a couple of battery powered drills can drill out the front door lock in about 30 seconds if he has practiced the procedure.  But the owner/renter can get in his own place in the most likely event terrorists are not waiting inside.
I'm sorry, but that is a silly attempt at an analogy.

Getting your credentials leaked is a very real risk - just look at the monster breaches various big sites have had over the last few years. You really should consider your password hashes to have been breached, and better hope you haven't used any sites negligent enough to use weak hashing (or no hashing at all, or reversible encryption instead of hashing).

So you need to pick your passphrases under the assumption that it will be suffering an offline attack.

There's a balance point past which the customer exists to serve the service instead of the other way around.  We have already tipped the scales in many areas.
Password hygiene has nothing to do with "customer serving the service", but you're right that there's a balance - that balance is between how much effort you put into securing credentials for Site X vs. how much it would hurt if that set of credentials are breached.

For most people, getting Facebook or their primary email account taken over can lead to a lot of hurt.

Using a password manager to have unique, strong passwords per-site really isn't much of a hassle. Adding 2-factor authentication is a minor annoyance, but it's worth doing for "primary" accounts like mail, Facebook, GitHub and the likes.

77
Living Room / Re: Password Managers ... vs. Not
« on: June 06, 2017, 02:44 AM »
My point was that although passwords that are made of actual words were more vulnerable than those "secure" generated ones, if you do not limit the number of attempts at cracking them then nothing is secure.  Also the same thing applies to hijacking the encrypted database.  If the brute force method can be applied offline then just because the passwords have no vowels and some numbers and symbols sprinkled in that will not long delay the cracking.
That is wrong, though - and it all comes down to the number of guesses you have to make.

Assuming a dictionary of ~171k English words and stringing five of them together (one more word than XKCD's Correct Horse Battery Staple) gives 171000^5 permutations. I don't know what the average word length is, but let's be (very) generous to the string-words-together method and compare to a 20-character random string of base64 alphabet - which gives 64^20 permutations. That's 9.091.152.181 times as many password attempts.

Of course the above is simplistic, and you can do things like uppercasing and other character manipulations - but an extended alphabet will always require (quiiiite a bit) more effort for a string of the same length.

Seems to me setting delays on IPs and domains generating invalid logon attempts would be more secure.
False dilemma - using secure passphrases doesn't remove rate limiting. And while rate limiting definitely should be implemented, it only protects against remote bruteforcing of the lamest of lame passwords. Strong passwords guard against offline attacks.
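Added example, not part of the thread: a short Python script that carries out the keyspace comparison from the post above (171k-word dictionary, five words, versus 20 characters from a 64-symbol alphabet) and ties it to the offline-attack point from post 76, where the cost per guess depends on how the site hashed the password. The dictionary size and alphabets are the post's own numbers; the two guess rates are constructed assumptions, not measurements.

```python
import math

# Parameters from the post: ~171k-word dictionary, five words,
# versus a 20-character string drawn from a 64-symbol alphabet.
DICTIONARY_WORDS = 171_000
PASSPHRASE_WORDS = 5
RANDOM_ALPHABET = 64
RANDOM_LENGTH = 20

# Constructed guess rates (assumptions, not measurements): an unsalted fast
# hash can be attacked at GPU speed; a tuned password KDF slows every guess.
FAST_HASH_GUESSES_PER_SEC = 10 ** 10
SLOW_KDF_GUESSES_PER_SEC = 10 ** 4
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely secrets of `length` symbols from `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy in bits, assuming every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def keyspace_ratio(space_a: int, space_b: int) -> int:
    """How many times larger space_a is than space_b (integer division)."""
    return space_a // space_b


def years_to_exhaust(space: int, guesses_per_sec: float) -> float:
    """Worst-case years needed to try every secret at a given offline guess rate."""
    return space / guesses_per_sec / SECONDS_PER_YEAR


def compare() -> dict:
    """Put the post's two schemes side by side under an offline attack."""
    words = keyspace(DICTIONARY_WORDS, PASSPHRASE_WORDS)
    rand = keyspace(RANDOM_ALPHABET, RANDOM_LENGTH)
    return {
        "passphrase_bits": entropy_bits(DICTIONARY_WORDS, PASSPHRASE_WORDS),
        "random_bits": entropy_bits(RANDOM_ALPHABET, RANDOM_LENGTH),
        "ratio": keyspace_ratio(rand, words),
        "passphrase_years_fast_hash": years_to_exhaust(words, FAST_HASH_GUESSES_PER_SEC),
        "passphrase_years_slow_kdf": years_to_exhaust(words, SLOW_KDF_GUESSES_PER_SEC),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        if isinstance(value, float):
            print(f"{name:>28}: {value:,.2f}")
        else:
            print(f"{name:>28}: {value:,}")
```

The entropy figures assume words and characters are picked uniformly at random, which is what a password manager does; human-chosen words cluster around common vocabulary, so a real passphrase is worth fewer bits than the formula gives. The two time estimates show the other lever the thread mentions: the same passphrase costs an attacker a million times more when the site used a slow KDF than when it used a fast unsalted hash.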

78
For video encoding, if you're not worried about temperature, just setting the encoder process to a low priority should still keep the machine usable, though.

79
Living Room / Re: Password Managers ... vs. Not
« on: June 05, 2017, 11:02 AM »
Plain bruteforcing has to search a much bigger keyspace than a smart dictionary-based attack.
See your previous comment about offline attack modes.
I'm not sure what you're trying to say here? I thought you were wondering why "unmemorable passwords" were any better?

80
I'm usually wearing pants at work, though...
Usually?  ;D
There was this one time when a co-worker finger-gun-pointed at me and said "hands up or pants down", which I obviously couldn't let go uncontested.

81
My point above being: A security flaw opening a webcam while I am sitting in a cubicle is way different than if I am sitting at home (may be that's just me though)
Nah, I think they're the same.
I'm usually wearing pants at work, though...

82
Curt, how would a "download files to centralized location and let you download from there later" kind of service allow you to get an ebook for free?  :huh:

83
I'm more interested in arguments for limiting a process in using the available cpu power. Do you buy a car with hundreds of hp, just to keep the hand-brake on all the time to get a slower acceleration?
I guess it could be useful in a few scenarios for keeping the thermal output lower - like if you have a long-running job on your laptop that you don't need finished as fast as possible, and would rather not get it running blisteringly hot?

84
General Software Discussion / Re: Record whatsapp calls software
« on: June 04, 2017, 09:39 AM »
Keep in mind that this is a somewhat dodgy thing to be doing, so appstores are pretty sure to be full of pretty dodgy applications claiming to be able to do it.

85
Living Room / Re: Password Managers ... vs. Not
« on: June 04, 2017, 09:37 AM »
1) Why is the server allowing thousands of attempts on your account so that the entire dictionary is traversed until a successful hit is achieved?
Rate-limiting the service doesn't help if hackers are able to exploit servers and snatch the entire (encrypted) database and do offline attacks.

2) What is to stop the dictionary attackers from just using permutations of numbers and letters just like the unmemorable password generators produce?  If the server is going to allow thousands of logon attempts to the same account why not just brute force it?
Plain bruteforcing has to search a much bigger keyspace than a smart dictionary-based attack.

Lately there seems to be a tendency to make using the internet and computers generally nearly more of a pain in the ass than it is worth.  Especially with phone logon it is a real pita to have to fat finger passwords with mixed case letters plus numbers and funky symbols.  It just seems like it is getting to the point where everyone can get into my account but me.
Your definition of worth is probably different from other people's. Getting key email accounts breached could be enough to cause severe financial harm for some companies, or even death for individuals.

Proper 2-factor authentication is one of the most effective ways to stay safe even in the face of password breaches. I'm pretty happy about services that offer YubiKey (or other FIDO device) with Google Auth (or other TOTP app) as backup.
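Added example, not from the thread: the TOTP backup factor mentioned above, implemented in Python as RFC 6238 time-based codes over RFC 4226 HOTP, with the server-side check a practitioner wants: a small clock-drift window and rejection of a code that has already been accepted. The secret is the RFC 6238 test-vector secret so the outputs can be checked against the RFC; the window size is an assumption.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890"),
# used so the outputs are checkable. Real deployments generate a random secret
# per user and protect it like a password hash.
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps exchange secrets as base32, often unpadded and spaced."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server-side check: accept a code within +/- window steps, and never twice."""

    def __init__(self, secret: bytes, window: int = 1,
                 step: int = STEP_SECONDS, digits: int = DIGITS):
        self.secret = secret
        self.window = window  # assumption: one step of drift either way
        self.step = step
        self.digits = digits
        self.last_accepted_counter = -1  # highest time step already consumed

    def verify(self, code: str, unix_time: float) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        now_counter = int(unix_time) // self.step
        for counter in range(now_counter - self.window, now_counter + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue  # replay protection: this step already produced an accepted code
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("current code for the test secret:", totp(TEST_SECRET, time.time()))
```

The comparison uses `hmac.compare_digest` so the check does not leak which digits matched, and the verifier remembers the highest accepted step so a captured code cannot be reused within the drift window. Widening the window makes phone-clock drift less annoying but also gives an intercepted code a longer useful life, which is the trade-off to set deliberately.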

86
I would have thought UTF-8 subtitles and buffer overruns leading to code execution - specifically mentioning .zip downloads makes me think otherwise.

It could be several different bugs in different players - it could be absolute paths in zip files? - it could be one or more bugs in one or more common subtitle handling libraries.

Interesting! :)

87
Living Room / Re: [Breaking News] Cyber Attack cripples UK NHS.
« on: May 27, 2017, 09:28 AM »
"The same" or "a similarly bad and wormable" security hole?

89
Living Room / Re: [Breaking News] Cyber Attack cripples UK NHS.
« on: May 18, 2017, 02:28 AM »
A toothbrush is a product, and electricity produced by a nuclear power plant is a product, but the latter produces nuclear waste as a side-effect that will be causing a headache for our progeny for tens of thousands of years. So you can't just leave it up to the companies or the markets.
The comparison of the current situation to nuclear powerplants is... bordering crazy.

Let's reiterate:
  • XP has had longer general support than most Long-Time-Support OS versions.
  • Product roadmap has been available for ages, EOL is no surprise to anyone.
  • "Special Snowflake" support has been available at a very reasonable pricetag.
  • For "can't upgrade" scenarios, third-party (irresponsible!) vendors are responsible.
  • Mitigations are available for "can't upgrade" scenarios, and there's been plenty of time to implement them.

And it's not unreasonable that the security patch wasn't initially released to the general public - XP is EOL, after all. And there's an insane amount of testing needed before releasing a GA patch - can you imagine the outcry if Microsoft released a patch that broke people's systems?

90
Living Room / Re: [Breaking News] Cyber Attack cripples UK NHS.
« on: May 15, 2017, 02:24 AM »
It isn't malware research - they actually produced the malware that was used by the hackers. As far as I am aware they weren't reporting the security issue to MS but rather keeping it quiet so that they could illegally exploit it themselves.
-Carol Haynes (May 14, 2017, 08:18 PM)
Oh, but it *is* malware research - and weaponization of the bugs found. And that's fine, really, it's part of what a national security agency should be doing. We're a lot better off with this model than having intentional backdoors inserted by government agencies.

Of course it's bloody bad that agencies have had their malware treasure troves robbed and leaked by bad actors, but there's no guarantee that the exploits wouldn't have been found by somebody else. You can be sure that the cybercriminals have people hunting for 0days.

Your "govt must have access to everybody's data" worries are something I share, but it's a different issue from TLAs hunting for bugs and weaponizing them.

91
Living Room / Re: [Breaking News] Cyber Attack cripples UK NHS.
« on: May 14, 2017, 11:12 AM »
If you have a product (e.g. Win XP) that has fundamentally changed the world and the world in its current form still relies on it to function, then you (MS) can't just decide for commercial reasons to entirely abandon it (and the world). I mean you can, but it is not right and it will have consequences, including commercial ones.
I quite disagree.
Windows XP is 15+ years old, has had a way longer support lifetime than you get for LTS versions of other software, and there's been a very clearly planned and communicated timeline for support EOL. Now, it would be interesting if some product liability (within a limited timeframe) was introduced - Poul-Henning Kamp of FreeBSD fame has some thoughts on this that are worth reading, but for a product as antiquated as WinXP, it really is the fault of the victims for not upgrading.

As I've said, and Stoic Joker confirmed, there's good reasons why some equipment is not upgraded, and it's not easy to secure those machines - but it's not impossible, either. Virtualization, network segregation, proper backups, etc... and obviously a lot of the photos we've seen the last couple of days show pwned machines where there really aren't any good excuses for not having patched.

Anyway, the bugs exploited are pretty bad - the SMBv1 used for worming isn't exactly XP-only, and the Windows Defender/Anti-Malware exploit is probably the worst I've seen in... 10+ years, I reckon.

It is the US government's fault for legislating that the NSA can snoop on American citizens that ultimately got stolen by/leaked to hackers (which everyone knows is inevitable) - this is going to happen more often in the US and UK and we should all be railing against the decimation of our rights and privacy as citizens.
-Carol Haynes (May 14, 2017, 08:25 AM)
NSA does what National Security Agencies do - I'm appalled at how they're doing mass surveillance of honest citizens, but NSA doing offensive malware research is not a problem - the bugs were there, it's only a matter of time before somebody found and exploited them.

92
Living Room / Re: [Breaking News] Cyber Attack cripples UK NHS.
« on: May 13, 2017, 12:18 AM »
An OS that was released over 15 years ago, in an age where people pay for latest phones, latest consoles and other gadgets ... sorry but that's silly.
Yes and no.

In general, I agree that it's silly to cling on to an operating system that's that old - but there might be good reasons for it at a hospital. They have special equipment that sometimes, unfortunately, needs drivers that haven't been updated for modern systems.

93
This is a pretty, pretty bad vulnerability, and I'm glad Natalie Silvanovich and Tavis Ormandy found it before it was wormed.

It's yet another example of why it's so bloody dangerous to run complex code in privileged (whether that's kernel-mode or "just" administrator/root privileges) accounts. Researchers have generally called Windows Defender the "least bad" security wise (3rd-party AV tools tend to do way too much stuff in kernelmode for their own good, and some of them fuck your browser security) - but obviously when something of this scale is found, it's terribad because of the scale of deployment.

Hopefully Microsoft will eventually get all the file-format parsing, untrusted code evaluation (etc.) for antimalware running in a non-privileged sandbox.

EDIT: kudos to Microsoft for fixing this very fast. Four day turnaround.

94
I was wondering the same as Deozaan :)

Having system info was probably fun to code, but it seems strangely out of place in your tool.

Also, you should probably remove 3Des - it's not suitable for use anymore. If somebody has a cryptic and arcane use for it, it's better that they go find arcane and cryptic software rather than offering an insecure algorithm in a general-purpose application.

And finally, you should document the cipher mode and key derivation functions you're using - both are pretty important with regards to the effective security of the encryption.

95
The only good thing about the touchbar is being able to run NyanCat on it.

I hate the idea, and IMHO crApple is pissing on developers (and other non-sheeple consumers) by taking out the hardware Escape key - which is far more useful than the preserved caps lock.

96
That is absolutely crazy, and super cool!

p3lb0x told me about the video a while ago, but didn't get around to watching it until now. The focus on zero-overhead abstractions in C++ is one of the extremely strong features of the language, and something I haven't really seen in other languages.

Oh, and translating x86 assembly to 6510? Pretty cool, even though it's just a subset - pretty interesting that it was more viable than an LLVM codegen :)

97
Found Deals and Discounts / Re: Antivirus
« on: April 27, 2017, 05:27 PM »
I haven't tried MSE myself but regular posters on several Windows Support Forums swear by it.  I just never got around to checking it out.  It can't be a total piece of crap because the regulars who praise it are no dummies.  If you have a pre W10 system you may want to download MSE.
It's not as much of a "MSE is super cool and catches everything" as it's a case of "Pretty much everything else has a high snake-oil factor, and is so hopelessly engineered that it creates more security problems than it fixes".

98
Found Deals and Discounts / Re: Antivirus
« on: April 27, 2017, 03:13 PM »
Oh, windows defender is enough!
Important requirement: On Windows 10 that is, older Windows releases only have a 'less well-developed' MSE version available.
Isn't it Win7+?

99
General Software Discussion / Re: Windows 10 Privacy Concerns
« on: April 20, 2017, 03:48 AM »
What antivirus can I use for my Windows 10 privacy and protection?
Just stick with Windows Defender for AV - possibly supplementing with MalwareBytes AntiMalware - but read this.

As for "privacy", you might want to read this. O&O Shutup10 doesn't seem too bad, though.

100
Announce Your Software/Service/Product / Re: FrogTea
« on: April 05, 2017, 11:19 AM »
Sure, I can see some potential weaknesses in the use of FrogTea, but what puzzled me in your initial response was what seemed to be your outright damning of the whole thing in this thread - for no compelling, apparent, verifiable and substantive reason - as though it could not possibly be any kind of useful encryption tool. That would seem to be absurd.
Not really.

The reasons I listed against using FrogTea are pretty sound. If anything is absurd, it's the insistence that there's some merit in using an unmaintained, closed-source program with problematic encryption - while not philosophically untrue, it's about as ridiculous as insisting that it's better to wear pajamas in a blizzard than being naked.

In the other thread, you went further and even asked what use/purpose it had and were seemingly mistakenly implying/thinking that I was putting FrogTea forward as some kind of a proposed technological solution to address the issues/problems in that other thread (which I decidedly wasn't doing and which would have been an absurd thing to do in any case).
You seem intent on muddling things up. I tried keeping this thread about FrogTea in and by itself (which can be kept fairly technical), whereas the other thread is political, and it's in that context I struggle to see how tech is supposed to be a solution for a political problem.
