4826
Living Room / Re: Sansa Clip Zip: Wow!
« Last post by Deozaan on December 11, 2011, 01:43 AM »The post by "ncuxanam" in your second link has a link to the proper replacement, BTW.-Edvard (December 11, 2011, 12:48 AM)
Third link.
Recent Posts
The post by "ncuxanam" in your second link has a link to the proper replacement, BTW.-Edvard (December 11, 2011, 12:48 AM)
I never make any new friends.-Deozaan (December 10, 2011, 12:07 AM)
http://www.rentafriend.com/-PhilB66 (December 10, 2011, 02:50 AM)
<Deozaan> Why doesn't the internet use public/private key authentication instead of passwords?
<Lashiec> because they're still working on that
<Deozaan> What do you mean?
<Lashiec> making it easy for everyone, I mean
<Deozaan> You can do that for e-mail, can't you?
<Lashiec> with something like this: https://www.donation...ex.php?topic=27343.0
<Lashiec> PGP?
<Stephen66> biometrics would make life so much easie
<Stephen66> easier
<Deozaan> Not if you were undead!
<Deozaan> Because you know... undead don't have fingerprints...
<Deozaan> or retinas to scan
<Stephen66> why dont they have finger prints
<Deozaan> I dunno.
<Deozaan> For some reason I was thinking biometrics meant like having a pulse.
<Deozaan> But then I realized my mistake and so I started sarcastically making excuses as to why I was still correct.
<Stephen66> lol
<Lashiec> you can use the inflexion of their voice when they say "BRAAAAAINS" as a secondary authentication method
* Deozaan laughs.
<Stephen66> lol
He said brilliant, not horrifyingI have to say thats just about the most brilliant thing i've seen all year.I find it a bit hard to believe that you haven't looked in a mirror all year.-mouser (December 06, 2011, 08:55 PM)-Deozaan (December 06, 2011, 09:11 PM)-Josh (December 06, 2011, 09:14 PM)
I don't get it.-Deozaan (December 08, 2011, 02:58 PM)
"it" being my queries, or googles verification?
~ I'm just being a little contrary-tomos (December 08, 2011, 03:47 PM)
I have to say thats just about the most brilliant thing i've seen all year.-mouser (December 06, 2011, 08:55 PM)
Seriously, why even bother (joining the race) ... The computer can spit out x thousand attempts per second, which becomes completely and instantly irrelevant when a lockout policy is enabled. 5 attempts in a minute = locked out for x minutes. How successful is brute forcing against that scheme?? ...My guess is not very.-Stoic Joker (December 06, 2011, 06:48 PM)
When i do my hacker thing and connect to a server from a terminal/console/black box with letters in it, it uses public-key cryptography to prove who i am. I have a private key and a public key. The public key can be used to lock boxes in such a way that only my private key can unlock them again. I give out my public key; the server picks some big random number and encrypts it; if i can tell the server what random number it picked, then it knows i have the private key and must be who i say i am.
(Okay, that's still a bit oversimplified. The actual mechanism for how this usually works is pretty cool, if you want to read about it. It has a pretty picture using paint mixing.)
While my key is still protected by a password, the experience is radically different in a few critical ways.
- It's called a passphrase, not a password. And, indeed, my passphrase(s) tend to be phrases, 50+ characters long, decorated with punctuation in some way that makes sense to me. They're very easy to remember, yet i can't imagine how you'd even approach trying to crack them.
- I type the passphrase in once, when i boot up my machine. The private key is unlocked for the rest of the session, and it's used automatically when i connect to any server that has the corresponding public key. Logins are instant and seamless; i log in and out of stuff all day long.
- The passphrase stays on my machine. It's not sent to the server to be double-checked, like virtually all passwords on the Web are. Something like Firesheep simply cannot work; you can't sniff my passphrase out of the air if it's not there to begin with.
- Even if i connect to server A, and then hop from there to server B, i can defer all the key-checking back to my desktop. Server A doesn't need to have my private key on it to connect somewhere else in my name.
- You know those SSL certificate warnings? You know how you always ignore them? Yeah, you shouldn't do that. They're the only warning you get that someone might have hijacked the connection to your bank or whatever. It's a shame that browsers have trained most of us to ignore the warnings, because they're the only thing making SSL useful.
- Anyway, in the case of SSH: the server has its own public key, which it broadcasts to me as part of the login process. The first time i connect to a server, the public key is remembered on my machine. If i ever try to connect again, and the public key is different, the connection stops immediately. It's the same idea as the certificate warnings, except that public keys are supposed to last forever and you don't need to bleed cash to get one, so a changed key is actually a legitimate cause for concern. (Most SSL warnings are about a certificate that the website owner created himself, because getting a signed one is considerably pricey.)
- And best of all, i can use the same set of keys for any number of servers. Or i can use a separate key for every server. It's entirely up to me. It doesn't matter what my username is on each server. It doesn't matter whether the servers are related in any way. It doesn't even have to be my account; any account can have any number of public keys linked to it, so sharing an account is just a matter of giving it several people's keys.
