Brontoforumus Archive



This board has been fossilized.
You are reading an archive of Brontoforumus, a.k.a. The Worst Forums Ever, from 2008 to early 2014.  Registration and posting (for most members) has been disabled here to discourage spambots from taking over.  Old members can still log in to view boards, PMs, etc.

The new message board is at http://brontoforum.us.


Author Topic: Computer security  (Read 24671 times)


Thad

« Reply #120 on: February 14, 2012, 12:04:15 PM »

Nortel Networks suffered a security breach that for almost a decade gave attackers with Chinese IP addresses access to executive network accounts, technical papers, employee emails and other sensitive documents at the once-thriving telecommunications firm, The Wall Street Journal reported (subscription required).

The publication, citing a former 19-year Nortel employee who oversaw the investigation into the hack, said Nortel did nothing to keep out the hackers except to change seven compromised passwords that belonged to the CEO and other executives. The company "made no effort to determine if its products were also compromised by hackers," the WSJ said. Nortel, which sold off parts of its business as part of a 2009 bankruptcy filing, spent about six months investigating the breach and didn't disclose it to prospective buyers.

:whoops:

Mongrel

« Reply #121 on: February 14, 2012, 04:01:44 PM »

Holy shit! The Nortel Saga was high drama up here. The classic Canadian failure story.

Hope that makes the regular papers up here.

Thad

« Reply #122 on: February 15, 2012, 11:00:15 AM »

VeriSign, Pillar of Internet Security, Hacked

Quote
The security breaches were reported in a quarterly filing in October 2011 with the Securities and Exchange Commission. The filing was first discovered by Reuters. According to VeriSign’s account, the company was the victim of “several successful attacks against its corporate network,” sometime in 2010.

VeriSign told federal regulators that its Domain Name System network—the part of the company that certifies the authenticity of millions of websites—was probably not affected.

(via)


MEANWHILE: EFF: Tens of thousands of websites' SSL "offers effectively no security" due to poor RNG.

Thad

« Reply #123 on: February 16, 2012, 10:06:09 AM »

The math.

I had a crypto prof who said that every computer generating certs should have attached true-RNG hardware -- basically an analog device that generates some sort of random noise.  (I saw research years ago that said lava lamps are perfectly suitable for the purpose, though I can see how it might be hard to sell people on the idea.)

Thad

« Reply #124 on: February 17, 2012, 01:30:00 PM »

Kaminsky says:

Quote
There's been a lot of talk about some portion of the RSA keys on the Internet being insecure, with "2 out of every 1000 keys being bad". This is incorrect, as the problem is not equally likely to exist in every class of key on the Internet. In fact, the problem seems to only show up on keys that were already insecure to begin with -- those that pop errors in browsers for either being unsigned or expired. Such keys are simply not found on any production website on the web, but they are found in high numbers in devices such as firewalls, network gateways, and voice over IP phones.

Adds that it's still a problem and DNSSEC will help.

(via)

Thad

« Reply #125 on: March 02, 2012, 09:50:12 AM »

Demonstrating security vulnerabilities in electronic voting machines, University of Michigan prof & two grad students get Bender elected as head of school board

Quote
Finally, they inserted the word "owned" onto the final signoff screen of the voting page, and set up the University of Michigan football fight song to play after 15 seconds.

It took two days before the authorities discovered they'd been pwned, and they were only alerted to that fact when another tester told them the system was secure, but that they should lose the music on the sign-off screen, as it was rather annoying.

Mongrel

« Reply #126 on: March 02, 2012, 10:34:22 AM »


Thad

« Reply #127 on: March 05, 2012, 10:03:34 AM »

Doctorow goes on at some length about the general problem of security -- computers are too complex and it's impossible for a user to know everything that's happening at all times -- and that the latest solution is curation, with Ubuntu and Android on one side (there's a curated option but users can install what they want) and iOS and Nintendo on the other (difficult to run custom software, up to and including bricking your device if you try).  He goes through a list of different control scenarios (user/vendor/owner) and the benefits and drawbacks of each.

Friday

« Reply #128 on: March 05, 2012, 11:02:06 AM »

Demonstrating security vulnerabilities in electronic voting machines, University of Michigan prof & two grad students get Bender elected as head of school board

Quote
The team also managed to guess the login details for the terminal server used by the voting system. This wasn't exactly difficult, since the user name and password were both "admin".

when are people going to stop doing this

I mean, I know jack fucking shit about computer security and computers in general, but I knew to not do this since I was able to think clearly about stuff other than A is for Alligator

Rico

« Reply #129 on: March 05, 2012, 11:32:53 AM »

I wasn't sure whether to put this in this thread or the Your Job thread but since we're talking about passwords, my manager last week was swearing at his computer, typed angrily for a bit, then yelled, "Case sensitive passwords are the stupidest thing anyone ever invented!"

Catloaf

« Reply #130 on: March 05, 2012, 07:10:43 PM »

Quote from: Rico's Boss
Case sensitive passwords are the stupidest thing anyone ever invented!
Well, there is an argument to be made on that front.


So "Even electronic brain pancake crystal elderly" is the perfect password if you're a fan of Ghost in the Shell... and a decent typist.

Gibberish really should be used in passwords more; it's not even hard to remember if you make it sound funny enough (emotional connection strengthens memory) and use an unambiguous spelling methodology.  And it's even easier to remember if you derive it from/make it sound similar to an actual word/phrase.

Classic

« Reply #131 on: March 05, 2012, 10:35:14 PM »

"Brute force" attacks still occur, but generally they start with combinations considered "likely". Exhausting popular dictionary-based passwords (e.g. admin) before moving on to the meat of the brute force solution.

That said, barring an unfortunate hashing collision, the latter password is probably still more of a bitch to brute force because not enough passwords use that scheme to make it a popular password set. Troubador+"Salt" is probably good enough that it won't need to be replaced before 6 months. So.... Who cares?


EDIT:
That reminds me, I have to update some passwords. Excuse me.

Thad

« Reply #132 on: April 09, 2012, 10:53:15 AM »

Any Mac users/people who know Mac users?

Want to check and see if you or your family members got Flashback?

There's a tool called FlashbackChecker at GitHub; it'll check for it (but won't repair it; the dev explains that he doesn't want to start giving out a tool that claims to detect malware and then asks for privilege escalation so it can fix it, because he figures malware authors would follow up with a raft of imitators to inject more shit).

Via Ars, which also has an earlier article explaining how to get rid of it.

Mongrel

« Reply #133 on: June 06, 2012, 05:54:47 PM »

If you have a LinkedIn account, you should probably go change your password

Fortunately, the email address I used for LinkedIn hasn't been used for much else in some time. Looks like there's the potential for some damage here.

Thad

« Reply #134 on: June 06, 2012, 07:42:45 PM »

...unsalted.

If only LinkedIn had access to a list of contact information for people who have a basic fucking understanding of computer security and are looking for work.


EDIT TO ADD: There's more at Hacker News.

Quote
0. This is a file of SHA1 hashes of short strings (i.e. passwords).

1. There are 3,521,180 hashes that begin with 00000. I believe that these represent hashes that the hackers have already broken and they have marked them with 00000 to indicate that fact.

Evidence for this is that the SHA1 hash of 'password' does not appear in the list, but the same hash with the first five characters set to 0 is.

  5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 is not present
  000001e4c9b93f3f0682250b6cf8331b7ee68fd8 is present

Replies contain a link to the complete dump (116MB RAR), as well as scripts in multiple languages to parse the file looking for a given password's hash.

While you may want to look to see if your password's in there just for immediate peace of mind, you should still probably change it anyway.  To something you don't use somewhere else.  I mean, that's what you should be doing anyway, but ESPECIALLY with a site that's already proven it's run by fucking incompetents.

TA

« Reply #135 on: June 07, 2012, 07:36:11 AM »

For reference: here's a quick Python thingy to scan the .txt.

Mine wasn't in there.  Which I guess is good.  Changed it anyway.
Do you understand how terrifying the words “vibrating strap on” are for an asexual? That’s like saying “the holocaust” to a Jew.
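
The check described in the two posts above (look up your own password's SHA-1 in the dump, in both its full form and the form with the first five hex characters zeroed), as an added example; it is not TA's script, which is not reproduced in this archive. The names `sha1_hex`, `check_password` and `constructed_dump` and the three-line sample data are assumptions made for the illustration.

```python
import hashlib
import io

MASK = "00000"  # per the quoted analysis: prefix stamped over already-broken hashes


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 as lowercase hex, the format of the dump's lines."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def check_password(password: str, lines) -> str:
    """Classify one password against an iterable of dump lines.

    'present': the full hash is listed.
    'cracked': the hash is listed with its first five hex chars zeroed.
    'absent' : neither form appears.
    """
    full = sha1_hex(password)
    masked = MASK + full[len(MASK):]
    status = "absent"
    for line in lines:  # stream line by line; no need to hold the file in memory
        entry = line.strip().lower()
        if len(entry) != 40:
            continue  # skip blank or malformed lines
        if entry == masked and masked != full:
            return "cracked"
        if entry == full:
            status = "present"  # keep scanning in case the masked form follows
    return status


def constructed_dump() -> io.StringIO:
    """Constructed three-line stand-in for the real file (sample data only)."""
    rows = [
        "000001e4c9b93f3f0682250b6cf8331b7ee68fd8",  # masked 'password' hash quoted above
        sha1_hex("Even electronic brain pancake crystal elderly"),  # unmasked entry
        "not-a-hash",
    ]
    return io.StringIO("\n".join(rows) + "\n")


if __name__ == "__main__":
    # For a real file: open it and pass the handle; read the password with
    # getpass.getpass() so it stays out of shell history.
    for pw in ("password", "Even electronic brain pancake crystal elderly", "zxcv"):
        print(repr(pw), "->", check_password(pw, constructed_dump()))
```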

Mongrel

« Reply #136 on: June 07, 2012, 07:51:54 AM »

However simple, I have never done any programming at all, so that's mostly durrrhuhwhat to me. In any case, the file Thad linked is gone now anyway.

TA

« Reply #137 on: June 07, 2012, 07:54:05 AM »

Oh.  Good thing I grabbed it, then!

I'd offer to rehost it for you but I'm ... not sure whether that's a good idea.

Mongrel

« Reply #138 on: June 07, 2012, 08:14:20 AM »

Well, like I said, I wouldn't get much use out of it anyway.

It should be alright in any case. I used a bullshit password for LinkedIn that I only use for trashy accounts and the email address I had there is an older one not linked to anything crucial anymore, which also had a different password of its own.

Classic

« Reply #139 on: June 07, 2012, 08:26:40 AM »

Quote
I used a bullshit password for LinkedIn that I only use for trashy accounts

So you're saying they have your brontoforumus password?