Recent Comments

February 2, 2023 1:44 PM

Roger on AIs as Computer Hackers :

Inexplicably, DARPA never repeated the event.

It’s explicable, all right. The event goes on with DoD participants and the results are never released to the public.

February 2, 2023 1:23 PM

Jordan Brown on Passwords Are Terrible (Surprising No One) :

Dictionary attacks are very powerful.

Yes and no. For small numbers of words, yes. For larger numbers, no, they are no more powerful than knowing that there are 95 printable ASCII characters – a dictionary attack on ASCII.

My preferred passwords these days are pass phrases picked randomly from a collection of 1024 common four-letter words. That’s a nice tidy ten bits per word. I usually separate the words by a space if the service will let me. (Sigh, some won’t.)...

February 2, 2023 1:16 PM

U R ON MY PAYROLL YOU DIRTY COP on AIs as Computer Hackers :

@meestahgofyslf
THERE IS nothing worse in this world THAN A CORRUPT POS LIKE YOU THAT WORKS FOR THE GOV’T! Capiche?

February 2, 2023 1:13 PM

U R ON MY PAYROLL YOU POS on AIs as Computer Hackers :

How DARE YOU @meestahgofyslf defend yourself you piece of shit! YOU KNOW YOU’LL GET LOCKED UP WHERE YOU BELONG YOU CORRUPT POS!!!
Your days of roaming around are numbered ya POS!

February 2, 2023 1:09 PM

ResearcherZero on Friday Squid Blogging: Squid-Inspired Hydrogel :

“Your decision, Mr. President, to give the Soviet Union an interest-free credit of $1 billion in the form of materiel supplies and raw materials has been accepted by the Soviet government with heartfelt gratitude as urgent aid to the Soviet Union in its enormous and difficult fight against the common enemy – bloodthirsty Hitlerism,” Stalin wrote to Roosevelt.

More than 14,000 U.S. airplanes, 8,000 of which came from Alaska, were given to the Soviet Union in the course of the war. The USSR received a total of 44,000 American jeeps, 375,883 cargo trucks, 8,071 tractors and 12,700 tanks. Additionally, 1,541,590 blankets, 331,066 liters of alcohol, 15,417,000 pairs of army boots, 106,893 tons of cotton, 2,670,000 tons of petroleum products and 4,478,000 tons of food supplies made their way into the Soviet Union...

February 2, 2023 1:02 PM

Oshner on Friday Squid Blogging: Squid-Inspired Hydrogel :

@jonknows…. et al

I think the watchword is specificity. Oranges and grapefruits have differing drug interactions not because they are citrus but because grapefruit juice contains compounds that interfere with the liver’s cytochrome P450 CYP3A4 enzyme, which in turn affects metabolism of drugs such as atorvastatin.

As Magritte said, “Ceci n’est pas une pipe”, pointing out the gap between nomenclature and reality (along with infinite other resonances). Whatever naming convention is used, the characteristics of the variant are what they are...

February 2, 2023 1:01 PM

Emoya on Passwords Are Terrible (Surprising No One) :

@Clive, pd, All

Misuse of authority aside, another thing that scares me about hardware keys is account recovery in the event of loss/theft. IIRC, a few months back Bruce posted a thought experiment in which all avenues of authentication were lost in a house fire, leaving no recovery options.

Also, as Clive pointed out, biometrics are essentially tokens that cannot, under normal circumstances, be lost. However, “under normal circumstances” does not mean impossible, improbable, or even unlikely. Some people are exposed daily to conditions that could cause them to lose or alter one or more biometric attributes...

February 2, 2023 12:42 PM

Petre Peter on AIs as Computer Hackers :

It seems like a government run by AI is a different victory condition leading to fascism.

February 2, 2023 12:39 PM

Winter on Passwords Are Terrible (Surprising No One) :

@Emoya

If it were me, I would almost consider it as one word.

I think it is one word. You are right about the rest too.

To get realistic estimates, a language model is needed too, that gives probabilities of word sequences. ChatGPT is such a model. But I did not want to complicate things too much.

In reality, it boils down to an arms race. To me, the solution is “In case of doubt, add a word to your passphrase”...

February 2, 2023 12:12 PM

Emoya on Passwords Are Terrible (Surprising No One) :

@Winter, Anonymous2

Don’t forget that bit security assumes drawing randomly from a set. Polar and bear are very closely related in their everyday use because combined they refer to a single object/idea, and as such, are more likely to be used together. If it were me, I would almost consider it as one word.

February 2, 2023 12:11 PM

Winter on AIs as Computer Hackers :

@meestahgofyslf

“corruption” ISN’T a default state for human beings,

Actually, it is. The default state of humans is to divide humanity in “Us” and “Them” and to work to the benefit of “Us” at the detriment of “Them”.

Corruption is extracting benefits for “Us” from “Them”.

It is the basis for “Power corrupts…”

...

February 2, 2023 11:19 AM

meestahgofyslf on AIs as Computer Hackers :

IP-RET-END:

“corruption” ISN’T a default state for human beings, unless you’re talking about entropy and the body or you’re pathologically cynical (in which case, see a shrink). When it’s ethical corruption that HARMS OTHERS, it SHOULD be exposed, whether it’s threatening its victims for speaking out about it or not. Don’t like it? Don’t do it.

...

February 2, 2023 9:55 AM

Winter on Passwords Are Terrible (Surprising No One) :

@Anonymous2

If you use words in a password, think of the whole word as if it was a single character of a very long alphabet

tl;dr: Go for long passphrases, not complex passwords.

Indeed. If you convert the 170,000 words into bits to guess, you get ~17 bits per word. Capitalization adds 1 bit. So, think of a passphrase of words as giving you 18 guessable bits per word. Adding 2 digits before or after adds another 8 bits. So, “Polar_bear65” = 18+18+8 = 44 bits. There are 3 options to combine these 3 components: “”, “ ”, “_” on 2 positions, ~3 bits extra. All in all you end up with less than 50 bits to guess on the assumption it is two words and a two-digit number...

February 2, 2023 9:00 AM

IP-RET-END on AIs as Computer Hackers :

“AIs as Computer Hackers”. Yeah, Perl, .vbs, .js, .py, and many other scripting languages have been known to help accomplish just that, for quite some time now. Of course, any batch file/job/task (automation) could also be called “AI” just to make it sound “cool”, but in the end it’s just some human being behind it, much like when you expose criminals within the government and then when those individual criminals pose as the “state” to go after you, so then you are retaliated against by the “STATE” and even though you have evidence that “they” only exist to protect one another, nothing happens. But now we’re wandering off into another territory called CORRUPTION. Point being – animals called humans are behind everything...

February 2, 2023 4:07 AM

Anonymous2 on Passwords Are Terrible (Surprising No One) :

@Anonymous
Dictionary attacks are very powerful. Especially if you combine them with popular methods of creating simple word-based passwords (for example one or two words and a number) and you make it into a hash table. Password “Polar_bear65” is only 2 words (“Polar”, “bear”), a number (“65”) and a special character as a space substitute (“_”). There are only about 170,000 English words in use today (you can further refine it by removing uncommon words). If you use words in a password, think of the whole word as if it was a single character of a very long alphabet (340,000 characters long, containing words with and without a first capital letter). For comparison, a 4 character long, lower case alphabetical password has about 456,976 possible combinations...

February 2, 2023 3:55 AM

JonKnowsNothing on Friday Squid Blogging: Squid-Inspired Hydrogel :

@Clive, @Oshner, All

Just a few add-on points to your comments:

re: about medical statistics

There is quite a bit of commentary about this in the archives. You might want to grep through them so we don’t have to retread the tire, or at least not all 4 wheels.

There’s lots known in the readership here about statistics, data harvesting, selection and rankings. There’s also a great deal known about Medical Decisions, Selective Decisions and certain common fallacies in Decision Processes...

February 2, 2023 12:38 AM

Clive Robinson on Friday Squid Blogging: Squid-Inspired Hydrogel :

@ Oshner, JonKnowsNothing, ALL,

Re : Antipathogenic micronutrients.

“As far as the OTC meds that you listed for colds and flu they are largely composed of similar ingredients and target symptom relief rather than cure.”

Sadly those OTC meds you list are actually more likely to kill you than cure you. The reason is that often they work against your body’s natural anti-pathogenic behaviours.

However there is a long known but ignored group of chemicals in the UK and US that do assist rather than hinder the body’s natural anti-pathogenic behaviours, and they are available “Over The Counter” and they have considerably fewer side effects than “pharmaceuticals” from the major drugs companies...

February 1, 2023 11:56 PM

Clive Robinson on Passwords Are Terrible (Surprising No One) :

@ pd, All,

“Hardware keys.”

Are in most ways as bad if not worse than bio-metrics.

Hardware keys get used with accounts as,

“One ring to rule them all and in the darkness bind them”

Effectively once LE’s or IC grab your token and force you via various means legal, psychological, or physical to unlock it, every account you own, then belongs to them, to do with as they please (and people wonder why I don’t do social-media)...

February 1, 2023 11:34 PM

Oshner on Friday Squid Blogging: Squid-Inspired Hydrogel :

@jonknows….

While I understand that the rate of mutation exceeds the speed at which new vaccines can be created and therefore efficacy might be impaired, I think your comment overlooks the fact that what the virus is doing is mutating spontaneously and not wholly transforming its entire structure. As with all evolution most mutations are discarded or do not confer a selective advantage but the relevant covid strains that are the focus of research are ones where a mutation or series of mutations has conferred an advantage. Vaccine research as a result does not restart from zero. That’s why they call them variants instead of labeling them as new viruses...

February 1, 2023 11:29 PM

Clive Robinson on Friday Squid Blogging: Squid-Inspired Hydrogel :

@ SpaceLifeForm,

Re: UK strikes

“It’s a start”

Which ones?

The cost of living in real everyday terms has more than doubled and “public sector” workers have not had a pay increase in over eight years in the UK. Their income in some cases is worth less than a third in real terms of what it once was.

Let me put it this way, do you want nurses and teachers having to keep their families alive via “food banks” because that is what is starting to happen...

February 1, 2023 10:09 PM

JonKnowsNothing on Passwords Are Terrible (Surprising No One) :

@All

While considering the problems with the passwords, pass codes, a small dimple or pimple is the HIDE_ME feature on the password input line which comes in a few variations.

  • There is Open_EYE which will let you verify the entire line before you hit ENTER-SUBMIT and kill one of 3 attempts before your account gets a lockout.
  • There is the ‘*’ replacement, which hides each typed character just moments after you type it. There is no Open-EYE to show the entire line, which gets replaced by ‘***’ as you go...

February 1, 2023 7:37 PM

Clive Robinson on Passwords Are Terrible (Surprising No One) :

@ Jordan Brown, ALL,

Re : positions of characters.

“You get three more bits because it can be in any of eight positions.”

In theory yes, for the first rule but each one goes down so the first is 1:8 the second 1:7 the third 1:6 and so on.

But with double digits they are not often spread apart unless it’s simple to remember like ‘6Polar_bear4’. But you also need to remember humans being what they are, are not likely to even do ‘Po64lar_bear’ by choice. Overwhelmingly they would do ’64Polar_bear’ or ‘Polar_bear64’, bringing it down to just a 1-bit choice...

February 1, 2023 7:18 PM

Clive Robinson on Passwords Are Terrible (Surprising No One) :

@ JonKnowsNothing, ALL,

Re : The $5 approach.

“If your social media account password is really complex enough that you cannot remember it, you aren’t going to have any working flexible digits left.”

Back when @NickP was still around, he and I used to discuss things like this.

One thing we came up with was a short life self destructive key that you provably did not know. The real key or password was generated from apparently random data sent to you by three or more parties each in their own jurisdiction outside of the jurisdiction you are in...

February 1, 2023 5:33 PM

Clive Robinson on Friday Squid Blogging: Squid-Inspired Hydrogel :

@ Jazz Handler, SpaceLifeForm, MarkH, Winter, ALL

Re : Batteries and usage.

“So how is this being treated as a problem only solved last week?”

It tells you in the article did you read it all?

If so go back and read about why seeing it was “blood red” was a surprise and what was different that probably made it that colour.

Did you do what the article indicated to your batteries?

I suspect not, getting any battery to that temperature is, to put it politely, unwise...

February 1, 2023 4:58 PM

David McClain on Passwords Are Terrible (Surprising No One) :

I don’t understand the continuing use of passwords. The Signal X3DH protocol provides for password-free connections among all parties. All that is needed is a public key from each participant. If these leak out, there are no undesirable consequences. (I hate the tower of passwords we have now, surprising nobody…)

February 1, 2023 4:40 PM

Big Foot on Kevin Mitnick Hacked California Law in 1983 :

This was not a bug in the law, was by design. Juvenile courts have no authority on the subject when they reach age of majority. He just used the system as designed. More DIYer than hacker in this sense.

February 1, 2023 3:55 PM

Ted on Passwords Are Terrible (Surprising No One) :

@AlanS

I have no idea how prevalent their use in federal agencies is… I suspect the Feds requiring a security control and its implementation may be eons.

Apparently the OCIO wasn’t aware what specific systems were enforcing MFA. They had relied on the different bureaus and offices to self-report. Nobody captured the individual systems.

Per the IG report, using single-factor authentication runs against 18 years of mandates from NIST, DHS, EO’s and the dept’s own policies. (p11)...

February 1, 2023 3:05 PM

Jordan Brown on Passwords Are Terrible (Surprising No One) :

So 92^7 x 10^1 = 5.5785 × 10^14 or ~45 bits

That’s if the digit is forced to be at the end (or any other fixed position).

You get three more bits because it can be in any of eight positions.

But yes.

February 1, 2023 2:31 PM

Clive Robinson on Passwords Are Terrible (Surprising No One) :

@ Jordan Brown, ALL,

Re : Admin Rules reduce strength.

“… is awful because it doesn’t have the four food groups”

Each group reduces the “potential” password strength. I know this surprises many people but it’s true and I’ve had a number of arguments over the years.

I’m glad to see others can look straight at the chalk board 😉

@ ALL,

Let’s take a simple eight character password. Where the entire character set is...

February 1, 2023 2:21 PM

lurker on Passwords Are Terrible (Surprising No One) :

@Jeff M

So instead of merely cracking the SHA-1 to get your password, the bad guy has to crack 475 SHA-1s and run them through his credential stuffer. I guess that’s an improvement.

February 1, 2023 1:47 PM

modem phonemes on Friday Squid Blogging: Squid-Inspired Hydrogel :

@ Winter

Where I wrote “misestimated” it would have been clearer to have written “defective”.

The only point I have been trying to make is that human nature entails natural justice, and positive law, social forms etc. need to take this as a principle and starting point. This is in contradistinction to those that say human nature is basically a blank slate and that any social agreement may justly be imposed...

February 1, 2023 1:15 PM

Clive Robinson on Passwords Are Terrible (Surprising No One) :

@ Tom, ALL,

Re : Password Checkers

“I’ve always wanted to test my master password but have never trusted the “password strength test” sites to not be harvesting.”

Even if they don’t test they will give you a falsely high value of its strength.

February 1, 2023 12:56 PM

Jordan Brown on Passwords Are Terrible (Surprising No One) :

Password strength meters and their estimates have almost no value, because they assume a particular model for password structure.

Is your password in an existing password leak? You’re dead, no matter how “good” it is.

Is your password built out of enough bits of randomness? You’re probably OK, no matter what characters it has in it.

How strong is “Polar_bear65”? A naive analysis might say that it’s got 12 characters from the four food groups, so it’s got 78 bits, which is really good. But almost nobody really uses a random 12-character full-character-set password, because they are impossible to remember and painful to type. (Password managers excepted.)...

February 1, 2023 12:51 PM

mark on Passwords Are Terrible (Surprising No One) :

Just one issue: how did such passwords get put in place? Everything I use, from my hosting provider to my partner’s Win 10 box, checks new passwords, and refuses them if they consider them weak. Certainly my Linux box does….

February 1, 2023 12:50 PM

Winter on Passwords Are Terrible (Surprising No One) :

@EvilKiru

I think it’s safe to assume that any password you check will end up in a rainbow table used for password cracking.

There are many JavaScript only password checkers [1], even with code available.

And if a known university assures us their password checker runs on the client computer without internet transactions [2], I trust that. The fallout of someone finding out they lied would be way too serious...

February 1, 2023 12:42 PM

lurker on Passwords Are Terrible (Surprising No One) :

@Ted (whichever)
“People will simply be tricked into clicking the little notification…”

I’ve often wondered just what the dickens does happen with all those GDPR cookie notices, how easy would it be to spoof one, and how come too many don’t [Save my Preferences].

@Kent England
“slow roll credential-stuffing attacks and limit attempts to a reasonable number”

That is so easy to do there can be only one reason why it’s not done: sysadmins don’t want the hassle of dealing with the doofuses who can’t read the stickit under their keyboard...

February 1, 2023 12:37 PM

EvilKiru on Passwords Are Terrible (Surprising No One) :

@Tom: I think it’s safe to assume that any password you check will end up in a rainbow table used for password cracking.

@yet another bruce: It’s probably not notably worse than anywhere else where humans are forced to come up with their own passwords.

February 1, 2023 12:25 PM

lurker on Friday Squid Blogging: Squid-Inspired Hydrogel :

@NickL, Winter

re women’s property rights,
from inside a thought bubble it might be hard to see the matriarchal societies (since millennia) of sub-Sahel Africa. These were the societies that provided gold and salt to Egypt, Rome, and the later Islamic realm, and still exist where they haven’t been suppressed by European colonialism.

February 1, 2023 12:00 PM

Winter on Passwords Are Terrible (Surprising No One) :

@Tom

I’ve always wanted to test my master password but have never trusted the “password strength test” sites to not be harvesting.

There are 10 types of “password strength test” sites, those that work in the cloud, and those that work in the page (JavaScript).

The former will harvest passwords, at least to feed their password strength algorithm. The latter claim they do not send any passwords over the internet. You can check that by downloading the page and running it without an internet connection...

February 1, 2023 11:58 AM

Gilberto on Passwords Are Terrible (Surprising No One) :

@Ted,

I was referring to so called “passwordless authentication”. I’ve seen a small number of websites that you can login to simply by clicking a notification on another device, or by typing in a short code you received via text or email.

It’s actually a large number of sites, because the “forgot my password” button often does exactly that. I worked with someone who, every time they were presenting a meeting via Webex, would go to that site, click the “forgot” link, and log in via the resulting email...

February 1, 2023 11:52 AM

JonKnowsNothing on Passwords Are Terrible (Surprising No One) :

@Clive, All

It’s more than a problem of “bad password” selection, it’s inconsistencies in applications across everything on the internet.

Many sites will no longer take 4 digits but they will take 6.

Some require 2FA and send a msg to “select your destination”.

Some require an Authenticator. Good, bad, or indifferent, if you want to access that site you gotta use the Authenticator they designate...

February 1, 2023 11:49 AM

AlanS on Passwords Are Terrible (Surprising No One) :

@Ted

I have no idea how prevalent their use in federal agencies is. They also appear to have some issues. See Krebs. I suspect the Feds requiring a security control and its implementation may be eons.

To add to the earlier post, passkeys appear to be a quicker route to more widespread adoption of Webauthn in the consumer space, but because they can be backed up and copied they appear to have some obvious vulnerabilities compared to hardware keys where the private key remains on the key...

February 1, 2023 11:39 AM

yet another bruce on Passwords Are Terrible (Surprising No One) :

Variability from department to department and between staff and management was interesting. Kudos to OIG. Interior Business Center seems like a squishy target with lots of potential exposure for client departments. I wonder why it is so notably bad.

February 1, 2023 11:03 AM

Jazz Handler on Friday Squid Blogging: Squid-Inspired Hydrogel :

@Clive, SpaceLifeForm, MarkH, Winter, et al.,

Re: PET and Self Discharge

I’ve been buying low self discharge Lithium Ion batteries for years now. And not just so I can have a bag in the kitchen drawer labelled “LSD”, I’ll have you know.

So how is this being treated as a problem only solved last week?

February 1, 2023 10:57 AM

Tom on Passwords Are Terrible (Surprising No One) :

I’ve always wanted to test my master password but have never trusted the “password strength test” sites to not be harvesting. Am I wrong?

February 1, 2023 10:50 AM

Ana Laura on Insider Attack on Lottery Software :

I loved the post, it is very complete and with valuable information. Congratulations for the tireless work in keeping this blog always updated and with quality content. It has become my favorite site to look up information on the subject I care about. Keep it up, you’re doing a great job!

In addition to liking the post, I also like the design and navigation of the blog. It’s easy to find the information I’m looking for and it’s enjoyable to read. Congratulations once again for the excellent work, you are a great example for everyone who wants to create a successful blog. Keep it up, I’m looking forward to seeing what’s next!...

February 1, 2023 10:41 AM

Winter on Friday Squid Blogging: Squid-Inspired Hydrogel :

@Nick,

I’m still unclear on the legal content of “laws of nature” as distinct from natural law,

I know “laws of nature” only as a thing in physics. Never saw it as part of legal proceedings.

February 1, 2023 10:37 AM

Winter on Passwords Are Terrible (Surprising No One) :

@Bob Easton

an easily found “Password Strength Meter” says it will take 5 years to break ‘Polar_bear65’ while this article states less than 90 minutes.

Looked up a password strength meter and it said ‘Polar_bear65’ corresponds to 6 x 10^14 guesses (weak) ~ 50 bit strength. That is weak.

February 1, 2023 10:36 AM

Ted on Passwords Are Terrible (Surprising No One) :

@AlanS

Aren’t the Feds requiring agencies and contractors to use FIDO2 hardware security keys to mitigate against weak passwords and weak 2FA?

I’m trying to figure out how prevalent PIV cards are within the DOI. This was from the IG report (still reading):

The most common MFA method the Department has implemented within the AD is a PIV card issued to all employees, which combines a digital certificate contained on the card...

February 1, 2023 10:36 AM

Clive Robinson on Passwords Are Terrible (Surprising No One) :

@ Bruce, ALL,

Am I the only one to recognise that we have a “passwords are bad” story at least once a year if not more frequently?…

I think it’s safe to say that the problem is not the technology –although it is mostly bad– but the usual “Nut behind the Wheel” of a human, be they a user or administrator.

There is a reason why bank PINs are only four digits… And yup people still forget them…

There are times when I think the XKCD $5 wrench cartoon[1] should be re-done… And people have their password tattooed in the scalp by repeated application of the wrench 😉...

February 1, 2023 10:08 AM

Kent England on Passwords Are Terrible (Surprising No One) :

Steve Gibson made some good points on passwords recently:
1) slow roll credential-stuffing attacks and limit attempts to a reasonable number
2) blacklist cloud networks and bad actor networks
3) use MFA sparingly. Use the persistent cookie and limit MFA to once a month or longer

If websites did these things, password cracking and reuse wouldn’t be such an issue.

February 1, 2023 10:02 AM

Clive Robinson on Friday Squid Blogging: Squid-Inspired Hydrogel :

@ MarkH, ALL,

Re : Feel the burn…

“Investigation soon revealed that the shipping department enclosed all electrical components in anti-static bags, which were sufficiently conductive to kill each battery by the time it was needed.”

They were lucky not to have had a fire in transit (remember the Airbus aircraft amongst others).

In the UK you are not allowed to put batteries in the post (Royal Mail), for this reason, so they have to be “shipped by courier”...

February 1, 2023 9:52 AM

Clive Robinson on Kevin Mitnick Hacked California Law in 1983 :

@

Re : hyper-dimensions

“Later developments in physics refer to dozens of dimensions at the micro level; I don’t know if they’re relevant here.”

The joys of “string theory” that started with twenty six dimensions then due to supersymmetry went down to ten.

The problem is those dimensions are way way down at the Planck length scale end of the line. And wrapped so tightly around each other they make a rose bud look loose...

February 1, 2023 9:21 AM

Nick Levinson on Friday Squid Blogging: Squid-Inspired Hydrogel :

@Winter:

I don’t dispute what you say about rights being inalienable in European law or in treaty law; I haven’t checked, and I haven’t checked if the U.S. is a party to such a treaty, or a party without a relevant reservation.

I’m still unclear on the legal content of “laws of nature” as distinct from natural law, but I can try to look that up elsewhere, time permitting.

Laws of logic can be part of natural law; I don’t know whether any are not. Whether they are part of laws of nature as distinct from natural law is something I don’t know...

February 1, 2023 8:54 AM

PHP on Kevin Mitnick Hacked California Law in 1983 :

There are lots of examples of real-world hacking.

People hacking medical equipment, or other stuff running out of support.

But there are examples of engineers with an unknown / untreatable disease that has unlimited time, and thus can diagnose, and possible even invent treatment with a professor. If I end up there, I will likely know more than a local doctor within a few weeks.

Lots of public services, if you keep calling them, your request might be pushed up in the pile, as it is too costly to keep getting buggered by you. Make fulfilling your request the easy option...

February 1, 2023 8:52 AM

bert on Passwords Are Terrible (Surprising No One) :

@Ted
I know what you were referring to, that’s why I mentioned passkeys.
You probably know how they work because you’re a commenter on this blog.
Do you really think protecting an account with a password and 2FA is as secure as using passkeys? Passkeys are designed to eliminate the “human factor” in authentication as much as possible, which you (rightfully) claim is the weakest link!

...

February 1, 2023 8:49 AM

PHP on Passwords Are Terrible (Surprising No One) :

A standard old Nvidia 1080 graphics card can bruteforce NTLM hashes at a rate that allows me to try all possible upper/lower/numeric in less than an hour. Newer cards are way faster.

Now, when you have tried that, then hashcat supports rulesets, dictionaries etc. Using that with a few dictionaries and rules describing different word separators, numeric postfix etc, you can quickly get a bit further. And keep adding the found passwords to the new wordlist...

February 1, 2023 8:33 AM

Ted on Passwords Are Terrible (Surprising No One) :

@bert

This is not true. Such an attack would be exponentially more difficult because today’s phone OSes are heavily sandboxed and you can’t just send a “notification to log in” if the user’s using passkeys.

I was referring to so called “passwordless authentication”. I’ve seen a small number of websites that you can login to simply by clicking a notification on another device, or by typing in a short code you received via text or email. In other cases it may require a biometric factor, such as scanning your face or fingerprint. Point is, people will still be tricked into giving access to hackers, and it won’t require a password...

February 1, 2023 8:27 AM

Bob Easton on Passwords Are Terrible (Surprising No One) :

Hmmmm… an easily found “Password Strength Meter” says it will take 5 years to break ‘Polar_bear65’ while this article states less than 90 minutes. Something doesn’t compute.

February 1, 2023 8:22 AM

Alan Kaminsky on Passwords Are Terrible (Surprising No One) :

In all, the auditors cracked 18,174—or 21 percent—of the 85,944 cryptographic hashes they tested

In other words, the auditors failed to crack 67,770—or 79 percent—of the hashes they tested. Over three-quarters of the passwords were too difficult to crack with a dictionary of “over 1.5 billion words”. A goodly percentage of the accounts would appear to be using strong passwords.

...

February 1, 2023 8:17 AM

Anonymous on Passwords Are Terrible (Surprising No One) :

Worrying if they can break Polar_bear65
That’s 12 characters with an underscore.
Either the stringing dictionary words attack approach is more flexible and effective than I would expect or they have a very big hash table.

February 1, 2023 8:15 AM

bert on Passwords Are Terrible (Surprising No One) :

@Ted (the first one):

Need to click a notification on your phone to login? People will simply be tricked into clicking the little notification thereby giving the hacker access to their accounts.

This is not true. Such an attack would be exponentially more difficult because today’s phone OSes are heavily sandboxed and you can’t just send a “notification to log in” if the user’s using passkeys...

February 1, 2023 8:06 AM

jbmartin6 on Passwords Are Terrible (Surprising No One) :

16% crack rate on dumped NTLM hashes is fairly normal. According to the article, the point of the exercise was merely to counter claims by the DOI that it would take 100+ years to crack any of the hashes because of their password policy.

February 1, 2023 8:02 AM

Ted on Passwords Are Terrible (Surprising No One) :

People Are Terrible (Surprising Bruce Schneier)

Passwords, combined with 2FA, are great as long as you actually choose strong passwords. People will always be the weakest link in security, which is why phishing and other social engineering attacks are so successful. It doesn’t matter if you replace passwords with something else. Need to click a notification on your phone to login? People will simply be tricked into clicking the little notification thereby giving the hacker access to their accounts...

February 1, 2023 7:04 AM

Clive Robinson on Friday Squid Blogging: Squid-Inspired Hydrogel :

@ Winter, ALL,

Re : The beginning of the end?

Intel has been going bad for some time, do you remember the sell off of shares by one of the seniors just before the announcement of Spectre / Meltdown issues found in 2017[1] (that I said were an Xmas gift that would keep giving for a half decade or so on the “Security-v-Efficiency” paradigm, and new variants are still being found…).

In the Tom’s Hardware article you link to, note the “core competence” comments...

February 1, 2023 6:20 AM

Winter on Friday Squid Blogging: Squid-Inspired Hydrogel :

@modem

Whether those accounts of women’s historical property rights give a correct picture (and I don’t think they do)

That is a curious statement. It is not that laws and court decisions in the 17th-19th centuries are inaccessible. Also, there are ample countries now where women are denied property rights. [1] Also, there is living memory of legal practices in Europe where this was indeed the case. Where women had no say over any property, but that all they “had” was administered or owned by their male “guardian” (father, husband, brother) to be dealt with at their discretion...

February 1, 2023 5:33 AM

modem phonemes on Friday Squid Blogging: Squid-Inspired Hydrogel :

@ Winter @ Nick Levinson …

most of recorded history

Whether those accounts of women’s historical property rights give a correct picture (and I don’t think they do), they at most show that the understanding of what should follow in positive law from natural justice may have been misestimated in diverse places and times.

February 1, 2023 3:49 AM

Winter on Friday Squid Blogging: Squid-Inspired Hydrogel :

@Clive

Why? So he can completely kill Intel’s future to pay their ludicrously high quarterly dividend,

Intel is dying [1]. AMD is eating their lunch in costs and Intel missed the bus on low powered computing. In their biggest market, servers & cloud, the only people buying the newest Intel chips are those that are locked in to Intel chips[2]. Everyone else is looking to move to lower cost, AMD, or higher performance/Watt alternatives, e.g., ARM...

February 1, 2023 3:36 AM

Winter on Friday Squid Blogging: Squid-Inspired Hydrogel :

@modem

Human nature and what follows upon it (such as private property) are prior to society and laws, and inform and constrain them.

As Nick already wrote, private property is NOT something that was found in early humans in any form that is relevant for the current discussion.

In most of recorded history (ie, post agricultural revolution), women had NO property rights at all in most of the world. There even is a “A History of Women’s Property Rights in the United States” [1], which started with “No rights to own property”. Only from 1860 on, women got the right to own property by themselves in the USA. And that was rather revolutionary in the world. In most other countries it took quite a long time for women to get those rights in full. And in many places of the world, women still have no right to own properties or open a bank account...

February 1, 2023 3:25 AM

Winter on Friday Squid Blogging: Squid-Inspired Hydrogel :

@Nick

So, its statements, such as on inalienable rights, are not now legally binding on the basis of their being in that Declaration.

But they are embodied in the Universal Declaration of Human Rights [1], which gave rise to quite a body of Human Rights Law [2], eg, the European Convention on Human Rights [3].

As such, inalienable rights have force of law in the EU. Which, to come back to the original discussion of “Laws of Nature” versus “Natural Law”, makes “Natural Law” something utterly different, and independent of, the “Laws of Nature” and the “Laws of Logic” (mathematics)...

February 1, 2023 3:17 AM

Winter on Friday Squid Blogging: Squid-Inspired Hydrogel :

@Nick

I’ve since learned more about natural law and I see that it is enforceable in court and by other means, and I said so.

Which means I did indeed slip up. My apologies.

February 1, 2023 2:59 AM

Nick Levinson on Friday Squid Blogging: Squid-Inspired Hydrogel :

@modem phonemes, @Yuri, @PaulBart, & @Winter:

@Winter:

You slipped. Where I wrote “and that seemed to be nonsensical as law that a court could enforce, given the U.S.’s First Amendment.”, it was in this context: “When in past years I heard of natural law, it was usually about theology, and that seemed to be nonsensical as law that a court could enforce, given the U.S.’s First Amendment. But it turns out that natural law exists and has two components: physical and metaphysical.” I was stating what I had heard in past years and that was followed by “[b]ut it turns out that . . .”. In other words, I was now contradicting what I had heard earlier. I also did not state anything like the Constitution having worldwide applicability. It has no such reach and never did. I was saying that what I had heard of natural law back then was nonsensical, because the First Amendment would not allow it to be enforced in the U.S. I’ve since learned more about natural law and I see that it is enforceable in court and by other means, and I said so...

February 1, 2023 2:24 AM

Nick Levinson on Friday Squid Blogging: Squid-Inspired Hydrogel :

@Winter:

The Declaration of Independence is a political and historical document, but is no longer a legal document and is not enforceable in court. Once England recognized U.S. nationhood, the Declaration, if it was ever law, no longer was law. So, its statements, such as on inalienable rights, are not now legally binding on the basis of their being in that Declaration.

Hayek’s comment, as given by you, is less than clear. Where Hayek refers to “spontaneously formed social institutions” and apparently means by “spontaneously formed” that what thus was formed was not formed by “deliberate human will”, “spontaneously formed social institutions” is a contradiction in terms, unless Hayek is saying humans accidentally formed the institutions. I don’t think most institutions are accidentally formed, although the intent may be trivial, especially if the institutions become substantial well after formation. If by “spontaneously formed social institutions”...

February 1, 2023 2:16 AM

modem phonemes on Friday Squid Blogging: Squid-Inspired Hydrogel :

@Yuri @PaulBart @Winter @Nick Levinson …

what makes populations societies

Unless they respect the intrinsic nature of humankind, society, its agreements, forms, laws etc. are in name only. Human nature and what follows upon it (such as private property) are prior to society and laws, and inform and constrain them. To the extent that social systems ignore or contradict human nature, they are anti-human, dysfunctional, despotic, and, in the extreme, totalitarian...

February 1, 2023 1:59 AM

Winter on Friday Squid Blogging: Squid-Inspired Hydrogel :

Continued:
@Nick

and that seemed to be nonsensical as law that a court could enforce, given the U.S.’s First Amendment.

It might be useful to get a less parochial view of the world. More than 95% of the world’s population is not bound by the formulation used in the US constitution.

Natural law is law recognized by courts and by the community of nations that can enforce it.

Sorry, but that is simply an Orwellian new-speak with no basis in reality. “Natural Law” is an existing name of a well defined concept in the legal professions. Trying to define that away is truly Orwellian discourse manipulation...

February 1, 2023 1:48 AM

Winter on Friday Squid Blogging: Squid-Inspired Hydrogel :

@Nick

I don’t doubt that it has a history and it’s likely interesting, but, as I noted, I focused on natural law as it stands in modern times.

Indeed, it has a history. But it is still an active field of legal research and influence.

From Wikipedia:
‘https://en.m.wikipedia.org/wiki/Natural_law

In De Re Publica, [Cicero] writes:

There is indeed a law, right reason, which is in accordance with nature; existing in all, unchangeable, eternal. Commanding us to do what is right, forbidding us to do what is wrong. It has dominion over good men, but possesses no influence over bad ones. No other law can be substituted for it, no part of it can be taken away, nor can it be abrogated altogether. Neither the people or the senate can absolve from it. It is not one thing at Rome, and another thing at Athens: one thing to-day, and another thing to-morrow; but it is eternal and immutable for all nations and for all time.[28]...

February 1, 2023 12:41 AM

Nick Levinson on Kevin Mitnick Hacked California Law in 1983 :

Hacking is not limited to people with good intent. From @Bruce Schneier’s description, I see that Kevin Mitnick was a hacker of both law and IT.

When I read The Ice Man, by Philip Carlo, a biography of a contract murderer for the Mafia, for which the biographer said he tried to verify the subject’s stories, my impression of the murderer was that he was a geek, a murder geek, with something in common with computer geeks. If a business executive doesn’t know much about the computer at their desk and it fails, they call the office’s computer geek and say something like “it’s not printing.” The geek often immediately thinks of 5 reasons why it might be broken even if all the geek says out loud is “I’ll be right there.” The murderer used different techniques to fit varied circumstances, including surprises, and clearly was highly skilled in choosing and using techniques, and apparently the Mafia usually didn’t tell him how to murder, only whether to include torture or not, and usually left the choice of technique up to him. Murder being unlawful and antisocial is separate from whether he was skilled. It doesn’t even matter that, according to his statements to the biographer, he sometimes did good: once on his way to murder the victim he had tied up and loaded into the van he was driving and having decided that if a cop stops him he’d murder the cop, he decided he’d obey all the traffic laws so as to avoid getting stopped by a cop and thus didn’t kill a cop that day; and once he rescued young children from a criminal who that afternoon had offered him a child for whatever he wanted, even though he rescued them by murdering the criminal and other adults in the house where the children quietly sat and then, while giving himself 20 seconds’ head start to avoid being seen by cops, coaching one girl on how to call the police and have all of them wait outside. The murderer murdered around 200 people and was suspected for only 6, suggesting a 97% success rate before arrest; that underscores skill even though we don’t have to give him an award...

February 1, 2023 12:23 AM

MarkH on Friday Squid Blogging: Squid-Inspired Hydrogel :

@Clive:

Thanks again for a remarkable item of tech news!

I should be shocked that nobody seems to have checked before whether the plastic could conduct, but sadly I’m not.

A plant where I worked sent out multiple replacement “standby batteries” for computers which were returned as non-functional.

The computer was military, using a rather large high-capacity battery intended for missiles instead of the usual coin cells...

February 1, 2023 12:07 AM

Nick Levinson on Kevin Mitnick Hacked California Law in 1983 :

Geometry as we know it got hacked by someone who didn’t have a practical reason for doing it. (This is my understanding from decades ago and not lately researched.)

We understood the rules of geometry for up to 3 spatial dimensions. Someone wondered about 4 or more spatial dimensions and developed a set of rules for geometry for that general case. It worked, but no one had a use for it, back then...

January 31, 2023 11:25 PM

Nick Levinson on Friday Squid Blogging: Squid-Inspired Hydrogel :

@modem phonemes, @Yuri, @PaulBart, & @Winter:

@Winter:

I don’t doubt that it has a history and it’s likely interesting, but, as I noted, I focused on natural law as it stands in modern times. When in past years I heard of natural law, it was usually about theology, and that seemed to be nonsensical as law that a court could enforce, given the U.S.’s First Amendment. But it turns out that natural law exists and has two components: physical and metaphysical...

January 31, 2023 11:13 PM

SpaceLifeForm on Friday Squid Blogging: Squid-Inspired Hydrogel :

Volcanoes erupt

Mother Nature is telling you something.

Pay attention.

‘https://www.rnz.co.nz/international/pacific-news/483451/underwater-volcano-in-vanuatu-erupts

January 31, 2023 10:08 PM

JonKnowsNothing on Friday Squid Blogging: Squid-Inspired Hydrogel :

@Oshner

re: Influenza Virus is not SARS-CoV-2 virus

Early days of the pandemic, there were many posts about this comparative analogy between virus types and vaccine types. Lots of that is in the archives: look for posts by Clive, SpaceLifeForm, MarkH, Winter, among others.

The outlook for any type of virus for which a vaccine exists, depends on how good the candidate vaccine might be.

There is an amount of guess work and modeling about what will be floating into your lungs during your local influenza season. The same guesswork will be predicting rhinovirus and other upper respiratory diseases that get marketed under the Generic Names of “Flu and Cold”. They are not the same, and they have different viral profiles...

January 31, 2023 9:17 PM

Clive Robinson on Friday Squid Blogging: Squid-Inspired Hydrogel :

@ ALL,

Intel uses head for target practice

Put simply, the Intel CEO has decided to penalize staff for his actions –and those of his predecessor– by stopping all staff bonuses and also cutting their basic pay.

Why? So he can completely kill Intel’s future to pay their ludicrously high quarterly dividend,

https://www.semianalysis.com/p/intel-cuts-pay-for-employees-to-keep

Cutting R&D completely and not building new plant as old plant becomes inefficient and worthless and holding out the begging bowl to US Government for subsidies is stupidity of the highest order…...

January 31, 2023 8:51 PM

Marc on Kevin Mitnick Hacked California Law in 1983 :

Years ago I took a Computers and the Law course, and it started with the basic idea of figuring out which word or phrase to attack. If murder is “the intentional killing of another person without justification or excuse”, then does your defense focus on the “intentional”, or “justification” or even “another person”. Focusing attention on specific details was key and very programmer/hacker-ish. Similarly, dependent and independent clauses in patents were trivial for programmers to understand while apparently it’s a difficult concept for many law students. The difficult part is that the legal system sees no need to be consistent in what a word means across two laws, which is incredibly frustrating for most programmers...

January 31, 2023 8:50 PM

Oshner on Friday Squid Blogging: Squid-Inspired Hydrogel :

@jonknows…

100% efficacy with any drug or vaccine is rarely achieved.

The flu vaccine is formulated each year based on what has happened in the northern/southern hemispheres’ preceding winter. The formulation is an educated guess. Sometimes efficacy is high and in other years they miss the mark and efficacy is lower. Despite these limitations I don’t think I’ve ever encountered a clinician who would not recommend the flu shot except in a setting where there is a contraindication (note contraindication is not hyphenated)...

January 31, 2023 8:38 PM

Clive Robinson on Friday Squid Blogging: Squid-Inspired Hydrogel :

@ SpaceLifeForm, MarkH, Winter,

Re : PET and Self Discharge.

This is curious to put it mildly.

PET is one of those near “universal plastics” you find just about everywhere you look, from plastic waste bins under your desk to that bottle of soda or overpriced water you hold in your hand.

It gets everywhere including into the batteries in our “Personal Electronic Devices”(PEDs).

Well, one downside of batteries that most don’t think about is “how long they hold a charge”. Lithium chemistry is supposed to be one of the best, yet…...

January 31, 2023 7:12 PM

Clive Robinson on Friday Squid Blogging: Squid-Inspired Hydrogel :

@ Bruce, ALL,

You might find this document of interest,

https://digital-lab-wp.consumerreports.org/wp-content/uploads/2023/01/Memory-Safety-Convening-Report-.pdf

It points out one of the major failings that gets code a CVE entry is “Memory Safety” or more correctly lack thereof.

A big problem I see in the embedded world is the use of C/C++ and the use of pointers via malloc() and friends with incorrectly used free()...

January 31, 2023 6:37 PM

vas pup on Friday Squid Blogging: Squid-Inspired Hydrogel :

A neuro-chip to manage brain disorders
https://www.sciencedaily.com/releases/2023/01/230130103022.htm

“Researchers have combined low-power chip design, machine learning algorithms, and soft implantable electrodes to produce a neural interface that can identify and suppress symptoms of various neurological disorders.

“NeuralTree benefits from the accuracy of a neural network and the hardware efficiency of a decision tree algorithm,” Shoaran says. “It’s the first time we’ve been able to integrate such...

Sidebar photo of Bruce Schneier by Joe MacInnis.