28 Years of the Digest ... founded August 21, 1981

The Telecom Digest for April 20, 2010
Volume 29 : Issue 109 : "text" Format

Messages in this Issue:
 Re: Please do not change your password                                    (John Levine)
 Re: Please do not change your password                                         (Steven)
 Re: Please do not change your password                                   (Thad Floryan)
 Re: Please don't change your password                                          (Steven)
 Account lockouts, was: Please don't change your password               (danny burstein)
 Re: Account lockouts, was: Please don't change your password                   (Steven)
 Re: Please do not change your password                                           (Gary)
 Re: Please do not change your password                                  (David Clayton)
 Re: Washington State Approves Sale of VeriZon Exchange Areas to Frontier (Carl Navarro)
 Re: Please do not change your password                                         (Steven)
 Re: Please do not change your password                                 (Wes Leatherock)
 Re: Please do not change your password                                  (David Clayton)
 Apocalypse Man                                                     (Cryderman, Charles)
 Re: Apocalypse Man                                                         (Bill Horne)
 It looks genuine ... next iPhone found in a bar?                        (Monty Solomon)
 Re: Please do not change your password                                  (Robert Bonomi)
 Re: Please do not change your password                                  (Robert Bonomi)
 Re: Please do not change your password                                    (John Levine)
 Re: All-digital cellphone - is this good? Or OK?                    (Tor-Einar Jarnbjo)
 Cyberattack on Google Said to Hit Password System                       (Monty Solomon)


====== 28 years of TELECOM Digest -- Founded August 21, 1981 ======

Telecom and VOIP (Voice over Internet Protocol) Digest for the Internet.

All contents here are copyrighted by Patrick Townson and the individual writers/correspondents. Articles may be used in other journals or newsgroups, provided the writer's name and the Digest are included in the fair use quote. By using -any name or email address- included herein for -any- reason other than responding to an article herein, you agree to pay a hundred dollars to the recipients of the email.

===========================

Addresses herein are not to be added to any mailing list, nor to be sold or given away without explicit written consent. Chain letters, viruses, porn, spam, and miscellaneous junk are definitely unwelcome.

We must fight spam for the same reason we fight crime: not because we are naive enough to believe that we will ever stamp it out, but because we do not want the kind of world that results when no one stands against crime.
Geoffrey Welsh

===========================

See the bottom of this issue for subscription and archive details and the name of our lawyer, and other stuff of interest.
Date: 19 Apr 2010 01:32:19 -0000
From: John Levine <johnl@iecc.com>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Please do not change your password
Message-ID: <20100419013219.29152.qmail@joyce.lan>

> Given that most (if not all) access systems above basic level only
> allow "N" attempts at a password before locking out an account,
> there must be a reasonable level of complexity that allows a
> relatively easy to use password to still be effective and
> practically invulnerable to any brute-force/dictionary attack?

I gather that with a reasonable policy like four tries separated by ten seconds, then wait 15 minutes until you can try again, four characters are plenty. The advice to have scrambled passwords is based on a model from ancient Unix systems where hostile people can look at the hashed passwords and do a batch offline attack.

As Cormac points out, if the threats are phishing and keyloggers, it doesn't matter whether your password is one character or a thousand.

R's,
John
Date: Mon, 19 Apr 2010 08:43:55 -0700
From: Steven <diespammers@killspammers.com>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Please do not change your password
Message-ID: <hqhtnr$65i$1@news.eternal-september.org>

John Levine wrote:
>> Given that most (if not all) access systems above basic level only
>> allow "N" attempts at a password before locking out an account,
>> there must be a reasonable level of complexity that allows a
>> relatively easy to use password to still be effective and
>> practically invulnerable to any brute-force/dictionary attack?
>
> I gather that with a reasonable policy like four tries separated by
> ten seconds, then wait 15 minutes until you can try again, four
> characters are plenty. The advice to have scrambled passwords is
> based on a model from ancient Unix systems where hostile people can
> look at the hashed passwords and do a batch offline attack.
>
> As Cormac points out, if the threats are phishing and keyloggers, it
> doesn't matter whether your password is one character or a thousand.
>
> R's,
> John
>

I use letters, numbers, upper and lower case on my passwords. One exception is using the Social Security web site; they require the use of numbers only. To me that can cause a security problem.

--
The only good spammer is a dead one!! Have you hunted one down today?
(c) 2010 I Kill Spammers, Inc., A Rot in Hell. Co.
Date: Mon, 19 Apr 2010 10:09:55 -0700
From: Thad Floryan <thad@thadlabs.com>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Please do not change your password
Message-ID: <4BCC8E63.7000702@thadlabs.com>

On 4/19/2010 8:43 AM, Steven wrote:
> [...]
> I use letters, numbers, upper and lower case on my passwords.
> One exception is using the Social Security web site, they
> require the use of numbers only. To me that can cause a
> security problem.

It's worse than that; here are the specific instructions from the SSA (since I just went through this last month and saved to PDF every page during the benefit application process):

" Choose a new 7 digit password. Use 7 numbers that are
" meaningful to you to help you remember.
"
" Helpful hints for choosing a password:
"
" * Use 7 numbers only.
" * Use a number that is meaningful to you so that you will
" remember it.
"
" Do NOT choose a password containing:
"
" * part of your Social Security number;
" * a series of numbers that would be easy to guess:
" 1234567 or 7654321;
" * a series of the same numbers: 2222222 or 3333333; or
" * your temporary Password Request Code (PRC).
"
" Do NOT use a password others might associate with your:
"
" * telephone number,
" * birthday or your child's birthday,
" * license plate number, or
" * street address number or zip code.

that's it. Real secure, huh? :-)
Date: Mon, 19 Apr 2010 17:18:49 -0700
From: Steven <diespammers@killspammers.com>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Please don't change your password
Message-ID: <hqirtd$rsf$1@news.eternal-september.org>

Thad Floryan wrote:
> On 4/19/2010 8:43 AM, Steven wrote:
>> [...]
>> I use letters, numbers, upper and lower case on my passwords.
>> One exception is using the Social Security web site, they
>> require the use of numbers only. To me that can cause a
>> security problem.
>
> It's worse than that; here are the specific instructions from
> the SSA (since I just went through this last month and saved
> to PDF every page during the benefit application process):
>
> " Choose a new 7 digit password. Use 7 numbers that are
> " meaningful to you to help you remember.
> "
> " Helpful hints for choosing a password:
> "
> " * Use 7 numbers only.
> " * Use a number that is meaningful to you so that you will
> " remember it.
> "
> " Do NOT choose a password containing:
> "
> " * part of your Social Security number;
> " * a series of numbers that would be easy to guess:
> " 1234567 or 7654321;
> " * a series of the same numbers: 2222222 or 3333333; or
> " * your temporary Password Request Code (PRC).
> "
> " Do NOT use a password others might associate with your:
> "
> " * telephone number,
> " * birthday or your child's birthday,
> " * license plate number, or
> " * street address number or zip code.
>
> that's it. Real secure, huh? :-)

That's it. I have talked to some of their IT people and they feel the same thing. I have locked myself out more than once and it requires me to start all over getting a new password. My wife's account locked itself and to this day no one knows why. It is the most user-UNFRIENDLY site I have ever used. Medicare is much better. I used the application for Social Security online and found it to be a pain as far as time, but made things much easier in getting it.

--
The only good spammer is a dead one!! Have you hunted one down today?
(c) 2010 I Kill Spammers, Inc., A Rot in Hell. Co.
Date: Tue, 20 Apr 2010 02:58:05 +0000 (UTC)
From: danny burstein <dannyb@panix.com>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Account lockouts, was: Please don't change your password
Message-ID: <hqj57s$o0k$1@reader1.panix.com>

In <hqirtd$rsf$1@news.eternal-september.org> Steven <diespammers@killspammers.com> writes:

[snip]

> That's it. I have talked to some of their IT people and they feel
> the same thing. I have locked myself out more than once and it
> requires me to start all over getting a new password. My wife's
> account locked itself and to this day no one knows why.

That's all too commonly a result of someone trying to break into the account. After, perhaps, four tries, the system will freeze that ID pending human (or a related, more secure and painful computer inquisitory) intervention.

- which, btw, is one method of setting up a Denial Of Service attack against people or companies. If you could get, for example, President Washington's username at the Revolutionary Bank and Trust, and then try logging in a half dozen times, you'd cause him lots of annoyance.

Similarly, if you couldn't get a specific username, but had access to a "botnet", you could pseudo-randomly try hundreds of thousands of IDs at that bank, and lock out plenty of their users.

(designing circuit breaker/security algorithms for these banks is left as an exercise to the student).

--
_____________________________________________________
Knowledge may be power, but communications is the key
dannyb@panix.com
[to foil spammers, my address has been double rot-13 encoded]
Date: Mon, 19 Apr 2010 20:29:33 -0700
From: Steven <diespammers@killspammers.com>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Account lockouts, was: Please don't change your password
Message-ID: <hqj730$qhi$1@news.eternal-september.org>

danny burstein wrote:
> In <hqirtd$rsf$1@news.eternal-september.org> Steven <diespammers@killspammers.com> writes:
> [snip]
>
>> That's it. I have talked to some of their IT people and they feel
>> the same thing. I have locked myself out more than once and it
>> requires me to start all over getting a new password. My wife's
>> account locked itself and to this day no one knows why.
>
> That's all too commonly a result of someone trying to break into the
> account. After, perhaps, four tries, the system will freeze that ID
> pending human (or a related, more secure and painful computer
> inquisitory) intervention.
>
> - which, btw, is one method of setting up a Denial Of Service
> attack against people or companies. If you could get, for example,
> President Washington's username at the Revolutionary Bank and Trust,
> and then try logging in a half dozen times, you'd cause him lots of
> annoyance.
>
> Similarly, if you couldn't get a specific username, but had access to
> a "botnet", you could pseudo-randomly try hundreds of thousands of IDs
> at that bank, and lock out plenty of their users.
>
> (designing circuit breaker/security algorithms for these banks is left
> as an exercise to the student).

Another problem with the Social Security system is your user name is your SS#. I was told that there are changes in the works to change both, but they are months or even years away. The Medicare system is a little better as it lets you make real passwords. My credit union required you to log in using your account number; they have since changed that, but for now if you forget your user name you can still use the account number.

--
The only good spammer is a dead one!! Have you hunted one down today?
(c) 2010 I Kill Spammers, Inc., A Rot in Hell. Co.
Date: Sun, 18 Apr 2010 21:42:22 -0400
From: "Gary" <fake-email-address@bogus.hotmail.com>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Please do not change your password
Message-ID: <hqgce0$82t$1@news.eternal-september.org>

"David Clayton" <dcstar@myrealbox.com> wrote in message
news:pan.2010.04.18.22.11.21.574581@myrealbox.com...
>
> Most password policies are just way over the top for systems that
> (usually) will not allow access after a few attempts - and that
> essentially discredits the whole security paradigm.

Not to mention the whole "forgot your password" secret questions. I seem to recall an article a year or two back in which researchers were able to utilize social media data to answer supposed secret questions. If you post the name of your first pet on Facebook, there is no reason to have passwords on your bank accounts...

One of the many reasons I haven't bothered to enter the Facebook world.

-Gary

***** Moderator's Note *****

My first pet's name was Benny. I have never used his name in answer to any "secret" question: I use the name of our unit mascot from Vietnam (1). My computer password at work is a combination of five random characters, the year and the month. It's really not rocket science.

Birth-dates are dangerous: they're listed in every online record that's linked from a Google search of my name. Your mother's maiden name is useless: it's in a public record: likewise the street you lived on as a child, your first school, etc. The trick is to pick a memory that only you will have, and keep it to yourself.

As for my online banking password, I don't know it. It's in my Password Safe, and that file is encrypted with a password that you couldn't guess unless you know my favorite song, and how many characters to offset from the start of each word of a certain verse, provided that you could get access to the file in the first place. Good luck.

Of course, Cormac Herley might say "You've proved my point". My answer is that, once the "system" is set up, it's as secure as I choose to make it, and (provided I keep my mouth shut) it's reasonably safe, meets the security requirements of my employer, and will last for the foreseeable future without undue effort on my part. Yes, keygrabbers and phishing attacks are still a risk, but so are securities fraud and driving a car: I can't do anything about those risks, but that doesn't justify ignoring the ones I can mitigate.

1. If you served in Vietnam, I'll just say "Welcome Home". If you served in Danang Joint Customs (8 MP GP(CI), 18 MP BDE), please call me: my Google Voice number is 339-DOG-TITS.
Date: Mon, 19 Apr 2010 14:57:09 +1000
From: David Clayton <dcstar@myrealbox.com>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Please do not change your password
Message-ID: <pan.2010.04.19.04.57.08.752294@myrealbox.com>

On Mon, 19 Apr 2010 08:11:24 +1000, David Clayton wrote:
.........
> Given that most (if not all) access systems above basic level only allow
> "N" attempts at a password before locking out an account, there must be a
> reasonable level of complexity that allows a relatively easy to use
> password to still be effective and practically invulnerable to any
> brute-force/dictionary attack?
.........

Whoops, forgot that pre-2007 Windows Server systems had one account that could never be locked out and could sit there taking ongoing attempts: the Administrator account!

--
Regards, David.

David Clayton
Melbourne, Victoria, Australia.
Knowledge is a measure of how many answers you have, intelligence is a measure of how many questions you have.
Date: Mon, 19 Apr 2010 01:14:24 -0400
From: Carl Navarro <cnavarro@wcnet.org>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Washington State Approves Sale of VeriZon Exchange Areas to Frontier
Message-ID: <t7pns5td4g6r7eju0cgkho17fb1ib6nh7q@4ax.com>

On Sun, 18 Apr 2010 11:39:35 -0700, Steven <diespammers@killspammers.com> wrote:

>Eric Tappert wrote:
>> On Sat, 17 Apr 2010 20:04:14 -0400, "Gene S. Berkowitz"
>> <first.last@verizon.net> wrote:
>>
>>> In article <0iris5l5urm6bdnpkdgmole5us4vreeof4@4ax.com>,
>>> cnavarro@wcnet.org says...
>>>> On Fri, 16 Apr 2010 16:09:48 -0700 (PDT), "Mark J. Cuccia"
>>>> <markjcuccia@yahoo.com> wrote:
>>>>
>>>>> Today, Friday 16-April-2010, the Washington (State) Utilities and
>>>>> Transportation Commission has approved (the Washington state portion)
>>>>> of the sale of most remaining GTE and Contel still retained by VeriZon
>>>>> exchange areas, to Frontier, with numerous conditions applied, see the
>>>>> following from the WUTC website:
>>>>>
>>>>> http://www.wutc.wa.gov/webimage.nsf/0/BD97957114A730D4882577070078F3D2
>>>>>
>>>>> I have not yet read through all of this, for all of the
>>>>> "numerous conditions applied" details, however.
>>>> Take this with a grain of salt, but the receivers of Verizon fortune
>>>> have not fared very well
>>>> http://district13.cwa-union.org/news/verizon-sale-to-frontier-communications.html
>>>>
>>>> Carl, wondering what my couple of shares of Idearc are worth now :-)
>>> 32 cents, the same as mine!
>>>
>>> --Gene
>>
>>
>> Hey, that's 32 cents more than mine. The Idearc stock was canceled
>> December 31st and is totally worthless. See the Reuters article at:
>> http://www.reuters.com/article/idUSN0419957620100104
>>
>> ET
>>
>> PS - I did get a little tax break by taking my cost basis as a loss
>> last year. Hardly worth the paperwork....
>>
>> --- news://freenews.netfront.net/ - complaints: news@netfront.net ---
>>
>The new stock is trading over $40.00 share. During the spin off from
>Verizon we were given shares of Idearc depending on Verizon shares. The
>day that the stock was transferred I converted it back to Verizon. I
>have done this each time I was given spin off stock and will continue
>to do so; though I might take a look at the spin off to Frontier since they
>appear to have funds on hand to be able to handle the new operating
>areas. I have been doing work in Washington and Oregon in Verizon areas
>to be spun off and there is a lot of work being done to bring the latest
>systems on line. I remember when I had the GTE stock, the stock was
>always high and they had plenty of money saved to cover long slow times,
>but since the merger(buyout) that money has been spent, a lot going to
>company officers.

Well that makes me half hot! I didn't bother to cash out my Idearc because I got only 3-5 shares. I wasn't thinking it mattered until they went under. Who is going to publish the directories? Them, just in bankruptcy protection? They should tar and feather the guys who got big bonuses at the expense of the shareholders. It's almost enough to make me support Obama...where's the compensation Czar when we need him :-)

I'm still holding on to the last 100 shares of my ESOP stocks in Vz converted from GTE. In fact, I think I actually got to keep the GTE paper certificates that I actually held (about 30 shares).

I think if I get issued Frontier stock, I'll cash it out. That's like buying stock in the White Star Line.

Carl
Date: Mon, 19 Apr 2010 17:04:30 -0700
From: Steven <diespammers@killspammers.com>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Please do not change your password
Message-ID: <hqir2f$oak$1@news.eternal-september.org>

Carl Navarro wrote:
>On Sun, 18 Apr 2010 11:39:35 -0700, Steven <diespammers@killspammers.com> wrote:
>> they went under. Who is going to publish the directories? Them, just
>> in bankruptcy protection? They should tar and feather the guys who
>> got big bonuses at the expense of the shareholders. It's almost
>> enough to make me support Obama...where's the compensation Czar when
>> we need him :-)
>
> I'm still holding on to the last 100 shares of my ESOP stocks in Vz
> converted from GTE. In fact, I think I actually got to keep the GTE
> paper certificates that I actually held (about 30 shares).
>
> I think if I get issued Frontier stock, I'll cash it out. That's like
> buying stock in the White Star Line.

Most of mine is ESOP and several hundred are still highly restricted from sale. Frontier got into trouble years ago, but has been pretty stable in the last few years. An old friend works for Rochester Telephone and I remember that being a test site for Stromberg Carlson.

--
The only good spammer is a dead one!! Have you hunted one down today?
(c) 2010 I Kill Spammers, Inc., A Rot in Hell. Co.
Date: Mon, 19 Apr 2010 06:35:51 -0700 (PDT)
From: Wes Leatherock <wleathus@yahoo.com>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Please do not change your password
Message-ID: <418556.49003.qm@web111712.mail.gq1.yahoo.com>

Telecom Digest Moderator said:
> The problem, as I see it, is that the users don't believe the data
> in their computers is worth protecting, and thus feel that security
> is an imposition on their already-precious time.
>
> Bill Horne
> Moderator
>
> P.S. No, that wasn't my password: MY password includes a
> punctuation mark.

It seems to me that you also have to have a long list of UserNames, or whatever the particular sites call them, because each site has its own rules for constructing usernames, and many of them are different from each other. Some of them are derived from internal sources, such as account numbers, that you cannot guess unless you have an external list. Some of them are random. One particular site has a username of 12 numerals, apparently random, and there is no way to derive them from internal or external sources.

Wes Leatherock
wesrock@aol.com
wleathus@yahoo.com
Date: Tue, 20 Apr 2010 08:00:16 +1000
From: David Clayton <dcstar@myrealbox.com>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Please do not change your password
Message-ID: <pan.2010.04.19.22.00.11.960183@myrealbox.com>

On Mon, 19 Apr 2010 06:35:51 -0700, Wes Leatherock wrote:
.........
> It seems to me that you also have to have a long list of UserNames, or
> whatever the particular sites call them, because each site has its own
> rules for constructing usernames, and many of them are different from each
> other. Some of them are derived from internal sources, such as account
> numbers, that you cannot guess unless you have an external list. Some of
> them are random. One particular site has a username of 12 numerals,
> apparently random, and there is no way to derive them from internal or
> external sources.

Unless there is a published list of e-mail addresses somewhere, which in some cases match the login user names (or something close).

--
Regards, David.

David Clayton
Melbourne, Victoria, Australia.
Knowledge is a measure of how many answers you have, intelligence is a measure of how many questions you have.
Date: Mon, 19 Apr 2010 12:10:25 -0400
From: "Cryderman, Charles" <Charles.Cryderman@globalcrossing.com>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Apocalypse Man
Message-ID: <2A3BCEC6F05B404FA87F92729385837D01CBABC00D@EVS22.ams.gblxint.com>

From our Esteemed moderator:

"There was an ex-marine who was trying to tell me that the best thing to do after the apocalypse was to start up a generator at a hospital so I can charge a battery to get a diesel car started, and how I could make diesel fuel by boiling fat out of a grease trap and get around in the city by using the sewers."

Bill,

This guy is billed as the Apocalypse Man and he has/had a show on History about this.

Chip Cryderman
Date: Mon, 19 Apr 2010 13:50:00 -0400
From: Bill Horne <bill@horneQRM.net>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Apocalypse Man

Chip Cryderman wrote:
> From our Esteemed moderator:
>> There was an ex-marine who was trying to tell me that the best thing
>> to do after the apocalypse was to start up a generator at a hospital
>> so I can charge a battery to get a diesel car started, and how I
>> could make diesel fuel by boiling fat out of a grease trap and get
>> around in the city by using the sewers.
> Bill,
>
> This guy is billed as the Apocalypse Man and he has/had a show on
> History about this.
>
> Chip Cryderman

Yes, I know that, but I was trying to make a different point: there is an ocean of floating garbage out there, and it's easy to get sucked under. It all vanishes as quickly as a flash of headlights across the window after Midnight, and is about as useful.

In case it wasn't obvious, aside from the fact that Cable TV is still showing reruns of Mister Ed the talking horse, anyone can get themselves on TV if they're able to project an image of competence in an area the general public knows nothing about. The fact is that there are reasonable steps we can each take to prepare for the unexpected without going looking for a false sense of security: real-life survival skills can't be learned from a TV show.

What little I know about disaster preparedness includes this central truth: that there's always a point where you have to stop preparing and admit you can't be ready for everything. I could put on my old Army boots and my Vietnam fatigues and go running around some downtown area at six AM on a Sunday, pretending that anyone cares who or where I am or that I should broadcast the fact to the world, but all I would accomplish is making a lot of people laugh at me: then again, if History Channel (which is, apparently, now in the business of predicting the future as well as recounting the past) was willing to pay an overweight, middle-aged man to spout nonsense, it might be a nice way to supplant my retirement fund.

Here's my "Treatment" of my plan for a History Channel program about a believable plan for surviving the "Apocalypse", an event whose size, scope, and severity I will leave to the viewer's imagination, since fear is a lot easier to generate than electricity:

1. Take a good look in a mirror. What you see is what you have to work with. If it's not as good as a young, well-muscled former Marine, then lower your expectations and plan for what you can accomplish.

2. Get in shape. No, you're never going to be twenty-something again, and you'll never again run a mile in 6:52 with full field pack and boots and holding an M-16A2 at port-arms, but you can enjoy the benefits of a reasonable exercise plan no matter what happens in the future, so this small venture into the world of survivalism is a no-brainer.

3. Grow a garden. You'll never taste better food than what you pick yourself, and knowing how to keep varmints out and birds off and worms confined to the compost pile will all be valuable skills that you can trade with if needed.

4. Go camping, at least twice a year, summer and winter. You'll find out that you can learn to make a fire without a battery and a steel-wool pad, that you can do without one most of the time, and that you won't die by going without a meal or two. As an added benefit, you'll meet lots of other ordinary people, each with individual skills that would benefit a group, who are used to doing with less, making their own entertainment, and enjoying their lives without benefit of 24/7 media access. As a side benefit, your children will realize that food and batteries don't grow on supermarket shelves, that it's possible to enjoy playing a guitar even if you're not a rock star, and that conversation is an art form.

5. If possible, join a group that you have a lot in common with. If you're a veteran, the VFW and similar organizations will be good resources, and there are many similar places to go, such as the Masons, the Kiwanis, etc. All are a great place to make the friendships and alliances you'll be helpless without: the Lone Ranger could only survive on a stage, not in the real world. If you're a solitary person, uncomfortable with group membership, then you're going to need a plan that reflects and takes advantage of that fact.

6. Be careful about firearms. While they may be sexy and look good on TV, they're also devilishly hard to use and safeguard, and they'd be so valuable after a cataclysm that you'd be more likely to get killed by someone who wants them than by anything else. If you choose to have one, then get appropriate training, a supply of spare parts, a well-made safe that's big enough to hold them, and learn how to do reloading at home. More important, take up hunting: you'll need to be in the habit of taking life, albeit not human life, before you'll be effective in their use. Trust me on this point: pointing a loaded weapon at another human being isn't as easy as the TV stars make it look.

7. Ask yourself what kind of world you're willing to live in. If your skills are all with things you do behind a desk with a working computer network at your disposal, then you're going to have to decide if having dual citizenship and more than one valid passport is worth the expense and (sometimes) risk: the only believable apocalypses I can think of are all temporary interruptions in the normal flow of food and water to my home, so it's very easy for me to prepare for them, but if I thought there was a realistic chance that I'd be able to rebuild my über-geek lifestyle outside the United States, I would also consider being skilled in other languages and having alternate documents to be essential. If you are willing to prepare for a scenario that deprives your city of electricity, communications, fuel, and usable roads for a sustained length of time, then you'll do well to obtain a seaworthy deep-water capable boat, or to obtain a pilot's license and invest in access to a reliable aircraft: after all, everyone has a car, and they'll all be trying to get away from the site of any disaster at the same time. Seafaring and piloting are both skill sets that you can employ in the current society, as well as in any believable future one.

OTOH, if you're determined to live in the wake of a nuclear blast or after the next "planet killer" comet hits Siberia, you're going to need a lot more preparation, money, and training than is reasonable for working-class citizens, and if you try to prepare for such an event, all you'll do is make a few cynical businessmen a little richer and yourself into a neighborhood laughingstock.

I guess you get the idea: I'm not saying that you shouldn't keep a parachute hidden in the ceiling tiles if you work in a high-rise building, merely that you must be both physically and psychologically prepared to act out-of-step with your peers if the "Apocalypse" actually comes to pass. It's much more work and time and money than you might think by watching some kid sneak around a back lot on the History Channel.

My 2¢. YMMV.

Bill Horne
Copyright (C) 2010 E. William Horne. All Rights Reserved.
(Filter QRM for direct replies)
Date: Mon, 19 Apr 2010 14:58:46 -0400
From: Monty Solomon <monty@roscom.com>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: It looks genuine ... next iPhone found in a bar?
Message-ID: <p06240821c7f258359d61@[10.0.1.4]>

http://blog.seattlepi.com/microsoft/archives/202550.asp
Date: Mon, 19 Apr 2010 13:48:14 -0500
From: bonomi@host122.r-bonomi.com (Robert Bonomi)
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Please do not change your password
Message-ID: <hfidncAdjNPzOFHWnZ2dnUVZ_rylnZ2d@posted.nuvoxcommunications>

In article <9KSdnVsbTf1Rh1fWnZ2dnUVZ_qY5AAAA@posted.nuvoxcommunications>,
Robert Bonomi <bonomi@host122.r-bonomi.com> wrote:
>In article <xPCdnVLvvpCZyl7WnZ2dnUVZ_jSdnZ2d@posted.nuvoxcommunications>,
>Robert Bonomi <bonomi@host122.r-bonomi.com> wrote:
>> [[.. snecky ..]]
>>
>>Then there is the classical 'good' password:
>>
>> MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento
>>
>>
>>Purportedly used by a blonde, as in "Helloooo -- they said it had to be
>>eight characters and a capital!"
>>
>>
>>***** Moderator's Note *****
>>
>>I'm sure that the poster's remark is not made with any malice toward
>>any particular person with light colored hair.
>>
>>Bill Horne
>
>Oh, no! Bill, you weren't using that for your password, were you?
>
>Kidding aside, if the system in question uses all the characters in a
>password of that length, it's not a bad choice. The length alone is
>sufficient to render dictionary-type attacks 'impractical', and the
>components are easy enough to remember that one is not likely to 'need'
>to 'have it written down' to refer to, every time you need to use it.
>
[[.. snip ..]]
>
>***** Moderator's Note *****
>
>The problem that the Microsoft paper alluded to is that security
>researchers and "experts" don't consider the value of the users' time
>when making recommendations about password strength, change intervals,
>etc.
>
>The problem, as I see it, is that the users don't believe the data in
>their computers is worth protecting, and thus feel that security is an
>imposition on their already-precious time.
>
>Bill Horne
>Moderator
>
>P.S. No, that wasn't my password: MY password includes a punctuation
>mark.
>

Ah. ".....CommaSacremento". <guffaw>
Date: Mon, 19 Apr 2010 14:05:48 -0500
From: bonomi@host122.r-bonomi.com (Robert Bonomi)
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Please do not change your password
Message-ID: <MI2dnSrpHMwRNFHWnZ2dnUVZ_oCdnZ2d@posted.nuvoxcommunications>

In article <pan.2010.04.18.22.11.21.574581@myrealbox.com>,
David Clayton <dcstar@myrealbox.com> wrote:
>..........
>> ***** Moderator's Note *****
>>
>> The problem that the Microsoft paper alluded to is that security
>> researchers and "experts" don't consider the value of the users' time when
>> making recommendations about password strength, change intervals, etc.
>>
>> The problem, as I see it, is that the users don't believe the data in
>> their computers is worth protecting, and thus feel that security is an
>> imposition on their already-precious time.
>>
>> Bill Horne
>> Moderator
>>
>Given that most (if not all) access systems above basic level only allow
>"N" attempts at a password before locking out an account, there must be a
>reasonable level of complexity that allows a relatively easy to use
>password to still be effective and practically invulnerable to any
>brute-force/dictionary attack?
>
>Most password policies are just way over the top for systems that
>(usually) will not allow access after a few attempts - and that
>essentially discredits the whole security paradigm.

INCORRECT.  The encrypted password is often stored in a WORLD-READABLE
location.  Bad guys are known to copy out the list of encrypted passwords,
and run their own implementations of the encryption algorithm on their
own hardware.  No 'alarms' to the system administrator, no account
lock-out, no slow-down after each bad guess, etc.

Systems that lock an account out after a 'few' bad guesses are really
vulnerable to DOS attacks.  Hit every 'system' account with the 'required'
number of bad guesses, and 'do something' to force a reboot, and NOBODY
can get back into the system.

A better (FSVO 'better') way is to increasingly delay responses within a
single 'session' (TCP or dial-up) as incorrect answers accumulate.  Then
when the 'limit' is reached, stop responding on that session -- while
keeping the session open.

Unfortunately, when the bad guys have bot-nets with machine-counts in the
6 to 7 figure range, they can generate a lot of sessions from a lot of
different sources.

In "information warfare", like any other form of war, the defenders are
always on the 'backside of the curve', and playing catch-up.  It just
goes with the territory.
Date: 19 Apr 2010 21:41:06 -0000
From: John Levine <johnl@iecc.com>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Please do not change your password
Message-ID: <20100419214106.55611.qmail@joyce.lan>

>INCORRECT.  The encrypted password is often stored in a WORLD-READABLE
>location.  Bad guys are known to copy out the list of encrypted passwords,

That was true 20 years ago.  It's not true now, even on the Unix systems
where this problem originated.

>A better (FSVO 'better') way is to increasingly delay responses within a
>single 'session' (TCP or dial-up) as incorrect answers accumulate.  Then
>when the 'limit' is reached, stop responding on that session -- while
>keeping the session open.

Four tries in a row, then a 15 minute delay seems to work well to deter
password guessing while avoiding user lockout.

R's,
John
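The two throttling schemes the thread describes, Robert Bonomi's escalating per-session delay and John Levine's "four tries in a row, then a 15 minute delay", combined in one policy as an added Python example. This is constructed code written for this page, not anything posted to the Digest or used by any of its contributors; the credential store, the salt, the session ids, the sample guesses and the FakeClock are all assumptions made so the scenario runs offline and deterministically. State is keyed by session rather than by account, which is what keeps the policy from turning into the lock-out denial of service Bonomi warns about; as he also notes, a guesser with many sessions can still spread attempts across them, so this is a per-session rate limiter, not a substitute for strong credentials.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass
class SessionState:
    failures: int = 0           # consecutive failed guesses on this session
    blocked_until: float = 0.0  # clock value before which guesses are ignored


class LoginThrottle:
    """Per-session throttling combining the two schemes from the thread.

    Escalating delay: each failure doubles the wait before the next guess is
    even evaluated (base_delay, 2*base_delay, 4*base_delay, ...).
    Hard cool-down: once max_tries consecutive failures accumulate, the
    session is held for `cooldown` seconds (four tries, then 15 minutes).

    State is keyed by session id, not by account, so holding a noisy
    session never locks the legitimate user out of the account being guessed.
    """

    def __init__(self, verify, clock=time.monotonic,
                 max_tries=4, cooldown=15 * 60.0, base_delay=1.0):
        self._verify = verify      # callable(username, password) -> bool
        self._clock = clock        # injectable so tests can control time
        self.max_tries = max_tries
        self.cooldown = cooldown
        self.base_delay = base_delay
        self._sessions = {}        # session id -> SessionState

    def required_delay(self, session_id):
        """Seconds the session must wait before a guess will be evaluated."""
        st = self._sessions.get(session_id)
        if st is None:
            return 0.0
        return max(0.0, st.blocked_until - self._clock())

    def attempt(self, session_id, username, password):
        """Evaluate one guess; returns 'ok', 'rejected' or 'throttled'."""
        now = self._clock()
        st = self._sessions.setdefault(session_id, SessionState())
        if now < st.blocked_until:
            # Still inside the delay: do not run the check at all, but keep
            # the session state rather than dropping the session.
            return "throttled"
        if self._verify(username, password):
            del self._sessions[session_id]
            return "ok"
        st.failures += 1
        if st.failures >= self.max_tries:
            st.blocked_until = now + self.cooldown
            st.failures = 0  # escalation restarts after the cool-down
        else:
            st.blocked_until = now + self.base_delay * 2 ** (st.failures - 1)
        return "rejected"


# Constructed credential store for the demonstration (assumption: a real
# system uses a random per-user salt and a much higher iteration count).
_SALT = b"constructed-demo-salt"
_USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 10_000),
}


def verify_demo(username, password):
    """Constant-time check; hashes even for unknown users so response timing
    does not reveal which usernames exist."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)
    stored = _USERS.get(username, b"\0" * len(candidate))
    return hmac.compare_digest(candidate, stored) and username in _USERS


class FakeClock:
    """Manually advanced clock so the scenario is deterministic."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def run_scenario():
    """Drive one guessing session through the policy and report what happened."""
    clock = FakeClock()
    throttle = LoginThrottle(verify_demo, clock=clock)
    delays = []
    for guess in ["hunter2", "password", "letmein", "qwerty"]:  # constructed guesses
        result = throttle.attempt("s1", "alice", guess)
        wait = throttle.required_delay("s1")
        delays.append((result, wait))
        if wait < throttle.cooldown:      # client waits out the short delays
            clock.now += wait
    early = throttle.attempt("s1", "alice", "correct horse")  # during cool-down
    other = throttle.attempt("s2", "alice", "correct horse")  # another session
    clock.now += throttle.required_delay("s1")
    late = throttle.attempt("s1", "alice", "correct horse")   # after cool-down
    return {"delays": delays, "during_cooldown": early,
            "other_session": other, "after_cooldown": late}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Running the scenario shows the delays growing 1, 2, 4 seconds and then the 900 second hold on the fourth failure; the held session gets "throttled" even with the right password, while a fresh session for the same account signs in immediately, which is the property that distinguishes a per-session delay from an account lock-out.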
Date: Mon, 19 Apr 2010 22:45:38 +0200
From: Tor-Einar Jarnbjo <news@jarnbjo.de>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: All-digital cellphone - is this good? Or OK?
Message-ID: <833tnmFprpU1@mid.individual.net>

> ***** Moderator's Note *****
>
> What do satellite phones cost? Is there any scenario where having one
> sat phone would be cost-comparable to having a separate cell phone for
> every region/country you do business in?

Satellite phone charges and hardware costs vary quite a lot between the
different network operators. Globalstar is probably at the lower end, but
they do not offer true global coverage (roughly, there is no coverage in
southern Asia, Africa and across the large oceans). The cheapest phones
start at around US$ 400 and call charges are in the range 1-2$/min
depending on your tariff plan, location and where you're calling to. In
several countries, this is well below what you would pay for international
roaming or even international calls through a local land-based cellular
operator.

Tor
Date: Mon, 19 Apr 2010 21:49:00 -0400
From: Monty Solomon <monty@roscom.com>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Cyberattack on Google Said to Hit Password System
Message-ID: <p0624082cc7f2b80ec377@[10.0.1.4]>

Cyberattack on Google Said to Hit Password System

By JOHN MARKOFF
April 19, 2010

Ever since Google disclosed in January that Internet intruders had stolen
information from its computers, the exact nature and extent of the theft
has been a closely guarded company secret. But a person with direct
knowledge of the investigation now says that the losses included one of
Google's crown jewels, a password system that controls access by millions
of users worldwide to almost all of the company's Web services, including
e-mail and business applications.

The program, code named Gaia for the Greek goddess of the earth, was
attacked in a lightning raid taking less than two days last December, the
person said. Described publicly only once at a technical conference four
years ago, the software is intended to enable users and employees to sign
in with their password just once to operate a range of services.

The intruders do not appear to have stolen passwords of Gmail users, and
the company quickly started making significant changes to the security of
its networks after the intrusions. But the theft leaves open the
possibility, however faint, that the intruders may find weaknesses that
Google might not even be aware of, independent computer experts said.

The new details seem likely to increase the debate about the security and
privacy of vast computing systems such as Google's that now centralize the
personal information of millions of individuals and businesses. Because
vast amounts of digital information are stored in one place, popularly
referred to as "cloud" computing, a single breach can lead to disastrous
losses.

The theft began with an instant message sent to a Google employee in China
who was using Microsoft's Messenger program, according to the person with
knowledge of the internal inquiry, who spoke on the condition that he not
be identified.

...

http://www.nytimes.com/2010/04/20/technology/20google.html
TELECOM Digest is an electronic journal devoted mostly to telecommunications
topics. It is circulated anywhere there is email, in addition to Usenet,
where it appears as the moderated newsgroup 'comp.dcom.telecom'.

TELECOM Digest is a not-for-profit, mostly non-commercial educational
service offered to the Internet by Bill Horne. All the contents of the
Digest are compilation-copyrighted. You may reprint articles in some
other media on an occasional basis, but please attribute my work and
that of the original author.

The Telecom Digest is moderated by Bill Horne.

Contact information:
   Bill Horne
   Telecom Digest
   43 Deerfield Road
   Sharon MA 02067-2301
   781-784-7287
   bill at horne dot net

Subscribe:   telecom-request@telecom-digest.org?body=subscribe telecom
Unsubscribe: telecom-request@telecom-digest.org?body=unsubscribe telecom

This Digest is the oldest continuing e-journal about telecommunications
on the Internet, having been founded in August, 1981 and published
continuously since then. Our archives are available for your
review/research. We believe we are the oldest e-zine/mailing list on
the internet in any category!

URL information: http://telecom-digest.org

Copyright (C) 2009 TELECOM Digest. All rights reserved.
Our attorney is Bill Levant, of Blue Bell, PA.

---------------------------------------------------------------

Finally, the Digest is funded by gifts from generous readers such as
yourself who provide funding in amounts deemed appropriate. Your help
is important and appreciated. A suggested donation of fifty dollars
per year per reader is considered appropriate. See our address above.
Please make at least a single donation to cover the cost of processing
your name to the mailing list.

All opinions expressed herein are deemed to be those of the author. Any
organizations listed are for identification purposes only and messages
should not be considered any official expression by the organization.
End of The Telecom Digest (20 messages)