31 Years of the Digest ... founded August 21, 1981Add this Digest to your personal or   The Telecom Digest for December 3, 2012
====== 31 years of TELECOM Digest -- Founded August 21, 1981 ====== | ||||||||||||||||||
Telecom and VOIP (Voice over Internet Protocol) Digest for the
Internet. All contents here are copyrighted by Bill Horne and
the individual writers/correspondents. Articles may be used in other
journals or newsgroups, provided the writer's name and the Digest are
included in the fair use quote. By using any name or email address
included herein for any reason other than responding to an article
herein, you agree to pay a hundred dollars to that person, or email address
owner.
Addresses herein are not to be added to any mailing list, nor to be sold or given away without the explicit written consent of the owner of that address. Chain letters, viruses, porn, spam, and miscellaneous junk are definitely unwelcome. We must fight spam for the same reason we fight crime: not because we are naive enough to believe that we will ever stamp it out, but because we do not want the kind of world that results when no one stands against crime. - Geoffrey Welsh See the bottom of this issue for subscription and archive details and the name of our lawyer, and other stuff of interest. |
Date: Sun, 02 Dec 2012 02:02:14 -0600 From: Dave Garland <dave.garland@wizinfo.com> To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org. Subject: Re: Why passwords have never been weaker-and crackers have never been stronger Message-ID: <k9f1ud$gp2$1@dont-email.me> On 12/1/2012 8:30 PM, Pete Cresswell wrote: > Per PV: >> What to learn from the article is that there's no such thing as a "clever and >> rememberable" password. Modern password dictionaries aren't simply the >> contents of /usr/dict/words; they're hundreds of megabytes of lessons learned >> over decades of successful password cracks. The ONLY good password is a long >> and totally random one consisting of all typable characters. Personally, I >> use LastPass for everything, so every site I go to has a unique password, >> with values like 'Bd29$UCsPrY9'. > > Not to beat a dead horse... but... > > If I'm understanding this thread correctly: > > - Sites and DBs do not record a user's password. > Instead they record the hashed result and apply > the hashing algorithm to whatever the user > types in. If you're lucky. Some poorly-administered sites record passwords in plain text. > - (and I'm extrapolating here) Cases where somebody > "hacks" somebody's email account, unless many > accounts under the same provider were also "hacked" > are mostly just some individual either guessing > somebody's PW from information they know about the > person or the person's PW having been compromised > some way - like in an email message, or harvested > by malware. That is often the case.
Date: Sun, 2 Dec 2012 05:21:42 +0000 (UTC) From: moroney@world.std.spaamtrap.com (Michael Moroney) To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org. Subject: Re: Who Do Online Advertisers Think You Are? Message-ID: <k9eoh6$pge$1@pcls6.std.com> >***** Moderator's Note ***** >Did anyone ever figure out if Microsoft was collecting hidden cookies >that users can't erase? There was some talk about that being possible, >a few years back, but nothing lately. >What about "Flash cookies"? Are they real, and if so, how can I >control them? I don't know about Microsoft hidden cookies, but flash cookies are real, and they are sneaky. First, your browser's "clear cookies" and other cookie settings don't affect flash cookies at all. You may think they aren't tracking you when they are. Second, flash cookies work across browsers. Open IE, get a flash cookie for a web site, close IE, open Firefox and revisit the same site, and that site sees the cookie set by the IE visit. In fact, if the advertisers tracking Jeff used flash cookies, they would have quickly figured out that Democratic Jeff and Republican Jeff were the same person. Third, they don't expire. A Firefox extension called "BetterPrivacy" controls what they call "SuperCookies", you can delete them or have them deleted automatically as well as prevent certain ones from being deleted. ***** Moderator's Note ***** Thanks for the info: I appreciate it. I'll ask that you and other readers post information about these and other monitoriing and tracking technologies, and ways to circumvent them. TIA. Bill Horne Moderator
Date: Sun, 02 Dec 2012 01:05:17 -0600 From: Dave Garland <dave.garland@wizinfo.com> To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org. Subject: Re: Who Do Online Advertisers Think You Are? Message-ID: <k9eujk$405$1@dont-email.me> > What about "Flash cookies"? Are they real, and if so, how can I > control them? Yes, they're real. They're called "Local Shared Objects" (LSOs). Firefox (since v.4) (and perhaps other browsers) treats them the same as ordinary cookies, CCleaner (free cleaner program, highly recommended) can be set to delete them (by default it doesn't). Probably other anti-spyware/malware programs have similar options.
Date: Sun, 02 Dec 2012 00:32:54 -0600 From: Doug McIntyre <merlyn@geeks.org> To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org. Subject: Re: Why passwords have never been weaker-and crackers have never been stronger Message-ID: <C9-dnfeVo-GLayfNnZ2dnUVZ_qCdnZ2d@giganews.com> Pete Cresswell <PeteCress@invalid.telecom-digest.org> writes: >If I'm understanding this thread correctly: .... >- The value in extremely long and arcane (basically > nonsense) strings lies in the additional computational > power needed to back into the hashed value. Right. Brute forcing passwords (ie. checking every single value. aaaaaa, aaaaab, aaaaac) still takes a long time. But the hackers use dictionaries, and tons of arcane rules about how humans typically create passwords. >- (and I'm extrapolating here) Cases where somebody > "hacks" somebody's email account, unless many > accounts under the same provider were also "hacked" > are mostly just some individual either guessing > somebody's PW from information they know about the > person or the person's PW having been compromised > some way - like in an email message, or harvested > by malware. The biggest threat is that people (generally) don't use unique passwords. They use the same password on every site, or at best, a few passwords on a large number of sites, all identified by at least email address and password. One compromised site leads to abuse at other sites. Until of course they hit paydirt on a site related to something financial..
Date: Sun, 2 Dec 2012 09:16:32 -0500 From: Bill Horne <bill@horneQRM.net> To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org. Subject: Re: Why passwords have never been weaker-and crackers have never been stronger Message-ID: <20121202141632.GA24133@telecom.csail.mit.edu> On Sun, Dec 02, 2012 at 12:32:54AM -0600, Doug McIntyre wrote: > Pete Cresswell <PeteCress@invalid.telecom-digest.org> writes: > >If I'm understanding this thread correctly: > .... > > >- (and I'm extrapolating here) Cases where somebody > > "hacks" somebody's email account, unless many > > accounts under the same provider were also "hacked" > > are mostly just some individual either guessing > > somebody's PW from information they know about the > > person or the person's PW having been compromised > > some way - like in an email message, or harvested > > by malware. > > The biggest threat is that people (generally) don't use unique passwords. > They use the same password on every site, or at best, a few > passwords on a large number of sites, all identified by at least > email address and password. > > One compromised site leads to abuse at other sites. Until of course > they hit paydirt on a site related to something financial.. AFAIK, the most serious threat to passwords is that they can be monitored when their owners enter them via open Wi-Fi hotspots. In that case, no cryptography is required: unless the owner has his email set up for encrypted connections (the default settings don't do that), his password is transmitted en clair. Of course, once the password is compromised, it (or trivial variations of it) can be used to gain access to other sites and/or email accounts, EVEN *IF* those sites use encryption. That is probably the most dangerous scenario: if a user has the same or very similar passwords for "POP"-based email reception or to send outgoing emails, or at a gaming site or online forum that doesn't use SSL encryption, then the attacker can access web-based email sites with it. In other words, if your Gmail password is the same one you use when sending or receiving emails in Outlook, Thunderbird, Eudora, etc., then a nearby sniffer can get it without any decryption effort or delay. One common attack that is currently in use is to obtian the password of a user, use it to access Gmail or Yahoo mail, lock out that same user by changing it, and then use the user's online address book to send his/her friends and family a sad-luck tale that creates a lot of Western Union transfers very quickly, typically by claiming that the owner was in a foreign country on short notice and has been mugged. I'm like most travellers in one way: if I'm in a place with open Wi-Fi, I'll take advantage of it to check my mail while waiting for my flight. However, unlike most travellers, I have my email connections set to connect using SSL, and thereby deny nearby sniffers any chance to copy my email addresses or passwords. Bill -- Bill Horne (Remove QRM from my address to write to me directly)
Date: Sun, 2 Dec 2012 20:54:15 +0000 (UTC) From: wollman@bimajority.org (Garrett Wollman) To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org. Subject: Re: Why passwords have never been weaker-and crackers have never been stronger Message-ID: <k9gf5n$2h8i$1@grapevine.csail.mit.edu> In article <20121202141632.GA24133@telecom.csail.mit.edu>, Bill Horne <bill@horneQRM.net> wrote: >AFAIK, the most serious threat to passwords is that they can be >monitored when their owners enter them via open Wi-Fi hotspots. In >that case, no cryptography is required: unless the owner has his email >set up for encrypted connections (the default settings don't do that), >his password is transmitted en clair. Only if the manager of the server is incompetent. Competently-managed servers (mail or otherwise) won't allow unencrypted passwords. Well, unless they're totally unimportant anyway (I'm looking at you, mailman). -GAWollman -- Garrett A. Wollman | What intellectual phenomenon can be older, or more oft wollman@bimajority.org| repeated, than the story of a large research program Opinions not shared by| that impaled itself upon a false central assumption my employers. | accepted by all practitioners? - S.J. Gould, 1993
Date: Sun, 02 Dec 2012 10:43:49 -0500 From: Pete Cresswell <PeteCress@invalid.telecom-digest.org> To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org. Subject: Re: Why passwords have never been weaker-and crackers have never been stronger Message-ID: <rjtmb894psh08suh2hh956kev1c6rhk168@4ax.com> Per Doug McIntyre: >The biggest threat is that people (generally) don't use unique passwords. >They use the same password on every site, or at best, a few >passwords on a large number of sites, all identified by at least >email address and password. > >One compromised site leads to abuse at other sites. Until of course >they hit paydirt on a site related to something financial.. I don't have the brainpower to cope with a separate PW for each site, but I do have several levels of password: - "Who Cares"... for sites where the consequences of compromise are insignificant. - Convenience: Where compromise would mess a few things up but not rock my world. - Fort Knox: I use this on my ID/PW DB, admin access to my PC's, and a few other things. FWIW, I wouldn't do online banking or trading even on a bet. -- Pete Cresswell
Date: Sun, 02 Dec 2012 16:19:09 -0500 From: Fred Goldstein <fgoldstein.SeeSigSpambait@wn2.wn.net> To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org. Subject: Re: How our over-reliance on satellite images led to the mystery of the South Pacific island that wasn't there Message-ID: <20121202211931.77ABEE19E@mailout.easydns.com> On Tue, 27 Nov 2012 01:25:27 -0500, Monty Solomon <monty@roscom.com> wrote, >How our over-reliance on satellite images led to the mystery of the >South Pacific island that wasn't there > > * It has also emerged that the latest non-finding was the SECOND >time Sandy Island had been 'un-discovered' > > * Radio enthusiasts on an expedition to send a message from the >most-remote possible place reported its non-existence in 2000 > > * Cartography expert tells MailOnline Sandy Island could be just one >of many errors added to maps as satellite photos were digitised > >By DAMIEN GAYLE >23 November 2012 >Mail Online > >The mysterious South Pacific island that wasn't there could be just >one many errors made in the process of digitising satellite maps of >the world, an expert said today. But the Daily Mail quoted the wrong expert. Wikipedia has a map dating back to 1875 that shows the (nonexistent) island. Later mapmakers have assumed that previous mapmakers knew what they were doing, so they copied each other enough times that the island's alleged existence became fairly common (mis-)knowledge. Note that commercial maps nowadays are often salted with intentional errors, to help identify copyright violators. But Sandy Island goes back so far that it was probably an honest mistake. The Coral Sea was not, and is not, well explored. Google, of course, is guilty of showing it. When you zoom in on the satellite view, it's a black object surrounded by deep water. It is clearly not a satellite image, so it's not clear why they bothered to draw it in over the real image. It implies that they simply didn't trust the camera and insisted on putting the island there. Were this just on the map view, it would be more understandable. Note that the somewhat nearby Chesterfield Islands, west of Sandy, are real, and are much more visible on the satellite view than on the map. I think that's because the island group is mostly a large underwater reef, visible on satellite, with only a few small areas above the water line; only those show on the map view. Bing Maps has a very poor aerial/satellite view of the Pacific; it looks like a nighttime shot. So you can't see anything there. Its map view is odd, though. At the 250 mile (bar in the lower left corner) resolution, there's a dot for Sandy. At the 100 mile resolution, Sandy's alleged shape is visible. At any closer zoom, it's gone. And Bing doesn't find it by name, though it gets the (real) Chesterfields. I do enjoy that the un-discovery was made over a decade ago by a DXpedition team merely trying to get Chesterfield Islands added to the DXCC list. This is obscure outside of the ham radio community. DX Century Club is one of the biggest Radiosport awards programs, running since 1946. (It's run by the American Radio Relay League, arrl.org. )The basic DXCC certificate is awarded for contacting (with proof, usually QSL cards) at least 100 "countries" (DXCC Entitites). The Honor Roll shows the participants with the highest lifetime totals. There are 340 Entitites now on the list, though the top guy has 398, counting now-deleted ones (usually due to a change in political status). The DXCC rules allow an Entity to be created out of islands when "A single island is separated from its Parent (and any other islands that make up the DXCC Entity Parent island group) by 350 kilometers or more, as measured from the island containing the capital city." Chesterfield is more than 350 km from the rest of New Caledonia. But Sandy was allegedly in between the two. So it would have broken up the >350 km distance into two smaller distances, thus disqualifying Chesterield from being an Entity. By disproving Sandy's existence, Chesterield could be added to the DXCC list. And it is now on the list (FK8/C). Since nobody lives on Chesterfield, the only way anyone could make a contact with another ham there would be if somebody visited the place. That's what a DXpedition does. It visits "rare ones" with radios (and generators, antennas, etc.) and puts them on the air for a few days. Thousands of DXers around the world then try desperately to make contact with you, which is kind of a nice ego trip. Some will contribute to fund the DXpedition. (You then get to do the snorkeling for free.) This is definitely "off the grid" telecom. -- Fred Goldstein k1io fgoldstein "at" ionary.com ionary Consulting http://www.ionary.com/ +1 617 795 2701 ***** Moderator's Note ***** It may be off the telecom grid, but I never met a telco guy who didn't love esoterica, so I'm sending it out. ;-) Who knows, there might even be a submarine cable buried there ... Bill Horne Moderator
TELECOM Digest is an electronic journal devoted mostly to telecom- munications topics. It is circulated anywhere there is email, in addition to Usenet, where it appears as the moderated newsgroup 'comp.dcom.telecom'. TELECOM Digest is a not-for-profit, mostly non-commercial educational service offered to the Internet by Bill Horne. All the contents of the Digest are compilation-copyrighted. You may reprint articles in some other media on an occasional basis, but please attribute my work and that of the original author. The Telecom Digest is moderated by Bill Horne.
Contact information: |
Bill Horne Telecom Digest 43 Deerfield Road Sharon MA 02067-2301 339-364-8487 bill at horne dot net |
Subscribe: | telecom-request@telecom-digest.org?body=subscribe telecom |
Unsubscribe: | telecom-request@telecom-digest.org?body=unsubscribe telecom |
This Digest is the oldest continuing e-journal about telecomm- unications on the Internet, having been founded in August, 1981 and published continuously since then. Our archives are available for your review/research. We believe we are the oldest e-zine/mailing list on the internet in any category! URL information: http://telecom-digest.org Copyright (C) 2012 TELECOM Digest. All rights reserved. Our attorney is Bill Levant, of Blue Bell, PA.
Finally, the Digest is funded by gifts from generous readers such as yourself who provide funding in amounts deemed appropriate. Your help is important and appreciated. A suggested donation of fifty dollars per year per reader is considered appropriate. See our address above. Please make at least a single donation to cover the cost of processing your name to the mailing list. All opinions expressed herein are deemed to be those of the author. Any organizations listed are for identification purposes only and messages should not be considered any official expression by the organization.