31 Years of the Digest ... founded August 21, 1981
Add this Digest to your personal
or 
The Telecom Digest for December 2, 2012
Volume 31 : Issue 282 : "text" Format
====== 31 years of TELECOM Digest -- Founded August 21, 1981 ======
|
Telecom and VOIP (Voice over Internet Protocol) Digest for the
Internet. All contents here are copyrighted by Bill Horne and
the individual writers/correspondents. Articles may be used in other
journals or newsgroups, provided the writer's name and the Digest are
included in the fair use quote. By using any name or email address
included herein for any reason other than responding to an article
herein, you agree to pay a hundred dollars to that person, or email address
owner.
Addresses herein are not to be added to any mailing list, nor to be
sold or given away without the explicit written consent of the owner of
that address. Chain letters, viruses, porn, spam, and miscellaneous junk
are definitely unwelcome.
We must fight spam for the same reason we fight crime: not because we
are naive enough to believe that we will ever stamp it out, but because
we do not want the kind of world that results when no one stands
against crime. - Geoffrey Welsh
See the bottom of this issue for subscription and archive details
and the name of our lawyer, and other stuff of interest.
|
Date: Thu, 29 Nov 2012 13:16:05 -0600
From: pv+usenet@pobox.com (PV)
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <VsadnYjkZJzoKSrNnZ2dnUVZ_vmdnZ2d@supernews.com>
Frank Stearns <franks.pacifier.com@pacifier.net> writes:
>Forgive me for being ignorant, but doesn't the bad guy have to then try each
>password variant s/he generates?
It depends. With no information to start with, they have to do that, and most
sane systems will detect brute-forcing. That's not what the story is about
though.
Brute-forcing in an offline mode (which is where the video card or PAL based
systems come into play) works if you have the password's hash. A hash is
the output of a one-way scramble of your password - text goes in, and some
number of bits come back (usually 128 or 256), such that if even one
character of the password is changed, you get an entirely different hash.
Password hashes are stored in files or databases (on some unix systems,
infamously /etc/passwd or /etc/shadow), and those files can be accidentally
exposed to a website or otherwise lifted during a breakin.
So, what the hacker has to do is hash lots and lots of passwords, and then
compare the resulting value to the hash value that they stole. If they get
a match, that means they can enter the password on the site, and it will
be the same as you entering your password. They do their dictonary first,
and then start working on chracter patterns a letter at a time.
The issues are that some hashing algorithms (md5 for example) are showing
their age, and you can even pre-hash all possible values in what's called a
"rainbow table" so you don't even need to brute-force anymore - you
just look up the password corresponding to the hash.
Better hashing algorithms mean the cost of running a hash is higher, making
the process of breaking the password more expensive. Even better, there's the
concept of adding "salt" (an additional string added to every password,
either fixed or even unique by user) to the hash, so rainbow tables are
either site-specific, or worthless, depending on how it's employed. Salt
has existed with hashes for decades, but you STILL find situations every
day where they forgot to use it.
What to learn from the article is that there's no such thing as a "clever and
rememberable" password. Modern password dictionaries aren't simply the
contents of /usr/dict/words; they're hundreds of megabytes of lessons learned
over decades of successful password cracks. The ONLY good password is a long
and totally random one consisting of all typable characters. Personally, I
use LastPass for everything, so every site I go to has a unique password,
with values like 'Bd29$UCsPrY9'. My password vault itself is secured by
a 40 character passphrase, and backed up with a second factor (a yubikey). *
--
* PV Something like badgers, something like lizards, and something
like corkscrews.
Date: Sat, 01 Dec 2012 17:49:34 -0600
From: Frank Stearns <franks.pacifier.com@pacifier.net>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <5r2dnWfFxpsTCifNnZ2dnUVZ_oidnZ2d@posted.palinacquisition>
pv+usenet@pobox.com (PV) writes:
>Frank Stearns <franks.pacifier.com@pacifier.net> writes:
>>Forgive me for being ignorant, but doesn't the bad guy have to then try each
>>password variant s/he generates?
>It depends. With no information to start with, they have to do that, and most
>sane systems will detect brute-forcing. That's not what the story is about
>though.
<snips to avoid duplication>
Thank you for the background!
A highly educational post.
Frank
--
.
Date: Sat, 01 Dec 2012 21:18:53 -0500
From: Pete Cresswell <PeteCress@invalid.telecom-digest.org>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <nielb8d56socr3kur0iuv3aail19l9f6f8@4ax.com>
Per PV:
>It depends. With no information to start with, they have to do that, and most
>sane systems will detect brute-forcing. That's not what the story is about
>though.
>
>Brute-forcing in an offline mode.....
Thanks! Now the thread jells for me.
--
Pete Cresswell
Date: Sat, 01 Dec 2012 21:30:35 -0500
From: Pete Cresswell <PeteCress@invalid.telecom-digest.org>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <7selb8pl28spntutbnf0vis95q959q1p1h@4ax.com>
Per PV:
>What to learn from the article is that there's no such thing as a "clever and
>rememberable" password. Modern password dictionaries aren't simply the
>contents of /usr/dict/words; they're hundreds of megabytes of lessons learned
>over decades of successful password cracks. The ONLY good password is a long
>and totally random one consisting of all typable characters. Personally, I
>use LastPass for everything, so every site I go to has a unique password,
>with values like 'Bd29$UCsPrY9'.
Not to beat a dead horse... but...
If I'm understanding this thread correctly:
- Sites and DBs do not record a user's password.
Instead they record the hashed result and apply
the hashing algorithm to whatever the user
types in.
- The password compromises referred to start with
the hostile entity obtaining the site or DB's
table of hash values/users.
- The massive computation comes in when it's time to
figure out what password created each hash value.
- The value in extremely long and arcane (basically
nonsense) strings lies in the additional computational
power needed to back into the hashed value.
- (and I'm extrapolating here) Cases where somebody
"hacks" somebody's email account, unless many
accounts under the same provider were also "hacked"
are mostly just some individual either guessing
somebody's PW from information they know about the
person or the person's PW having been compromised
some way - like in an email message, or harvested
by malware.
--
Pete Cresswell
Date: Fri, 30 Nov 2012 11:11:33 -0500
From: T <kd1s.nospam@cox.nospam.net>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: So You're a Good Driver? Let's Go to the Monitor
Message-ID: <MPG.2b22a4bf66809208989d50@news.eternal-september.org>
In article <p062408feccd92752b54f@[10.0.1.10]>, monty@roscom.com says...
>
> So You're a Good Driver? Let's Go to the Monitor
>
> By RANDALL STROSS
> November 24, 2012
>
> LAST week, under my car's dashboard, I installed a small wireless
> gadget that would monitor my driving. I wanted to see how it felt to
> have my driving behavior captured, sent to an insurance company and
> analyzed. More drivers, seeking discounts on auto insurance, are
> voluntarily doing just that.
[snip]
>
> http://www.nytimes.com/2012/11/25/business/seeking-cheaper-insurance-drivers-accept-monitoring-devices.html
>
>
> ***** Moderator's Note *****
>
> Would it affect my rates if an insurance company figured out that I
> was stopping at the V.F.w. for a drink on my way home from work? come
> to think of it, Route 128 (the arterial road around boston, sometimes
> called "I-95" by Barneys) has a 55 MPH speed limit posted, but I'd get
> run over if I didn't do at least 65. Is that a significant risk?
>
> If I was elected to the Legilature, would I want it known that I
> wasn't at the statehouse most of the time? Would I want it known that
> I didn't have a transponder? I wonder what having a mistress would do
> to my rates: could someone influence my votes by offering to disclose
> where I was on a particular date at a particular time?
>
> Bill Horne
> Moderator
LOL - and I can think of numerous attack vectors for those little plugin
modules.
But in essence it's a good idea. Drive like an angel for 30 days and
reap the rewards.
Date: Fri, 30 Nov 2012 01:26:28 -0500
From: Monty Solomon <monty@roscom.com>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Medicare Is Faulted on Shift to Electronic Records
Message-ID: <p06240870ccde01f0f38d@[10.0.1.10]>
Medicare Is Faulted on Shift to Electronic Records
By REED ABELSON
November 29, 2012
The conversion to electronic medical records - a critical piece of
the Obama administration's plan for health care reform - is
"vulnerable" to fraud and abuse because of the failure of Medicare
officials to develop appropriate safeguards, according to a sharply
critical report to be issued Thursday by federal investigators.
The use of electronic medical records has been central to the aim of
overhauling health care in America. Advocates contend that electronic
records systems will improve patient care and lower costs through
better coordination of medical services, and the Obama administration
is spending billions of dollars to encourage doctors and hospitals to
switch to electronic records to track patient care.
But the report says Medicare, which is charged with managing the
incentive program that encourages the adoption of electronic records,
has failed to put in place adequate safeguards to ensure that
information being provided by hospitals and doctors about their
electronic records systems is accurate. To qualify for the incentive
payments, doctors and hospitals must demonstrate that the systems
lead to better patient care, meeting a so-called meaningful use
standard by, for example, checking for harmful drug interactions.
Medicare "faces obstacles" in overseeing the electronic records
incentive program "that leave the program vulnerable to paying
incentives to professionals and hospitals that do not fully meet the
meaningful use requirements," the investigators concluded. The report
was prepared by the Office of Inspector General for the Department of
Health and Human Services, which oversees Medicare.
The investigators contrasted the looser management of the incentive
program with the agency's pledge to more closely monitor Medicare
payments of medical claims. Medicare officials have indicated that
the agency intends to move away from a "pay and chase" model, in
which it tried to get back any money it has paid in error, to one in
which it focuses on trying to avoid making unjustified payments in
the first place.
...
http://www.nytimes.com/2012/11/29/business/medicare-is-faulted-in-electronic-medical-records-conversion.html
-or-
http://goo.gl/PgxpB
Date: Thu, 29 Nov 2012 13:24:12 -0600
From: pv+usenet@pobox.com (PV)
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <cridndHMd9rBKyrNnZ2dnUVZ_qOdnZ2d@supernews.com>
Pete Cresswell <PeteCress@invalid.telecom-digest.org> writes:
>Telecom Digest Moderator said:
>>The trick is to use easily-memorable pass-/*PHRASES*/ that won't be
>>in anyone's dictionary.
>
>Somebody suggested the "Dead Pet System"... concatenate the names of
>two dead pets and add digits to taste.
Blargh. Terrible idea.
Telecom Digest Moderator said:
>Since one of the most common "secret" questions that sites offer to
>remember in order to help me recover a forgotten password is "What was
>your first pet's name?", I have a couple of "virtual" pets and I use
>those names, which can't ever be guessed.
That's not a bad idea - you HOPE (though talk to Mat Honan about that)
that password recovery offers no bypass of the secret questions and no
opportunity to guess more than once or twice before telling you to get
stuffed.
I handle recovery questions the same way I do passwords - I have lastpass
make a random string for each, and then have it save the form values
so I know what the values are if I get asked one of the questions. Note:
this can be really irritating if the recovery questions are asked
over the phone, and I wouldn't be surprised if humans are less than
diligent about making sure that what I just said (Q-3-7-h-question mark-l-
2-7-g-H-x) matches what they have on file. I've been playing around with
the idea of using nonsense words instead for these; Lastpass has a
"prononceable" password generator, giving you values like 'tonficutonel'. *
--
* PV Something like badgers, something like lizards, and something
like corkscrews.
Date: Fri, 30 Nov 2012 16:16:51 -0700
From: fatkinson.remove-this@and-this-too.mishmash.com
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Navajo Nation without phone, internet use after copper theft
Message-ID: <91f4e01fa0db4883187af03fd15b8f00.squirrel@webmail.mishmash.org>
Navajo Nation without phone, internet use after copper theft
By Jenny Kane jkane@daily-times.com
Posted: 11/03/2012 01:00:00 AM MDT
FARMINGTON . Copper thieves are responsible for the loss of Internet
and some phone services to what likely was thousands of users in
northwest New Mexico and eastern Arizona. "It was throughout," said
Emerald Dahozy-Craig, spokeswoman for the Office of the President of
the Navajo Nation. "Even the ATMs didn't work. We still had power
though."
http://www.lcsun-news.com/ci_21918628/navajo-nation-without-phone-internet-use-after-copper?source=most_viewed
-or-
http://goo.gl/QwviM
Date: Fri, 30 Nov 2012 07:07:01 -0800 (PST)
From: HAncock4 <withheld@invalid.telecom-digest.org>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: NYC MTA releases Android weekend subway information
Message-ID: <0e53578a-b0d2-4cf3-acbf-cbd87a0a80dc@l12g2000vbj.googlegroups.com>
The NY MTA, operator of New York City's subways, buses, and commuter
trains, has announced a new "app". MTA customers who use Android
devices can now get detailed information about the subway service
changes planned for the upcoming weekend. (Heavy maintenance
resulting in route detours is performed over weekends).
Due to the large amount of data and mapping involved in the mobile
version of The Weekender - 100 Megabytes - MTA developers have smartly
"packeted" the data, so the initial download includes the basic
functions needed to get started. Then, each time the user plans a trip
or taps to view a particular neighborhood map, only those images are
added to the app, so the app gets smarter with every use without
hogging device memory.
For full announcement please see:
http://www.mta.info/news/stories/?story=888
Date: Sat, 1 Dec 2012 17:56:16 -0500
From: Monty Solomon <monty@roscom.com>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Who Do Online Advertisers Think You Are?
Message-ID: <p06240810cce03b157ba1@[10.0.1.5]>
Who Do Online Advertisers Think You Are?
By JEFFREY ROSEN
November 30, 2012
Not long ago, I decided to test how much privacy I have online. I
cleared the cookies, the bits of code that Web sites leave on my
computer to track what I browse and buy, from my two Internet
browsers, Safari and Firefox. Then, with my digital past
superficially erased, I set out to create two new identities:
Democratic Jeff and Republican Jeff.
Safari became the home of Democratic Jeff. I started by spending time
on Barack Obama's re-election Web site and then visited some travel,
car and shopping sites to search for flights to Los Angeles, Volvos
and Birkenstocks. On Firefox, as Republican Jeff, I went to Mitt
Romney's site and then searched for Cadillacs, flights to Hawaii and
diamond rings.
Having created my new digital identities as heavy-handedly as
possible, I returned to my usual Web sites. At first, the ads on my
favorite Washington neighborhood blog, the Prince of Petworth, were
the same on both browsers. But less than two days later, an ad for
Mitt Romney suddenly appeared next to a story I was reading on
Firefox about Gore Vidal's burial. When I opened that page on Safari,
the ad in the exact same spot was for Catholic University's master's
program in human resources management.
How did Republican Jeff and Democratic Jeff end up seeing entirely
different ads? The answer is real-time bidding, a technology that's
transforming advertising, politics, news and the way we live online.
Advertisers compete in an auction for the opportunity to send ads to
individual consumers. Each time a company buys access to me, it can
bombard me with an ad that will follow me no matter where I show up
on the Web.
To dig deeper into my new identities, I visited the Web site of
BlueKai, one of the leading online data aggregators. The company's
software enables its customers to sort consumers into 30,000 market
segments like "light spenders" and "safety-net seniors," and this
fine-grained categorization helps make real-time bidding possible.
According to BlueKai, Republican Jeff is someone who makes between
$60,000 and $74,999 a year, lives in Portland, Me., is interested in
luxury cars, celebrities and TV, may have bought a cruise ticket, is
an ideal candidate to take out a mortgage and a "midscale thrift
spender." Democratic Jeff is someone who lives in Los Angeles, Long
Beach or Santa Ana, runs a large company with more than 5,001
employees and cares about advertising and marketing. Neither of these
profiles is accurate. Nevertheless, the pigeonholing of Republican
Jeff and Democratic Jeff represents our digital future.
...
http://www.nytimes.com/2012/12/02/magazine/who-do-online-advertisers-think-you-are.html
***** Moderator's Note *****
Did anyone ever figure out if Microsoft was collecting hidden cookies
that users can't erase? There was some talk about that being possible,
a few years back, but nothing lately.
What about "Flash cookies"? Are they real, and if so, how can I
control them?
Bill Horne
Moderator
TELECOM Digest is an electronic journal devoted mostly to telecom-
munications topics. It is circulated anywhere there is email, in
addition to Usenet, where it appears as the moderated newsgroup
'comp.dcom.telecom'.
TELECOM Digest is a not-for-profit, mostly non-commercial educational
service offered to the Internet by Bill Horne. All the contents
of the Digest are compilation-copyrighted. You may reprint articles in
some other media on an occasional basis, but please attribute my work
and that of the original author.
The Telecom Digest is moderated by Bill Horne.
This Digest is the oldest continuing e-journal about telecomm-
unications on the Internet, having been founded in August, 1981 and
published continuously since then. Our archives are available for
your review/research. We believe we are the oldest e-zine/mailing list
on the internet in any category!
URL information: http://telecom-digest.org
Copyright (C) 2012 TELECOM Digest. All rights reserved.
Our attorney is Bill Levant, of Blue Bell, PA.
Finally, the Digest is funded by gifts from generous readers such as
yourself who provide funding in amounts deemed appropriate. Your help
is important and appreciated. A suggested donation of fifty dollars
per year per reader is considered appropriate. See our address above.
Please make at least a single donation to cover the cost of processing
your name to the mailing list.
All opinions expressed herein are deemed to be those of the
author. Any organizations listed are for identification purposes only
and messages should not be considered any official expression by the
organization.
End of The Telecom Digest (10 messages)
Return to Archives ** Older Issues