Oh, Gosh!

This reminds me of those printed instructions on aluminum ladders: "Under no
circumstances use this ladder for CLIMBING."

We ordinary mortals are screwed. 

Nick 

-----Original Message-----
From: friam-boun...@redfish.com [mailto:friam-boun...@redfish.com] On Behalf
Of Parks, Raymond
Sent: Thursday, December 23, 2010 8:52 PM
To: 'friam@redfish.com'
Subject: Re: [FRIAM] Passwords

Folks,

  I decided to put my advice about securing home networks in this message,
along with password advice.

To secure your home network -

1. Use a firewall - either build one or buy one.  Most broadband routers
include a firewall.

2. Configure the firewall to deny all incoming traffic and only allow
minimal outgoing traffic (http and pop3/imap is a good starting set).  Note
that I did not include DNS or ICMP - these have long been used for
exfiltration.

3. If you have wireless -

  A. Use the best authentication/encryption you can - WPA2 not WEP.  We can
break the latter in minutes if you are generating traffic.

  B. Find a way to treat that traffic as untrusted - route it into your home
network as if it's from the Internet.  This will require setting up a VPN
(IPSEC comes with all modern OSes) and sending traffic directly out to the
Internet.  The VPN would be used to access the internal wired network, if
you insist.

4. If you really want to expose a service to the Internet - don't.  Use a
port-knocking solution (google it) that only opens the relevant port for a
brief time after you have hit the right sequence of ports.  Consider using a
non-standard port when it opens - many hotels and Internet cafes only allow
http (port 80) so you might run your ssh on that port to bypass filtering.

Passwords are only marginally secure.  The problem with the idea that Owen
cited is that many web-sites don't allow certain characters (usually a
subset or the full set of special characters) and/or restrict password
length.  One site I have to regularly fight with cuts off the password I set
without any indication.  Password length is important.  Most winders boxen
store and forward NTLM password hashes.  I just bought, off Newegg, three
systems with Nvidia GPUs that can each brute force 4-6 billion 8 character
NTLM passwords per minute.  You can rent GPUs off the cloud and folks have
demonstrated using that for MD5 hash cracking.  If you have the patience,
you can double performance with ATI GPUs.  Most websites use MD5 password
hashes - which are usually weaker than NTLM.

I use a password formula which I mix up and customize to fit each web-site's
peculiarities.  This method can be frustrating - but I get by.

Ray Parks
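
The port-knocking gate Ray describes in point 4, as an added example that is not part of his message or of any particular knock daemon: a per-source state machine that only grants access to the service port after the secret sequence has been hit in order, each knock within a short timeout of the previous one, and that closes the door again after a fixed interval. The port numbers, addresses and timings are constructed for the demonstration; the `sequential_scan_opens` check at the end is the test a defender would want, confirming that a plain linear port sweep (the kind Owen saw within two hours) never stumbles into the open state. A firewall rule would consult `is_allowed` before accepting a packet to the service port.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KnockEvent:
    """One observed connection attempt: time (seconds), source address, destination port."""
    t: float
    src: str
    dport: int


class KnockGate:
    """Per-source progress through a secret knock sequence (hypothetical helper).

    A source that hits every port in `sequence`, in order, each within
    `step_timeout` seconds of the previous correct knock, earns `open_for`
    seconds of access to `service_port`.  Any other port resets that source.
    """

    def __init__(self, sequence, service_port, step_timeout=5.0, open_for=30.0):
        if len(set(sequence)) != len(sequence) or service_port in sequence:
            raise ValueError("knock ports must be distinct and must not include the service port")
        self.sequence = list(sequence)
        self.service_port = service_port
        self.step_timeout = step_timeout
        self.open_for = open_for
        self._progress = {}     # src -> (index of next expected port, time of last correct knock)
        self._open_until = {}   # src -> time at which the door closes again

    def observe(self, ev: KnockEvent) -> bool:
        """Feed one event; return True only when this event completes the sequence."""
        idx, last = self._progress.get(ev.src, (0, None))
        if last is not None and ev.t - last > self.step_timeout:
            idx = 0                      # too slow between knocks: start over
        if ev.dport == self.sequence[idx]:
            idx += 1
        elif ev.dport == self.sequence[0]:
            idx = 1                      # wrong port, but it is the first knock: restart from it
        else:
            idx = 0                      # any other port (a scan, a typo) resets progress
        if idx == len(self.sequence):
            self._open_until[ev.src] = ev.t + self.open_for
            self._progress.pop(ev.src, None)
            return True
        if idx == 0:
            self._progress.pop(ev.src, None)
        else:
            self._progress[ev.src] = (idx, ev.t)
        return False

    def is_allowed(self, src: str, dport: int, t: float) -> bool:
        """Would the firewall accept a packet from src to dport at time t?"""
        return dport == self.service_port and self._open_until.get(src, float("-inf")) > t


def sequential_scan_opens(gate: KnockGate, src: str, first_port: int, last_port: int) -> bool:
    """Replay a linear port sweep against the gate; True if the sweep ever opens the door."""
    t = 0.0
    for port in range(first_port, last_port + 1):
        t += 0.001
        if gate.observe(KnockEvent(t, src, port)):
            return True
    return False


if __name__ == "__main__":
    # Constructed scenario: ssh moved to 2222, knock sequence deliberately non-monotonic
    # so that an ascending sweep cannot complete it.
    gate = KnockGate([7000, 9000, 8000], service_port=2222)
    client = "192.0.2.10"
    for t, port in [(0.0, 7000), (1.0, 9000), (2.0, 8000)]:
        print(f"knock {port} at t={t}: completed={gate.observe(KnockEvent(t, client, port))}")
    print("ssh allowed at t=10:", gate.is_allowed(client, 2222, 10.0))
    print("ssh allowed at t=40:", gate.is_allowed(client, 2222, 40.0))
    print("linear sweep opens door:", sequential_scan_opens(KnockGate([7000, 9000, 8000], 2222), "198.51.100.7", 1, 10000))
```

Two design points: the sequence must not be a monotonic run of ports, or a sweep in that direction completes it for free; and a knock on the wrong port resets progress rather than being ignored, which is what keeps random scanning from accumulating partial credit.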

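The password paragraph makes two claims worth seeing in numbers: that length is what matters against the GPU rates Ray quotes, and that unsalted MD5 is weaker than it looks because one precomputed table serves every site and every user. This added example, not code from Ray's message, puts both side by side: the keyspace arithmetic uses his figure of 4-6 billion 8-character NTLM guesses per minute (midpoint taken) and a 95-symbol printable alphabet, and the hashing half contrasts an unsalted MD5 lookup with salted, iterated PBKDF2-HMAC-SHA256 from the standard library. The word list and passwords are constructed.

```python
import hashlib
import hmac
import os

# Rate quoted in Ray's message: one GPU system brute-forces 4-6 billion
# 8-character NTLM passwords per minute.  Midpoint, converted to per second.
NTLM_GUESSES_PER_SECOND = 5_000_000_000 / 60
PRINTABLE_ASCII = 95                 # printable symbols on a US keyboard
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, alphabet_size=PRINTABLE_ASCII):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def years_to_exhaust(length, alphabet_size=PRINTABLE_ASCII, guesses_per_second=NTLM_GUESSES_PER_SECOND):
    """Worst-case years to try every password of this length at this rate (one GPU box)."""
    return keyspace(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


def md5_lookup_table(wordlist):
    """Unsalted MD5: one precomputed table answers for every site and every user."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}


def lookup_unsalted_md5(stored_hex, table):
    """Password behind an unsalted MD5 digest, or None.  Cost: one dict lookup."""
    return table.get(stored_hex)


def hash_password(password, salt=None, iterations=100_000):
    """Salted, iterated PBKDF2-HMAC-SHA256.  Returns (salt, digest) for storage."""
    if salt is None:
        salt = os.urandom(16)           # per-user random salt defeats shared tables
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password, salt, digest, iterations=100_000):
    """Recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo():
    """Run the comparison on a constructed word list; returns the results as a dict."""
    wordlist = ["password", "letmein", "friam2010"]       # constructed sample
    table = md5_lookup_table(wordlist)
    # Two sites both store the unsalted MD5 of the same user password.
    stored_a = hashlib.md5(b"letmein").hexdigest()
    stored_b = hashlib.md5(b"letmein").hexdigest()
    # The same password stored properly on two sites: different salts, different digests.
    salt_a, digest_a = hash_password("letmein")
    salt_b, digest_b = hash_password("letmein")
    return {
        "md5_hit_a": lookup_unsalted_md5(stored_a, table),
        "md5_same_everywhere": stored_a == stored_b,
        "pbkdf2_digests_differ": digest_a != digest_b,
        "verify_ok": verify_password("letmein", salt_a, digest_a),
        "verify_wrong": verify_password("letmeout", salt_a, digest_a),
        "years_8_chars": years_to_exhaust(8),
        "years_12_chars": years_to_exhaust(12),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

At Ray's quoted rate a single box needs about two and a half years to exhaust every 8-character printable password, but over a hundred million years for 12 characters; the three boxes he bought, or rented cloud GPUs, scale the first figure down linearly and leave the second out of reach. The salt is what stops a table built once from being reused, and the iteration count is what makes each guess cost more than a single MD5.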

----- Original Message -----
From: Owen Densmore [mailto:o...@backspaces.net]
Sent: Wednesday, December 22, 2010 09:57 AM
To: The Friday Morning Applied Complexity Coffee Group <friam@redfish.com>
Subject: [FRIAM] Passwords

I recently added a mac mini to my digital ecology, and it got me bustling
about tidying up a bit.

One area is logins.  I fixed the mini so that I can ssh to it, but only via
crypto (ssh-keygen) keys.  I had a port-scan within 2 hours of forwarding
port 22 from my airport, so feel that passwords simply are a Bad Idea in
this day and age.

My ISP also lets me use key pairs so that got me thinking about alternatives
to name/password logins.

Now, I *do* believe passwords can be made reasonably secure:
http://goo.gl/jqV7w .. maybe even more secure than key/pairs which can be
compromised stealing my laptop.

So a few questions about your experiences:
- Can I use public keys for heavily used sites (gmail, amazon, ...)?
- Is openID a reasonable alternative? http://openid.net http://goo.gl/BOpg
- Do you have a name/password strategy that you like?
- Any other alternatives?

    -- Owen
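
Owen's "ssh only via keys" setup is worth being able to verify rather than assume, since sshd's defaults re-enable password and keyboard-interactive login whenever the directives are simply absent. This added example, not part of Owen's message or of OpenSSH itself, parses an sshd_config text the way sshd reads it (first value seen for a keyword wins, `Keyword value` or `Keyword=value`, comments stripped, everything after the first `Match` line treated as conditional and left for a separate check) and reports every directive that departs from a key-only policy. The default values, the two sample configs and the non-standard port are constructed for the demonstration.

```python
import re

# sshd's own defaults for the directives that matter here (values a missing line falls back to).
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
}

# What a key-only server must end up with.  permitrootlogin is checked separately.
REQUIRED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
}

# Older name for the same switch; newer sshd treats it as an alias.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Effective global value of each keyword, lower-cased.

    sshd keeps the first value it reads for a keyword and ignores later
    duplicates.  Parsing stops at the first Match block because anything
    below it applies only when the Match criteria hold.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        key, value = (m.group(1), m.group(2)) if m else (line, "")
        key = ALIASES.get(key.lower(), key.lower())
        if key == "match":
            break
        effective.setdefault(key, value.strip().lower())
    return effective


def audit_sshd_config(text):
    """List of (keyword, effective value, required value) that violate key-only login."""
    effective = parse_sshd_config(text)
    findings = []
    for key, required in REQUIRED.items():
        actual = effective.get(key, SSHD_DEFAULTS[key])
        if actual != required:
            findings.append((key, actual, required))
    root = effective.get("permitrootlogin", SSHD_DEFAULTS["permitrootlogin"])
    if root == "yes":
        findings.append(("permitrootlogin", root, "no or prohibit-password"))
    return findings


# Constructed sample: what a hardened file for Owen's mini might look like.
HARDENED = """
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
PasswordAuthentication yes    # ignored by sshd: the first value above wins
Match User backup
    PasswordAuthentication yes
"""

# Constructed sample: a file that sets almost nothing, so the defaults apply.
LOOSE = """
Port 22
PermitRootLogin yes
"""


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("loose", LOOSE)):
        print(name, "->", audit_sshd_config(cfg) or "key-only policy satisfied")
```

The `Match User backup` block in the hardened sample is deliberately left un-audited: it re-enables passwords for one account, which is exactly the kind of exception this parser stops at and a reviewer should read by hand. Run `sshd -T` on the host to see the fully resolved configuration if the file includes other files or you want sshd's own view rather than this parser's.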



============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College lectures, archives,
unsubscribe, maps at http://www.friam.org


