*hugs!*

--
Espi




On Fri, Mar 16, 2012 at 9:48 AM, Kurt Buff <kurt.b...@gmail.com> wrote:

> Keep reading - I regularly get shredded here.
>
> I know it's done with love though, so I don't mind too much.
>
> Kurt
>
> On Fri, Mar 16, 2012 at 04:18, Mack Bolan <mack.bola...@gmail.com> wrote:
>
>> Wow!  That may be the best post I've ever read.  It's like you do this
>> for a living!  :)
>>
>> Mack S. Bolan
>>
>>
>>
>>
>> On Fri, Mar 16, 2012 at 6:05 AM, Andrew S. Baker <asbz...@gmail.com> wrote:
>>
>>>  All great info, but so very totally out of context relative to the
>>> thread.
>>>
>>>    - You posted about the relative security of passphrases
>>>    - Discussion ensued about this relative to traditional passwords
>>>    - People made various assertions to the need to continue protecting
>>>    against insider threats
>>>    - You post something which strongly suggests that insider threats
>>>    are not the threats we should be looking for
>>>    - People request clarification about your assertion, pointing out
>>>    that insider threats have not gone away
>>>    - You revert to form with classic discussion evasion and
>>>    misdirection tactics
>>>
>>>
>>> *ASB*
>>> *http://XeeMe.com/AndrewBaker*
>>> *Harnessing the Advantages of Technology for the SMB market…*
>>>
>>>
>>>
>>> On Fri, Mar 16, 2012 at 12:18 AM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>>
>>>> Not really - the original article was interesting, and a good starting
>>>> point for discussion.
>>>>
>>>> My point in response to Doug was not that the insider threat has
>>>> disappeared but that the blanket statement that inside threats might no
>>>> longer be dominant - something that I believe is probably true, with the
>>>> rise of organized crime and hacktivism.
>>>>
>>>>
>>>> Kurt
>>>>
>>>> On Thu, Mar 15, 2012 at 19:53, Andrew S. Baker <asbz...@gmail.com> wrote:
>>>>
>>>>> It's not like insider threats have plummeted to 0.
>>>>>
>>>>> The fact is that most organizations do not need to call for external
>>>>> infosec resources for insider threats.
>>>>>
>>>>> The Verizon security team dealt with ~855 cases worldwide.  That's a
>>>>> good sample size for obtaining data about specific attacks, but it's not
>>>>> so large that it's fully representative of the entire attack landscape.
>>>>>
>>>>> The discussion here was about passwords, which I hope you'd remember
>>>>> considering you started it.  Thus, within the context of the thread
>>>>> itself, the focus is on the usefulness and viability of strong passwords
>>>>> whether in the standard format, or as a passphrase.
>>>>>
>>>>> This other stuff you added is not really germane to the discussion,
>>>>> unless your goal is simply to hijack your own thread.
>>>>>
>>>>> *ASB*
>>>>> *http://XeeMe.com/AndrewBaker*
>>>>> *Harnessing the Advantages of Technology for the SMB market…*
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Mar 15, 2012 at 6:43 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>>>>
>>>>>> Perhaps you might want to rethink your threat model:
>>>>>>
>>>>>> http://www.darkreading.com/database-security/167901020/security/attacks-breaches/232601717/new-verizon-breach-data-shows-outside-threat-dominated-2011.html
>>>>>>
>>>>>> On Thu, Mar 15, 2012 at 13:50, Doug Hampshire <dhampsh...@gmail.com> wrote:
>>>>>>
>>>>>>>  Are you sure about that? The vast majority of security incidents
>>>>>>> happen on the inside of your network from known individuals. Also it was
>>>>>>> addressing offline brute force attacks. Most online systems have lockout
>>>>>>> policies and other countermeasures to limit exposure to brute force
>>>>>>> attacks.
>>>>>>>
>>>>>>> On Thu, Mar 15, 2012 at 2:49 PM, Crawford, Scott <
>>>>>>> crawfo...@evangel.edu> wrote:
>>>>>>>
>>>>>>>>  I'd rather have "good" passwords written down on a sticky note
>>>>>>>> accessible only to a limited number of coworkers than "bad" passwords
>>>>>>>> that can be exploited by any black-hat on the internet.
>>>>>>>>
>>>>>>>> Sent from my Windows Phone
>>>>>>>>  ------------------------------
>>>>>>>> From: Heaton, Joseph@DFG
>>>>>>>> Sent: 3/15/2012 11:07 AM
>>>>>>>> To: NT System Admin Issues
>>>>>>>> Subject: RE: Worth some consideration...
>>>>>>>>
>>>>>>>>
>>>>>>>>  Wait… I’m NOT supposed to write my password on a sticky note?
>>>>>>>> How am I supposed to let my coworker use my login, then?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Joe Heaton
>>>>>>>>
>>>>>>>> ITB – Windows Server Support
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> *From:* Andrew S. Baker [mailto:asbz...@gmail.com]
>>>>>>>> *Sent:* Thursday, March 15, 2012 7:49 AM
>>>>>>>> *To:* Heaton, Joseph@DFG; NT System Admin Issues
>>>>>>>> *Subject:* Re: Worth some consideration...
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> That's an implementation problem.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> If I choose a passphrase of "Mary had a little lamb" then of course
>>>>>>>> that will be relatively weak as passphrases go.  That is not an
>>>>>>>> inherent weakness of passphrases, but of people.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Lots of things are undermined by poor choices.   Completely random
>>>>>>>> 20 character passwords with a unicode character set are undermined by
>>>>>>>> having them posted on sticky notes.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> We didn't need a whole article to point that out.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> *ASB*
>>>>>>>>
>>>>>>>> *http://XeeMe.com/AndrewBaker*
>>>>>>>>
>>>>>>>> *Harnessing the Advantages of Technology for the SMB market…*
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>  On Thu, Mar 15, 2012 at 10:12 AM, Kurt Buff <kurt.b...@gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> http://arstechnica.com/business/news/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices.ars
>>>>>>>>
>>>>>>>> By Dan Goodin
>>>>>>>> Ars Technica
>>>>>>>> March 14, 2012
>>>>>>>>
>>>>>>>> Passwords that contain multiple words aren't as resistant as some
>>>>>>>> researchers expected to certain types of cracking attacks, mainly
>>>>>>>> because users frequently pick phrases that occur regularly in
>>>>>>>> everyday speech, a recently published paper concludes.
>>>>>>>>
>>>>>>>> Security managers have long regarded passphrases as an
>>>>>>>> easy-to-remember way to pack dozens of characters into the string
>>>>>>>> that must be entered to access online accounts or to unlock private
>>>>>>>> encryption keys. The more characters, the thinking goes, the harder
>>>>>>>> it is for attackers to guess or otherwise crack the code, since
>>>>>>>> there are orders of magnitude more possible combinations.
>>>>>>>>
>>>>>>>> But a pair of computer scientists from Cambridge University has
>>>>>>>> found that a significant percentage of passphrases used in a
>>>>>>>> real-world scenario were easy to guess. Using a dictionary
>>>>>>>> containing 20,656 phrases of movie titles, sports team names, and
>>>>>>>> other proper nouns, they were able to find about 8,000 passphrases
>>>>>>>> chosen by users of Amazon's now-defunct PayPhrase system. That's an
>>>>>>>> estimated 1.13 percent of the available accounts. The promise of
>>>>>>>> passphrases' increased entropy, it seems, was undone by many users'
>>>>>>>> tendency to pick phrases that are staples of the everyday lexicon.
>>>>>>>>
>>>>>>>> "Our results suggest that users aren't able to choose phrases made
>>>>>>>> of completely random words, but are influenced by the probability
>>>>>>>> of a phrase occurring in natural language," researchers Joseph
>>>>>>>> Bonneau and Ekaterina Shutova wrote in the paper (PDF), which is
>>>>>>>> titled "Linguistic properties of multi-word passphrases."
>>>>>>>> "Examining the surprisingly weak distribution of phrases in natural
>>>>>>>> language, we can conclude that even 4-word phrases probably provide
>>>>>>>> less than 30 bits of security which is insufficient against offline
>>>>>>>> attack," the paper says.
>>>>>>>>
>>>>>>>>
>>>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>>>
>>> ---
>>> To manage subscriptions click here:
>>> http://lyris.sunbelt-software.com/read/my_forums/
>>> or send an email to listmana...@lyris.sunbeltsoftware.com
>>> with the body: unsubscribe ntsysadmin
>>>