Drupal Camp NH May 22 SNHU Manchester

2010-04-27 Thread Ted Roche
DrupalCampNH will take place May 22nd at SNHU Manchester. Drupal is GPL
licensed software, running a classic LAMP stack. Drupal Camp appears to
be a locally-organized event. An admission ticket can be purchased
online for $5. See details and register at http://drupalcampnh.org/

Attendance is limited and they're already down to 27 ^H^H 26 -- going
fast! -- tickets this morning.

From the site:

Why DrupalCamp?

This first DrupalCamp in NH has been structured to be a training day for
new drupalers, and those interested in learning about Drupal. Our goal
is to provide valuable information for those users, and help grow the
New Hampshire Drupal community by making it more accessible to users
with new and varied interest.

Structured sessions will provide a start to finish overview of
everything you should know when putting together a Drupal site from
scratch. Topics include setting up infrastructure, Drupal Basics, CCK
(Content types), Views and other important contributed modules, along
with theming to round off the training.



-- 
Ted Roche
Ted Roche & Associates, LLC
http://www.tedroche.com

___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/


bogus emails looking for money

2010-04-27 Thread Lloyd Kvam
A friend's webmail account (@msn.com) appears to have been hacked.  I
received a request to wire $1470 to London (UK) to help her out.  She
was mugged and lost her cash and credit cards.

Is there any place to report this sort of email that might actually do
some good?

I'll start with ab...@msn.com, but would love to find out about better
alternatives.

-- 
Lloyd Kvam
Venix Corp
DLSLUG/GNHLUG library
http://dlslug.org/library.html
http://www.librarything.com/catalog/dlslug
http://www.librarything.com/rsshtml/recent/dlslug
http://www.librarything.com/rss/recent/dlslug



Re: bogus emails looking for money

2010-04-27 Thread Derek Atkins
Lloyd Kvam  writes:

> A friend's webmail account (@msn.com) appears to have been hacked.  I
> received a request to wire $1470 to London (UK) to help her out.  She
> was mugged and lost her cash and credit cards.
>
> Is there any place to report this sort of email that might actually do
> some good?
>
> I'll start with ab...@msn.com, but would love to find out about better
> alternatives.

Mostly you should just tell your friend to change their password.  And
check the email addresses linked to their account.

-derek

-- 
   Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
   Member, MIT Student Information Processing Board  (SIPB)
   URL: http://web.mit.edu/warlord/PP-ASEL-IA N1NWH
   warl...@mit.edu    PGP key available


Re: bogus emails looking for money

2010-04-27 Thread Joel Burtram
I had a friend with an IDENTICAL story... Stuck in London, she had been
robbed and desperately needed money to get home.
Turns out her facebook account had been hacked (probably poor password
security).
Anyway, these guys even went as far as start chatting with me on IM (MSN and
FB chat), attempting to get me to wire money to some foreign bank.
Being a natural born cynic, compounded by bad English and too short answers,
I smelled a rat.  I tried to trap the person on the other end - started
asking personal questions that my friend should have known about my family,
that shut down the conversation and they immediately logged off.
I told her about the hack and then reported it to msn and facebook
"authorities", but nothing ever came of it.

AFAIK no one really cares, unless you have some physical evidence or a
location on the offenders.
Anecdotal evidence: Another friend of mine contacted the FBI in a different
internet scam (the old cash for cashiers check scam).  The local field
office asked him if he knew who the defrauders were or where to find them,
he didn't, so the agent thanked him for the report and brushed him off.

You could do some inter-web investigating on your own, but it's not easy to
track down black-hats in a foreign country who are relaying all over the
world -  you'll likely end up angry and frustrated.

Keep the group updated on any developments, I'm curious to know if you get
anywhere.

Good hunting.
-- Joel



On Tue, Apr 27, 2010 at 12:18 PM, Lloyd Kvam  wrote:

> A friend's webmail account (@msn.com) appears to have been hacked.  I
> received a request to wire $1470 to London (UK) to help her out.  She
> was mugged and lost her cash and credit cards.
>
> Is there any place to report this sort of email that might actually do
> some good?
>
> I'll start with ab...@msn.com, but would love to find out about better
> alternatives.
>


Password Card (was: Re: bogus emails looking for money)

2010-04-27 Thread Chip Marshall
On 27-Apr-2010, Joel Burtram  sent:
> Turns out her facebook account had been hacked (probably poor
> password security).

Speaking of password security, I saw this on some RSS feed the
other day: http://passwordcard.org/

Seems like an interesting idea, at least a step up from the
classic password-on-a-postit. Though if your card is ever stolen,
it does narrow down the amount of trying that someone would have
to do to brute force your accounts.

-- 
Chip Marshall 
http://weblog.2bithacker.net/    KB1QYW    PGP key ID 43C4819E
v4sw5PUhw4/5ln5pr5FOPck4ma4u6FLOw5Xm5l5Ui2e4t4/5ARWb7HKOen6a2Xs5IMr2g6CM




Re: Password Card (was: Re: bogus emails looking for money)

2010-04-27 Thread Tom Buskey
On Tue, Apr 27, 2010 at 1:37 PM, Chip Marshall  wrote:

> On 27-Apr-2010, Joel Burtram  sent:
> > Turns out her facebook account had been hacked (probably poor
> > password security).
>
> Speaking of password security, I saw this on some RSS feed the
> other day: http://passwordcard.org/
>
> Seems like an interesting idea, at least a step up from the
> classic password-on-a-postit. Though if your card is ever stolen,
> it does narrow down the amount of trying that someone would have
> to do to brute force your accounts.
>
>
Some of the paper planner things recommend encrypting information (financial
records) on their journals in various ways.

Telegraphers had various codes to encrypt/condense the data in the Victorian
era.  FWIW, the French had an optical telegraph that could be read by anyone
that could see the towers so those codes could be more important than just
for electrical telegraphs.

I like those various encrypted databases that can run on my phone that I
always have with me.


Re: OpenStreetMap compatible GPS?

2010-04-27 Thread Joshua Judson Rosen
Benjamin Scott  writes:
>
> On Mon, Apr 26, 2010 at 3:02 PM, Joshua Judson Rosen
>  wrote:
> > And *then* we discovered just how much better the OSM maps can be
> > than the proprietary ones ... which makes perfect sense to me,
> > since there's actually a way for bugs to be reported and fixed in
> > OSM
> 
>   One of the selling points of the TomTom is that they have a
> mechanism for users to report updates back to the overmind.  I don't
> know how well it works, but they do advertise the capability.

Hunh--that's news to me. But now I see it on their website.

Looks like it requires regular map-update purchases

>   Updated commercial map sets are still way expensive, though.
>   $80?!?  Yikes!

I'm pretty sure that the `$80 for one update' option is just the
`decoy effect' in action: it's there to show people that `$40 per year'
is `cheap' (even if you just want one update--throw the other 3 away,
and you're still saving $40!).


> > Of course, then we decided shortly thereafter that the whole `GPS thing'
> > seemed mostly stupid as far as we were concerned anyway[1],
> 
>   I've got a set of paper road atlases which still serve me pretty
> well.  Very large display surface, with excellent image quality, and
> they work *better* in bright sunlight.  But they're getting out of
> date, and are rather tattered.  I've considered just buying new paper
> maps, but have been pondering GPS, too.  This thread is of interest to
> me.
> 
>   Electronic maps do have their advantages.

Oh, of course. The classic issue of which features are defined as
`advantageous' varying from user to user applies as well here as
anywhere else, though--including some `features' for one type of user
being `misfeatures' for another.

> Compact.

i.e.: the display's too small, and it gets lost too easily? ;)

> The spot you're looking at will never be obscured by the boundary
> between two map pages.

Fold-out maps. Then we're just back to the `25+ inches of monitor
is too big' thread :)

> Route finding and estimating is useful if you're already on
> the road and want to make an unexpected change.  Audible turn-by-turn
> directions are useful if you get confused on your way to a new-to-you
> location.

See, these were the things that made me think `this whole GPS thing
is stupid'--it's so tempting to use features like that, but I've
invariably found that the `seat-of-the-pants technology' results
in `knowing where I'm going without really having any idea where
I *am* at any given point in time', which is just... perturbing.
Especially when, say, a frozen body of water next to the road
suddenly causes a multipath effect that makes the unit think that
it's somewhere else until I'm well past a turn that I needed.

I was delighted when I found applications that focused on just showing
me a map with a `you are here' marker and indicators as to where I was
in relation to where I wanted to be; creating, storing, and loading
traces; managing waypoints and points of interest; and other sorts of
`here's all of the information you need in an easy-to-grok form, learn
something from it' stuff for which I would have previously used a set
of paper maps.

Of course, the real `killer feature' for me is being able to change
the feature-set and add things that upstream didn't think of, e.g.:


http://www.hackerposse.com/~rozzin/weblog/VisualIDs/mapping-with-visualids.html

> Route recording appeals to those who want to track where
> they've been, when (for whatever reason).

Some like that just as a sort of extended `you are here' dot.
Others like to use it to show other people where they've been,
or to create traces to extend OpenStreetMap where the existing
coverage is poor. Or to help find their way back when travelling
off-road or in other similar situations.

>   So I'm also wondering about good brands/models to buy, for the Linux
> user who prefers to avoid MS Windows.

I use my FreeRunner :)

If I were buying something right now, the Touch Book looks really neat
for GPS/mapping/navigation:

http://www.youtube.com/watch?v=PK6jVxd_o14

http://www.alwaysinnovating.com/touchbook/


-- 
"Don't be afraid to ask (λf.((λx.xx) (λr.f(rr."



Re: bogus emails looking for money

2010-04-27 Thread Jerry Feldman
On 04/27/2010 12:51 PM, Derek Atkins wrote:
> Lloyd Kvam  writes:
>
>   
>> A friend's webmail account (@msn.com) appears to have been hacked.  I
>> received a request to wire $1470 to London (UK) to help her out.  She
>> was mugged and lost her cash and credit cards.
>>
>> Is there any place to report this sort of email that might actually do
>> some good?
>>
>> I'll start with ab...@msn.com, but would love to find out about better
>> alternatives.
>> 
> Mostly you should just tell your friend to change their password.  And
> check the email addresses linked to their account.
>   
We recently got a couple of SPAM messages from one of our members' gmail
accounts on the BLU discussion list. After I contacted him, he then
changed his password to a more secure password.

Actually, after looking at the email headers, it was in fact a hacked
gmail webmail account. I'm not sure what gmail (in this case) or msn (in
Lloyd's case) can really do at this point, but worth a try.

Even worse is the hijacking of from addresses. I'm not sure how to
prevent that.

-- 
Jerry Feldman 
Boston Linux and Unix
PGP key id: 537C5846
PGP Key fingerprint: 3D1B 8377 A3C0 A5F2 ECBB  CA3B 4607 4319 537C 5846






Re: bogus emails looking for money

2010-04-27 Thread Lloyd Kvam
On Tue, 2010-04-27 at 12:53 -0400, Joel Burtram wrote:
> Keep the group updated on any developments, I'm curious to know if you
> get anywhere.

I don't think there will be anything much to report.  My friend called
in.  She and her husband were on the phone with Microsoft trying to get
the account shut down.  Unless Microsoft gets in touch with me for more
data on the emails there will be nothing more.

I guess law-enforcement is not nimble enough to deal with these kinds of
hoaxes.




Re: bogus emails looking for money

2010-04-27 Thread Ken D'Ambrosio
> I don't think there will be anything much to report.  My friend called
> in.  She and her husband were on the phone with Microsoft trying to get
> the account shut down.  Unless Microsoft gets in touch with me for more
> data on the emails there will be nothing more.

Do bear in mind that it's insanely easy to forge "from" headers; unless
they actually ask you to respond to the e-mail address, I'd even put that
down as most-likely hypothesis, barring contradictory evidence in the
headers.

> I guess law-enforcement is not nimble enough to deal with these kinds of
> hoaxes.

Sadly, the general rule is they don't get involved until there's
significant loss incurred.  That's not dyed in the wool, but they simply
don't have anything like the resources to go after every phishing attack,
419 scammer, "lottery winner," etc.  Especially since a non-trivial number
of these originate from overseas.  The Interwebtubes(tm) sure is a great
thing, but it also makes scammers w-a-y more able to get around.

$.02,

-Ken



Re: bogus emails looking for money

2010-04-27 Thread Ken D'Ambrosio
Wups!  Mea culpa -- clearly, that wasn't the case, as the e-mail
originated from someone you knew.  In which case, it was probably a weak
password crack.  I, myself, got bitten by that using what *I*, at least,
thought was a fairly esoteric password.  But my account provider ran the
couple-million passwords[1] against all the accounts, and disabled the
accounts that had hits, and lo!  Mine was one of 'em.


[1] 32 million passwords stolen: http://tinyurl.com/3xwg2lm

Do bear in mind that it's insanely easy to forge "from" headers; unless
they actually ask you to respond to the e-mail address, I'd even put that
down as most-likely hypothesis, barring contradictory evidence in the
headers.




> I guess law-enforcement is not nimble enough to deal with these kinds of
> hoaxes.

Sadly, the general rule is they don't get involved until there's
significant loss incurred.  That's not dyed in the wool, but they simply
don't have anything like the resources to go after every phishing attack,
419 scammer, "lottery winner," etc.  Especially since a non-trivial number
of these originate from overseas.  The Interwebtubes(tm) sure is a great
thing, but it also makes scammers w-a-y more able to get around.

$.02,

-Ken



Re: bogus emails looking for money

2010-04-27 Thread Benjamin Scott
  To echo what others have said: I would suggest: Perform damage
control, identify the vulnerability (e.g., weak password, browsing
from a public terminal, etc.), take corrective action, and move on.

  Trying to "catch" the offenders is a hopeless proposition.
They're usually impossible to trace.  When it is possible, it's almost
never cost-effective.  If you do trace them, chances are you'll find
they're in a jurisdiction where prosecution is difficult.  Best case,
you and others spend a lot of time, effort, and money prosecuting
someone, they get hit with a $500 fine, and continue doing the same
thing.  Even if that individual sees the light, tens of thousands more
will continue.

  The abuse desks at big services (MSN, Gmail, etc.) are perpetually
deluged in a flood of reports.  Contacting them with anything less
than a major-network-news-worthy DoS attack is a waste of your time.

-- Ben


Re: bogus emails looking for money

2010-04-27 Thread Joshua Judson Rosen
Jerry Feldman  writes:
>
> Even worse is the hijacking of from addresses. I'm not sure how to
> prevent that.

There are some partly technical, partly social things like DKIM that you
can deploy on your domains to try to help improve the system as a whole
(not your system, *the* system)--some receiving servers honour it now,
and adoption will presumably accelerate more as it accelerates more

My first suggestion, though--and the easiest to implement--would be
toward addressing the more `social' issues that allow these problems
to bootstrap: stop calling it "hijacking"--you wouldn't use that term
for USPS-based mail fraud, because it would mean something completely
different if you did ("someone hijacked my PO box and sent postcards
claiming to be me").

-- 
"Don't be afraid to ask (λf.((λx.xx) (λr.f(rr."



Re: bogus emails looking for money

2010-04-27 Thread Benjamin Scott
On Tue, Apr 27, 2010 at 3:21 PM, Ken D'Ambrosio  wrote:
> I, myself, got bitten by that using what *I*, at least,
> thought was a fairly esoteric password.

  If you're still using a passWORD on today's Internet, you're already
in a very high risk category.  Using an English word for a password is
supposed to be roughly equivalent to using "12 bit encryption" or
something like that.

  I recommend complex passphrases, minimum 15 characters in length,
containing a mixture of upper- and lower-case letters, digits, spaces,
and punctuation.

  Generally speaking, a phrase like "Ben eats purple paperclips?
Why?" is much easier for people to remember than a shorter but
completely random string of random characters, and just about as
strong.

  *NEVER* use the same password on more than one system.  A lot of
people use the same password everywhere, or have a "system" they use
to derive passwords formulaically.  This is a very bad idea.  Systems
get compromised and password loggers installed all the time.  Now one
compromised account becomes *all* your accounts.

  In most cases, changing your password frequently is not worth it.
Far better to use strong, unique passwords.

  *NEVER* use anything but a trusted terminal to log in to a website.
That means "Internet cafe" computers, public library computers,
computers belonging to friends/family, etc., are all out.  Unless you
have very strong evidence to the contrary, you should assume every
computer you encounter is compromised.  Because it probably is.

  (The above applies to assets actually worth protecting.  I use cheap
passwords on some sites (mainly message boards I've had to log into
once) simply because I don't care if my account is hijacked.)

-- Ben


Re: OpenStreetMap compatible GPS?

2010-04-27 Thread Benjamin Scott
On Tue, Apr 27, 2010 at 2:25 PM, Joshua Judson Rosen
 wrote:
> I'm pretty sure that the `$80 for one update' option is just the
> `decoy effect' in action: it's there to show people that `$40 per year'
> is `cheap' ...

  Ah, good point!

>> The spot you're looking at will never be obscured by the boundary
>> between two map pages.
>
> Fold-out maps.

  The spot you're looking at will *still* be right on the edge between
two plates.  It's a corollary to Finagle's law.  And fold-out maps are
a serious impediment to operating a motor vehicle.

> See, these were the things that made me think `this whole GPS thing
> is stupid'--it's so tempting to use features like that, but I've
> invariably found that the `seat-of-the-pants technology' results
> in `knowing where I'm going without really having any idea where
> I *am* at any given point in time', which is just... perturbing.

  I've actually had fairly good results using GPS units belonging to
friends.  They were not perfect, but nothing is.  I've made mistakes
plotting routes manually, too.

  I do much prefer to plan my route ahead of time, but sometimes life
doesn't work that way.  I'd rather have the option.  To me, it seems
stupid to deliberately avoid a capability just because it does not
work perfectly.

  In particular, real-time routefinding with turn-by-turn directions
wins big in situations such as "the road I was planning on using is
closed" or "I just missed my turn".  It's not always feasible to stop
and consult the map.  (In Boston, it can be downright suicidal.)  And
even in situations where I can plan my route, the ability to listen
for real-time updates, rather than peering around at street signs
(instead of the street ahead of me) makes for safer driving.

> Especially when, say, a frozen body of water next to the road
> suddenly causes a multipath effect that makes the unit think that
> it's somewhere else until I'm well past a turn that I needed.

  The software on anything decent made in the past several years is
generally smart enough to monitor velocity and ignore data that would
yield physically impossible results.

> I was delighted when I found applications that focused on just showing
> me a map with a `you are here' marker and indicators as to where I was
> in relation to where I wanted to be ...

  What were you using that couldn't do that?  I've honestly never seen
a GPS that did not have that capability.  Indeed, that's all you had
at first (beyond a simple lat/long readout).  Routefinding and
turn-by-turn directions are the newer features.

> I use my FreeRunner :)

  I have a phone provided by work, and it's not that.  Plus you can
generally get a bigger screen if you're not locked into the phone form
factor.  Something about 3x5 inches seems optimal for dashboard
placement.

> If I were buying something right now, the Touch Book looks really neat
> for GPS/mapping/navigation:

  Too big to fit on my dashboard.

  I already have a laptop I can use for "pull over and consult the
map" situations.

  But ultimately, if you don't want a GPS, by all means, don't buy
one.  Those of us who do want one would like to know what's good to
buy.

-- Ben


Re: bogus emails looking for money

2010-04-27 Thread Lloyd Kvam
On Tue, 2010-04-27 at 15:17 -0400, Ken D'Ambrosio wrote:
> > I don't think there will be anything much to report.  My friend called
> > in.  She and her husband were on the phone with Microsoft trying to get
> > the account shut down.  Unless Microsoft gets in touch with me for more
> > data on the emails there will be nothing more.
> 
> Do bear in mind that it's insanely easy to forge "from" headers; unless
> they actually ask you to respond to the e-mail address, I'd even put that
> down as most-likely hypothesis, barring contradictory evidence in the
> headers.

Well, my server accepted the email from a hotmail server.  The server
headers matched prior legitimate emails.  I'm pretty sure they cracked
her account.

They did not ask for money in the original email.  They simply reported
being mugged, unable to check out of the hotel without payment, and
anxious to catch their flight.

When I did not receive a following email looking for money, I sent a
message offering to help.  That provoked a response with the Western
Union details that proved it was a scam.

> 
> > I guess law-enforcement is not nimble enough to deal with these kinds of
> > hoaxes.
> 
> Sadly, the general rule is they don't get involved until there's
> significant loss incurred.  That's not dyed in the wool, but they simply
> don't have anything like the resources to go after every phishing attack,
> 419 scammer, "lottery winner," etc.  Especially since a non-trivial number
> of these originate from overseas.  The Interwebtubes(tm) sure is a great
> thing, but it also makes scammers w-a-y more able to get around.
> 
> $.02,
> 
> -Ken
> 
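Lloyd's check above (did the server that handed us the message match the
provider's relays seen on earlier legitimate mail, or was only the From
header forged, as Ken suggested?) can be scripted. This is an added
example, not code from anyone in the thread; every domain, host, IP
address and Received line is constructed, and KNOWN_GOOD_RELAYS stands in
for whatever relay names earlier known-good mail actually showed.

```python
import email
import re
from email.utils import parseaddr

# Constructed allowlist: relay hostnames seen on earlier, known-good mail from
# the same correspondent (Lloyd's comparison, done by hand). A provider's
# relays often live under a different domain than its users' addresses.
KNOWN_GOOD_RELAYS = {
    "example-webmail.net": {"mail-out1.example-webmail.net",
                            "mail-out2.example-webmail.net"},
}
_FROM_CLAUSE = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)


def parse_received(value):
    """Return (helo_name, reverse_dns, ip) from one Received header.
    helo_name is chosen by the sender; reverse_dns and ip were observed by
    the receiving MTA, so only those two are worth trusting."""
    m = _FROM_CLAUSE.match(" ".join(value.split()))
    if not m:
        return None
    helo, paren = m.group(1), m.group(2) or ""
    ip_m = re.search(r"\[([0-9a-fA-F.:]+)\]", paren)
    first = paren.split()[0] if paren else ""
    rdns = first if first and not first.startswith("[") else None
    return helo, rdns, (ip_m.group(1) if ip_m else None)


def external_handoff(msg, our_domain):
    """Walk Received headers newest-first (MTAs prepend them) and return the
    first hop whose connecting host lies outside our_domain."""
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None:
            continue
        host = (hop[1] or hop[0]).lower()
        if host != our_domain and not host.endswith("." + our_domain):
            return hop
    return None


def classify(raw_message, our_domain):
    """verdict: 'provider_relay' (mail really left the From domain's provider,
    so look at the account), 'unrelated_relay' (only the From header was
    forged) or 'undetermined' (not enough header evidence)."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    result = {"from_domain": from_domain, "verdict": "undetermined",
              "helo": None, "rdns": None, "ip": None, "notes": []}
    hop = external_handoff(msg, our_domain)
    if not from_domain or hop is None:
        result["notes"].append("no From domain or no external Received hop")
        return result
    helo, rdns, ip = hop
    result.update(helo=helo, rdns=rdns, ip=ip)
    if rdns is None:
        result["notes"].append("no reverse DNS recorded; HELO alone proves nothing")
        return result
    relay = rdns.lower()
    if (relay in KNOWN_GOOD_RELAYS.get(from_domain, set())
            or relay == from_domain or relay.endswith("." + from_domain)):
        result["verdict"] = "provider_relay"
    else:
        result["verdict"] = "unrelated_relay"
        if helo.lower() != relay:
            result["notes"].append(f"HELO {helo!r} disagrees with rDNS {relay!r}")
    # DKIM d= is reported as supporting evidence only; nothing is verified here.
    d = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    if d:
        result["notes"].append(f"DKIM-signed by {d.group(1)}")
    return result


# Constructed messages; every host, address, IP and id is a placeholder.
GENUINE = """\
Received: from mail-out1.example-webmail.net (mail-out1.example-webmail.net [198.51.100.7])
\tby mx.venix.example (Postfix) with ESMTP id 4B2C1; Tue, 27 Apr 2010 11:58:02 -0400
DKIM-Signature: v=1; a=rsa-sha256; d=example-webmail.net; s=sel1; bh=CONSTRUCTED; b=CONSTRUCTED
From: Friend <friend@example-webmail.net>
Subject: Stuck in London

I was mugged and cannot check out of the hotel.
"""

# Same From, but the connecting host only *claims* the provider's name in
# HELO; the MTA's reverse lookup shows an unrelated hosting box.
FORGED = """\
Received: from mail-out1.example-webmail.net (static-203-0-113-9.example-hosting.com [203.0.113.9])
\tby mx.venix.example (Postfix) with ESMTP id 7F9A0; Tue, 27 Apr 2010 12:03:11 -0400
From: Friend <friend@example-webmail.net>
Subject: Stuck in London

I was mugged and cannot check out of the hotel.
"""
```

classify(GENUINE, "venix.example") comes back provider_relay with the DKIM
domain noted, while classify(FORGED, "venix.example") comes back
unrelated_relay and flags the HELO/rDNS mismatch.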


Re: bogus emails looking for money

2010-04-27 Thread Lloyd Kvam
On Tue, 2010-04-27 at 16:22 -0400, Joshua Judson Rosen wrote:
> stop calling it "hijacking"--you wouldn't use that term
> for USPS-based mail fraud, because it would mean something completely
> different if you did ("someone hijacked my PO box and sent postcards
> claiming to be me"). 

Though in this case they did hijack the account.  It went way beyond
forging the from-address.  They had access to her mail-box.




Re: Authentication on the Internet (bogus emails looking for money)

2010-04-27 Thread Lloyd Kvam
On Tue, 2010-04-27 at 16:22 -0400, Benjamin Scott wrote:
>   If you're still using a passWORD on today's Internet, you're already
> in a very high risk category.  Using an English word for a password is
> supposed to be roughly equivalent to using "12 bit encryption" or
> something like that.
> 
>   I recommend complex passphrases, minimum 15 characters in length,
> containing a mixture of upper- and lower-case letters, digits, spaces,
> and punctuation. 

Has anyone here tried to use certificates or public-keys to control
access?  The software is available to generate keys and certificates.
Do you think it is hopeless trying to educate users to import a
certificate and protect it with a pass phrase?

(I'll be operating a web site with an anticipated load of hundreds to
low thousands of user accounts.  I've been wondering about imposing
certificates on the account holders.)

-- 
Lloyd Kvam
Venix Corp.
1 Court Street, Suite 378
Lebanon, NH 03766-1358

voice:  603-653-8139
fax:320-210-3409



Re: Authentication on the Internet (bogus emails looking for money)

2010-04-27 Thread Alan Johnson
On Tue, Apr 27, 2010 at 5:26 PM, Lloyd Kvam  wrote:

> Do you think it is hopeless trying to educate users to import a
> certificate and protect it with a pass phrase?
>

Yes, see #5:
http://www.ranum.com/security/computer_security/editorials/dumb/
However, that's not to say you can't offer them options, but you can't count
on them not posting whatever private key/password they use on Facebook.  A
good sys admin assumes dumb users because it only takes one dumb move to
compromise your security and we all make dumb moves some times, users and
admins, smart and dumb alike.

Also, if you make the cert your only option, then the substantial question
is not about the reliability of your users, but their willingness to
overcome potential barriers to use your service.  I.e., it depends on your
audience.

Personally, I like the open id concept.  Assuming you have a secure
provider, and a secure password/cert with them, I think this offers the best
balance of convenience and security.  No reason your users should complain
if you offer plain old password, cert auth, and open id, but you might find
some reason to complain about maintaining them all.  I don't know.


Re: Authentication on the Internet (bogus emails looking for money)

2010-04-27 Thread Benjamin Scott
On Tue, Apr 27, 2010 at 5:26 PM, Lloyd Kvam  wrote:
> Has anyone here tried to use certificates or public-keys to control
> access?

  Yes.  A few of our customers at $WORK do this.  (Of course, they
usually email us the private key without any transport protection, but
hey, you didn't ask about key security.)  Certainly the browsers
support it.  Even crufty old MSIE 6.

> Do you think it is hopeless trying to educate users to import a
> certificate and protect it with a pass phrase?

  Depends on the user community.  You need clue at the user end.  That
can mean the users have clue themselves, or the users can be counted
upon to have clue nearby (e.g., IT department), or you can afford to
fund a large call center to inject clue over the telephone.  The users
also have to be well-motivated to put up with it.  So, for example, a
Large Mammoth Company can dictate the use of certificates.  They can
fund the call center, and nobody's going to tell them to pound sand,
because they are a huge player in the industry.

  If you're trying to be the next Facebook or Wikipedia, forget it.

-- Ben


Re: Authentication on the Internet (bogus emails looking for money)

2010-04-27 Thread Benjamin Scott
On Tue, Apr 27, 2010 at 5:51 PM, Alan Johnson  wrote:
> Personally, I like the open id concept.  Assuming you have a secure
> provider, and a secure password/cert with them ...

  So, it fails on both counts, then.  HHOS.

  Large-scale SSO systems scare me because if the SSO host is
compromised, they've got access to *all* your stuff.  It also tends to
mean you've got a small number of high-value, high-profile targets.

  I suppose if you run your own OpenID host, you can make most of that
go away (although if your own SSO ID is ever compromised you're still
humped).  But that seems like rather a corner-case to me; anyone who
can do that is likely okay managing other authentication mechanisms.

-- Ben
