Re: [LUAU] all your GPU are belong to us

2007-10-27 Thread Eric Hattemer
Dave Burns wrote:
>> You're assuming that they can't get in and read /etc/shadow.
>> 
>
> If they can, then either you've got a broken configuration and they
> will own you in 5 minutes, or they have root already and ordinary
> user-level passwords aren't really stopping them from doing much. I
> suppose this situation deserves some contemplation, but I'd prefer to
> spend a lot more effort preventing them from getting to that point in
> the first place.
>   
I agree.  I think my post was a little vague, but the idea is that there
used to be vulnerabilities in Windows where you could use a null session
to download the password hash anonymously.  I suppose it's possible that
you could find a network vulnerability for any OS that lets you read
files but not execute arbitrary code.  This would make cracking a
password hash like /etc/shadow worthwhile.  But I think this situation
is pretty uncommon.

-Eric Hattemer

___
LUAU@lists.hosef.org mailing list
http://lists.hosef.org/cgi-bin/mailman/listinfo/luau


Re: [LUAU] all your GPU are belong to us

2007-10-26 Thread Dave Burns
> You're assuming that they can't get in and read /etc/shadow.

If they can, then either you've got a broken configuration and they
will own you in 5 minutes, or they have root already and ordinary
user-level passwords aren't really stopping them from doing much. I
suppose this situation deserves some contemplation, but I'd prefer to
spend a lot more effort preventing them from getting to that point in
the first place.

a hui hou,
Dave


Re: [LUAU] all your GPU are belong to us

2007-10-26 Thread Jim Thompson
On Oct 25, 2007, at 10:09 PM, Eric Hattemer wrote:

> Vince Hoang wrote:
>> On 10/25/07, Jim Thompson <[EMAIL PROTECTED]> wrote:
>>> If passwords weren't "dead" already, this (or having the botnet do it
>>> on the CPUs) finished them.
>>
>> In a world where bank PINs are 4 numeric digits can you suggest practical
>> alternatives? Biometrics are not mature enough. Two-factor authentication
>> has existed for a long time but is not cost effective for the average
>> consumer.
>
> The article talks about ntlm and pgp.  The answer is not passwords that
> are more complicated, it is passwords that can't be anonymously
> downloaded and cracked offsite.  It doesn't matter how crappy your
> shadow password is if someone can only try an ssh attempt every 2
> seconds or so.

You're assuming that they can't get in and read /etc/shadow.

> NTLM passwords are freely available to any decent
> cracker with a network connection to the windows machine.  If your PGP
> secrets are important, and you expect someone to get at them, you'd
> better have a ridiculously large key.

Or, better, keep the key on a separate device, such as a USB key
or .. a Smart Card.  There are USB Smart Card readers that will hold
a SIM-sized smart card.



Re: [LUAU] all your GPU are belong to us

2007-10-26 Thread Eric Hattemer
Vince Hoang wrote:
> On 10/25/07, Jim Thompson <[EMAIL PROTECTED]> wrote:
>   
>> If passwords weren't "dead" already, this (or having the botnet do it
>> on the CPUs) finished them.
>> 
>
>
> In a world where bank PINs are 4 numeric digits can you suggest practical
> alternatives? Biometrics are not mature enough. Two-factor authentication
> has existed for a long time but is not cost effective for the average
> consumer.
>   
The article talks about ntlm and pgp.  The answer is not passwords that
are more complicated, it is passwords that can't be anonymously
downloaded and cracked offsite.  It doesn't matter how crappy your
shadow password is if someone can only try an ssh attempt every 2
seconds or so.  NTLM passwords are freely available to any decent
cracker with a network connection to the windows machine.  If your PGP
secrets are important, and you expect someone to get at them, you'd
better have a ridiculously large key.

-Eric Hattemer

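The point made in the message above, that a hash matters only once it can be downloaded and attacked offline, is easier to weigh when you can see which fields in a shadow file would fall fast and what the two guessing rates actually mean. The script below is an added example for this thread, not code from any of the posters: it parses /etc/shadow-style lines, classifies the crypt(3) scheme and cost of each password field, lists the accounts whose hash an offline attacker can test cheaply, and compares the thread's "one ssh attempt every 2 seconds" against an assumed offline rate. The sample lines are constructed and their hash bodies are placeholders; the weak/strong labels and the 10^9 guesses/s offline figure are this example's assumptions.

```python
"""Audit the password fields of an /etc/shadow-style file and compare the
online and offline guessing rates the thread talks about.

Added example for the discussion above; it is not code from any of the
posters. The shadow lines are constructed and their hash bodies are
placeholders, the weak/strong labels are this example's assumptions, and
the offline rate passed to worst_case_seconds() is an assumed figure.
"""
import re

# crypt(3) scheme identifiers as used by glibc / libxcrypt.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "y": "yescrypt", "2a": "bcrypt", "2b": "bcrypt"}
# Iteration count when the hash carries none: md5crypt's 1000 is fixed,
# sha256crypt/sha512crypt default to 5000 and accept an explicit rounds=N.
DEFAULT_ROUNDS = {"md5crypt": 1000, "sha256crypt": 5000, "sha512crypt": 5000}
# Schemes treated here as "falls quickly if the file leaks" (assumption).
WEAK_SCHEMES = {"none", "descrypt", "md5crypt", "unknown"}

# The thread's online figure: one SSH attempt every 2 seconds.
ONLINE_GUESSES_PER_SECOND = 0.5

# Constructed sample; none of these hashes belongs to a real password.
SAMPLE_SHADOW = """\
root:$6$rounds=100000$Zq3o7Y1x$PLACEHOLDERHASH:19600:0:99999:7:::
alice:$6$nSaltHere$PLACEHOLDERHASH:19600:0:99999:7:::
bob:$1$abcdefgh$PLACEHOLDERHASH:19600:0:99999:7:::
carol:$2b$12$aaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:19600:0:99999:7:::
dave:!$6$lockedsalt$PLACEHOLDERHASH:19600:0:99999:7:::
eve::19600:0:99999:7:::
mallory:ab5s1JKxbZnzc:19600:0:99999:7:::
daemon:*:19600:0:99999:7:::
"""


def classify_hash(field):
    """Describe one shadow password field.

    Returns a dict with the scheme name, its cost parameter ("rounds"),
    whether the account is locked, and a weak flag meaning the hash is one
    an offline attacker can test very cheaply.
    """
    if field == "":
        return {"scheme": "none", "rounds": 0, "locked": False, "weak": True}
    # A leading '!' locks the account but leaves the hash in the file, so a
    # leaked file still exposes it (and the password may be reused elsewhere).
    locked = field.startswith("!")
    body = field.lstrip("!")
    if body == "" or body.startswith("*"):
        return {"scheme": "disabled", "rounds": 0, "locked": True, "weak": False}
    if body.startswith("$"):
        parts = body.split("$")[1:]        # drop the empty piece before the first '$'
        scheme = SCHEMES.get(parts[0], "unknown")
        rounds = DEFAULT_ROUNDS.get(scheme, 0)   # 0: cost not decoded (yescrypt, unknown)
        if len(parts) > 1:
            if scheme == "bcrypt" and parts[1].isdigit():
                rounds = 2 ** int(parts[1])        # bcrypt stores log2 of the cost
            elif scheme in ("sha256crypt", "sha512crypt") and parts[1].startswith("rounds="):
                rounds = int(parts[1][len("rounds="):])
        return {"scheme": scheme, "rounds": rounds, "locked": locked,
                "weak": scheme in WEAK_SCHEMES}
    if re.fullmatch(r"[./0-9A-Za-z]{13}", body):
        # Traditional DES crypt: 25 DES iterations, 12-bit salt, 8-char limit.
        return {"scheme": "descrypt", "rounds": 25, "locked": locked, "weak": True}
    return {"scheme": "unknown", "rounds": 0, "locked": locked, "weak": True}


def audit_shadow(text):
    """Map each user in a shadow-format text to classify_hash() of its field."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        result[fields[0]] = classify_hash(fields[1])
    return result


def weak_accounts(text):
    """Users whose field would fall quickly offline; locked accounts count
    because the hash is still there, disabled (*) ones do not."""
    return sorted(user for user, info in audit_shadow(text).items() if info["weak"])


def worst_case_seconds(keyspace, guesses_per_second):
    """Time to try every candidate in a keyspace at a given guess rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    for user, info in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8} {info['scheme']:12} rounds={info['rounds']:<7} "
              f"locked={info['locked']!s:5} weak={info['weak']}")
    print("weak:", weak_accounts(SAMPLE_SHADOW))
    # 8 lowercase letters against the thread's online rate, then against an
    # assumed 10^9 guesses/s for an unsalted fast hash on a GPU (assumption).
    space = 26 ** 8
    online = worst_case_seconds(space, ONLINE_GUESSES_PER_SECOND)
    offline = worst_case_seconds(space, 1e9)
    print(f"online:  {online / 31_557_600:.0f} years")
    print(f"offline: {offline:.0f} seconds")
```

Run it against a real file with `sudo python3 audit_shadow.py < /etc/shadow` after swapping `SAMPLE_SHADOW` for `sys.stdin.read()`; the interesting rows are the ones tagged weak, and the ones whose scheme is fine but whose rounds are still at the default. The rate comparison is the thread's argument in numbers: the same eight-letter keyspace takes thousands of years at two seconds per guess and minutes once the hash is in the attacker's hands at an assumed GPU rate, which is why the scheme and cost in the file matter far more than the password policy does.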


Re: [LUAU] all your GPU are belong to us

2007-10-25 Thread Jim Thompson
Smart cards, likely.

On Oct 25, 2007, at 10:59 AM, "Vince Hoang" <[EMAIL PROTECTED]> wrote:

> On 10/25/07, Jim Thompson <[EMAIL PROTECTED]> wrote:
>> If passwords weren't "dead" already, this (or having the botnet do it
>> on the CPUs) finished them.
>
> In a world where bank PINs are 4 numeric digits can you suggest practical
> alternatives? Biometrics are not mature enough. Two-factor authentication
> has existed for a long time but is not cost effective for the average
> consumer.
>
> -Vince


Re: [LUAU] all your GPU are belong to us

2007-10-25 Thread Vince Hoang
On 10/25/07, Jim Thompson <[EMAIL PROTECTED]> wrote:
>
> If passwords weren't "dead" already, this (or having the botnet do it
> on the CPUs) finished them.


In a world where bank PINs are 4 numeric digits can you suggest practical
alternatives? Biometrics are not mature enough. Two-factor authentication
has existed for a long time but is not cost effective for the average
consumer.

-Vince


[LUAU] all your GPU are belong to us

2007-10-25 Thread Jim Thompson

Talk about your "brute force"...

imagine what the bot army will be able to do with this.

If passwords weren't "dead" already, this (or having the botnet do it
on the CPUs) finished them.

