Re: gnome-password-generator replacement?

2017-06-19 Thread Tim
Allegedly, on or about 19 June 2017, Greg Woods sent:
> I'm surprised no one has posted this yet:
>
> https://xkcd.com/936/

Virtually the same thing as I said, minus the illustrations.

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64 
(always current details of the computer that I'm writing this email on)

Boilerplate:  All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.

Next time your service provider asks you to reboot your equipment, ask
them to reboot theirs, first.


___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org


Re: gnome-password-generator replacement?

2017-06-19 Thread Tom Horsley
On Mon, 19 Jun 2017 21:27:51 +0100
Patrick O'Callaghan wrote:

> Because modern CPUs already have hardware RNGs built-in, without
> requiring an additional chip?

But, but, but, they aren't quantum :-).


Re: gnome-password-generator replacement?

2017-06-19 Thread Samuel Sieb

On 06/18/2017 01:55 PM, Andre Robatino wrote:
> Thanks. I had actually installed pwgen a few months ago, but it looked
> like the passwords weren't strong enough. gnome-password-generator has a
> Character set option "All printable (excluding space)". It appears that
> "pwgen -sy 30 1", for example, does just that, and "pwgen -s 30 1" is the
> same as "Alphanumeric (a-z, A-Z, 0-9)". I use a password manager, so only
> care about maximum entropy. It would be really nice if there was
> something where you could specify an exact set of characters to either
> include or exclude, to cope with certain websites that allow only some
> special characters.


I use "apg".  It lets you choose the character classes you want included 
in the password and you can also exclude specific characters if necessary.



Re: Is default umask of 022 still reasonable for Fedora?

2017-06-19 Thread Cameron Simpson

On 19Jun2017 13:17, stan wrote:
> On Mon, 19 Jun 2017 16:48:40 +0100
> Patrick O'Callaghan wrote:
>
> > Bear in mind that by default Fedora allocates each user to his own
> > private group. Presumably someone who intentionally shares group
> > membership is expected to understand the implications and adjust umask
> > if necessary.
>
> Another good point.  It seems that my concerns about umask might be
> misguided.


Dunno. I'm fairly private and like to end my umask in a 7 normally. Usually 
discussions revolve around the group bits.


Normally you wouldn't share membership of your personal group - this arranges 
that 027 (or the like) in your home directory is essentially private. Instead, 
one makes other groups for shared work.


For example, my partner and I have a group for "us"; both our personal accounts 
are in it (so it is a secondary group membership); we have a shared third 
account (for stuff to do with home and so on); its group has both our 
individual accounts as members, giving both of us read/write to it.


Cheers,
Cameron Simpson 


Re: gnome-password-generator replacement?

2017-06-19 Thread Patrick O'Callaghan
On Mon, 2017-06-19 at 15:54 -0400, Tom Horsley wrote:
> I just want to know when we'll all have one of these built into
> our computers?
> 
> http://www.physicscentral.com/buzz/blog/index.cfm?postid=4422261597116577682
> 
> (Doesn't look like it has been turned into a commercial product
> yet which kind of surprises me - probably the researchers and the
> university arguing about rights :-).

Because modern CPUs already have hardware RNGs built-in, without
requiring an additional chip?

poc


Re: Is default umask of 022 still reasonable for Fedora?

2017-06-19 Thread stan
On Mon, 19 Jun 2017 16:48:40 +0100
Patrick O'Callaghan  wrote:

> Bear in mind that by default Fedora allocates each user to his own
> private group. Presumably someone who intentionally shares group
> membership is expected to understand the implications and adjust umask
> if necessary.

Another good point.  It seems that my concerns about umask might be
misguided.


Re: gnome-password-generator replacement?

2017-06-19 Thread stan
On Mon, 19 Jun 2017 15:54:25 -0400
Tom Horsley  wrote:

> http://www.physicscentral.com/buzz/blog/index.cfm?postid=4422261597116577682
> 
> (Doesn't look like it has been turned into a commercial product
> yet which kind of surprises me - probably the researchers and the
> university arguing about rights :-).

It might be that they are arguing about patent rights, but it could
also be that the prototype is not robust enough to deal with everyday
life.  There is a huge junkyard between the bench and the shelf.  It
could also be that a government agency bought all the rights to the
device, and is sitting on it because it is too secure.  What would
speculation be without conspiracy theories?  :-)


Re: gnome-password-generator replacement?

2017-06-19 Thread Tom Horsley
I just want to know when we'll all have one of these built into
our computers?

http://www.physicscentral.com/buzz/blog/index.cfm?postid=4422261597116577682

(Doesn't look like it has been turned into a commercial product
yet which kind of surprises me - probably the researchers and the
university arguing about rights :-).


Re: gnome-password-generator replacement?

2017-06-19 Thread stan
On Mon, 19 Jun 2017 17:35:10 -
"Andre Robatino"  wrote:

> It seemed
> to be a fairly sophisticated attack. When my PayPal account was
> accessed, my email account was DoS'd by sending thousands of garbage
> emails to it every hour, to prevent me from reading PayPal's email
> notifications associated with account activity. It wasn't until later
> in the day that I discovered independently what had happened, and
> realized why my email was being DoS'd.

Yes, that certainly seems sophisticated.  Systems level thinking.


Re: Is default umask of 022 still reasonable for Fedora?

2017-06-19 Thread stan
On Mon, 19 Jun 2017 10:03:35 -0700
Gordon Messmer  wrote:

> As a minor point, I'd mention that Fedora's default umask is 002, not 
> 022, except for the root user.

Thanks.

> I think either is fine.  umask governs how you share files with other 
> authorized users of the local computer system (where "local" is
> defined as all hosts sharing the same user database).  I only share
> computing systems with people that I want to work with, so the
> default umask of 002 is entirely appropriate.

How much damage would it do to you if their accounts were compromised?

> That 
> phrase brings to mind an increase in malware, which is a concern, but 
> not one that umask can affect in any way.  If malware makes its way
> on to your workstation, it's almost certainly running under your
> account. It has exactly the same permission as any one of your other
> processes. umask doesn't change that.

Good point.


Re: gnome-password-generator replacement?

2017-06-19 Thread stan
On Mon, 19 Jun 2017 07:37:35 +0200
Heinz Diehl  wrote:

> Pwgen uses /dev/urandom, so the statement that those passwords are
> less secure than "fully" random passwords (define "fully random"..) is
> merely of academical nature.
> 
> In case of any doubt, you can always do something like
> 
>  head /dev/random | tr -dc A-Za-z0-9 | head -c X
> 
> where X is your password length. Tr also lets you tailor the
> characterset used.

Here's my shell hack to generate passwords using the above.  It saves
the passwords in the file devurandom_password.txt in the home directory.

#! /bin/bash

#  generate a password using a character set, /dev/urandom,
#  and tr to select the characters included.
#  The three arguments are
#  the character class to use to generate the password  (default an = alnum)
#  and
#  the length of the password (default 20)
#  and
#  the number of passwords to generate (default 10)

DPW="$HOME/devurandom_password.txt"

# Fill in the defaults for any arguments that were not given.
if [ "$#" = 0 ]; then
  set -- an 20 10
elif [ "$#" = 1 ]; then
  set -- "$1" 20 10
elif [ "$#" = 2 ]; then
  set -- "$1" "$2" 10
fi

# Map the two-letter code to a tr character class.
# Unknown codes fall back to alnum.
case "$1" in
  al) class='[:alpha:]' ;;
  cn) class='[:cntrl:]' ;;
  di) class='[:digit:]' ;;
  gr) class='[:graph:]' ;;
  lo) class='[:lower:]' ;;
  pr) class='[:print:]' ;;
  pu) class='[:punct:]' ;;
  sp) class='[:space:]' ;;
  up) class='[:upper:]' ;;
  xd) class='[:xdigit:]' ;;
  *)  class='[:alnum:]' ;;
esac

# The output file holds passwords, so create it readable by the owner only.
umask 077

echo "Passwords from /dev/urandom with $1" > "$DPW"
echo '' >> "$DPW"

for ((x = 0 ; x < $3 ; x = x + 1)) ; do
  # Read /dev/urandom directly: tr keeps only characters in the class and
  # head stops after exactly $2 of them, so no password comes out short.
  LC_ALL=C tr -dc "$class" < /dev/urandom | head -c "$2" >> "$DPW"
  printf '\n\n' >> "$DPW"
done

exit 0
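
Added example, not part of stan's message or of any tool named in the thread: a POSIX shell version of the include/exclude character-set generator Andre asks for, with the entropy figure behind his point about 16-character limits. The function names (charset_expand, genpw, entropy_bits) are hypothetical and the site policy in the demo is constructed.

```shell
#!/bin/sh
# Added example; function names and the sample policy are assumptions.

# charset_expand SPEC [EXCLUDE]
# Expand a tr(1) set such as '[:graph:]' or 'A-Za-z0-9_@#' to the literal
# printable-ASCII characters it matches, then drop every character that
# appears in EXCLUDE (taken literally, so '-' and '\' need no escaping).
charset_expand() {
    spec=$1
    exclude=${2-}
    printable=$(LC_ALL=C awk 'BEGIN { for (i = 32; i < 127; i++) printf "%c", i }')
    matched=$(printf '%s' "$printable" | LC_ALL=C tr -dc "$spec")
    printf '%s\n' "$matched" | PW_EXCLUDE=$exclude LC_ALL=C awk '
        BEGIN { ex = ENVIRON["PW_EXCLUDE"] }
        {
            out = ""
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (index(ex, c) == 0) out = out c
            }
            print out
        }'
}

# genpw CHARS LENGTH
# Draw LENGTH characters uniformly from the literal string CHARS. Bytes from
# /dev/urandom that would bias the modulo are discarded (rejection sampling).
genpw() {
    [ -n "$1" ] && [ "$2" -gt 0 ] || return 1
    od -An -v -tu1 /dev/urandom | PW_CHARS=$1 LC_ALL=C awk -v len="$2" '
        BEGIN {
            chars = ENVIRON["PW_CHARS"]
            n = length(chars)
            limit = 256 - (256 % n)   # largest multiple of n that fits a byte
        }
        {
            for (i = 1; i <= NF; i++) {
                if ($i + 0 >= limit) continue
                out = out substr(chars, ($i % n) + 1, 1)
                if (length(out) == len) { print out; exit }
            }
        }'
}

# entropy_bits CHARS LENGTH
# LENGTH * log2(number of characters in CHARS): the size of the search space,
# in bits, for a uniformly random password of that length.
entropy_bits() {
    LC_ALL=C awk -v n="${#1}" -v len="$2" \
        'BEGIN { printf "%.1f\n", len * log(n) / log(2) }'
}

# Demo with a constructed site policy: 16 characters, letters and digits plus
# only the specials _@#%+= allowed, look-alike characters 0O1lI removed.
policy=$(charset_expand 'A-Za-z0-9_@#%+=' '0O1lI')
echo "allowed set (${#policy} chars): $policy"
echo "password: $(genpw "$policy" 16)"
echo "alnum, 16 chars: $(entropy_bits "$(charset_expand '[:alnum:]')" 16) bits"
echo "graph, 16 chars: $(entropy_bits "$(charset_expand '[:graph:]')" 16) bits"
```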


Re: Postfix bug ...

2017-06-19 Thread Tom Horsley
On Mon, 19 Jun 2017 20:26:29 +0200
Walter H. wrote:

> what is this?
> header_checks tells this and I'm used to using pcre with postfix ...

Perhaps postfix-pcre isn't installed?


Postfix bug ...

2017-06-19 Thread Walter H.

Hello,

Jun 19 20:18:01 fedorabox postfix/smtp[4723]: error: unsupported dictionary type: pcre


what is this?
header_checks tells this and I'm used to using pcre with postfix ...

/etc/postfix/main.cf:

smtp_header_checks = pcre:/etc/postfix/smtp_hdr_chks.pcre
smtp_mime_header_checks =
smtp_nested_header_checks =

/etc/postfix/smtp_hdr_chks.pcre:

# remove 'Precedence: bulk'
/^precedence:[[:cntrl:][:space:]](.*)$/
IGNORE

Thanks,
Walter






Re: gnome-password-generator replacement?

2017-06-19 Thread Andre Robatino
> How?  Don't the attackers have to know the password hashing algorithm to
> do that? If they have enough penetration into the system to know that,
> couldn't they just capture the passwords when they were unhashed?
> i.e.  could it have been that they let paypal know they had been
> compromised, so that a program they left on paypal's systems could
> report the unhashed passwords when paypal told their users to reset
> their passwords?

I don't know how it was done, but I'm pretty sure they grabbed the password 
hashes, not the plaintext passwords. If the hashes weren't salted, they could 
have just used a standard lookup table. It seemed to be a fairly sophisticated 
attack. When my PayPal account was accessed, my email account was DoS'd by 
sending thousands of garbage emails to it every hour, to prevent me from 
reading PayPal's email notifications associated with account activity. It 
wasn't until later in the day that I discovered independently what had 
happened, and realized why my email was being DoS'd.


Re: gnome-password-generator replacement?

2017-06-19 Thread JD



On 06/18/2017 08:49 PM, Andre Robatino wrote:
> Many websites don't allow even 30 chars. One of the important ones I use
> allows only 16 characters (and no 2FA option), but happens to allow special
> characters. Using the largest possible character set is the only way to
> shore that up.

A credit card that I recall, allows 56 character passwords.


Re: Firefox

2017-06-19 Thread JD



On 06/18/2017 08:28 PM, Lawrence E Graves wrote:
> Not able to control the maximize control on my firefox web browser. If
> I unmaximize the browser and close it out. When I log back on, it
> automatically goes to maximize.  Can anybody help with this matter? Am
> I reporting to the list?


Unfortunately, Firefox (Mozilla in general) has no mailing list. They 
have a forum, which I personally disdain, as I prefer a mailing list myself.

https://www.mozilla.org/en-US/about/forums/


Re: Is default umask of 022 still reasonable for Fedora?

2017-06-19 Thread Gordon Messmer

On 06/18/2017 07:18 PM, stan wrote:
> On Mon, 19 Jun 2017 05:49:20 +0800 Ed Greshko wrote:
> > You haven't described your environment.
>
> Home workstation with no web facing services.


As a minor point, I'd mention that Fedora's default umask is 002, not 
022, except for the root user.


I think either is fine.  umask governs how you share files with other 
authorized users of the local computer system (where "local" is defined 
as all hosts sharing the same user database).  I only share computing 
systems with people that I want to work with, so the default umask of 
002 is entirely appropriate.


For single-user systems (workstations), umask has no practical effect.

I don't believe there have been any changes in "today's security 
atmosphere" relevant to collaborative work, where umask applies. That 
phrase brings to mind an increase in malware, which is a concern, but 
not one that umask can affect in any way.  If malware makes its way on 
to your workstation, it's almost certainly running under your account.  
It has exactly the same permission as any one of your other processes.  
umask doesn't change that.



> It seems to me that linux depends a lot on file
> permissions for security, particularly for root.

If we're going to discuss general security practices and principles, I'd 
start with: Don't log in as root.



Re: gnome-password-generator replacement?

2017-06-19 Thread Greg Woods
On Mon, Jun 19, 2017 at 8:42 AM, stan  wrote:

> The man page says they are modified to be more memorable, by
> some definition, and so are less than completely random.
>
> ...generates passwords which are designed to be easily memorized by
> humans, while being as secure as possible.
>

I'm surprised no one has posted this yet:

https://xkcd.com/936/

--Greg


Re: gnome-password-generator replacement?

2017-06-19 Thread stan
On Mon, 19 Jun 2017 11:12:20 -0400
Matthew Miller  wrote:

> There are only a handful of commonly-used cryptographically-secure
> hashes which are likely to be used, and they're relatively easy to
> narrow down simply by looking at length. Or, if they're stored like
> they are in /etc/shadow, the entire string actually includes an
> identifier for the hash.
> 
> If the passwords are hashed in a non-standard way or with some made-up
> thing... there's probably something wrong that a skilled attacker can
> exploit. (Rule one of crypto: don't write your own crypto.)

Why not use RSA?  Create a set of RSA keys, and don't publish them.
Encrypt each password with one of the keys, and store it in a
database.  When needed, decrypt it with the other RSA key.  Or encrypt
with the original key to compare with the database contents.  If an
attacker gets the database without the RSA keys, they are trying to
decrypt the encrypted message without knowing the composite number that
generated the keys. That is, they are trying to break RSA for all
composite numbers the product of two large primes. Horrendous. And
because these RSA keys aren't published, they can be nonstandard
sizes.  4023? 3084? 6173? Good luck with that if you are the
cracker.  :-)

This is private key RSA instead of public key RSA, more secure.  Not
roll your own crypto, extensively attacked and tested crypto.  Sure, if
your system gets compromised, and someone gains the keys, they break
the encryption easily, but that isn't a crypto problem.


Re: gnome-password-generator replacement?

2017-06-19 Thread Patrick O'Callaghan
On Mon, 2017-06-19 at 12:07 -0400, Tom Horsley wrote:
> On Mon, 19 Jun 2017 16:44:25 +0100
> Patrick O'Callaghan wrote:
> 
> > Exactly. It also makes me question the competence of whoever programmed
> > the website. Can it be that they only know how to read alphanumeric
> > input?
> 
> I always suspect someone's nephew built the web site and
> didn't know how to properly quote and unquote special
> characters in HTTP messages :-).

Indeed. It's often the same kind of site that breaks when I input my
surname ...

poc


Re: gnome-password-generator replacement?

2017-06-19 Thread Tom Horsley
On Mon, 19 Jun 2017 16:44:25 +0100
Patrick O'Callaghan wrote:

> Exactly. It also makes me question the competence of whoever programmed
> the website. Can it be that they only know how to read alphanumeric
> input?

I always suspect someone's nephew built the web site and
didn't know how to properly quote and unquote special
characters in HTTP messages :-).


Re: gnome-password-generator replacement?

2017-06-19 Thread Tim
Tim:
>> Really, what ought to get tightened up is the software accepting
>> logons. There should be a limited number of attempts (3 goes and you're
>> out for a significant time limit).  Any system that lets a cracker
>> hammer away with repeated attempts is the thing that is broken.

stan:
> I don't think it has to be as low as 3.  It could be 100 or 1000, a
> restriction that a human will never hit, but a cracking program will
> hit almost immediately.

Three seems to be a common threshold, but I agree that it could be set
higher for those reasons.  I know that I've mistyped things three times
in a row, and when you can't see what you're typing, it's easy to not
notice you've made a mistake.  Like you, I imagine a cracking attempt is
going to try more than a person would.

> This makes it easy to separate attackers from legitimate users, and
> take appropriate action against the attackers. Ban their IP address?
> Notify their ISP?  Track their botnet and disable it?  I'm not sure
> there are effective defenses.
> 
> An alternative is to look for frequency of login attempts.  More than 1
> every second implies a bot, not a human.

Again, I agree.  It's not too hard for a person to make that kind of
judgement call about what's a cracking attempt versus a human trying to
deal with a poor interface, so it ought to be a programmable solution,
too.

I think you'd first want to block the source from further attempts.  If
multiple sources are trying, you know it's a crack attempt.  No real
user could be doing that.

You could try banning all cracking sources, but if they're a zombied
army of bots, you could be banning genuine users of your service who've
no idea they're using a compromised computer.  So the idea of notifying
their ISP has merit, on a number of fronts (ISP can tell the user they
need to fix up their PC, ISP can take action to check if their users are
indulging in organised hacking, etc).

Though there's still the problem of reporting things to ISPs that are a
problem, in themselves.  In my early days of using the net, I'd
occasionally make a report to an ISP about spam from one of their users,
only to get a bucketload more spam straight away.  It was obvious that
the ISP itself, or one of their staff, was involved in spamming; or they
stupidly inform their user about the complaint, naming where the
complaint came from.  Either way, making a complaint was actually worse
than useless.

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64 
(always current details of the computer that I'm writing this email on)

Boilerplate:  All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.

Next time your service provider asks you to reboot your equipment, ask
them to reboot theirs, first.




Re: Is default umask of 022 still reasonable for Fedora?

2017-06-19 Thread Patrick O'Callaghan
On Mon, 2017-06-19 at 07:05 -0700, stan wrote:
> On Mon, 19 Jun 2017 07:55:59 +1000
> Cameron Simpson  wrote:
> 
> > As remarked elsewhere, it does depend on your environment.
> 
> Well, yes, but it just seems that the default should be to the most
> secure.
> 
> > I like 027 myself. Combined with setgid directories it leaves things
> > readable by the group of the working area, but otherwise private.
> > Then one just arranges group ownership. A workable default.
> 
> That seems reasonable, and would be better than the current default.

Bear in mind that by default Fedora allocates each user to his own
private group. Presumably someone who intentionally shares group
membership is expected to understand the implications and adjust umask
if necessary.

poc


Re: Firefox

2017-06-19 Thread Tim
Allegedly, on or about 18 June 2017, Lawrence E Graves sent:
> Not able to control the maximize control on my firefox web browser. If
> I unmaximize the browser and close it out. When I log back on, it 
> automatically goes to maximize. 

Sometimes dopey things can stop that kind of problem, such as
un-maximise the browser, then grab a window border and resize the window
by some amount, then quit the program.

I've done that kind of thing, before, to tame a web browser.  Perhaps
it's the window resizing that sets a parameter somewhere, clearing out
some peculiar problem.

It may depend on your desktop manager, too.  I found the Gnome 3 (which
I don't use anymore), it liked to behave like a tablet computer, with
every program full screen, and a pain to use several programs
simultaneously.

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64 
(always current details of the computer that I'm writing this email on)

Boilerplate:  All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.

If you are not the intended recipient, why are you reading their email?
You bastard!




Re: gnome-password-generator replacement?

2017-06-19 Thread Patrick O'Callaghan
On Mon, 2017-06-19 at 08:36 -0400, Tom Horsley wrote:
> On Mon, 19 Jun 2017 12:55:28 +0100
> Patrick O'Callaghan wrote:
> 
> > One
> > of them even disallows cut-and-paste, which tempts the user to have a
> > password simple enough to remember and type by hand.
> 
> One of the keepassx features is the ability to simulate
> typing to teach the annoying web designers who is boss :-).

I just use the X buffer copy-and-paste, which they don't seem to be
aware of.

> The sites that crack me up are the ones which have rules
> like "you can only use letters and numbers" in your password.
> Why? That just means anyone trying to guess passwords has
> a much simpler job.

Exactly. It also makes me question the competence of whoever programmed
the website. Can it be that they only know how to read alphanumeric
input?

poc


Re: gnome-password-generator replacement?

2017-06-19 Thread Matthew Miller
On Mon, Jun 19, 2017 at 08:02:28AM -0700, stan wrote:
> > That works as long as the website isn't hacked. If it is, even if the
> > passwords are hashed (which they often aren't), the hash can be
> > cracked if the password is weak.
> How?  Don't the attackers have to know the password hashing algorithm to
> do that? If they have enough penetration into the system to know that,

There are only a handful of commonly-used cryptographically-secure
hashes which are likely to be used, and they're relatively easy to
narrow down simply by looking at length. Or, if they're stored like
they are in /etc/shadow, the entire string actually includes an
identifier for the hash.

If the passwords are hashed in a non-standard way or with some made-up
thing... there's probably something wrong that a skilled attacker can
exploit. (Rule one of crypto: don't write your own crypto.)

-- 
Matthew Miller

Fedora Project Leader
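
Added example, not from Matthew Miller's message: a shell check an administrator could run over a password store to see which scheme each entry declares, using the crypt(3) identifier prefix he mentions and falling back to digest length for bare hex strings. The function names are hypothetical and the sample entries are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Added example; function names and sample data are assumptions.

# hash_scheme STRING: name the scheme a stored password string declares.
hash_scheme() {
    case $1 in
        ''|'!'*|'*'*)             echo locked ;;            # no usable password
        '$1$'*)                   echo md5crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo bcrypt ;;
        '$5$'*)                   echo sha256crypt ;;
        '$6$'*)                   echo sha512crypt ;;
        '$y$'*)                   echo yescrypt ;;
        '$'*)                     echo unknown-crypt-id ;;
        *[!0-9a-fA-F]*)           echo unknown ;;
        *)  # bare hex digest: the length is the only clue left
            case ${#1} in
                32)  echo raw-128-bit-digest ;;   # e.g. MD5
                40)  echo raw-160-bit-digest ;;   # e.g. SHA-1
                64)  echo raw-256-bit-digest ;;   # e.g. SHA-256
                128) echo raw-512-bit-digest ;;   # e.g. SHA-512
                *)   echo unknown ;;
            esac ;;
    esac
}

# scheme_verdict SCHEME: how the entry should be treated in an audit.
# Bare digests carry no salt and no work factor; md5crypt is obsolete.
scheme_verdict() {
    case $1 in
        md5crypt|raw-*)                          echo weak ;;
        bcrypt|sha256crypt|sha512crypt|yescrypt) echo ok ;;
        locked)                                  echo n/a ;;
        *)                                       echo review ;;
    esac
}

# audit_shadow: read "user:hash:..." lines on stdin (the /etc/shadow layout)
# and print "user<TAB>scheme<TAB>verdict" for each entry.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        case $user in ''|'#'*) continue ;; esac
        scheme=$(hash_scheme "$hash")
        printf '%s\t%s\t%s\n' "$user" "$scheme" "$(scheme_verdict "$scheme")"
    done
}

# Constructed sample in shadow layout; the hash fields are placeholders.
sample_shadow() {
    cat <<'EOF'
alice:$1$CONSTRUCTED$placeholderplaceholder:17336:0:99999:7:::
bob:$6$CONSTRUCTED$placeholderplaceholderplaceholder:17336:0:99999:7:::
carol:$2b$12$CONSTRUCTEDplaceholderplaceholder:17336:0:99999:7:::
dave:0123456789abcdef0123456789abcdef:17336:0:99999:7:::
erin:!!:17336:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```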


Re: gnome-password-generator replacement?

2017-06-19 Thread stan
On Mon, 19 Jun 2017 02:49:30 -
"Andre Robatino"  wrote:

> Many websites don't allow even 30 chars. One of the important ones I
> use allows only 16 characters (and no 2FA option), but happens to
> allow special characters. Using the largest possible character set is
> the only way to shore that up.

Good point.


Re: gnome-password-generator replacement?

2017-06-19 Thread stan
On Mon, 19 Jun 2017 04:48:16 -
"Andre Robatino"  wrote:

> That works as long as the website isn't hacked. If it is, even if the
> passwords are hashed (which they often aren't), the hash can be
> cracked if the password is weak.

How?  Don't the attackers have to know the password hashing algorithm to
do that? If they have enough penetration into the system to know that,
couldn't they just capture the passwords when they were unhashed?
i.e.  could it have been that they let paypal know they had been
compromised, so that a program they left on paypal's systems could
report the unhashed passwords when paypal told their users to reset
their passwords?


Re: gnome-password-generator replacement?

2017-06-19 Thread stan
On Mon, 19 Jun 2017 12:51:30 +0930
Tim  wrote:

> Really, what ought to get tightened up is the software accepting
> logons. There should be a limited number of attempts (3 goes and you're
> out for a significant time limit).  Any system that lets a cracker
> hammer away with repeated attempts is the thing that is broken.

I don't think it has to be as low as 3.  It could be 100 or 1000, a
restriction that a human will never hit, but a cracking program will
hit almost immediately.  This makes it easy to separate attackers from
legitimate users, and take appropriate action against the attackers.
Ban their IP address?  Notify their ISP?  Track their botnet and
disable it?  I'm not sure there are effective defenses.

An alternative is to look for frequency of login attempts.  More than 1
every second implies a bot, not a human.
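
Added example, not from the thread: the two heuristics stan proposes (a per-source failure ceiling and a more-than-one-per-second rate), plus the "multiple sources" signal from Tim's reply, run as awk over a constructed login log. The log format (epoch seconds, source, account, result), the function names and the small demo thresholds are assumptions.

```shell
#!/bin/sh
# Added example; log format, names and thresholds are assumptions.

# detect_bruteforce MAX_FAILURES WINDOW_SECONDS MAX_IN_WINDOW MIN_SOURCES
# Reads time-ordered lines "epoch source account OK|FAIL" on stdin and prints:
#   source  S failures=N   S exceeded MAX_FAILURES failed logins in total
#   source  S burst=N      S made more than MAX_IN_WINDOW failures within
#                          WINDOW_SECONDS (too fast for a person typing)
#   account A sources=N    A was tried from at least MIN_SOURCES addresses
detect_bruteforce() {
    LC_ALL=C awk -v max_fail="$1" -v win="$2" -v max_win="$3" -v min_src="$4" '
    $4 == "FAIL" {
        t = $1 + 0; src = $2; acct = $3
        fails[src]++

        # Sliding window: queue of this source'"'"'s recent failure times.
        n = ++tail[src]
        ts[src, n] = t
        if (!(src in head)) head[src] = 1
        while (t - ts[src, head[src]] >= win) {
            delete ts[src, head[src]]
            head[src]++
        }
        burst = n - head[src] + 1
        if (burst > peak[src]) peak[src] = burst

        # Distinct sources that failed against the same account.
        if (!((acct, src) in seen)) { seen[acct, src] = 1; nsrc[acct]++ }
    }
    END {
        for (s in fails) {
            if (fails[s] > max_fail)     print "source", s, "failures=" fails[s]
            else if (peak[s] > max_win)  print "source", s, "burst=" peak[s]
        }
        for (a in nsrc)
            if (nsrc[a] >= min_src)      print "account", a, "sources=" nsrc[a]
    }' | LC_ALL=C sort
}

# Constructed log. alice mistypes three times and then gets in; bob is hit
# several times per second; carol is tried once each from three addresses;
# dave is tried slowly but persistently from one address.
sample_auth_log() {
    cat <<'EOF'
1000 198.51.100.7 alice FAIL
1004 198.51.100.7 alice FAIL
1009 198.51.100.7 alice FAIL
1015 198.51.100.7 alice OK
2000 203.0.113.9 bob FAIL
2000 203.0.113.9 bob FAIL
2000 203.0.113.9 bob FAIL
2001 203.0.113.9 bob FAIL
2001 203.0.113.9 bob FAIL
3000 192.0.2.1 carol FAIL
3050 192.0.2.2 carol FAIL
3100 192.0.2.3 carol FAIL
4000 192.0.2.50 dave FAIL
4010 192.0.2.50 dave FAIL
4020 192.0.2.50 dave FAIL
4030 192.0.2.50 dave FAIL
4040 192.0.2.50 dave FAIL
4050 192.0.2.50 dave FAIL
EOF
}

# Demo thresholds are kept small to suit the short sample: ceiling of 5
# failures, more than 1 failure per 1-second window, 3 or more sources.
sample_auth_log | detect_bruteforce 5 1 1 3
```

With the ceiling raised to 100, as stan suggests, the slow source against dave drops out while the burst and multi-source findings remain.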


Re: gnome-password-generator replacement?

2017-06-19 Thread stan
On Mon, 19 Jun 2017 07:37:35 +0200
Heinz Diehl  wrote:

> Pwgen uses /dev/urandom, so the statement that those passwords are
> less secure than "fully" random passwords (define "fully random"..) is
> merely of academical nature.

The man page says they are modified to be more memorable, by
some definition, and so are less than completely random.

...generates passwords which are designed to be easily memorized by
humans, while being as secure as possible.  Human-memorable passwords
are never going to be as secure as completely random passwords. ...

I suppose if someone knew I had used pwgen, and incorporated that
pattern knowledge into their attack, that might be true.  But to an
ignorant attacker, these are effectively random passwords.  Or more
importantly, cryptographically secure passwords, since 'password' is a
perfectly legitimate random 8 character string, but not a
cryptographically secure 8 character string.

I'm glad to learn that pwgen uses /dev/urandom.  That is probably the
best solution on a linux system, especially if a hardware random number
generator is feeding entropy into /dev/random, as excess entropy will
be fed into /dev/urandom, enhancing its unpredictability.

> In case of any doubt, you can always do something like
> 
>  head /dev/random | tr -dc A-Za-z0-9 | head -c X
> 
> where X is your password length. Tr also lets you tailor the
> characterset used.

Neat solution.  I like all the predefined character classes for tr.
And it lends itself nicely to a script.


Re: gnome-password-generator replacement?

2017-06-19 Thread Matthew Miller
On Mon, Jun 19, 2017 at 11:33:00AM +0930, Tim wrote:
> Matthew Miller:
> > This seems... unnecessary. 
> Though, I'd say it's accurate.

Maybe, but *entirely* unrelated to the situation here. So I don't see
the value. 

-- 
Matthew Miller

Fedora Project Leader


Re: Is default umask of 022 still reasonable for Fedora?

2017-06-19 Thread stan
On Mon, 19 Jun 2017 07:55:59 +1000
Cameron Simpson  wrote:

> As remarked elsewhere, it does depend on your environment.

Well, yes, but it just seems that the default should be to the most
secure.

> I like 027 myself. Combined with setgid directories it leaves things
> readable by the group of the working area, but otherwise private.
> Then one just arranges group ownership. A workable default.

That seems reasonable, and would be better than the current default.

Thanks.
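
Added example, not from the thread: a shell check of what the umask values discussed here (022, Fedora's 002, Cameron's 027) produce on new files and directories, and how a setgid work-area directory carries into new subdirectories. The function names are hypothetical; everything is created in a throwaway mktemp directory.

```shell
#!/bin/sh
# Added example; function names are assumptions.

# perms PATH: the ten-character mode string from ls, e.g. "-rw-r-----".
perms() { ls -ld "$1" | cut -c1-10; }

# modes_under_umask MASK
# Create a file and a directory under MASK and print "<file> <dir>" modes.
# The body runs in a subshell so the caller's umask is left untouched.
modes_under_umask() (
    d=$(mktemp -d) || exit 1
    umask "$1"
    : > "$d/file"
    mkdir "$d/dir"
    echo "$(perms "$d/file") $(perms "$d/dir")"
    rm -rf "$d"
)

# setgid_workarea MASK
# Build a setgid shared directory (mode 2770), then create a file and a
# subdirectory inside it under MASK. Prints "<shared> <file> <subdir>".
# New entries take the shared directory's group, and new subdirectories
# inherit the setgid bit, so the whole tree stays owned by the work group.
setgid_workarea() (
    d=$(mktemp -d) || exit 1
    mkdir "$d/shared"
    chmod 2770 "$d/shared"
    umask "$1"
    : > "$d/shared/file"
    mkdir "$d/shared/sub"
    echo "$(perms "$d/shared") $(perms "$d/shared/file") $(perms "$d/shared/sub")"
    rm -rf "$d"
)

for mask in 022 002 027 077; do
    echo "umask $mask: $(modes_under_umask "$mask")"
done
echo "setgid work area, umask 027: $(setgid_workarea 027)"
```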
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
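
What the 022 and 027 umasks discussed in this thread produce for new files and directories, and what the setgid directory arrangement adds. This is an added example, not part of any post; the function names mode_under and setgid_child_mode are made up here, and it assumes GNU stat (stat -c) as shipped on Fedora.

```shell
#!/bin/sh
# Added example: effect of umask 022 versus 027, alone and combined with a
# setgid directory. Everything happens in scratch directories from mktemp.
# mode_under and setgid_child_mode are names made up for this sketch.

# mode_under UMASK file|dir: octal mode a newly created file or directory gets.
# The body is a subshell so the umask change does not leak to the caller.
mode_under() (
    umask "$1"
    tmp=$(mktemp -d) || exit 1
    if [ "$2" = dir ]; then mkdir "$tmp/new"; else : > "$tmp/new"; fi
    mode=$(stat -c '%a' "$tmp/new")
    rm -rf "$tmp"
    echo "$mode"
)

# setgid_child_mode UMASK: mode of a subdirectory made inside a setgid
# directory, plus whether a file below it took the directory's group.
# A leading 2 in the mode means the setgid bit was passed down, so the
# whole tree keeps the group of the working area.
setgid_child_mode() (
    umask "$1"
    tmp=$(mktemp -d) || exit 1
    mkdir "$tmp/work"
    chmod g+s "$tmp/work"
    mkdir "$tmp/work/sub"
    : > "$tmp/work/sub/file"
    mode=$(stat -c '%a' "$tmp/work/sub")
    same=no
    if [ "$(stat -c '%g' "$tmp/work/sub/file")" = "$(stat -c '%g' "$tmp/work")" ]; then
        same=yes
    fi
    rm -rf "$tmp"
    echo "$mode group-inherited=$same"
)

# Side-by-side report for the two umasks from the thread.
for u in 022 027; do
    printf 'umask %s: file %s, dir %s, inside setgid dir %s\n' "$u" \
        "$(mode_under "$u" file)" "$(mode_under "$u" dir)" \
        "$(setgid_child_mode "$u")"
done
```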


[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-19 Thread Mark Reynolds


On 06/19/2017 03:14 AM, Blaz Kalan wrote:
> I added these two lines to 99user.ldif:
>
> ObjectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079: 
> object that contains the URI attribute type' SUP top AUXILIARY MAY labeledURI 
> )
> AttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' DESC 'RFC2079: 
> Uniform Resource Identifier with optional label' EQUALITY caseExactMatch 
> SYNTAX  1.3.6.1.4.1.1466.115.121.1.15 )
>
> And looks fine. 
>
> But for 
> AttributeTypes: ( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' DESC 'change 
> sequence number of the entry content' EQUALITY CSNMatch ORDERING 
> CSNOrderingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1 SINGLE-VALUE 
> NO-USER-MODIFICATION USAGE directoryOperation )
>
> I get an error: 
> (Invalid syntax) - attribute type entryCSN: Unknown attribute syntax OID 
> "1.3.6.1.4.1.4203.666.11.2.1"
Well, you can change the syntax to 1.3.6.1.4.1.1466.115.121.1.15, or
remove entryCSN from the user ldif.  entryCSN is only used by OpenLDAP's
replication protocol, it serves no purpose in 389 and can be removed if
you want to.

Regards,
Mark

>
> BR,
> Blaz
> ___
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org


Re: Firefox

2017-06-19 Thread stan
On Sun, 18 Jun 2017 20:28:28 -0600
Lawrence E Graves  wrote:

> Not able to control the maximize control on my firefox web browser.
> If I unmaximize the browser and close it out. When I log back on, it 
> automatically goes to maximize.  Can anybody help with this matter?
> Am I reporting to the list?
> 
This seems like it should be simple, but a search found that it is
anything but.

One recommendation was to install an addon:
The solution is to install Minimize On Start And Close Firefox Add-On.

Other solutions were only applicable when starting from a script
using xdotool, 


#!/bin/bash

#launch the program in the background, with all command-line options
#passed to it.
firefox "$@" &

#grab its process id.
pidno=$!

#wait for a second so that the window has time to fully register.
sleep 1

#use xdotool to make sure that window is raised to the top.
#this is necessary because it won't directly accept xdotool keypresses
#otherwise.
#matches both the pid and the class, to ensure we have the right window.
xdotool search --all --pid $pidno --class firefox windowactivate

#use xdotool again to simulate your hotkey combo.  Adjust as necessary.
xdotool key alt+F9

exit 0


or configuring the window manager if it allowed it, like KDE.

 In KDE KWin can do things like that. Bring Firefox window to the
 front, then hit Alt+F3 and on the menu select 'Advanced' > 'Special
 Window Settings'. At least here you could make it so that (certain)
 Firefox windows are initially minimized.

And for the System Tray, you need to create/modify an application
starter, where the option "Place in System Tray" is checked. In
'kmenuedit', for instance. 

These were all pretty old, so I'm not sure they still work.


Re: Video editing disaster

2017-06-19 Thread Tim
Allegedly, on or about 26 May 2017, Wade Hampton sent:
> I am trying out multiple video editors on Fedora, with very poor
> results and a ton of crashes.  

When I tried this, long ago, I came across the same thing.  As well as;
all the video formats you need are encumbered, and probably not even
available for purchase, and a lot of transcoding was required (which is
not only an awful lot of time wasting, but you lose quality doing that).

I gave up, and used Final Cut Pro on my friend's Mac.

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64 
(always current details of the computer that I'm writing this email on)

Boilerplate:  All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.





Re: gnome-password-generator replacement?

2017-06-19 Thread Tim
Allegedly, on or about 19 June 2017, Patrick O'Callaghan sent:
> I have a number of bank accounts in several countries (for perfectly
> legitimate reasons, I hasten to add) and in my experience each bank
> has its own rules which as often as not mitigate *against* good
> security practice, e.g. forcing you to change the password every 3
> months (which invites password1, password2, password3 ...) or having
> their own peculiar Javascript which blocks you from using a password
> manager. One of them even disallows cut-and-paste, which tempts the
> user to have a password simple enough to remember and type by hand. 

Yes, I'm tired of hosts with special rules, and they often are the
opposite of security.  Such as your password has to be 6 to 8 characters
long.  My long passphrase is far more secure than a 6 to 8 character
sequence, and far easier to type than mixed case and symbols.

I wish these dunderheads would get it through their thick skulls that
hard-to-type passwords do not equal hard-to-crack.

Long ago, I set a password on something, but must have mistyped it in,
the first time around.  It took me ages to try out all the possible
typing errors that might have occurred.  I loathe password entry boxes
that don't let you see what you're typing in.

After one site gave me the runaround with their stupid rules, I set a
passphrase that was my low opinion of the service.  Later on, I had to
say the password to one of their phone help people to resolve a problem.

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64 
(always current details of the computer that I'm writing this email on)

Boilerplate:  All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.

I reserve the right to treat other people in exactly the same way that
they treat me.




Re: gnome-password-generator replacement?

2017-06-19 Thread Tim
Allegedly, on or about 19 June 2017, Tom Horsley sent:
> The sites that crack me up are the ones which have rules
> like "you can only use letters and numbers" in your password.
> Why? That just means anyone trying to guess passwords has
> a much simpler job. 

I can guess two reasons:

Some special characters might get interpreted by their software, rather
than accepted as-is.

Some special characters can't be typed on all computers, or their users
can't type them properly.  e.g. How many times do you see the Brits
mis-use the backtick as an apostrophe?

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64 
(always current details of the computer that I'm writing this email on)

Boilerplate:  All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.

Just because nobody complains, it doesn't mean that all parachutes are
perfect.




Re: gnome-password-generator replacement?

2017-06-19 Thread Fred Smith
On Mon, Jun 19, 2017 at 08:36:35AM -0400, Tom Horsley wrote:
> On Mon, 19 Jun 2017 12:55:28 +0100
> Patrick O'Callaghan wrote:
> 
> > One
> > of them even disallows cut-and-paste, which tempts the user to have a
> > password simple enough to remember and type by hand.
> 
> One of the keepassx features is the ability to simulate
> typing to teach the annoying web designers who is boss :-).
> 
> The sites that crack me up are the ones which have rules
> like "you can only use letters and numbers" in your password.
> Why? That just means anyone trying to guess passwords has
> a much simpler job.

possibly because of brain-dead underlying systems that will accept
only those characters.

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
   Show me your ways, O LORD, teach me your paths;
 Guide me in your truth and teach me,
 for you are God my Savior,
And my hope is in you all day long.
-- Psalm 25:4-5 (NIV) 


Re: gnome-password-generator replacement?

2017-06-19 Thread Tom Horsley
On Mon, 19 Jun 2017 12:55:28 +0100
Patrick O'Callaghan wrote:

> One
> of them even disallows cut-and-paste, which tempts the user to have a
> password simple enough to remember and type by hand.

One of the keepassx features is the ability to simulate
typing to teach the annoying web designers who is boss :-).

The sites that crack me up are the ones which have rules
like "you can only use letters and numbers" in your password.
Why? That just means anyone trying to guess passwords has
a much simpler job.


Re: gnome-password-generator replacement?

2017-06-19 Thread Patrick O'Callaghan
On Mon, 2017-06-19 at 00:17 -0700, Joe Zeff wrote:
> On 06/18/2017 08:21 PM, Tim wrote:
> > I completely agree, it's just as impossible to guess that a password is
> > "$#DfSGxS" as "sickturtlepyjamas", and I know which one is easier to
> > remember and type.  With the peculiar password rules, I have no choice
> > but to do the insecure and write down passwords somewhere (whether
> > that's on paper or on file).  You're not supposed to write passwords
> > down anywhere.
> 
> I may have mentioned this before, but I have a friend who uses (roughly) 
> ThisIsAVeryVeryLongPassword for his WiFi, on the grounds that it's just 
> as hard to guess as the type of gibberish that most security "experts" 
> recommend, and a lot easier to remember.

The problem with many of these "rules" is that they don't apply
universally. A password suitable for a banking site is one thing, and a
password for your home Wifi network is another. Never write down the
first one (use a password manager), but feel free to write down the
second one and keep it in a drawer. And where possible, use your router
to configure a guest network with a different password and more
restricted access for those times when you have visitors.

I have a number of bank accounts in several countries (for perfectly
legitimate reasons, I hasten to add) and in my experience each bank has
its own rules which as often as not mitigate *against* good security
practice, e.g. forcing you to change the password every 3 months (which
invites password1, password2, password3 ...) or having their own
peculiar Javascript which blocks you from using a password manager. One
of them even disallows cut-and-paste, which tempts the user to have a
password simple enough to remember and type by hand.

poc


Re: Video editing disaster

2017-06-19 Thread Ian Chapman

On 27/05/17 08:53, Wade Hampton wrote:
> I am trying out multiple video editors on Fedora, with very poor results
> and a ton of crashes.


There is also LightWorks (https://www.lwks.com). There's an RPM 
available for Fedora, although the software does require you to have a 
lightworks account but it's free.


--
Ian Chapman.


Re: gnome-password-generator replacement?

2017-06-19 Thread Gour
On Mon, 19 Jun 2017 06:03:08 -0400
Tom Horsley  wrote:

> I use keepassx to not only generate, but also store passwords.

I was using the same, but now find (qt)pass more pleasant to use.


Sincerely,
Gour

-- 
As the ignorant perform their duties with attachment to results,
the learned may similarly act, but without attachment, for the
sake of leading people on the right path.



Re: gnome-password-generator replacement?

2017-06-19 Thread Tom Horsley
I use keepassx to not only generate, but also store passwords.
It has lots of rules you can select about how to generate
passwords, which is useful, because lots of web sites
have idiotic requirements for passwords, and you can plug
those idiot requirements into the password generator.


Re: gnome-password-generator replacement?

2017-06-19 Thread Joe Zeff

On 06/18/2017 08:21 PM, Tim wrote:
> I completely agree, it's just as impossible to guess that a password is
> "$#DfSGxS" as "sickturtlepyjamas", and I know which one is easier to
> remember and type.  With the peculiar password rules, I have no choice
> but to do the insecure and write down passwords somewhere (whether
> that's on paper or on file).  You're not supposed to write passwords
> down anywhere.


I may have mentioned this before, but I have a friend who uses (roughly) 
ThisIsAVeryVeryLongPassword for his WiFi, on the grounds that it's just 
as hard to guess as the type of gibberish that most security "experts" 
recommend, and a lot easier to remember.



[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-19 Thread Blaz Kalan
I added these two lines to 99user.ldif:

ObjectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079: 
object that contains the URI attribute type' SUP top AUXILIARY MAY labeledURI )
AttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' DESC 'RFC2079: Uniform 
Resource Identifier with optional label' EQUALITY caseExactMatch SYNTAX  
1.3.6.1.4.1.1466.115.121.1.15 )

And looks fine. 

But for 
AttributeTypes: ( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' DESC 'change 
sequence number of the entry content' EQUALITY CSNMatch ORDERING 
CSNOrderingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1 SINGLE-VALUE 
NO-USER-MODIFICATION USAGE directoryOperation )

I get an error: 
(Invalid syntax) - attribute type entryCSN: Unknown attribute syntax OID 
"1.3.6.1.4.1.4203.666.11.2.1"

BR,
Blaz


[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-19 Thread Blaz Kalan
Hi, 
yes I find all these attributes and class in openLDAP schema files, there is:

olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' DESC 'change 
sequence number of the entry content' EQUALITY CSNMatch ORDERING 
CSNOrderingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1{64} SINGLE-VALUE 
NO-USER-MODIFICATION USAGE directoryOperation )

olcObjectClasses: {23}( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 
'RFC2079: object that contains the URI attribute type' SUP top AUXILIARY MAY 
labeledURI

olcAttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' DESC 'RFC2079: 
Uniform Resource Identifier with optional label' EQUALITY caseExactMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15 )

Br, Blaz