fly.
---
() ascii ribbon campaign against html e-mail
/\ www.asciiribbon.org
-Original Message-
From: Leo Bicknell [mailto:bickn...@ufp.org]
Sent: Wednesday, 20 June, 2012 15:39
To: nanog@nanog.org
Subject: Re: LinkedIn password database compromised
In a message written on Wed
2. Pre-compromised-at-the-factory smartphones and similar. There's
no reason why these can't be preloaded with spyware similar to CarrierIQ
and directed to upload all newly-created private keys to a central
collection point. This can be done, therefore it will be done, and when
some
[mailto:bickn...@ufp.org]
Sent: Wednesday, 20 June, 2012 15:39
To: nanog@nanog.org
Subject: Re: LinkedIn password database compromised
In a message written on Wed, Jun 20, 2012 at 02:19:15PM -0700, Leo Vegoda
wrote:
Key management: doing it right is hard and probably beyond most end users.
I could
Rich Kulawiec r...@gsp.org wrote:
On Wed, Jun 20, 2012 at 12:43:44PM -0700, Leo Bicknell wrote:
(on the use of public/private keys)
The leaks stop immediately. There's almost no value in a database of
public keys, heck if you want one go download a PGP keyring now.
It's a nice
Still playing devil's advocate here, but does this still not resolve the
human factor of implementation?
--
- Robert Miller
(arch3angel)
On 6/22/12 7:43 AM, Robert Bonomi wrote:
Rich Kulawiec r...@gsp.org wrote:
On Wed, Jun 20, 2012 at 12:43:44PM -0700, Leo Bicknell wrote:
(on the use of
Anonymity on the Internet is a feature, because a lot of the world's
netcitizens come from countries where saying this or that is a crime,
and can get you in trouble.
Any asymmetric cryptography solution that removes anonymity is a bad
thing. Making censorship easier on the internet is making it
On Wed, Jun 20, 2012 at 12:43:44PM -0700, Leo Bicknell wrote:
(on the use of public/private keys)
The leaks stop immediately. There's almost no value in a database of
public keys, heck if you want one go download a PGP keyring now.
It's a nice thought, but it won't work. There are two
Tei oscar.vi...@gmail.com wrote:
Anonymity on the Internet is a feature, because a lot of the world's
netcitizens come from countries where saying this or that is a crime,
and can get you in trouble.
Note that you need to make a distinction between pseudonymity and
anonymity. In most online
I have two concerns with this thought, while at the same time intrigued
by it.
How will this prevent man-in-the-middle attacks, either at the user's
location, the server location, or even on the compromised server itself
where the attacker is just gathering data? These are the same concerns we
If anyone has a really good idea how to fix this mess, it would be a
good idea to contact Jeff Atwood (of codehorror.com and
stackoverflow.com fame). He and other people are working on a new
internet approach to discussions. Think forums 2.0. If this new pet
rock succeeds, it could change how
I want to start by saying, there are lots of different security problems
with accessing a cloud service. Several folks have already brought up
issues like compromised user machines or actually verifying identity.
One of the problems in this space I think is that people keep looking
for a silver
this conversation in?
LinkedIn password database compromised
or
How to fix authentication (was LinkedIn)
:-)
- Robert Miller
(arch3angel)
On 6/21/12 11:05 AM, Leo Bicknell wrote:
I want to start by saying, there are lots of different security problems
with accessing a cloud service. Several folks have
On Thu, Jun 21, 2012 at 12:56 PM, Rich Kulawiec r...@gsp.org wrote:
On Wed, Jun 20, 2012 at 12:43:44PM -0700, Leo Bicknell wrote:
(on the use of public/private keys)
The leaks stop immediately. There's almost no value in a database of
public keys, heck if you want one go download a PGP
- Original Message -
From: Tei oscar.vi...@gmail.com
If anyone has a really good idea how to fix this mess, it would be a
good idea to contact Jeff Atwood (of codehorror.com and
stackoverflow.com fame). He and other people are working on a new
internet approach to discussions.
On Thu, Jun 21, 2012 at 08:33:47AM +0900, Randy Bush wrote:
would be interested to hear smb on this.
+1. I've been reading and thinking about:
http://www.ietf.org/id/draft-bellovin-hpw-01.txt
for quite some time, and I recommend that others interested in
this topic do the same.
I normally don't respond and just sit back leeching knowledge, however
this incident with LinkedIn eHarmony strikes close to home. Not just
because my password was in this list of dumped LinkedIn accounts, but
the fact that this incident struck virtually every business professional
and
In a message written on Wed, Jun 20, 2012 at 03:30:58PM -0400, AP NANOG wrote:
So the question falls back on how can we make things better?
Dump passwords.
The tech community went through this back in oh, 1990-1993 when
folks were sniffing passwords with tcpdump and sysadmins were using
Telnet.
Hi,
Leo Bicknell wrote:
[public key cryptography]
What's missing? A pretty UI for the users. Apple, Mozilla, W3C,
Microsoft IE developers and so on need to get their butts in gear and make a
pretty UI to create personal key material, send the public key as part of a
sign up form, import a
What's missing? A pretty UI for the users. Apple, Mozilla, W3C,
perhaps this is a good starting point:
http://gpg4usb.cpunk.de/
GPLv3, lightweight, portable, compatibility with GNU/Linux and Windows
Exactly!
Passwords = Fail
All we can do is make it as difficult as possible for them to crack it
until the developers decide to make pretty eye candy.
- Robert Miller
(arch3angel)
On 6/20/12 3:43 PM, Leo Bicknell wrote:
In a message written on Wed, Jun 20, 2012 at 03:30:58PM -0400, AP
In a message written on Wed, Jun 20, 2012 at 02:19:15PM -0700, Leo Vegoda wrote:
Key management: doing it right is hard and probably beyond most end users.
I could not be in more violent disagreement.
First time a user goes to sign up on a web page, the browser should
detect it wants a key
(Fight of the Leos...)
bickn...@ufp.org (Leo Bicknell) wrote:
Users would find it much more convenient and wonder why we ever used
passwords, I think...
Yeah cool. Shame I have three accounts on peerindb.com alone...
On 6/20/2012 2:39 PM, Leo Bicknell wrote:
Users would find it much more convenient and wonder why we ever used
passwords, I think...
Yes. Those users who have a single computer with a single browser. For
anyone with a computer *and* a smartphone, however, there's a huge
missing piece. And
On Wed, Jun 20, 2012 at 2:44 PM, Elmar K. Bins e...@4ever.de wrote:
(Fight of the Leos...)
bickn...@ufp.org (Leo Bicknell) wrote:
Users would find it much more convenient and wonder why we ever used
passwords, I think...
Yeah cool. Shame I have three accounts on peerindb.com alone...
On Jun 20, 2012, at 5:54 PM, Matthew Kaufman wrote:
On 6/20/2012 2:39 PM, Leo Bicknell wrote:
Users would find it much more convenient and wonder why we ever used
passwords, I think...
Yes. Those users who have a single computer with a single browser. For anyone
with a computer *and* a
In a message written on Wed, Jun 20, 2012 at 03:05:17PM -0700, Aaron C. de
Bruyn wrote:
You're right. Multiple accounts is unpossible in every way except
prompting for usernames and passwords in the way we do it now.
The whole ssh-having-multiple-identities thing is a concept that could
On Wed, 20 Jun 2012 14:39:14 -0700, Leo Bicknell said:
In a message written on Wed, Jun 20, 2012 at 02:19:15PM -0700, Leo Vegoda
wrote:
Key management: doing it right is hard and probably beyond most end users.
I could not be in more violent disagreement.
I have to agree with Leo on this
In a message written on Wed, Jun 20, 2012 at 06:37:50PM -0400,
valdis.kletni...@vt.edu wrote:
I have to agree with Leo on this one. Key management *is* hard - especially
the part about doing secure key management in a world where Vint Cerf
says there's 140M pwned boxes. It's all nice and
leo,
what is the real difference between my having holding the private half
of an asymmetric key and my holding a good passphrase for some site?
that the passphrase is symmetric?
First time a user goes to sign up on a web page, the browser should
detect it wants a key uploaded and do a simple
In a message written on Thu, Jun 21, 2012 at 08:02:58AM +0900, Randy Bush wrote:
what is the real difference between my having holding the private half
of an asymmetric key and my holding a good passphrase for some site?
that the passphrase is symmetric?
The fact that it is symmetric leads to
The fact that it is symmetric leads to the problem.
Even if the attacker had fully compromised the server end they get
nothing. There's no replay attack. No shared secret they can use to log
into another web site. Zero value.
with per-site passphrases there is no cross-site threat. there
On 6/8/12 7:22 PM, Luke S. Crawford wrote:
I haven't found any way that is as simple and as portable as using
ssh that works in a web browser.
The Enigform Firefox Add-on (plus mod_openpgp on Apache httpd) seems
similar:
http://wordpress.org/extend/plugins/wp-enigform-authentication/
Hi Everyone,
I thought that I would share an IEEE article about LinkedIn and eHarmony.
http://spectrum.ieee.org/riskfactor/telecom/security/linkedin-and-eharmony-hacked-8-million-passwords-taken/?utm_source=computerwiseutm_medium=emailutm_campaign=061312
-Grant
On Wed, Jun 13, 2012 at 1:05
On Thu, Jun 07, 2012 at 03:49:18PM -0700, Randy Bush wrote:
open source sure would be good
I think it's mandatory. It's the only way we can have even modest trust
that it does what it claims to do. And...as the last week's events have
shown us...vendor-signed software sometimes isn't.
---rsk
On 6/7/12, Aaron C. de Bruyn aa...@heyaaron.com wrote:
A TLS + Client-Side X.509 Certificate for every user.
Heck no to X.509. We'd run into the same issue we have right now--a
select group of companies charging users to prove their identity.
The PKI infrastructure and authority
On 08/06/2012, at 2:09 AM, Aaron C. de Bruyn aa...@heyaaron.com wrote:
I would think it's fairly simple.
What if she forgot her existing password? Most sites have a 'reset
password' link they e-mail you.
I especially like the ones that email back your password in clear text...
Sadly this
On Fri, Jun 8, 2012 at 5:09 AM, Jimmy Hess mysi...@gmail.com wrote:
The PKI infrastructure and authority validation components are not
required. Even if they were -- anyone can set up a PKI infrastructure,
the problem is trust.
We don't need all the 'PKI' crap to do this. We already have
David Walker wrote:
Self-signed certificates do sound great and for most purposes,
certainly in this case, fulfill all the requirements. There's no need
to verify anything about me is correct other than to tie my
authentication to my account. If I fail to meet the TOS then the plug
is
On Wed, Jun 06, 2012 at 07:43:42PM -0700, Aaron C. de Bruyn wrote:
Why haven't we taken this out of the hands of website operators yet?
Why can't I use my ssh-agent to sign in to a website just like I do
for about hundred servers, workstations, and my PCs at home?
One local password used
On Wed, Jun 6, 2012 at 8:34 PM, Jimmy Hess mysi...@gmail.com wrote:
Which digital id architecture should web sites implement, and what's
going to make them all agree on one SSO system and move from the
current state to one of the possible solutions though? :)
A TLS + Client-Side
On Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote:
Imagine signing up for a site by putting in your email and pasting
your public key.
Yes! Yes! Yes!
I've been making this exact argument for about a year. It even retains
the same email a link reset mechanism when someone
On 6/7/2012 9:22 AM, James Snow wrote:
On Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote:
Imagine signing up for a site by putting in your email and pasting
your public key.
Yes! Yes! Yes!
I've been making this exact argument for about a year. It even retains
the same email a
In a message written on Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de
Bruyn wrote:
Heck no to X.509. We'd run into the same issue we have right now--a
select group of companies charging users to prove their identity.
Why?
A user providing the public half of a self-signed certificate is
On Jun 7, 2012, at 9:58 AM, Leo Bicknell wrote:
In a message written on Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de
Bruyn wrote:
Heck no to X.509. We'd run into the same issue we have right now--a
select group of companies charging users to prove their identity.
...
For
On 07/06/12 6:36 AM, Peter Kristolaitis wrote:
Plus, now you have the problem of users not being able to login to
their favourite websites when they're using a friend's computer,
internet cafe, etc, unless they've remembered to bring a copy of their
private key with them.
I've run into this
On Thu, Jun 7, 2012 at 6:36 AM, Peter Kristolaitis alte...@alter3d.ca wrote:
On 6/7/2012 9:22 AM, James Snow wrote:
On Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote:
Imagine if the website has a lock on it, and you tell them what key you
want to use by giving them a copy.
...@jeffmurphy.org]
Sent: Thursday, June 07, 2012 10:06 AM
To: Nanog
Subject: Re: LinkedIn password database compromised
On Jun 7, 2012, at 9:58 AM, Leo Bicknell wrote:
In a message written on Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron
C. de Bruyn wrote:
Heck no to X.509. We'd run into the same
On Jun 7, 2012, at 2:14 AM, Aaron C. de Bruyn wrote:
Imagine signing up for a site by putting in your email and pasting
your public key.
I'm imagining my mother trying this, or trying to help her change it after the
hard drive dies and the media in the safe deposit box doesn't read
On Thu, Jun 7, 2012 at 8:58 AM, Jared Mauch ja...@puck.nether.net wrote:
I'm imagining my mother trying this, or trying to help her change it after
the hard drive dies and the media in the safe deposit box doesn't read
anymore.
I would think it's fairly simple.
What if she forgot her
On Thu, Jun 7, 2012 at 11:58 AM, Jared Mauch ja...@puck.nether.net wrote:
On Jun 7, 2012, at 2:14 AM, Aaron C. de Bruyn wrote:
Imagine signing up for a site by putting in your email and pasting
your public key.
I'm imagining my mother trying this, or trying to help her change it after
-
From: Aaron C. de Bruyn [mailto:aa...@heyaaron.com]
Sent: Thursday, June 07, 2012 11:10 AM
To: Jared Mauch
Cc: Nanog
Subject: Re: LinkedIn password database compromised
On Thu, Jun 7, 2012 at 8:58 AM, Jared Mauch ja...@puck.nether.net wrote:
I'm imagining my mother trying this, or trying to help
On 6/7/2012 8:58 AM, Jared Mauch wrote:
On Jun 7, 2012, at 2:14 AM, Aaron C. de Bruyn wrote:
Imagine signing up for a site by putting in your email and pasting
your public key.
I'm imagining my mother trying this, or trying to help her change it
after the hard drive dies and the media in
hi etaoin,
I still don't want single sign on. Not anywhere.
i believe that 'single sign on' is a bad deal and dangerous for all, not
just we geeks. essentially it means that the 'identity provider' owns
your identity. i love that they call themselves 'identity providers'
when it is MY
On Thu, Jun 7, 2012 at 1:03 PM, Randy Bush ra...@psg.com wrote:
hi etaoin,
I still don't want single sign on. Not anywhere.
i believe that 'single sign on' is a bad deal and dangerous for all, not
just we geeks. essentially it means that the 'identity provider' owns
your identity. i love
so... now that this can is open, has anyone looked at:
http://www.oneid.com/
yep. yet another bucket of identity slime wanting to resell my
identity.
randy
The problem:
- Modern internet users must have lots of different login/passwords around
the internet. Most of them in easy-to-break poorly-patched poorly-managed
servers, like linkedin.
The solution:
- Reduce the number of authentication. Allow anonymous posting in more
sites.
Imagine this.
On Thu, Jun 7, 2012 at 1:30 PM, Tei oscar.vi...@gmail.com wrote:
The problem:
- Modern internet users must have lots of different login/passwords around
the internet. Most of them in easy-to-break poorly-patched poorly-managed
servers, like linkedin.
The solution:
- Reduce the number of
so... now that this can is open, has anyone looked at:
http://www.oneid.com/
yep. yet another bucket of identity slime wanting to resell my
identity.
maybe? they don't seem to want to be the 'identity provider' directly
though, or rather they point out that your corporation could be
On Thu, 07 Jun 2012 13:33:59 -0400, Marshall Eubanks said:
Maybe so, but anonymous entries on linkedin seems like a zen koan,
beyond the powers of my simple mind.
There's a distinction between anonymous and pseudonymous. I'm
certainly not the former, but to all but maybe a dozen or two
On Jun 6, 2012, at 11:14 PM, Aaron C. de Bruyn wrote:
On Wed, Jun 6, 2012 at 8:34 PM, Jimmy Hess mysi...@gmail.com wrote:
Which digital id architecture should web sites implement, and what's
going to make them all agree on one SSO system and move from the
current state to one of the
On Jun 7, 2012, at 6:36 AM, Peter Kristolaitis wrote:
On 6/7/2012 9:22 AM, James Snow wrote:
On Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote:
Imagine signing up for a site by putting in your email and pasting
your public key.
Yes! Yes! Yes!
I've been making this exact
On Thu, Jun 7, 2012 at 12:24 PM, Owen DeLong o...@delong.com wrote:
Heck no to X.509. We'd run into the same issue we have right now--a
select group of companies charging users to prove their identity.
Not if enough of us get behind CACERT.
Yet again, another org (free or not) that is
...@heyaaron.com]
Sent: Thursday, June 07, 2012 11:10 AM
To: Jared Mauch
Cc: Nanog
Subject: Re: LinkedIn password database compromised
On Thu, Jun 7, 2012 at 8:58 AM, Jared Mauch ja...@puck.nether.net wrote:
I'm imagining my mother trying this, or trying to help her change it after
the hard
I gotta agree with Aaron here. What would be my motivation to trust an
open and public infrastructure? With my business or personal keys?
-Hammer-
I was a normal American nerd
-Jack Herer
On 6/7/2012 2:37 PM, Aaron C. de Bruyn wrote:
On Thu, Jun 7, 2012 at 12:24 PM, Owen
On Jun 7, 2012, at 10:03 AM, Randy Bush wrote:
hi etaoin,
I still don't want single sign on. Not anywhere.
i believe that 'single sign on' is a bad deal and dangerous for all, not
just we geeks. essentially it means that the 'identity provider' owns
your identity. i love that they
On Jun 7, 2012, at 12:37 PM, Aaron C. de Bruyn wrote:
On Thu, Jun 7, 2012 at 12:24 PM, Owen DeLong o...@delong.com wrote:
Heck no to X.509. We'd run into the same issue we have right now--a
select group of companies charging users to prove their identity.
Not if enough of us get behind
A proper CA does not have your business or personal keys, they merely
sign them and attest to the fact that they actually represent you. You are
free to seek and obtain such validation from any and as many parties as
you see fit.
At no point should any CA be given your private key data. They
Thank you for educating without insulting. Always professional Owen.
It's appreciated.
-Hammer-
I was a normal American nerd
-Jack Herer
On 6/7/2012 3:18 PM, Owen DeLong wrote:
A proper CA does not have your business or personal keys, they merely
sign them and attest to the fact that they
It also allows them to sign anyone they want as someone pretending to be you,
but with a different key pair.
Just like the DMV could, if it wanted to (or was ordered to) issue a driver's
license with my name and DL number but an FBI agent's photo and thumbprint
associated.
You'd want your
Hi Randy,
Le jeudi 07 juin 2012 à 10:03 -0700, Randy Bush a écrit :
hi etaoin,
I still don't want single sign on. Not anywhere.
i believe that 'single sign on' is a bad deal and dangerous for all, not
just we geeks. essentially it means that the 'identity provider' owns
your identity.
On 07/06/2012, Lynda shr...@deaddrop.org wrote:
Sorry to be the bearer of such bad tidings.
I'm a very amateur cryptologist so some of this is new to me:
Any organization using SHA-1 without salting user passwords is
running a great risk -- much higher than they should, said Per
Thorsheim, chief
No argument about that at all.
Owen
On Jun 7, 2012, at 2:26 PM, Matthew Kaufman wrote:
It also allows them to sign anyone they want as someone pretending to be you,
but with a different key pair.
Just like the DMV could, if it wanted to (or was ordered to) issue a driver's
license with
On 08/06/2012, Matthew Kaufman matt...@matthew.at wrote:
It also allows them to sign anyone they want as someone pretending to be
you, but with a different key pair.
You're exactly correct but in this case I don't think CAs are necessary
and probably detrimental so it's moot.
Currently I don't
the 'single sign on' i encourage for the end using human beings i
support is 1password and its ilk. it provides the user with one
sign-on yet strongly encourages separation of identities and strong
passwords for sites.
Local repository of passwords, aggregation in a way. Right? Encrypted?
In message 4fd0ae52.20...@alter3d.ca, Peter Kristolaitis writes:
On 6/7/2012 9:22 AM, James Snow wrote:
On Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote:
Imagine signing up for a site by putting in your email and pasting
your public key.
Yes! Yes! Yes!
I've been
Plus, now you have the problem of users not being able to login to
their favourite websites when they're using a friend's computer,
internet cafe, etc, unless they've remembered to bring a copy of their
private key with them.
this is a feature, not a bug. you should be explaining to them why
On Jun 7, 2012, at 19:24, Randy Bush wrote:
this is a feature, not a bug. you should be explaining to them why they
should never type passwords on another's keyboard, log on to anything
from an internet cafe, ...
And this is where you lose the user. It doesn't matter that you're entirely
this is a feature, not a bug. you should be explaining to them why
they should never type passwords on another's keyboard, log on to
anything from an internet cafe, ...
And this is where you lose the user.
actually, not. it's like safe sex, an analogy they understand. you may
be tempted
Sorry to be the bearer of such bad tidings. Please note that I'm doing a
quick copy/paste from a notification I received. I've edited it a bit.
Please note that LinkedIn has weighed in with a carefully worded blog post:
http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
On Wed, Jun 6, 2012 at 9:33 PM, Lynda shr...@deaddrop.org wrote:
Sorry to be the bearer of such bad tidings. Please note that I'm doing a
quick copy/paste from a notification I received. I've edited it a bit.
Please note that LinkedIn has weighed in with a carefully worded blog post:
On Wed, Jun 6, 2012 at 7:19 PM, Marshall Eubanks
marshall.euba...@gmail.com wrote:
On Wed, Jun 6, 2012 at 9:33 PM, Lynda shr...@deaddrop.org wrote:
In other words, if you have a LinkedIn account, expect that the password has
been stolen. Go change your password now. If you used that password
On 6/6/12, Aaron C. de Bruyn aa...@heyaaron.com wrote:
[snip]
One local password used everywhere that can't be compromised through
website stupidity...
One local password is an excellent idea of course.
Remote servers directly handling user created credentials should be appended
to the list