31 Years of the Digest ... founded August 21, 1981
The Telecom Digest for December 2, 2012
====== 31 years of TELECOM Digest -- Founded August 21, 1981 ======
Telecom and VOIP (Voice over Internet Protocol) Digest for the
Internet. All contents here are copyrighted by Bill Horne and
the individual writers/correspondents. Articles may be used in other
journals or newsgroups, provided the writer's name and the Digest are
included in the fair use quote. By using any name or email address
included herein for any reason other than responding to an article
herein, you agree to pay a hundred dollars to that person, or email address
Addresses herein are not to be added to any mailing list, nor to be sold or given away without the explicit written consent of the owner of that address. Chain letters, viruses, porn, spam, and miscellaneous junk are definitely unwelcome.
We must fight spam for the same reason we fight crime: not because we are naive enough to believe that we will ever stamp it out, but because we do not want the kind of world that results when no one stands against crime. - Geoffrey Welsh
See the bottom of this issue for subscription and archive details and the name of our lawyer, and other stuff of interest.
Date: Thu, 29 Nov 2012 13:16:05 -0600
From: firstname.lastname@example.org (PV)
To: email@example.com
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <VsadnYjkZJzoKSrNnZ2dnUVZ_vmdnZ2d@supernews.com>

Frank Stearns <firstname.lastname@example.org> writes:

>Forgive me for being ignorant, but doesn't the bad guy have to then try each
>password variant s/he generates?

It depends. With no information to start with, they have to do that, and most sane systems will detect brute-forcing. That's not what the story is about though.

Brute-forcing in an offline mode (which is where the video card or PAL based systems come into play) works if you have the password's hash. A hash is the output of a one-way scramble of your password - text goes in, and some number of bits come back (usually 128 or 256), such that if even one character of the password is changed, you get an entirely different hash. Password hashes are stored in files or databases (on some unix systems, infamously /etc/passwd or /etc/shadow), and those files can be accidentally exposed to a website or otherwise lifted during a breakin.

So, what the hacker has to do is hash lots and lots of passwords, and then compare the resulting value to the hash value that they stole. If they get a match, that means they can enter the password on the site, and it will be the same as you entering your password. They do their dictionary first, and then start working on character patterns a letter at a time.

The issues are that some hashing algorithms (md5 for example) are showing their age, and you can even pre-hash all possible values in what's called a "rainbow table" so you don't even need to brute-force anymore - you just look up the password corresponding to the hash. Better hashing algorithms mean the cost of running a hash is higher, making the process of breaking the password more expensive.

Even better, there's the concept of adding "salt" (an additional string added to every password, either fixed or even unique by user) to the hash, so rainbow tables are either site-specific, or worthless, depending on how it's employed. Salt has existed with hashes for decades, but you STILL find situations every day where they forgot to use it.

What to learn from the article is that there's no such thing as a "clever and rememberable" password. Modern password dictionaries aren't simply the contents of /usr/dict/words; they're hundreds of megabytes of lessons learned over decades of successful password cracks. The ONLY good password is a long and totally random one consisting of all typable characters. Personally, I use LastPass for everything, so every site I go to has a unique password, with values like 'Bd29$UCsPrY9'. My password vault itself is secured by a 40 character passphrase, and backed up with a second factor (a yubikey).

* -- * PV
Something like badgers, something like lizards, and something like corkscrews.
Date: Sat, 01 Dec 2012 17:49:34 -0600
From: Frank Stearns <email@example.com>
To: firstname.lastname@example.org
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <5r2dnWfFxpsTCifNnZ2dnUVZ_oidnZ2d@posted.palinacquisition>

email@example.com (PV) writes:

>Frank Stearns <firstname.lastname@example.org> writes:
>>Forgive me for being ignorant, but doesn't the bad guy have to then try each
>>password variant s/he generates?

>It depends. With no information to start with, they have to do that, and most
>sane systems will detect brute-forcing. That's not what the story is about
>though.

<snips to avoid duplication>

Thank you for the background! A highly educational post.

Frank
--
Date: Sat, 01 Dec 2012 21:18:53 -0500
From: Pete Cresswell <PeteCress@invalid.telecom-digest.org>
To: email@example.com
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <firstname.lastname@example.org>

Per PV:

>It depends. With no information to start with, they have to do that, and most
>sane systems will detect brute-forcing. That's not what the story is about
>though.
>
>Brute-forcing in an offline mode.....

Thanks! Now the thread jells for me.

--
Pete Cresswell
Date: Sat, 01 Dec 2012 21:30:35 -0500
From: Pete Cresswell <PeteCress@invalid.telecom-digest.org>
To: email@example.com
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <firstname.lastname@example.org>

Per PV:

>What to learn from the article is that there's no such thing as a "clever and
>rememberable" password. Modern password dictionaries aren't simply the
>contents of /usr/dict/words; they're hundreds of megabytes of lessons learned
>over decades of successful password cracks. The ONLY good password is a long
>and totally random one consisting of all typable characters. Personally, I
>use LastPass for everything, so every site I go to has a unique password,
>with values like 'Bd29$UCsPrY9'.

Not to beat a dead horse... but... If I'm understanding this thread correctly:

- Sites and DBs do not record a user's password. Instead they record the hashed result and apply the hashing algorithm to whatever the user types in.

- The password compromises referred to start with the hostile entity obtaining the site or DB's table of hash values/users.

- The massive computation comes in when it's time to figure out what password created each hash value.

- The value in extremely long and arcane (basically nonsense) strings lies in the additional computational power needed to back into the hashed value.

- (and I'm extrapolating here) Cases where somebody "hacks" somebody's email account, unless many accounts under the same provider were also "hacked" are mostly just some individual either guessing somebody's PW from information they know about the person or the person's PW having been compromised some way - like in an email message, or harvested by malware.

--
Pete Cresswell
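The mechanism PV explains and Pete recaps above (a site stores only a hash, the attacker steals the hash table and works offline, a rainbow-style lookup defeats unsalted MD5, a per-user salt and a slower hash raise the cost per guess), shown as an added Python example that is not part of the Digest. The candidate wordlist and user record are constructed here, and PBKDF2 stands in for the "better hashing algorithm" PV mentions.

```python
import hashlib
import hmac
import os

# Constructed sample "dictionary": a handful of candidate passwords standing in
# for the hundreds of megabytes of real cracking wordlists the thread mentions.
CANDIDATES = ["password", "letmein", "qwerty", "dragon", "Bd29$UCsPrY9"]
ITERATIONS = 100_000  # PBKDF2 work factor: each guess costs this many HMACs


def unsalted_md5(password):
    """The aged scheme from the thread: one MD5 over the bare password."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once. This is the idea behind a rainbow
    table: with no salt, one table serves against every site and every user."""
    return {unsalted_md5(p): p for p in candidates}


def lookup_unsalted(stolen_hash, table):
    """Recovering an unsalted hash is a table lookup, not computation."""
    return table.get(stolen_hash)


def derive(password, salt, iterations=ITERATIONS):
    """Salted, iterated hash: PV's "salt" plus a deliberately slow algorithm."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password):
    """What a site should store: a random per-user salt and the derived hash,
    never the password itself (Pete's first bullet)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive(password, salt)}


def verify(password, record):
    """Login: rerun the derivation with the stored salt and compare in
    constant time, which is all the site does with whatever the user types."""
    return hmac.compare_digest(derive(password, record["salt"]), record["hash"])


def crack_salted(record, candidates):
    """An attacker holding a stolen record gets no help from a precomputed
    table: every candidate must be re-derived with this user's salt, paying
    ITERATIONS hashes per guess. Returns the password only if the wordlist
    contains it, which is why a long random value never matches."""
    for p in candidates:
        if hmac.compare_digest(derive(p, record["salt"]), record["hash"]):
            return p
    return None
```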
Date: Fri, 30 Nov 2012 11:11:33 -0500
From: T <email@example.com>
To: firstname.lastname@example.org
Subject: Re: So You're a Good Driver? Let's Go to the Monitor
Message-ID: <MPG.email@example.com>

In article <firstname.lastname@example.org>, email@example.com says...
>
> So You're a Good Driver? Let's Go to the Monitor
>
> By RANDALL STROSS
> November 24, 2012
>
> LAST week, under my car's dashboard, I installed a small wireless
> gadget that would monitor my driving. I wanted to see how it felt to
> have my driving behavior captured, sent to an insurance company and
> analyzed. More drivers, seeking discounts on auto insurance, are
> voluntarily doing just that.

[snip]

> http://www.nytimes.com/2012/11/25/business/seeking-cheaper-insurance-drivers-accept-monitoring-devices.html
>
>
> ***** Moderator's Note *****
>
> Would it affect my rates if an insurance company figured out that I
> was stopping at the V.F.W. for a drink on my way home from work? Come
> to think of it, Route 128 (the arterial road around Boston, sometimes
> called "I-95" by Barneys) has a 55 MPH speed limit posted, but I'd get
> run over if I didn't do at least 65. Is that a significant risk?
>
> If I was elected to the Legislature, would I want it known that I
> wasn't at the statehouse most of the time? Would I want it known that
> I didn't have a transponder? I wonder what having a mistress would do
> to my rates: could someone influence my votes by offering to disclose
> where I was on a particular date at a particular time?
>
> Bill Horne
> Moderator

LOL - and I can think of numerous attack vectors for those little plugin modules. But in essence it's a good idea. Drive like an angel for 30 days and reap the rewards.
Date: Fri, 30 Nov 2012 01:26:28 -0500
From: Monty Solomon <firstname.lastname@example.org>
To: email@example.com
Subject: Medicare Is Faulted on Shift to Electronic Records
Message-ID: <firstname.lastname@example.org>

Medicare Is Faulted on Shift to Electronic Records

By REED ABELSON
November 29, 2012

The conversion to electronic medical records - a critical piece of the Obama administration's plan for health care reform - is "vulnerable" to fraud and abuse because of the failure of Medicare officials to develop appropriate safeguards, according to a sharply critical report to be issued Thursday by federal investigators.

The use of electronic medical records has been central to the aim of overhauling health care in America. Advocates contend that electronic records systems will improve patient care and lower costs through better coordination of medical services, and the Obama administration is spending billions of dollars to encourage doctors and hospitals to switch to electronic records to track patient care.

But the report says Medicare, which is charged with managing the incentive program that encourages the adoption of electronic records, has failed to put in place adequate safeguards to ensure that information being provided by hospitals and doctors about their electronic records systems is accurate.

To qualify for the incentive payments, doctors and hospitals must demonstrate that the systems lead to better patient care, meeting a so-called meaningful use standard by, for example, checking for harmful drug interactions.

Medicare "faces obstacles" in overseeing the electronic records incentive program "that leave the program vulnerable to paying incentives to professionals and hospitals that do not fully meet the meaningful use requirements," the investigators concluded. The report was prepared by the Office of Inspector General for the Department of Health and Human Services, which oversees Medicare.

The investigators contrasted the looser management of the incentive program with the agency's pledge to more closely monitor Medicare payments of medical claims. Medicare officials have indicated that the agency intends to move away from a "pay and chase" model, in which it tried to get back any money it has paid in error, to one in which it focuses on trying to avoid making unjustified payments in the first place.

...

http://www.nytimes.com/2012/11/29/business/medicare-is-faulted-in-electronic-medical-records-conversion.html
-or-
http://goo.gl/PgxpB
Date: Thu, 29 Nov 2012 13:24:12 -0600
From: email@example.com (PV)
To: firstname.lastname@example.org
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <cridndHMd9rBKyrNnZ2dnUVZ_qOdnZ2d@supernews.com>

Pete Cresswell <PeteCress@invalid.telecom-digest.org> writes:

>Telecom Digest Moderator said:
>>The trick is to use easily-memorable pass-/*PHRASES*/ that won't be
>>in anyone's dictionary.
>
>Somebody suggested the "Dead Pet System"... concatenate the names of
>two dead pets and add digits to taste.

Blargh. Terrible idea.

Telecom Digest Moderator said:

>Since one of the most common "secret" questions that sites offer to
>remember in order to help me recover a forgotten password is "What was
>your first pet's name?", I have a couple of "virtual" pets and I use
>those names, which can't ever be guessed.

That's not a bad idea - you HOPE (though talk to Mat Honan about that) that password recovery offers no bypass of the secret questions and no opportunity to guess more than once or twice before telling you to get stuffed.

I handle recovery questions the same way I do passwords - I have lastpass make a random string for each, and then have it save the form values so I know what the values are if I get asked one of the questions. Note: this can be really irritating if the recovery questions are asked over the phone, and I wouldn't be surprised if humans are less than diligent about making sure that what I just said (Q-3-7-h-question mark-l-2-7-g-H-x) matches what they have on file. I've been playing around with the idea of using nonsense words instead for these; Lastpass has a "pronounceable" password generator, giving you values like 'tonficutonel'.

* -- * PV
Something like badgers, something like lizards, and something like corkscrews.
Date: Fri, 30 Nov 2012 16:16:51 -0700
From: email@example.com
To: firstname.lastname@example.org
Subject: Navajo Nation without phone, internet use after copper theft
Message-ID: <email@example.com>

Navajo Nation without phone, internet use after copper theft

By Jenny Kane
firstname.lastname@example.org
Posted: 11/03/2012 01:00:00 AM MDT

FARMINGTON - Copper thieves are responsible for the loss of Internet and some phone services to what likely was thousands of users in northwest New Mexico and eastern Arizona.

"It was throughout," said Emerald Dahozy-Craig, spokeswoman for the Office of the President of the Navajo Nation. "Even the ATMs didn't work. We still had power though."

http://www.lcsun-news.com/ci_21918628/navajo-nation-without-phone-internet-use-after-copper?source=most_viewed
-or-
http://goo.gl/QwviM
Date: Fri, 30 Nov 2012 07:07:01 -0800 (PST)
From: HAncock4 <email@example.com>
To: firstname.lastname@example.org
Subject: NYC MTA releases Android weekend subway information
Message-ID: <email@example.com>

The NY MTA, operator of New York City's subways, buses, and commuter trains, has announced a new "app". MTA customers who use Android devices can now get detailed information about the subway service changes planned for the upcoming weekend. (Heavy maintenance resulting in route detours is performed over weekends).

Due to the large amount of data and mapping involved in the mobile version of The Weekender - 100 Megabytes - MTA developers have smartly "packeted" the data, so the initial download includes the basic functions needed to get started. Then, each time the user plans a trip or taps to view a particular neighborhood map, only those images are added to the app, so the app gets smarter with every use without hogging device memory.

For full announcement please see:

http://www.mta.info/news/stories/?story=888
Date: Sat, 1 Dec 2012 17:56:16 -0500
From: Monty Solomon <firstname.lastname@example.org>
To: email@example.com
Subject: Who Do Online Advertisers Think You Are?
Message-ID: <firstname.lastname@example.org>

Who Do Online Advertisers Think You Are?

By JEFFREY ROSEN
November 30, 2012

Not long ago, I decided to test how much privacy I have online. I cleared the cookies, the bits of code that Web sites leave on my computer to track what I browse and buy, from my two Internet browsers, Safari and Firefox. Then, with my digital past superficially erased, I set out to create two new identities: Democratic Jeff and Republican Jeff.

Safari became the home of Democratic Jeff. I started by spending time on Barack Obama's re-election Web site and then visited some travel, car and shopping sites to search for flights to Los Angeles, Volvos and Birkenstocks. On Firefox, as Republican Jeff, I went to Mitt Romney's site and then searched for Cadillacs, flights to Hawaii and diamond rings.

Having created my new digital identities as heavy-handedly as possible, I returned to my usual Web sites. At first, the ads on my favorite Washington neighborhood blog, the Prince of Petworth, were the same on both browsers. But less than two days later, an ad for Mitt Romney suddenly appeared next to a story I was reading on Firefox about Gore Vidal's burial. When I opened that page on Safari, the ad in the exact same spot was for Catholic University's master's program in human resources management.

How did Republican Jeff and Democratic Jeff end up seeing entirely different ads? The answer is real-time bidding, a technology that's transforming advertising, politics, news and the way we live online. Advertisers compete in an auction for the opportunity to send ads to individual consumers. Each time a company buys access to me, it can bombard me with an ad that will follow me no matter where I show up on the Web.

To dig deeper into my new identities, I visited the Web site of BlueKai, one of the leading online data aggregators. The company's software enables its customers to sort consumers into 30,000 market segments like "light spenders" and "safety-net seniors," and this fine-grained categorization helps make real-time bidding possible. According to BlueKai, Republican Jeff is someone who makes between $60,000 and $74,999 a year, lives in Portland, Me., is interested in luxury cars, celebrities and TV, may have bought a cruise ticket, is an ideal candidate to take out a mortgage and a "midscale thrift spender." Democratic Jeff is someone who lives in Los Angeles, Long Beach or Santa Ana, runs a large company with more than 5,001 employees and cares about advertising and marketing.

Neither of these profiles is accurate. Nevertheless, the pigeonholing of Republican Jeff and Democratic Jeff represents our digital future.

...

http://www.nytimes.com/2012/12/02/magazine/who-do-online-advertisers-think-you-are.html

***** Moderator's Note *****

Did anyone ever figure out if Microsoft was collecting hidden cookies that users can't erase? There was some talk about that being possible, a few years back, but nothing lately.

What about "Flash cookies"? Are they real, and if so, how can I control them?

Bill Horne
Moderator
TELECOM Digest is an electronic journal devoted mostly to telecommunications topics. It is circulated anywhere there is email, in addition to Usenet, where it appears as the moderated newsgroup 'comp.dcom.telecom'.

TELECOM Digest is a not-for-profit, mostly non-commercial educational service offered to the Internet by Bill Horne. All the contents of the Digest are compilation-copyrighted. You may reprint articles in some other media on an occasional basis, but please attribute my work and that of the original author.

The Telecom Digest is moderated by Bill Horne.
43 Deerfield Road
Sharon MA 02067-2301
bill at horne dot net
This Digest is the oldest continuing e-journal about telecommunications on the Internet, having been founded in August, 1981 and published continuously since then. Our archives are available for your review/research. We believe we are the oldest e-zine/mailing list on the internet in any category!

URL information: http://telecom-digest.org

Copyright (C) 2012 TELECOM Digest. All rights reserved.

Our attorney is Bill Levant, of Blue Bell, PA.
Finally, the Digest is funded by gifts from generous readers such as yourself who provide funding in amounts deemed appropriate. Your help is important and appreciated. A suggested donation of fifty dollars per year per reader is considered appropriate. See our address above. Please make at least a single donation to cover the cost of processing your name to the mailing list. All opinions expressed herein are deemed to be those of the author. Any organizations listed are for identification purposes only and messages should not be considered any official expression by the organization.