31 Years of the Digest ... founded August 21, 1981
Add this Digest to your personal
or 
The Telecom Digest for December 3, 2012
Volume 31 : Issue 283 : "text" Format
====== 31 years of TELECOM Digest -- Founded August 21, 1981 ======
|
Telecom and VOIP (Voice over Internet Protocol) Digest for the
Internet. All contents here are copyrighted by Bill Horne and
the individual writers/correspondents. Articles may be used in other
journals or newsgroups, provided the writer's name and the Digest are
included in the fair use quote. By using any name or email address
included herein for any reason other than responding to an article
herein, you agree to pay a hundred dollars to that person, or email address
owner.
Addresses herein are not to be added to any mailing list, nor to be
sold or given away without the explicit written consent of the owner of
that address. Chain letters, viruses, porn, spam, and miscellaneous junk
are definitely unwelcome.
We must fight spam for the same reason we fight crime: not because we
are naive enough to believe that we will ever stamp it out, but because
we do not want the kind of world that results when no one stands
against crime. - Geoffrey Welsh
See the bottom of this issue for subscription and archive details
and the name of our lawyer, and other stuff of interest.
|
Date: Sun, 02 Dec 2012 02:02:14 -0600
From: Dave Garland <dave.garland@wizinfo.com>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <k9f1ud$gp2$1@dont-email.me>
On 12/1/2012 8:30 PM, Pete Cresswell wrote:
> Per PV:
>> What to learn from the article is that there's no such thing as a "clever and
>> rememberable" password. Modern password dictionaries aren't simply the
>> contents of /usr/dict/words; they're hundreds of megabytes of lessons learned
>> over decades of successful password cracks. The ONLY good password is a long
>> and totally random one consisting of all typable characters. Personally, I
>> use LastPass for everything, so every site I go to has a unique password,
>> with values like 'Bd29$UCsPrY9'.
>
> Not to beat a dead horse... but...
>
> If I'm understanding this thread correctly:
>
> - Sites and DBs do not record a user's password.
> Instead they record the hashed result and apply
> the hashing algorithm to whatever the user
> types in.
If you're lucky. Some poorly-administered sites record passwords in
plain text.
> - (and I'm extrapolating here) Cases where somebody
> "hacks" somebody's email account, unless many
> accounts under the same provider were also "hacked"
> are mostly just some individual either guessing
> somebody's PW from information they know about the
> person or the person's PW having been compromised
> some way - like in an email message, or harvested
> by malware.
That is often the case.
Date: Sun, 2 Dec 2012 05:21:42 +0000 (UTC)
From: moroney@world.std.spaamtrap.com (Michael Moroney)
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Who Do Online Advertisers Think You Are?
Message-ID: <k9eoh6$pge$1@pcls6.std.com>
>***** Moderator's Note *****
>Did anyone ever figure out if Microsoft was collecting hidden cookies
>that users can't erase? There was some talk about that being possible,
>a few years back, but nothing lately.
>What about "Flash cookies"? Are they real, and if so, how can I
>control them?
I don't know about Microsoft hidden cookies, but flash cookies are real,
and they are sneaky. First, your browser's "clear cookies" and other
cookie settings don't affect flash cookies at all. You may think they
aren't tracking you when they are. Second, flash cookies work across
browsers. Open IE, get a flash cookie for a web site, close IE, open
Firefox and revisit the same site, and that site sees the cookie set
by the IE visit. In fact, if the advertisers tracking Jeff used flash
cookies, they would have quickly figured out that Democratic Jeff and
Republican Jeff were the same person. Third, they don't expire.
A Firefox extension called "BetterPrivacy" controls what they call
"SuperCookies", you can delete them or have them deleted automatically as
well as prevent certain ones from being deleted.
***** Moderator's Note *****
Thanks for the info: I appreciate it.
I'll ask that you and other readers post information about these and
other monitoriing and tracking technologies, and ways to circumvent
them. TIA.
Bill Horne
Moderator
Date: Sun, 02 Dec 2012 01:05:17 -0600
From: Dave Garland <dave.garland@wizinfo.com>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Who Do Online Advertisers Think You Are?
Message-ID: <k9eujk$405$1@dont-email.me>
> What about "Flash cookies"? Are they real, and if so, how can I
> control them?
Yes, they're real. They're called "Local Shared Objects" (LSOs).
Firefox (since v.4) (and perhaps other browsers) treats them the same
as ordinary cookies, CCleaner (free cleaner program, highly
recommended) can be set to delete them (by default it doesn't).
Probably other anti-spyware/malware programs have similar options.
Date: Sun, 02 Dec 2012 00:32:54 -0600
From: Doug McIntyre <merlyn@geeks.org>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <C9-dnfeVo-GLayfNnZ2dnUVZ_qCdnZ2d@giganews.com>
Pete Cresswell <PeteCress@invalid.telecom-digest.org> writes:
>If I'm understanding this thread correctly:
....
>- The value in extremely long and arcane (basically
> nonsense) strings lies in the additional computational
> power needed to back into the hashed value.
Right. Brute forcing passwords (ie. checking every single
value. aaaaaa, aaaaab, aaaaac) still takes a long time.
But the hackers use dictionaries, and tons of arcane rules
about how humans typically create passwords.
>- (and I'm extrapolating here) Cases where somebody
> "hacks" somebody's email account, unless many
> accounts under the same provider were also "hacked"
> are mostly just some individual either guessing
> somebody's PW from information they know about the
> person or the person's PW having been compromised
> some way - like in an email message, or harvested
> by malware.
The biggest threat is that people (generally) don't use unique passwords.
They use the same password on every site, or at best, a few
passwords on a large number of sites, all identified by at least
email address and password.
One compromised site leads to abuse at other sites. Until of course
they hit paydirt on a site related to something financial..
Date: Sun, 2 Dec 2012 09:16:32 -0500
From: Bill Horne <bill@horneQRM.net>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <20121202141632.GA24133@telecom.csail.mit.edu>
On Sun, Dec 02, 2012 at 12:32:54AM -0600, Doug McIntyre wrote:
> Pete Cresswell <PeteCress@invalid.telecom-digest.org> writes:
> >If I'm understanding this thread correctly:
> ....
>
> >- (and I'm extrapolating here) Cases where somebody
> > "hacks" somebody's email account, unless many
> > accounts under the same provider were also "hacked"
> > are mostly just some individual either guessing
> > somebody's PW from information they know about the
> > person or the person's PW having been compromised
> > some way - like in an email message, or harvested
> > by malware.
>
> The biggest threat is that people (generally) don't use unique passwords.
> They use the same password on every site, or at best, a few
> passwords on a large number of sites, all identified by at least
> email address and password.
>
> One compromised site leads to abuse at other sites. Until of course
> they hit paydirt on a site related to something financial..
AFAIK, the most serious threat to passwords is that they can be
monitored when their owners enter them via open Wi-Fi hotspots. In
that case, no cryptography is required: unless the owner has his email
set up for encrypted connections (the default settings don't do that),
his password is transmitted en clair.
Of course, once the password is compromised, it (or trivial variations
of it) can be used to gain access to other sites and/or email
accounts, EVEN *IF* those sites use encryption. That is probably
the most dangerous scenario: if a user has the same or very similar
passwords for "POP"-based email reception or to send outgoing emails,
or at a gaming site or online forum that doesn't use SSL encryption,
then the attacker can access web-based email sites with it.
In other words, if your Gmail password is the same one you use when
sending or receiving emails in Outlook, Thunderbird, Eudora, etc.,
then a nearby sniffer can get it without any decryption effort or
delay. One common attack that is currently in use is to obtian the
password of a user, use it to access Gmail or Yahoo mail, lock out
that same user by changing it, and then use the user's online address
book to send his/her friends and family a sad-luck tale that creates a
lot of Western Union transfers very quickly, typically by claiming
that the owner was in a foreign country on short notice and has been
mugged.
I'm like most travellers in one way: if I'm in a place with open
Wi-Fi, I'll take advantage of it to check my mail while waiting for my
flight. However, unlike most travellers, I have my email connections
set to connect using SSL, and thereby deny nearby sniffers any chance
to copy my email addresses or passwords.
Bill
--
Bill Horne
(Remove QRM from my address to write to me directly)
Date: Sun, 2 Dec 2012 20:54:15 +0000 (UTC)
From: wollman@bimajority.org (Garrett Wollman)
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <k9gf5n$2h8i$1@grapevine.csail.mit.edu>
In article <20121202141632.GA24133@telecom.csail.mit.edu>,
Bill Horne <bill@horneQRM.net> wrote:
>AFAIK, the most serious threat to passwords is that they can be
>monitored when their owners enter them via open Wi-Fi hotspots. In
>that case, no cryptography is required: unless the owner has his email
>set up for encrypted connections (the default settings don't do that),
>his password is transmitted en clair.
Only if the manager of the server is incompetent.
Competently-managed servers (mail or otherwise) won't allow
unencrypted passwords. Well, unless they're totally unimportant
anyway (I'm looking at you, mailman).
-GAWollman
--
Garrett A. Wollman | What intellectual phenomenon can be older, or more oft
wollman@bimajority.org| repeated, than the story of a large research program
Opinions not shared by| that impaled itself upon a false central assumption
my employers. | accepted by all practitioners? - S.J. Gould, 1993
Date: Sun, 02 Dec 2012 10:43:49 -0500
From: Pete Cresswell <PeteCress@invalid.telecom-digest.org>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: Why passwords have never been weaker-and crackers have never been stronger
Message-ID: <rjtmb894psh08suh2hh956kev1c6rhk168@4ax.com>
Per Doug McIntyre:
>The biggest threat is that people (generally) don't use unique passwords.
>They use the same password on every site, or at best, a few
>passwords on a large number of sites, all identified by at least
>email address and password.
>
>One compromised site leads to abuse at other sites. Until of course
>they hit paydirt on a site related to something financial..
I don't have the brainpower to cope with a separate PW for each
site, but I do have several levels of password:
- "Who Cares"... for sites where the consequences of compromise
are insignificant.
- Convenience: Where compromise would mess a few things up but
not rock my world.
- Fort Knox: I use this on my ID/PW DB, admin access to my PC's,
and a few other things.
FWIW, I wouldn't do online banking or trading even on a bet.
--
Pete Cresswell
Date: Sun, 02 Dec 2012 16:19:09 -0500
From: Fred Goldstein <fgoldstein.SeeSigSpambait@wn2.wn.net>
To: telecomdigestmoderator.remove-this@and-this-too.telecom-digest.org.
Subject: Re: How our over-reliance on satellite images led to the mystery of the South Pacific island that wasn't there
Message-ID: <20121202211931.77ABEE19E@mailout.easydns.com>
On Tue, 27 Nov 2012 01:25:27 -0500, Monty Solomon <monty@roscom.com> wrote,
>How our over-reliance on satellite images led to the mystery of the
>South Pacific island that wasn't there
>
> * It has also emerged that the latest non-finding was the SECOND
>time Sandy Island had been 'un-discovered'
>
> * Radio enthusiasts on an expedition to send a message from the
>most-remote possible place reported its non-existence in 2000
>
> * Cartography expert tells MailOnline Sandy Island could be just one
>of many errors added to maps as satellite photos were digitised
>
>By DAMIEN GAYLE
>23 November 2012
>Mail Online
>
>The mysterious South Pacific island that wasn't there could be just
>one many errors made in the process of digitising satellite maps of
>the world, an expert said today.
But the Daily Mail quoted the wrong expert. Wikipedia has a map
dating back to 1875 that shows the (nonexistent) island. Later
mapmakers have assumed that previous mapmakers knew what they were
doing, so they copied each other enough times that the island's
alleged existence became fairly common (mis-)knowledge.
Note that commercial maps nowadays are often salted with intentional
errors, to help identify copyright violators. But Sandy Island goes
back so far that it was probably an honest mistake. The Coral Sea
was not, and is not, well explored.
Google, of course, is guilty of showing it. When you zoom in on the
satellite view, it's a black object surrounded by deep water. It is
clearly not a satellite image, so it's not clear why they bothered to
draw it in over the real image. It implies that they simply didn't
trust the camera and insisted on putting the island there. Were this
just on the map view, it would be more understandable. Note that the
somewhat nearby Chesterfield Islands, west of Sandy, are real, and
are much more visible on the satellite view than on the map. I think
that's because the island group is mostly a large underwater reef,
visible on satellite, with only a few small areas above the water
line; only those show on the map view.
Bing Maps has a very poor aerial/satellite view of the Pacific; it
looks like a nighttime shot. So you can't see anything there. Its
map view is odd, though. At the 250 mile (bar in the lower left
corner) resolution, there's a dot for Sandy. At the 100 mile
resolution, Sandy's alleged shape is visible. At any closer zoom,
it's gone. And Bing doesn't find it by name, though it gets the
(real) Chesterfields.
I do enjoy that the un-discovery was made over a decade ago by a
DXpedition team merely trying to get Chesterfield Islands added to
the DXCC list. This is obscure outside of the ham radio
community. DX Century Club is one of the biggest Radiosport awards
programs, running since 1946. (It's run by the American Radio Relay
League, arrl.org. )The basic DXCC certificate is awarded for
contacting (with proof, usually QSL cards) at least 100 "countries"
(DXCC Entitites). The Honor Roll shows the participants with the
highest lifetime totals. There are 340 Entitites now on the list,
though the top guy has 398, counting now-deleted ones (usually due to
a change in political status).
The DXCC rules allow an Entity to be created out of islands when "A
single island is separated from its Parent (and any other islands
that make up the DXCC Entity Parent island group) by 350 kilometers
or more, as measured from the island containing the capital
city." Chesterfield is more than 350 km from the rest of New
Caledonia. But Sandy was allegedly in between the two. So it would
have broken up the >350 km distance into two smaller distances, thus
disqualifying Chesterield from being an Entity. By disproving
Sandy's existence, Chesterield could be added to the DXCC list. And
it is now on the list (FK8/C).
Since nobody lives on Chesterfield, the only way anyone could make a
contact with another ham there would be if somebody visited the
place. That's what a DXpedition does. It visits "rare ones" with
radios (and generators, antennas, etc.) and puts them on the air for
a few days. Thousands of DXers around the world then try desperately
to make contact with you, which is kind of a nice ego trip. Some
will contribute to fund the DXpedition. (You then get to do the
snorkeling for free.)
This is definitely "off the grid" telecom.
--
Fred Goldstein k1io fgoldstein "at" ionary.com
ionary Consulting
http://www.ionary.com/
+1 617 795 2701
***** Moderator's Note *****
It may be off the telecom grid, but I never met a telco guy who didn't
love esoterica, so I'm sending it out. ;-)
Who knows, there might even be a submarine cable buried there ...
Bill Horne
Moderator
TELECOM Digest is an electronic journal devoted mostly to telecom-
munications topics. It is circulated anywhere there is email, in
addition to Usenet, where it appears as the moderated newsgroup
'comp.dcom.telecom'.
TELECOM Digest is a not-for-profit, mostly non-commercial educational
service offered to the Internet by Bill Horne. All the contents
of the Digest are compilation-copyrighted. You may reprint articles in
some other media on an occasional basis, but please attribute my work
and that of the original author.
The Telecom Digest is moderated by Bill Horne.
This Digest is the oldest continuing e-journal about telecomm-
unications on the Internet, having been founded in August, 1981 and
published continuously since then. Our archives are available for
your review/research. We believe we are the oldest e-zine/mailing list
on the internet in any category!
URL information: http://telecom-digest.org
Copyright (C) 2012 TELECOM Digest. All rights reserved.
Our attorney is Bill Levant, of Blue Bell, PA.
Finally, the Digest is funded by gifts from generous readers such as
yourself who provide funding in amounts deemed appropriate. Your help
is important and appreciated. A suggested donation of fifty dollars
per year per reader is considered appropriate. See our address above.
Please make at least a single donation to cover the cost of processing
your name to the mailing list.
All opinions expressed herein are deemed to be those of the
author. Any organizations listed are for identification purposes only
and messages should not be considered any official expression by the
organization.
End of The Telecom Digest (8 messages)
Return to Archives ** Older Issues