Re: Continuous brute force attempt from own server !!! (OT question)
On Tue, Jul 30, 2013 at 08:49:35AM +0900, Joel Rees wrote:
> And I find myself puzzling over whether re-cycling a password by running it through an encryption device and using the encryption result as the new password is better or worse than using a random password generator. Obviously, systemizing the process would set up a huge vulnerability,

Please, no neologisms. If you mean streamlining, then obviously you would take that into account during the planning phase.

> relative to former employees and others who might get access to the process and historical passwords. On the other hand, picking a different encryption or even just a different encryption key at random would defeat the attempt to re-construct the generation chain.
>
> If there were some need to be able to re-create the sequence of passwords, it might be useful, and it might be considered less exposing than leaving the old passwords in some closely guarded database. (And having to think that deeply about such things ...

I believe it is called cost benefit analysis. :)

> ... is usually an indication of structural problems in the organization.

Convincing/reasoning with the powers that be seems to be another issue: :(
http://www.3news.co.nz/Whistleblowers-reject-Collins-hacker-label/tabid/1607/articleID/293669/Default.aspx

--
If you're not careful, the newspapers will have you hating the people who are being oppressed, and loving the people who are doing the oppressing. --- Malcolm X

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20130731094434.GB2234@tal
Re: Continuous brute force attempt from own server !!! (OT question)
On Tue, Jul 30, 2013 at 12:19 AM, Chris Bannister <cbannis...@slingshot.co.nz> wrote:
> On Mon, Jul 29, 2013 at 11:26:17PM +0900, Joel Rees wrote:
>> Do you mean actually recycled? Or are you thinking of one-time pads?
>
> Not really. Umm, what about:
> http://www.logicalsecurity.com/resources/whitepapers/Cryptography.pdf
> ... We'll cite two kinds of rotation ciphering machines: the Jefferson disk and the ...
>
> And the term rotation crops up in the actual ciphering technique, e.g.
> http://en.wikipedia.org/wiki/Caesar_cipher
> ... For instance, here is a Caesar cipher using a left rotation of three places, equivalent to a right shift of 23 (the shift parameter is used as the key): ...
>
> And as the technology evolved the terminology did not and got infused into modern technology.

Yeah, that possibility occurred to me, too.

> E.g. Hey Barman, can you put that on the slate mate. :)
>
> I'm not sure if my reasoning is accurate or not, but it sounds darned good to me. :)

So much of our reasoning is post-facto rationalization. It's important to recognize that a reasonable interpretation is not necessarily an accurate description of events, even when it may be an informative interpretation.

And I find myself puzzling over whether re-cycling a password by running it through an encryption device and using the encryption result as the new password is better or worse than using a random password generator. Obviously, systemizing the process would set up a huge vulnerability, relative to former employees and others who might get access to the process and historical passwords. On the other hand, picking a different encryption or even just a different encryption key at random would defeat the attempt to re-construct the generation chain.

If there were some need to be able to re-create the sequence of passwords, it might be useful, and it might be considered less exposing than leaving the old passwords in some closely guarded database. (And having to think that deeply about such things is usually an indication of structural problems in the organization. And then there is the question of whether that particular organization should try to fix the structural problems or should try to get along with partial remedies. And so it goes.)

If rotating stock as a metaphor helps the sales crew to understand the necessity of regularly changing passwords, I'd use it as a metaphor.

--
Joel Rees
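The trade-off weighed in the post above (a password chain produced by running the previous password through an encryption device, versus a random password generator), as an added example that is not from this thread. The "encryption device" is modelled here as HMAC-SHA256, and the key, seed and function names are assumptions for illustration. What it shows is the vulnerability the post describes: anyone holding the fixed process key and one historical password recomputes every later password in the chain, whereas a fresh random key per step, or a plain random generator, leaves nothing to reconstruct.

```python
"""Added example: deterministic password chain vs. random generation.

Models the "encryption device" from the post as HMAC-SHA256 (an assumption);
key material and seeds below are constructed for illustration only.
"""
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#%+=?@"


def encode_password(raw, length):
    """Map a digest onto the password alphabet, consuming the digest as one big integer."""
    n = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def derive_next(prev, key, length=16):
    """Next password = keyed hash of the previous one (the 'encryption device')."""
    digest = hmac.new(key, prev.encode(), hashlib.sha256).digest()
    return encode_password(digest, length)


def build_chain(seed, key, steps):
    """Seed plus `steps` successive passwords, all derived with the same key."""
    chain = [seed]
    for _ in range(steps):
        chain.append(derive_next(chain[-1], key))
    return chain


def reconstruct_from_leak(leaked_password, key, steps):
    """What a former employee holding the process key and one historical
    password recovers: every password that followed the leaked one."""
    return build_chain(leaked_password, key, steps)[1:]


def build_chain_fresh_keys(seed, steps):
    """Same chain shape, but a new random key per step; returns (chain, keys).
    One old key plus one old password no longer yields the next password."""
    chain, keys = [seed], []
    for _ in range(steps):
        key = secrets.token_bytes(32)
        keys.append(key)
        chain.append(derive_next(chain[-1], key))
    return chain, keys


def random_password(length=16):
    """The alternative the post weighs against the chain: no derivation to reconstruct."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    key = b"constructed-process-key"
    chain = build_chain("initial-seed", key, 4)
    print("chain:    ", chain)
    # An attacker who obtained chain[1] and the key recomputes chain[2:] exactly.
    print("recovered:", reconstruct_from_leak(chain[1], key, 3))
    print("random:   ", random_password())
```

The `encode_password` helper keeps the whole digest as one integer so the 16-character output carries about 97 bits of the HMAC's entropy; the weakness is not the password strength but the fact that the whole sequence is a pure function of (key, seed).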
Re: Continuous brute force attempt from own server !!! (OT question)
On Sun, Jul 28, 2013 at 10:12 PM, Henrique de Moraes Holschuh <h...@debian.org> wrote:
> On Sat, 27 Jul 2013, Paul E Condon wrote:
>> I intended the question to be answered in the context of the post by Henrique de Moraes Holschuh, where 'across security domains' is considered less desirable than 'across hosts'. I know what hosts are when writing computer stuff, but, come to think about it what does it mean to rotate keys? Is the idea that a particular key string is to be
>
> Switching to a new one and disposing of the older one is, for whatever reason, usually called rotating the keys.

Probably because of perceived similarities to rotating logs?

>> reused on some host after it has been removed from service on some other host? I had thought that it was best to never use a retired key string again - but security is tricky - maybe there might be some
>
> You're correct. It is best to dispose of old keys, and never reuse them.
>
>> point in using old strings as the keys on some (unmentioned) honey pot servers.
>
> You could do that, but there might be risks associated with that (or not).

Actually, if you are running a network which needs to assume regular penetration (such as the banking internets and banks' intranets), honeypots of various kinds should be part of the network. Tripwire techniques. And the old keys folded into certain honeypots (flypaper servers), which would flag their use as indicating a potential source of privilege leak. But you have to be very careful, because you are not putting the keys out to be discovered.

--
Joel Rees
Re: Continuous brute force attempt from own server !!! (OT question)
On Mon, Jul 29, 2013 at 09:16:50PM +0900, Joel Rees wrote:
> On Sun, Jul 28, 2013 at 10:12 PM, Henrique de Moraes Holschuh
>> Switching to a new one and disposing of the older one is, for whatever reason, usually called rotating the keys.
>
> Probably because of perceived similarities to rotating logs?

Unlikely. Two completely different concepts. My guess is that they were actually rotated at some point but when that changed, the name was not.

--
If you're not careful, the newspapers will have you hating the people who are being oppressed, and loving the people who are doing the oppressing. --- Malcolm X

Archive: http://lists.debian.org/20130729131259.GA32146@tal
Re: Continuous brute force attempt from own server !!! (OT question)
On Mon, Jul 29, 2013 at 10:12 PM, Chris Bannister <cbannis...@slingshot.co.nz> wrote:
> On Mon, Jul 29, 2013 at 09:16:50PM +0900, Joel Rees wrote:
>> On Sun, Jul 28, 2013 at 10:12 PM, Henrique de Moraes Holschuh
>>> Switching to a new one and disposing of the older one is, for whatever reason, usually called rotating the keys.
>>
>> Probably because of perceived similarities to rotating logs?
>
> Unlikely. Two completely different concepts.

How so?

A log is a resource. When it's time to move on, use a new resource.

A key is a resource. When it is time to move on, use a new key.

The difference being of course that the log is renamed and left behind for a bit, where the key is not left behind. Maybe moved to the list of keys to be watched for.

Speaking of which, PKI techniques would indeed move the old keys to the revocation list.

> My guess is that they were actually rotated at some point but when that changed, the name was not.

Do you mean actually recycled? Or are you thinking of one-time pads?

--
Joel Rees
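The "list of keys to be watched for" from the post above, together with the flypaper-server idea from the earlier reply in this thread, as an added example that is not from the thread: a small detector that runs over sshd log lines and flags any login attempt made with a fingerprint on a retired-key list. The log lines, hostnames, IP addresses and fingerprints are constructed for illustration. sshd writes the key fingerprint on its "Accepted publickey" lines, and with a verbose LogLevel also on "Failed publickey" lines for keys that were offered but are no longer authorised, so both cases can be matched. (For actual revocation rather than detection, OpenSSH's sshd_config has a RevokedKeys option.)

```python
"""Added example: flag use of retired SSH key fingerprints in sshd log lines.

All log lines, hosts, addresses and fingerprints below are constructed for
illustration; they are not real logs.
"""
import re

# Matches the publickey auth lines sshd writes to the auth log. The 'Failed'
# form carrying a fingerprint is written when LogLevel is VERBOSE.
AUTH_RE = re.compile(
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) publickey "
    r"for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2: "
    r"(?P<keytype>\S+) (?P<fp>SHA256:\S+)"
)


def parse_auth_line(line):
    """Return the fields of a publickey auth line, or None for anything else."""
    m = AUTH_RE.search(line)
    return m.groupdict() if m else None


def find_retired_key_use(lines, retired):
    """Events where a retired fingerprint was presented.

    An 'Accepted' hit on a flypaper host means a copy of the old key is in
    circulation; a 'Failed' hit on a production host means someone is still
    trying it where it used to work. Either is worth an alert.
    """
    hits = []
    for line in lines:
        event = parse_auth_line(line)
        if event and event["fp"] in retired:
            hits.append(event)
    return hits


# Constructed retired-key list: fingerprints of keys rotated out of service.
RETIRED = {
    "SHA256:oldDeployKeyRotatedJul2013cccccccccccccccccccc",
    "SHA256:oldAdminKeyRotatedJul2013ccccccccccccccccccccc",
}

# Constructed sample log: one normal login, one retired key accepted on the
# flypaper host, one retired key refused on a production host, one noise line.
SAMPLE_LOG = [
    "Jul 28 13:12:42 web1 sshd[2047]: Accepted publickey for deploy from 192.0.2.10 "
    "port 51234 ssh2: ED25519 SHA256:currentDeployKeyccccccccccccccccccccccccccc",
    "Jul 28 13:15:01 flypaper sshd[311]: Accepted publickey for deploy from 198.51.100.7 "
    "port 40022 ssh2: RSA SHA256:oldDeployKeyRotatedJul2013cccccccccccccccccccc",
    "Jul 28 13:16:09 web1 sshd[2090]: Failed publickey for root from 198.51.100.7 "
    "port 40031 ssh2: RSA SHA256:oldAdminKeyRotatedJul2013ccccccccccccccccccccc",
    "Jul 28 13:17:30 web1 sshd[2101]: Failed password for invalid user admin "
    "from 203.0.113.5 port 55010 ssh2",
]


if __name__ == "__main__":
    for hit in find_retired_key_use(SAMPLE_LOG, RETIRED):
        print(f"{hit['result']:8} retired key {hit['fp']} on {hit['host']} "
              f"for {hit['user']} from {hit['ip']}")
```

The regex deliberately anchors on the syslog hostname field so the same code can be pointed at a central log collector and still say which host saw the key; the source address is what you would pivot on next, since whoever holds the old key has it on the machine at that address.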
Re: Continuous brute force attempt from own server !!! (OT question)
Chris Bannister writes:
> My guess is that they were actually rotated at some point but when that changed, the name was not.

People wrote about rotating passwords decades ago but they didn't really mean it then either.

--
John Hasler jhas...@newsguy.com
Elmwood, WI USA

Archive: http://lists.debian.org/87ob9ll8yv@thumper.dhh.gt.org
Re: Continuous brute force attempt from own server !!! (OT question)
On Mon, Jul 29, 2013 at 11:26:17PM +0900, Joel Rees wrote:
> Do you mean actually recycled? Or are you thinking of one-time pads?

Not really. Umm, what about:
http://www.logicalsecurity.com/resources/whitepapers/Cryptography.pdf
... We'll cite two kinds of rotation ciphering machines: the Jefferson disk and the ...

And the term rotation crops up in the actual ciphering technique, e.g.
http://en.wikipedia.org/wiki/Caesar_cipher
... For instance, here is a Caesar cipher using a left rotation of three places, equivalent to a right shift of 23 (the shift parameter is used as the key): ...

And as the technology evolved the terminology did not and got infused into modern technology. E.g. Hey Barman, can you put that on the slate mate. :)

I'm not sure if my reasoning is accurate or not, but it sounds darned good to me. :)

--
If you're not careful, the newspapers will have you hating the people who are being oppressed, and loving the people who are doing the oppressing. --- Malcolm X

Archive: http://lists.debian.org/20130729151946.GA1893@tal
Re: Continuous brute force attempt from own server !!! (OT question)
On Sun, Jul 28, 2013 at 4:56 AM, Glenn English <g...@slsware.com> wrote:
> NSA.com?

Did you mean nsa.gov? nsa.com site is a shipping company.

--
Arun Khan
Sent from my non-iphone/non-android device

Archive: http://lists.debian.org/CAHhM8gAdaYMEThs66EXMNY2h_dpHidA=ctlr4pxr5cqv3ko...@mail.gmail.com
Re: Continuous brute force attempt from own server !!! (OT question)
On Sat, 27 Jul 2013, Paul E Condon wrote:
> I intended the question to be answered in the context of the post by Henrique de Moraes Holschuh, where 'across security domains' is considered less desirable than 'across hosts'. I know what hosts are when writing computer stuff, but, come to think about it what does it mean to rotate keys? Is the idea that a particular key string is to be

Switching to a new one and disposing of the older one is, for whatever reason, usually called rotating the keys.

> reused on some host after it has been removed from service on some other host? I had thought that it was best to never use a retired key string again - but security is tricky - maybe there might be some

You're correct. It is best to dispose of old keys, and never reuse them.

> point in using old strings as the keys on some (unmentioned) honey pot servers.

You could do that, but there might be risks associated with that (or not).

--
One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot
Henrique Holschuh

Archive: http://lists.debian.org/20130728131242.ga7...@khazad-dum.debian.net
Re: Continuous brute force attempt from own server !!! (OT question)
On 20130727_140629, Henrique de Moraes Holschuh wrote:
> On Sat, 27 Jul 2013, Brian wrote:
>> On Sat 27 Jul 2013 at 12:05:05 +0300, Lars Noodén wrote:
>>> On 07/26/2013 11:26 PM, Brian wrote:
>>>> Does this 'good idea' have reasons to support it?
>>>
>>> It is for much the same reasons that passwords are rotated. It was mainly this draft that convinced me:
>>> http://datatracker.ietf.org/doc/draft-ylonen-sshkeybcp/?include_text=1
>>> It mentions rotating the keys in several places.
>>
>> Thank you, that was an interesting read. The focus of the draft is on organisations which utilise SSH keys extensively, so in such a situation I can understand a recommendation for key rotation because ignoring it may have disastrous consequences. Users with small networks and with well managed access to them would rarely have a need to change passwords or keys at predetermined intervals.
>
> If you have that key sitting anywhere outside of a hardened smartcard, you should rotate it every so often, in case someone managed to snag a copy of it while you were not paying attention. It is NOT too much pain to rotate keys once a year, unless you're doing it wrong in the first place.
>
> It is also good practice to never share the same key across hosts (or if that's impractical, across security domains), and to have specific keys for

I'm lurking here, hoping to learn things: In this case, what is a 'security domain'? Don't make fun of me. I really haven't, to my memory, come across the term before.

> specific services. This practice can greatly reduce the damage caused by a compromised key.

--
Paul E Condon pecon...@mesanetworks.net

Archive: http://lists.debian.org/20130727222740.GA19973@big
Re: Continuous brute force attempt from own server !!! (OT question)
On Saturday 27 July 2013 23:27:40 Paul E Condon wrote:
> I'm lurking here, hoping to learn things: In this case, what is a 'security domain'? Don't make fun of me. I really haven't, to my memory, come across the term before.

I'd like to know what a security domain is too. So I can join you as Aunt Sally, Paul. ;-)

Lisi

Archive: http://lists.debian.org/201307272331.54679.lisi.re...@gmail.com
Re: Continuous brute force attempt from own server !!! (OT question)
On Jul 27, 2013, at 4:31 PM, Lisi Reisz wrote:
> On Saturday 27 July 2013 23:27:40 Paul E Condon wrote:
>> I'm lurking here, hoping to learn things: In this case, what is a 'security domain'? Don't make fun of me. I really haven't, to my memory, come across the term before.
>
> I'd like to know what a security domain is too. So I can join you as Aunt Sally, Paul. ;-)

NSA.com?

--
Glenn English
Disclaimer: Any disclaimer attached to this message may be ignored.
Re: Continuous brute force attempt from own server !!! (OT question)
On Sat, 2013-07-27 at 17:26 -0600, Glenn English wrote:
> On Jul 27, 2013, at 4:31 PM, Lisi Reisz wrote:
>> On Saturday 27 July 2013 23:27:40 Paul E Condon wrote:
>>> I'm lurking here, hoping to learn things: In this case, what is a 'security domain'? Don't make fun of me. I really haven't, to my memory, come across the term before.
>>
>> I'd like to know what a security domain is too. So I can join you as Aunt Sally, Paul. ;-)
>
> NSA.com?

I don't know the context of 'security domain', but perhaps 'domain' is for 'subject', 'field', 'branch of'.

Archive: http://lists.debian.org/1374968247.651.6.camel@archlinux
Re: Continuous brute force attempt from own server !!! (OT question)
On Sat, 27 Jul 2013, Paul E Condon wrote:
> In this case, what is a 'security domain'?

It is a partition or a group (actually, a set). When you have several services/hosts that have different attributes from an information security[1] perspective, you should place them in different partitions (aka domains, realms, zones). You usually have important partitions/domains as segregated as possible (including at the hardware level) from any others. This is always done to minimize risk and contain damage, but it can also be done for simple reasons such as to keep separate administrative domains[2] segregated.

> Don't make fun of me. I really haven't, to my memory, come across the term before.

I am unsure whether this is a widely-used term or not. I should have added a definition anyway. Sorry about that.

[1] this actually means a lot more than just keep people away from my stuff, see http://en.wikipedia.org/wiki/Information_security#Key_concepts for details.

[2] domain here has the partition or set meaning. Stuff that is controlled / owned / operated / managed by or for different parties / teams / customers are probably in separate administrative domains.

--
One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot
Henrique Holschuh

Archive: http://lists.debian.org/20130728013919.gb20...@khazad-dum.debian.net
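Henrique's advice earlier in the thread (never share the same key across hosts, or at least not across security domains, and use specific keys for specific services), combined with the partition definition just above, as an added example that is not from the thread: an audit that reads each host's authorized_keys, fingerprints every key, and reports keys that recur on several hosts or, worse, in several security domains, and whether a key is tied to one service by a command= restriction. The host inventory, domain names and key blobs are constructed for illustration. The fingerprint routine is the OpenSSH SHA256 form (SHA-256 over the decoded key blob, base64 without padding), so on a real authorized_keys file it gives the same value as `ssh-keygen -lf`.

```python
"""Added example: audit authorized_keys files for keys shared across hosts and
security domains. Inventory, domain names and key blobs are constructed."""
import base64
import hashlib
import shlex
from collections import defaultdict

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
}


def fingerprint(blob_b64):
    """OpenSSH SHA256 fingerprint: SHA-256 over the decoded blob, base64, no '=' padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return (fingerprint, comment, options) per key line. Options such as
    command="..." may precede the key type, so locate the type token first."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps a quoted command= value as one token
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # not a key line this audit understands
        options = tokens[:idx]
        comment = " ".join(tokens[idx + 2:])
        keys.append((fingerprint(tokens[idx + 1]), comment, options))
    return keys


def audit(inventory, keyfiles):
    """inventory: host -> security domain; keyfiles: host -> authorized_keys text.
    A key present in more than one domain is the worst case, one domain but
    several hosts the next; a key that is command= restricted everywhere it
    appears is reported as bound to a single service."""
    seen = defaultdict(lambda: {"hosts": set(), "domains": set(), "restricted": []})
    for host, text in keyfiles.items():
        for fp, _comment, options in parse_authorized_keys(text):
            seen[fp]["hosts"].add(host)
            seen[fp]["domains"].add(inventory[host])
            seen[fp]["restricted"].append(any(o.startswith("command=") for o in options))
    report = {}
    for fp, info in seen.items():
        if len(info["domains"]) > 1:
            severity = "cross-domain"
        elif len(info["hosts"]) > 1:
            severity = "cross-host"
        else:
            severity = "ok"
        report[fp] = {
            "hosts": sorted(info["hosts"]),
            "domains": sorted(info["domains"]),
            "service_bound": all(info["restricted"]),
            "severity": severity,
        }
    return report


def sample_blob(label):
    """Constructed stand-in for a key blob; only its fingerprint matters here."""
    return base64.b64encode(label.encode()).decode()


# Constructed inventory: two DMZ web hosts, one internal database, one admin bastion.
INVENTORY = {"web1": "dmz", "web2": "dmz", "db1": "internal", "bastion": "admin"}
KEYFILES = {
    "web1": f"ssh-ed25519 {sample_blob('deploy-key')} deploy@ci\n",
    "web2": f"ssh-ed25519 {sample_blob('deploy-key')} deploy@ci\n",
    "db1": (
        f'command="/usr/bin/rrsync /srv/backup",no-pty ssh-ed25519 {sample_blob("backup-key")} backup@db1\n'
        f"ssh-ed25519 {sample_blob('deploy-key')} deploy@ci\n"
    ),
    "bastion": f"# admin keys\nssh-rsa {sample_blob('alice-bastion')} alice@laptop\n",
}


if __name__ == "__main__":
    for fp, entry in audit(INVENTORY, KEYFILES).items():
        print(entry["severity"], fp, entry["hosts"], entry["domains"],
              "service-bound" if entry["service_bound"] else "unrestricted")
```

On the constructed data the deploy key is flagged cross-domain because it sits on the DMZ web hosts and on the internal database, which is exactly the case where one leaked key lets an attacker cross a partition boundary; the backup key appears once, under a forced command, and passes.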
Re: Continuous brute force attempt from own server !!! (OT question)
Thanks for the amusing responses. With our new knowledge of who actually reads our emails, rules for cycling passwords have lost pride of place in a ranking of things-to-worry-about.

I intended the question to be answered in the context of the post by Henrique de Moraes Holschuh, where 'across security domains' is considered less desirable than 'across hosts'. I know what hosts are when writing computer stuff, but, come to think about it what does it mean to rotate keys? Is the idea that a particular key string is to be reused on some host after it has been removed from service on some other host? I had thought that it was best to never use a retired key string again - but security is tricky - maybe there might be some point in using old strings as the keys on some (unmentioned) honey pot servers.

On 20130727_162740, Paul E Condon wrote:
> On 20130727_140629, Henrique de Moraes Holschuh wrote:
>> On Sat, 27 Jul 2013, Brian wrote:
>>> On Sat 27 Jul 2013 at 12:05:05 +0300, Lars Noodén wrote:
>>>> On 07/26/2013 11:26 PM, Brian wrote:
>>>>> Does this 'good idea' have reasons to support it?
>>>>
>>>> It is for much the same reasons that passwords are rotated. It was mainly this draft that convinced me:
>>>> http://datatracker.ietf.org/doc/draft-ylonen-sshkeybcp/?include_text=1
>>>> It mentions rotating the keys in several places.
>>>
>>> Thank you, that was an interesting read. The focus of the draft is on organisations which utilise SSH keys extensively, so in such a situation I can understand a recommendation for key rotation because ignoring it may have disastrous consequences. Users with small networks and with well managed access to them would rarely have a need to change passwords or keys at predetermined intervals.
>>
>> If you have that key sitting anywhere outside of a hardened smartcard, you should rotate it every so often, in case someone managed to snag a copy of it while you were not paying attention. It is NOT too much pain to rotate keys once a year, unless you're doing it wrong in the first place.
>>
>> It is also good practice to never share the same key across hosts (or if that's impractical, across security domains), and to have specific keys for
>
> I'm lurking here, hoping to learn things: In this case, what is a 'security domain'? Don't make fun of me. I really haven't, to my memory, come across the term before.
>
>> specific services. This practice can greatly reduce the damage caused by a compromised key.
>
> --
> Paul E Condon pecon...@mesanetworks.net

--
Paul E Condon pecon...@mesanetworks.net

Archive: http://lists.debian.org/20130728053748.GB20388@big
Re: Continuous brute force attempt from own server !!! (OT question)
On 20130727_172641, Glenn English wrote:
> On Jul 27, 2013, at 4:31 PM, Lisi Reisz wrote:
>> On Saturday 27 July 2013 23:27:40 Paul E Condon wrote:
>>> I'm lurking here, hoping to learn things: In this case, what is a 'security domain'? Don't make fun of me. I really haven't, to my memory, come across the term before.
>>
>> I'd like to know what a security domain is too. So I can join you as Aunt Sally, Paul. ;-)
>
> NSA.com?

The NSA web site is www.nsa.gov

Other use of NSA is National Softball Association, but their web site is www.playnsa.com

Enough!

--
Paul E Condon pecon...@mesanetworks.net

Archive: http://lists.debian.org/20130728055211.GC20388@big