C, many OpenID & OpenOTP solutions are out there offering various eye-catching e-identity authenticity management solutions, essentially software providers with the magic of SMS or hardware dudes with a shiny RSA-style dongle, and I do not think passwords or some high-tech bio-ID, or whatever else is in fashion, is going to help an average citizen not get robbed or mugged (read: blue screen asking for a Liberty Reserve payment or wipe). Passwords in essence are not really the security issue. No matter what is being considered as a key or an element of it, assuming we assign a fuzzy meaning to the concept of "key" and accept all sorts of quantum-universe goodness one can get offered, at some point "they will do you", whether you are a GCHQ/MI6 transvestite math wizard, a security fella using a typical silent 21-year-old-Comodo-hackered SSL connection for emails, or a grandpa in the U.S. with a nice made-in-China OTP dongle to do normal banking. Point is, the city is insecure with weapons of all stripes, and with any conceptual police, your business is going to get Aramcoed real easy. What helps a fellow DD reader from getting Fcked is having the chance of owning bits of more intelligent genes, fewer habits of ignorance, and a critical "soul". Sorry for the speech, and I am no member of a password advocacy or lobby firm out there. I just don't see the point in so much focus on the technical part of our electronic experience while I have seen many more "Human Factor"s involved in e-security. BTW, I recall Dave tweeted about the book a while back. It's phenomenal. Get your copy and read it, it does good, and the money goes to children of the dead soldiers.
D, I am following some works coming out of the Senate CRS and various, mostly chatter-type, signals from the House CFA. There is an amazing pattern from 2006 up until now to build up mind-game gear and political tools to produce an unsafe foggy wall around China, acting like a determinant dark cloud on the East's possible supremacy. Fun stuff is available for all to read under the Open Government Act, and where the U.S. wants to be standing in 2025. Younger folks: go for .pdf inurl:2025-strategy site:*.gov. I do not and cannot know details of stories like this NYT thing, but I am as certain as I can be that the WP post and NYT and a whole other dozen media out there are not doing "Journalism" or "Research". They do contract work and are owned by like 5 power entities. So the story might be simply pure bullshit, a project, a gig for a pay -- or we've got a bunch of retard employees of a media outlet and some single-digit-IQ Chinese hackers. Meanwhile, Haaretz, a news outlet close to powerful elements in .il, was recently pwned and I have read much interesting content in the leaked emails, their headers, etc. That is what I call a story.

Peace,
M.

On Mon, Feb 4, 2013 at 7:06 PM, Charisse Castagnoli <[email protected]> wrote:
> Dave -
>
> I agree NYT was playing with fire - but they stuck to their journalistic mission.
> Maybe they have factored in the risk of being a continuous target of the countries and organizations they report on.
>
> The password problem, on the other hand, is really frustrating.
> Why Why Why with mobile phones, tiny dongles etc. are we STILL using passwords everywhere.
> I used to be able to get by with 3-5 passwords, now I have to have a different password on every account.
> (Thank goodness for Keeper)
>
> We really have come to the point of absurdity with passwords. So, on that topic, does anyone in this esteemed group have an opinion about OpenID providers?
> I'm looking to pay for my OpenID, I don't want to be dependent on a Google or AOL.
>
> Charisse Castagnoli
> [email protected]
>
> On Feb 1, 2013, at 4:19 PM, Dave Aitel wrote:
>
> So one thing I think is interesting is that New York Times story.
>
> Here's how it goes, in bullet points:
> 1. NYT knows it's ruffling feathers, so it hires AT&T (??) to "watch their network"
> 2. AT&T sees something, so NYT calls in Mandiant
> 3. Mandiant and NYT let the Chinese hack things and watch them while they penetrate into the domain controller and lots of other machines.
> 4. Article about this comes out on NYT.com, calling out the Chinese.
>
> So, as far as I can tell from their article, the Chinese have all the passwords for every NYT employee. This sounds like something that is not good for NYT employees who may reuse their passwords elsewhere, even if they're changed now.
>
> Likewise, it seems like at any time the Chinese could have turned off the domain controller. That would probably have had significant downsides for NYT, to say the least. Here's why they didn't: Their policy did not let them. But that doesn't ameliorate all the risk, as even hackers make typos...
>
> In other words, playing games with hackers on your network for a story is a fundamentally bad idea. Because at some point, you're going to find a contractor who screws up and doesn't follow their own policy (or can't type) and it's going to take down your whole business.
>
> -dave
>
> --
> INFILTRATE - the world's best offensive information security conference.
> April 2013 in Miami Beach
> www.infiltratecon.com
>
> _______________________________________________
> Dailydave mailing list
> [email protected]
> https://lists.immunityinc.com/mailman/listinfo/dailydave
