Keep reading - I regularly get shredded here. I know it's done with love though, so I don't mind too much.
Kurt

On Fri, Mar 16, 2012 at 04:18, Mack Bolan <[email protected]> wrote:
> Wow! That may be the best post I've ever read. It's like you do this for
> a living! :)
>
> Mack S. Bolan
>
> On Fri, Mar 16, 2012 at 6:05 AM, Andrew S. Baker <[email protected]> wrote:
>
>> All great info, but so very totally out of context relative to the thread.
>>
>> - You posted about the relative security of passphrases
>> - Discussion ensued about this relative to traditional passwords
>> - People made various assertions to the need to continue protecting
>>   against insider threats
>> - You post something which strongly suggests that insider threats are
>>   not the threats we should be looking for
>> - People request clarification about your assertion, pointing out
>>   that insider threats have not gone away
>> - You revert to form with classic discussion evasion and misdirection
>>   tactics
>>
>> ASB
>> http://XeeMe.com/AndrewBaker
>> Harnessing the Advantages of Technology for the SMB market…
>>
>> On Fri, Mar 16, 2012 at 12:18 AM, Kurt Buff <[email protected]> wrote:
>>
>>> Not really - the original article was interesting, and a good starting
>>> point for discussion.
>>>
>>> My point in response to Doug was not that the insider threat has
>>> disappeared but that the blanket statement that inside threats might no
>>> longer be dominant - something that I believe is probably true, with the
>>> rise of organized crime and hacktivism.
>>>
>>> Kurt
>>>
>>> On Thu, Mar 15, 2012 at 19:53, Andrew S. Baker <[email protected]> wrote:
>>>
>>>> It's not like insider threats have plummeted to 0.
>>>>
>>>> The fact is that most organizations do not need to call for external
>>>> infosec resources for insider threats.
>>>>
>>>> The Verizon security team dealt with ~855 cases worldwide. That's a
>>>> good sample size for obtaining data about specific attacks, but it's not so
>>>> large that it's fully representative of the entire attack landscape.
>>>>
>>>> The discussion here was about passwords, which I hope you'd remember
>>>> considering you started it. Thus, within the context of the thread itself,
>>>> the focus is on the usefulness and viability of strong passwords whether in
>>>> the standard format, or as a passphrase.
>>>>
>>>> This other stuff you added is not really germane to the discussion,
>>>> unless your goal is simply to hijack your own thread.
>>>>
>>>> ASB
>>>> http://XeeMe.com/AndrewBaker
>>>> Harnessing the Advantages of Technology for the SMB market…
>>>>
>>>> On Thu, Mar 15, 2012 at 6:43 PM, Kurt Buff <[email protected]> wrote:
>>>>
>>>>> Perhaps you might want to rethink your threat model:
>>>>>
>>>>> http://www.darkreading.com/database-security/167901020/security/attacks-breaches/232601717/new-verizon-breach-data-shows-outside-threat-dominated-2011.html
>>>>>
>>>>> On Thu, Mar 15, 2012 at 13:50, Doug Hampshire <[email protected]> wrote:
>>>>>
>>>>>> Are you sure about that? The vast majority of security incidents
>>>>>> happen on the inside of your network from known individuals. Also it was
>>>>>> addressing offline brute force attacks. Most online systems have lockout
>>>>>> policies and other countermeasures to limit exposure to brute force
>>>>>> attacks.
>>>>>>
>>>>>> On Thu, Mar 15, 2012 at 2:49 PM, Crawford, Scott <[email protected]> wrote:
>>>>>>
>>>>>>> I'd rather have "good" passwords written down on a sticky note
>>>>>>> accessible only to a limited number of coworkers than "bad" passwords that
>>>>>>> can be exploited by any black-hat on the internet.
>>>>>>>
>>>>>>> Sent from my Windows Phone
>>>>>>> ------------------------------
>>>>>>> From: Heaton, Joseph@DFG
>>>>>>> Sent: 3/15/2012 11:07 AM
>>>>>>> To: NT System Admin Issues
>>>>>>> Subject: RE: Worth some consideration...
>>>>>>>
>>>>>>> Wait… I'm NOT supposed to write my password on a sticky note? How
>>>>>>> am I supposed to let my coworker use my login, then?
>>>>>>>
>>>>>>> Joe Heaton
>>>>>>>
>>>>>>> ITB – Windows Server Support
>>>>>>>
>>>>>>> From: Andrew S. Baker [mailto:[email protected]]
>>>>>>> Sent: Thursday, March 15, 2012 7:49 AM
>>>>>>> To: Heaton, Joseph@DFG; NT System Admin Issues
>>>>>>> Subject: Re: Worth some consideration...
>>>>>>>
>>>>>>> That's an implementation problem.
>>>>>>>
>>>>>>> If I choose a passphrase of "Mary had a little lamb" then of course
>>>>>>> that will be relatively weak as passphrases go. That is not an
>>>>>>> inherent weakness of passphrases, but of people.
>>>>>>>
>>>>>>> Lots of things are undermined by poor choices. Completely random
>>>>>>> 20 character passwords with a unicode character set are undermined by
>>>>>>> having them posted on sticky notes.
>>>>>>>
>>>>>>> We didn't need a whole article to point that out.
>>>>>>>
>>>>>>> ASB
>>>>>>> http://XeeMe.com/AndrewBaker
>>>>>>> Harnessing the Advantages of Technology for the SMB market…
>>>>>>>
>>>>>>> On Thu, Mar 15, 2012 at 10:12 AM, Kurt Buff <[email protected]> wrote:
>>>>>>>
>>>>>>> http://arstechnica.com/business/news/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices.ars
>>>>>>>
>>>>>>> By Dan Goodin
>>>>>>> Ars Technica
>>>>>>> March 14, 2012
>>>>>>>
>>>>>>> Passwords that contain multiple words aren't as resistant as some
>>>>>>> researchers expected to certain types of cracking attacks, mainly
>>>>>>> because users frequently pick phrases that occur regularly in everyday
>>>>>>> speech, a recently published paper concludes.
>>>>>>>
>>>>>>> Security managers have long regarded passphrases as an
>>>>>>> easy-to-remember way to pack dozens of characters into the string that
>>>>>>> must be entered to access online accounts or to unlock private
>>>>>>> encryption keys. The more characters, the thinking goes, the harder it
>>>>>>> is for attackers to guess or otherwise crack the code, since there are
>>>>>>> orders of magnitude more possible combinations.
>>>>>>>
>>>>>>> But a pair of computer scientists from Cambridge University has found
>>>>>>> that a significant percentage of passphrases used in a real-world
>>>>>>> scenario were easy to guess. Using a dictionary containing 20,656
>>>>>>> phrases of movie titles, sports team names, and other proper nouns,
>>>>>>> they were able to find about 8,000 passphrases chosen by users of
>>>>>>> Amazon's now-defunct PayPhrase system. That's an estimated 1.13
>>>>>>> percent of the available accounts. The promise of passphrases'
>>>>>>> increased entropy, it seems, was undone by many users' tendency to
>>>>>>> pick phrases that are staples of the everyday lexicon.
>>>>>>>
>>>>>>> "Our results suggest that users aren't able to choose phrases made of
>>>>>>> completely random words, but are influenced by the probability of a
>>>>>>> phrase occurring in natural language," researchers Joseph Bonneau and
>>>>>>> Ekaterina Shutova wrote in the paper (PDF), which is titled
>>>>>>> "Linguistic properties of multi-word passphrases." "Examining the
>>>>>>> surprisingly weak distribution of phrases in natural language, we can
>>>>>>> conclude that even 4-word phrases probably provide less than 30 bits
>>>>>>> of security which is insufficient against offline attack," the paper
>>>>>>> says.
>>>>>>>
>>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>>
>>>> ---
>>>> To manage subscriptions click here:
>>>> http://lyris.sunbelt-software.com/read/my_forums/
>>>> or send an email to [email protected]
>>>> with the body: unsubscribe ntsysadmin
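As an added illustration of the Bonneau/Shutova figures quoted in the thread (this is not code from the thread or from the paper), the script below compares the work an offline attacker faces against a passphrase that sits in a ranked phrase dictionary with a passphrase whose words were drawn uniformly at random from a wordlist. The wordlist, the phrase ranking and the guess rate are constructed assumptions; the 7776-word list size is the usual Diceware figure and the 20,656-entry dictionary size is the one the article cites.

```python
"""Passphrase strength for the two selection strategies the thread contrasts:
a phrase people already say (guessable from a ranked phrase dictionary, as in
the Bonneau/Shutova attack) versus words drawn uniformly at random from a
wordlist. Wordlist, phrase ranking and guess rate are constructed values."""
import math
import secrets
from typing import Optional

# Constructed wordlist standing in for a Diceware-style list (real lists: 7776 words).
WORDLIST = ["amber", "basil", "cider", "delta", "ember", "fjord", "gourd", "hazel"]

# Constructed attacker dictionary, most likely phrase first (rank 1).
PHRASE_DICTIONARY = [
    "i love you", "happy birthday", "star wars", "mary had a little lamb",
    "new york yankees", "to be or not to be",
]

def uniform_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of n_words words chosen uniformly and independently."""
    return n_words * math.log2(wordlist_size)

def dictionary_bits(dictionary_size: int) -> float:
    """Upper bound on the work for any phrase inside a dictionary of this size."""
    return math.log2(dictionary_size)

def strength_bits(phrase: str, dictionary, wordlist) -> Optional[float]:
    """log2 of the guesses an attacker needs. A phrase in the ranked dictionary
    costs log2(rank) guesses; a phrase built only from wordlist entries (and not
    in the dictionary) is credited uniform_bits; anything else returns None,
    because natural language the dictionary happened to miss is not random."""
    words = phrase.lower().split()
    key = " ".join(words)
    if key in dictionary:
        return math.log2(dictionary.index(key) + 1)
    if words and all(w in wordlist for w in words):
        return uniform_bits(len(wordlist), len(words))
    return None

def generate_passphrase(n_words: int, wordlist=WORDLIST) -> str:
    """Draw words with the secrets module so that uniform_bits actually applies."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

def offline_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the phrase at the given offline guess rate
    (half the keyspace on average)."""
    return 2 ** (bits - 1) / guesses_per_second

if __name__ == "__main__":
    print(f"4 words, 7776-word list: {uniform_bits(7776, 4):.1f} bits")
    print(f"phrase in 20,656-entry dictionary: at most {dictionary_bits(20656):.1f} bits")
    print(f"'Mary had a little lamb': {strength_bits('Mary had a little lamb', PHRASE_DICTIONARY, WORDLIST):.1f} bits")
    print(f"30 bits at 1e9 guesses/s: {offline_crack_seconds(30, 1e9):.2f} s")
    print("random passphrase:", generate_passphrase(4))
```

The 30-bit figure the paper gives for 4-word natural-language phrases falls under a second at a constructed rate of 1e9 guesses per second, which is the "insufficient against offline attack" point in numbers.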
