* Posts by Charles 9

16605 publicly visible posts • joined 10 Jun 2009

Today's WWW is built on pillars of sand: Buggy, exploitable JavaScript libs are everywhere

Charles 9

Re: choices

And if they're the ONLY supplier of something due to exclusive contract?

Charles 9

Re: Too many dependencies.

But it doesn't really use JavaScript. The page itself is passive. It uses the bog-standard forms and such (though I may take issue with the way the icons are done; the old way was safer), and I don't have much issue with that. But live-update stuff like Disqus and Livefyre? Whole other story.

Charles 9

Re: Too many dependencies.

No, I believe an Interactive Web is inherently bad. Why don't we push for moving it to a protocol designed for interactivity such as X or VNC? This would also put the onus back on the servers to keep their systems clean because now THEY have to run the code or they can't function.

Charles 9

So how do we fix it when the only people that can fix the problem are too slippery to coerce?

Charles 9

Re: choices

Interactivity was NOT an intended design of the Web, though. That's something best left for proper protocols like X over SSH or VNC. So I refuse to consider it not an option. It's ALWAYS an option. In fact, taking the Web passive again should be the ONLY option to save the Internet as we know it.

Charles 9

"Web based Google Docs, Maps, Search, Gmail, etc are toast."

That's why they're now in APPS. What's to stop Google creating a native-desktop program to encompass all their functions in a world without JavaScript?

Charles 9

Re: It's like this conversation is happening in outer space

"Because anyone who suggests that you don't use Javascript in a website is in reality denial. I can count on the fingers of one ear sites that don't. Good luck explaining to your customer why NONE of the things they want, work."

Simple. "Due to the nature of the technologies involved being actively used to infect and take over computers all throughout the Internet, we cannot in good conscience require the use of these enabling technologies. HTML 1.0 was a passive technology, and separate protocols and external programs were the solution to interactivity in the past; therefore, we have no choice but to revert to technologies like VNC to provide interactivity."

"And yes, everything should be constantly patched and updated."

What if the patch is usurped with spyware? Or worse, hijacked to inject malware?

"The only solution is for it to be fixed at source: for the libs to be secure and the version number to become irrelevant: no local copies and the CDN always serves up the latest version which is *always* backwardly compatible."

Single point of failure. The hackers hijack the developer accounts and inject the malware into the sources, and since they took over the DEV accounts, they also have access to the signing keys.

"There is no solution: you are lumbered with the insecurities."

Well, we could always abandon the Internet and go back to the Sears catalog. Oh, wait, the telephone networks can be pwned, too...

Charles 9

No, it's just a sign of the teetering condition of society as a whole when ANYTHING can be rigged into a security exploit.

Charles 9

Re: Meanwhile, back in the real world...

"Month previous, I was in the local private hospital. Still very sensibly using paper for all their records!"

And what if there's a FIRE? Hard to copy paper records offsite, and expensive.

Charles 9

Re: Perhaps

"If we just scrapped browser support for JavaScript, then created a plugin to enable rich content without the need to be downloading snippets of insecure script from untrustworthy sources."

Serious question. What do you propose as an alternative to interactive websites? Anything else you propose is likely to be holier than a wheel of Emmentaler, given we tried this approach in the past. Remember RealPlayer?

Brit infosec's greatest threat? Thug malware holding nation's devices to ransom – report

Charles 9

Re: Revolutions need to start somewhere

But what if you get overridden by an executive? Unless you're saying YOU'RE an executive.

As for dealing with fads, as Smash Mouth once sang, "You might as well be Walking On The Sun."

Charles 9

It's cheaper for manufacturers to game the tests and ignore the risks. Look at Volkswagen. And if a fly-by-night gets sued or pursued by the law, they can just vanish...

Charles 9

How do you do that when the manufacturer can do a fly-by-night? Or is not based in a country subject to your laws and thus has sovereign protection?

One IP address, multiple SSL sites? Beating the great IPv4 squeeze

Charles 9

Re: End to end is a myth

"Now IF your two machines can communicate via the ISP router then something else is happening."

Like perhaps LEOs are getting involved. Consider THAT.

Charles 9

Re: End to end is a myth

You don't use EVERYTHING because someone can exploit one of those somethings to get around others (to use cybersecurity parlance, pwn one layer of security and then use it to bypass others). Use ONLY what you need. Plus you have to consider that more hoops to jump irks users who reach their limits and then start creating (exploitable) shortcuts.

Charles 9

Re: End to end is a myth

"If they are doing that you have other problems a firewall won't protect you from."

And that alone is enough of a threat since they can be coerced by the law. Remember, trust no one.

With routing, you don't NEED to NAT. You GO AROUND it. If you really, REALLY wanted to protect your intranet, don't use NAT. Use a proxy.

PS. ISPs aren't SUPPOSED to route RFC1918 addresses, but many still do. If you take a very close look at a connection log, you'll probably run into some of them at some point.

Smart guns are a neat idea on paper. They'll never survive reality

Charles 9

Re: over engineered

"So, if the primary purpose is to prevent a child/assailant from using your weapon. Wouldn't a simple key combination be sufficient."

Not if the child's precocious enough to figure out the combination AND keep that knowledge that he knows from his parents.

Charles 9

Re: @AC ... A really smart gun...

The Culture (capitalized) is a novel series by Iain M. Banks. Been writing them since 1987, and his latest is pretty recent (The Hydrogen Sonata, 2012). The title refers to a pretty loose and liberal society of the future (it's post-scarcity, so basic needs are ubiquitous and there's little real "need"). This society includes mechanical entities. Those rating at least 1.0 are considered equal to humans in status. SC refers to Special Circumstances, basically the black ops arm that deals with the most troublesome aspects of Culture-outside relations.

In The Culture, a "knife missile" is a sci-fi smart weapon. It's more than a ballistic knife that you launch and it flies forward. No, knife missiles can act on their own, float in the air, and cut very rapidly using both itself and projected force fields, among other things (equipment varies, but that's the basic function). It's an autonomous device so it's technically a citizen in the Culture. It rates well over 1.0, though, as it's designed specifically for use with Special Circumstances.

'Password rules are bullsh*t!' Stackoverflow Jeff's rage overflows

Charles 9

Re: Rules and Password Timeouts

ONLY five. Many have enough memory to go back at least ten, by which time you've probably lost track of your original password. And some go even further by not allowing any PARTS of an original password (blocking Password0 -> Password1 as "Password" is in both).

Like I said, there's at least a valid reason to have a change policy: to close or expose undetected breaches.
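The two rules the post above mentions, a history of the last N passwords and a block on recycling a chunk of the current one (Password0 to Password1), look like this when implemented server-side. This is an added example, not the poster's code; it assumes passwords are stored as salted PBKDF2-HMAC-SHA256 digests, a history depth of ten, and a four-character overlap rule, all of which are choices made for illustration. The point worth noticing is that the "no shared parts" rule can only be applied against the current password, because that is the only one the user types in plaintext at change time; older entries exist only as hashes and can only be matched exactly.

```python
"""Password-history checks: reject the last N passwords, and reject a new
password that merely recycles a run of characters from the current one.

Added example, not the poster's code. Storage format (PBKDF2 with a per-entry
salt), history depth and the overlap threshold are assumptions for illustration.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

ITERATIONS = 100_000  # assumed work factor; tune to the deployment's hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) suitable for appending to the history list."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of password against a stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of characters shared by a and b (case-insensitive)."""
    a, b = a.lower(), b.lower()
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def check_change(new_pw: str, current_pw: str, history: List[Tuple[bytes, bytes]],
                 depth: int = 10, min_shared: int = 4) -> Tuple[bool, str]:
    """Decide whether new_pw may replace current_pw.

    history holds (salt, digest) pairs, oldest first, with the current
    password's entry last. Only current_pw is available in plaintext (the
    user just typed it to authorise the change), so the substring rule is
    applied against it alone; older entries are matched by hash only.
    """
    if new_pw == current_pw:
        return False, "new password is the same as the current one"
    for salt, digest in history[-depth:]:
        if verify(new_pw, salt, digest):
            return False, "password was used within the last %d changes" % depth
    shared = longest_common_substring(new_pw, current_pw)
    if shared >= min_shared:
        return False, "new password shares a %d-character run with the current one" % shared
    return True, "ok"


def build_history(passwords: List[str]) -> List[Tuple[bytes, bytes]]:
    """Hash a list of past passwords (oldest first) into a history list."""
    return [hash_password(p) for p in passwords]


if __name__ == "__main__":
    # Constructed history; "Password4" is the one currently in use.
    hist = build_history(["Password0", "Password1", "Password2", "Password3", "Password4"])
    for candidate in ("Password5", "Password2", "correct horse battery staple"):
        print(candidate, "->", check_change(candidate, "Password4", hist))
```

Because every history entry is checked by recomputing PBKDF2, the cost of a change request scales with the history depth; that is tolerable for a handful of entries but is one more reason not to let the history grow without bound.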

Charles 9

Re: We need a browser extension...

If you're forced to allow JavaScript to log onto a site, the malware writers will pwn you with a JavaScript injection attack. Increasing numbers of people want future HTML to be LESS rather than MORE complicated: more passive, with media tasks shunted back to dedicated apps.

"This scheme does _not_ protect against other hazards; hackers can, for example, intercept the hashed password and send it to log into that particular site (i.e., you still need HTTPS) and can keylog, shoulder-surf, etc. I don't see any panaceas. You need complex passwords, salted and hashed so they can't be easily deciphered, limits on how many password attempts are allowed in a particular time interval, 2FA, and HTTPS... even though no one or two of these alone are sufficient."

Except if you make things TOO complicated, you force people to create shortcuts that malcontents can exploit. You need a solution that's strong enough to block anything short of an insider or state yet simple enough that even the dullest drone can and will do it nigh-automatically.

Charles 9

Re: We need a browser extension...

Like hackers simply attack the extension. Hackers already attack the browsers directly.

Charles 9

Unless, of course, they downloaded the password database and are cracking it in their own machines, much like a robber managing to take the whole safe with them.

Charles 9

Re: Can someone please point this out to tucows/openSRS

Um, how else can they deal with unknown hacked accounts, then? Forced password changes either close those doors (the hacked details aren't valid anymore) or draw them into the open (because the hacker is forced to change the particulars and the real user gets locked out).

Charles 9

Re: War Games is fake...

"I tell people get something like a verse from your favorite song, favorite bible verse, something a comedian said like "why do you have a hot water heater, you need a cold water heater". Get the point."

Now try repeating that about 100 times or so because you need a different one for EACH site, or when ONE site gets hacked, ALL the ones that used the same password are fair game. And you also have to deal with people with poor memories.

"Remember the hacker unlike War Games does not know anything about the password, including the key and that it was base64 encoded."

But he may know enough about you to find ways to get at that password, perhaps by hacking your home machine or other stuff.

Charles 9

Re: Users confuse complexity with entropy, no?

With a little practice, I'd say less than ten seconds. Longer if there are caps and punctuation.

Charles 9

Re: I believe...

Oh, so hackers figure it out, start posing as you, and either slander your image or engage in social engineering attacks?

Charles 9

Re: 99 ice cream loving honeybadgers ate my hamster!

No, poor memory. As in "CorrectHorseBatteryStaple" turns into "DonkeyEnginePaperclipWrong" one day and "CrankMaybePinMule" the next. Some people's memories are THAT bad (or worse, you have to keep telling them THE SAME THING every single day).

Charles 9

Re: Why does anybody treat passwords as ASCII FFS

If they set up a keylogger, they can just record the strokes no matter how obscure they are.

Charles 9

Re: It's 2017 - use FIDO U2F

And what if you lose THAT?

Charles 9

Re: @Charles 9

"If you haven't already guessed, I use those questions as another layer of password, don't answer them correctly, and keep them in a file like I do the passwords themselves and other data like the account name or whatever."

So what happens WHEN (not if) they pwn your local machine with a drive-by and steal your special file?

Charles 9

Re: Users confuse complexity with entropy, no?

Except people will just keep using the same one because trying to remember a bunch of them will have people trying to remember correcthorsebatterystaple and instead recall donkeyenginepaperclipwrong. Our memories get muddled and we mess up.

Charles 9

Re: Personally I find it really annoying when..

Most people don't provide fake information. Some even verify it or record your IP which can be enough of a clue to get more information.

Charles 9

Even the best encryption in the world is useless if you just wait until it's DEcrypted as a matter of course.

Charles 9

Re: Files as passwords

The hackers ALREADY have the solution for that: they hack your LIVE session, meaning they get the envelope while it's open. That's the current most-intractable problem with encrypted content: it must be DEcrypted to be useful; hackers just wait until then. The only way around that is to have crypto-chips in our brains a la Ghost in the Shell, and I think Shirow Masamune's timetable for that world was all too optimistic.

Charles 9

Re: He has a point, but also contradicts himself

Then we're at an impasse because he's saying that anything LESS is crackable within reasonable time. Basically, combining your statement and his, the MINIMUM reasonable standard for security is BEYOND the capability of the average human. Meaning we're basically screwed. And as the saying goes, the hackers only have to be lucky ONCE. That one entry lets them gain enough information to hack other accounts and go from there.

Charles 9

Re: Human versus machine input

I don't think that will work, either, as the hackers will simply find faster ways to do the hashes. It's basically an intractable siege problem: the besiegers always have the edge against the besieged because the former isn't locked down.

A webcam is not so much a leering eye as the barrel of a gun

Charles 9

Re: Black tape for the mic?

"With respect to the mic, just don't talk to yourself - I know it's hard but you could try."

Not really. Many of us do it on reflex: SUBconsciously, meaning we talk without even realizing we're talking. And what about people who talk in their sleep but have to keep their computers on for overnight jobs?

Charles 9
Joke

Re: So many options

No because I normally also kick ass. Problem is I usually run out of bubblegum beforehand.

Most of 2016's holes had fixes the day we knew about 'em. Did we patch? Did we @£$%

Charles 9

Re: Not a Member of the Monoculture

And even that isn't always sufficient if recent government leaks are any indication, as it seems clear states covet zero-days for any and all OS's in operation.

Charles 9

Re: Why do we patch, or not?

But it's NOT chuckle-worthy. If it's eat a moose turd pie or DIE, guess what happens?

Charles 9

Re: Why do we patch, or not?

Offer an EMACIATED starving man a moose-turd pie and watch him scarf it down. If you can't be sure of your next meal, anything to stave off starvation. You see it all the time in animals.

Sad fact of the day: Most people still don't know how to protect themselves online

Charles 9

Re: online security

"Only when they are prepared and would like to take the extra steps to protect themselves online that we introduce security practice. Otherwise, there's no privacy. You normal people didn't put the effort into getting it. Deal with it."

What if no effort that can be exerted by man is sufficient? What if this is the Global Village now where everything can be read by everyone, even if it was ten years ago, and there's nothing you can do to stop it?

Owen Bytheway, this is stretching beyond the Internet, too. Ubiquitous cameras, microphones, aerial and satellite surveillance that's increasingly able to see through things. Heck, even the idea of "dead drops" is becoming riskier because there's always a chance (and growing) someone or something's there to observe the drops, linking you to it. Let's see you try to keep your privacy in THIS.

Charles 9

"With the threats consumers face growing everyday, I don't see how encrypting everything can be avoided. It's the only thing that provides the most basic level of security."

Until you realize you can be pwned on the hardware that would be needed to do the encryption. Imagine pwned CPUs, network chips, etc. And the level of technical knowledge (not to mention real, legitimate patents) needed to roll your own silicon puts you in No Man's Land. The ONLY people capable of building the chips that run your machine aren't trustworthy. Heck, even beyond computers, can you trust your letter carriers, postal employees, and so on? Heck, remember village gossips?

Let's face it. Privacy as we know it was a fleeting thing to begin with. And now the global village has caught up.

Charles 9

Re: Not that surprising...

"The article does give one good piece of advice: keep everything updated. No matter what type of device, OS or applications, keep applying the updates (and ignore those saying to stick with older OS versions)."

But what happens when the updates cripple functions, install spyware, or (worst case) are hijacked and are used to install malware instead?

'Jarvis' brings AI to the Linux command line, without Iron Man

Charles 9

How long before BadUSB is improved to attack USG as well?

Family of technician slain by factory robot sues everyone involved

Charles 9

And then the complaints will start flying when those kill switches trigger spontaneously...

Charles 9

"Taken to the extreme logical conclusion, yes, there'll be a few families who own everything and everything will be 100% automated. So who is left to buy the products and keep the super rich rich?"

Each other. As long as there are at least two such families and each can provide something the other can't, there can be an agreement between them.

Otherwise, the families become self-sufficient and don't need anyone else. Their robots will be strictly for themselves and they won't need to engage in commerce anymore.

If you bought a dildo in Denver, the government must legally be told

Charles 9

Re: Sigh

No, they'll be worse. And note this entry was posted AFTER Inauguration Day, so there actually IS an Administration in place. AND in many ways it's worse than anticipated.

FCC under fire for trying to ditch cybersecurity

Charles 9

Except they're ALL we have to work with. Of 535 congresspeople there's (what?) one or two independents in there (and they caucus with the Democrats in any event)? And the whole election system's rigged so badly we'd sooner have a coup d'etat than a peaceful changeover of power to a third party.

Basically, we have to cut this tree down, but the only tools at our disposal are a length of cheap rope and a plastic toy saw. What do we do?

Charles 9

Then the Democrats simply need to play one of the Republicans' own cards against them. Make the whole deal into a "with us or against us" up-or-down kind of deal, perhaps by adding a sense of urgency or a threat of a Cyber 9/11 so that any attempt to forestall or delay would be painted as itself threatening national security and just as bad as a "no" vote.

This kind of tactic is one reason Republicans are having trouble replacing Obamacare: because it's way too easy for Democrats to cite explicit cases of people who literally depend on Obamacare just to live. Take away Obamacare and people DIE...which won't sit well come midterms (plus there's the risk a law on the books will allow bereaved families to SUE).