Thread: Security for the Paranoid

  1. #21
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmmm,

    Last time I checked you could get all keyboard upper and lower case rainbow tables up to 14 characters for $800. So you should look for something a bit over 14. Given that this stuff is exponential, the fact that those rainbow tables are 60Gb would suggest that maybe 20 characters is quite paranoid enough.

    I think that Tiger~ has mentioned this in at least one other thread, throw in a few ASCII off keyboard characters and you really up the ante.

    I don't just throw out shredded documents; I spread the shredded bits into my garden to use as mulch.
    No!, no!, no!..........................he needs one of those big bins like my wife has. You chuck in your kitchen vegetable waste, non-glossy paper (preferably shredded) and garden waste (not grass cuttings) and three million earthworms turn them into worm p1$$ and $h1t (coire). You sort it out every now and then and use the coire as compost and the p1$$ you dilute 1:10 with water to make an excellent organic fertiliser.

    Anything else goes in the huge green composter. Both for $37 the pair from our local council, worms included.



    Speaking of Newspapers.... The markers they sell on the open market nowadays to detect counterfeit bills.... on a regular bill they mark yellow, on plain paper they mark black... black being indicative of counterfeit bills. Why do they mark yellow on newspaper? Try one and see for yourself
    Bleach?

  2. #22
    Senior Member
    Join Date
    Jan 2005
    Posts
    128
    Last time I checked you could get all keyboard upper and lower case rainbow tables up to 14 characters for $800. So you should look for something a bit over 14. Given that this stuff is exponential, the fact that those rainbow tables are 60Gb would suggest that maybe 20 characters is quite paranoid enough.
    For LanManager hashes probably, because it's actually 2 7 char passwords, old school (Win9x days) method of encryption, still used for interoperability IF your password can be encrypted with it (ie, all lower case, no symbols? and no more than 14 chars)... but this guy would HAVE to have LM hashes disabled, it's stupid to leave them enabled on an all Windows 2000+ network...

    But for hashes such as MD5 and NTLM/v2 (new school Windows hash), 14 characters would either mean MASSIVE tables, or MASSIVE calculation time. It's impractical, atm, to generate those tables, let alone the time it would take, even distributed efforts render these tables completely impractical
    If You've Done Something Right. People Won't Know You've Done Anything At All - God (futurama)
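
Added example, not part of any post in this thread: a Python sketch of the LM split described in post #22, comparing the search space of one 7-character LM half with that of a case-sensitive password of the same total length. It assumes the 95 printable ASCII characters, uses constructed sample passwords, and omits the DES step of LM.

```python
import math

PRINTABLE = 95                  # printable ASCII, space included (assumption)
LM_ALPHABET = PRINTABLE - 26    # LM upper-cases input, so a-z add nothing
LM_MAX_LEN = 14

def lm_halves(password):
    """Blocks LM hashes independently; None if the password exceeds 14 chars."""
    if len(password) > LM_MAX_LEN:
        return None                       # no usable LM hash is stored
    padded = password.upper().ljust(LM_MAX_LEN, "\0")
    return padded[:7], padded[7:]

def keyspace(alphabet, max_len):
    """Count of candidate strings of length 1..max_len."""
    return sum(alphabet ** n for n in range(1, max_len + 1))

def search_bits(password):
    """log2 of worst-case guesses: (LM form, case-sensitive full-length form)."""
    full = math.log2(keyspace(PRINTABLE, len(password)))
    if lm_halves(password) is None:
        return None, full
    # Each half is attacked on its own, and one 7-char table covers both.
    return math.log2(keyspace(LM_ALPHABET, 7)), full

if __name__ == "__main__":
    # Constructed sample passwords: one of 14 characters, one longer.
    for pw in ("Tr0ub4dor&3xyz", "correct horse battery"):
        lm, full = search_bits(pw)
        print(repr(pw), lm_halves(pw), lm and round(lm, 1), round(full, 1))
```

The 14-character sample costs about 43 bits of work in LM form against about 92 bits when hashed whole, which is why disabling LM storage or using more than 14 characters matters.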

  3. #23
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Double//Cut

    It is with the greatest of pleasure that an old fart like me can suggest that you are behind the times

    Rainbow tables will crack long passwords in a short space of time. As I said for 14 characters you are looking at 60Gig, just for the tables. This is not 7 x 7.............you can be sure that the law enforcement and security agencies have them up to 128 characters and better.

    I am no expert, but I believe that how they work is to use very large computers or a large number of smaller ones to pre-compute the solutions. Obviously this takes months, or many years by single computer standards. Then all you have to do is straight comparisons.

    The end result tables are not impracticable...............believe me!

    Please check it out, it is really quite frightening

    Fortunately well beyond the means of your average scum skiddie

  4. #24
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Security is the balance between Security and usability.
    I don't completely agree with this... I think it can be more accurately stated as a balance between security and cost. (since decreased usability increases cost)

    This leads me to the idiocy of the original link... I'd venture that he is spending more on security than the value of what he is protecting. End result is that he loses more being secure than having no security at all.

    Paranoia does not make for good security, just a good waste of resources and time.

    cheers,

    catch

  5. #25
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    Um... Does anyone else find it ironic that he runs Windows on at least some of his machines? Whether or not it's Microsoft's fault, isn't Windows one of the most exploited OS's today? (Granted, a very part of this is that more idiots use Windows than other OS's, but still there's some exploits that are hard to block and that would bypass his three firewalls without patches, i.e. image buffer overflow attacks.) I'm not saying that other OS's are perfect, but if he could halve the possibility of getting exploited by switching from Windows, and if he's so "highly secure" then why doesn't he do it?

    - Xierox
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  6. #26
    *sigh* I can't believe I read that fool's asinine comments. Good thing he didn't get into his cryptography escapades.

    However senator I will give you a profile.

    Five foot ten, weakly built, about 180 pounds. Hair brown, eyes pale black. He displays symptoms of an obsessive-compulsive pedophile, which he tries so desperately hard to shed. His heart begins to race when his ISP calls. He becomes engulfed with irrational fear when the DNS resolves slowly. He launches boot-nuke at the ring of a doorbell. He files his fingertips, like nightrider. He checks photos in his wife and kids em@ils for steganography inserts. He's quite the niggler when it comes to his family and their I-surfing. He dropped a lot of acid in college. He'd be about 35 now. He said he lived in Philadelphia but may have lied. That's all I can remember now.

  7. #27
    Banned
    Join Date
    May 2003
    Posts
    1,004
    So what should he run? XTS-400 desktops, maybe with a HYDRA webserver, SMG mail server, and perhaps a Boeing network controller?

    NT is as good or better than any other COTS general purpose operating system, with regard to security and assurance.

    cheers,

    catch

  8. #28
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    catch

    This leads me to the idiocy of the original link... I'd venture that he is spending more on security than the value of what he is protecting. End result is that he loses more being secure than having no security at all.
    The only justification that I can see would be as an academic exercise or a test project?

    As I know that you are aware that in the defence industry, classified stuff is on a secure network with no internet link.

    If I were voting I would give the guy:




  9. #29
    Don't want to step on any toes here, but I was always under the impression that NT has been formally validated to handle data above unclassified. But they can’t have a link to the internet at the same time? Makes sense, but I'm curious about this. I guess different standards in different countries with different labels etc....

  10. #30
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    Originally posted here by !mitationRust
    Don't want to step on any toes here, but I was always under the impression that NT has been formally validated to handle data above unclassified. But they can’t have a link to the internet at the same time? Makes sense, but I'm curious about this. I guess different standards in different countries with different labels etc....
    Hmm, I didn't know this. Perhaps I was unnecessarily critical on my above post?

    - Xierox
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard
