Not just kernel patching, many distros are amazingly behind in updates. The slowness of Debian versions is pretty astonishing, until you deal with RHEL and CentOS!
Joe Woodbury wrote: RHEL and CentOS
Red Hat gets certified by some American authority. That takes time, but you can be sure that the NSA will then know how to deal with that OS. CentOS is just a re-branded Red Hat.
Oh sanctissimi Wilhelmus, Theodorus, et Fredericus!
Roslyn is the codename-that-stuck for the open-source compiler for C# and Visual Basic.NET. Here's how it started in the deepest darkness of last decade's corporate Microsoft, and became an open source, cross-platform, public language engine for all things C# (and VB).
"Just sit right back and you'll hear a tale, a tale of a fateful trip"
Yes, this is new info although it sounds somewhat familiar.
Are long passphrases the answer to password problems? | CSO Online[^]
article said: Kevin Mitnick, chief hacking officer for KnowBe4, Inc. (my full-time employer) kills that supposed fact with his latest video. In it, he cracks a 17-character, complex password in 31 seconds. Because of this, Mitnick recommends using simple, long passphrases (also known as “PassSentences”) 25 characters or more, something like, “I like to go to the beach to get wet.” Kevin also recommends using a good password manager to manage your passphrases.
Quote: It’s good, sound advice. I agree with most of it. The only part I’m not sure about is the 25-character-minimum requirement. The reason is that while using 25-character or longer passwords might make password cracking (i.e., password hash cracking and password guessing) harder to pull off, it increases the risk that users will reuse the same password across different security domains, which is what NIST’s latest advice is trying to prevent.
Use a password manager (like cyapass.com), and creating 25-character or longer passwords is no problem.
I suppose we will always have passwords.
I like this solution that Microsoft is proposing with yubikey FIDO2 etc.
Watch the video -- it is very cool how it works:
Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices - Microsoft 365 Blog[^]
If it really worked that way.
DoD's been doing PKI with a similar system (smartcards instead of USB keys) for over a decade. It is very portable and works well, and for the life of me I cannot figure out why there aren't more commercial identity providers out there with a larger client base.
"Never attribute to malice that which can be explained by stupidity."
- Hanlon's Razor
The only thing I can think of is that people will forget them at home and then complain to admins, and the admins will be annoyed, so they don't implement it. Most people have badges to get into their buildings; maybe they could make it all part of the same thing?
raddevus wrote: Most people have badges to get into their buildings, maybe they could make it all part of the same thing?
One of the departments here does that: the employee's ID badge has a smart chip in it that can be used to log into their PC.
Unfortunately, everyone else is squabbling among themselves trying to figure out which standard and provider to use for 2FA. Card vs USB vs Soft Token, etc. Been going on for a couple of years now.
RJOberg wrote: everyone else is squabbling among themselves trying to figure out which standard and provider to use
Yeah, it's too bad when good tech gets ignored because of subtle differences and warring factions of users / managers.
The only problem with the smart cards is that it doubles as your military ID, and I cannot tell you how many times people left theirs in their computer when they left for the day and one of us had to drive all the way out to the main gate to bring it to them the next day. Even I did it once or twice.
if (Object.DividedByZero == true) { Universe.Implode(); }
Dude, the Cyber Challenge even has a bit about that! For shame!
"Never attribute to malice that which can be explained by stupidity."
- Hanlon's Razor
And there are women hitting on guys in it. Yeah, yeah, "inviting to lunch", talking about "music".
raddevus wrote: Use a password manager (like cyapass.com)
Shameless plug.
It has to be done.
raddevus wrote: Use a password manager
I find it interesting that there are lots of people here on CP that are against using the cloud for security reasons but have no problem handing over every single password they have to a single source.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
011111100010 wrote: against using the cloud for security reasons but have no problem handing over every single password they have to a single source
On a related thread, one of the professors I had a programming security course with in college advocated 25+ character passwords with the standard suggestions, unique for every site/system, change regularly, etc., plus didn't contain any complete or commonly used slang words*. This was over 10 years ago, so it should have been reasonably strong against systems of the time.
The final part of his advice was to write the password with the site, date created/changed, etc. in a spiral notebook, and NOT save it to a file on your PC. Then stick that notebook in a locked desk drawer.
His reasoning behind that was if someone had physical access to your PC, it was as good as compromised anyway. They could copy your hard drive and brute force it or any number of other attack types. It sounded** like good advice at the time, but it certainly didn't travel well.
* He never mentioned checking for non-English slang, I wonder if that would matter...
** Not saying it WAS good advice, just that it sounded that way to someone who was still learning security theories. Yes, keyloggers were still a weak point against this method.
I'll repeat what I said to OP about saving passwords in the cloud:
raddevus: That's why my password manager (http://cyapass.com) does not save your passwords anywhere.
That is not hyperbole. With C'YaPass your password is generated every time from:
1. your site key
2. the pattern you draw
The final output is a SHA-256 hash which you use as your password (64 characters long).
And...the site keys you create to remember which site you use the password at are stored only on your machine and you can manage them yourself. Never stored in the cloud. You (the user) own everything and it is open source too.
011111100010 wrote: lots of people here on CP that are against using the cloud for security reasons but have no problem handing over every single password they have to a single source.
I do too.
That's why my password manager (http://cyapass.com) does not save your passwords anywhere.
That is not hyperbole. With C'YaPass your password is generated every time from:
1. your site key
2. the pattern you draw
The final output is a SHA-256 hash which you use as your password (64 characters long).
And...the site keys you create to remember which site you use the password at are stored only on your machine and you can manage them yourself. Never stored in the cloud. You (the user) own everything and it is open source too.
You are the perfect foil for my marketing message. Thanks!
raddevus wrote: it is open source too.
Which makes it easy to figure out how to hack, so once someone has access to your computer, whoops.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
I think you've missed the point.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
011111100010 wrote: I think you've missed the point.
I often do.
But, it's just because I'm oblivious.
However, I am also obsequious, purple and clairvoyant.
modified 28-Sep-18 14:43pm.
I had written something similar several years ago and it worked great until one day:
My account was flagged for an insecure password due to only having the HEX character set, never mind the length. This led me to deduce that the email server software we used encrypted the passwords as opposed to hashing them. The SysAdmin laughed when he saw my kilometer-long password being flagged due to a lack of special characters.
Director of Transmogrification Services
Shinobi of Query Language
Master of Yoda Conditional
Great story!
I always find it funny / frustrating too when they enforce special chars but then only allow a 12-char length. The devs at the other end have no idea what they're doing.
raddevus wrote: Use a password manager (like cyapass.com)
That site isn't https!!! How can I trust a password manager that doesn't even secure its own site!?