POV-Ray : Newsgroups : povray.off-topic : Paraniod (Message 71 to 80 of 125)
From: Darren New
Subject: Re: Paraniod
Date: 4 Jul 2008 20:40:02
Message: <486ec2e2$1@news.povray.org>
John VanSickle wrote:
> They were all limited to what the 6502 processor could handle,

Technically, some of them had bank-switched RAM, but I'm not counting 
that. :-)

-- 
Darren New / San Diego, CA, USA (PST)
  Helpful housekeeping hints:
   Check your feather pillows for holes
    before putting them in the washing machine.



From: Orchid XP v8
Subject: Re: Paraniod
Date: 5 Jul 2008 03:36:50
Message: <486f2492$1@news.povray.org>
>> Depends. If the key algorithm is still as weak, the cipher makes no 
>> difference.
> 
> Yes. But AFAIK the key algorithm on AES-encrypted ZIPs is improved. At 
> least what I've heard it's a PITA to crack open (haven't tried myself - 
> never had any need).

Unable to verify. If they changed the key algorithm then yes, otherwise 
no. ;-)

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*



From: Jim Henderson
Subject: Re: Paraniod
Date: 5 Jul 2008 15:01:35
Message: <486fc50f@news.povray.org>
On Fri, 04 Jul 2008 22:07:48 +0200, andrel wrote:

> Jim Henderson wrote:
>> On Fri, 04 Jul 2008 14:21:48 +0200, scott wrote:
>> 
>>>>> Especially when some stupid system forces you to change it every
>>>>> month.
>>>> ...and this is bad because...?
>>> You try coming up with a different strong password every month, *and*
>>> remembering it without writing it down.  I doubt I'm the only user of
>>> this system who needs to write the password somewhere.  I wonder if
>>> security would actually be improved by removing the 1 month expiry.
>> 
>> There have been studies done that suggest that changes that are too
>> frequent reduce security for just this reason.
>> 
> Do you have a pointer?

Let me see if I can find it....The study I recall was from about 6 years 
ago.

http://www.rsa.com/blog/blog_entry.aspx?id=1286 is a more recent blog 
entry on the topic; it's not the study I was thinking of (since it's 
dated this year), but it explains the essence of what I recall from the 
study in question.

Jim



From: Jim Henderson
Subject: Re: Paraniod
Date: 5 Jul 2008 15:04:00
Message: <486fc5a0$1@news.povray.org>
On Fri, 04 Jul 2008 18:24:26 +0300, Eero Ahonen wrote:

> Jim Henderson wrote:
>> On Fri, 04 Jul 2008 12:06:01 +0100, Invisible wrote:
>> 
>>> Worrying fact: 50% of the population has below-average intelligence.
>>> (!!!)
> 
> So... If we have 4 men, with intelligences 1, 8, 9 and 9, the average is
> (1+8+9+9)/4=6,75, so 75% of men are more intelligent than average person
> (who, if he existed, would be over 6 times as intelligent as the dumbest
> one).

I think you just broke my brain. ;-)

>> LOL, but mathematically sound.  More worrying is the 80% who think
>> they're above average drivers.
> 
> Measuring a best driver is very relative. 

Absolutely; that's kinda the point of that old joke. :-)

> My opinion is that there's a
> triangle, having endpoints of speed, economy and safety. If the car
> won't move, you're safe and economic, but you're not getting anywhere.
> If you'll take a risk, you'll lose safety and economy and gain speed.
> And i.e. when overtaking someone increasing speed might gain you safety,
> but it'll reduce the economy. So basically you can't have 100% of all
> three of them - increasing one decreases at least one other. People have
> different *opinions* of what's the best placement on this map, i.e. what
> combination of the three they are heading for, so it's very easy to
> think that "I'm better than the average" for 80+%, since the goal is
> different. Who's the best driver for some (good speed, high safety,
> average economy for example) is the worst driver for some (who would
> prefer great economy, average safety and average speed).

That's an interesting perspective - I like the way you're thinking here.

> In my opinion, five nines of safety (99,999%), average economy and
> good/stable speed is the best spot to go for. But that's my *opinion*,
> not The Only Real Truth.

I would go with that as well.

Jim



From: Jim Henderson
Subject: Re: Paraniod
Date: 5 Jul 2008 15:05:37
Message: <486fc601$1@news.povray.org>
On Fri, 04 Jul 2008 09:19:39 -0700, Darren New wrote:

> Jim Henderson wrote:
>> On Fri, 04 Jul 2008 12:03:55 +0100, Invisible wrote:
>> 
>>>>> a kernel-level debugger can see every octet of data in the machine's
>>>>> main RAM and swap file.
>>>> Hmmm, so you've reversed your opinion on whether or not a memory dump
>>>> is useful? ;-) <scnr>
>>> Useful for trying to grab somebody's credit card number? Absolutely!
>> 
>> And how exactly do you propose to do that?
> 
> It's pretty trivial, really.  Scan thru memory looking for 16 digits
> that match the LUHN 10 algorithm. That's what CardShark (FV's sample
> "encryption isn't good enough" program) did, in essence.

I was hoping Andy would answer the question, because I was attempting to 
make a point about kernel debugging. :-(

Jim
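
Added example, not part of the thread: the Luhn test Darren describes is also what a defender uses to find card numbers that have leaked into logs or dumps and mask them. The regex, function names and sample log lines below are constructed for illustration.

```python
import re

# Candidate card numbers: 16 digits, optionally grouped in fours by space or hyphen.
CANDIDATE = re.compile(rb"(?<!\d)\d{4}(?:[ -]?\d{4}){3}(?!\d)")

def luhn_ok(digits: bytes) -> bool:
    """Luhn mod-10 check: double every second digit, counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48  # ASCII '0'
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def redact_pans(buf: bytes):
    """Mask every Luhn-valid 16-digit run, keeping only the last four digits.

    Returns (redacted_buffer, number_of_hits). Runs that fail the Luhn check
    (order ids, trace ids, mistyped numbers) are left untouched.
    """
    hits = 0

    def mask(m):
        nonlocal hits
        digits = re.sub(rb"[ -]", b"", m.group())
        if not luhn_ok(digits):
            return m.group()
        hits += 1
        return b"*" * 12 + digits[-4:]

    return CANDIDATE.sub(mask, buf), hits

# Constructed sample: two well-known test card numbers, one Luhn-invalid
# number, and a 16-digit trace id that is not a card number at all.
SAMPLE = (
    b"order=1001 card=4111111111111111 status=ok\n"
    b"order=1002 card=4111-1111-1111-1112 status=declined\n"
    b"trace_id=1234567890123456 latency_ms=12\n"
    b"order=1003 card=5555 5555 5555 4444 status=ok\n"
)

if __name__ == "__main__":
    redacted, count = redact_pans(SAMPLE)
    print(count, "card numbers masked")
    print(redacted.decode())
```
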



From: Jim Henderson
Subject: Re: Paraniod
Date: 5 Jul 2008 15:08:37
Message: <486fc6b5$1@news.povray.org>
On Fri, 04 Jul 2008 09:24:49 -0700, Darren New wrote:

> Jim Henderson wrote:
>> If the built-in encryption keys off the login password only (i.e., the
>> login password just unlocks the encryption key), then as an admin, you
>> just have to change the user's password.
> 
> If you change the password without knowing the old password, you can't
> decrypt the private key that encrypts the shared secret.  So, basically,
> you lose access to the encrypted files.

That's good to know - I know this can be implemented a number of 
different ways, and not being a Windows user, I wasn't sure which method 
was used.

>>> Or just zip things up with a password.
>> 
>> That's a pain to use, though
> 
> Plus it's trivially easy to crack. Even long passwords hash down to 8
> characters or something. There are plenty of free programs that'll crack
> a zip archive in a matter of minutes or hours just with brute force.

True also.  I tried a few of those, though, on the zip file of my old 
source code (wouldn't you know, one of my coworkers needed to get at my 
code over the summer - this was in college - and when he couldn't figure 
out the password, he got pissed and nuked the program that had the 
mechanism for generating the password.  The only other copy of the code 
was *in the zip file*, of course, encrypted with the password in 
question).

Jim
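
Added example, not part of the thread: a simplified model of the behaviour Darren describes, where a file key is wrapped under a key derived from the login password, so a reset made without the old password leaves the wrapped key unreadable. It collapses the password, private key and shared secret chain into one step and is not how Windows implements it; all names and passwords are constructed.

```python
import hashlib
import hmac
import os

def derive_keys(password: str, salt: bytes) -> bytes:
    # 64 bytes of PBKDF2 output: first 32 mask the file key, last 32 key the tag.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)

def wrap_key(file_key: bytes, password: str) -> dict:
    """Wrap a 32-byte file key under keys derived from the login password."""
    if len(file_key) != 32:
        raise ValueError("file key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt per wrap, so the mask is never reused
    k = derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(file_key, k[:32]))
    tag = hmac.new(k[32:], ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unwrap_key(blob: dict, password: str) -> bytes:
    k = derive_keys(password, blob["salt"])
    expected = hmac.new(k[32:], blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("password does not unwrap this key")
    return bytes(a ^ b for a, b in zip(blob["ct"], k[:32]))

def user_change_password(blob: dict, old: str, new: str) -> dict:
    """Normal change: the old password unwraps the key, the new one rewraps it."""
    return wrap_key(unwrap_key(blob, old), new)

def can_unlock(blob: dict, password: str) -> bool:
    try:
        unwrap_key(blob, password)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    file_key = os.urandom(32)
    blob = wrap_key(file_key, "old-login-pw")  # constructed passwords
    rewrapped = user_change_password(blob, "old-login-pw", "new-login-pw")
    print("user change :", unwrap_key(rewrapped, "new-login-pw") == file_key)
    # Admin reset: the account password changes, but nobody could rewrap the blob.
    print("admin reset :", can_unlock(blob, "admin-set-pw"))
```
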



From: Jim Henderson
Subject: Re: Paraniod
Date: 5 Jul 2008 15:10:04
Message: <486fc70c$1@news.povray.org>
On Fri, 04 Jul 2008 17:53:07 +0200, Gail Shaw wrote:

> "Jim Henderson" <nos### [at] nospamcom> wrote in message
> news:486deaf7$1@news.povray.org...
>> On Fri, 04 Jul 2008 09:03:49 +0100, Invisible wrote:
>>
>> > Er... like, WTF?
>>
>> That said, there are ways, for example, to prevent a sysadmin from
>> seeing files in a filesystem.
> 
> And there are ways (at least in SQL Server) to keep the windows
> sysadmins out of a database, however you can't stop them shutting down
> the service and taking the data files or changing the passwords of the
> accounts that do have sysadmin rights.

Yep.  That's the thing that really makes me chuckle, too.  Then there's 
auditing systems that have to be enabled by the administrator.

> We've done that as a standard across the organisation, along with
> ensuring that the database administrators don't have administrative
> rights to the OS.

Yeah, that would help somewhat.

Jim



From: Jim Henderson
Subject: Re: Paraniod
Date: 5 Jul 2008 15:13:38
Message: <486fc7e2$1@news.povray.org>
On Fri, 04 Jul 2008 18:00:47 +0300, Eero Ahonen wrote:

> On a sysadmin job (or janitor, or any other really important
> caretaker-job) there exists that little something called "work ethics".

Exactly.  I think that's why I get so angry about unethical behaviour in 
other jobs (and particularly in politics); if I behaved unethically in the 
ways some of these other professions seem to allow, I'd be out of not 
only a job, but a career.

But it's perfectly acceptable, for example, for the co-chair of a 
committee for election for a particular candidate within a state to 
*also* be the person to certify a vote in that same state.  That's just 
mind-blowing to me.

Yet at the same time, one of my employers' ethics policies wouldn't let 
me update a book I wrote because the book would compete with the class I 
was teaching - and doing so, I would have been fired.  I also know of 
situations where a conflict of interest existed like that in a private 
sector job, and the person *was* fired.

Jim



From: Jim Henderson
Subject: Re: Paraniod
Date: 5 Jul 2008 15:14:29
Message: <486fc815$1@news.povray.org>
On Fri, 04 Jul 2008 19:02:44 -0400, John VanSickle wrote:

> Jim Henderson wrote:
>> On Thu, 03 Jul 2008 09:43:47 -0700, Darren New wrote:
>> 
>>> You can't even buy a hard drive that won't hold five Commodore Pet
>>> computers worth of memory for every *bit* of memory a Commodore Pet
>>> could address.
>> 
>> I'm trying to remember - what was the addressable space for the Pet?
>> There were so many models, but the address space was the same on all of
>> them IIRC.
> 
> They were all limited to what the 6502 processor could handle, which was
> as has been said by others here.  Early Pets had only 8K of RAM
> installed, but some machines were bulked out to 32K.  To think that
> those things retailed for $1k in 1979 dollars...

Yep, but the 8K PETs were a luxury; the elementary school I went to had 
2K PETs.

Jim



From: Tor Olav Kristensen
Subject: Re: Paraniod
Date: 5 Jul 2008 17:01:11
Message: <486fe117$1@news.povray.org>
Invisible wrote:
...
> Now all the sysadmin needs to do is install a keylogger... 
> oh, wait... ;-)
> 
> Anything you can do, the sysadmin can undo. He controls the machine 
> you're using. You can't win.
...

I think you can.

Just boot an OS from a medium that he does not control.
E.g. Knoppix from a CD or a memory stick.

Thereafter there are many ways to store information encrypted
on network drives.

And the keys do not have to be visible to the network server.
(Small memory sticks or smart cards are good places to store
the keys.)

-- 
Tor Olav
http://subcube.com




Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.