Forum hacked

Re: [EXTERNAL] Forum hacked

Owen Densmore
Administrator
Ray, you'd have a far better take on passwords, and security of all sorts than most of us, love your input on this.

So here's an observation: 
Passwords are Dead.  Just move along and we'll come back with a better solution after the commercial.

Why?
1 - To be secure, you depend on the ISP to be secure. That's OK, but does fail often.

2 - Apparently length of passwords is the high order bit for crackability. We humans dislike typing 20 character passwords, especially on our phones, and it's extremely likely to be mistyped at least once; probability of a typo goes up with each keystroke.

3 - We are also instructed to have a different password for each login.  Humans simply cannot do that, they are limited.  Thus they resort to a formula like two phrases with a 3-4 character difference in the middle, with some significance like "azn" or "books" for amazon.

4 - Most ISPs have their own rules for passwords, and likely any formula will fail on a percentage of them.  Thus a formula will only work part of the time.  Maybe there is a subset that most ISPs accept?  I found UNM, and my bank, for example, failed to accept a formula I tried.

5 - This leads to keepass, 1password etc to remember all your passwords for you.  Silly, but still appears reasonable.  But they typically fail in certain situations.  Ex: they are designed for browser use so are plugins/bookmarklets.  But what if you have a phone "app".  Won't work.  So you have to do stupid tricks to go to the pw app and cut/paste.

6 - The latest trend to improve this is two-fold: 
    6.1: Reduce number of logins: Use OAuth to have just a few accounts that are very secure.  As soon as twitter, google, facebook, moz, yahoo, ... and the rest of the "standard ISPs" all have OAuth (or equivalent), and are used by the vast majority of the other sites (forums, stores, ..) we have reduced the complexity of the user.  Probably will work with all non-creditcard sites.
    6.2: 2-factor: How to make it more secure?  So far 2-factor works out pretty well.  It would require a standard pin generator; google's is pretty effective.  Have to do this to reduce the pile of silly physical pin generators.

I'm not sure this will work, it's too complicated for most people.  We might be able to have a single pin dongle for 2-factor, could help.  Thus far 2-factor for me has been the best, and I use that account via OAuth for all the forums, mail lists etc that accept that.  Even stores as long as they don't keep the credit card info.

The fallback is a password keeper as mentioned above.  But do you really want it to keep all your passwords?  You're dead without it (travel etc) and it simply doesn't work in all situations (apps vs browser) and it's a bit creepy to depend on a computer program for all your security.

Sigh.

   -- Owen

On Mon, Nov 18, 2013 at 5:16 PM, Parks, Raymond <[hidden email]> wrote:
The addition of a salt to a password makes rainbow tables much less effective because it makes the table space larger, even trading off chain length for convergence.  However, rainbow tables are no longer the thing - with multi-GPU setups, password crackers just brute force passwords.  Basically, the sequence is:

1. Using a large (20 million word) multiple language (but standard ASCII) dictionary derived from text sources across the WWW, hash the words in that dictionary with variants (leet-speak, other substitutions, plurals, added numbers, 8 for "ate", et cetera), and compare the outputs to the captured password file.  Salt is basically a variant that can be accounted for - extra random characters.

2.  If some passwords are of the type you dislike, then those can be brute-forced almost as fast as rainbow tables can be calculated.  Salt is irrelevant in this process, other than making the effective number of bytes longer.

In the Ars articles, Step 1 seems to get as much as 90% of self-chosen passwords in a matter of hours.  The practitioners in the Ars articles don't go on to Step 2, but I would expect that to take less than a week.  If the hash algorithm is captured along with the passwords, then the cracker has the advantage of knowing whether the web-site uses salt.  Operating systems, of course, are studied off-line to determine the algorithm and use of salt.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



On Nov 18, 2013, at 11:48 AM, cody dooderson wrote:

I find passwords really hard to remember. Especially those sites that require numbers, symbols, uppercase, and lower case characters. I personally would rather use a 20 character all lowercase password than an 8 character mixed symbol password. As a result I keep a document, in the cloud, with all of my passwords stored in plain text. Many of these passwords I could care less if someone cracked.
Also, I was under the impression that salting prevents the use of rainbow tables.

Cody Smith


On Mon, Nov 18, 2013 at 11:28 AM, Parks, Raymond <[hidden email]> wrote:
WRT password cracking - Dan Goodin has a good series of articles on password cracking at Ars Technica.


TL;DR - Current GPU-based password cracking using 20-million word dictionaries makes truly random passwords below 14 characters and nearly all pass-phrases susceptible to cracking in a relatively short time.

On a related subject, roughly 75% of websites store passwords as nothing more complicated than simple, unsalted MD5 hashes.  This is almost as easy to break as NTLM.

Salt makes the initial crack more difficult, but if the same salt is used for all hashes, then subsequent cracks ignore it.

WRT the use of PII - it's sold on various markets, correlated in a "big data" manner with other exposures, and, if enough information is available and the person's credit score is high enough, is used for credit attacks.  In some cases, if banking information is correlated, the collection is used for banking attacks.  If there is poor correlation but an email or FQDN is in the information, then the data may be used as a target list.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



On Nov 18, 2013, at 10:12 AM, Owen Densmore wrote:

A forum I belong to has been hacked, including personal info as well as passwords.

How do they use this information?

I presume they try the hash function on all combinations of possible passwords.  (Naturally optimized for faster convergence).  They see a match, i.e. a letter combination resulting in the given hash of the password.

If they crack one password, does that make cracking the rest any easier?

And does "salt" simply increase the difficulty, and indeed can it be deduced, as above, by cracking a single password?

.. or is it all quite different from this!

   -- Owen


============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
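Ray's point about salt in the quoted message above (a single site-wide salt behaves like no salt once it is known, and only a per-user salt forces per-user work) and Owen's question about whether cracking one password helps with the rest, illustrated by an added Python example that is not part of this thread. The user records and the site-wide salt are constructed for the illustration; the three storage functions are hypothetical stand-ins for the schemes the thread describes (plain MD5, MD5 with one shared salt, PBKDF2 with a per-user random salt). The `keyspace_bits` helper at the end quantifies Cody's and Steve's length-versus-alphabet remark. The code only compares how each scheme exposes equal passwords and how many hash evaluations a candidate list would cost against a table stored under it.

```python
"""Why per-user salt matters: added example, not code from the thread.

Every account and salt value below is constructed for illustration.
"""
import hashlib
import hmac
import math
import os
from typing import Callable, Dict, Optional

# Constructed sample accounts. Two users deliberately share a password so
# the duplicate-hash leakage of unsalted storage is visible.
SAMPLE_USERS = {
    "alice": "sunshine1",
    "bob": "sunshine1",
    "carol": "correct horse battery",
}

# A fixed site-wide salt: the "same salt for all hashes" case Ray mentions.
GLOBAL_SALT = b"constructed-site-wide-salt"


def unsalted_md5(password: str) -> str:
    """The scheme Ray says ~75% of sites used: plain MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def global_salt_md5(password: str) -> str:
    """One salt shared by every record. Once the salt is known (captured with
    the hashes, or inferred from the first crack) the table behaves like an
    unsalted one: equal passwords still give equal hashes."""
    return hashlib.md5(GLOBAL_SALT + password.encode()).hexdigest()


def per_user_pbkdf2(password: str, salt: Optional[bytes] = None,
                    iterations: int = 200_000) -> Dict[str, object]:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    The salt and iteration count are stored beside the hash; neither is secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_per_user(password: str, record: Dict[str, object]) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def build_table(scheme: Callable[[str], object], users: Dict[str, str]) -> Dict[str, object]:
    """Apply one storage scheme to every sample user."""
    return {name: scheme(pw) for name, pw in users.items()}


def duplicate_hash_groups(table: Dict[str, object]) -> Dict[str, list]:
    """Hashes shared by more than one user. Under unsalted or global-salt
    storage, equal passwords give equal hashes, so recovering one account's
    password recovers every account in its group. Per-user salt makes the
    groups disappear even when the passwords are identical."""
    groups: Dict[str, list] = {}
    for name, value in table.items():
        key = value["hash"] if isinstance(value, dict) else value
        groups.setdefault(key, []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def guesses_to_cover_table(n_candidates: int, n_users: int, per_user_salt: bool) -> int:
    """Hash evaluations needed to test n_candidates against every user.
    Without per-user salt, one evaluation per candidate serves the whole
    table; with it, every candidate must be rehashed under each user's salt."""
    return n_candidates * n_users if per_user_salt else n_candidates


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of alphabet_size ** length: the brute-force search space in bits.
    Length dominates: 20 lowercase letters outweigh 8 printable-ASCII characters."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for label, scheme in [("unsalted md5", unsalted_md5),
                          ("global-salt md5", global_salt_md5),
                          ("per-user pbkdf2", per_user_pbkdf2)]:
        print(f"{label:16s} shared hashes: {duplicate_hash_groups(build_table(scheme, SAMPLE_USERS))}")
    print("20M candidates x 10,000 users, no per-user salt:",
          guesses_to_cover_table(20_000_000, 10_000, False))
    print("20M candidates x 10,000 users, per-user salt:   ",
          guesses_to_cover_table(20_000_000, 10_000, True))
    print(f"26^20 = {keyspace_bits(26, 20):.1f} bits, 95^8 = {keyspace_bits(95, 8):.1f} bits")
```

Running it shows alice and bob collapsing into one shared hash under both MD5 variants and into two unrelated records under per-user PBKDF2, and the candidate-list cost multiplying by the number of users once each record carries its own salt; the slow KDF then multiplies that again per evaluation.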
Re: [EXTERNAL] Forum hacked

Owen Densmore
Administrator
As a quick followup:
- I use 1password.  Why?  To collect a list of my logins.  Most of us do not know half of the logins we have!  This lets me at least spend an afternoon updating all my passwords if I want to.  1P seems OK and works well in my ecology.

- I use 2-factor with google and their app.  And if a site lets me login w/ OAuth, I try to use google.  A few more ISPs are using 2-factor and if they are easy to use, I may try them too.  Main issue is pin; most sms it to you but dongles abound and I think I'll avoid them.

- Where possible I use pub/priv key crypto.  My hosting service.  My home computers, servers and NAS, ssh sites.  I wish I could use it on my router, router attacks are on the rise.

   -- Owen


Re: [EXTERNAL] Forum hacked

cody dooderson
Now that you mention it I do see a peacock almost every time I go through Nambe.

Cody Smith


Re: [EXTERNAL] Forum hacked

Steve Smith
In reply to this post by Owen Densmore
Owen -

Good observations...

> Why?
> 1 - To be secure, you depend on the ISP to be secure. That's OK, but does fail often.
Do you mean the server(s) and intranet of the service being used?  Or do you mean your (and their) first-mile provider?  If you mean the former, any service is only as secure as the one you are entrusting to provide it.

> 2 - Apparently length of passwords is the high order bit for crackability. We humans dislike typing 20 character passwords, especially on our phones, and it's extremely likely to be mistyped at least once; probability of a typo goes up with each keystroke.
Complexity order M^N goes up faster than N^M for increasing N (the length of the string matters more than the size of the alphabet for brute-force).  I find long passwords just fine if I have a keyboard.  Admittedly, my mental password generator is mnemonic, but not particularly dictionary-worthy.

> 3 - We are also instructed to have a different password for each login.  Humans simply cannot do that, they are limited.  Thus they resort to a formula like two phrases with a 3-4 character difference in the middle, with some significance like "azn" or "books" for amazon.
Significance can be metaphorical or appositional too.   In my own case, I apply rood concepts (with mangled spelling) to avoid the temptation to *ever* share my password or allow it to be stored in clear text..  they are just appalling.   I suspect someone has done a study on how much complexity using idiosyncratic phonetic spelling variations expands the dictionary.  I suppose it does nothing for rainbow table and brute-force attacks.  It also gives me a little bit of satisfaction each time I diss Jeff Bezos, Steve Jobs, Bill Gates in street argot not even likely to be found on the internet.

> 4 - Most ISPs have their own rules for passwords, and likely any formula will fail on a percentage of them.  Thus a formula will only work part of the time.  Maybe there is a subset that most ISPs accept?  I found UNM, and my bank, for example, failed to accept a formula I tried.
I have backup (back-down) plans for overly restrictive systems...  especially those that don't like special characters or caps..

> 5 - This leads to keepass, 1password etc to remember all your passwords for you.  Silly, but still appears reasonable.  But they typically fail in certain situations.  Ex: they are designed for browser use so are plugins/bookmarklets.  But what if you have a phone "app".  Won't work.  So you have to do stupid tricks to go to the pw app and cut/paste.
Yes, clumsy.

> 6 - The latest trend to improve this is two-fold: 
>     6.1: Reduce number of logins: Use OAuth to have just a few accounts that are very secure.  As soon as twitter, google, facebook, moz, yahoo, ... and the rest of the "standard ISPs" all have OAuth (or equivalent), and are used by the vast majority of the other sites (forums, stores, ..) we have reduced the complexity of the user.  Probably will work with all non-creditcard sites.
I like the convenience but don't like having my eggs in a single basket.  I'm giving over to it for "trivial" services... for example, AutoCad's 123d products let me defer to Google Login.  Yes, this lets the NSA right into my business (where they surely already are anyway) and anyone *else* who can hack Google.  I trust Google more than Facebook for this.   But I'm not inclined to do this with my Bank, with Amazon, etc.

>     6.2: 2-factor: How to make it more secure?  So far 2-factor works out pretty well.  It would require a standard pin generator; google's is pretty effective.  Have to do this to reduce the pile of silly physical pin generators.
Two-factor also implies two of:  "who you are", "what you have", "what you know".   So, an ATM card and a PIN or a retinal scan and a PIN are better than a password and a PIN.

> I'm not sure this will work, it's too complicated for most people.  We might be able to have a single pin dongle for 2-factor, could help.  Thus far 2-factor for me has been the best, and I use that account via OAuth for all the forums, mail lists etc that accept that.  Even stores as long as they don't keep the credit card info.
LANL (and all of DOE/DOD?) has been using clock-synced CryptoCards for a long time (15 years?)... Ray may know more of their potential vulnerabilities but for a single two-factor authentication, I think they are as good as it gets still?

> The fallback is a password keeper as mentioned above.  But do you really want it to keep all your passwords?  You're dead without it (travel etc) and it simply doesn't work in all situations (apps vs browser) and it's a bit creepy to depend on a computer program for all your security.
I've always felt terribly vulnerable (especially international travel) knowing that I was "dead" (in the water) without my ID.   And by extension, my wallet.  Thus all the shenaniganry of keeping photocopies of everything in a separate place from your wallet, etc.

My last trip to europe, I photographed everything with my iPhone (including my reservations, itineraries, passport, driver's license, credit cards (front only, memorizing my security code)), mostly out of convenience (so, at a glance I could get certain info without rummaging, etc.). Unfortunately it would have been a rich storehouse (the only things missing from it were things committed to memory like Soc Sec, Mother's Maiden, PINs, passphrases/passwords) for identity thieves.  I also managed to (temporarily) disable my phone by dropping it into a 1" deep cup of icewater (don't ask) which completely bolloxed an important plan for the next morning.  Fortunately the water *only* interfered with the backlight (took me a while to figure that out) and when it dried 12 hours later, came back to normal, but made me aware of how dependent I was on that single device (in this case google map directions/address and a phone number of a contact).

> Sigh.
I felt *very* uncomfortable leaving my passport with people (hotels, etc.) who used it as a simple "surety" measure.

We haven't really *solved* the problem of identity en Verite yet, why do we think we can solve it en Virtu?

Sigh,
 - Steve
PS.. it is worth noting that a great deal of the mechanisms of molecular biology (especially virology) have a lot in common with this problem... self-vs-other and defeat mechanisms using massively parallel attacks.


Re: [EXTERNAL] Re: Forum hacked

Parks, Raymond
In reply to this post by Steve Smith
Naah, we're just an hour and a half closer to the airport.  We still have folks tell us they can't work with us because we don't sit side by side with them back East.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



On Nov 19, 2013, at 9:47 AM, Steve Smith wrote:

Ray -
  I've used an example of that on a Cabinet-level exec only to find that the connection I thought existed was actually negative - the target disliked the person from whom I thought they would accept email.
I always wondered how SNL folks managed to get such better insider contacts in the Gov't than LANL ;^)

Now we know the truth! 

- Steve

Re: [EXTERNAL] Forum hacked

Steve Smith
In reply to this post by cody dooderson

> Now that you mention it I do see a peacock almost every time I go
> through Nambe.
>
> Cody Smith
It's the same one, and he's got his eye on YOU!  Peacocks are almost as
creepy as clowns.  Remember that next time you go through Nambe.

Stop in and visit Doug... but lock your doors... that Peacock may let
himself into your back seat!  And don't stop for clown-hitchhikers
either.  They are everywhere once you are attuned to seeing them!


Re: [EXTERNAL] Forum hacked

Joshua Thorp
In reply to this post by Owen Densmore
This is an interesting if dense approach to doing away with the password:


a little more high level: http://www.sqrl.pl/


Basically use an app on your phone or desktop to confirm your unique identity using a cryptographic signature.  One click login…  No passwords (except to access the authentication app… :P ) 

One interesting thing to note about the implementation: they define a new link scheme, sqrl://, that then gets registered for the authentication app…  Interesting approach to define a custom scheme/register an app to handle it, which could be taken advantage of in a lot of situations.

—joshua


On Nov 19, 2013, at 10:51 AM, Owen Densmore <[hidden email]> wrote:

As a quick followup:
- I use 1password.  Why?  To collect a list of my logins.  Most of us do not know half of the logins we have!  This lets me at least spend an afternoon updating all my passwords if I want to.  1P seems OK and works well in my ecology.

- I use 2-factor with google and their app.  And if a site lets me login w/ OAuth, I try to use google.  A few more ISPs are using 2-factor and if they are easy to use, I may try them too.  Main issue is pin; most sms it to you but dongles abound and I think I'll avoid them.

- Where possible I use pub/priv key crypto.  My hosting service.  My home computers, servers and NAS, ssh sites.  I wish I could use it on my router, router attacks are on the rise.

   -- Owen


On Tue, Nov 19, 2013 at 10:21 AM, Owen Densmore <[hidden email]> wrote:
Ray, you'd have a far better take on passwords, and security of all sorts than most of us, love your input on this.

So here's an observation: 
Passwords are Dead.  Just move along and we'll come back with a better solution after the commercial.

Why?
1 - To be secure, you depend on the ISP to be secure. That's OK, but does fail often.

2 - Apparently length of passwords is the high order bit for crackability. We humans dislike typing 20 character passwords, especially on our phones, and it's extremely likely to be mistyped at least once; probability of a typo goes up with each keystroke.

3 - We are also instructed to have a different password for each login.  Humans simply cannot do that, they are limited.  Thus they resort to a formula like two phrases with a 3-4 character difference in the middle, with some significance like "azn" or "books" for amazon.

4 - Most ISPs have their own rules for passwords, and likely any formula will fail on a percentage of them.  Thus a formula will only work part of the time.  Maybe there is a subset that most ISPs accept?  I found UNM, and my bank, for example, failed to accept a formula I tried.

5 - This leads to keepass, 1password etc to remember all your passwords for you.  Silly, but still appears reasonable.  But they typically fail in certain situations.  Ex: they are designed for browser use so are plugins/bookmarklets.  But what if you have a phone "app".  Won't work.  So you have to do stupid tricks to go to the pw app and cut/paste.

6 - The latest trend to improve this is two-fold: 
    6.1: Reduce number of logins: Use OAuth to have just a few accounts that are very secure.  As soon as twitter, google, facebook, moz, yahoo, ... and the rest of the "standard ISPs" all have OAuth (or equivalent), and are used by the vast majority of the other sites (forums, stores, ..) we have reduced the complexity of the user.  Probably will work with all non-creditcard sites.
    6.2: 2-factor: How to make it more secure?  So far 2-factor works out pretty well.  It would require a standard pin generator; google's is pretty effective.  Have to do this to reduce the pile of silly physical pin generators.

I'm not sure this will work, it's too complicated for most people.  We might be able to have a single pin dongle for 2-factor, could help.  Thus far 2-factor for me has been the best, and I use that account via OAuth for all the forums, mail lists etc that accept that.  Even stores as long as they don't keep the credit card info.

The fallback is a password keeper as mentioned above.  But do you really want it to keep all your passwords?  You're dead without it (travel etc) and it simply doesn't work in all situations (apps vs browser) and it's a bit creepy to depend on a computer program for all your security.

Sigh.

   -- Owen

On Mon, Nov 18, 2013 at 5:16 PM, Parks, Raymond <[hidden email]> wrote:
The addition of a salt to a password makes rainbow tables much less effective because it makes the table space larger, even trading off chain length for convergence.  However, rainbow tables are no longer the thing - with multi-GPU setups, password crackers just brute force passwords.  Basically, the sequence is:

1. Using a large (20 million word) multiple language (but standard ASCII) dictionary derived from text sources across the WWW, hash the words in that dictionary with variants (leet-speak, other substitutions, plurals, added numbers, 8 for "ate", et cetera), and compare the outputs to the captured password file.  Salt is basically a variant that can be accounted for - extra random characters.

2.  If some passwords are of the type you dislike, then those can be brute-forced almost as fast as rainbow tables can be calculated.  Salt is irrelevant in this process, other than making the effective number of bytes longer.

In the Ars articles, Step 1 seems to get as much as 90% of self-chosen passwords in a matter of hours.  The practitioners in the Ars articles don't go on to Step 2, but I would expect that to take less than a week.  If the hash algorithm is captured along with the passwords, then the cracker has the advantage of knowing whether the web-site uses salt.  Operating systems, of course, are studied off-line to determine the algorithm and use of salt.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



On Nov 18, 2013, at 11:48 AM, cody dooderson wrote:

I find passwords really hard to remember. Especially those sites that require numbers, symbols, uppercase, and lower case characters. I personally would rather use a 20 character all lowercase password than an 8 character mixed symbol password. As a result I keep a document, in the cloud, with all of my passwords stored in plain text. Many of these passwords I could care less if someone cracked. 
Also, I was under the impression that salting prevents the use of rainbow tables.

Cody Smith


On Mon, Nov 18, 2013 at 11:28 AM, Parks, Raymond <[hidden email]> wrote:
WRT password cracking - Dan Goodin has a good series of articles on password cracking at Ars Technica.


TL;DR - Current GPU-based password cracking using 20-million word dictionaries makes truly random passwords below 14 characters and nearly all pass-phrases susceptible to cracking in a relatively short time.

On a related subject, roughly 75% of websites store passwords as nothing more complicated than simple, unsalted MD5 hashes.  This is almost as easy to break as NTLM.

Salt makes the initial crack more difficult, but if the same salt is used for all hashes, then subsequent cracks ignore it.

WRT the use of PII - it's sold on various markets, correlated in a "big data" manner with other exposures, and, if enough information is available and the person's credit score is high enough, is used for credit attacks.  In some cases, if banking information is correlated, the collection is used for banking attacks.  If there is poor correlation but an email or FQDN is in the information, then the data may be used as a target list.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



On Nov 18, 2013, at 10:12 AM, Owen Densmore wrote:

A forum I belong to has been hacked, including personal info as well as passwords.

How do they use this information?

I presume they try the hash function on all combinations of possible passwords.  (Naturally optimized for faster convergence).  They see a match, i.e. a letter combination resulting in the given hash of the password.

If they crack one password, does that make cracking the rest any easier?

And does "salt" simply increase the difficulty, and indeed can it be deduced, as above, by cracking a single password?

.. or is it all quite different from this!

   -- Owen


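Joshua's description above (a phone or desktop app proves who you are with a cryptographic signature, triggered by a custom sqrl:// link), as an added example that is not part of the original post and is not SQRL's real protocol: a simplified Go sketch in the same spirit. The client keeps one random master secret, derives a separate Ed25519 keypair per site as HMAC-SHA256(master, domain), and signs the challenge URL the site hands it; the site keeps nothing but public keys and a set of unconsumed single-use nonces. The domain names forum.example and store.example, the username, the login path and the use of "nut" as the nonce parameter name are assumptions made for the illustration.

```go
// Added illustration for this thread, not SQRL's code nor anything posted here.
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Client holds one master secret; every site gets its own keypair derived from it.
// (A real app would keep this secret encrypted under a local password or PIN.)
type Client struct{ master []byte }

func NewClient() (*Client, error) {
	m := make([]byte, 32)
	if _, err := rand.Read(m); err != nil {
		return nil, err
	}
	return &Client{master: m}, nil
}

// SiteKey derives a deterministic Ed25519 keypair for one domain. HMAC-SHA256 output
// is 32 bytes, exactly an Ed25519 seed, so one master secret always yields the same
// key for a site and unrelated keys for different sites.
func (c *Client) SiteKey(domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, c.master)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil))
	return priv.Public().(ed25519.PublicKey), priv
}

// Answer signs a challenge URL with the key for the domain named in that URL.
func (c *Client) Answer(challenge string) (ed25519.PublicKey, []byte, error) {
	rest := strings.TrimPrefix(challenge, "sqrl://")
	if rest == challenge {
		return nil, nil, fmt.Errorf("not an sqrl:// challenge: %q", challenge)
	}
	pub, priv := c.SiteKey(strings.SplitN(rest, "/", 2)[0])
	return pub, ed25519.Sign(priv, []byte(challenge)), nil
}

// Server stores only public keys plus the set of outstanding single-use challenges.
type Server struct {
	domain  string
	pending map[string]bool   // challenge URL -> issued and not yet consumed
	users   map[string]string // hex(public key) -> username
}

func NewServer(domain string) *Server {
	return &Server{domain: domain, pending: map[string]bool{}, users: map[string]string{}}
}

// Enrol binds a username to the public key the client derived for this site.
func (s *Server) Enrol(username string, pub ed25519.PublicKey) {
	s.users[hex.EncodeToString(pub)] = username
}

// Challenge issues a fresh random nonce (SQRL calls it a "nut") inside an sqrl:// URL.
func (s *Server) Challenge() (string, error) {
	nut := make([]byte, 16)
	if _, err := rand.Read(nut); err != nil {
		return "", err
	}
	url := fmt.Sprintf("sqrl://%s/login?nut=%s", s.domain, hex.EncodeToString(nut))
	s.pending[url] = true
	return url, nil
}

// Login accepts a signed challenge exactly once and returns the user it maps to.
func (s *Server) Login(challenge string, pub ed25519.PublicKey, sig []byte) (string, bool) {
	if !s.pending[challenge] {
		return "", false // never issued, or already used: replay or forgery
	}
	delete(s.pending, challenge) // burn the nut before verifying, even on failure
	user, known := s.users[hex.EncodeToString(pub)]
	if !known || !ed25519.Verify(pub, []byte(challenge), sig) {
		return "", false
	}
	return user, true
}

func main() {
	client, _ := NewClient()
	forum := NewServer("forum.example")
	forumPub, _ := client.SiteKey("forum.example")
	forum.Enrol("owen", forumPub)
	url, _ := forum.Challenge()
	pub, sig, _ := client.Answer(url)
	user, ok := forum.Login(url, pub, sig)
	fmt.Println("first login:", user, ok)
	_, ok = forum.Login(url, pub, sig)
	fmt.Println("replayed login:", ok)
	storePub, _ := client.SiteKey("store.example")
	fmt.Println("same key at store.example:", pub.Equal(storePub))
}
```

Three properties are worth noticing. The server never stores a secret that a breach like the one that started this thread could leak; it holds public keys only. A challenge is accepted once, so a captured signed URL cannot be replayed. And because the domain is an input to the key derivation, the key shown to the forum is unrelated to the one shown to the store, so two sites comparing user tables cannot link the same person. What the sketch does not do is protect the master secret at rest, which is exactly the "password to access the authentication app" Joshua mentions.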
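Ray's two-step description above (a big wordlist with mangling rules first, then brute force for whatever is left) and Owen's questions about whether salt helps and whether one cracked password helps with the rest, as an added toy example that is not part of the thread: a small Go cracker run against a constructed five-user leak stored three ways, unsalted MD5, MD5 with one site-wide salt, and MD5 with a random salt per user. The usernames, passwords, five-word dictionary, rule set and the site-wide salt "s3cret" are all invented for the illustration.

```go
// Added toy example for this thread, not code from any poster; all data below is invented.
package main

import (
	"crypto/md5"
	"crypto/rand"
	"fmt"
	"strings"
)

// Constructed sample leak: crack() sees only what store() returns, never these plaintexts.
var users = []struct{ name, password string }{
	{"owen", "Password1"}, {"nick", "Password1"}, {"cody", "letmein2013"},
	{"steve", "P@ssw0rd"}, {"ray", "Tr0ub4dor&3"},
}

// Stand-in for the 20-million-word wordlist.
var dictionary = []string{"password", "letmein", "troubadour", "monkey", "dragon"}

type scheme int
const (
	unsalted    scheme = iota // md5(password)
	globalSalt                // md5(siteSalt + password), one salt for everyone
	perUserSalt               // md5(randomSalt + password), fresh salt per record
)
type record struct{ user, salt, hash string }

// store builds the password file the attacker captures, under one scheme.
func store(s scheme) []record {
	var file []record
	for _, u := range users {
		salt := ""
		switch s {
		case globalSalt:
			salt = "s3cret" // hypothetical site-wide constant
		case perUserSalt:
			b := make([]byte, 8)
			rand.Read(b)
			salt = fmt.Sprintf("%x", b)
		}
		file = append(file, record{u.name, salt, fmt.Sprintf("%x", md5.Sum([]byte(salt+u.password)))})
	}
	return file
}

// mangle applies a few hashcat-style rules to one word: capitalisation, leet
// substitutions and common suffixes, 24 candidates per word.
func mangle(word string) []string {
	leet := strings.NewReplacer("a", "@", "e", "3", "i", "1", "o", "0")
	capital := strings.ToUpper(word[:1]) + word[1:]
	var out []string
	for _, b := range []string{word, capital, leet.Replace(word), leet.Replace(capital)} {
		out = append(out, b)
		for _, suffix := range []string{"1", "123", "2013", "!", "1!"} {
			out = append(out, b+suffix)
		}
	}
	return out
}

// crack runs the dictionary-plus-rules pass and reports who fell and how many hashes
// it computed. Records sharing a salt share work: each candidate is hashed once per
// distinct salt and compared against every record that uses it.
func crack(file []record) (map[string]string, int) {
	bySalt := map[string][]record{}
	for _, r := range file {
		bySalt[r.salt] = append(bySalt[r.salt], r)
	}
	found, work := map[string]string{}, 0
	for _, word := range dictionary {
		for _, cand := range mangle(word) {
			for salt, recs := range bySalt {
				h := fmt.Sprintf("%x", md5.Sum([]byte(salt+cand)))
				work++
				for _, r := range recs {
					if r.hash == h {
						found[r.user] = cand
					}
				}
			}
		}
	}
	return found, work
}

// sameHash reports whether two users' stored hashes are identical: with a shared salt,
// equal passwords are visible before a single candidate is hashed.
func sameHash(file []record, a, b string) bool {
	h := map[string]string{}
	for _, r := range file {
		h[r.user] = r.hash
	}
	return h[a] != "" && h[a] == h[b]
}

func main() {
	for _, s := range []scheme{unsalted, globalSalt, perUserSalt} {
		file := store(s)
		found, work := crack(file)
		fmt.Printf("scheme %d: cracked %d/%d with %d hashes; owen/nick hashes equal: %v\n", s, len(found), len(file), work, sameHash(file, "owen", "nick"))
	}
}
```

Running it shows the asymmetry Ray describes. With no salt or a shared salt the attacker hashes each candidate once and compares it against every user, so 120 hashes crack four of the five accounts, and owen and nick are visibly the same password before any hashing starts. A per-user salt forces one hash per candidate per user (600 here, proportionally more for a real user table) and hides the duplicate. ray's password survives the rule pass because its substitutions are not in the rule set; that is the residue his step 2 brute-forces. Note that salt multiplies the attacker's work by the number of users, not by orders of magnitude; only a deliberately slow or memory-hard password hash (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) does that, which is the fix for the unsalted-MD5 sites Ray mentions.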

Big Science/Engineering

Steve Smith
In reply to this post by Parks, Raymond
On 11/19/13 10:57 AM, Parks, Raymond wrote:
> Naah, we're just an hour and a half closer to the airport.  We still
> have folks tell us they can't work with us because we don't sit side
> by side with them back East.
>
Yes, and a different culture in many ways...   I always respected the
differences even though sometimes it *was* very hard to "compete" with
Sandia on certain types of projects.

When LockMart was bidding on the LANL contract, I thought it would be a
bad idea to have both under the same contractor, though I'm sure it
would have made it easier to sit "side by side" back East. Little did I
know what letting Bechtel in the door would do to LANL.   I questioned
corporate stewardship of something as important as Nuclear R&D but at
least LockMart *has* a technical agenda to buffer the economic (and
therefore political) agendas.   Bechtel is proud of being completely
void of any agenda except money (and therefore everything that goes with
it).  UC had its problems but I think they were genuinely interested in
the lab mission(s).. I got a much better flavor of that when I spent a
year at LBL (while Pete Nanos was swabbing the decks at LANL with
cowboys and buttheads).

I'm proud to be out in the cold scraping up my work rather than living
inside the warm belly of the machine (beast?), but I still respect many
of the people and much of the work that comes out of said machine/beast.

Carry on!
   - Steve


Peacocks, Clowns and now Squirrels

Steve Smith
In reply to this post by Steve Smith
Just to continue the riff at Josh's expense this time.

> a little more high level: http://www.sqrl.pl/
I don't trust Squirrels any more than Zucchinis, Peacocks, and Clowns.  They not only appear in your back seat without warning but mine also like to eat the wires in my vehicles.    I think I need to start a feral cat colony and habituate them to attack Clowns.  Squirrels are already in their DNA... I don't know WHAT to do about the Zucchinis and Peacocks... maybe Doug and Nick know how to handle those.

-Steve


Re: [EXTERNAL] Big Science/Engineering

Parks, Raymond
In reply to this post by Steve Smith
When I heard that the Bechtel/UC team won the contract, I told folks that LANS would combine all the innovation and vision of Bechtel with the administrative expertise of UC.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)




Re: [EXTERNAL] Forum hacked

Barry MacKichan
In reply to this post by Owen Densmore
You have found the weakest point in programs like 1Password. In the last few weeks, though, some things have come out to ameliorate the situation.

1. Apple now has its iCloud keychain, which means for a certain class of secrets, web passwords and credit card numbers, you can have automatic pasting on OS X and iOS. The password for your keychain defaults to your logon password in OS X, but it can be changed.

2. 1Password on the Mac now has a menu-bar widget that makes the cut and paste much more convenient.

—Barry


On Nov 19, 2013, at 10:21 AM, Owen Densmore <[hidden email]> wrote:

5 - This leads to keepass, 1password etc to remember all your passwords for you.  Silly, but still appears reasonable.  But they typically fail in certain situations.  Ex: they are designed for browser use so are plugins/bookmarklets.  But what if you have a phone "app".  Won't work.  So you have to do stupid tricks to go to the pw app and cut/paste.

The fallback is a password keeper as mentioned above.  But do you really want it to keep all your passwords?  

I do. Remembering several hundred secure passwords isn’t an option.

You're dead without it (travel etc) and it simply doesn't work in all situations (apps vs browser)

My experience is that it works everywhere; the only question is how convenient is it. I think I had to write a password on a piece of paper once in the last 3 years — I don’t recall why I had to do it.

and its a bit creepy to depend on a computer program for all your security.

We wouldn’t have to if the hackers didn’t have computers.


Re: [EXTERNAL] Big Science/Engineering

Steve Smith
In reply to this post by Parks, Raymond
On 11/19/13 11:19 AM, Parks, Raymond wrote:
> When I heard that the Bechtel/UC team won the contract, I told folks
> that LANS would combine all the innovation and vision of Bechtel with
> the administrative expertise of UC.
So far so good!   LANL has such a checkered (sad and wonderful) past...  
it has a future, but I fear it may be a mostly grey one.

Ahead of the horrors of nanotechnology, Bechtel has already turned LANL
to grey goo.


Re: [EXTERNAL] Re: Forum hacked

Parks, Raymond
In reply to this post by Steve Smith
A similar flock has been free-ranging the Albuquerque valley area near Broadway and Montano.  Some friends of mine whose property is roamed got married some years ago and they had a wedding dinner featuring roast peacock. It's a little greasy, like duck, and tastes somewhere between duck and goose.

When I first moved into Corrales, there were several flocks of guinea hens that migrated north-south twice-daily across the generally east-west properties.  Those were the remnant of a flock released when a local farmer failed to make any money raising them.

I would expect that there has not been sufficient time for real genetic variations to develop in any of these isolated communities.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



On Nov 19, 2013, at 10:18 AM, Steve Smith wrote:

Ray -
PS... if you visit Doug's, don't leave your car unlocked, you may find halfway home that there is a Peacock in the back seat.

Yumm!
Is there a Peacock equivalent of the Turducken?   Does Peacock taste like Pheasant?

- Steve
PS... Doug really loves his many birds.  These Peacocks, as I understand it, have been a free-range flock roaming a number of properties in his Nambe neighborhood since it was all a single Rancho maybe 100 years ago?   There is probably some genetic testing of this isolated community that could be done, similar to the Icelandic studies?


Peacocks, Clowns and now Squirrels

Steve Smith
Ray -
> A similar flock has been free-ranging the Albuquerque valley area near
> Broadway and Montano.
I don't think I ever make it down that way.  I'm always heartened to see
a little "wild" in the city.
>  Some friends of mine whose property is roamed got married some years
> ago and they had a wedding dinner featuring roast peacock. It's a
> little greasy, like duck, and tastes somewhere between duck and goose.
And free-range, if not (almost surely) organic to boot!   I've always
wondered what the rules about "harvesting" feral animals might be...  
especially in a city.  Is that NM Fish&Game rules or Bernalillo county
Animal Control purview?  My Appalachy ancestors loved their squirrel and
possum (not feral but verminish).   I assume that the last generation's
homeless (aka Hobos) fed off of anything they could catch (pigeons,
rats, ???) with gusto while today I suspect most of us would starve to
death while pigeons shat upon us and rats tugged at our leather
shoes/belts while we slept.
> When I first moved into Corrales, there were several flocks of guinea
> hens that migrated north-south twice-daily across the generally
> east-west properties.  Those were the remnant of a flock released when
> a local farmer failed to make any money raising them.
We had 3 (remaining of 4 after an Owl snagged one) Geese and 8 chickens
when we gave them up to move to Berkeley in 2005.  I was amazed that
both, raised from chicks/goslings were happy to remain within our
property boundaries (how do they recognize a barbed wire fence as a
boundary?) as a matter of course.   Maybe they recognized the territory
of our dog (who also for the most part respected the same boundaries) as
being (mostly) coyote free?     I suppose that Pea and Guinea fowl are
probably much closer to "wild" and of course water birds are going to
stay close/return to their water.
> I would expect that there has not been sufficient time for real
> genetic variations to develop in any of these isolated communities.
If I'm right about the timeline of the Nambe Peacocks, it seems like an
isolated and relatively small community of order 100 generations with no
(or few?) introductions and no (or little) human intervention (except as
patrons)?

- Steve



Re: [EXTERNAL] Big Science/Engineering

Merle Lefkoff-2
In reply to this post by Parks, Raymond
Just saw this.  Having been a contractor at Sandia (Advanced Concepts Group), and Guest Scientist and Affiliate at CNLS at LANL, as well as a Bechtel contractor on the "big dig" in Boston,  so knowing all three from the inside, I can report without reservation that LANL was doomed the minute Bechtel walked in the door.  My impression at Sandia was that LockMart is a traditional but responsible manager and lets the employees do their work without much interference (the interference comes from the idiots at D.O.E.).   During four years at LANL under the old contract my feeling every day going to work was one of privilege to be able to explore the resources of what felt very much like a small graduate campus.  





--
Merle Lefkoff, Ph.D.
President, Center for Emergent Diplomacy
Santa Fe, New Mexico, USA
[hidden email]
mobile:  (303) 859-5609
skype:  merlelefkoff


Re: [EXTERNAL] Big Science/Engineering

Steve Smith
Merle -
> Just saw this.  Having been a contractor at Sandia (Advanced Concepts
> Group), and Guest Scientist and Affiliate at CNLS at LANL, as well as
> a Bechtel contractor on the "big dig" in Boston,
got any good stories from that one (probably not suitable for a public
forum)?
>  so knowing all three from the inside, I can report without
> reservation that LANL was doomed the minute Bechtel walked in the door.
Interesting to get this kind of perspective.. thank you.
>  My impression at Sandia was that LockMart is a traditional but
> responsible manager and lets the employees do their work without much
> interference (the interference comes from the idiots at D.O.E.).
I began to see this (about LockMart) as I was studying the future while
the contract was in play.   I get the impression that their upper
management are Aerospace Engineers which is a little better than
Physicists and a *lot* better than Plutocrats and their trained monkeys.

I had no idea about Bechtel (they do manage a low profile in some ways?)
until I started attending the open contract negotiations in SFo.   I was
the only one attending besides a handful of students waiting for the
right moment to protest (and get thrown out) on general principles and
sometimes one or two reporters.  The conversations between Bechtel, UC,
and DOE were completely staged. There were no decisions being made in
public... there was still smoke wafting up from their clothes and hair
from the backroom deals that had already been struck.   I was roughly
the lone witness to this as the reporters didn't seem to take note of
this at all, dutifully reporting what was "declared" at these meetings
which were supposed to be discussions/negotiations.    I was appalled.
> During four years at LANL under the old contract my feeling every day
> going to work was one of privilege to be able to explore the resources
> of what felt very much like a small graduate campus.
It gets even better at LBL...  I felt as privileged in this manner as I
do now when I attend SFI meetings/events.   I thought Chu was a great
choice as director of LBL as well as Obama's Energy Sec'y. I don't know
if there is a story behind his leaving after 4 years...  do you?

I'm not a big fan of traditional "academia" but I do think it has its
place and I think LANL and LBL (even moreso) served as interesting
hybrids.  SNL, ORNL, and PNNL seem to be yet another breed(s).

Until Bush-Cheney handed our Nuclear Gems over to their friends the
Bechtels.

I'm not bitter.  But I am a friend of Doug's... does that count?

- Steve




Re: [EXTERNAL] Forum hacked

glen ropella
In reply to this post by Gillian Densmore
On 11/18/2013 08:35 PM, Gillian Densmore wrote:
> Password cracking?  Hmm- as to how? I can add a little insight into this
> one. Password cracking is just one tool.

You can always just _ask_ for their passwords, too! ;-)

Exclusive: Snowden persuaded other NSA workers to give up passwords -
sources
http://www.reuters.com/article/2013/11/08/net-us-usa-security-snowden-idUSBRE9A703020131108


--
⇒⇐ glen


Re: [EXTERNAL] Forum hacked

Steve Smith
> On 11/18/2013 08:35 PM, Gillian Densmore wrote:
>> Password cracking?  Hmm- as to how? I can add a little insight into this
>> one. Password cracking is just one tool.
> You can always just _ask_ for their passwords, too! ;-)
>
> Exclusive: Snowden persuaded other NSA workers to give up passwords -
> sources
> http://www.reuters.com/article/2013/11/08/net-us-usa-security-snowden-idUSBRE9A703020131108
During the worst of the Wen Ho Lee experience 15 years ago, I had at
least one person who should definitely have known better ask me for my
*classified* password on the phone (intra-laboratory) to avoid waiting
for me to come take care of something for him (15 min walk).  This is
someone who had even been yanked out of bed at midnight by the FBI for a
polygraph under bright lights (yes, they did use blanket harassment
techniques during that period for people *not* directly related to or
implicated in Wen Ho's folly).

I had already decided to make my passwords so vile that nobody besides
me would be able to stomach typing them, but in this case we were stuck
with computer generated ones (refreshed regularly) and had not yet been
set up with CryptoCards.   The two-factor (crypto (have) + pin (know))
system meant that I couldn't have shared my login credentials with him
if my life depended on it (excepting if he already had MY cryptocard in
his possession).   If he had pulled rank on me (which was his style and
he did have lots of rank) I would have spelled out one of my disgusting
style ("e8sh@tMo%fo!") and let him try it a few times until he gave up
and either realized I was sh@tting him around  or just gave up and
waited for me to come and do it correctly.

- Steve


Re: [EXTERNAL] Big Science/Engineering

Parks, Raymond
In reply to this post by Steve Smith

On Nov 19, 2013, at 2:13 PM, Steve Smith wrote:

> I'm not bitter.  But I am a friend of Doug's... does that count?

Is that like some strange equivalent of staying at a Holiday Inn Express?

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)





Re: [EXTERNAL] Big Science/Engineering

Steve Smith
On 11/19/13 4:46 PM, Parks, Raymond wrote:
> On Nov 19, 2013, at 2:13 PM, Steve Smith wrote:
>
>> I'm not bitter.  But I am a friend of Doug's... does that count?
>
> Is that like some strange equivalent of staying at a Holiday Inn Express?

http://dontworrygonuclear.blogspot.com/2007/04/dr-nano-vs-blog.html

Kind of...
