Forum hacked


Re: Peacocks, Clowns and now Squirrels

cody dooderson
How can you be sure that it's the same peacock in Nambe?

Cody Smith


On Tue, Nov 19, 2013 at 1:04 PM, Steve Smith <[hidden email]> wrote:
Ray -
A similar flock has been free-ranging the Albuquerque valley area near Broadway and Montano.
I don't think I ever make it down that way.  I'm always heartened to see a little "wild" in the city.
 Some friends of mine whose property is roamed got married some years ago and they had a wedding dinner featuring roast peacock. It's a little greasy, like duck, and tastes somewhere between duck and goose.
And free-range, if not (almost surely) organic to boot!   I've always wondered what the rules about "harvesting" feral animals might be...   especially in a city.  Is that NM Fish&Game rules or Bernalillo County Animal Control purview?  My Appalachy ancestors loved their squirrel and possum (not feral but verminish).   I assume that the last generation's homeless (aka Hobos) fed off of anything they could catch (pigeons, rats, ???) with gusto while today I suspect most of us would starve to death while pigeons shat upon us and rats tugged at our leather shoes/belts while we slept.
When I first moved into Corrales, there were several flocks of guinea hens that migrated north-south twice-daily across the generally east-west properties.  Those were the remnant of a flock released when a local farmer failed to make any money raising them.
We had 3 (remaining of 4 after an Owl snagged one) Geese and 8 chickens when we gave them up to move to Berkeley in 2005.  I was amazed that both, raised from chicks/goslings were happy to remain within our property boundaries (how do they recognize a barbed wire fence as a boundary?) as a matter of course.   Maybe they recognized the territory of our dog (who also for the most part respected the same boundaries) as being (mostly) coyote free?     I suppose that Pea and Guinea fowl are probably much closer to "wild" and of course water birds are going to stay close/return to their water.
I would expect that there has not been sufficient time for real genetic variations to develop in any of these isolated communities.
If I'm right about the timeline of the Nambe Peacocks, it seems like an isolated and relatively small community of order 100 generations with no (or few?) introductions and no (or little) human intervention (except as patrons)?

- Steve



============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com



Re: Peacocks, Clowns and now Squirrels

Steve Smith
On 11/19/13 5:23 PM, cody dooderson wrote:
> How can you be sure that it's the same peacock in Nambe?
The same way I can be sure that Clowns and Squirrels are Evil... I just
know!

Look closely next time and you will see that he's giving you the evil eye.



Re: [EXTERNAL] Forum hacked

Arlo Barnes
In reply to this post by Steve Smith
> CryptoCards
Anything like a SecurID?

From Kevin Mitnick's autobiography excerpted on Google Books:
[Inline image 1 and Inline image 2 from the excerpt: not preserved in this archive]
-Arlo James Barnes


Re: [EXTERNAL] Forum hacked

Marcus G. Daniels
On 12/18/13, 11:13 AM, Arlo Barnes wrote:
>> CryptoCards
> Anything like a SecurID?
Organizations that use SecurID may prepend or append a password to a token provided by a device.  The token changes every few seconds.  

CryptoCards (the brand) are different in that the password is set when the device is issued.
That way there is less opportunity to intercept the password part.  One plus of SecurID is that they are small enough to carry on a keyring.  CryptoCards are like thick credit cards -- too thick to put in a wallet, really.

Marcus

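Marcus describes the two-factor pattern in which a user types a fixed PIN in front of a token code that changes every few seconds. The Python below is an added example, not code from the list or from any token vendor: it implements the open RFC 6238 time-based one-time password scheme (HMAC-SHA1, 30-second steps), which is not SecurID's proprietary algorithm, and shows how a server peels the PIN off the submitted string, checks it in constant time, and accepts the code within a one-step clock-drift window. The secret is the RFC 4226/6238 test key and the PIN is a made-up value.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values: the RFC 4226/6238 test secret and a made-up PIN.
# A real deployment provisions a random per-token secret.
DEMO_SECRET = b"12345678901234567890"
DEMO_PIN = "4711"
STEP_SECONDS = 30  # RFC 6238 default; the thread only says "every few seconds"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, at_time // step, digits)


def split_passcode(passcode: str, digits: int = 6) -> tuple:
    """The 'prepend a password to the token' convention: PIN + code arrive as one
    string, so the server peels the fixed-length numeric code off the end."""
    if len(passcode) <= digits or not passcode[-digits:].isdigit():
        return None, None
    return passcode[:-digits], passcode[-digits:]


def verify_passcode(passcode: str, pin: str, secret: bytes, now: int, window: int = 1) -> bool:
    """Accept only if the PIN matches (constant-time compare) and the code matches
    the current time step or one adjacent step, tolerating small clock drift."""
    typed_pin, code = split_passcode(passcode)
    if typed_pin is None:
        return False
    pin_ok = hmac.compare_digest(typed_pin.encode(), pin.encode())
    counter = now // STEP_SECONDS
    code_ok = any(
        hmac.compare_digest(code, hotp(secret, counter + d))
        for d in range(-window, window + 1)
    )
    return pin_ok and code_ok


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("current code:", code)
    print("PIN+code accepted:", verify_passcode(DEMO_PIN + code, DEMO_SECRET and DEMO_PIN, DEMO_SECRET, now))
```

The drift window is the usual trade-off: a wider window makes the system friendlier to slow clocks but gives an intercepted code a slightly longer useful life, which is why the PIN is checked alongside it rather than instead of it.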

Re: [EXTERNAL] Forum hacked

Owen Densmore
Administrator
In reply to this post by Parks, Raymond
[a bit late, but...] These are *great* sites, thanks!  Fascinating read about becoming a cracker-for-a-day! It might be worth trying that for ourselves just to understand what we're up against.  I just had my twitter account apparently hacked so got pretty interested in this.

Bruce Schneier's advice:
So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m". That nine-character password won't be in anyone's dictionary. Of course, don't use this one, because I've written about it. Choose your own sentence -- something personal.

I thought about this independently (or remembered it!) and started thinking about sentences and taking the first letter of each word: Star Spangled Banner: oskysbtdel .. then adding other stuff that is unique per site and fulfills n-Caps, n-Specials, etc silly rules. Since many hacks are dictionary based (this means you XKCD), this avoids words completely.  Pub tunes and chanties are great for this! Or favorite poems.

This is still somewhat low on the PW Hygiene scale, I bet, but still .. I'd like to not have a PW mgr be the only one knowing the unique passwords, so wanted a formula of my own, one I can remember for every site.

So questions:
- How many of us are now using completely random pw's generated by one of the pw managers?
- Are sentence-based stunts close to "random"?
- Wouldn't unicode help here? 16 bit characters would definitely bother the crackers, right?

And we should remember, the massive hacks are only for sites that have gotten an encrypted pw file and know a lot about it like what crypto it uses etc.  The high order bit here is quick notification by compromised sites.

   -- Owen


On Mon, Nov 18, 2013 at 11:28 AM, Parks, Raymond <[hidden email]> wrote:
WRT password cracking - Dan Goodin has a good series of articles on password cracking at Ars Technica.


TL;DR - Current GPU-based password cracking using 20-million word dictionaries makes truly random passwords below 14 characters and nearly all pass-phrases susceptible to cracking in a relatively short time.

On a related subject, roughly 75% of websites store passwords as nothing more complicated than simple, unsalted MD5 hashes.  This is almost as easy to break as NTLM.

Salt makes the initial crack more difficult, but if the same salt is used for all hashes, then subsequent cracks ignore it.

WRT the use of PII - it's sold on various markets, correlated in a "big data" manner with other exposures, and, if enough information is available and the person's credit score is high enough, is used for credit attacks.  In some cases, if banking information is correlated, the collection is used for banking attacks.  If there is poor correlation but an email or FQDN is in the information, then the data may be used as a target list.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
SIPR: [hidden email] (send NIPR reminder)
JWICS: [hidden email] (send NIPR reminder)



On Nov 18, 2013, at 10:12 AM, Owen Densmore wrote:

A forum I belong to has been hacked, including personal info as well as passwords.

How do they use this information?

I presume they try the hash function on all combinations of possible passwords.  (Naturally optimized for faster convergence).  They see a match, i.e. a letter combination resulting in the given hash of the password.

If they crack one password, does that make cracking the rest any easier?

And does "salt" simply increase the difficulty, and indeed can it be deduced, as above, by cracking a single password?

.. or is it all quite different from this!

   -- Owen
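Owen asks whether cracking one password helps with the rest and whether salt merely raises the difficulty; Ray's answer is that unsalted MD5 is nearly as weak as NTLM and that a single site-wide salt is ignored after the first crack. The Python below is an added example, not code from either of them or from any of the breached sites: it builds the same constructed set of three accounts (two of which share a password) under unsalted MD5, shared-salt MD5, and per-user salted PBKDF2-HMAC-SHA256, and counts how many stored digests collide in each case. Where the count is non-zero, one recovered password is directly reusable against other accounts; the per-user salt removes that, and the slow KDF makes every remaining guess expensive.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration (not real accounts).
# Alice and Bob chose the same password, as is common in real breach dumps.
USERS = {
    "alice": "Summer2013!",
    "bob": "Summer2013!",
    "carol": "tlpWENT2m",
}


def unsalted_md5(password: str) -> str:
    """The weak scheme Ray describes: a bare MD5 digest of the password.
    Identical passwords give identical digests, and a digest can be looked up
    in a precomputed table without running the hash function at all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def shared_salt_md5(password: str, site_salt: bytes) -> str:
    """One site-wide salt.  Generic precomputed tables no longer apply, but the
    salt is the same for every user, so identical passwords still collide and
    one dictionary pass over the dump covers every account at once."""
    return hashlib.md5(site_salt + password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, iterations: int = 200_000) -> dict:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    Every account now costs the full iteration count per guess, and knowing one
    user's salt says nothing about another user's digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def pbkdf2_verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so the check itself leaks nothing about the stored digest."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def store_unsalted(users: dict) -> dict:
    return {name: unsalted_md5(pw) for name, pw in users.items()}


def store_shared_salt(users: dict, site_salt: bytes) -> dict:
    return {name: shared_salt_md5(pw, site_salt) for name, pw in users.items()}


def store_pbkdf2(users: dict, iterations: int = 200_000) -> dict:
    return {name: pbkdf2_record(pw, iterations) for name, pw in users.items()}


def users_with_duplicate_hash(store: dict) -> int:
    """How many accounts share their stored digest with another account.
    This answers 'does cracking one make the rest easier': wherever the count
    is non-zero, one recovered password unlocks the others for free."""
    by_digest = {}
    for name, value in store.items():
        digest = value["digest"] if isinstance(value, dict) else value
        by_digest.setdefault(digest, []).append(name)
    return sum(len(names) for names in by_digest.values() if len(names) > 1)


if __name__ == "__main__":
    print("unsalted MD5    :", users_with_duplicate_hash(store_unsalted(USERS)))
    print("shared-salt MD5 :", users_with_duplicate_hash(store_shared_salt(USERS, b"site-wide")))
    print("PBKDF2 per user :", users_with_duplicate_hash(store_pbkdf2(USERS, 10_000)))
```

A per-user salt is stored in the clear next to the digest, so it is not a secret and cannot be "deduced" in any useful sense; its job is only to make each account an independent cracking problem. The iteration count is what converts Marcus's trillion-hashes-a-second hardware into a far smaller effective guess rate.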

Re: [EXTERNAL] Forum hacked

Marcus G. Daniels

> TL;DR - Current GPU-based password cracking using 20-million word dictionaries makes truly random passwords below 14 characters and nearly all pass-phrases susceptible to cracking in a relatively short time.

There is an increasing variety of cryptographic algorithms being developed under the auspices of altcoin cryptocurrency mining.    Hardware that can do 1 trillion hashes a second for just a few hundred watts and less than $1000.    There's hardware SSL capabilities on systems like Sparc T4s (for secure webservers).   And then there's OpenCL to FPGAs for special cases.   Pretty much hopeless I think.

 

Marcus



Re: [EXTERNAL] Forum hacked

Owen Densmore
Administrator
In reply to this post by Owen Densmore
Great info, thanks!  Do you recall how many logins you have?  And how did you use 1P to retroactively change/evolve to their system? And for "apps" I presume you use copy/paste?

Boy wouldn't it be great if they invented a way to *change* the passwords that they manage easily?

   -- Owen

On Thu, Jan 29, 2015 at 9:40 AM, Barry MacKichan <[hidden email]> wrote:
For what it's worth, here are my answers:
1. I use 1Password on the Mac, Windows, and iOS, which is currently all the computers I use. The passwords it generates for me are currently 20 characters including upper and lower case, digits, punctuation, and symbols. I never (well, hardly ever) have to enter one by hand, so I don't mind using ambiguous characters (1, l, I, 0, O). They are not limited to 20 characters, but that seemed enough to me. The only problem is sites that put a low limit on the number of characters in a password (!!!)
2. The character distribution in the 'sentence-based stunts' is probably like the character distribution in English -- the etaoinshrdlu distribution. Since some characters may be more or less likely as word starters, the entropy might be even less than in English, so I don't consider it random.
3. I've considered putting some unicode characters in my 1Password master password, but I haven't checked to see that I can enter them in a password field on all the platforms I use. I would expect that unicode in a password field is represented as UTF8, so that making a single character unicode would add only one, maybe two, bytes to the password, rather than doubling the length. Making some of the characters ≥ 128 and < 256 would change the number of combinations that need to be checked from 128^n to 256^n; i.e., it would multiply it by 2^n, but this could also be done by adding a few more characters. Using UTF8 unicode would also put in high bytes.

The XKCD method is not bad. The fact that the component parts are words is not fatal. With the DICE method, you pick words at random from a dictionary of about 7000 words. Brute force cracking a five-word password requires 7000^5 tries, and then you can change the capitalization, use a variety of symbols between the words, etc. to increase the number. If someone tries to crack my 1Password vault, they don't have a hashed password, so they need to feed each password to 1Password, which uses PBKDF to slow down the process. With current hardware the time to crack my vault is over 100,000 years; I forget the exact number. When hardware improves, I'll add another word to the password.

For passwords I must remember (logon, Apple ID, dropbox) I use a program written by a friend which produces 11-character pronounceable pseudo-words. Dropbox has a shorter password so I can get to the 1Password vault it contains in the case of disaster.

—Barry




On 28 Jan 2015, at 21:25, Owen Densmore wrote:

So questions:
- How many of us are now using completely random pw's generated by one of the pw managers?
- Are sentence-based stunts close to "random"?
- Wouldn't unicode help here? 16 bit characters would definitely bother the crackers, right?

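Barry's answers carry three pieces of arithmetic: a five-word DICE passphrase from a 7000-word list costs 7000^5 guesses, moving bytes from a 128-symbol to a 256-symbol alphabet multiplies the search space by 2^n, and a slow KDF such as PBKDF stretches the attacker's time by its work factor. The Python below is an added example, not Barry's tool or 1Password's code: it expresses each scheme as bits of entropy, converts that into exhaustion time at Marcus's quoted one trillion hashes per second with and without an assumed PBKDF2 work factor, and generates a DICE-style passphrase with a CSPRNG from a small constructed word list. The sentence-initials entry uses a uniform-letters upper bound; as Barry notes, real English initials are less uniform, so the true figure is lower.

```python
import math
import secrets

# Constructed word list standing in for the ~7000-word DICE dictionary;
# entropy is computed from the real length of whatever list is passed in.
WORDS = ["anchor", "basalt", "cobalt", "drizzle", "ember", "fjord",
         "gravel", "harbor", "icicle", "juniper", "kestrel", "lantern",
         "meadow", "nickel", "orchid", "pebble"]

PRINTABLE_ASCII = 94  # upper + lower + digits + punctuation + symbols
RAW_RATE = 1e12       # Marcus's "1 trillion hashes a second"


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly and independently
    from `alphabet_size` choices, i.e. log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def unicode_gain_bits(length: int) -> float:
    """Barry's point: 128**n becoming 256**n is a factor of 2**n, or n extra
    bits, which a few more ASCII characters would buy just as well."""
    return entropy_bits(256, length) - entropy_bits(128, length)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a given rate.  Raising the KDF cost
    (PBKDF2 iterations) divides guesses_per_second by the same factor."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def dice_passphrase(words: list, count: int) -> str:
    """DICE-style passphrase: `count` words chosen uniformly with a CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(count))


def compare_schemes(raw_rate: float = RAW_RATE, kdf_iterations: int = 100_000) -> dict:
    """Entropy and exhaustion time for the schemes discussed in the thread.
    kdf_iterations is an assumed PBKDF2 work factor, not 1Password's actual
    setting; it scales the attacker's effective guess rate down linearly."""
    schemes = {
        "random 20 printable ASCII": entropy_bits(PRINTABLE_ASCII, 20),
        "DICE 5 words from 7000": entropy_bits(7000, 5),
        "DICE 6 words from 7000": entropy_bits(7000, 6),
        "9-letter sentence initials (upper bound)": entropy_bits(26, 9),
        "sample list, 5 words": entropy_bits(len(WORDS), 5),
    }
    return {
        name: {
            "bits": round(bits, 1),
            "years_fast_hash": years_to_exhaust(bits, raw_rate),
            "years_pbkdf2": years_to_exhaust(bits, raw_rate / kdf_iterations),
        }
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    for name, row in compare_schemes().items():
        print(f"{name:42s} {row['bits']:6.1f} bits  "
              f"fast: {row['years_fast_hash']:.3g} y  pbkdf2: {row['years_pbkdf2']:.3g} y")
    print("example passphrase:", dice_passphrase(WORDS, 5))
```

The table makes Barry's closing remark concrete: adding one word to a DICE passphrase adds about 12.8 bits, which is more than a tenfold improvement in hardware can take away.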

Re: [EXTERNAL] Forum hacked

Arlo Barnes
What would really help is websites publishing a file that can be found in an automated way (perhaps, like robots.txt, it is standardly named at the root) that defines what areas of the site require what type of login (for example, it could say that forums.foobricks.ninja requires an OpenID, and then a browser can, if the user wants it that way, automatically log in using a preferred OpenID registered with the browser; and if the file says that demos.foobricks.ninja needs a SceneID, then the browser can log in with that). This would aid multiple-login schemes, since the user would not have to deal with the confounding detail of treating each site like an unrelated login system. As usual, there are attacks based on this that would have to be defended against.
Part of this file could give the restrictions on the password (of course, the less the better, for the most part) - perhaps as a regex. But it is important that it be machine-readable; this will help a password keeper application to generate better random passwords, and be able to check whether a user-saved password would be valid as often as it wants, offline.
I think XML would be ideal for such a file, but it could be in any standard format.

Of course, for sites with poor security, this will help rather than ultimately hinder the attackers, but only because of security through obscurity.

-Arlo James Barnes

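Arlo's proposal is a well-known root file that tells a browser or password manager which login mechanism each host expects and, for password realms, what a valid password must look like. The Python below is an added example, not a standard and not code from Arlo: the XML vocabulary (`login-policy`, `realm`, `host`, `auth`, `min`, `max`, `pattern`) is invented for illustration, and the example shows a password keeper parsing the file, looking up the mechanism for a host, validating a candidate offline against the regex and length bounds, and generating a random password that satisfies the rule. Two caveats a consumer of such a file would want are in the comments: a file fetched from a remote site is untrusted XML, and a regex supplied by someone else can be hostile to the matcher.

```python
import re
import secrets
import string
import xml.etree.ElementTree as ET

# Constructed example of the hypothetical policy file; element and attribute
# names are assumptions for this example, not any published format.
POLICY_XML = """
<login-policy>
  <realm host="forums.foobricks.ninja" auth="openid"/>
  <realm host="demos.foobricks.ninja" auth="sceneid"/>
  <realm host="shop.foobricks.ninja" auth="password"
         min="12" max="64"
         pattern="(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]).*"/>
</login-policy>
"""

MAX_PATTERN_LEN = 200  # crude guard against an oversized regex; the pattern comes from a third party


def parse_policy(xml_text: str) -> dict:
    """Map host -> login requirements.  In production, parse XML fetched from a
    remote site with defusedxml; the stdlib parser is used here to stay
    self-contained.  The regex is treated as untrusted input as well."""
    root = ET.fromstring(xml_text)
    if root.tag != "login-policy":
        raise ValueError("not a login-policy document")
    policy = {}
    for realm in root.findall("realm"):
        entry = {"auth": realm.get("auth")}
        if entry["auth"] == "password":
            pattern = realm.get("pattern", ".*")
            if len(pattern) > MAX_PATTERN_LEN:
                raise ValueError("password pattern too long to trust")
            entry["min"] = int(realm.get("min", "1"))
            entry["max"] = int(realm.get("max", "128"))
            entry["pattern"] = re.compile(pattern)
        policy[realm.get("host")] = entry
    return policy


def auth_for(policy: dict, host: str):
    """Which mechanism the site says it wants for this host (None if unlisted)."""
    return policy.get(host, {}).get("auth")


def password_ok(policy: dict, host: str, candidate: str) -> bool:
    """Offline check of a saved or proposed password against the published rule."""
    rule = policy.get(host)
    if not rule or rule["auth"] != "password":
        return False
    return (rule["min"] <= len(candidate) <= rule["max"]
            and rule["pattern"].fullmatch(candidate) is not None)


def generate_password(policy: dict, host: str, length: int = 20, attempts: int = 1000) -> str:
    """Draw random printable-ASCII passwords until one satisfies the rule.
    Length is clamped into the site's bounds so the keeper never proposes
    something the site would reject."""
    rule = policy[host]
    alphabet = string.ascii_letters + string.digits + string.punctuation
    length = max(rule["min"], min(length, rule["max"]))
    for _ in range(attempts):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if password_ok(policy, host, candidate):
            return candidate
    raise RuntimeError("could not satisfy the published pattern; check the policy")


if __name__ == "__main__":
    policy = parse_policy(POLICY_XML)
    for host in ("forums.foobricks.ninja", "demos.foobricks.ninja", "shop.foobricks.ninja"):
        print(host, "->", auth_for(policy, host))
    print("generated:", generate_password(policy, "shop.foobricks.ninja"))
```

Arlo's closing caveat applies directly to the `pattern` attribute: a site that publishes a permissive rule is telling everyone how small its password space is, but that information was already available to anyone who registered an account, so the file only removes obscurity, not security.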