THE latest and surely the greatest .......

   / THE latest and surely the greatest ....... #51  
Thanks for detailing that. Rip Van Winkle here. I was the PC guru for our office long long ago (pre wifi. Sneakernet to go print something off anyone's laptop!) and kept up with security etc then but I've ignored the field since I retired. Now just a concerned user. Clinging to familiar Windows 7 for as long as it works.

Yosemite bears? After sunset they mingle with the campers in the Yosemite Valley campgrounds. We saw silly girls a few sites over leave out a sandwich, then take flash photos when the bear came by. One year we got a site right on the river and with a gorgeous view of Half Dome. Broken glass everywhere. Neighbor said bears broke into the car previously parked there. We hid all food under tarps in the trunk of the car and no bear problem. We did see one slink by on the other side of our fire pit. Injuries from bears there are exceedingly rare which is surprising when something like 10,000 people can be in Yosemite Valley in peak season.

My photo from our campsite. Incredibly, Half Dome is a vertical mile tall.
They used to start huge fires up on the top edge of Half Dome and push it over, I think I've seen video.

They have, or had, a minivan on display there that had been entered by bears.

Tore up!
 
   / THE latest and surely the greatest ....... #52  
Long lasting how? We have had our latest ones for over five years, the ones before that lasted ten-ish years. We do have one person for travel reasons.

And yes, as @Frankenkubota points out all the "Internet of Things" gizmos (Alexa, Ring, security cameras, etc.) are a security nightmare. If you have them, I really think they should be on their own segregated VLAN that is different from your "normal" home network, and preferably also separate from any guest network(s) that you have. The IoT gizmos are too inexpensive for much in the way of security to begin with and there is no recurring revenue to support patching and fixing them going forward.

Personally, I think that if you have IoT gizmos, you probably need to upgrade to a more fully featured router and WiFi access points. At the very least, it is cheap insurance. As they say about hiking in the woods with grizzly bears- "You don't have to outrun the bear, you just have to outrun at least one other person." You are just trying to make your home/finances/bank hard enough to access that you won't be the low hanging fruit in some attack. And long, unique, passwords, please!

Stay safe out there.

All the best,

Peter
I don't want to come across as a know it all but if you perform the math you will see that there is a large number of possibilities for even a relatively short password, say six characters. If you use numbers, letters (upper and lower case), punctuation marks then each character has 62+ possibilities. Now multiply that, 62 x 62 x 62 x 62 x 62 x 62 = a very large number. If your security system limits logon attempts they are not going to hack your password. Of course you need to choose a password that is relatively random and your password is still subject to intercept on unencrypted systems. So changing your password on a regular basis is a good practice. All the best.
 
   / THE latest and surely the greatest ....... #53  
No worries. This is just about being safer in your digital life. With that in mind, here are a few thoughts.

Actually changing passwords frequently turns out not to buy you much of anything. That is actually an older recommendation. Newer data suggest that it doesn't solve anything, unless of course you have some reason to think that you have leaked them, or they have been cracked. In which case, yes, change them, and choose nice, long random passwords or passphrases. When frequent password rules were implemented on computer systems, it was found that users tended to do two things:
1) choose simpler passwords, and
2) write them down,
neither of which helps keep systems secure.

Length and randomness matter. Most cracking starts by using dictionaries of previously cracked passwords, and fragments / variations thereof. It is the low hanging fruit, and incredibly fast. If your password doesn't yield to that, most nefarious folks will move on, unless they have some reason to target you in particular. Then brute force cracking kicks in.

Just for perspective, the example of a password length of six, 62**6 or 56,800,235,584, is brute force crackable in a few seconds to minutes on a modern computer, if the password file has been stolen. (1 Gigahertz 64-bit CPUs and GPUs get through enormous numbers of variations in no time, and can be purchased for a few dollars, e.g. a Raspberry Pi. So the cost of cracking is quite low.) Many moons ago, after several break-in attempts were made on a computer system that I was running by bad actors, I warned our users to change their passwords and choose good passwords, and that their passwords would be tested. Despite the appeal to pick good passwords, half the passwords were broken in a few hours using a 32-bit 40 MHz computer, which was also doing other things at the time. Spousal names and single nouns were probably half of that half, and a quarter were silly things like "th3d0g" that fell out in the first few minutes of cracking.

If you feel safe with a password length of six, go for it, but I doubt that you would find anyone in the computer security industry that would recommend it.

All the best,

Peter
 
   / THE latest and surely the greatest ....... #54  
Well it is a Blu-Tooth connection, eh ? Next will be a wireless bridge and a router canal.
 
   / THE latest and surely the greatest ....... #55  
No worries. This is just about being safer in your digital life. With that in mind, here are a few thoughts.

Actually changing passwords frequently turns out not to buy you much of anything. That is actually an older recommendation. Newer data suggest that it doesn't solve anything, unless of course you have some reason to think that you have leaked them, or they have been cracked. In which case, yes, change them, and choose nice, long random passwords or passphrases. When frequent password rules were implemented on computer systems, it was found that users tended to do two things:
1) choose simpler passwords, and
2) write them down,
neither of which helps keep systems secure.

Length and randomness matter. Most cracking starts by using dictionaries of previously cracked passwords, and fragments / variations thereof. It is the low hanging fruit, and incredibly fast. If your password doesn't yield to that, most nefarious folks will move on, unless they have some reason to target you in particular. Then brute force cracking kicks in.

Just for perspective, the example of a password length of six, 62**6 or 56,800,235,584, is brute force crackable in a few seconds to minutes on a modern computer, if the password file has been stolen. (1 Gigahertz 64-bit CPUs and GPUs get through enormous numbers of variations in no time, and can be purchased for a few dollars, e.g. a Raspberry Pi. So the cost of cracking is quite low.) Many moons ago, after several break-in attempts were made on a computer system that I was running by bad actors, I warned our users to change their passwords and choose good passwords, and that their passwords would be tested. Despite the appeal to pick good passwords, half the passwords were broken in a few hours using a 32-bit 40 MHz computer, which was also doing other things at the time. Spousal names and single nouns were probably half of that half, and a quarter were silly things like "th3d0g" that fell out in the first few minutes of cracking.

If you feel safe with a password length of six, go for it, but I doubt that you would find anyone in the computer security industry that would recommend it.

All the best,

Peter
In a system that locks you out after, say three login attempts, does that thwart brute force attempts or other system generated hack efforts?
 
   / THE latest and surely the greatest ....... #57  
In a system that locks you out after, say three login attempts, does that thwart brute force attempts or other system generated hack efforts?
Some systems are harder to break into than others. ;) I tend to look at the current prices for zero day exploits on the dark web. (For an article, here) You want to be on systems (phone, PC) with high prices.

That said, like burglars, hackers almost never come in the front door unless it is unlocked or they already have the keys. The weakest link is usually the point of entry. That old phone, the old desktop running Windows 7 in the guest bedroom, that old WiFi enabled TV, your digital doorbell, that cheap security camera...

Often hackers get low level access through a flaw, and go from there to escalate privileges until they can do what they want: encrypt your files for ransom, install a key logger to get your passwords, even take the credentials for your phone to control two factor authentication for themselves.

I tend to think of digital security as a series of fences; each one slows down the bad guys, and if there are enough of them, the bad guys will quit bothering with your system and go elsewhere. You also don't want to put all your eggs in one basket, lest it become a Maginot Line. As mentioned in an earlier post, you don't have to outrun the bear, just the person behind you.

#1 being prudent!
not opening or clicking on phishing texts or emails or giving information over the phone
long password /passphrase
two factor authentication
up to date operating systems and software on your phone and PCs
(and reputable software on them!)
not leaving electronics on if they aren't in use. (What is off can't be hacked into or encrypted...)
multiple antivirus/anti malware systems
not installing software that you aren't actively using on a regular basis
not using public WiFi
good firewall system
good access control on your home network and
minimize what you allow through/on your home WiFi
good offline, and offsite, backups

Each one is a small fence. It adds up, but nothing is perfect.

My bottom line is that any repair after a digital break-in will be unpaid hassle, aggravation, and time out of my life. I would like to avoid that, so I am willing to do more now, on my own time, betting against a future where I won't be doing it in a rush, under duress because someone did break in and encrypted not only my computers, but my backups.

A friend is going through an identity theft at the moment that cost her north of $40,000 unrecoverable losses, plus time lost, and the need to postpone a long planned home renovation due to the financial snafu. Can she afford it? Yes, but probably not what she would have chosen to do with her $40,000...

All the best,

Peter
 
   / THE latest and surely the greatest ....... #58  
No worries. This is just about being safer in your digital life. With that in mind, here are a few thoughts.

Actually changing passwords frequently turns out not to buy you much of anything. That is actually an older recommendation. Newer data suggest that it doesn't solve anything, unless of course you have some reason to think that you have leaked them, or they have been cracked. In which case, yes, change them, and choose nice, long random passwords or passphrases. When frequent password rules were implemented on computer systems, it was found that users tended to do two things:
1) choose simpler passwords, and
2) write them down,
neither of which helps keep systems secure.

Length and randomness matter. Most cracking starts by using dictionaries of previously cracked passwords, and fragments / variations thereof. It is the low hanging fruit, and incredibly fast. If your password doesn't yield to that, most nefarious folks will move on, unless they have some reason to target you in particular. Then brute force cracking kicks in.

Just for perspective, the example of a password length of six, 62**6 or 56,800,235,584, is brute force crackable in a few seconds to minutes on a modern computer, if the password file has been stolen. (1 Gigahertz 64-bit CPUs and GPUs get through enormous numbers of variations in no time, and can be purchased for a few dollars, e.g. a Raspberry Pi. So the cost of cracking is quite low.) Many moons ago, after several break-in attempts were made on a computer system that I was running by bad actors, I warned our users to change their passwords and choose good passwords, and that their passwords would be tested. Despite the appeal to pick good passwords, half the passwords were broken in a few hours using a 32-bit 40 MHz computer, which was also doing other things at the time. Spousal names and single nouns were probably half of that half, and a quarter were silly things like "th3d0g" that fell out in the first few minutes of cracking.

If you feel safe with a password length of six, go for it, but I doubt that you would find anyone in the computer security industry that would recommend it.

All the best,

Peter
I am quite familiar with what you stated. The bottom line in your scenario was that the password was compromised by a weakness in the operating system that could be exploited, not only the length of the password. If someone can steal the password file on your computer you have problems. If you are exchanging information on an unencrypted network you can have problems. If your password is accessible to others, written down or shared with others you can have problems. My password lengths are actually 10, the six character length was an example. In a former life I was responsible for computer security. Password length alone will not ensure system integrity.
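
Added example, not part of any poster's message: a small Python password audit that puts numbers on the points argued in posts #52 to #58, namely the 62**6 keyspace, dictionary-style passwords such as "th3d0g", and login lockout versus a stolen password file. The word list, the substitution table, the 1e9 guesses per second offline rate and the 3 attempts per 15 minutes lockout are assumptions chosen for illustration.

```python
# Constructed mini word list; a real audit would load a large list of
# common and previously breached passwords.
WORDS = {"the", "dog", "cat", "password", "tractor", "summer", "peter"}

# Assumed table of common look-alike substitutions (0->o, 1->l, 3->e, ...).
LEET = str.maketrans("013457@$!", "oleastasi")

def normalize(pw):
    """Lower-case and undo look-alike substitutions: th3d0g -> thedog."""
    return pw.lower().translate(LEET)

def is_word_combo(text, words=WORDS):
    """True if text splits completely into dictionary words."""
    ok = [True] + [False] * len(text)   # ok[i]: text[:i] is made of words
    for end in range(1, len(text) + 1):
        ok[end] = any(ok[start] and text[start:end] in words
                      for start in range(end))
    return bool(text) and ok[-1]

def offline_seconds(length, alphabet=62, guesses_per_sec=1e9):
    """Average brute-force time against a stolen password file (assumed rate)."""
    return alphabet ** length / 2 / guesses_per_sec

def lockout_seconds(length, alphabet=62, attempts=3, window_sec=900):
    """Average time when a login form allows `attempts` guesses per window."""
    return alphabet ** length / 2 / (attempts / window_sec)

def audit(pw):
    """Classify a password the way a defensive audit would."""
    if is_word_combo(normalize(pw)):
        return "dictionary"      # falls to word lists, keyspace is irrelevant
    return "brute-force only"    # attacker must search the keyspace

if __name__ == "__main__":
    for pw in ("th3d0g", "Tr4ct0r", "q7Vx2m"):   # constructed samples
        print(f"{pw!r}: {audit(pw)}")
    year = 365 * 24 * 3600
    for n in (6, 10, 16):
        print(f"length {n}: offline {offline_seconds(n):.3g} s, "
              f"behind lockout {lockout_seconds(n) / year:.3g} years")
```

Under these assumed rates a random six-character password behind a lockout holds for a very long time, while the same password in a stolen file lasts under a minute, and a dictionary-derived one is found without searching the keyspace at all.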
 
   / THE latest and surely the greatest ....... #59  
After 10 years outside of my industry I’m back, as an employee this time. I took a position with a company that does high end residential low voltage systems.

When I was still in business, home automation was starting and I was resisting. Shoot, I didn’t even use wireless unless in the most dire situation.

I’ll be installing some of these systems in my home so I can become familiar with them.

There is an old(ish) joke about an Internet connected refrigerator that won’t allow the door to open because of a racist joke you told during supper the evening before.

While my laptop was struggling with some cloud computing I pulled the invoice for the job I was on. It was at $224,000 and they hadn’t even moved in yet. Displays, speakers, cameras, locks, security, networking..

Good grief.. And I’m happy to report that you can in fact teach an old dog new tricks!
 
   / THE latest and surely the greatest ....... #60  
This thread has convinced me that I definitely do not want a wifi toothbrush... the last thing I need is to get that hacked by the Russians.

I've also learned a bit more about passwords, and believe mine should be random enough to make them tough to hack.
(No words or sequences involved...)
 
