Sunday Safety Dance

8 Replies. 1 pages. Viewing page 1.

8. Re: Sunday Safety Dance Nov 26, 2012, 03:01 Flatline
 
Mashiki Amiketo wrote on Nov 26, 2012, 00:31:
Flatline wrote on Nov 25, 2012, 17:37:
I don't see any solution that will ever be social-engineering proof. If you have a gatekeeper, and that gatekeeper is human, that security system, no matter what it is, can be compromised.
Keyfob, the only way then is to physically take the device from the person. I don't mean a keygen token like what we're using now, but a unique keyring fob tied to you. We'll probably get there in another 30 years.

The only way that works is if you lose it you're SOL. Period. If you have some way of circumventing that, even with a really, really good procedural to provide security, sooner or later people will relent to social engineering and unlock the gate for you.

We can have that today. Big alerts everywhere stating that if you lose your password you lose access permanently, that it can't be recovered at all. You'd entirely eliminate the social engineering password retrieval/reset aspect of security breaching, but you'd have people freaking out.

Unless of course you decided to like... implant your fob in your body, but even then you're at the same limitation as biometrics: it's eventually 1's and 0's transmitting a "let me in" signal.

I didn't get to the end of that article, because 8 pages to tell me that passwords are insecure is way too fucking long to get to the point.

However, I'm curious about something like the connect-the-dots password security that Android uses as the basis for password alternatives (although the current Android lock screen has something like 400,000 solutions, which is clearly not sufficient for security). We should be looking at games and systems that even supercomputers simply suck at: Go springs to mind, and patterning a security challenge after that might work, as solution hashes for systems like that would take an eternity even on supercomputers, but be relatively simple for a human to remember.
 
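Flatline's estimate of the Android pattern-lock key space can be checked directly. The Python below is an added example, not code from this thread or from Android itself: it enumerates every pattern on the 3x3 grid under the commonly described rules (at least four dots, no dot reused, a line may pass over a dot only if that dot is already drawn), reports the count per pattern length, and expresses the total in bits next to the key space of a short random alphanumeric password. The encoding of the skip rule and the 62-character password alphabet are assumptions made for the example.

```python
import math

# Dots of the 3x3 grid are numbered 0..8, row-major:
#   0 1 2
#   3 4 5
#   6 7 8
GRID = 3
DOTS = GRID * GRID


def crossed_dot(a, b):
    """Return the dot a straight line from a to b passes over, or None.

    Assumed lock-screen rule: a line may skip over a dot only if that dot is
    already part of the pattern. Only pairs whose midpoint lands exactly on a
    grid dot (same row or column two apart, or opposite corners) have such a
    dot; knight-style moves such as 1 -> 3 cross nothing.
    """
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * GRID + (ca + cb) // 2
    return None


def count_patterns(min_len=4, max_len=DOTS):
    """Count valid patterns by length with a depth-first search over the grid."""
    counts = {}

    def dfs(last, visited, length):
        if length >= min_len:
            counts[length] = counts.get(length, 0) + 1
        if length == max_len:
            return
        for nxt in range(DOTS):
            if visited & (1 << nxt):
                continue  # each dot may be used once
            mid = crossed_dot(last, nxt)
            if mid is not None and not visited & (1 << mid):
                continue  # would jump over a dot that has not been drawn yet
            dfs(nxt, visited | (1 << nxt), length + 1)

    for start in range(DOTS):
        dfs(start, 1 << start, 1)
    return counts


def total_patterns():
    """Total number of valid patterns of any allowed length."""
    return sum(count_patterns().values())


def bits(keyspace):
    """Size of a key space expressed as bits of an equivalent uniform key."""
    return math.log2(keyspace)


def password_keyspace(length, alphabet_size=62):
    """Key space of a random password; 62 = a-z, A-Z, 0-9 (assumed alphabet)."""
    return alphabet_size ** length


if __name__ == "__main__":
    by_len = count_patterns()
    for n in sorted(by_len):
        print(f"{n} dots: {by_len[n]:>7} patterns")
    total = total_patterns()
    print(f"all patterns: {total} (~{bits(total):.1f} bits)")
    for n in (4, 6, 8):
        ks = password_keyspace(n)
        print(f"{n}-char alphanumeric password: {ks} (~{bits(ks):.1f} bits)")
```

Running it gives 389,112 patterns in total, which is about 18.6 bits; even a random four-character alphanumeric password (62^4, about 23.8 bits) has a larger space, which is the point the post makes about the lock screen. The bit figure is what a defender should compare against an attacker's guess budget, since an offline attacker can exhaust a few hundred thousand candidates in well under a second.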
 
7. Re: Sunday Safety Dance Nov 26, 2012, 02:03 necrosis
 
The biggest problem with passwords is the users themselves.

Passwords are fairly secure but the users make their passwords the stupidest shit, never change them, and use the same password for everything.

The easier we make 'questions' and the like the easier we make it for the hackers too. You can only make things so simple for the truly stupid who do not belong online before you might as well not have any security at all.
 
 
6. Re: Sunday Safety Dance Nov 26, 2012, 00:31 Mashiki Amiketo
 
Flatline wrote on Nov 25, 2012, 17:37:
I don't see any solution that will ever be social-engineering proof. If you have a gatekeeper, and that gatekeeper is human, that security system, no matter what it is, can be compromised.
Keyfob, the only way then is to physically take the device from the person. I don't mean a keygen token like what we're using now, but a unique keyring fob tied to you. We'll probably get there in another 30 years.
 
--
"For every human problem,
there is a neat, simple solution;
and it is always wrong."
--H.L. Mencken
 
5. Re: Sunday Safety Dance Nov 25, 2012, 17:37 Flatline
 
I don't see any solution that will ever be social-engineering proof. If you have a gatekeeper, and that gatekeeper is human, that security system, no matter what it is, can be compromised.

I'm still, to this day, convinced that there are people in Blizzard for example resetting passwords and selling accounts. I played WoW for a few months, stopped, and six months later my account was compromised and they suspended it. I figured my account got phished somewhere along the way, even though I'm pretty cautious about that.

Okay, so reset the password. Over the phone. With a human. Reset the password on a clean computer. And I never logged in again because I don't give a shit about Blizzard games any more. Six months later I get another email saying my account has been compromised. Call Blizzard and they lecture me on account security. I point out I changed passwords and never again actually logged in afterwards. So I reset the password over the phone. And six months later, my account was compromised again. That finally ended when I bought the key fob with Diablo 3 (I know I know...), but I seriously suspect that there are CS people or *somebody* who goes through and sifts for inactive accounts, resets the password, and sells the access to gold farmers.

Apple is perhaps the worst though. My account was compromised, email address reset, and whoever hacked it added a credit card and used that credit card to buy gift cards, so I lost no money. It took three days to regain access to my account, and at the end I only was able to because of social engineering. Apple is literally easier for hackers to abuse than for legitimate customers to get redress.
 
 
4. Re: Sunday Safety Dance Nov 25, 2012, 17:22 jimnms
 
And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I'd ever taken of my 18-month-old daughter.

I don't use Apple products for other reasons, but if what he says is true that is the #1 reason to never use Apple. I wouldn't want one company being able to remotely wipe all of my devices. And another point, what kind of moron doesn't keep external backups of important things like family pictures and documents?
 
MeanJim on Steam
 
3. Re: Sunday Safety Dance Nov 25, 2012, 16:16 J
 
My choice of login is relevant to this post  
 
2. Re: Sunday Safety Dance Nov 25, 2012, 13:08 Mashiki Amiketo
 
eRe4s3r wrote on Nov 25, 2012, 13:04:
The real issue: Using the email as a username. Which is absolutely stupid!
Bingo. A string of characters works fine to protect us; the problem, as you simply point out, is tying accounts to an email address. Once someone has that, you're effectively screwed.
 
--
"For every human problem,
there is a neat, simple solution;
and it is always wrong."
--H.L. Mencken
 
1. Re: Sunday Safety Dance Nov 25, 2012, 13:04 eRe4s3r
 
The real issue: Using the email as a username. Which is absolutely stupid!  