* Posts by 124Out

9 publicly visible posts • joined 22 Jan 2010

Survey: '4 million' Brits stung by ID theft

124Out
Stop

Sex Lies and Cybercrime surveys

- Missing methodology section? Check!

- Unverified user input? Check!

- Report the average but not the median? Check!

- Sponsored by security vendor? Check!

"It is ironic then that our cyber-crime survey estimates rely almost exclusively on unverified user input. A practice that is regarded as unacceptable in writing code is ubiquitous in forming the estimates that drive policy."

http://www.theregister.co.uk/2011/06/09/cybercrime_surveys_are_tosh_says_ms/

Phishers switch focus to targeted attacks, warns Cisco

124Out
Stop

More junk surveys

Security vendor produces survey showing that everything is very scary.

Sex, lies and cybercrime surveys: http://www.theregister.co.uk/2011/06/09/cybercrime_surveys_are_tosh_says_ms/

Cybercrime figures 'as true as sexual-conquest scores'

124Out

So?

So, one virus 10 years ago cost the company you worked for 2 days' worth of work. How do we get from that to trillion dollar estimates exactly?

124Out
Thumb Up

Finally

I've always wondered where these estimates come from. What's going on is even worse than I imagined. One exaggerated response is all it takes to make the numbers rubbish.

The fact that estimates are usually put out by vendors and fudsters should have been a clue I guess.

Short passwords 'hopelessly inadequate', say boffins

124Out

6 chars is enough

> Your entry for Paypal, 8 chars, says you're wrong! Paypal may not think 12 chars is needed, but they obviously think that more than six is.

Not obvious. Everyone likes some margin for error. That serious sites like Facebook, hotmail, Fidelity manage with 6 chars suggests online brute-forcing can be resisted at that level.

> Anyway, many of those sites will not admit to intrusions even when they are aware of them, so your suggestion that "the people who run real sites know..." is spurious

Evidence?

> I suppose the people who run real banks know how to run, err, real banks? Experience of the past few years says they don't!

They knew how to run real banks for their own profit while shareholders got torched. Worked out rather well for them.

124Out
FAIL

Threat to your password is not brute-forcing

The Georgia Tech analysis makes sense only if the attacker has the hashed passwords. The threat to your password is keylogging, phishing, SQL injection etc. Online brute-forcing isn't very feasible against well protected sites.

Schneier's recent Cryptogram has a section about password policies at various sites:

http://www.schneier.com/blog/archives/2010/07/website_passwor_1.html

Policies at some well-known sites:

Amazon: 6 chars unrestricted

Fidelity Investments: 6 chars unrestricted

facebook: 6 chars unrestricted

Hotmail: 6 chars unrestricted

Yahoo: 6 chars unrestricted

Paypal: 8 chars unrestricted

The people who run real sites serving 100s of millions of users know that 6 chars is enough to protect against online attacks, and make sure that there's no offline attack. People who tell us that 12 chars are necessary have no idea what is actually going on.

Online crims not just 'speccy geeks', researchers warn

124Out
Stop

Not a single verifiable fact

"Trend Micro researchers cite underground sources in speculation that ZeuS programmers earn more than $800,000 per year. The potential earnings of botnet herders may be even higher than this"

They might be earning more than $800k, or only $80k, or $8k or nothing. The only good FUD is more FUD.

Weak passwords stored in browsers make hackers happy

124Out

Password advice does more harm than good

Users ignore it, because they understand that the cost is greater than the benefit.

Microsoft: http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf

Schneier: http://www.schneier.com/essay-282.html

RockYou hack reveals easy-to-crack passwords

124Out

Here we go again...........

The message here isn't the users who choose weak passwords. The message is the (32 million - N) users who wasted their time choosing and remembering strong passwords and had them compromised anyway.

Users show a better understanding of the risk than most security people:

http://www.schneier.com/blog/archives/2009/11/users_rationall.html