* Posts by DannyJr

8 publicly visible posts • joined 20 Jul 2011

How long is your password? HTTPS Bicycle attack reveals that and more

DannyJr

Optional

Yawn. So what if they knew my password is 16 characters long? It will still be computationally infeasible to find it through a brute-force search. As long as you use a password that is twelve or more characters long, has symbols, numbers, and capital letters, and does not contain dictionary words, it will be very difficult to attack. And if you use a good pseudorandom password generator then you're good to go.

One simple way to counter this ground-breaking attack is to use client-side scripting to hash the username and password in the browser before transmitting them. Then all credentials will have the same length. Problem solved.
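The length leak the article describes, and the fixed-length countermeasure this post proposes, as an added example (not code from the post or from The Register). It assumes a TLS cipher suite that adds no padding, so each record is plaintext length plus a constant (5-byte record header plus 16-byte AEAD tag), and it assumes the login form layout `username=...&password=...`; the usernames and passwords are constructed sample data.

```python
"""Length-leak model for a TLS-protected login POST.

Added example, not from the original post. Assumes an AEAD suite with no
padding (5-byte header + 16-byte tag), a known form layout, and constructed
sample credentials.
"""
import hashlib

TLS_OVERHEAD = 5 + 16            # assumed: record header + AEAD tag, no padding
TEMPLATE = "username={u}&password={p}"   # assumed layout of the login body


def login_body(username: str, password: str) -> str:
    """Plaintext body the browser would send for a plain login form."""
    return TEMPLATE.format(u=username, p=password)


def record_length(body: str) -> int:
    """Ciphertext length a passive observer sees for this body."""
    return len(body.encode()) + TLS_OVERHEAD


def fixed_overhead() -> int:
    """Bytes of the body that do not vary with the credentials."""
    return len(TEMPLATE.format(u="", p="").encode())


def password_length(observed_record_len: int, username_len: int) -> int:
    """Recover the password length from one observed login record.

    The username length is assumed known, e.g. from a login on an account
    the attacker controls, or from the same username seen elsewhere.
    """
    return observed_record_len - TLS_OVERHEAD - fixed_overhead() - username_len


def hashed_login_body(username: str, password: str) -> str:
    """Client-side hashing as the post proposes: both fields become
    fixed-length SHA-256 hex digests, so every login body has one length."""
    u = hashlib.sha256(username.encode()).hexdigest()
    p = hashlib.sha256(password.encode()).hexdigest()
    return TEMPLATE.format(u=u, p=p)


def demo():
    """Constructed captures: infer each password length, then show that the
    hashed variant yields identical record lengths for all of them."""
    captures = [("alice", "hunter2"), ("bob", "Tr0ub4dor&3xyz99"), ("carol", "x")]
    inferred = []
    for user, pw in captures:
        seen = record_length(login_body(user, pw))
        inferred.append((user, password_length(seen, len(user)), len(pw)))
    hashed_lens = {record_length(hashed_login_body(u, p)) for u, p in captures}
    return inferred, hashed_lens


if __name__ == "__main__":
    results, lengths = demo()
    for user, guessed, actual in results:
        print(f"{user}: inferred password length {guessed} (actual {actual})")
    print("distinct record lengths with client-side hashing:", len(lengths))
```

With the hashed body the digest is what the server receives, so the server must treat that digest as the stored, salted credential it verifies, and the same fixed-length property holds for any digest or fixed-width padding scheme, not only SHA-256.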

Half of UK financial institutions vulnerable to well-known crypto flaws

DannyJr

It goes to show that banks have piss-poor security and hide behind draconian laws to hide their flaws. White hatters would be reluctant to report flaws knowing that British laws are crap. It reminds me of this one bloke who found a gun lying around. He picked it up and brought it to the police as a good citizen. He was charged with gun possession, prosecuted, and convicted by a braindead jury of his peers. All because of badly written laws.

You can bet I won't be reporting online security flaws from UK firms. They got the laws they lobbied for, and they shall get the requisite response.

Researcher claims Facebook tried to gag him over critical flaw

DannyJr

John the Ripper

"John the Ripper, an open source password cracker capable of about 250 guesses a second"

Is it that slow? Wow, even with bcrypt I would expect the cracking software to do thousands of guesses per second, and hundreds of millions if MD5 is used.
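The guesses-per-second comparison this post makes, as an added example (not code from the post, The Register or John the Ripper). Python's standard library has no bcrypt, so `hashlib.scrypt` stands in as the deliberately slow password hash; that substitution, the scrypt cost parameters and the candidate list are assumptions, and the rates are for this interpreter on one core, not for a cracker's optimised kernels.

```python
"""Guess-rate benchmark: fast hash vs. slow password hash.

Added example, not from the original post. hashlib.scrypt stands in for
bcrypt (assumption), with an assumed cost setting; candidates are constructed.
"""
import hashlib
import os
import time

SALT = os.urandom(16)                                # constructed salt
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)    # assumed cost setting


def md5_guess(candidate: bytes) -> bytes:
    """One guess against an unsalted MD5 hash."""
    return hashlib.md5(candidate).digest()


def scrypt_guess(candidate: bytes) -> bytes:
    """One guess against a memory-hard hash (stand-in for bcrypt)."""
    return hashlib.scrypt(candidate, salt=SALT, **SCRYPT_PARAMS)


def candidates(count: int) -> list:
    """Constructed candidate passwords, one per guess."""
    return [b"candidate%08d" % i for i in range(count)]


def guesses_per_second(hash_fn, cands) -> float:
    """Time hash_fn over the candidates and return the guess rate."""
    start = time.perf_counter()
    for c in cands:
        hash_fn(c)
    elapsed = time.perf_counter() - start
    return len(cands) / elapsed


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every password of this length at this rate."""
    return charset_size ** length / rate


def benchmark() -> tuple:
    """Return (md5 guesses/s, scrypt guesses/s) measured on this machine."""
    md5_rate = guesses_per_second(md5_guess, candidates(200_000))
    slow_rate = guesses_per_second(scrypt_guess, candidates(10))
    return md5_rate, slow_rate


if __name__ == "__main__":
    md5_rate, slow_rate = benchmark()
    print(f"MD5:    {md5_rate:,.0f} guesses/s")
    print(f"scrypt: {slow_rate:,.0f} guesses/s")
    # 95 printable ASCII characters, 16-character password, worst case
    for name, rate in (("MD5", md5_rate), ("scrypt", slow_rate)):
        years = seconds_to_exhaust(95, 16, rate) / (365 * 24 * 3600)
        print(f"{name}: {years:.3e} years to exhaust 95^16")
```

The ratio between the two rates, rather than either absolute number, is the point: the slow hash costs the attacker the same factor per guess that it costs the server per login.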

IETF floats plan to PRISM-proof the Internet

DannyJr

Re: They still don't get it

The IETF designs and implements internet standards. They can, for instance, redesign the email standard to hide or obscure email headers. Or require TLS connections between email servers. Or make email transport encrypted instead of plaintext.

The IETF is one of the bodies that can solve the metadata problem. Your criticism is uninformed.

Open-source password keeper to get 'minor' weekend security fix

DannyJr
Thumb Up

Use 2.xx branch

This very minor vulnerability is only exploitable in the legacy (and .NET-free) KeePass 1.xx branch. Since all of the computers I use have .NET installed, I have no problems using KeePass 2.xx. It's a wee bit slower but a lot more secure and modern. Unless someone has an old OS or philosophical objections to .NET, I suggest everyone migrate to the 2.xx branch.

Hackers break SSL encryption used by millions of sites

DannyJr

Opera may have TLS 1.1 and 1.2 on by default, but almost no websites support them. I tried using Opera with only 1.1 and 1.2 on, and almost every https website failed to load. We need the major websites like GMail to support 1.1 and 1.2 so that we can safely turn off 1.0 and SSL 3.

Rupert Murdoch was never Keyser Soze

DannyJr

Different fictional character

He's no Keyser Soze but he's definitely Citizen Kane material.

Baidu apes Google with Chinese Chrome

DannyJr
Facepalm

Read first

@Karl Lattimer

You're half right. If you read the article before bitching, you would read the part that says it uses IE (Trident engine) to render basic html. And a review the post links to says:

"Baidu Browser uses IE for web browsing and Webkit for applications"

It looks like Chrome but uses Trident in addition to Webkit.