<div dir="ltr"><div><div><div><div><div><div>C,<br></div>many openid & openotp solutions are out there offering various eye catching e-identity authenticity management solutions and essentially software providers with the magic of SMS or hardware dudes with a shiny RSA style dongle and i do not think passwords or some high tech bio-id , or whatever else that is in fashion , is going to help an average citizen not getting rubbed or mugged ( read : blue screen asking a liberty reserve pay or wipe ) . passwords in essence are not really the security issue . no matter what is being considered as a key or an element of it , assuming we assign a fuzzy meaning to the concept of "key" and accept all sorts of Quantum universe goodness one can get offered , at some point "they will do you" whether you are a GCHQ/MI6 transvestite Math wizard , a security fella using typical silent 21-years-old-comodohackered-SSL connection for emails or a grandpa in U.S with made in china nice OTP dongle to go a normal banking . point is , the city is insecure with weapons of all strips , and with any conceptual police , your business is going to get Aramcoed real easy . what helps a fellow dd reader from getting Fcked is having the chance of owning bits of more intelligent genes and lesser habits of ignorance and a critical "soul" . sorry for the speech and i am no member of a password advocacy or lobby firm out there . just dont see the point in so much focus on the technical part of our electronic experience while i have seen much more "Human Factor"s involved in e-security . btw , i recall dave twitted about the book a while back . its phenomenal . get your copy and read it , it does good , and the money goes to children of the dead soldiers <br>
<br></div>D,<br></div>i am following some works get out of senate CRS and various , mostly chatter-type , signals from house CFA . there is an amazing pattern from 2006 up until now to build up mind games gear and political tools to produce an unsafe foggy wall around china acting like a determinant dark cloud on the east's possible supremacy . fun stuff are available for all to read under Open Government Act and where U.S wants to be standing at 2025 . younger folks : go for .pdf inurl:2025-strategy site:*.gov . i do not and can not know details of stories like this NYT thing , but i am as certain as i can reach to that WP post and NYT and a whole other dozens of media out there are not doing "Journalism" or "Research" . they do contract work and owned by like 5 power entity . so the story might be simply pure bullshit , a project , a gig for a pay -- or we've got a bunch of retard employees of a media outlet and some single digit IQ Chinese hackers.<br>
<br></div>meanwhile , Haaretz a news outlet close to powerful elements in .il recently pwned and i have read many interesting content in leaked emails , their headers , etc . that is what i call a story . <br><br></div>Peace<br>
</div>M.<br><div><div><div> <br></div></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Feb 4, 2013 at 7:06 PM, Charisse Castagnoli <span dir="ltr"><<a href="mailto:charisse@charissec.com" target="_blank">charisse@charissec.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Dave -<div><br></div><div>I agree NYT was playing with fire - but they stuck to their journalistic mission.</div>
<div>Maybe they have factored in the risk of being a continuous target of the countries and organizations they report on.</div><div><br></div><div>The password problem, on the other hand, is really frustrating.</div><div>
Why Why Why with mobile phones, tiny dongles etc. are we STILL using passwords everywhere.</div><div>I used to be able to get by with 3-5 passwords, now I have to have a different password on every account.</div><div>(Thank goodness for keeper)</div>
<div><br></div><div>We really have come to the point of absurdity with passwords. So, on that topic, does anyone in this esteemed group have an opinion about OpenID providers?</div><div>I'm looking to pay for my OpenID, I don't want to be dependent on a google or aol.</div>
<div><br></div><div><br></div><div><br><div>
<span style="text-indent:0px;letter-spacing:normal;font-variant:normal;text-align:-webkit-auto;font-style:normal;font-weight:normal;line-height:normal;border-collapse:separate;text-transform:none;font-size:medium;white-space:normal;font-family:Helvetica;word-spacing:0px"><span style="text-indent:0px;letter-spacing:normal;font-variant:normal;font-style:normal;font-weight:normal;line-height:normal;border-collapse:separate;text-transform:none;font-size:medium;white-space:normal;font-family:Helvetica;word-spacing:0px"><div style="word-wrap:break-word">
<div>Charisse Castagnoli</div><div><a href="mailto:charisse@charissec.com" target="_blank">charisse@charissec.com</a></div><div><br></div><div><br></div><div><br></div></div></span><br></span><br>
</div>
<br><div><div><div class="h5"><div>On Feb 1, 2013, at 4:19 PM, Dave Aitel wrote:</div><br></div></div><div><div><div class="h5">So one thing I think is interesting is that New York Times story.<br><br>Here's how it goes, in bullet points:<br>
1. NYT knows it's ruffling feathers, so it hires AT&T (??) to "watch<br>their network"<br>2. AT&T sees something, so NYT calls in Mandiant<br>3. Mandiant and NYT let the Chinese hack things and watch them while<br>
they penetrate into the domain controller and lots of other machines.<br>4. Article about this comes out on <a href="http://NYT.com" target="_blank">NYT.com</a>, calling out the Chinese.<br><br>So, as far as I can tell from their article, the Chinese have all the<br>
passwords for every NYT employee. This sounds like something that is not<br>good for NYT employees who may reuse their passwords elsewhere, even if<br>they're changed now.<br><br>Likewise, it seems like at any time the Chinese could have turned off<br>
the domain controller. That would probably have had significant<br>downsides for NYT, to say the least. Here's why they didn't: Their<br>policy did not let them. But that doesn't ameliorate all the risk, as<br>
even hackers make typos...<br><br>In other words, playing games with hackers on your network for a story<br>is a fundamentally bad idea. Because at some point, you're going to find<br>a contractor who screws up and doesn't follow their own policy (or can't<br>
type) and it's going to take down your whole business.<br><br>-dave<br><br>-- <br>INFILTRATE - the world's best offensive information security conference.<br>April 2013 in Miami Beach<br><a href="http://www.infiltratecon.com" target="_blank">www.infiltratecon.com</a><br>
<br><br></div></div>_______________________________________________<br>Dailydave mailing list<br><a href="mailto:Dailydave@lists.immunityinc.com" target="_blank">Dailydave@lists.immunityinc.com</a><br><a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</div></div><br></div></div><br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br></div>