Do you have adblock enabled?
If you can read this, either the style sheet didn't load or you have an older browser that doesn't support style sheets. Try clearing your browser cache and refreshing the page.

(MacRumors)   Apple's multimillion dollar advanced security system foiled by a Scrabble dictionary and a shiatty graphics card. No, that isn't snark, that is the actual truth   (macrumors.com) divider line 90
    More: Fail, Scrabble, security systems, iOS, Scrabble dictionary, wifi hotspots, GPUs, random numbers, gas generator  
•       •       •

7438 clicks; posted to Geek » on 19 Jun 2013 at 10:52 PM (1 year ago)   |  Favorite    |   share:  Share on Twitter share via Email Share on Facebook   more»



90 Comments   (+0 »)
   
View Voting Results: Smartest and Funniest

Archived thread

First | « | 1 | 2 | » | Last | Show all
 
2013-06-20 03:38:24 AM  
Fun fact:  Carnegie Mellon web-based email used to send everything plaintext, all it took was a sniffer on the hotspot to gain full access to an email account.
 
2013-06-20 06:17:21 AM  

LockeOak: Not into IT at all, but wouldn't it be easy to avoid brute force attempts like this by simply limiting the number of attempted connections from one device (or all devices, to prevent spoofing of the device id) per minute?


Yes, it would. It is a disgrace that Apple (and probably other companies) didn't do that. 1 attempt/second, 5 second wait after 3 fails and a 15 minute lockout after 5 fails would boost the time required to several years. Or just put a (manually revocable) lifetime ban on the device that reaches 10 fails. The ban could probably be circumvented by spoofing a different ip/mac address but it would probably be more effort than it is worth anyway. Or the hotspot could turn off if more than a 1 device has reached the level at which bans are given.

The hacker wouldn't be nearby for longer than a few hours anyway, considering that this is about mobile hotspots.
 
2013-06-20 06:29:39 AM  
Before I forget:

The team discovered that only a small set of Apple's larger word list was being used, so with GPU cluster of four AMD Radeon HD 7970s, they narrowed their iOS-generated hotspot password cracking time down to just 50 seconds.

That is 4 video cards which according to Newegg are at least $360 each. Good luck putting that on a mobile platform.
 
2013-06-20 06:39:19 AM  

hardinparamedic: Real men use Hungarian Phrasebooks.


Drop your panties, Ilsa, I cannot wait 'til lunchtime!

/I cannot buy this tobacconist's, it is scratched
//All my passwords contain MAD onomatopoeia or words I've made up myself
 
2013-06-20 07:13:12 AM  

hamdinger: GreenAdder: Who the fark uses a default password on anything?

Apple users.


Hell, I might in this case.

1. The hotspot is only on temporarily.
2. I would only be using it in a place where I can't get a normal wifi connection, so even a coffee shop is too connected for this scenario.
3. It would be incredibly unlikely that someone would have the hardware and software available and be attempting to hack a wifi connection in the short time I am using the hotspot.
4. Even if they got on to the hotspot, unless they are mailing out threatening emails to the President or downloading kiddie porn, who the hell cares.
5. That is a long/expensive way for someone to go to get access to the Internet.

An analogy would be the fact that I don't put metal bars over all the windows in my house even though breaking a window is a trivially easy way to bypass the locked door. Some security measures are really there to put up enough of a barrier to keep most people honest.
 
2013-06-20 07:16:57 AM  
Isn't the real question why Apple didn't use a random password? It doesn't need to be memorable or pronouncable. Why use dictionary words at all? 12 random characters would be easier and more secure.
 
2013-06-20 07:39:00 AM  

DerAppie: LockeOak: Not into IT at all, but wouldn't it be easy to avoid brute force attempts like this by simply limiting the number of attempted connections from one device (or all devices, to prevent spoofing of the device id) per minute?

Yes, it would. It is a disgrace that Apple (and probably other companies) didn't do that. 1 attempt/second, 5 second wait after 3 fails and a 15 minute lockout after 5 fails would boost the time required to several years. Or just put a (manually revocable) lifetime ban on the device that reaches 10 fails. The ban could probably be circumvented by spoofing a different ip/mac address but it would probably be more effort than it is worth anyway. Or the hotspot could turn off if more than a 1 device has reached the level at which bans are given.

The hacker wouldn't be nearby for longer than a few hours anyway, considering that this is about mobile hotspots.


While it's a good idea (and some systems do have this sort of security), it wouldn't be applicable, as WiFi cracking is an offline exercise.  You capture traffic from the air and then crack that traffic locally.
 
2013-06-20 07:52:09 AM  

Pinko_Commie: DerAppie: LockeOak: Not into IT at all, but wouldn't it be easy to avoid brute force attempts like this by simply limiting the number of attempted connections from one device (or all devices, to prevent spoofing of the device id) per minute?

Yes, it would. It is a disgrace that Apple (and probably other companies) didn't do that. 1 attempt/second, 5 second wait after 3 fails and a 15 minute lockout after 5 fails would boost the time required to several years. Or just put a (manually revocable) lifetime ban on the device that reaches 10 fails. The ban could probably be circumvented by spoofing a different ip/mac address but it would probably be more effort than it is worth anyway. Or the hotspot could turn off if more than a 1 device has reached the level at which bans are given.

The hacker wouldn't be nearby for longer than a few hours anyway, considering that this is about mobile hotspots.

While it's a good idea (and some systems do have this sort of security), it wouldn't be applicable, as WiFi cracking is an offline exercise.  You capture traffic from the air and then crack that traffic locally.


Stupid me... Forgot that the security data needs to be sent along with the rest of the transmission.
 
2013-06-20 09:14:07 AM  

Quantumbunny: RealAmericanHero: Wow! Whoever wrote this headline straight up doesn't know what they are talking about. All they are talking about is when you turn on an option to create a hotspot. It's no "advanced security system." It's a short algorithm that generates an 8 character password consisting of letters and numbers that probably took some guy 10 minutes to create. The simplicity is for the sake of users who can't be bothered to input a secure password (I've ran into people who couldn't be assed to put in a password with symbols. They actually complained.) Subby is a total dumbass.

If you don't think it's unreasonable to choose a password consisting of at least 3 of the following that changes every 2 months and can't re-use any 6 character chunk...
number
lower case letter
upper case letter
special character

I think that merits complaining. Even assuming you chose part of the opening sentence of your favorite book... "Now is the winter of our discontent", for example, the time it would take to crack my sentence is somewhere on the order of 200x longer than the 8 character garble I am forced to use at work. In my case, it's actually worse, as a contractor, my company has a 2mo cycle, the client has a 3mo cycle. So I am have numerous of these stupid passwords at a go.

Logically, If I chose say... a 30 character phrase, I should be able to keep my password at least a year. I'm sick of managing passwords.


This
 
2013-06-20 09:22:58 AM  
Just tested my WIFI password at https://howsecureismypassword.net/

Results:

It would take a desktop PC about A million years to crack your password


I think I'm good.
 
2013-06-20 09:27:42 AM  
Tested the password I have at work:

It would take a desktop PC about 3 quadrillion years to crack your password

Guess I'm good there too.
 
2013-06-20 09:28:47 AM  

ZAZ: If only there were some geek who couldn't draw to make a webcomic instruction on creating easily remembered but hard to crack passwords.


"battery staple correct horse"!  Crap, that didn't work... maybe "correct horse staple battery"?  Hm.

If I were a password cracker focusing on Reddit-type I'm-a-nerd-LOL-me-too sites, I'd give a strong weight to "four dictionary words separated by spaces" in my cracking algorithm after the publication of that xkcd comic.
 
2013-06-20 09:48:06 AM  

imfallen_angel: Tested the password I have at work:

It would take a desktop PC about 3 quadrillion years to crack your password

Guess I'm good there too.


I did the same thing to my wifi password and got 312 nonillion years. I had never even heard of a nonillion
 
2013-06-20 10:25:04 AM  
Penisx12 takes 62 unvigintillion years to crack according to that site.
 
2013-06-20 10:30:32 AM  
Isn't this one of the plot points from Ocean's 14?
 
2013-06-20 10:59:59 AM  
From the comments:

"Wow, I guess next time I setup a personal hotspot to check my email on my laptop, I'd better watch out for someone nearby with a "GPU cluster of four AMD Radeon HD 7970s".

BTW Subby, the card you listed in the headline is far from 'shiatty" - it only is if you're a "733t gamer"
 
2013-06-20 11:41:57 AM  

imfallen_angel: Just tested my WIFI password at https://howsecureismypassword.net/

Results:

It would take a desktop PC about A million years to crack your password


I think I'm good.


That (and all the sites like it) is actually a really crappy and misleading place to test strength. "A desktop PC" doesn't tell you what's actually doing it. Are they saying a dual core, 3.2Ghz processor? How about a couple GPUs? Or is it a 4, 8, 12 core processor? What's the power in like? What's the latency on the hardware?

The only absolute measurement is mathematic, expressed as entropy (as referenced in the XKCD comic above). With that knowledge, you can then apply the degrees of entropy to the actual machine doing the cracking. Here's a much better page that also gives guidelines on good passwords, and why they're good:

http://rumkin.com/tools/password/passchk.php

For example, a password I use for non-essential non-financial stuff would take "4 thousand years" on the crappy first site, while that same password gives me this result from my link:

Length: 11
Strength: Reasonable - This password is fairly secure cryptographically and skilled hackers may need some good computing power to crack it. (Depends greatly on implementation!)
Entropy: 45.3 bits
Charset Size: 72 characters

In other words, one site says OMG NEVER, the other says "yeah, you're going to have to buy some more GPUs."
 
2013-06-20 11:43:21 AM  

imfallen_angel: Just tested my WIFI password at https://howsecureismypassword.net/

Results:

It would take a desktop PC about A million years to crack your password


I think I'm good.


It would take a desktop PC about 177 quintillion years to crack your password (wow) I guess I can cut that one back
 
2013-06-20 12:07:54 PM  

HeFixesTheCable: In other words, one site says OMG NEVER, the other says "yeah, you're going to have to buy some more GPUs."


Problem is... the way that a password cracker works can differ from one to the other.  Using one that would be able to guess (or test) words upon the first letters received in an intelligent manner, would be able to crack just about any word combination.

If I had "CorrectHorseStapleBattery" for example, as a very good algorithm would start with breaking the chain ********************* into multiple possible length of words (considering that most password cannot take spaces).

Now, if you take a system that allows a letter by letter echo.. like you see in movies where each character is guessed one by one, instead of simply "all or nothing" approach that I assume is more of a reality for most systems, the "cracking" is infinitely different.

So the password isn't the only factor here, the system is also.  Lock down after 5 tries? complete lockout or timer that requires 1-12-24 hours before 5 more tries?

Heck, a decent serious system could have a system that the password would also have a time factor such as one character requires to be different according to time or any other factor (temperature, weather condition, colour for background that's rotating, all of them assigned a particular character) so that the password isn't static, but yet, very easy to use.

If I wanted to design a bulletproof system, I'd be sure to incorporate such a device.

We also have the whole biometrics (fingerprints and eyeball scans), that movies has shown can be bypassed with gum or cutting someone's finger or eyeball out.

But seriously, it's a question of how far does one goes for their access to be protected?

I wouldn't want someone playing in my bank accounts, of course, but how much of a target am I, or do I make myself to be.

Our PIN for bank cards are 4-5 digits... very far from secure according to these sites, but yet, that's what we use every day.
 
2013-06-20 12:08:17 PM  

HeFixesTheCable: That (and all the sites like it) is actually a really crappy and misleading place to test strength. "A desktop PC" doesn't tell you what's actually doing it. Are they saying a dual core, 3.2Ghz processor? How about a couple GPUs? Or is it a 4, 8, 12 core processor? What's the power in like? What's the latency on the hardware?


The performance difference between an entry-level desktop and a high-end one at any given time is what, one order of magnitude?  Maybe two?   Does it matter to someone if the site reports back that it will take a million years to brute-force the solution, or "only" ten thousand years?

Keep in mind also that these estimates, whether based on bits of entropy, or arbitrary hardware time required to resolve bits of entropy, are always for the most pessimal case: a solution is guaranteed within  n attempts, but if the algorithm is smart or lucky it will likely take far fewer than that.
 
2013-06-20 01:03:54 PM  

poot_rootbeer: HeFixesTheCable: That (and all the sites like it) is actually a really crappy and misleading place to test strength. "A desktop PC" doesn't tell you what's actually doing it. Are they saying a dual core, 3.2Ghz processor? How about a couple GPUs? Or is it a 4, 8, 12 core processor? What's the power in like? What's the latency on the hardware?

The performance difference between an entry-level desktop and a high-end one at any given time is what, one order of magnitude?  Maybe two?   Does it matter to someone if the site reports back that it will take a million years to brute-force the solution, or "only" ten thousand years?

Keep in mind also that these estimates, whether based on bits of entropy, or arbitrary hardware time required to resolve bits of entropy, are always for the most pessimal case: a solution is guaranteed within  n attempts, but if the algorithm is smart or lucky it will likely take far fewer than that.


You are quite correct that the order of magnitude may be as little as 2, just doing a simple example to illustrate how vague these sites are. I should also have made the point that "no one's using an off the shelf desktop PC who is doing this full-time/for a living."

I can tell you, too, that the password I typed in would take WAY less than 4 thousand years for a "smart" program. It uses a semi-common word, in a VERY familiar password format: First letter uppercase, #s and symbols after. The original site doesn't take that into account, because it's not measuring entropy. As another person noted, if you're already using "correcthorsebatterystaple," it might seem uncrackable...if you didn't speak english.

And yep, it may get lucky much sooner than that, which is true of every password. Adding entropy means that it will hopefully take longer to get lucky. All your points are valid, however.
 
2013-06-20 02:42:57 PM  

imfallen_angel: Just tested my WIFI password at https://howsecureismypassword.net/


imfallen_angel: Tested the password I have at work:


MightyPez: I did the same thing to my wifi password and got 312 nonillion years.


Mcaffolder: It would take a desktop PC about 177 quintillion years to crack your password (wow) I guess I can cut that one back


So y'all just went and typed your passwords into a random page on the internet to see what would happen? I hope you're not the ones complaining about "weak security" in the automated device handshakes... I believe that's what tech service reps call a DSBKF error.
 
2013-06-20 03:20:20 PM  

LoneVVolf: So y'all just went and typed your passwords into a random page on the internet to see what would happen? I hope you're not the ones complaining about "weak security" in the automated device handshakes... I believe that's what tech service reps call a DSBKF error.


Meh, the fact is that I doubt very much that someone from that particular site would be able to figure out which system, etc. that uses said passwords, as I don't think their WIFIs can reach that far.
 
2013-06-20 03:25:51 PM  

LoneVVolf: So y'all just went and typed your passwords into a random page on the internet to see what would happen? I hope you're not the ones complaining about "weak security" in the automated device handshakes... I believe that's what tech service reps call a DSBKF error.


Yes, I'm sure that web site is nefariously wringing its hands at a password I soley use for my wifi at home. And I did this from a place that wasn't from that network, so clearly these evil deeds they are doing will come back to haunt me.

It's also a shame I can't change it any time if I feel these ne'er-do-wells somehow find my small geographic location and start leeching my meager bandwidth to fuel their plot of nebulous evil.
 
2013-06-20 03:29:05 PM  

HeFixesTheCable: And yep, it may get lucky much sooner than that, which is true of every password. Adding entropy means that it will hopefully take longer to get lucky. All your points are valid, however.


So technically, if you have a routine cracker that uses a replacement parameter to test all characters one at a time:  aaaaaaaaa is pretty useless, ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ (being the last ASCII character) should be the best (using same number of characters)

LOL

/just jesting, but still funny....
 
2013-06-20 03:29:47 PM  

MightyPez: to fuel their plot of nebulous evil.


NARF!
 
2013-06-20 04:41:13 PM  

imfallen_angel: Tested the password I have at work:

It would take a desktop PC about 3 quadrillion years to crack your password

Guess I'm good there too.



In case somebody else hasn't sufficiently congratulated you.
You've just added your home and work passwords to a database that tracks your IP.
Mazal tov.
 
2013-06-20 05:01:06 PM  

demaL-demaL-yeH: imfallen_angel: Tested the password I have at work:

It would take a desktop PC about 3 quadrillion years to crack your password

Guess I'm good there too.


In case somebody else hasn't sufficiently congratulated you.
You've just added your home and work passwords to a database that tracks your IP.
Mazal tov.


It's ok, I'm being a bunch of moxies...
 
2013-06-20 05:20:50 PM  

imfallen_angel: demaL-demaL-yeH: imfallen_angel: Tested the password I have at work:

It would take a desktop PC about 3 quadrillion years to crack your password

Guess I'm good there too.


In case somebody else hasn't sufficiently congratulated you.
You've just added your home and work passwords to a database that tracks your IP.
Mazal tov.

It's ok, I'm being a bunch of moxies...


Ya, 'cause nobody would ever think of adding them to a dictionary.
 
2013-06-20 05:31:14 PM  

demaL-demaL-yeH: Ya, 'cause nobody would ever think of adding them to a dictionary.


Well, the fact that they'd need a loooooot of power to have their WIFIs reach mine, and odds are, mine doesn't broadcast that far either, and well... having other restrictions such as MAC address limitations, etc.

You'd still need to get the other passwords for the machines too.  The worse they'd do is might be able to print on the WIFI printers. Oh dear.... the world will crumble.

I'm not really much of a foil wearing nut that has a government reading everything you write online.... but it appears that you are.. so good luck with that.
 
2013-06-20 05:51:55 PM  

imfallen_angel: demaL-demaL-yeH: Ya, 'cause nobody would ever think of adding them to a dictionary.

Well, the fact that they'd need a loooooot of power to have their WIFIs reach mine, and odds are, mine doesn't broadcast that far either, and well... having other restrictions such as MAC address limitations, etc.

You'd still need to get the other passwords for the machines too.  The worse they'd do is might be able to print on the WIFI printers. Oh dear.... the world will crumble.
I'm not really much of a foil wearing nut that has a government reading everything you write online.... but it appears that you are.. so good luck with that.


Interesting. I'm fairly certain that my email is of no interest to the federal government, although some of my fark comments might be vaguely amusing. I am concerned that so much traffic is being intercepted, and even more concerned that the agencies doing the interceptions claim, for all sorts of specious excuses, that Amendment IV doesn't apply to private correspondence. The vacuum-cleaner approach has one, huge, obvious, glaring flaw: False positives are overwhelming investigative resources.

That sworn officers of the United States would excuse this approach is disgusting, but unsurprising: CYA is a rational trait of bureaucrats. That the Supreme Court keeps giving their bullshiat arguments any credence - to the point of barring suits because the plaintiff can't prove standing so they can dodge striking down clearly unconstitutional laws - is distressing. The courts grant undue deference to the executive branch. I do state as fact that FISA as originally written and implemented was more than sufficient to get the job done.

If that falls into tinfoil hat territory, so be it.
 
2013-06-20 05:57:46 PM  

demaL-demaL-yeH: imfallen_angel: demaL-demaL-yeH: Ya, 'cause nobody would ever think of adding them to a dictionary.

Well, the fact that they'd need a loooooot of power to have their WIFIs reach mine, and odds are, mine doesn't broadcast that far either, and well... having other restrictions such as MAC address limitations, etc.

You'd still need to get the other passwords for the machines too.  The worse they'd do is might be able to print on the WIFI printers. Oh dear.... the world will crumble.
I'm not really much of a foil wearing nut that has a government reading everything you write online.... but it appears that you are.. so good luck with that.

Interesting. I'm fairly certain that my email is of no interest to the federal government, although some of my fark comments might be vaguely amusing. I am concerned that so much traffic is being intercepted, and even more concerned that the agencies doing the interceptions claim, for all sorts of specious excuses, that Amendment IV doesn't apply to private correspondence. The vacuum-cleaner approach has one, huge, obvious, glaring flaw: False positives are overwhelming investigative resources.

That sworn officers of the United States would excuse this approach is disgusting, but unsurprising: CYA is a rational trait of bureaucrats. That the Supreme Court keeps giving their bullshiat arguments any credence - to the point of barring suits because the plaintiff can't prove standing so they can dodge striking down clearly unconstitutional laws - is distressing. The courts grant undue deference to the executive branch. I do state as fact that FISA as originally written and implemented was more than sufficient to get the job done.

If that falls into tinfoil hat territory, so be it.


That's like thinking that a piece of glass will stop a person from getting inside your house and doing vile things to you or your property...

People are funny that way...
 
2013-06-20 06:08:05 PM  

imfallen_angel: That's like thinking that a piece of glass will stop a person from getting inside your house and doing vile things to you or your property...

People are funny that way...


What in the blue blazes are you doing throwing out a non-sequitur like that?
 
2013-06-20 06:21:41 PM  

demaL-demaL-yeH: imfallen_angel: That's like thinking that a piece of glass will stop a person from getting inside your house and doing vile things to you or your property...

People are funny that way...

What in the blue blazes are you doing throwing out a non-sequitur like that?


Guess the point is too high for you to reach....

Just saying, regardless of how secure one would assume something to be, it's simply not, there's always a way to do it.

Security as a whole is an illusion, on the internet, even more so.

A house you can protect with a fence, barriers, etc. and can be controlled,while the internet, well, anything one does is flying on wires, going through servers, etc... the only way to secure a computer 100% is to not plug it in into such a network.

But anyways, the thing is that if you're worried about the government, I'd worry more about Google's tracking every more you do.
 
2013-06-20 07:06:29 PM  

imfallen_angel: demaL-demaL-yeH: imfallen_angel: That's like thinking that a piece of glass will stop a person from getting inside your house and doing vile things to you or your property...
People are funny that way...

What in the blue blazes are you doing throwing out a non-sequitur like that?

Guess the point is too high for you to reach....
Just saying, regardless of how secure one would assume something to be, it's simply not, there's always a way to do it.
Security as a whole is an illusion, on the internet, even more so.
A house you can protect with a fence, barriers, etc. and can be controlled,while the internet, well, anything one does is flying on wires, going through servers, etc... the only way to secure a computer 100% is to not plug it in into such a network.
But anyways, the thing is that if you're worried about the government, I'd worry more about Google's tracking every more you do.


Nice try, eh. Take a gander at what you quoted with your comment, apologize, and move on.
(Do you believe that your communications are sacrosanct? Because Jenny S. seems to have some concerns.)
 
2013-06-20 08:10:55 PM  

demaL-demaL-yeH: Nice try, eh. Take a gander at what you quoted with your comment, apologize, and move on.
(Do you believe that your communications are sacrosanct? Because Jenny S. seems to have some concerns.)


Ok, I'm so very sorry that you couldn't understand my point and have a need to have a superiority complex.

We good?
 
2013-06-20 08:49:09 PM  
imfallen_angel : So technically, if you have a routine cracker that uses a replacement parameter to test all characters one at a time: aaaaaaaaa is pretty useless, ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ ÿ (being the last ASCII character) should be the best (using same number of characters)

But brute force is the very very very last thing you try.

long, but good read
 
2013-06-20 08:51:42 PM  
^ edit. I specifically meant the untargeted brute force that you were implying.

IE, try every character combination in sequence until you find the password.
 
2013-06-20 09:05:39 PM  

imfallen_angel: demaL-demaL-yeH: Nice try, eh. Take a gander at what you quoted with your comment, apologize, and move on.
(Do you believe that your communications are sacrosanct? Because Jenny S. seems to have some concerns.)

Ok, I'm so very sorry that you couldn't understand my point and have a need to have a superiority complex.

We good?


Project much, or do you save it up for fark, eh?
 
2013-06-20 11:53:53 PM  

demaL-demaL-yeH: imfallen_angel: demaL-demaL-yeH: Nice try, eh. Take a gander at what you quoted with your comment, apologize, and move on.
(Do you believe that your communications are sacrosanct? Because Jenny S. seems to have some concerns.)

Ok, I'm so very sorry that you couldn't understand my point and have a need to have a superiority complex.

We good?

Project much, or do you save it up for fark, eh?


Now talk about not being able to move on.. shessss...
 
Displayed 40 of 90 comments

First | « | 1 | 2 | » | Last | Show all

View Voting Results: Smartest and Funniest


This thread is archived, and closed to new comments.

Continue Farking
Submit a Link »
Advertisement
On Twitter





In Other Media


  1. Links are submitted by members of the Fark community.

  2. When community members submit a link, they also write a custom headline for the story.

  3. Other Farkers comment on the links. This is the number of comments. Click here to read them.

  4. Click here to submit a link.

Report