Date: Tue, 10 Nov 2015 12:00:13 -0700
List-Id: Gentoo Linux mail <gentoo-user@lists.gentoo.org>
Reply-To: gentoo-user@lists.gentoo.org
In-Reply-To: <56423DAD.5030200@gentoo.org>
References: <56414A8C.1080701@gentoo.org> <56420397.8010504@gentoo.org> <56420DB1.80302@gmail.com> <56421438.4080202@gentoo.org> <564236F0.9020503@gmail.com> <56423DAD.5030200@gentoo.org>
Subject: Re: [gentoo-user] OpenSSH upgrade warning
From: Jeff Smelser
To: gentoo-user@lists.gentoo.org

On Tue, Nov 10, 2015 at 11:55 AM, Michael Orlitzky wrote:
> On 11/10/2015 01:26 PM, Alan McKinnon wrote:
> >
> > I think you are approaching this problem from the wrong viewpoint. You have to assume an attacker has vastly more resources to bear on the problem than you have. Thanks to Amazon and the cloud, this is now a very true reality. Brute force attacking a root password is nowhere near as complex as the maths would lead you to believe; for one thing they are decidedly not random. The fact is that they are heavily biased, mostly due to 1) you need to be able to remember it and 2) you need to be able to type it.
> >
> > Humans have been proven to be very bad at coming up with passwords that are truly good[1] and hard for computers to figure out. And our brains are very very VERY good at convincing us that our latest dumb idea is awesome. Are you really going to protect the mother lode (root password) with a single system proven to be quite broken and deeply flawed by wetware?
> >
>
> I know all that, but I asked you to assume that I'm not an idiot and that it would take forever to brute-force my root password =)
>
> I'm not going to tell you what it is, so you'll have to believe me.
>

I guess from this you're assuming that everyone's passwords that have been hacked are god, birthdays and such?
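Alan's point that human-chosen passwords are "heavily biased" can be put in numbers. The Python below is an added example, not code from the thread or from any list member: it contrasts the naive keyspace of an 11-character password over printable ASCII with the size of a constructed pattern grammar (dictionary word, optional capital, up to four trailing digits, optional symbol). The dictionary size, symbol count and guess rate are assumptions chosen for illustration.

```python
import math

# Constructed model of a "human-style" password.  All four parameters are
# assumptions for illustration, not measured data.
DICTIONARY_WORDS = 50_000        # assumed size of the guesser's word list
CAPITALISATION_CHOICES = 2       # all lowercase, or first letter capitalised
MAX_TRAILING_DIGITS = 4          # 0..4 digits appended to the word
SYMBOL_CHOICES = 33              # 32 printable ASCII symbols, or no symbol
PRINTABLE_ASCII = 95             # alphabet size the naive estimate assumes

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def uniform_bits(length, alphabet=PRINTABLE_ASCII):
    """Naive strength: every character drawn independently and uniformly."""
    return length * math.log2(alphabet)


def pattern_space():
    """Number of distinct passwords the constructed grammar can produce."""
    # 1 way to append zero digits, 10 ways for one digit, 100 for two, ...
    digit_combos = sum(10 ** n for n in range(MAX_TRAILING_DIGITS + 1))
    return DICTIONARY_WORDS * CAPITALISATION_CHOICES * digit_combos * SYMBOL_CHOICES


def pattern_bits():
    """Effective entropy if the guesser knows the password follows the grammar."""
    return math.log2(pattern_space())


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate in a space of 2**bits at the given rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(length, guesses_per_second):
    """Side-by-side view of the naive estimate and the pattern estimate."""
    naive, biased = uniform_bits(length), pattern_bits()
    return {
        "naive_bits": naive,
        "naive_years": years_to_exhaust(naive, guesses_per_second),
        "pattern_bits": biased,
        "pattern_years": years_to_exhaust(biased, guesses_per_second),
    }


if __name__ == "__main__":
    # 11 characters (e.g. a word, four digits, one symbol); the rate of
    # 1e9 guesses/s is an assumed figure for rented offline cracking capacity.
    for key, value in compare(11, 1e9).items():
        print(f"{key:>14}: {value:,.2f}")
```

The naive figure says roughly 72 bits; the grammar says about 35, which is the gap Alan is describing.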