Re: [CentOS] what percent of time are there unpatched exploits against default config?
There is a concept called dynamic firewall I am working on that should eliminate any brute force attempts. If you think about it, if you know someone is trying to break in there is no need to give them access to the server any more. So after a hundred wrong passwords you cut them off.

Reindl Harald wrote:
> On 29.12.2011 12:56, Leonard den Ottolander wrote:
>> Hello Reindl,
>>
>> On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:
>>> On 29.12.2011 09:17, Bennett Haselton wrote:
>>>> Even though the ssh key is more random, they're both sufficiently
>>>> random that it would take at least hundreds of years to get in by
>>>> trial and error.
>>>
>>> if you really think your 12-chars password is as secure
>>> as a ssh-key protected with this password you should
>>> consider to take some education in security
>>
>> Bennett clearly states that he understands the ssh key is more random,
>> but wonders why a 12 char password (of roughly 6 bits entropy per byte
>> assuming upper & lower case characters and numbers) wouldn't be
>> sufficient.
>
> so explain me why discuss to use or not to use the best
> currently available method in context of security?
>
> this is a secure configuration with no costs
> so why not use it?
>
> PasswordAuthentication no
> ChallengeResponseAuthentication no
> GSSAPIAuthentication no
> GSSAPICleanupCredentials no
> RSAAuthentication yes
> PubkeyAuthentication yes
> PermitEmptyPasswords no
> PermitRootLogin without-password
> AllowGroups root verwaltung
> AllowUsers root harry
> IgnoreRhosts yes
> HostbasedAuthentication no
> StrictModes yes
> UseDNS no
> UsePrivilegeSeparation yes
> UsePAM yes
> LoginGraceTime 25
> MaxAuthTries 10
> MaxStartups 25

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/30/2011 03:55 AM, Alex Milojkovic wrote:
> There is a concept called dynamic firewall i am working on that should
> eliminate any brute force attempts. If you think about it, if you know
> someone is trying to break in there is no need to give them access to the
> server any more. So after a hundred wrong passwords you cut them off.

http://www.fail2ban.org/wiki/index.php/Main_Page
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/30/2011 02:33 AM, Ljubomir Ljubojevic wrote:
> I like to use serial numbers from MB, HDD, etc., as passwords. I never
> use normal words for my passwords, and few other users (with ssh/cli
> access) are carefully checked for their passwords.
>
> If this formula is true "(1/2 . 2 ^ 54 . 1s / 10)" for 9 *random*
> character password, then 0.5 * 18014398509481984 /10 gives
> 900719925474099 seconds to crack it, or 10424999137 days per attacker.
>
> If you use denyhosts or fail2ban, attacker needs 10,000 attack PC's that
> never attacked any denyhosts or fail2ban server in recent time.
>
> So for army of 10,000 attacker PC's, bruteforce ssh needs 1042499 days,
> or 2856 years to crack it. Is this correct figure?
>

Unfortunately, no, it is not a correct number. There are a few situational variables that have to be considered to really assess the security of a password, and theoretical best-case entropy is only a small part of that.

If, for example, you login remotely using a password that has to cross an untrusted network you should expect that it is being sniffed. Now this is less a problem because it should be encrypted. The situation is the same for local Windows or Linux logins -- all systems I know of encrypt passwords for storage by default, which isn't much different than how simple password encryption works across the network.

There is a problem with this, however. The password, however long, is reduced to a fixed-length hash in most password encryption schemes. Because of the wonders of modulo mathematics the total set of possible hashes is a lot less than the total set of possible passwords. What this means is we can start attacking the algorithm itself, in preparation for trying to decrypt intercepted data (of any type that falls under a signature/hash type scheme, not just passwords).

We can start a 10,000 computer botnet (or, more realistically, a 10m computer botnet these days, and this is a technique used right now) working on the problem of assembling a new index table that orders and assigns every possible valid hash said algorithm can produce, and start assigning values.

Essentially, we can move the computing cost up-front by assuming that we indeed *do* have to try *every* possible password, which means computing done 5 years ago applies to your brand new password today.

Something weird about the way encryption algorithms tend to work is that as you move through the list of possible hashes you find large spans of values that are impossible to actually arrive at given the set of data a user can enter. You can move those to the side, and this massively reduces the work load (but it's something you can't discover until you're well into building the hash index, which might be a year or so).

You can also start with targeted hash indexing, meaning you first run through every possible dictionary word, then every variant of, then every possible combination of, then every possible combination with l33t substitutions, then any data set that you can scan from external sources (meaning things people might see and decide to use as a password that isn't in the dictionary, which is the category your S/N scheme falls into...), all of the above with numeric insertions (4, 2 and scattered single digits are most common, so focus on those), names of companies, etc.

Going this route you can can about 99% of average user passwords in about a month. This is how John the Ripper works, in a nutshell -- it has a hash index of pre-checked phrases in a myriad of different hashing schemes and just checks the hashed password against the index to locate the list of possible correct ones, which is a pretty short list.

Anyway, to keep from getting into too much math, just consider that password cracking is not only based on entropy of the password, and the concept of passwords encrypted for transit or storage has been around long enough that hash tables exist for a vast number of common algorithms.

If you are only logging on locally *and* you are nearly certain that nobody has access to your password storage, then you're just fine. Most users who don't spend time using IE to surf unsavory websites and click on everything those websites have to offer are safe from this. People who log in remotely, however, face a different challenge. People who login to a web interface using a password have a SERIOUS problem, in my opinion, because HTTP cannot be secured, and some websites (even banks!) sometimes don't have a public HTTPS, but force the user to use a HTTP->HTTPS redirect, which makes securing it literally impossible.

Blah blah. I'm glossing over some details here and there are as many different cracking scenarios which involve their own weaknesses as there are systems.

In short, keys, man, keys. It's not perfect, but it is much stronger than passwords and in my experience FAR much less hassle.

-Iwao
[CentOS] Need help in writing a shell/bash script
Hi Friends,

I am trying to write a shell script which can merge the 2 columns into 3rd one on Centos 5. The file is very long around 31200 rows having around 1370 unique groups and around 12000 unique user-names. The 1st column is the groupname and then 2nd column is the user-name.

1st Column (Groupname)    2nd Column (username)
admin                     ankush
admin                     amit
powerusers                dinesh
powerusers                jitendra

The desired output should be like this

admin: ankush, amit
powerusers: dinesh, jitendra

There are commands available but not able to use it properly to get the desired output. Please help me

Thanks & Regards
Ankush
Re: [CentOS] UC Need help in writing a shell/bash script
I knocked up the enclosed under Cygwin: #!/bin/sh ( cat
Re: [CentOS] Need help in writing a shell/bash script
Hi,

On Friday, December 30, 2011 at 9:00 PM, ankush grover wrote:
> Hi Friends,
>
> I am trying to write a shell script which can merge the 2 columns into
> 3rd one on Centos 5. The file is very long around 31200 rows having
> around 1370 unique groups and around 12000 unique user-names.
> The 1st column is the groupname and then 2nd column is the user-name.

I’m not sure I understood that “2 columns into 3rd one” there but...

> 1st Column (Groupname) 2nd Column (username)
> admin ankush
> admin amit
> powerusers dinesh
> powerusers jitendra

If that’s the format of your input and …

> The desired output should be like this
>
> admin: ankush, amit
> powerusers: dinesh, jitendra
>

If that’s your desired output, and assuming the input file is already sorted, try the ff:

# -- code starts here -->
#!/bin/bash
# Collapse sorted "group user" lines into "group: user1, user2, ..." lines.
GROUPNAMENOW=''
while read LINE
do
    GROUPNAME=$(echo $LINE | cut -d ' ' -f 1)
    USERNAME=$(echo $LINE | cut -d ' ' -f 2)
    if [ "$GROUPNAME" == "$GROUPNAMENOW" ]; then
        # Same group as the previous line: stay on the current output line.
        echo -n ", $USERNAME"
    else
        # New group: end the previous output line (if any), start the next.
        [ -n "$GROUPNAMENOW" ] && echo
        GROUPNAMENOW=$GROUPNAME
        echo -n "$GROUPNAMENOW: $USERNAME"
    fi
done < input.txt
# Terminate the last output line.
[ -n "$GROUPNAMENOW" ] && echo
# <-- code ends here --

Note: Tested and worked as expected in OS X. It should work in CentOS too.

HTH,

--
- Edo -
mailto:ml2ed...@gmail.com
“Happy are those conscious of their spiritual need …” —Matthew 5:3
Re: [CentOS] UC Need help in writing a shell/bash script
Rushton Martin wrote:
> I knocked up the enclosed under Cygwin:
>
> #!/bin/sh
> (
> cat <<EOTx
> admin ankush
> admin amit
> powerusers dinesh
> powerusers jitendra
> EOTx
> ) | awk '
> {
>     grpnm[$1] = grpnm[$1] ", " $2
> }
> END {
>     for (i in grpnm) {
>         print i ": " substr(grpnm[i], 3)
>     }
> }
> ' | sort
>

Why use cat? Why not just stick the filename in the command line, right after the closing ', and before the pipe?

        mark
Re: [CentOS] UC UC Need help in writing a shell/bash script
Demonstration purposes only. I wanted to show the data going in was the user's data as described. The awk script is the key, the cat and sort are merely decoration.

Martin Rushton
HPC System Manager, Weapons Technologies

-----Original Message-----
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of m.r...@5-cent.us
Sent: 30 December 2011 15:06
To: CentOS mailing list
Subject: Re: [CentOS] UC Need help in writing a shell/bash script

Rushton Martin wrote:
> I knocked up the enclosed under Cygwin:
>
> #!/bin/sh
> (
> cat <<EOTx
> admin ankush
> admin amit
> powerusers dinesh
> powerusers jitendra
> EOTx
> ) | awk '
> {
>     grpnm[$1] = grpnm[$1] ", " $2
> }
> END {
>     for (i in grpnm) {
>         print i ": " substr(grpnm[i], 3)
>     }
> }
> ' | sort
>

Why use cat? Why not just stick the filename in the command line, right after the closing ', and before the pipe?

        mark
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On Wednesday, December 28, 2011 10:38:30 PM Craig White wrote:
> the top priority was to get the machine back online?
>
> Seems to me that you threw away the only opportunity to find out what
> you did wrong and to correct that so it doesn't happen again. You are
> left to endlessly suffer the endless possibilities and the extreme
> likelihood that it will happen again.

Agreed 100%. There is an old saying that applies here 'penny wise but pound foolish.'

While getting back up quickly is a definite goal, fixing the underlying issue (which can only be done when the underlying issue is known!) is a far more important issue. If downtime cannot be tolerated for a thorough investigation, then the high-availability plan needs to be adjusted to provide failover to another box/VM while the compromised box/VM is investigated.

As to the OP's original question about statistics, it seems to me that such statistics are useless for predictive analysis, and no matter how much history you have of past exploit timing this will not and cannot accurately predict the next exploit's timing or the exploitability of the next issue.

Now for risk assessment it might be useful to have some sort of metric, with the knowledge that no risk assessment is an accurate predictor of future exploitability.
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/30/2011 09:15 AM, Lamar Owen wrote:
> On Wednesday, December 28, 2011 10:38:30 PM Craig White wrote:
>> the top priority was to get the machine back online?
>>
>> Seems to me that you threw away the only opportunity to find out what
>> you did wrong and to correct that so it doesn't happen again. You are
>> left to endlessly suffer the endless possibilities and the extreme
>> likelihood that it will happen again.
>
> Agreed 100%. There is an old saying that applies here 'penny wise but pound
> foolish.'
>
> While getting back up quickly is a definite goal, fixing the underlying issue
> (which can only be done when the underlying issue is known!) is a far more
> important issue. If downtime cannot be tolerated for a thorough
> investigation, then the high-availability plan needs to be adjusted to
> provide failover to another box/VM while the compromised box/VM is
> investigated.

Agree with this. At the very least, some kind of image (dd) of the original disk for further study even if you have to get the machine back on line and you don't have a failover machine.

Not knowing how or at least who (so you can block that location) got in means that if/when they want in again, they do it the same way they did last time ... unless you got lucky and happened to correct the issue in the meantime.

>
> As to the OP's original question about statistics, it seems to me that such
> statistics are useless for predictive analysis, and no matter how much
> history you have of past exploit timing this will not and cannot accurately
> predict the next exploit's timing or the exploitability of the next issue.
>
> Now for risk assessment it might be useful to have some sort of metric, with
> the knowledge that no risk assessment is an accurate predictor of future
> exploitability.
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On Tuesday, December 27, 2011 10:13:12 PM Bennett Haselton wrote:
> Roughly what percent of the time is there such an unpatched exploit in the
> wild, so that the machine can be hacked by someone keeping up with the
> exploits?

While I did reply elsewhere in the thread, I want to address this specifically.

I can give you a percentage number very easily. The answer is 100%. There is always an unpatched exploit in the wild; just because it's not been found by the upstream vendor (and by extension the CentOS project) doesn't mean it's not being used in the wild. I would hazard to say the risk from an unknown, but used, exploit is far greater than the 'window of opportunity' exploits you seem to be targeting.

I would also hazard to say that it would be similar in risk to 'window of opportunity' exploit timing in the Windows world; not because the OS's are similar in terms of security but because 'window of opportunity' exploit timing is the same regardless of the general security of the OS. And I think studies of 'window of opportunity' exploits have been done and are publicly available.

I say this after having performed a risk assessment of our infrastructure myself, incidentally. It's not a matter of 'if' you will be hacked, but 'when,' and this is being acknowledged in high-level security circles.

So you plan your high-availability solution accordingly, and plan for outages due to security issues just like you'd plan for network or power outages. This is becoming standard operating procedure in many places.
[CentOS] Checkinstall rpm for CentOS-6 x86_64?
I cannot seem to find a checkinstall rpm package for CentOS-6 or one for x86_64 more recent than CentOS4. When I try to build it locally from the most recent source I can find, c.2006, I get build errors having to do with size constants either missing or improperly defined.

Does anyone have a source for an rpm of this package that runs on CentOS-6_x86_64 or can recommend a replacement for it?

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne          mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited    http://www.harte-lyne.ca
9 Brockley Drive        vox: +1 905 561 1241
Hamilton, Ontario       fax: +1 905 561 0757
Canada L8E 3C3
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On Thursday, December 29, 2011 12:33:41 PM Ljubomir Ljubojevic wrote:
> If you use denyhosts or fail2ban, attacker needs 10,000 attack PC's that
> never attacked any denyhosts or fail2ban server in recent time.

That would be a very small botnet.

And with gamers out there with CUDA-capable GPU's getting botted..

The scale of the botnets doing brute-forcing (among other nefariousness) should never be underestimated.

In addition to fail2ban, simple user-based login timeouts and lockouts can be used that survive botnet brute-forcing, but are DoS sitting ducks because of it.

Security is a hard problem. There is no magic bullet. Recent news should show that
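The trade-off between per-source banning and per-account lockout raised in the message above, as an added example (not code from fail2ban, denyhosts or any poster): it counts sshd "Failed password" events per IP and per user inside a time window. The log lines are constructed, and the host name, addresses and the thresholds `maxretry=3` / `findtime=600` are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd's syslog line for a rejected password.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def sample_log():
    """Constructed log lines (documentation addresses, assumed host 'srv')."""
    lines = []
    # One noisy host: 5 failures against root within 5 seconds.
    for i in range(5):
        lines.append(
            f"Dec 30 10:00:0{i} srv sshd[2101]: Failed password for root "
            f"from 198.51.100.7 port 4000{i} ssh2"
        )
    # Six hosts taking turns: 2 guesses each against the account 'harry'.
    for n in range(1, 7):
        for j in range(2):
            lines.append(
                f"Dec 30 10:0{n}:1{j} srv sshd[220{n}]: Failed password for "
                f"harry from 203.0.113.{n} port 5{n}00{j} ssh2"
            )
    # The legitimate user logging in with a key: not a failure, ignored.
    lines.append(
        "Dec 30 10:09:00 srv sshd[2301]: Accepted publickey for harry "
        "from 192.0.2.10 port 50022 ssh2"
    )
    return lines


def parse_failures(lines, year=2011):
    """Return (timestamp, user, ip) for every failed-password line."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            # Syslog timestamps carry no year; the caller supplies one.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def over_threshold(events, key, maxretry, findtime):
    """Keys ('ip' or 'user') with >= maxretry failures inside findtime seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, user, ip in sorted(events):
        k = ip if key == "ip" else user
        window = recent[k]
        window.append(ts)
        # Slide the window: forget failures older than findtime.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            flagged.add(k)
    return flagged


def compare_policies(lines, maxretry=3, findtime=600):
    events = parse_failures(lines)
    return {
        "failures": len(events),
        # Per-source ban: only the single noisy host crosses the threshold.
        "banned_ips": over_threshold(events, "ip", maxretry, findtime),
        # Per-account lockout: catches the distributed guessing as well, but
        # 'harry' is now locked out by traffic he did not send.
        "locked_users": over_threshold(events, "user", maxretry, findtime),
    }


if __name__ == "__main__":
    for name, value in compare_policies(sample_log()).items():
        print(name, value)
```

The six hosts that stay under the per-IP threshold are never banned, while the per-user rule that does catch them also locks out the key-holding owner of the account.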
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On Friday, December 30, 2011 10:24:15 AM Johnny Hughes wrote:
> Agree with this. At the very least, some kind of image (dd) of the
> original disk for further study even if you have to get the machine back
> on line and you don't have a failover machine.

Speaking of dd, ddrescue in my experience is faster, but even then you will have downtime during the imaging. For a large drive this can easily take hours; I did a 500GB drive yesterday on my laptop using CentOS 6.2+the EPEL ddrescue package (LiveCD on a USB stick, by the way, with a 1GB overlay) and using a USB 3.0 Western Digital 2.5 inch external; took roughly the same time as eSATA; about 4.5 hours, even over USB 3.0 (the CentOS 6.2 Live media's kernel fully supports my USB 3.0 ExpressCard controller, by the way). I did this because the laptop's internal hard drive is doing sector reallocations; there are 97 reallocated sectors at this point, which can be a predictor of drive failure, so it was time to image it (Les is likely to mention clonezilla at this point... but my partitioning and use of unallocated space for things precludes clonezilla; tried it, didn't work).

CAINE or similar tool would work just as well; but I'd rather set up a CentOS USB stick to do it rather than yet another distribution, even though CAINE has uses beyond just imaging and should be seriously considered for forensics even for die-hard CentOS users; the Fedora-based NST is a close second in my book. Something like CAINE or NST based on CentOS would be fun. :-)

Now, SAN snapshotting or VM snapshotting can help reduce downtime (take the snap, start imaging the snap, re-image/re-install to the underlying LUN/volume while the snap is imaging, then blow away the snap once it's imaged; requires lots of space for the snap delta files but the downtime is only the time required to take the snap (extremely quick on SAN, slightly less quick on something like vSphere) plus the time to reimage/reinstall to the underlying LUN/volume).

Even here a large VM can take hours to re-image/re-install. Better to plan ahead for failover while forensic imaging takes place.
Re: [CentOS] Need help in writing a shell/bash script
On 12/30/2011 09:00 PM, ankush grover wrote:
> Hi Friends,
>
> I am trying to write a shell script which can merge the 2 columns into
> 3rd one on Centos 5. The file is very long around 31200 rows having
> around 1370 unique groups and around 12000 unique user-names.
> The 1st column is the groupname and then 2nd column is the user-name.
>
> 1st Column (Groupname)2nd Column (username)
> admin ankush
> admin amit
> powerusers dinesh
> powerusers jitendra
>
>
>
>
> The desired output should be like this
>
> admin: ankush, amit
> powerusers: dinesh, jitendra
>
>
> There are commands available but not able to use it properly to get
> the desired output. Please help me

Hi Ankush,

This will do what you want. But please read the comments in the code.

As a side note, this sort of thing is way more natural in Postgres. That will become more apparent as the file contents grow. In particular, the concept of appending tens of thousands of names to a single line in a file is a little crazy, as most text editors will start choking on display without a \n in there somewhere to relieve the way most of them read and display text.

###BEGIN collator.sh
#! /bin/bash
#
# collator.sh
#
# Invocation:
# If executable and in $PATH (~/bin is a good idea):
#     collator.sh input-filename output-filename
# If not executable, not in $PATH, but in present working directory:
#     sh ./collator.sh input-filename output-filename
#
# WARNING: There is NO serious attempt at error checking implemented.
#          This means you should check the contents of OUTFILE before
#          using it for anything important.

INFILE=${1:?"Input filename missing, please read script comments."}
OUTFILE=${2:?"Output filename missing, please read script comments."}

# One "group: " line per distinct group (sort -u also copes with unsorted input).
awk '{print $1 ": "}' "$INFILE" | sort -u > "$OUTFILE"
for GROUP in `cat "$OUTFILE" | cut -d ':' -f 1`
  # grep -w "^$GROUP" matches the group column only, not names containing it.
  do for NAME in `cat "$INFILE" | grep -w "^$GROUP" | awk '{print $2}'`
    # Append each name at the end of the group's line, keeping input order.
    do sed -i "s/^$GROUP: .*/&$NAME, /" "$OUTFILE"
  done
done
# Drop the ", " left after the last name on each line.
sed -i 's/, $//' "$OUTFILE"
###END collator.sh
Re: [CentOS] what percent of time are there unpatched exploits against default config?
Lamar Owen wrote:
> On Thursday, December 29, 2011 12:33:41 PM Ljubomir Ljubojevic wrote:
>> If you use denyhosts or fail2ban, attacker needs 10,000 attack PC's that
>> never attacked any denyhosts or fail2ban server in recent time.
>
> That would be a very small botnet.
>
> And with gamers out there with CUDA-capable GPU's getting botted..

And, as a co-worker says, let's not forget renting time on Amazon's cloud

        mark
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On Friday 30 December 2011 19:40:55 夜神 岩男 wrote:
[snip]
> We can start a 10,000 computer botnet (or, more realistically, a 10m
> computer botnet these days, and this is a technique used right now)
> working on the problem of assembling a new index table that orders and
> assigns every possible valid hash said algorithm can produce, and start
> assigning values.
>
> Essentially, we can move the computing cost up-front by assuming that we
> indeed *do* have to try *every* possible password, which means computing
> done 5 years ago applies to your brand new password today.
[snip]
> In short, keys, man, keys. Its not perfect, but it is much stronger than
> passwords and in my experience FAR much less hassle.

You are basically saying that, given enough resources, you can precalculate all hashes for all possible passwords in advance.

Can the same be said for keys? Given enough resources, you could precalculate all possible public/private key combinations, right?

Please don't get me wrong --- I'm not saying that the resources needed are equal (or even comparable) for the two cases. But theoretically, both keys and passwords rely on the assumption that the "inverse operation" (be it calculating a password from a hash or factoring a large integer into primes) is too expensive to be feasible. But "given enough time and resources", you could in principle have prebuilt tables for both, right?

Just asking... :-)

...while waiting for the first successful build of a quantum computer, which will fundamentally redefine all current concepts of security... ;-)

Best, :-)
Marko
Re: [CentOS] Need help in writing a shell/bash script
Hey, supergiantpotato (and btw, this list is plain text, not unicode, and most of us don't read Japanese...),

夜神 岩男 wrote:
> On 12/30/2011 09:00 PM, ankush grover wrote:
>>
>> I am trying to write a shell script which can merge the 2 columns into
>> 3rd one on Centos 5. The file is very long around 31200 rows having
>> around 1370 unique groups and around 12000 unique user-names.
>> The 1st column is the groupname and then 2nd column is the user-name.
>>
>> 1st Column (Groupname)2nd Column (username)
>> admin ankush
>> admin amit
>> powerusers dinesh
>> powerusers jitendra

> This will do what you want. But please read the comments in the code.

> ###BEGIN collator.sh

> INFILE=${1:?"Input filename missing, please read script comments."}
> OUTFILE=${2:?"Output filename missing, please read script comments."}
>
> awk '{print $1 ": "}' "$INFILE" | sort -u > "$OUTFILE"
> for GROUP in `cat "$OUTFILE" | cut -d ':' -f 1`
>   do for NAME in `cat "$INFILE" | grep -w "^$GROUP" | awk '{print $2}'`
>     do sed -i "s/^$GROUP: .*/&$NAME, /" "$OUTFILE"
>   done
> done
> sed -i 's/, $//' "$OUTFILE"
> ###END collator.sh

This is really complicated and fiddly. Look at the one awk script that was posted, which is *far* simpler, and uses awk the way it's intended to be used, not as a replacement for cut

        mark
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On Dec 30, 2011, at 8:24 AM, Lamar Owen wrote:
> On Tuesday, December 27, 2011 10:13:12 PM Bennett Haselton wrote:
>> Roughly what percent of the time is there such an unpatched exploit in the
>> wild, so that the machine can be hacked by someone keeping up with the
>> exploits?
>
> While I did reply elsewhere in the thread, I want to address this
> specifically.
>
> I can give you a percentage number very easily. The answer is 100%. There
> is always an unpatched exploit in the wild; just because it's not been found
> by the upstream vendor (and by extension the CentOS project) doesn't mean
> it's not being used in the wild. I would hazard to say the risk from an
> unknown, but used, exploit is far greater than the 'window of opportunity'
> exploits you seem to be targeting.
>
> I would also hazard to say that it would be similar in risk to 'window of
> opportunity' exploit timing in the Windows world; not because the OS's are
> similar in terms of security but because 'window of opportunity' exploit
> timing is the same regardless of the general security of the OS. And I think
> studies of 'window of opportunity' exploits have been done and are publicly
> available.
>
> I say this after having performed a risk assessment of our infrastructure
> myself, incidentally. It's not a matter of 'if' you will be hacked, but
> 'when,' and this is being acknowledged in high-level security circles.
>
> So you plan your high-availability solution accordingly, and plan for outages
> due to security issues just like you'd plan for network or power outages.
> This is becoming standard operating procedure in many places.

to reiterate my thoughts...

I still don't understand the logic of the list indulging the OP's rampant speculation of various causes when his first action was to eliminate all possibility to find out what actually happened.

An apt analogy is to find out that your horses have been stolen so you burn down the barn where they were kept, drag the ground to remove all evidence of footprints & tire tracks and then decide that you want to figure out how the thieves got in and made away with your horses.

Craig
Re: [CentOS] Need help in writing a shell/bash script
looked like English to me...

On Dec 30, 2011, at 9:41 AM, m.r...@5-cent.us wrote:
> Hey, supergiantpotato (and btw, this list is plain text, not unicode, and
> most of us don't read Japanese...),
>
> 夜神 岩男 wrote:
>> On 12/30/2011 09:00 PM, ankush grover wrote:
>>>
>>> I am trying to write a shell script which can merge the 2 columns into
>>> 3rd one on Centos 5. The file is very long around 31200 rows having
>>> around 1370 unique groups and around 12000 unique user-names.
>>> The 1st column is the groupname and then 2nd column is the user-name.
>>>
>>> 1st Column (Groupname)2nd Column (username)
>>> admin ankush
>>> admin amit
>>> powerusers dinesh
>>> powerusers jitendra
>
>> This will do what you want. But please read the comments in the code.
>
>> ###BEGIN collator.sh
>
>> INFILE=${1:?"Input filename missing, please read script comments."}
>> OUTFILE=${2:?"Output filename missing, please read script comments."}
>>
>> awk '{print $1 ": "}' "$INFILE" | sort -u > "$OUTFILE"
>> for GROUP in `cat "$OUTFILE" | cut -d ':' -f 1`
>>   do for NAME in `cat "$INFILE" | grep -w "^$GROUP" | awk '{print $2}'`
>>     do sed -i "s/^$GROUP: .*/&$NAME, /" "$OUTFILE"
>>   done
>> done
>> sed -i 's/, $//' "$OUTFILE"
>> ###END collator.sh
>
> This is really complicated and fiddly. Look at the one awk script that was
> posted, which is *far* simpler, and uses awk the way it's intended to be
> used, not as a replacement for cut
>
> mark

--
Craig White ~ craig.wh...@ttiltd.com
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On Friday, December 30, 2011 11:19:46 AM Marko Vojinovic wrote:
> You are basically saying that, given enough resources, you can precalculate
> all hashes for all possible passwords in advance.

> Can the same be said for keys? Given enough resources, you could precalculate
> all possible public/private key combinations, right?

Public key crypto's security is based on the cost of factoring and finding large prime numbers; hashing is somewhat different and relies on 'one-way' functions that are very difficult to reverse. There are similarities and some sharing between the algorithms, but the difficulty of reversal is based on different mathematical properties.

However, at least for some hashes on some OS's, precalculation of partial hashes is no theory; look up 'Rainbow Tables' some day. (see https://en.wikipedia.org/wiki/Rainbow_tables )
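The precomputation discussed in this message and in Iwao's earlier one, as an added example (not code from any poster or from a cracking tool): a plain hash-to-password lookup table, which is simpler than a real rainbow table, is built once and checked against an unsalted store and against a store using a per-user salt with PBKDF2. The candidate list, account names, passwords and the iteration count are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for the dictionary and variant
# lists described in the thread.
CANDIDATES = ["password", "letmein", "centos", "admin123", "p4ssw0rd"]
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


def unsalted_hash(password):
    """Bare SHA-256: the same password hashes identically on every system."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Hash every candidate once; the table is reusable against any store
    that uses the same unsalted function."""
    return {unsalted_hash(p): p for p in candidates}


def salted_hash(password, salt):
    """PBKDF2-HMAC-SHA256 with a per-user random salt and a work factor."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, ITERATIONS
    ).hex()


def verify_salted(password, salt, stored):
    """Login check: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def compare_stores():
    # Constructed accounts: two users share a weak password, one does not.
    accounts = {"alice": "letmein", "bob": "letmein", "carol": "Vq7#tmR2kx9L"}
    table = build_lookup_table(CANDIDATES)

    unsalted = {u: unsalted_hash(p) for u, p in accounts.items()}
    salted = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        salted[user] = (salt, salted_hash(pw, salt))

    return {
        # One dictionary lookup per stored hash, no per-target work.
        "unsalted_hits": {u: table.get(h) for u, h in unsalted.items()},
        # The same table finds nothing: it would have to be rebuilt for each
        # salt, at ITERATIONS hash computations per candidate.
        "salted_hits": {u: table.get(h) for u, (_, h) in salted.items()},
        # Shared passwords are visible in the unsalted store only.
        "unsalted_same": unsalted["alice"] == unsalted["bob"],
        "salted_same": salted["alice"][1] == salted["bob"][1],
        "login_ok": verify_salted("letmein", *salted["alice"]),
        "login_bad": verify_salted("password", *salted["alice"]),
    }


if __name__ == "__main__":
    for name, value in compare_stores().items():
        print(name, value)
```

Salting removes the reuse of precomputed work; it does not make "letmein" a strong password, which is why the thread keeps returning to key-only sshd logins.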
Re: [CentOS] Need help in writing a shell/bash script
Craig White wrote: > looked like English to me... > > On Dec 30, 2011, at 9:41 AM, m.r...@5-cent.us wrote: > >> Hey, supergiantpotato (and btw, this list is plain text, not unicode, >> and most of us don't read Japanese...), >> >> å¤ç¥ãå²©ç· wrote: ^^ doesn't look like English, or ASCII, to me. mark ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Need help in writing a shell/bash script
On Dec 30, 2011, at 9:52 AM, m.r...@5-cent.us wrote: > Craig White wrote: >> looked like English to me... >> >> On Dec 30, 2011, at 9:41 AM, m.r...@5-cent.us wrote: >> >>> Hey, supergiantpotato (and btw, this list is plain text, not unicode, >>> and most of us don't read Japanese...), >>> >>> 夜神 岩男 wrote: > ^^ doesn't look like English, or ASCII, to me. > > > >mark let me see if I get this straight... you are objecting to him using his real name? Craig ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Need help in writing a shell/bash script
On 12/31/2011 01:41 AM, m.r...@5-cent.us wrote:
> Hey, supergiantpotato (and btw, this list is plain text, not unicode, and
> most of us don't read Japanese...),

Thanks for the info

> This is really complicated and fiddly. Look at the one awk script that was
> posted, which is *far* simpler, and uses awk the way it's intended to be
> used, not as a replacement for cut

I tried it before writing that. It starts printing names on newlines after the second name in a group. Not so good. It also has variable output when the group names are not sorted prior to input. Etc. Given that, I'd say it is more fragile than what I wrote. But whatev. Let the OP decide which one is more useful.

Easy to fix, yes. And perhaps you don't like awk being used that way. Fine. It can be substituted -- but awk is an old habit of mine. The whole script could have been written in just one or two blazingly complex sed commands... but that sucks even more for the OP if he has to debug it later...
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/31/2011 01:19 AM, Marko Vojinovic wrote: > > On Friday 30 December 2011 19:40:55 夜神 岩男 wrote: > [snip] >> We can start a 10,000 computer botnet (or, more realistically, a 10m >> computer botnet these days, and this is a technique used right now) >> working on the problem of assembling a new index table that orders and >> assigns every possible valid hash said algorithm can produce, and start >> assigning values. >> >> Essentially, we can move the computing cost up-front by assuming that we >> indeed *do* have to try *every* possible password, which means computing >> done 5 years ago applies to your brand new password today. > [snip] >> In short, keys, man, keys. Its not perfect, but it is much stronger than >> passwords and in my experience FAR much less hassle. > > You are basically saying that, given enough resources, you can precalculate > all hashes for all possible passwords in advance. > > Can the same be said for keys? Given enough resources, you could precalculate > all possible public/private key combinations, right? > > Please don't get me wrong --- I'm not saying that the resources needed are > equal (or even comparable) for the two cases. > > But theoretically, both keys and passwords rely on the assumption that the > "inverse operation" (be it calculating a password from a hash or factoring a > large integer into primes) is too expensive to be feasible. But "given enough > time and resources", you could in principle have prebuilt tables for both, > right? > > Just asking... :-) ...while waiting for the first successful build of a > quantum > computer, which will fundamentally redefine all current concepts of > security... > ;-) Yes, theoretically it is possible to precalculate the hashes of everything against everything. Seriously. Of course, the only groups with the current resources to actually build hash indexes against serious keys are governments, and there are limits there even. 
The cost is what prevents this, which is why cryptographic security can never, ever sit still. And you're right about quantum computing changing the game. In fact, it can change the game so much that physical and information security will once again become one and the same, period [1]. Considering this and how close we are to quantum computing, I find the "rush to the cloud" for business and personal data storage laughably shortsighted.

-Iwao

1. Ok, there is actually a way around this which relies on quantum hashing, but I don't know the terms for this in English. It depends on the idea that you can only observe some articles of data a single time before the act of observation forces an alteration of state: In other words it does nothing to encrypt the data, but rather you can know 100% if the data has been intercepted at all. But it's ridiculously finicky right now because it's so new, so don't expect this for a long time.
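Added example (not from any poster in this thread): the precomputation argued about above and in the 'Rainbow Tables' reply, in its simplest form. A digest-to-password table is built once over a constructed, deliberately tiny candidate space (4-digit PINs) and reverses unsalted SHA-256 with one lookup, while a per-account random salt with PBKDF2 leaves the same table with nothing to find; the hash choices, the iteration count and all function names are assumptions of this example, and a rainbow table is a space-saving variant of such a table.

```python
import hashlib
import hmac
import os

# Constructed candidate space: every 4-digit PIN. Deliberately tiny so the
# whole table builds in milliseconds; real password spaces are far larger.
CANDIDATES = [f"{n:04d}" for n in range(10_000)]
ITERATIONS = 10_000  # assumed PBKDF2 work factor for this demo


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the same input always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(candidates) -> dict:
    """Pay the hashing cost once, up front: digest -> password."""
    return {unsalted_hash(p): p for p in candidates}


def salted_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-account random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison, as the legitimate login path would do it."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def full_table_bytes(entropy_bits: int, digest_bytes: int = 32) -> int:
    """Storage for one digest per element of a keyspace of 2**entropy_bits."""
    return (2 ** entropy_bits) * digest_bytes


def demo() -> dict:
    table = build_table(CANDIDATES)  # built once, reused for every account
    secret = "4821"                  # constructed sample password

    # Unsalted storage: two accounts with the same password share one digest,
    # and a single dictionary lookup reverses it.
    alice_unsalted = unsalted_hash(secret)
    bob_unsalted = unsalted_hash(secret)

    # Salted storage: each account gets its own 16-byte random salt, so work
    # done in advance (before the salt existed) cannot be reused.
    alice_salt, bob_salt = os.urandom(16), os.urandom(16)
    alice_salted = salted_hash(secret, alice_salt)
    bob_salted = salted_hash(secret, bob_salt)

    return {
        "unsalted_digests_equal": alice_unsalted == bob_unsalted,
        "table_recovers_unsalted": table.get(alice_unsalted),
        "salted_digests_equal": alice_salted == bob_salted,
        "table_recovers_salted": table.get(alice_salted.hex()),
        "login_still_works": verify(secret, alice_salt, alice_salted),
        "wrong_password_rejected": not verify("0000", alice_salt, alice_salted),
        # 12 characters at roughly 6 bits each, the figure used in this thread.
        "table_bytes_72_bit": full_table_bytes(72),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```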
Re: [CentOS] Need help in writing a shell/bash script
On 12/31/2011 01:56 AM, Craig White wrote: > > On Dec 30, 2011, at 9:52 AM, m.r...@5-cent.us wrote: > >> Craig White wrote: >>> looked like English to me... >>> >>> On Dec 30, 2011, at 9:41 AM, m.r...@5-cent.us wrote: >>> Hey, supergiantpotato (and btw, this list is plain text, not unicode, and most of us don't read Japanese...), 夜神 岩男 wrote: >>^^ doesn't look like English, or ASCII, to me. >> >> >> >> mark > > let me see if I get this straight... you are objecting to him using his real > name? > > Craig Its ok, I'm totally about to change my private email address header for one guy on one mailing list. And anyway, shame on me for trying to help someone on a list with a quick script. What was I thinking! ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Need help in writing a shell/bash script
On Fri, Dec 30, 2011 at 11:52:21AM -0500, m.r...@5-cent.us wrote: > Craig White wrote: > > looked like English to me... > > > > On Dec 30, 2011, at 9:41 AM, m.r...@5-cent.us wrote: > > > >> Hey, supergiantpotato (and btw, this list is plain text, not unicode, > >> and most of us don't read Japanese...), > >> > >> å¤ç¥ãå²©ç· wrote: >^^ doesn't look like English, or ASCII, to me. I speak Japanese, so didn't even notice. At any rate, it's the poster's name--interestingly, when I hit reply here, it does come out with various odd symbols rather than the name. I understand Mark's point but in this case, I don't really think it's fair to ask someone to change their name specifically for this list. (That is, tell them, You can't write your name in your own language). And no, my wife isn't watching over my shoulder as I watch this, [1] she just has me well trained about we English centric Americans. :) [1] I can think of at least one list member here who will automatically assume that's why I wrote this. :) -- Scott Robbins PGP keyID EB3467D6 ( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 ) gpg --keyserver pgp.mit.edu --recv-keys EB3467D6 Angel: You've never done this before. Look, it takes tremendous strength -- mental strength. Wesley: Resistence to suggestion. Yes, I understand that. I like to think of myself as possessing a certain... Angel: Wesley, you don't even have sales resistance. How many thigh masters do you own? Wesley: The second one was a free gift with my Buns of Steel. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Need help in writing a shell/bash script
On Dec 30, 2011, at 10:19 AM, Scott Robbins wrote: > On Fri, Dec 30, 2011 at 11:52:21AM -0500, m.r...@5-cent.us wrote: >> Craig White wrote: > > >>> looked like English to me... >>> >>> On Dec 30, 2011, at 9:41 AM, m.r...@5-cent.us wrote: >>> Hey, supergiantpotato (and btw, this list is plain text, not unicode, and most of us don't read Japanese...), å¤ç¥ãå²©ç· wrote: >> ^^ doesn't look like English, or ASCII, to me. > > > I speak Japanese, so didn't even notice. At any rate, it's the poster's > name--interestingly, when I hit reply here, it does come out with > various odd symbols rather than the name. not for me it doesn't... On Dec 30, 2011, at 10:10 AM, 夜神 岩男 wrote: but it obviously depends upon the mail client and languages that are available to be used by the mail client you are using at the moment. > I understand Mark's point but in this case, I don't really think it's > fair to ask someone to change their name specifically for this list. > (That is, tell them, You can't write your name in your own language). absolutely absurd but you only need to consider the source. Craig ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Need help in writing a shell/bash script
On Friday 30 December 2011 11:41:47 m.r...@5-cent.us wrote:
> Hey, supergiantpotato (and btw, this list is plain text, not unicode, and
> most of us don't read Japanese...),

You are not using "plain text" and "unicode" correctly here. I've read pleasantly his emails in *plain text* encoded in *ASCII*. Only his name is in UTF-8 encoding (which still *is* plain text).

From the email headers:
Content-Type: text/plain; charset="us-ascii"

My email client can do *plain text* in ASCII encoding as well as in UTF-8
It seems yours cannot

Regards
Re: [CentOS] Need help in writing a shell/bash script
å¤ç¥ãå²©ç· wrote: > On 12/31/2011 01:56 AM, Craig White wrote: >> On Dec 30, 2011, at 9:52 AM, m.r...@5-cent.us wrote: >>> Craig White wrote: looked like English to me... On Dec 30, 2011, at 9:41 AM, m.r...@5-cent.us wrote: > Hey, supergiantpotato (and btw, this list is plain text, not unicode, > and most of us don't read Japanese...), > > å¤Å神ãâ¬â¬Ã¥Â²Â©Ã§â· wrote: >>>^^ doesn't look like English, or ASCII, to me. >>> > Its ok, I'm totally about to change my private email address header for > one guy on one mailing list. And anyway, shame on me for trying to help > someone on a list with a quick script. What was I thinking! *shrug* Fine, so if I want to address you, in response to a post, I'll just use SGP for supergiantpotato. Whatever floats your boat. mark ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Need help in writing a shell/bash script
On Fri, Dec 30, 2011 at 6:00 AM, ankush grover wrote:
> Hi Friends,
>
> I am trying to write a shell script which can merge the 2 columns into
> 3rd one on Centos 5. The file is very long around 31200 rows having
> around 1370 unique groups and around 12000 unique user-names.
> The 1st column is the groupname and then 2nd column is the user-name.
>
> 1st Column (Groupname) 2nd Column (username)
> admin ankush
> admin amit
> powerusers dinesh
> powerusers jitendra
>
> The desired output should be like this
>
> admin: ankush, amit
> powerusers: dinesh, jitendra
>
> There are commands available but not able to use it properly to get
> the desired output. Please help me
>

Here's a perl approach:

    #!/usr/bin/perl
    use strict;
    use warnings;

    my ($group, $name);
    my %groups = ();

    # Read "group user" pairs from stdin or from files named on the command line.
    while (<>) {
        chomp();
        # split(' ') ignores leading whitespace and splits on runs of spaces or tabs
        ($group, $name) = split(' ');
        next unless defined $name;    # skip blank or one-column lines
        push @{ $groups{$group} }, $name;
    }

    # One line per group; ", " matches the requested "admin: ankush, amit" format.
    foreach $group (sort keys(%groups)) {
        print "$group: " . join(", ", @{ $groups{$group} }) . "\n";
    }

Cat or redirect the list to the program input, output is on stdout.

--
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] Need help in writing a shell/bash script
On 12/30/11 9:58 AM, Les Mikesell wrote:
> Here's a perl approach:

which, unlike all the other versions, doesn't require the data be pre-sorted, by virtue of adding all the tuples to a hash. I don't even think that sort in the output loop is required, unless you want the groups output in alphabetic order.

--
john r pierce N 37, W 122
santa cruz ca mid-left coast
Re: [CentOS] Need help in writing a shell/bash script
John R Pierce wrote:
> On 12/30/11 9:58 AM, Les Mikesell wrote:
>> Here's a perl approach:
>
> which, unlike all the other versions, doesn't require the data be
> pre-sorted, by virtue of adding all the tuples to a hash. I don't even
> think that sort in the output loop is required, unless you want the
> groups output in alphabetic order.

IIRC, the awk will come out in order, given the hash.

mark
Re: [CentOS] Checkinstall rpm for CentOS-6 x86_64?
On 12/30/2011 03:34 PM, James B. Byrne wrote:
> Does anyone have a source for an rpm of this package that
> runs on CentOS-6_x86_64 or can recommend a replacement for
> it?
>

consider using fpm instead? it kind of addresses the same problem in a different way.

--
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
ICQ: 2522219 | Yahoo IM: z00dax | Gtalk: z00dax
GnuPG Key : http://www.karan.org/publickey.asc
Re: [CentOS] what percent of time are there unpatched exploits against default config?
Reindl,

On Thu, 2011-12-29 at 15:28 +0100, Reindl Harald wrote:
> why do you not tell this the idiot who is argumentating against keys
> and thinks using password-login is smart?

I don't like your tone. I'm not sure if it's me or Bennett you are calling an idiot or both, but in any case you should mind your words and try to understand the argument others are making before shooting off your mouth.

I merely responded to Bennett's inquiry why a 12 char password wouldn't be sufficiently strong. I believe Marko also made the point that it is always arbitrary where to draw the line as to what you consider strong/safe enough. I made my point why I believe using 9 to 12 character passwords is sufficiently secure for my purposes (I do not run a military facility).

Now if you have an argument to make about that statement I'm very interested to hear it. On the other hand, if you start calling people idiots on a public channel because you think they do not understand what you are telling (where it's actually you who seems to be missing the point they are making) I don't consider you a suitable conversation partner. You should understand discussions on lists like these are made on arguments not insults.

Leonard.

--
mount -t life -o ro /dev/dna /genetic/research
Re: [CentOS] what percent of time are there unpatched exploits against default config?
Leonard den Ottolander wrote:
> Reindl,
>
> On Thu, 2011-12-29 at 15:28 +0100, Reindl Harald wrote:
>> why do you not tell this the idiot who is argumentating against keys
>> and thinks using password-login is smart?
>
> I don't like your tone. I'm not sure if it's me or Bennett you are
> calling an idiot or both, but in any case you should mind your words and
> try to understand the argument others are making before shooting off
> your mouth.
> Now if you have an argument to make about that statement I'm very
> interested to hear it. On the other hand, if you start calling people
> idiots on a public channel because you think they do not understand what
> you are telling (where it's actually you who seems to be missing the
> point they are making) I don't consider you a suitable conversation
> partner. You should understand discussions on lists like these are made
> on arguments not insults.

Agreed. I don't even label as idiots the idiots who post here, asking us to tell them how to do the job they were hired for, without any indication that they've read man pages, or googled for an answer.

mark
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/30/2011 05:47 PM, Craig White wrote:
>
> to reiterate my thoughts... I still don't understand the logic of the list
> indulging the OP's rampant speculation of various causes when his first
> action was to eliminate all possibility to find out what actually happened.
>
> An apt analogy is to find out that your horses have been stolen so you burn
> down the barn where they were kept, drag the ground to remove all evidence of
> footprints & tire tracks and then decide that you want to figure out how the
> thieves got in and made away with your horses.
>
> Craig
>

Because it is not only OP that is interested in this type of info. There are many small-time admins (like me) that can greatly benefit from the knowledge of the people doing this as part of their regular job. OP was just the aperitif, already mostly forgotten :D

--
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
Re: [CentOS] CentOS 6 x86_64 can't detect raid 10
On 12/30/2011 12:46 AM, Alexander Dalloz wrote:
> Either get a real RAID controller which does hardware RAID or use
> CentOS's software raid function.

+1.

For Linux/CentOS/mdadm RAID 10 use "far" setting to get better (2x ??) read speed on mirroring.

--
Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
[CentOS] CentOS 6 x86_64 can't detect raid 10
Dear All,

I just got a new server with the following specifications:
motherboard : Intel S5500BC
CPU : Xeon Quad Core 2.6Ghz
RAM : 8GB
HDD : 4 x 2TB SATA with configured raid 10 using raid embedded server.

The problem is the centos installer can't detect raid virtual disk. I can't find any log error with the following error messages during installation process:

Disks sda, sdb, sdc, sdd contain BIOS RAID metadata but are not part of any recognized BIOS RAID sets.

I've already used a search engine to find information regarding this issue, but I can't find the solutions for CentOS.

Thanks in advance

--
Best regards,
David
http://blog.pnyet.web.id
Re: [CentOS] CentOS 6 x86_64 can't detect raid 10
On 12/31/2011 04:31 PM, David wrote:
> Dear All,
>
> I just got a new server with the following specifications:
> motherboard : Intel S5500BC
> CPU : Xeon Quad Core 2.6Ghz
> RAM : 8GB
> HDD : 4 x 2TB SATA with configured raid 10 using raid embedded
> server.
>
> The problem is the centos installer can't detect raid virtual disk. I
> can't find any log error with the following error messages during
> installation process:
>
> Disks sda, sdb, sdc, sdd contain BIOS RAID metadata but are not part of
> any recognized BIOS RAID sets.
>
> I've already used a search engine to find information regarding this
> issue, but I can't find the solutions for CentOS.
>
> Thanks in advance
>

You may be better using the linux software raid - this intel board is using fake raid - thus turn off the raid in the bios and use the linux tools to set up mdraid.

This is what I have done on my intel low level server systems.

YMMV
Re: [CentOS] CentOS 6 x86_64 can't detect raid 10
> Dear All,
>
> I just got a new server with the following specifications:
> motherboard : Intel S5500BC
> CPU : Xeon Quad Core 2.6Ghz
> RAM : 8GB
> HDD : 4 x 2TB SATA with configured raid 10 using raid embedded
> server.
>
> The problem is the centos installer can't detect raid virtual disk. I
> can't find any log error with the following error messages during
> installation process:
>
> Disks sda, sdb, sdc, sdd contain BIOS RAID metadata but are not part of
> any recognized BIOS RAID sets.
>
> I've already used a search engine to find information regarding this
> issue, but I can't find the solutions for CentOS.
>
> Thanks in advance
>

I believe it's possible, it's just that you need to install the drivers. CentOS/RedHat does not include them.

I would start here with the Intel Deployment Assistant
http://www.intel.com/design/servers/ism/deployment.htm
Re: [CentOS] what percent of time are there unpatched exploits against default config?
I think the best password policy is the one you've never told anyone and never posted on a public mailing list. How many of you out there know of cases where administrators' passwords were compromised by brute force? Can we take a count of that? I believe in passwords. I don't believe in PKI. It's a lot more likely that I will forget my laptop somewhere, or that someone will steal my usb key than that someone will guess my password and have opportunities to try it. PKI is convenience and if your password is 20-30 characters it will take long time to break it. Password crack estimator http://www.mandylionlabs.com/documents/BFTCalc.xls Spreadsheet is safe (take my word for it) ha,ha Scenario of botnet with 1000 PCs making attempts to crack are password ain't gonna happen. -Alex -Original Message- From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of ?? ?? Sent: Friday, December 30, 2011 9:07 AM To: centos@centos.org Subject: Re: [CentOS] what percent of time are there unpatched exploits against default config? On 12/31/2011 01:19 AM, Marko Vojinovic wrote: > > On Friday 30 December 2011 19:40:55 夜神 岩男 wrote: > [snip] >> We can start a 10,000 computer botnet (or, more realistically, a 10m >> computer botnet these days, and this is a technique used right now) >> working on the problem of assembling a new index table that orders >> and assigns every possible valid hash said algorithm can produce, and >> start assigning values. >> >> Essentially, we can move the computing cost up-front by assuming that >> we indeed *do* have to try *every* possible password, which means >> computing done 5 years ago applies to your brand new password today. > [snip] >> In short, keys, man, keys. Its not perfect, but it is much stronger >> than passwords and in my experience FAR much less hassle. > > You are basically saying that, given enough resources, you can > precalculate all hashes for all possible passwords in advance. > > Can the same be said for keys? 
Given enough resources, you could > precalculate all possible public/private key combinations, right? > > Please don't get me wrong --- I'm not saying that the resources needed > are equal (or even comparable) for the two cases. > > But theoretically, both keys and passwords rely on the assumption that > the "inverse operation" (be it calculating a password from a hash or > factoring a large integer into primes) is too expensive to be > feasible. But "given enough time and resources", you could in > principle have prebuilt tables for both, right? > > Just asking... :-) ...while waiting for the first successful build of > a quantum computer, which will fundamentally redefine all current concepts of > security... > ;-) Yes, theoretically it is possible to precalculate the hashes of everything against everything. Seriously. Of course, the only groups with the current resources to actually build hash indexes against serious keys are governments, and there are limits there even. The cost is what prevents this, which is why cryptographic security can never, ever sit still. And you're right about quantum computing changing the game. In fact, it can change the game so much that physical and information security will once again become one and the same, period [1]. Considering this and how close we are to quantum computing, I find the "rush to the cloud" for business and personal data storage laughably shortsighted. -Iwao 1. Ok, there is actually a way around this which relies on quantum hashing, but I don't know the terms for this in English. It depends on the idea that you can only observe some articles of data a single time before the act of observation forces an alteration of state: In other words it does nothing to encrypt the data, but rather you can know 100% if the data has been intercepted at all. But it's ridiculously finicky right now because it's so new, so don't expect this for a long time.
Re: [CentOS] what percent of time are there unpatched exploits against default config?
On 12/30/11 9:02 PM, Alex Milojkovic wrote:
> I believe in passwords. I don't believe in PKI.
> It's a lot more likely that I will forget my laptop somewhere, or that
> someone will steal my usb key than that someone will guess my password and
> have opportunities to try it.

you're supposed to password protect your PKI keystore.

--
john r pierce N 37, W 122
santa cruz ca mid-left coast