Re: Install Wizard 'Looks Too Complicated'
On Sunday 29-11-2009 at 00:47 [timezone +0800], John McCabe-Dansted wrote:
> There are also algorithms for extracting the password from XP as
> well...

XP passwords are compared to hashes, and you can't extract the password from a hash.

--
Jan Claeys

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Re: Install Wizard 'Looks Too Complicated'
2009/11/30 Jan Claeys :
> On Sunday 29-11-2009 at 00:47 [timezone +0800], John McCabe-Dansted wrote:
>> There are also algorithms for extracting the password from XP as
>> well...
>
> XP passwords are compared to hashes, and you can't extract the password
> from a hash.

There are brute-force password cracking methods, but including something like that as part of the Ubuntu installation would be a bad idea for several reasons.

--
Matt Wheeler
m...@funkyhat.org

Re: Install Wizard 'Looks Too Complicated'
On Mon, Nov 30, 2009 at 12:55 PM, Matt Wheeler wrote:
> 2009/11/30 Jan Claeys :
>> On Sunday 29-11-2009 at 00:47 [timezone +0800], John McCabe-Dansted wrote:
>>> There are also algorithms for extracting the password from XP as
>>> well...
>>
>> XP passwords are compared to hashes, and you can't extract the password
>> from a hash.
>
> There are brute-force password cracking methods, but including
> something like that as part of the Ubuntu installation would be a
> bad idea for several reasons.

List some not-silly reasons. "Because people could use it for theoretical/practicable attacks" is not a reason, because 1) you could decline to reveal the password (but allow verification); and 2) there are other tools for this that are just as accessible.

I guess I can give a longer example here, but I'd rather not get into the specifics of this discussion:

In the state of the art, I can pop in a BackTrack CD, fix 1 line in Kismet's config (is this automatic now? It could be), run one command, and drop keys for all the WEP networks around me. There are tools included that find "hidden" SSIDs and you can even find MAC addresses in use to get around all the maze-like non-security.

I have made the argument that Ubuntu could contain a version of Network-Manager (I prefer by default, but it could be an additional package) that automatically does all the hidden SSID detection in the background, and does some monitoring and WEP cracking, marking off "Secured, broken" networks.

This usually brings up arguments that this is somehow "bad," but doesn't explain exactly how it's bad. It doesn't decrease security, because well... if you want to "steal internet," you're a mostly harmless leech; if you want to do something serious, you're going to have the skills anyway. I figure it would probably make it extremely visible to the owners of 6 (of 7) WiFi networks reachable from my apartment that their @*#$ is not secure when it becomes common knowledge that most of that stuff is flat-out ignored and automatically bypassed by some operating systems.

Cost-benefit arguments aside, it seems that the above extreme case doesn't actually de-securify anything (it is, however, a good way to make fun of hilariously bad security devices that actually got released to market). A quick and painless password cracking mechanism (background, started as soon as the CD can see a partition with a SAM, and time-restricted) doesn't seem like an issue to me.

Of course, I'm a very coarse person and have no desire to play nice. Sure, I definitely advocate NOT flashing the cracked passwords in people's faces, and keeping them in secured RAM (i.e. XOR'd with a canary, in locked memory, until needed; or better, hash them out for storage in shadow and clear the originals out of RAM). But I see no reason to care about the difference between "we could easily crack these passwords" and "we have cracked these passwords," unless you're uploading the passwords (hashed?) to Canonical for further use.

Re: Install Wizard 'Looks Too Complicated'
With regards to cracking tools being bad, I imagine they do come in handy during security audits.

If there's going to be hacking tools out there anyway, the good guys may as well have them too, since you can't really take them away from the bad guys.

Re: Install Wizard 'Looks Too Complicated'
On Mon, Nov 30, 2009 at 2:36 PM, Shentino wrote:
> With regards to cracking tools being bad, I imagine they do come in handy
> during security audits.
> If there's going to be hacking tools out there anyway, the good guys may as
> well have them too, since you can't really take them away from the bad guys.

Yeah, but the issue here seems to be centered around the concept of actively cracking passwords (locally, without reporting to anyone anywhere, and possibly not even displaying the password to the user or storing it plaintext anywhere) during the install process-- or more basically, including something like that on the default install CD.

Again, for my part, I don't really see a problem with breaking what can be broken and informing the user, "We could import these passwords because they were insecure and could be broken by dictionary attack." The effort in testing this, then actually doing the crack is roughly twice as much as just doing the crack with the right tools first.

Re: Install Wizard 'Looks Too Complicated'
2009/11/30 John Moser :
> List some not-silly reasons. "Because people could use it for
> theoretical/practicable attacks" is not a reason, because 1) you could
> decline to reveal the password (but allow verification); and 2) there
> are other tools for this that are just as accessible.

Mainly just the bad press that Ubuntu would get as a result. Can you imagine the headlines there would be? "Ubuntu operating system hacks Windows computers"

Technically speaking other tools are not "just as accessible" - who else ships out free live CDs?

> I guess I can give a longer example here, but I'd rather not get into
> the specifics of this discussion:
>
> In the state of the art, I can pop in a BackTrack CD, fix 1 line in
> Kismet's config (is this automatic now? It could be), run one
> command, and drop keys for all the WEP networks around me. There are
> tools included that find "hidden" SSIDs and you can even find MAC
> addresses in use to get around all the maze-like non-security.
>
> I have made the argument that Ubuntu could contain a version of
> Network-Manager (I prefer by default, but it could be an additional
> package) that automatically does all the hidden SSID detection in the
> background, and does some monitoring and WEP cracking, marking off
> "Secured, broken" networks.

Again, while I have no problems with such tools being available, and find them useful, I think it would be a bad move for such a public distro as Ubuntu to start including such tools by default, purely from a marketing point of view. There's no way you're going to get “It can be used to test how secure my network is” to fly with even most tech press, let alone mainstream media.

I'm all out of ideas, so apparently I only have 1. But I think it's a good one :-)

Thanks

--
Matt Wheeler
m...@funkyhat.org

Re: Install Wizard 'Looks Too Complicated'
On Mon Nov 30 13:47:34 -0500 2009 John Moser wrote:
> List some not-silly reasons.

You're serious? Ok.

* Takes a long time to crack any password that's not in the dictionary and more than a few characters long.
* Rainbow tables would be too large to fit on the CD.
* We can't know up-front whether we will be able to crack a particular password. Therefore the installer would say "please wait" for some time, probably as long as the entire rest of the install, then may have nothing to show for it.
* One OS intentionally "cracking" another would (perhaps rightly) not be seen in a good light, regardless of how noble the reasons or careful the implementation.
* It's a feature of dubious value to begin with. After it had taken some time doing its thing you would need to have the user type in the password anyway to confirm (you can't assume, and you can't really show it to them). This will take far longer than just asking for it in the first place, just to have them type it in once, rather than twice, when they should be used to typing it anyway (though those at UDS may find it ironic that I am the one saying that :-).

Can we please spend our time on other worthwhile features and not argue about whether "cracking" tools should exist for all to use or not?

Thanks,

James

Re: Install Wizard 'Looks Too Complicated'
2009/11/30 James Westby :
> On Mon Nov 30 13:47:34 -0500 2009 John Moser wrote:
>> List some not-silly reasons.
>
> You're serious? Ok.
>
> * Takes a long time to crack any password that's not in the dictionary and
>   more than a few characters long.
> * Rainbow tables would be too large to fit on the CD.
> * We can't know up-front whether we will be able to crack a particular
>   password. Therefore the installer would say "please wait" for some time,
>   probably as long as the entire rest of the install, then may have
>   nothing to show for it.
> * One OS intentionally "cracking" another would (perhaps rightly) not be
>   seen in a good light, regardless of how noble the reasons or careful
>   the implementation.
> * It's a feature of dubious value to begin with. After it had taken some
>   time doing its thing you would need to have the user type in the password
>   anyway to confirm (you can't assume, and you can't really show it to them).
>   This will take far longer than just asking for it in the first place, just
>   to have them type it in once, rather than twice, when they should be
>   used to typing it anyway (though those at UDS may find it ironic that I
>   am the one saying that :-).
>
> Can we please spend our time on other worthwhile features and not argue about
> whether "cracking" tools should exist for all to use or not?

Oh, yeah, plus this. My first reason was "it would take too long" - then I must have had a mental block!

--
Matt Wheeler
m...@funkyhat.org

Re: Install Wizard 'Looks Too Complicated'
Matt Wheeler wrote:
> 2009/11/30 John Moser :
>
> Mainly just the bad press that Ubuntu would get as a result. Can you
> imagine the headlines there would be? "Ubuntu operating system hacks
> Windows computers"

Agreed on marketing, though again I tend to not care. It doesn't send information back anywhere and presents itself as a fairly useless tool for extracting the information to the human operator; this is just a useful feature.

> Technically speaking other tools are not "just as accessible" - who
> else ships out free live CDs?

Download and burn is easier than mail to my house 5 months from now...

> Again, while I have no problems with such tools being available, and
> find them useful, I think it would be a bad move for such a public
> distro as Ubuntu to start including such tools by default, purely
> from a marketing point of view. There's no way you're going to get “It
> can be used to test how secure my network is” to fly with even most
> tech press, let alone mainstream media.

Oh, that example was more for a technical argument. Although I like to publicly hammer brokenness, and shipping a network-manager-cracker in the repos would pretty much do just that; shipping it by default would make even the most basic "low hanging fruit" argument about how "WEP makes you more secure than plaintext" visibly moot. I can't actually see how this would be garnering bad press, aside from the business end (who wants the liability?)

Re: Install Wizard 'Looks Too Complicated'
James Westby wrote:
> On Mon Nov 30 13:47:34 -0500 2009 John Moser wrote:
>> List some not-silly reasons.
>
> You're serious? Ok.
>
> * Takes a long time to crack any password that's not in the dictionary
>   and more than a few characters long.
> * Rainbow tables would be too large to fit on the CD.

Actually, that's probably the best reason right there.

--
derek