#71
Any GIMP users (Linux)
J. Clarke wrote:
Sounds to me like you're grasping at a straw to find something to complain about. Has there ever been a case of a Windows system being compromised by extracting the password list via a buffer overrun then cracking the password list using a rainbow table attack?

As far as I know, no. It has never been necessary to go to all that trouble. The basic problem is that Windows was *designed* to be insecure. The notion was to enable outsiders, including Microsoft, to download and run programs on a machine without user permission. This was meant as a feature. It also meant that companies could enforce rights management again without user permission. This was known at the time to be an *awful* design, but Microsoft knew better. Ever since Microsoft has been attempting to build security into a badly designed original OS. One hopes that the next version will be better.

I'll also add that depending on users using long random sequences of characters as passwords and similar good ideas (seriously) are doomed to failure because users simply won't do that. A good security model has to take that into account too.

--- Paul J. Gans
#72
"J. Clarke" writes:
Måns Rullgård wrote: "J. Clarke" writes: Måns Rullgård wrote: "J. Clarke" writes: Måns Rullgård wrote: "David J. Littleboy" writes: "Richard Kettlewell" wrote: "J. Clarke" writes:

I'm not sure why you're on about this though. Any decent system locks out attempted logins after a few failures, so rainbow table attacks don't work for gaining access.

This kind of brute-force attack does not attempt to login, but works directly on the encrypted passwords.

How do you get access to encrypted passwords without logging in?

You might be able to trick some server into sending them, for instance using a buffer overflow attack.

At that point you've already busted the server so why do you need them?

Perhaps all you can use that bug for is reading files already on the system. Getting the passwords will allow you full access.

Sounds to me like you're grasping at a straw to find something to complain about. Has there ever been a case of a Windows system being compromised by extracting the password list via a buffer overrun then cracking the password list using a rainbow table attack?

I don't know of any cases where it was actually used. However, I do recall there being a bug in the form handling in some web browser whereby it could be made to send any file as a POST upload.

Any file, or just those to which the user had access?

No difference on most windows machines.

--
Måns Rullgård
#73
"David J. Littleboy" writes:
"Richard Kettlewell" wrote: "J. Clarke" writes:

I'm not sure why you're on about this though. Any decent system locks out attempted logins after a few failures, so rainbow table attacks don't work for gaining access.

This kind of brute-force attack does not attempt to login, but works directly on the encrypted passwords.

How do you get access to encrypted passwords without logging in?

Steal a backup tape. Exploit a bug which gives you RO access to the relevant file. Bribe or otherwise coerce someone. Crack a different system where someone uses the same password. Take a copy before you got fired. If it wasn't possible, nobody would need to invent password encryption schemes...

--
http://www.greenend.org.uk/rjk/
#74
Måns Rullgård wrote:
"J. Clarke" writes: Måns Rullgård wrote: "J. Clarke" writes: Måns Rullgård wrote: "J. Clarke" writes: Måns Rullgård wrote: "David J. Littleboy" writes: "Richard Kettlewell" wrote: "J. Clarke" writes:

I'm not sure why you're on about this though. Any decent system locks out attempted logins after a few failures, so rainbow table attacks don't work for gaining access.

This kind of brute-force attack does not attempt to login, but works directly on the encrypted passwords.

How do you get access to encrypted passwords without logging in?

You might be able to trick some server into sending them, for instance using a buffer overflow attack.

At that point you've already busted the server so why do you need them?

Perhaps all you can use that bug for is reading files already on the system. Getting the passwords will allow you full access.

Sounds to me like you're grasping at a straw to find something to complain about. Has there ever been a case of a Windows system being compromised by extracting the password list via a buffer overrun then cracking the password list using a rainbow table attack?

I don't know of any cases where it was actually used. However, I do recall there being a bug in the form handling in some web browser whereby it could be made to send any file as a POST upload.

Any file, or just those to which the user had access?

No difference on most windows machines.

Only those on which users run as administrator.

--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net)
#75
Richard Kettlewell wrote:
"David J. Littleboy" writes: "Richard Kettlewell" wrote: "J. Clarke" writes:

I'm not sure why you're on about this though. Any decent system locks out attempted logins after a few failures, so rainbow table attacks don't work for gaining access.

This kind of brute-force attack does not attempt to login, but works directly on the encrypted passwords.

How do you get access to encrypted passwords without logging in?

Steal a backup tape. Exploit a bug which gives you RO access to the relevant file. Bribe or otherwise coerce someone. Crack a different system where someone uses the same password. Take a copy before you got fired. If it wasn't possible, nobody would need to invent password encryption schemes...

If someone is willing to go to that amount of trouble they're going to get in no matter what you do. Salt or no salt is going to make no real difference at that level.

--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net)
#76
"J. Clarke" writes:
Richard Kettlewell wrote:

Steal a backup tape. Exploit a bug which gives you RO access to the relevant file. Bribe or otherwise coerce someone. Crack a different system where someone uses the same password. Take a copy before you got fired. If it wasn't possible, nobody would need to invent password encryption schemes...

If someone is willing to go to that amount of trouble they're going to get in no matter what you do. Salt or no salt is going to make no real difference at that level.

So the whole thing is just a ruse to keep underemployed cryptographers off the street? Right...

--
http://www.greenend.org.uk/rjk/
#77
Richard Kettlewell wrote:
"J. Clarke" writes: Richard Kettlewell wrote:

Steal a backup tape. Exploit a bug which gives you RO access to the relevant file. Bribe or otherwise coerce someone. Crack a different system where someone uses the same password. Take a copy before you got fired. If it wasn't possible, nobody would need to invent password encryption schemes...

If someone is willing to go to that amount of trouble they're going to get in no matter what you do. Salt or no salt is going to make no real difference at that level.

So the whole thing is just a ruse to keep underemployed cryptographers off the street? Right...

There are applications in which it is necessary to "keep ahead of the Joneses" so to speak, but generally neither Linux nor Windows would be used in such situations.

--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net)
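Added example, not part of any post in this thread: the offline case argued over in the posts above, where a copy of the stored password hashes has leaked (for instance on a backup tape) and login lockout no longer applies. It compares a fast unsalted hash with a per-account salt plus PBKDF2; the account names, passwords, word list and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, chosen for this example
# Constructed sample data: alice and bob share a common password.
ACCOUNTS = {"alice": "sunshine", "bob": "sunshine", "carol": "x9!Lq0-vTz"}
COMMON_WORDS = ["password", "sunshine", "letmein"]  # what a precomputed table covers


def unsalted_record(password):
    """Legacy scheme: one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Per-account random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, record):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def exposed_by_table(stored_hex_by_user, table):
    """Accounts whose stored value appears in a table computed once, in advance."""
    return sorted(u for u, h in stored_hex_by_user.items() if h in table)


def audit():
    # The table is built before any account's salt is known, as a rainbow table is.
    table = {unsalted_record(w): w for w in COMMON_WORDS}
    legacy = {u: unsalted_record(p) for u, p in ACCOUNTS.items()}
    salted = {u: salted_record(p) for u, p in ACCOUNTS.items()}
    salted_hex = {u: d.hex() for u, (_, d) in salted.items()}
    return {
        "legacy_exposed": exposed_by_table(legacy, table),
        "salted_exposed": exposed_by_table(salted_hex, table),
        "legacy_duplicates_visible": legacy["alice"] == legacy["bob"],
        "salted_duplicates_visible": salted["alice"][1] == salted["bob"][1],
        "login_still_works": verify("sunshine", salted["alice"]),
    }


if __name__ == "__main__":
    print(audit())
```

With the salt, a weak password can still be guessed, but each guess has to be recomputed per account at the full KDF cost instead of being looked up once for every account.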
#78
"joe mama" wrote in
om:

hi, i am muther-f'ing sick of windows, bill gates, and redmond, wa. as well. i want to migrate over to linux, but need to know if the gimp is even close to PS CS2 in quality. my main concern is being able to use layers via PS, and curves. I don't use too many filters, and the soft focus, Gaussian blur ones seem to be in the gimp. thanks for any help....

Hi, A little late to the party, but check this one out: 32bit, layers and colour management: http://www.koffice.org/krita/
#79
On Sun, 14 May 2006 04:53:26 +0000 (UTC), Paul J Gans wrote:
"As for updates/upgrades and security -- far better than windows"

Never has been the case. At least if you disregard 95x, 98x+ products which never had security in mind from its outset. In fact IP was not a default, and was added later after the Internet took off. How many years did NT run before its first breach? A breach enabled via a hacked Unix server/s.

This is incorrect. NT was good but never a real target for hackers. Windows XP started out terribly and had a totally insecure design. The idea that an outside agent can download a program into your computer and run it without your intervention is (a) a Microsoft idea incorporated in Windows and (b) a horrible security hole that was *known* to be a horrible hole before Microsoft used it.

As to haxoring Linux? LOL, from its inception it was rootable, yes, things have tightened up considerably and now they tighten up the software as well, why? In the hopes we won't have fun. If Linux users are like Windows Users, and most are nowadays, they don't bother to get the security fixes so their systems are as open as any others.

Wrong. The only real change in the Linux security model was to turn on all security by default. That was done some time ago. It is not easy to hack into a Linux system. Further, if one does, it is usually not by exploiting a hole in the system. That's basically not done. The reason is that the few holes get fixed within hours, days at the most. Most break-ins are due to guessable passwords and the like. Even so, if you break into a user account, that does NOT give you access to the entire system. You can screw the user but you won't bring the system down.

Hope you're right, but I came across a message the other day from a couple of months ago in alt.comp.hardware.amd.x86-64 that's a bit chilling in its premise that new technology will be arriving that in the right/wrong hands of a select few may give total access to any computers not isolated from the internet or local networks.

Here's part of the msg:

=============================================
NNTP-Posting-Date: Sat, 25 Mar 2006 21:39:44 -0600
From: billy
Newsgroups: alt.comp.hardware.amd.x86-64
Subject: Will Intel catch up to AMD this year?
Date: Sat, 25 Mar 2006 19:40:35 -0800
Message-ID:

snippage

Intel quietly adds DRM to new chips
Friday 27 May 2005 - 11:02
http://www.digitmag.co.uk/news/index.cfm?NewsID=4915

Microsoft and the entertainment industry's holy grail of controlling copyright through the motherboard has moved a step closer with Intel Corp. now embedding digital rights management within its latest dual-core processor Pentium D and accompanying 945 chipset.

Officially launched worldwide on the May 26, the new offerings come DRM-enabled and will, at least in theory, allow copyright holders to prevent unauthorized copying and distribution of copyrighted materials from the motherboard rather than through the operating system as is currently the case.

While Intel steered clear of mentioning the new DRM technology at its Australian launch of the new products, Intel's Australian technical manager Graham Tucker publicly confirmed Microsoft-flavored DRM technology will be a feature of Pentium D and 945.

"[The] 945g [chipset] supports DRM, it helps implement Microsoft's DRM ... but it supports DRM looking forward," Tucker said, adding the DRM technology would not be able to be applied retrospectively to media or files that did not interoperate with the new technology.

However, Tucker ducked questions regarding technical details of how embedded DRM would work saying it was not in the interests of his company to spell out how the technology in the interests of security.

The situation presents an interesting dilemma for IT security managers as they may now be beholden to hardware-embedded security over which they have little say, information or control.

Conversely, Intel is heavily promoting what it calls "active management technology" (AMT) in the new chips as a major plus for system administrators and enterprise IT. Understood to be a sub-operating system residing in the chip's firmware, AMT will allow administrators to both monitor or control individual machines independent of an operating system.

Additionally, AMT also features what Intel calls "IDE redirection" which will allow administrators to remotely enable, disable or format or configure individual drives and reload operating systems and software from remote locations, again independent of operating systems. Both AMT and IDE control are enabled by a new network interface controller.

"We all know our [operating system] friends don't crash that often, but it does happen," Tucker said.

Intel's reticence to speak publicly about what lies under the hood of its latest firmware technology has also prompted calls to come clean from IT security experts, including Queensland University of Technology's assistant dean for strategy and innovation, IT faculty, Bill Caelli.

"It's a dual use technology. It's got uses and misuses. Intel has to answer what guarantees it is prepared to give that home users are safe from hackers. Not maybes, guarantees".

Caelli said it was "critical Intel comes clean" about how the current DRM technology is embedded into the new CPU and chipset offering.

Microsoft was unavailable for comment at press time.
=============================================

Sounds like nothing less than an undetectable back door buried in the hardware, to allow corporate and gov't snoops to do more than just administer networks, but to also allow clandestine remote examination and possibly manipulation of the hardware and software contents of computers. This new hardware could *really* be useful to the "right" people if it is installed in voting machines. Both MS and Intel have in the past been caught designing "stealth snoop" features in their software and hardware.

"Say no more, say no more." -- John Cleese