[CentOS] an actual hacked machine, in a preserved state

m.roth at 5-cent.us m.roth at 5-cent.us
Tue Jan 3 22:35:21 UTC 2012


Bennett Haselton wrote:
> On 1/3/2012 12:32 PM, m.roth at 5-cent.us wrote:
>> Bennett Haselton wrote:
>>> mark wrote:
>> <snip>
>>>>> 1. How will you generate "truly random"? Clicks on a Geiger counter?
>>>>> There is no such thing as a random number generator.
<snip>
>>>
>>> To date, *nobody* on this thread has ever responded when I said that
>>> there are 10^21 possible such passwords and as such I don't think that
>>> the password can be brute-forced in that way.  Almost every time I said
>> Ok, I'll answer, here and now: YOU IGNORED MY QUESTION: HOW WILL YOU
>> "RANDOMLY" GENERATE THE PASSWORDS? All algorithmic ones are
>> pseudo-random.
>> If someone has any idea what the o/s is, they can guess which
>> pseudo-random generator you're using, and can try different salts.

> I generally change them from the values assigned by the hosting company,
> and just bang my fingers around on the keyboard, with the shift key
> randomly on and off for good measure :)  This also removes the

Real random, there. Do you also use a Dvorak keyboard, or a std. querty?
You want to be there aren't algorithms out there for guessing that?
Certainly, until this minute, I hadn't thought of it, but I'll be there
is.

> possibility that an incompetent hosting company will store their own

Hosting co? You're hosted somewhere? And an admin there can't get into
your snapshot and add a back door?

> copy of the password somewhere that it can be compromised.  Even when
> that possibility is very unlikely, it's still astronomically more likely
> than the attacker guessing the password by brute force.

Question 1: why is it that brute force attacks go on, day and night,
everywhere? I see plenty of them here, when fail2ban tells me it's banning
an IP.
>
> But even if someone did not do that, don't most Linux distros a good
> crypto-random number generator for generating new passwords, when
> they're picked by the machine and not the user?  You can use salts that

They're all pseudo-random. Unless, maybe, you can get truly random with
quantum computing, all you can ever do is pseudo-random.
<snip
>> Without fail2ban, or something like it, they'll hit your system
>> thousands of times an hour, at least. Sooner or later, they'll get lucky.
>
> OK do you *literally mean that* -- that with 10^21 possible passwords
> that an attacker has to search, I have to worry about the attacker
> "getting lucky" if they're trying "thousands of times per hour"?
>
>> But I suppose you'll ignore this, as well.

Oh, and your system wasn't compromised, so all of us are wrong, and you're
correct.

This thread's killfiled for me - it's pointless.

      mark




More information about the CentOS mailing list