[CentOS] an actual hacked machine, in a preserved state

Tue Jan 3 21:06:55 UTC 2012
Bennett Haselton <bennett at peacefire.org>

On 1/3/2012 12:32 PM, m.roth at 5-cent.us wrote:
> Bennett Haselton wrote:
>> mark wrote:
> <snip>
>>>> 1. How will you generate "truly random"? Clicks on a Geiger counter?
>>>> There is no such thing as a random number generator.
> <snip>
>> That there are 10^21 possible random 12-character alphanumeric passwords
>> -- making it secure against brute-forcing -- is a fact, not an opinion.
>>
>> To date, *nobody* on this thread has ever responded when I said that
>> there are 10^21 possible such passwords and as such I don't think that
>> the password can be brute-forced in that way.  Almost every time I said
> Ok, I'll answer, here and now: YOU IGNORED MY QUESTION: HOW WILL YOU
> "RANDOMLY" GENERATE THE PASSWORDS? All algorithmic ones are pseudo-random.
> If someone has any idea what the o/s is, they can guess which
> pseudo-random generator you're using, and can try different salts.
I generally change them from the values assigned by the hosting company, 
and just bang my fingers around on the keyboard, with the shift key 
randomly on and off for good measure :)  This also removes the 
possibility that an incompetent hosting company will store their own 
copy of the password somewhere that it can be compromised.  Even when 
that possibility is very unlikely, it's still astronomically more likely 
than the attacker guessing the password by brute force.

But even if someone did not do that, don't most Linux distros have a good 
crypto-random number generator for generating new passwords, when 
they're picked by the machine and not the user?  You can use salts that 
depend on the low bits of high-precision performance counters, and other 
values that are impossible for an attacker to predict.  If any Linux 
implementation is using anything less than a cryptographically strong 
generator for creating passwords, like I said it's not my problem, but I 
would take that up with the developers.

> Someone
> here posted a link to the Rainbow tables, and precomputed partial lists.
> <snip>
>> Again: Do you think I'm wrong that if you use a 12-character mixed-case
>> alphanumeric password, then switching to sshkeys or using fail2ban will
>> not make the system any more secure?  If you think I'm wrong, why?  What
>> is the exact scenario that you think those would prevent?
> Without fail2ban, or something like it, they'll hit your system thousands
> of times an hour, at least. Sooner or later, they'll get lucky.

OK do you *literally mean that* -- that with 10^21 possible passwords 
that an attacker has to search, I have to worry about the attacker 
"getting lucky" if they're trying "thousands of times per hour"?

> But I suppose you'll ignore this, as well.
>
>          mark
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
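
Added example, not part of the original message or the thread: one way to draw a 12-character mixed-case alphanumeric password from the kernel CSPRNG without modulo bias, and to put numbers on the keyspace and online-guessing odds discussed above. The function names and the 5000 guesses/hour rate are assumptions chosen for illustration.

```python
import math
import os
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, mixed-case alphanumeric


def generate_password(length=12, alphabet=ALPHABET, rand_bytes=os.urandom):
    """Draw each character from the kernel CSPRNG with rejection sampling.

    A byte has 256 values and 256 % 62 != 0, so `byte % 62` alone would
    favour the first symbols. Bytes at or above the largest multiple of
    len(alphabet) are discarded so every symbol stays equally likely.
    """
    n = len(alphabet)
    if not 1 < n <= 256:
        raise ValueError("alphabet must have 2..256 symbols")
    limit = 256 - (256 % n)  # 248 for 62 symbols
    out = []
    while len(out) < length:
        for b in rand_bytes(2 * length):
            if b < limit and len(out) < length:
                out.append(alphabet[b % n])
    return "".join(out)


def keyspace(length=12, alphabet=ALPHABET):
    return len(alphabet) ** length


def online_guess_probability(guesses_per_hour, years, space):
    """Chance that distinct guesses hit one uniformly chosen password."""
    guesses = guesses_per_hour * 24 * 365 * years
    return min(1.0, guesses / space)


def years_to_half_keyspace(guesses_per_hour, space):
    return (space / 2) / (guesses_per_hour * 24 * 365)


if __name__ == "__main__":
    space = keyspace()
    print("sample password:", generate_password())
    print(f"keyspace: {space:.3e} (~{math.log2(space):.1f} bits)")
    # 5000/hour is a constructed stand-in for "thousands of times an hour".
    print(f"P(hit in 10 years at 5000/h): {online_guess_probability(5000, 10, space):.2e}")
    print(f"years to cover half the space: {years_to_half_keyspace(5000, space):.2e}")
```

These figures hold only for a password chosen uniformly at random and guessed online; they say nothing about an offline attack on a stolen hash or a password typed by hand.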