
Re: Have I been hacked?



On Tuesday, January 13, 2015 12:13:19 PM Danny did opine
And Gene did reply:
> Hi,
> 
> I have read with interest all the responses and followed all the
> links. However, I realized something that I think we all (well, at
> least myself) forgot about ... and that is the importance of choosing
> a proper username ...
> 
> Authentication (usually) is a 2 step process ... as we all know ... a
> username and a password ... and since ssh is (mostly) referred to
> here ... we can accept that it is most definitely a 2 step process
> ...
> 
> So ... if I know the username I am already halfway there ... I just
> need to get the OTHER remaining 50% (by breaking the password) ... and
> (like someone mentioned) it will take immensely long for someone to
> break a 10 (I think it was 10) character password ... then why is the
> importance of a good username ignored ... if I have a (creepy)
> username of 10 characters it will take a black hat twice as long to
> get what he wants ... or am I misleading myself (and others) here ...
> are we not putting too much emphasis/pressure on a good password
> where the pressure could be spread between the username AND password
> ... just asking ...

10 characters is entirely within the realm of being solved by john in a 
surprisingly short time.  But every character you add makes its job around 
62 more times as difficult.  ANY password I am forced to use online, has 
an automatic minimum by my own rules of 18 chars, and if it's acceptable 
on the other end, may be 23 or 24.

Please be aware that your banking site may appear to accept a 24 char 
password, but they will silently clip off the surplus above 12 or so.
So your password is always wrong. In that case it's best to get on the 
squawkbox with them so they can reset your access since most will lock 
you out for a day or more after 3 fails.  Then try again, stripping one 
character at a time off what you enter, until you find their idiotic 
smaller limit and it works.  Frankly it's a right Pain In The Ass. 

> Someone also mentioned black-hats ... I think that black-hats are a
> necessary evil ... just like lawyers ;) ... I understand some
> mechanical things better than others, like hydraulics and pneumatics
> ... mechanical engineering is no obstacle to me ... however ... I
> have difficulty in getting my head wrapped around things like squid,
> iptables, procmail, regexp ... some of you have no difficulty in any
> of these but have difficulty in mechanical stuff ... it is supposed
> to be like that ... when I think of black-hats I think of the green
> Matrix screen ... they are a special breed ... they see things that
> white hats don't see because it is their nature ... Just like car
> mechanics can tune/alter an engine so can black-hats tune alter a
> TCP/IP stream/payload ...
> 
> Am I right in saying that there is actually nothing new when it comes
> to networking ... hear me out ... the internet (and most networks out
> there) still works on TCP/IP which is 40 odd years old (70's) ... a
> car mechanic only needs to know how an engine works ... you can bolt
> on many other things onto an engine and add a plethora of sensors to
> it but essentially it remains an engine ... if you understand the way
> an engine or an automatic/manual transmission works you can
> confidently service/overhaul any engine/transmission  because they
> all are made up of the same stuff and they all work the same ... and
> this is my point with TCP/IP ... EVERYTHING is dumped on top of
> TCP/IP ... yet it remains the same ... a black hat only needs to know
> TCP/IP in order to knock on your door ... once he knocked on your
> door it means that he has found you ... he knows you are there ...
> all he has to do is look at the Matrix screen ... am I making sense?
> ...
> 
> Have a nice day
> 
> Danny

Perfect sense Danny, but I have no clue if a new, potentially more secure 
method is in development.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
US V Castleman, SCOTUS, Mar 2014 is grounds for Impeaching SCOTUS
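
The silent-clipping failure described in the reply above, as an added example that is not part of the original message or of any real site's code. The classes, the 12-character clip ("12 or so" in the post), the 128-character maximum and the sample password are all constructed for illustration; the hardened variant hashes the whole password and rejects over-length input with an error instead of dropping it.

```python
import hashlib, hmac, math, os

ALPHABET = 62          # a-z, A-Z, 0-9: the per-character factor used in the post
CLIP = 12              # assumed silent limit ("12 or so" in the post)
ITERATIONS = 50_000    # kept low so the demo runs quickly

def keyspace_bits(length, alphabet=ALPHABET):
    """Bits of brute-force work for a random password of this length."""
    return length * math.log2(alphabet)

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class ClippingSite:
    """Hypothetical site: set-password silently truncates, login does not."""
    def __init__(self):
        self.salt, self.digest = os.urandom(16), None

    def set_password(self, pw):
        self.digest = _hash(pw[:CLIP], self.salt)   # surplus dropped, no error

    def login(self, pw):
        return hmac.compare_digest(self.digest, _hash(pw, self.salt))

class StrictSite(ClippingSite):
    """Hardened variant: hash everything, refuse input over a stated maximum."""
    MAX_LEN = 128      # assumed limit, shown to the user rather than hidden

    def set_password(self, pw):
        if len(pw) > self.MAX_LEN:
            raise ValueError(f"password longer than {self.MAX_LEN} characters")
        self.digest = _hash(pw, self.salt)

def find_clip_length(site, pw):
    """Strip one character at a time until login works; return that length."""
    for n in range(len(pw), 0, -1):
        if site.login(pw[:n]):
            return n
    return None
```

With a 24-character password, the clipping site stores only about 71 of the roughly 143 bits the user thinks they chose, and the full password never logs in.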

