How to secure my vps - Page 2
Comments

  • raindog308 (Administrator, Veteran)

    csf lets you block by country. Probably other firewalls do as well.

  • @thomaz said:
    But there are many "networks" even from a single country. In fact more than 98% of my system attackers come from one country. So cutting a single country will cut >98% of attacks.

    That's a post hoc fallacy. Just because the vast majority of the abuse you see today comes from China (or Russia would be my other guess, based on the origins of the attacks I see myself) doesn't mean that absolutely everyone there is out to get you.

    All you really know is that 100% of the attacks come from the networks that are attacking you. No matter what you decide to block, you will still end up with 100% of the attacks coming in that way.

  • raindog308 (Administrator, Veteran)

    impossiblystupid said: That's a post hoc fallacy. Just because the vast majority of the abuse you see today comes from China (or Russia would be my other guess, based on the origins of the attacks I see myself) doesn't mean that absolutely everyone there is out to get you.

    It's not a post hoc fallacy because you added that last part to @thomaz's argument. He didn't say that.

    Here's a different take: I may have a site with zero legitimate users in China. So if I block China, I lose nothing and also avoid one of the major sources of attacks. I don't see a problem with that.

    impossiblystupid said: All you really know is that 100% of the attacks come from the networks that are attacking you.

    No, I actually have millions of other tautologies at my disposal.

  • @raindog308 said:
    It's not a post hoc fallacy because you added that last part to @thomaz's argument. He didn't say that.

    What are you talking about? I didn't attribute anything to thomaz that he didn't say. I merely pointed out that it makes no sense to blame all of China because you see a sample of 3 days of abusive traffic that originates (even 100%) from there.

    How large a sample could that really be? 100+ IPs? 50 distinct networks? The list of Chinese IP subnets I have numbers over 5000. I'll be happy to drop any one of them into my firewall if it is a source of abuse, but I'm not going to preemptively cut off all those billions of people for no other reason than the circumstance of their birth.

    Here's a different take: I may have a site with zero legitimate users in China. So if I block China, I lose nothing and also avoid one of the major sources of attacks. I don't see a problem with that.

    Nor do I. Nor would I have a problem with someone who could reasonably consider themselves the target of a state-sponsored attack. Nor someone who takes issue with China's human rights record. Nor someone who is just a straight-up racist. Those are all "reasonable" excuses to block by country.

    But they're all complete straw man arguments; the issue here is about what can and can't be concluded from looking at a log file. Just because all A are C doesn't mean that all C are A.

  • raindog308 (Administrator, Veteran)

    @impossiblystupid said:

    @raindog308 said:
    It's not a post hoc fallacy because you added that last part to @thomaz's argument. He didn't say that.

    What are you talking about? I didn't attribute anything to thomaz that he didn't say. I merely pointed out that it makes no sense to blame all of China because you see a sample of 3 days of abusive traffic that originates (even 100%) from there.

    It's very tedious to dialogue with someone who insists on splitting every hair.

    @thomaz said zero about blame. You said:

    "That's a post hoc fallacy. Just because the vast majority of the abuse you see today comes from China (or Russia would be my other guess, based on the origins of the attacks I see myself) doesn't mean that absolutely everyone there is out to get you."

    That is an attempt by you to put a post hoc fallacy in @thomaz's mouth. @thomaz never said that he thought all of China was out to get him. You said @thomaz said that, and then accused him of a post hoc fallacy. For all you know, @thomaz is consumed with regret at blocking hundreds of millions of innocent users.

    @impossiblystupid said: But they're all complete straw man arguments; the issue here is about what can and can't be concluded from looking at a log file.

    Why not? If I had 10,000+ attacks from one country in 3 days I'd surely draw some conclusions.

    I think you're missing the bigger picture:

    • You have tens of thousands of attacks from China in a three day period.
    • You don't care about legitimate traffic from China.
    • You block China and thereby eliminate the attacks.

    OMG.

    Here's a practical example. @Francisco's BuyVM is popular with the Chinese market. I've periodically got a box from him and seen a ton of connections from China - presumably people looking for whatever was on that old box.

    Now I could be surgical and drop each IP or each subnet into iptables...or I could just block cn. The latter accomplishes the goal faster without constant attention. Your quibble about being overbroad really doesn't apply. Different story if we're running un.org and it needs to be available for anywhere, but for lots of things...it's OK to paint with broad strokes.

  • Except for this part

    @thomaz said:
    1. Use a very long root password (of course use digit, Upper/lower letters, symbols)

    It's all about the number of bits, not the format. If it's a password you have to remember, you're a lot better off simply using a longer phrase rather than trying to get F4~cY.

    @impossiblystupid has got it quite right. (No, it's not just the number of bits but also the domain, i.e. the set of chars out of which the password can be formed).

    I'd like to add/mention two points that are usually not seen:

    • No, keys are not somehow magically more secure than passwords. The problem with passwords, however, is that they are almost always way too short. For something sensitive like SSH 30 or more characters are strongly desirable.
      Unfortunately computers are much better at remembering arbitrarily long character strings than humans, and so many security people (real ones or clueless ones) suggest using "weird sentences" like "dog accumulator perceiving ridiculous poems". Unfortunately that's bad advice, as there has been quite some algorithmic progress in cracking multi-word passphrases (the problem there is that the components/words are still normal dictionary material).

    Probably the best way is hence to come up with and use "maimed" passphrases, i.e.: come up with something you can remember, say "Melpomene strongly prefers 36bit Sempuku computers", then replace spaces by some scheme that is individual but which you can remember well, for instance by the characters in a long word, preferably one that is not in a dictionary, such as your city of birth. Also be sure to use upper/lower case ignoring grammar rules. If you want considerably better security (due to larger domain) you should add some special characters according to some scheme you can remember well. Another way to considerably enhance passphrase strength is to make up your base sentence in a language that is not yours nor English.

    Putting all that to work, the passphrase might end up being: "melPomèneBAimeoquerdeSd36ebItesemPukuaordinateurs" (I left out weird symbols due to this being shown in html).

    Alternatively, let the computer help you -> echo "my super secret password" | sha256

    • It's rarely mentioned but way more important than most of the tips given: tighten down your SSL and SSH configs (server side), particularly the ciphers portion! Throw out old crap, throw out NIST-tainted crap, etc.
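    As an added illustration of the "tighten the ciphers portion" tip (this is example code, not something bsdguy or any project posted): the script below parses the algorithm lists that `sshd -T` prints (a constructed sample is embedded), flags every cipher, MAC and key-exchange method that is not on an allowlist, and renders the three sshd_config lines that would keep only the allowed ones. The allowlist itself is an assumption of this example: it keeps the AEAD and CTR ciphers, encrypt-then-MAC SHA-2 MACs and curve25519 / group-exchange KEX, and treats CBC, RC4, SHA-1 and MD5 entries as weak. Adjust it to your own policy.

```python
"""Audit an OpenSSH server's algorithm lists from `sshd -T` output (added example)."""
import re

# Allowlists assumed for this example (current OpenSSH algorithm names).
ALLOWED = {
    "ciphers": {
        "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
        "aes128-gcm@openssh.com", "aes256-ctr", "aes128-ctr",
    },
    "macs": {
        "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
        "umac-128-etm@openssh.com",
    },
    "kexalgorithms": {
        "curve25519-sha256", "curve25519-sha256@libssh.org",
        "diffie-hellman-group-exchange-sha256",
    },
}

# Constructed sample of `sshd -T` output; only the three keywords below matter here.
SAMPLE_SSHD_T = """\
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc,3des-cbc,arcfour
macs hmac-sha2-256-etm@openssh.com,hmac-sha1,hmac-md5
kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
"""

CONFIG_KEYWORD = {"ciphers": "Ciphers", "macs": "MACs", "kexalgorithms": "KexAlgorithms"}


def parse_sshd_t(text):
    """Return {keyword: [algorithm, ...]} for the algorithm-list keywords only."""
    lists = {}
    for line in text.splitlines():
        parts = re.split(r"\s+", line.strip(), maxsplit=1)
        if len(parts) == 2 and parts[0] in ALLOWED:
            lists[parts[0]] = [a for a in parts[1].split(",") if a]
    return lists


def find_weak(lists):
    """Return {keyword: [algorithms that are not on the allowlist]}."""
    return {k: [a for a in algs if a not in ALLOWED[k]] for k, algs in lists.items()}


def hardened_config(lists):
    """Render sshd_config lines that keep only allowed algorithms, in server order."""
    out = []
    for k in ("ciphers", "macs", "kexalgorithms"):
        kept = [a for a in lists.get(k, []) if a in ALLOWED[k]]
        if kept:
            out.append(f"{CONFIG_KEYWORD[k]} {','.join(kept)}")
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_sshd_t(SAMPLE_SSHD_T)
    for keyword, weak in find_weak(parsed).items():
        print(f"{keyword}: remove {', '.join(weak) or 'nothing'}")
    print("--- suggested sshd_config lines ---")
    print(hardened_config(parsed))
```

    On a live host you would feed it the real output of `sshd -T` (run as root, since it reads the server config and host keys); the rendered lines go into sshd_config, after which `sshd -t` validates the file before a restart.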
  • raindog308 (Administrator, Veteran)

    bsdguy said: No, keys are not somehow magically more secure than passwords.

    I thought the theory was that keys were slightly more magic because they were "something you have" in addition to "something you know". You might be using your space satellite to peer through my office window and oversee me typing my password and learn the phrase. But with a key, you also have to have that private key file - just knowing its passphrase isn't enough.

    bsdguy said: nist tainted crap

    AES amirite?

  • bsdguy (Member)
    edited March 2017

    @raindog308 said:

    bsdguy said: No, keys are not somehow magically more secure than passwords.

    I thought the theory was that keys were slightly more magic because they were "something you have" in addition to "something you know". You might be using your space satellite to peer through my office window and oversee me typing my password and learn the phrase. But with a key, you also have to have that private key file - just knowing its passphrase isn't enough.

    In reality keys are more secure due to two factors: a) larger domain, and b) fully used domain.

    The first one means that keys actually use all 8 bits in a char where humans usually use only about 6 bits. Doesn't sound like much, but looking at the math and at typical password length the difference gets huge.
    The second one means that key algorithms at least look like, and to a large degree indeed do, create pseudo-random keys. Humans, however, follow a brutally limiting inner logic, things like grammar and words, which limits them to just a tiny fraction of what the domain could produce.

    Practical view: Any key generated by some algorithm looks like just an arbitrary string. Passphrases, however, don't; they are usually made up of words, and it's exactly that "human inner logic" based on which passphrases are created that is pretty much always the basis for attacks. Dictionary based attacks are a good example.

    As for the "you have" vs. the "you know", it's much more complicated than what most people think. Example: "Some key I have" actually must mean "some key only I have" to make sense, which, however, immediately leads to a predicate in that the "only I" must be safely true.
    Ugly example: For a while now the cops in some countries sneak up on you and take away your smartphone while you use it. Then one of them takes care of you while the other one only touches and swipes the phone so as to keep it open and to bring it to their lab where they steal all your "I have".
    Another ugly example of attacks on "I have" are MITM attacks and/or faked or duplicated or stolen certs or private keys. That's a major problem domain and it all falls back on the above predicate not being true.

    bsdguy said: nist tainted crap

    AES amirite?

    Possibly. There is not yet consensus on AES. I personally don't assume it to be tainted for 3 reasons: a) it was developed in Belgium, b) I know the designers behind it and they are very experienced and knowledgeable experts and not the kind of persons who easily sell out, c) the math is right (and has been extensively checked by experts).

    That said, in my own software I pretty much always have multiple ciphers that are also based on different base constructs and typically from different regions. One should not bet everything on 1 cipher only. The reason is not even so much that I distrust some cryptographers (I do) but that math has the inherent property that something that was extremely hard today might well be very easy tomorrow (the most well known example is pq crypto).

    My biggest concern re. nist-tainted are pseudo random number generators and anything rsa related (rsa is a crapbox whore).

  • @bsdguy said:
    The first one meaning that keys actually use all 8 bits in a char where humans usually use but about 6 bits. Doesn't sound like much but looking at the math and at typical password length the difference gets huge.

    Yes, keys are more secure in the sense that keys are "random" bits. Only a brute force attack can crack a key. Passwords, on the other hand, can easily be found in a dictionary (e.g. "password", "Passw0rd" and "P@ssw0rd" are commonly used passwords which can be found in a password dictionary).

    But a password can be remembered; you don't need a hard copy. Keys, on the other hand, cannot be remembered. You need to bring the physical keys in order to do the decryption. I have found many times that the keys were left in /tmp, c:/windows/temp (php upload folder), or even on the desktop.

    @bsdguy said:
    That said, in my own software I pretty much always have multiple ciphers that are also based on different base constructs and typically from different regions.

    Me too. Most of my software uses multiple (combinations of) ciphers. So even if you got the key, you still cannot decrypt the data because you don't know the ciphers behind it. My belief is: Cracking a known cipher is much easier than cracking an unknown cipher.

  • @thomaz said:

    @bsdguy said:
    That said, in my own software I pretty much always have multiple ciphers that are also based on different base constructs and typically from different regions.

    Me too. Most of my software uses multiple (combinations of) ciphers. So even if you got the key, you still cannot decrypt the data because you don't know the ciphers behind it. My belief is: Cracking a known cipher is much easier than cracking an unknown cipher.

    That not only isn't what I said but that actually strikes me as questionable.

    I was talking about, e.g., Feistel based and sponge based algorithms, or about RSA and ECC algorithms. While my software usually isn't open sourced (due to clients not wanting that) I would absolutely not rely on "attackers don't know my ciphers"; frankly, I think that would be lousy security. Kerckhoffs' principle absolutely applies and is correct. Do not rely on secret magic but rather rely on high quality ciphers.

    And: Definitely no, cracking a known cipher is not easier. Not if it's a good quality cipher.

  • thomaz (Member)
    edited March 2017

    @bsdguy said:
    Do not rely on secret magic but rather rely on high quality ciphers.

    And: Definitely no, cracking a known cipher is not easier. Not if it's a good quality cipher.

    Partially agree. My experience is that once the hackers know the cipher, their remaining job is simply peeking at the program's runtime memory (or even the program's static data - an inexperienced programmer will hard-code the key in the program) or debugging the program to reveal the key.

    So our rules in data encryption programming are 1. Use a combination of high quality ciphers; 2. Never store the key in program or in memory (variables).

  • @raindog308 said:
    It's very tedious to dialogue with someone who insists on splitting every hair.

    And then you go on to do exactly that kind of hair splitting to mischaracterize my statements. Has jarland been passing around whatever it was he was huffing a couple weeks ago? :-)

    That is an attempt by you to put a post hoc fallacy in @thomaz's mouth. @thomaz never said that he thought all of China was out to get him. You said @thomaz said that,

    No, I didn't. I never said he said anything at all. I simply used an analogy and a colloquialism to point out how it is a fallacy to conclude that blocking all of China makes sense. Yes, it would accomplish the task of stopping all the attacks he had seen, but so would my suggested "tautology" of simply blocking the networks that had directly been the source of abuse.

    For all you know, @thomaz is consumed with regret at blocking hundreds of millions of innocent users.

    If so, that'd be another good reason to rethink his conclusion.

    If I had 10,000+ attacks from one country in 3 days I'd surely draw some conclusions.

    We all can and do, but we'd all be better served if we thought about the validity of those conclusions. And we can think about whether we like the idea of the same conclusions being drawn about us (I certainly wouldn't like my entire country to be blocked because of a few jerks I have no real connection with). And we can think about whether or not that approach will make sense in the general case/long term (What if next week 98% of attacks come from Russia? And from the USA the week after that? And on and on...)

    I think you're missing the bigger picture:

    I'm not. What you insist on missing is that your straw man really has nothing to do with examining log files for abuse at all. It boils down to:

    • You don't care about legitimate traffic from China.

    Case closed. No need to find an excuse to block them beyond that. Or any other country. Abuse in the log files or not. At some point, of course, it'll just make more sense to blacklist by default and whitelist networks you want to allow.

    it's OK to paint with broad strokes.

    Again, I have no problem with large blacklists. I just questioned whether or not a country-wide ban was the right thing to do in this case, especially for someone who admits to being inexperienced and in his first week of screwing around with a VPS.
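  The "block the networks that were actually the source of abuse" approach argued over above, as an added example that is not part of any post in the thread: the script reads sshd "Failed password" lines from auth.log (a constructed sample using TEST-NET addresses is embedded), collapses the offending IPs into /24 prefixes, lists the prefixes that cross a threshold as blocklist candidates, and reports what share of the failures that list would have covered. The threshold and the /24 granularity are assumptions; a firewall such as csf or iptables would be fed the resulting CIDRs.

```python
"""Aggregate SSH brute-force sources from auth.log into network prefixes (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample auth.log lines; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24
# are documentation ranges, so nothing here points at a real network.
SAMPLE_AUTH_LOG = """\
Mar  5 10:01:02 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar  5 10:01:05 vps sshd[1203]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar  5 10:01:09 vps sshd[1207]: Failed password for invalid user oracle from 203.0.113.77 port 40021 ssh2
Mar  5 10:02:11 vps sshd[1210]: Failed password for root from 198.51.100.9 port 33001 ssh2
Mar  5 10:02:30 vps sshd[1214]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
Mar  5 10:03:44 vps sshd[1220]: Failed password for invalid user test from 203.0.113.45 port 51301 ssh2
Mar  5 10:04:02 vps sshd[1222]: Failed password for invalid user guest from 198.51.100.9 port 33010 ssh2
"""

# Matches both "Failed password for root from X" and "... for invalid user NAME from X".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


def failed_sources(text):
    """Count failed-password attempts per source IP."""
    counts = Counter()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def aggregate_by_prefix(ip_counts, prefix_len=24):
    """Collapse per-IP counts into per-prefix counts, keyed by CIDR string."""
    nets = Counter()
    for ip, n in ip_counts.items():
        # strict=False lets a host address be turned into its containing network.
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        nets[str(net)] += n
    return nets


def blocklist_candidates(net_counts, min_attempts=3):
    """Prefixes with at least min_attempts failures, most abusive first."""
    return [net for net, n in net_counts.most_common() if n >= min_attempts]


def coverage(net_counts, candidates):
    """Share of all observed failures that the candidate list accounts for."""
    total = sum(net_counts.values())
    covered = sum(net_counts[c] for c in candidates)
    return covered / total if total else 0.0


if __name__ == "__main__":
    nets = aggregate_by_prefix(failed_sources(SAMPLE_AUTH_LOG))
    picks = blocklist_candidates(nets)
    print("candidate prefixes:", picks)
    print(f"covers {coverage(nets, picks):.0%} of failed logins")
```

  Re-running this periodically is what keeps the list honest: a prefix that stops showing up can be aged out, which a country-wide rule never does.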

  • @bsdguy, if you suggest to people to use the hash of a password as a password, some will understand hash('a') = very long/secure/random; it's not like that.
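  The entropy arithmetic behind bsdguy's "8 bits per char vs. about 6 bits" remark and the objection in the last comment that hashing a weak password does not make it strong, worked through as an added example (not code from any poster): the functions compute how many bits a password drawn from a given character set or word list carries, how long a typed password must be to match a random key of a given size, and how many distinct values a hash can produce when its input comes from a small candidate set. The character-set sizes and the tiny candidate list are constructed for the example.

```python
"""Password/key entropy arithmetic and the hash-does-not-add-entropy point (added example)."""
import hashlib
import math

# Constructed character-set sizes used below.
LOWERCASE = 26          # a-z
PRINTABLE_ASCII = 95    # space through '~', what a keyboard realistically offers
BYTE = 256              # every value a raw key byte can take


def bits_per_symbol(alphabet_size):
    """Entropy per symbol when each symbol is chosen uniformly from the alphabet."""
    return math.log2(alphabet_size)


def uniform_entropy_bits(alphabet_size, length):
    """Entropy of a string of `length` symbols chosen uniformly and independently."""
    return length * bits_per_symbol(alphabet_size)


def random_key_bits(nbytes):
    """A random key uses the full byte domain: 8 bits per byte."""
    return uniform_entropy_bits(BYTE, nbytes)


def length_to_match(alphabet_size, target_bits):
    """Shortest uniformly random string over the alphabet that reaches target_bits."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def wordlist_entropy_bits(wordlist_size, words):
    """Entropy of a passphrase of `words` words drawn uniformly from a known list.
    This is the upper bound an attacker who knows the list has to beat, whatever the
    words look like; it is why dictionary words remain dictionary material."""
    return uniform_entropy_bits(wordlist_size, words)


def distinct_hashes(candidates):
    """Number of distinct SHA-256 outputs over a candidate set.
    A hash is deterministic, so the output space is exactly as large as the input
    space: hashing a guessable password yields an equally guessable string."""
    return len({hashlib.sha256(c.encode()).hexdigest() for c in candidates})


if __name__ == "__main__":
    print(f"printable ASCII: {bits_per_symbol(PRINTABLE_ASCII):.2f} bits/char, raw key byte: {bits_per_symbol(BYTE):.0f} bits/byte")
    print(f"10 lowercase chars: {uniform_entropy_bits(LOWERCASE, 10):.1f} bits")
    print(f"30 printable chars: {uniform_entropy_bits(PRINTABLE_ASCII, 30):.1f} bits")
    print(f"32-byte key: {random_key_bits(32):.0f} bits; printable chars needed to match: {length_to_match(PRINTABLE_ASCII, 256)}")
    print(f"4 words from a 7776-word list: {wordlist_entropy_bits(7776, 4):.1f} bits")
    tiny_dictionary = ["a", "password", "Passw0rd", "P@ssw0rd", "password"]  # constructed
    print(f"{len(set(tiny_dictionary))} candidate passwords -> {distinct_hashes(tiny_dictionary)} distinct hashes")
```

  The figures assume uniformly random choice, which is the best case; a human-chosen string over the same alphabet carries less, which is the gap bsdguy's "inner logic" remark points at.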
