понедельник, 25 июня 2012 г.

What do you know about perlsecret?

All perl lovers - please check perlsecret. It's fun and worth reading. I liked operator called Kite or ... sperm, which looks like  "~~<>". :)  

понедельник, 18 июня 2012 г.

Why Privacy Matters Even if You Have 'Nothing to Hide'

Maybe you heard such opinion about privacy before -  "I've got nothing to hide. Only if you're doing something wrong should you worry, and then you don't deserve to keep it private."
You can check this intresting article about this matter, why this logic is false.

воскресенье, 10 июня 2012 г.

Password cracking, again

I've been intrested in IT security, cryptoigraphy and password security long time ago, I even made
presentation about password security on PerlMova 2010 (sorry, slides in Russian only). So, I was curious, what's new things happened in this area - LinkedIn password hash leak, and Lastfm / Eharmony hash leak shortly after it. In both cases non-salted hashes was used (I'm sorry, but it's totall f*cked up) - LinkedIn uses sha1 and md5 was used in Lastfm! (no hashes was shown in second case, but 95% of all hashes was bruted for 1 year afterb leak).
So, after that mayhem one of famous FreeBSD hacker, Poul-Henning Kamp, ask all people to stop using his own md5crypt password hashing scheme, which was developed in 1995, because it's not secure anymore - modern GPU-based bruteforce programs able to crunch over 1 billion MD5 hashes per sec (it's about 1 million md5crypt/sec), and it's too much for short and/or weak passwords. You can see this impressive presentation by yourself - Speeding up GPU-based password cracking, but I'll show very intresting table from it -
So, eight characters alphanumeric passwords can't be securely hashed in MD5 - 2 days for total bruteforce on commodity hardware, it's disaster from security point of view.
What we can do? Of course, we need to use special thing for password hashing - bcrypt, scrypt or PBKDF2 - many of them already implemented on many programming languages now.
Also you can see very good presentation from PHDays 2012 conference by also famous security resercher Alexander Peslyak aka Solar Designer - wind up video up to 14:00:00 (sorry, but presentation on Russian only, but you can check slides).

понедельник, 4 июня 2012 г.