The Fappening - NSFW

Discussion in 'General Discussion' started by Nettdata, Aug 31, 2014.

Thread Status:
Not open for further replies.
  1. scootah
    There's a long conversation about how terrifying rainbow tables are and how almost nobody salts their hashes. Once you get your head around it - you'll shit bricks at how insecure the way everyone uses their passwords is. But the short version is that you know how you use the same password with minor changes for everything? Don't do it. It's bad. It's so fucking bad. It's pinning the security of everything you do online to the weakest security of any place you use that password. And since almost nobody follows best practice, and anything less than best practice is catastrophically bad? Just don't reuse passwords.
     
  2. AFHokie
    Can even a person with a photographic memory remember 180 passwords? Not to derail from celebrity titties, but isn't that the problem with passwords in general? Between multiple passwords needed for work, various bank sites and even places like this, it's nearly impossible for the average person to remember or not reuse any. It has to be something you can remember, but a program can't easily crack. At work they have to be at least XX long, can't be a discernible pattern etc, required to change every 90 days and it cannot be similar to or an old one reused.

    And to think as the cracking software improves, passwords could become obsolete. RFID chips? Biometrics? Those have a whole host of issues within themselves.
     
  3. toddamus
    My BIL has become a favorite punching bag of identity thieves. I highly suspect it's because he uses similar passwords for his social media and banking. Hell, he may even have used the same password for his Facebook as for his bank. It seems like every three months or so he's getting his banking account hacked or someone in Poland has assumed his identity.
     
  4. Aetius
    I'm finding it interesting how even the outrage is neatly falling along fame lines. Jennifer Lawrence, to this point, has had largely classy nude photos of herself leaked. Jessica Brown Findlay, in contrast, had a video leaked where her (presumably) boyfriend smacked her in the face with his dick, and then she begged to smell his butthole. Yet all of the focus is on Jennifer Lawrence and what a violation it is for her, and ain't no one giving a shit about Jessica.
     
  5. scootah
    Jennifer Lawrence's pictures were a fucking lot hotter. Also, while I only barely care about Catching Fire? It's still a lot better than Downton Abbey.
     
  6. Binary
    That's the point with password managers. Nobody can remember 180 distinct passwords. So you use a password manager to take care of it - that password manager becomes the weak point, but it's a hell of a lot easier to remember ONE super long, not-dictionary-word password and use two factor authentication there, than for everything. Plus it makes it super easy to rotate passwords - I click the website, click the change password link, LastPass generates a new, random, 14+ character password, and I click OK. Done.

    Passwords are great in limited use. They've come to really suck, though, when you've got a distinct account for a thousand different services just so that you can function in life. The future is likely something similar to YubiKeys or another cryptographic device. Google is working on a standard called U2F - Universal 2nd Factor. Basically, the idea is that you have a hardware device (your phone, a USB device, something) and every site supports the ability to use it to log in. So you need a password AND a device, which means passwords no longer have to be insanely complex and unique.

    It's still got a lot of holes - losing the device or getting it stolen is painful, and you need a backup plan for that. But hey - solve this problem and win a billion dollars.

    Biometrics are generally not good as a universal authentication factor because they can't be changed. It's fine for businesses because you can be changed. But as a person, you never want your authentication to be permanent and immutable.
     
  7. scootah
    The problem with all those things is that they're only as good as the read-in process - after that it's just a password - a series of data being passed over the network. A fingerprint or voice print or retina scan or RFID chip authentication system is just a longer password - while it alleviates some problems - it doesn't change the fundamental flaw of having the same authentication information for multiple important systems.
     
  8. Kubla Kahn
    Based on the lack of updates I'm guessing we've seen all we're going to see. If he had more, wouldn't it have been best to dump it all at once? Now if he uploads anything there is a much higher chance authorities would be watching, right?

    I really wanted to see Winona Ryder nekkid. Also, Rihanna has done nudes before, but her private photos probably put Bar Refaeli to shame.
     
  9. Binary
    A certificate based hardware authentication mechanism combined with a server-side password, though, is pretty good. Dismissing it as just a long password isn't exactly telling the story - the received data in a certificate signature cannot be effectively reversed to get the source (at least, not en masse), unlike a password (which has its entire hashed digital contents stored on the server). It requires someone to both break the password (stored on the server) AND forge the certificate (stored on the client). It's still not ideal for targeted attacks but it would do a lot to reduce the trolling for random passwords on weakly secured sites and then side-stepping into other user accounts using those credentials.

    It's not a panacea, but forcing an attacker to basically compromise a matched client/server sets the bar pretty high for your average user account.
     
  10. xrayvision
    I don't know, man. If that really was her, and at this point I have no reason to think otherwise, she set a standard that most average people don't even meet. Sure, people can see buttholes all the time in pictures. But she's pretty much pulling hers open. I doubt she even did that for Leo.

    Rihanna has had pictures leak before and they were relatively tame by comparison. Even Vanessa Hudgens had some stuff leak a few years ago. And she looked good. But nothing even remotely gynecological.
     
  11. scootah
    We're getting pretty far away from things that one could fap to here - but it's mostly my inherent cynicism about the Mickey Mouse-ness of the IT industry. I fundamentally don't expect anything to ever be done right - I mean people still store passwords in their databases in plain text when it's utterly piss easy to hash them. So few people salt their hash tables even though it's really fuck all effort. I just struggle to conceptualize a near-term future where well-implemented client-side certificate authentication is even a significant portion of digital authentication.
     
  12. Kubla Kahn
    Leave it to an Aryan Israeli to set the bar for stretching your asshole in selfies. My guess would be that she was just trying to do a run-of-the-mill ass cheek spreading but overshot it during the weird positioning angle while taking it. Of all the angles to take when photographing oneself with a camera phone, I'd assume this would be on the tougher end of the scale. I also would assume Leo could probably, and has probably, asked and received much more lurid shit than an errant finger over-stretching an asshole in a selfie.
     
  13. Nettdata
    Relevant xkcd:

    Scootah and Binary have already talked a bit about security issues, but the other main type of security breach is due to misconfiguration of public facing services.

    The internet was initially built around a "trust everything" headspace. That means that the guys building it didn't even think anyone would do anything bad with what they were doing... there was no security, no SSL, no HTTPS... only telnet and other simple protocols that are easily hacked or taken advantage of.

    This meant that when you installed software or operating systems, everything took a default stance of trusting everything that was around it, which, as it turned out, was very naive. As a result when you installed a mail server, for instance, it was insecure and open for all to use, because, well, why would you want to block it off from anyone to use? Spammers hadn't been thought of, because, that's just a wrong thing to do in such a trusting place.

    Welcome to the Internet, THE one place you can't trust. It's like the Internet grew up as a naive, fun-loving boy, only to find out that he was being sexually abused by his uncle and all of his drinking buddies.

    The point is, it's only been in the last little while that Internet developers have shifted their installation targets from simply "up and running" to "up and running securely" as the default. This is, usually, only a configuration issue... not a fault of the software itself. You can misconfigure a web server to be insecure quite easily.

    But part of the problem is that there are some really, really old servers and computers still running on the Internet, and they're not secured and available for use by people that run across them. The simplest example of this is an open relay mail server, which will allow anyone to use them to send email to anyone, and just like that you have spammers sending out hundreds of thousands of email.

    On top of that, Script Kiddies (idiots who find a script to hack a box and just arbitrarily run it without understanding how it works or what it's doing) will just run scripts that scour the internet looking for these old, insecure boxes, running tests that are known to hack those targets. If/when they find them, then they have someone else's machine to use as a porn server, or to launch other attacks from, create a botnet with, etc.

    So just the natural evolution of working software that is old and has a non-secure default setting, the discovery of software bugs over time, and the failure to keep that software current and up to date, means that there are a bunch of insecure servers out there.


    Combine this natural software development evolution with the fact that a large part of the Internet is run on free software, and it makes for a very complex problem.

    The web server we're using here is called Apache, which is almost the de facto web server used by the Internet. Likewise we're using PHPBB3 as the forum software, which is free, and used everywhere. On top of that, OpenSSL is the open-source, de-facto standard for secure internet connection, used by governments, banks, and just about everyone else that uses HTTPS.

    Well, sometimes bugs are discovered (as is the case of the Heartbleed issue from April of this year that you probably heard about) and that software is used EVERYWHERE. Therefore, if you're quick on the ball, hear about an exploit in a very common and widely used piece of software, you can take advantage of that huge number of sites/users that are using that software before a fix is made, never mind applied.

    That's just the nature of the internet, and why good/solid system administrators stay on top of software updates and get their shit patched up as quickly as possible... it removes their systems from that large pool of targets.

    And speaking of targets, it's not like a site is always specifically targeted... usually, in the case of a known exploit to a common software package, targets are found by systematically scanning ranges of IP addresses until something of "interest" is found. It's not hard to test an IP address and see if there's a web server running on it, and in most cases, the server itself will tell you the exact web server and version that is running on it. The script then compares that to its "I can fuck up these specific versions of these specific web servers" list, and if your server software is on that list, it'll run the attack, and bang, you're hacked. All done automatically by scripts that run constantly on the net at all times by hundreds of thousands of people and botnets.

    None of that takes into account targeted attacks by groups like governments, corporate spies, etc. The best hacks are the ones that nobody knows has even happened.

    Security is a moving target and is hard to do, and you can go from being as safe as you can be to fully vulnerable in the blink of an eye or a single internet post describing a newly found vulnerability.

    Weeeeeeeee.
     
  14. Nettdata
    For the most part, online security is a pipe dream.

    You generally follow the "layers of an onion" approach, whereby you set up multiple barriers that an intruder has to get around to get "the good stuff", and then set up monitoring and alerts that warn you when your defenses are being broken down.

    If you have a desirable enough payload, somebody somewhere with enough cash and motivation and time will get at it.

    If your enemy is going to try and shoot you, a bullet proof vest is probably good enough. If your enemy is going to nuke you, then you build yourself a bunker in a mountain.
     
  16. scootah
    I kind of hate that particular XKCD point - largely because of rainbow tables. Brute-forcing is largely defeated by lockout policies, and Tr0ub4d0r&3 is actually much harder to break using rainbow tables of unsalted hash values than correct horse battery staple. Using a rainbow table to essentially brute force a compromised credential store is somewhere between 1000 and 50,000 times faster than conventional brute forcing - and it's way easier to generate rainbow tables of dictionary words than of mixed alphanumerics like the troubador abomination. That said, replacing vowels in dictionary words with numbers in the standard l33t substitution code of a/4 e/3 i/1 0/o set doesn't really add any substantial complexity to the rainbow table generating library.

    I feel like we're nerding up a thread about fapping to hunger games.
     
  17. Nettdata
    How exactly is a rainbow table going to be of any help against a 24 character string with multiple words and spaces in it, when using properly salted hashes on the server side?

    The point is that the #1 attack vector in any password scheme is the end user, and the password they're using is the one that they're not writing down on a post-it note on their monitor because it's too hard to remember. Give them something that is longish and easily remembered, and you've got a solid password.
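    Added example (not from any poster in this thread) to pin down what the back-and-forth about salting means in code. The constructed store below has two users who reuse a password: with a bare SHA-256, they get the same digest, so one precomputed digest serves both, while a random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256 here, an assumed choice) gives each record its own digest and forces separate work. User names and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample credential store: three users, two of whom reuse
# the same password (the reuse the thread warns about).
USERS = {
    "alice": "correct horse battery staple",
    "bob": "Tr0ub4d0r&3",
    "carol": "Tr0ub4d0r&3",
}

ITERATIONS = 100_000  # PBKDF2 work factor; tune upward as hardware allows


def unsalted_hash(password: str) -> str:
    """A bare SHA-256 of the password: what 'not salting' looks like."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """Per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_unsalted(users: dict) -> dict:
    """Unsalted store: user -> hex digest."""
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def store_salted(users: dict) -> dict:
    """Salted store: user -> (salt, digest); each record gets its own
    random 16-byte salt, kept next to the digest so it can be recomputed."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, salted_hash(pw, salt))
    return store


def verify(record: tuple, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(salted_hash(candidate, salt), digest)


def distinct_digests(store: dict) -> int:
    """Number of different digests in the store. Unsalted: every user who
    shares a password shares a digest, so one precomputed table hit
    unlocks all of them at once. Salted: the count equals the user count,
    and a precomputed table built without the salt matches nothing."""
    digests = {rec[1] if isinstance(rec, tuple) else rec for rec in store.values()}
    return len(digests)
```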
     
  19. Rush-O-Matic
    It is relevant, though, and interesting even though I don't understand all of it.

    I just always assumed that it doesn't matter what password I use for anything - if somebody really wants what's on my computer, they'll get it.

    Back to Currer Bell's comment about a teachable moment for daughters. If you have a daughter, tell her to take a naked selfie when she is 16. If she ever decides to post other nudes, or send them to her boyfriend, she just needs to make sure she always stores them with that underage photo. If somebody steals them or passes them around, they're in trouble.
     
  20. Nettdata
    And I just did some investigation and learned something new:

    https://www.schneier.com/blog/archives/ ... ure_1.html

    http://arstechnica.com/security/2013/05 ... passwords/

    While the latest round of password crackers might include combined dictionary attacks, I'm still going to go with the end-user being the weakest link. Let them use a password that they are going to remember that isn't a dictionary word or one that follows simple l33t substitution.

    Bruce has an interesting approach:

    So yeah, the one thing you need to know about online security / security engineering is that it's always changing and you have to stay up on it. Constantly.

    And I've never learned anything from someone who agreed with me.
     