--- Log opened Fri Sep 04 00:00:53 2020
05:59 <@Dolemite> mr0ning, be0tches and h0ez!
06:29  * aestetix hugs Dolemite
07:22 -!- _neb_imgur[m] [nebimgurma@gateway/shell/matrix.org/x-wusfnzdghazyhrfl] has quit [Quit: killed]
07:30 -!- _neb_imgur[m] [nebimgurma@gateway/shell/matrix.org/x-ceqlcrrppcslprbh] has joined #se2600
10:28 <@Evilpig> Mirage: they all loaded pretty much the minute I climbed into bed last night
10:29 <@Evilpig> stupid automated internet
10:37 -!- dc0de [~dc0de@198.46.153.211] has joined #se2600
10:37 -!- mode/#se2600 [+o dc0de] by ChanServ
10:42 <@Dagmar> Just so y'all are aware... yeah I'm basically calling this guy out https://www.troyhunt.com/we-didnt-encrypt-your-password-we-hashed-it-heres-what-that-means/
10:42 < PigBot> Troy Hunt: We Didn't Encrypt Your Password, We Hashed It. Here's What That Means: (at www.troyhunt.com) http://tinyurl.com/y66axruy
10:42 <@Dagmar> This article is bullshit
10:43 <@Dagmar> He is just missing the fucking point about why passwords are changed after the ciphertext is compromised
10:43 <@Dagmar> ...and complaining about md5 being computable millions of times a second is fuckin' pointless.
10:44 <@Dagmar> Of course it can be computed that quickly. Twenty years ago we didn't have hashcat and a rack full of GPU accelerators
10:44 <@Dagmar> That whole article is a goddamn gish gallop
10:46 <@Dagmar> "Encrypting" the fucking passwords isn't going to make a goddamn bit of difference
10:47 <@Dagmar> Once a site is compromised, attackers have a list of _all the usernames_ (WAI R NO WUN ENCRYPTING TEHSE?)...
10:48 <@Dagmar> ...so that they can go look to see if those fuckers reused a password from some other, previously cracked site (WHICH THE GUY WHO RUNS 'HAVE I BEEN PWNED?' SHOULD FUCKING KNOW)...
10:48 <@Dagmar> ...and, most importantly, they can merrily actually try brute forcing passwords without having to await 2-4 seconds after each fucking attempt.
10:49 <@Dagmar> Users don't need to understand the difference between hashing and encryption
10:49 <@Dagmar> Users need to stop using the same password everywhere and stop picking shitty passwords.
10:50 <@Dagmar> Anyway, let's say someone actually encrypted their fucking password database
10:51 <@Dagmar> Is someone really going to compromise their servers and NOT steal the key used to encrypt the database?
10:51 <@Dagmar> IS anyone going to be mad enough to generate a different encryption key for every fucking user, or will this mean someone compromising the site and stealing the encryption key will then have ALL the fucking user passwords
11:01 -!- dc0de1 [~dc0de@198.46.153.211] has joined #se2600
11:01 -!- mode/#se2600 [+o dc0de1] by ChanServ
11:04 -!- dc0de [~dc0de@198.46.153.211] has quit [Ping timeout: 256 seconds]
11:10 <@dc0de1> Dagmar: I agree with all of that... but what's the solution?
11:10 -!- dc0de1 is now known as dc0de
11:11 <@Dagmar> To plan fuckin' appropriately
11:12 <@Dagmar> It's quite _reasonable_ to expect people to change their passwords after someone's stolen the entire store of secrets from a site
11:12 <@Dagmar> We're hashing and salting things so that users actually have some _time_ to change their passwords, rather than everything being open to the attackers right away
11:14 <@Dagmar> If it's really, really that important, it should be handled like a billing database
11:15 <@Dagmar> Shove all those secrets onto a machine that's separate from the rest, to which access is strictly limited to "absolutely fucking no one who isn't in the datacenter at the console" and only let it be accessed over an API
11:16 <@Dagmar> ...but this is a bunch of overkill which won't mitigate the problem of assholes who use 'mydogname!2' as their password everywhere
11:18 <@Dagmar> Requiring two-factor with a physical token goes a long damn way, but people who lose a hashed password database probably won't fare much better at protecting the secrets database used by their selected OTP or time-based password mechanism.
11:18 <@Dagmar> ...but at least the vendors for those often mandate that shit gets its own machine
11:48 <@Dagmar> Using hashed passwords with a decent salt pushes the difficulty of attacking that aspect well past the point where it's time to harden some other part of the system
11:48 <@Dagmar> Throwing a whole bunch of weak arguments out, one after the other, isn't going to change that
11:49 <@Dagmar> Ain't no magic bullet going to fix problems at that level
11:53 <@Dagmar> Don't get me wrong. I'm a fan of Troy's work, but I think being exposed to all this breach data has made him forget there's actually a _strategy_ involved in all this
11:56 <@Dagmar> @#$@#$# VPNs
12:16 -!- dc0de [~dc0de@198.46.153.211] has quit [Remote host closed the connection]
12:19 -!- dc0de [~dc0de@198.46.153.211] has joined #se2600
12:19 -!- mode/#se2600 [+o dc0de] by ChanServ
15:43 -!- dc0de [~dc0de@198.46.153.211] has quit [Remote host closed the connection]
20:49 <@Evilpig> hadn't thought about this magazine in years and a friend just brought it up. https://archive.org/details/boardwatchmagazine
20:49 < PigBot> Boardwatch Magazine : Free Texts : Free Download, Borrow and Streaming : Internet Archive (at archive.org) http://tinyurl.com/yymb628u
21:12 -!- northrup [~northrup@bragi.8bitwizard.net] has quit [Ping timeout: 240 seconds]
21:39 -!- northrup [~northrup@104-186-58-185.lightspeed.nsvltn.sbcglobal.net] has joined #se2600
21:39 -!- mode/#se2600 [+o northrup] by ChanServ
21:42 -!- northrup [~northrup@104-186-58-185.lightspeed.nsvltn.sbcglobal.net] has quit [Client Quit]
22:05 -!- northrup [~northrup@104-186-58-185.lightspeed.nsvltn.sbcglobal.net] has joined #se2600
22:05 -!- mode/#se2600 [+o northrup] by ChanServ
22:47 -!- northrup [~northrup@104-186-58-185.lightspeed.nsvltn.sbcglobal.net] has quit [Read error: Connection reset by peer]
22:47 -!- northrup [~northrup@104-186-58-185.lightspeed.nsvltn.sbcglobal.net] has joined #se2600
22:47 -!- mode/#se2600 [+o northrup] by ChanServ
22:50 -!- lastchild [~lastchild@c-67-187-104-215.hsd1.tn.comcast.net] has quit [Ping timeout: 260 seconds]
23:11 -!- northrup3 [~northrup@bragi.8bitwizard.net] has joined #se2600
23:11 -!- mode/#se2600 [+o northrup3] by ChanServ
23:15 -!- northrup [~northrup@104-186-58-185.lightspeed.nsvltn.sbcglobal.net] has quit [Ping timeout: 240 seconds]
23:15 -!- northrup3 is now known as northrup
--- Log closed Sat Sep 05 00:00:55 2020