The Glade 4.0

"Turn the lights down, the party just got wilder."
It is currently Sun Nov 24, 2024 1:51 pm

All times are UTC - 6 hours [ DST ]




Post new topic Reply to topic  [ 68 posts ]  Go to page Previous  1, 2, 3  Next
Author Message
 Post subject:
PostPosted: Mon Aug 09, 2010 10:17 am 
Offline
Near Ground
User avatar

Joined: Wed Sep 02, 2009 10:38 pm
Posts: 6782
Location: Chattanooga, TN
I paid the six bucks and got one. It just hangs around on my keychain. No big.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Aug 09, 2010 11:13 am 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Yeah that'd go great. "Honey, what's that on your keychain?"

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


Top
 Profile  
Reply with quote  
 Post subject: Re:
PostPosted: Mon Aug 09, 2010 2:47 pm 
Offline
User avatar

Joined: Sat Sep 05, 2009 2:40 am
Posts: 3188
Uinan wrote:
Stealing Blizzard accounts is sadly a multi million dollar industry.

Snagging an Authenticator seems to be worth it. I recently got one for my Itouch.



Seriously. It's an extremely high reward for practically no risk.

And while it may seem silly to do all of this over a video game, it is essentially data that represents several years-worth of investment for most people.

_________________
Les Zombis et les Loups-Garous!


Top
 Profile  
Reply with quote  
PostPosted: Mon Aug 09, 2010 7:09 pm 
Offline
User avatar

Joined: Wed Sep 02, 2009 7:59 pm
Posts: 9412
Diamondeye wrote:
Couldn't they add some other method of authentication, like answering having you put in answers to 20 questions, and then having you answer a random one when you log in?

Redundant. Basic security: something you know, something you have, something you are.
You've already got a password, that's your Something You Know. A secret question or whatever would only be an additional Something You Know, and would be vulnerable to the same vectors of attack that your password is. Keylogger catches both, for instance, and is a common means of stealing Blizzard account information.

_________________
"Aaaah! Emotions are weird!" - Amdee
"... Mirrorshades prevent the forces of normalcy from realizing that one is crazed and possibly dangerous. They are the symbol of the sun-staring visionary, the biker, the rocker, the policeman, and similar outlaws." - Bruce Sterling, preface to Mirrorshades


Top
 Profile  
Reply with quote  
PostPosted: Mon Aug 09, 2010 9:47 pm 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Kaffis Mark V wrote:
Diamondeye wrote:
Couldn't they add some other method of authentication, like answering having you put in answers to 20 questions, and then having you answer a random one when you log in?

Redundant. Basic security: something you know, something you have, something you are.
You've already got a password, that's your Something You Know. A secret question or whatever would only be an additional Something You Know, and would be vulnerable to the same vectors of attack that your password is. Keylogger catches both, for instance, and is a common means of stealing Blizzard account information.


I'm not all that concerned; I have an exceedingly strong password. Keyloggers are a worry though, but you beat those by putting the choices on a pulldown menu; your right answer and 4 or 5 random answers that pertain to the question.

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


Top
 Profile  
Reply with quote  
PostPosted: Mon Aug 09, 2010 9:57 pm 
Offline
God of the IRC
User avatar

Joined: Wed Sep 02, 2009 7:35 pm
Posts: 3041
Location: The United States of DESU
You can defeat pulldown menus by taking screenshots when the choice is selected. You can also defeat a virtual keyboard this way. The advantage of an RSA token is that without the token's seed, having one sequence of numbers does not allow you to guess the next set of numbers. Also, each token is only accepted once. Once the server validates a token, it is no longer valid, even if the window has not yet expired for that token.

RSA tokens aren't perfect, though. It's still possible to defeat them if your system is compromised. But it would require working within the 30-45 second window where any particular token is valid.

_________________
Image


Top
 Profile  
Reply with quote  
PostPosted: Mon Aug 09, 2010 10:16 pm 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Mookhow wrote:
You can defeat pulldown menus by taking screenshots when the choice is selected. You can also defeat a virtual keyboard this way. The advantage of an RSA token is that without the token's seed, having one sequence of numbers does not allow you to guess the next set of numbers. Also, each token is only accepted once. Once the server validates a token, it is no longer valid, even if the window has not yet expired for that token.

RSA tokens aren't perfect, though. It's still possible to defeat them if your system is compromised. But it would require working within the 30-45 second window where any particular token is valid.


What if you randomized the locations of the keys on the virtual keyboard at each use?

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


Top
 Profile  
Reply with quote  
PostPosted: Mon Aug 09, 2010 10:43 pm 
Offline
God of the IRC
User avatar

Joined: Wed Sep 02, 2009 7:35 pm
Posts: 3041
Location: The United States of DESU
If you can see the keys on the virtual keyboard, then the keylogger can capture that visual data. The keylogger can capture everything on the screen including your cursor position. Not to mention that even if you randomize the onscreen keyboard, eventually you have to enter your password, which can be sniffed from memory as you're typing it in.

edit: http://en.wikipedia.org/wiki/Keystroke_logging, http://en.wikipedia.org/wiki/SecurID#Th ... rabilities

_________________
Image


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Aug 09, 2010 10:57 pm 
Offline
User avatar

Joined: Wed Sep 02, 2009 7:59 pm
Posts: 9412
Not to mention, randomizing key locations on a virtual keyboard is getting into "**** annoying" territory from a useability standpoint, so it seems like you're working backwards there, DE, since your initial objection to a dongle was convenience.

_________________
"Aaaah! Emotions are weird!" - Amdee
"... Mirrorshades prevent the forces of normalcy from realizing that one is crazed and possibly dangerous. They are the symbol of the sun-staring visionary, the biker, the rocker, the policeman, and similar outlaws." - Bruce Sterling, preface to Mirrorshades


Top
 Profile  
Reply with quote  
 Post subject: Re:
PostPosted: Tue Aug 10, 2010 8:02 am 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Kaffis Mark V wrote:
Not to mention, randomizing key locations on a virtual keyboard is getting into "**** annoying" territory from a useability standpoint, so it seems like you're working backwards there, DE, since your initial objection to a dongle was convenience.


I don't think virtual keyboards with random key locations would be annoying. I'm also a little unclear on how a keylogger capturing cursor location would matter if you randomized what was at that location, but I guess it doesn't matter if it can pull the keystrokes from memory.

I think the little dongle thing, or needing to have some fancy phone application, is more annoying, since the dongle can get lost or damaged, and the phone.. well, means you have to have the phone, but then again, I have objections to BlackBerrys, IPhones, DROIDs, and all that jazz that really don't pertain to most people.

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Tue Aug 10, 2010 11:30 am 
Offline
Web Ninja
User avatar

Joined: Wed Sep 02, 2009 8:32 pm
Posts: 8248
Location: The Tunt Mansion
Guess at the end of the day, it's just not for you, DE. For the rest of us, it's an easy, nearly unbreakable way to secure our accounts.


Top
 Profile  
Reply with quote  
 Post subject: Re:
PostPosted: Tue Aug 10, 2010 11:41 am 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Lenas wrote:
Guess at the end of the day, it's just not for you, DE. For the rest of us, it's an easy, nearly unbreakable way to secure our accounts.


If it works for you guys, that's awesome. I'd just like to see another method that doesn't cost extra and isn't easily lost.

I might be more inclined to it if fancy phones weren't such a problem. One of the main reasons my wife and I share a phone is that it has no camera. Do you know how hard it is to get a phone with no camera?

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


Top
 Profile  
Reply with quote  
 Post subject: Re: Re:
PostPosted: Tue Aug 10, 2010 11:48 am 
Offline
I got nothin.
User avatar

Joined: Thu Sep 03, 2009 7:15 pm
Posts: 11160
Location: Arafys, AKA El Müso Guapo!
Diamondeye wrote:
Lenas wrote:
Guess at the end of the day, it's just not for you, DE. For the rest of us, it's an easy, nearly unbreakable way to secure our accounts.


If it works for you guys, that's awesome. I'd just like to see another method that doesn't cost extra and isn't easily lost.


The token's not easily lost. I have it attached to my keys, and I always know where they are :)

_________________
Image
Holy shitsnacks!


Top
 Profile  
Reply with quote  
 Post subject: Re: Re:
PostPosted: Tue Aug 10, 2010 4:36 pm 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Müs wrote:
Diamondeye wrote:
Lenas wrote:
Guess at the end of the day, it's just not for you, DE. For the rest of us, it's an easy, nearly unbreakable way to secure our accounts.


If it works for you guys, that's awesome. I'd just like to see another method that doesn't cost extra and isn't easily lost.


The token's not easily lost. I have it attached to my keys, and I always know where they are :)


You're not married.

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Tue Aug 10, 2010 5:27 pm 
Offline
I got nothin.
User avatar

Joined: Thu Sep 03, 2009 7:15 pm
Posts: 11160
Location: Arafys, AKA El Müso Guapo!
What does being married have to do with knowing where my keys are?

_________________
Image
Holy shitsnacks!


Top
 Profile  
Reply with quote  
 Post subject: Re:
PostPosted: Tue Aug 10, 2010 5:29 pm 
Offline
User avatar

Joined: Fri Feb 05, 2010 11:59 am
Posts: 3879
Location: 63368
Müs wrote:
What does being married have to do with knowing where my keys are?

You don't have kids living with you.

_________________
In time, this too shall pass.


Top
 Profile  
Reply with quote  
 Post subject: Re: Re:
PostPosted: Tue Aug 10, 2010 9:22 pm 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Taskiss wrote:
Müs wrote:
What does being married have to do with knowing where my keys are?

You don't have kids living with you.


That and he doesn't have a wife asking what that little new gadget on the keychain does, and then asking why you spent ten dollars on it.

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


Top
 Profile  
Reply with quote  
 Post subject: Re: Re:
PostPosted: Tue Aug 10, 2010 9:57 pm 
Offline
I got nothin.
User avatar

Joined: Thu Sep 03, 2009 7:15 pm
Posts: 11160
Location: Arafys, AKA El Müso Guapo!
Diamondeye wrote:
Taskiss wrote:
Müs wrote:
What does being married have to do with knowing where my keys are?

You don't have kids living with you.


That and he doesn't have a wife asking what that little new gadget on the keychain does, and then asking why you spent ten dollars on it.


0.o

Ouch.

_________________
Image
Holy shitsnacks!


Top
 Profile  
Reply with quote  
PostPosted: Tue Aug 10, 2010 10:00 pm 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Oh yeah, almost forgot. My kid has an account too, and that damn authenticator would be lost in under a week. She can't even keep track of a housekey.

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


Top
 Profile  
Reply with quote  
PostPosted: Wed Aug 11, 2010 12:21 am 
Offline
Grrr... Eat your oatmeal!!
User avatar

Joined: Wed Sep 02, 2009 11:07 pm
Posts: 5073
Diamondeye wrote:
Oh yeah, almost forgot. My kid has an account too, and that damn authenticator would be lost in under a week. She can't even keep track of a housekey.


My daughter loses housekeys like they grew on a tree. But she has not once lost her authenticator

_________________
Darksiege
Traveller, Calé, Whisperer
Lead me not into temptation; for I know a shortcut


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 11, 2010 12:52 pm 
Offline
Lean, Mean, Googling Machine
User avatar

Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
Diamondeye:

Two factor authentication.

In brief, there are 3 basic categories of authentication:

  • Something you know (passwords, "secret" questions, etc.)
  • Something you have (ex. RSA authenticator frob or a smart card)
  • Something you are (i.e. biometrics - fingerprints, retinal scans, etc.)

In a nutshell, two-factor authentication uses two of these areas instead of just one. In principle, this is vastly more secure than almost any single-factor system. Three-factor authentication would be even more secure, but this is rarely done outside of very high security applications. One reason for this is that, practically speaking, the only reasonably affordable biometric authentication available to consumers is fingerprint scanners. Unfortunately, fingerprint scanners are relatively easy to fool. But beyond that, a lot of people just don't like biometrics from a security point of view. If compromised, it's easy enough to change your password or have your authenticator/keycard replaced. Replacing your fingerprints or your retinas, on the other hand...

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 11, 2010 3:37 pm 
Offline
User avatar

Joined: Thu Sep 03, 2009 3:08 am
Posts: 6465
Location: The Lab
Hmm... Scary stuff here...
http://www.dailymail.co.uk/sciencetech/ ... ounts.html

Thinking about this, I give Blizzard a lot of credit for putting 2 factor auth in as an option.

Makes me wonder why banks don't do this?

I think I'll be sending them an email today...


Top
 Profile  
Reply with quote  
 Post subject: Re:
PostPosted: Wed Aug 11, 2010 3:44 pm 
Offline
Commence Primary Ignition
User avatar

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Stathol wrote:
Diamondeye:

Two factor authentication.

In brief, there are 3 basic categories of authentication:

  • Something you know (passwords, "secret" questions, etc.)
  • Something you have (ex. RSA authenticator frob or a smart card)
  • Something you are (i.e. biometrics - fingerprints, retinal scans, etc.)

In a nutshell, two-factor authentication uses two of these areas instead of just one. In principle, this is vastly more secure than almost any single-factor system. Three-factor authentication would be even more secure, but this is rarely done outside of very high security applications. One reason for this is that, practically speaking, the only reasonably affordable biometric authentication available to consumers is fingerprint scanners. Unfortunately, fingerprint scanners are relatively easy to fool. But beyond that, a lot of people just don't like biometrics from a security point of view. If compromised, it's easy enough to change your password or have your authenticator/keycard replaced. Replacing your fingerprints or your retinas, on the other hand...


Yeah I understand all that. However, doing any one of those factors more than once in a different way is still more secure than one factor one time. That's all I was pointing out.

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 11, 2010 4:00 pm 
Offline
User avatar

Joined: Wed Sep 02, 2009 7:59 pm
Posts: 9412
Not reliably so. If one password is compromised, any other "known" factor should be assumed to be compromised, or compromiseable, too. How does a "known" security measure get compromised? Coercion, interception, or social engineering. I've forced, spied, or tricked you into revealing your password to me. And you think I didn't get the second password/secret question/whatever out of you, too?

_________________
"Aaaah! Emotions are weird!" - Amdee
"... Mirrorshades prevent the forces of normalcy from realizing that one is crazed and possibly dangerous. They are the symbol of the sun-staring visionary, the biker, the rocker, the policeman, and similar outlaws." - Bruce Sterling, preface to Mirrorshades


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Wed Aug 11, 2010 4:25 pm 
Offline
I got nothin.
User avatar

Joined: Thu Sep 03, 2009 7:15 pm
Posts: 11160
Location: Arafys, AKA El Müso Guapo!
I secure my wow account with a one-time pad cipher.

_________________
Image
Holy shitsnacks!


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 68 posts ]  Go to page Previous  1, 2, 3  Next

All times are UTC - 6 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 219 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group