FYI: Steam accounts were hacked (around 10th November)



paul_nicholls
17-11-2011, 10:28 PM
Hey all,
Just in case you guys/gals have purchased anything on Steam, and you didn't know - apparently Steam was hacked and private user info (credit card numbers, passwords, etc.) was stolen!:

http://www.gamasutra.com/view/news/38517/Steam_Accounts_Hacked_Credit_Card_Info_Obtained.php

cheers,
Paul

User137
18-11-2011, 01:43 AM
As far as I know, credit card details are only saved client side. Also, all data should be RSA-256+salt encrypted, which should take a millennium to break :) But it's still good to know when these things happen, just in case.

paul_nicholls
18-11-2011, 01:51 AM
From the article if you couldn't read it:

a database containing private user information has been stolen.

That information includes user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information, according to an email sent by Valve managing director Gabe Newell to Gamasutra.

According to Newell, the company does not currently have any evidence of credit card misuse at press time, though warns that Steam users should nonetheless closely monitor their credit card activity.

SilverWarior
18-11-2011, 09:27 AM
Also, all data should be RSA-256+salt encrypted, which should take a millennium to break :) But it's still good to know when these things happen, just in case.

I don't think that data encryption would help in preserving users' information nowadays.
While 5 years ago having an 8 character long alphanumeric password (a combination of ASCII letters and numbers) was considered safe (it would take more than a year to break it by brute force attack), nowadays this same password can be cracked in just a few days on a single computer (using the combined power of a multicore CPU and GPU). Not to mention how quickly this password can be broken using the power of cloud computing (probably just a few hours).
Also, knowing which encryption algorithm has been used to encrypt the data in the first place makes decrypting it a lot easier.

LP
18-11-2011, 09:29 PM
Also all data should be RSA-256+salt crypted which should take a millenium to break :)
This is assuming that all data was encrypted, hashed and so on. You would be surprised how many modern web sites and services still do not encrypt their data and sometimes even forget to hash passwords! In addition, as SilverWarior said, solving a hashed/salted/encrypted password and/or credit card number with distributed computing is not a problem these days. Sometimes, when using additional information about the user (e.g. name, credit card bank & country), this information can be decrypted in minutes.

I'd say they've screwed up big time and it's yet another example why you should not let web sites remember your credit card information.

User137
19-11-2011, 06:07 AM
256-bit encryption is still secure nowadays. In computer theory it's quantum computers that some decades later may revolutionize decryption, but modern supercomputers can't do it.

If interested you can try something like:
http://www.golubev.com/hashgpu.htm
It even uses GPU power to greatly utilize all the power the computer has for MD5 hash cracking. If you assume that the word is only 1..8 characters long (256-bit would mean 32 characters) and only contains small letters from a..z, it will take many hours. Now add numbers and capital letters to the mix and it'll take forever...

SilverWarior
19-11-2011, 07:53 AM
256-bit encryption is still secure nowadays. In computer theory it's quantum computers that some decades later may revolutionize decryption, but modern supercomputers can't do it.

If interested you can try something like:
http://www.golubev.com/hashgpu.htm
It even uses GPU power to greatly utilize all the power the computer has for MD5 hash cracking. If you assume that the word is only 1..8 characters long (256-bit would mean 32 characters) and only contains small letters from a..z, it will take many hours. Now add numbers and capital letters to the mix and it'll take forever...

I agree that breaking 256-bit encryption on a single computer would be useless because it would take too much time. But what if you do this with thousands of computers, each trying out just a portion of the possibilities? Then the time greatly decreases. And what is cloud computing but just dividing some work between a few thousand computers?

Why do you think that larger hacker groups are creating their own so-called botnets? Because this can provide them with great computational power. And with a large enough botnet you could achieve computational power even comparable to some supercomputers.

Also, rapid advancements in computer technology are making data encryption less and less secure every day. Are you aware that most mobile phones nowadays have more computational power than 15-year-old computers had? For instance my Nokia 5320 has a 369 MHz ARM processor and it isn't considered a smartphone. Most smartphones have a 1 GHz ARM processor in them already, and some even have multicore processors. And these can easily keep up with 10-year-old computers, if not even newer ones.

LP
19-11-2011, 04:13 PM
256-bit encryption is still secure nowadays. In computer theory it's quantum computers that some decades later may revolutionize decryption, but modern supercomputers can't do it.
Yes, but you need to consider what type of data is being encrypted. For large text documents of unpredictable data - sure, it's pretty secure. Now consider a credit card number, which uses only 16 digits (which itself fits in a single 128-bit block), some of which can be easily guessed using regional information from the user. You don't even need a supercomputer to crack this. Yes, there are ways to make it more secure by adding random data and such, but as I said before, I doubt they even use encryption in the first place, let alone other advanced techniques.


It even uses GPU power to greatly utilize all the power the computer has for MD5 hash cracking. If you assume that the word is only 1..8 characters long (256-bit would mean 32 characters) and only contains small letters from a..z, it will take many hours. Now add numbers and capital letters to the mix and it'll take forever...
On your integrated Nvidia card... sure, it may take some time. :) But have you tried running it on a more serious personal computer (http://www.originpc.com/genesis-gaming-desktop-features.asp) or a nice entertainment system (http://www.originpc.com/thebigo-features.asp)?

User137
20-11-2011, 01:15 PM
On your integrated Nvidia card... sure, it may take some time. :) But have you tried running it on a more serious personal computer (http://www.originpc.com/genesis-gaming-desktop-features.asp) or a nice entertainment system (http://www.originpc.com/thebigo-features.asp)?
How did you go and guess that? :) I can actually play Crysis and Skyrim on high settings smoothly. It's a computer built from custom parts, but more than a year ago.

I dare you to try that... There was a small programming challenge about it some months back, about MD5. If you use Google Chrome it will probably translate it properly:
http://www.ohjelmointiputka.net/posti.php?tunnus=md5h

In short, there is a list of hashes in a file (http://www.ohjelmointiputka.net/postit/md5h/md5h.txt) where the first line's hash is of a 1 character word, the second of a 2 character word... and finally a 20 character long word hashed. These all consist only of small a..z. Many good people have tried it, and the best break is only an 11 character long hash. I was able to do 9, by limiting search ranges and guessing. That is why I say, if it had capital letters and numbers I'd not have even broken 8.
The words are random; a 5 character word could well be like "asgwz".

Oh.. and MD5 is designed to be a fast hash, to make it suitable for file verification. RSA256 is designed for encryption, and is much slower to calculate for a single word.

LP
20-11-2011, 02:45 PM
How did you go and guess that? :) I can actually play Crysis and Skyrim on high settings smoothly. It's a computer built from custom parts, but more than a year ago.
I have added the smile after my question to identify it as rhetorical. My point was that the hardware in question may affect computational time greatly (by a factor of ten and more). And seriously, your machine is close to the ones I've mentioned? Did you check their specs? Quad Nvidia GTX 480, 1920 CUDA cores in total, dual Intel Xeon clocked at 4.3 GHz with 12 physical cores total and 24 logical cores total... My rig can also run Crysis smoothly at highest settings, but it's nowhere near the above specs.

User137
20-11-2011, 04:00 PM
I did see the links, but they are not the supercomputers that I mentioned; they are like this:
http://upload.wikimedia.org/wikipedia/commons/thumb/d/d3/IBM_Blue_Gene_P_supercomputer.jpg/800px-IBM_Blue_Gene_P_supercomputer.jpg
256-bit encrypted text, which any password can be made into, is unbreakable for them. I haven't found very good references yet, but these are some:
http://en.wikipedia.org/wiki/Key_size#Brute_force_attack
or this: http://www.innovativedevice.com/keyoscrypt/morelink/Exemple2.asp
or how the maker of a password recovery tool explains that a length of 8 small a..z characters would take 3 years on his home computer:
http://www.dekart.com/howto/howto_disk_encryption/howto_recover_lost_password/

paul_nicholls
20-11-2011, 07:37 PM
I did see the links, but they are not the supercomputers that I mentioned; they are like this:
http://upload.wikimedia.org/wikipedia/commons/thumb/d/d3/IBM_Blue_Gene_P_supercomputer.jpg/800px-IBM_Blue_Gene_P_supercomputer.jpg

Ma! Ma!... can I have one of those for Christmas, Ma?... please??!? :D

SilverWarior
20-11-2011, 11:22 PM
@User137
Your last link points to an article which explains the approximate times which would be needed for password breaking. But have you checked on what kind of a computer (P4 1.6 GHz with 512 MB of RAM)? Man, that's an almost ten years old computer now. If you check http://www.cpubenchmark.net/cpu_list.php, which provides some benchmarking results, you could see that the Intel Pentium 4 1.4GHz processor got a Passmark CPU Mark score of 166, while my AMD Turion X2 Dual Core Mobile RM-70, which I have in my laptop, got a Passmark CPU Mark score of 1019. That means that my processor has about 6 times more computational power than the Intel Pentium 4 1.4GHz, which would result in using 6 times less time for data decryption. And my processor isn't anywhere near as powerful as some other processors are today. According to the benchmarks on the aforementioned page the processor with the most processing power is the Intel Core i7-3930K @ 3.20GHz, which has a Passmark CPU Mark score of 15153. That is approx. 91 times more than the Intel Pentium 4 1.4GHz. This means that it would decrypt the data about 90 times faster. So don't believe the times in that old article of yours.
And until now I was only talking about decryption with the plain power of the CPU, while also utilizing GPU power makes decryption much faster, up to 7 times faster on recent graphics cards, and that is on the assumption that you use only one graphics card. But if your system has more than one graphics card the gain would be even greater.

Now imagine that you use 1000 computers equipped with the Intel Core i7-3930K @ 3.20GHz processor, each also utilizing the power of the graphics card, and do some calculation of what the required time for breaking 256-bit data encryption would be.

User137
21-11-2011, 12:23 PM
Yes, I did see that it is an old article... I also noticed that it paid no attention to the encryption algorithm, only that it will attempt a password brute force with all possibilities. It depends on the encryption, software built-in delays for password attempts and so forth.

1.6 GHz is not actually too old a computer. Even if a modern gaming PC is 100 times faster, it's still not reaching the speeds required. Multiply the mega multimedia PC by 1000 and we are still only at 100000 readings. The calculation time for this kind of encryption at 256 characters is a number with thousands of zeroes. He didn't even display it; you can only talk about it on a theory level, as the numbers are too large to put on a calculator.

I mean, the number 3.3 years (or 1204 days) was a little irrelevant to the topic because passwords aren't normally just small letters. 4032 years he counts for a..Z,0..9, which is 1471680 days. Given 100000 times more processing power, a multimedia computer network would crack that in 2 weeks. Now add to that a complex encryption algorithm that multiplies the calculation time for a single word by 1000. That's probably what AES-256 or something would do.

Then add salt to the password to make it 256 characters long and the calculation time goes off the charts.
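The scaling argued over in this thread (keyspace size per charset and length, "1000 machines", a hash that is 1000x slower, and what a per-user salt does to an attacker holding a whole leaked table) can be made concrete with a small cost estimator. This is an added example, not code from any poster or from Valve; the guess rate, machine count and user count are constructed assumptions, and the functions generalize the thread's single 8-character case to any charset and length range.

```python
"""Brute-force cost estimator for the password-cracking figures debated in this thread.

Added example; every rate and machine count below is a constructed assumption.
"""
from string import ascii_letters, ascii_lowercase, digits

LOWER = ascii_lowercase           # 26 symbols: a..z
ALNUM = ascii_letters + digits    # 62 symbols: a..Z, 0..9
SECONDS_PER_DAY = 86_400


def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of candidate passwords of every length from min_len to max_len inclusive."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def days_to_exhaust(candidates: int, guesses_per_second: float,
                    machines: int = 1, work_factor: int = 1) -> float:
    """Days needed to try every candidate (the worst case; on average half of this).

    guesses_per_second: one machine's throughput against a fast hash (MD5-class).
    machines:           parallel hosts (cloud nodes, a botnet), assumed to scale linearly.
    work_factor:        how many times slower the password hash is than the fast baseline;
                        a deliberately slow hash raises the attacker's cost by this factor.
    """
    per_second = guesses_per_second * machines / work_factor
    return candidates / per_second / SECONDS_PER_DAY


def days_for_leaked_hashes(candidates: int, users: int, salted: bool,
                           guesses_per_second: float, machines: int = 1,
                           work_factor: int = 1) -> float:
    """Days to exhaust the keyspace against a leaked table of `users` password hashes.

    Unsalted: each candidate hash is looked up against every stored hash at once, so a
    single pass over the keyspace attacks the whole database.
    Salted (unique salt per user): every user's hash needs its own full pass, so the
    attacker's work grows linearly with the number of users.
    """
    passes = users if salted else 1
    return days_to_exhaust(candidates * passes, guesses_per_second, machines, work_factor)


if __name__ == "__main__":
    RATE = 10_000_000  # constructed baseline: one machine, 10 million fast-hash guesses/s
    n_lower = keyspace(len(LOWER), 8, 8)   # 26^8
    n_alnum = keyspace(len(ALNUM), 8, 8)   # 62^8
    print(f"a..z x8      : {n_lower:,} candidates, "
          f"{days_to_exhaust(n_lower, RATE):.2f} days on one machine")
    print(f"a..Z0..9 x8  : {n_alnum:,} candidates, "
          f"{days_to_exhaust(n_alnum, RATE):.1f} days on one machine")
    print(f"  1000 machines                  : "
          f"{days_to_exhaust(n_alnum, RATE, machines=1000):.2f} days")
    print(f"  1000 machines, 1000x slower hash: "
          f"{days_to_exhaust(n_alnum, RATE, machines=1000, work_factor=1000):.1f} days")
    # Why a per-user salt matters: a constructed leak of 1,000,000 password hashes.
    for salted in (False, True):
        d = days_for_leaked_hashes(n_alnum, 1_000_000, salted, RATE, machines=1000)
        print(f"  1M leaked hashes, salted={salted}: {d:,.0f} days")
```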

LP
21-11-2011, 03:40 PM
I mean, the number 3.3 years (or 1204 days) was a little irrelevant to the topic because passwords aren't normally just small letters. 4032 years he counts for a..Z,0..9, which is 1471680 days. Given 100000 times more processing power, a multimedia computer network would crack that in 2 weeks. Now add to that a complex encryption algorithm that multiplies the calculation time for a single word by 1000. That's probably what AES-256 or something would do.
You are continuously basing your arguments on the Nirvana fallacy (http://en.wikipedia.org/wiki/Nirvana_fallacy) by assuming an unrealistic base case scenario, and supporting your arguments with the False dilemma (http://en.wikipedia.org/wiki/False_dilemma) fallacy by assuming that the solutions you have mentioned are the only ones to exist (or assuming a lack of better alternatives thereof).

Yes, some people like yourself, me and others on this forum might use different letters and symbols, but inexperienced people, who are the majority, keep using passwords with the name of their pets, ex-girlfriends, movie characters and even their own names. You also keep insisting that the password is perfectly unique, has perfect entropy, has been salted properly, has been hashed properly and that no information about the user is used to guess the password faster. You also assume that hackers will be using some non-professional freeware program made by some random guy on a random machine that was meant to run some games and word applications to crack the perfectly ciphered password.

If you wish to tie yourself to unrealistic theoretical best-case scenarios to achieve a false sense of security, it is okay, but I believe that in this particular case of hacked Steam accounts doing so would be a mistake.

paul_nicholls
21-11-2011, 07:41 PM
LOL! Wow! I certainly started a big 'discussion'! :D

LP
22-11-2011, 01:32 AM
LOL! Wow! I certainly started a big 'discussion'! :D
Steam is actually a popular topic and security concerns everybody, so something interesting can come out of these discussions.

In my own case I'm lucky not to use Steam, but what would happen if GMail/Hotmail/Yahoo accounts got stolen to the same degree?

User137
22-11-2011, 02:46 AM
Nobody has really given any counter argument to the math I have provided. I gave different probability scenarios that should give some kind of hints. It's true that:
- If you prove that brute forcing through all password combinations takes 1000000 years, how likely is it that someone can optimize the algorithm by 99.9999% so that the calculation is done in reasonable time?
- You don't have to brute force the full range of random words, just up till the first match. You may be lucky sooner or later.
- If no salt is involved, you can use many optimizations like premade lists that guess by ignoring unlikely words like aaa*, bbg* and so forth. There can be a lot more optimizations I don't know about.
- If hackers get to know the salt algorithm they wouldn't need to go through all 128-256 lengths, but the usual 8-10 char lengths of unsalted passwords.

This wasn't Steam talk now. There is nothing to discuss about it as long as we have no details on how their systems work. In general, if hackers get access to passwords it's the fault of other things: low security systems. Most hacked sites that get news popularity probably had their passwords stored as plaintext. A properly encrypted system is truly unbreakable; there are just too many web hosters that make errors in one thing or another. It is tough to protect against all possible attacks, but that is a different topic.

It is that you make encryption sound as breakable as a cookie that makes me defend it so heavily. To give another simple example, if I keep a 256 bit XOR key for a text to myself, how would you be able to crack the text? Nobody could, not in a million years.

LP
22-11-2011, 04:04 AM
<edit>
After some thinking I've got your point that you are only defending the encryption method itself. There are also some flaws in the reasoning you provide with which I do not agree, but maybe this is for another discussion.

To sum up, my point is that although in a perfect scenario it is infeasible to break 256-bit encryption on a purely theoretical level, the specific case of stolen Steam account information has a high chance (e.g. bigger than 50%) of being revealed to a third party, even though it *might* have used 256-bit encryption to secure its data.

SilverWarior
22-11-2011, 08:18 PM
All I wanted is to point out that having encrypted data does not guarantee its security. Nowadays computers, and especially computer clouds, offer huge computational power, which makes data encryption which was considered perfectly safe a few years ago not so safe anymore. If we are honest, no data encryption is perfectly safe.

But now I'll point out another thing that might result in an even bigger discussion.

What if hackers don't have to do any data decryption after all?
Various articles about the Steam hack only say that data from the user accounts database was stolen, but no article which I read says how that was done. If hackers managed to copy database data by copying the database file(s) then they will definitely need to decrypt the data before using it. But what if they managed to copy database data by interfacing with the database itself, fooling it that they are some Steam web application? This way they might have managed to retrieve already decrypted data, as usually data encryption is done by the database engine itself.

If we take into account that the Steam system isn't run just on one server, it means that the database itself had to be globally available. This means that the hacker had the ability to impersonate one of those servers and access the database this way. Of course they needed to have proper database login credentials to gain access to the database data, but since it isn't very likely that database credentials are being periodically changed they had lots of time to try them out (trying a few hundred passwords one day, a few hundred the next day, and so on). All that they had to do is keep the number of login trials (password guesses) low enough not to trigger any alarms, and that is all.

User137
23-11-2011, 09:07 AM
Nowadays computers, and especially computer clouds, offer huge computational power, which makes data encryption which was considered perfectly safe a few years ago not so safe anymore. If we are honest, no data encryption is perfectly safe.
And I don't agree with that :P Not all encryptions are perfectly safe, but some are. You may have also noticed an increasing number of sites which demand that a password contain at least 1 number and a capital letter, to improve even the bad ones.


If we take into account that the Steam system isn't run just on one server, it means that the database itself had to be globally available. This means that the hacker had the ability to impersonate one of those servers and access the database this way. Of course they needed to have proper database login credentials to gain access to the database data, but since it isn't very likely that database credentials are being periodically changed they had lots of time to try them out (trying a few hundred passwords one day, a few hundred the next day, and so on). All that they had to do is keep the number of login trials (password guesses) low enough not to trigger any alarms, and that is all.
From end to start, password guessing is in my opinion history already, unless the system is built really badly. Admins will most likely get big red alarms after 5 wrong password attempts already, and ban the IP. They can shut it down if they see the attacks continuing from numerous IPs. Well, it doesn't even require admins; systems can usually prevent repeated attempts automatically.

If I were admin of such a cloud server network, I'd use the same IP whitelist for each server. As we know, the hackers were able to crack into something other than the normal Steam login, because otherwise they wouldn't have accessed all users at once. So, if each server only allows connections from other servers that are in the whitelist, wouldn't that solve everything? Admins themselves only need a localhost connection to the server they are at. Allowing remote connections to a big amount of data can be a root of problems. Even most server software (FileZilla FTP, Apache etc) only lets admins log in from the local network, by default.

SilverWarior
23-11-2011, 01:45 PM
And I don't agree with that :P Not all encryptions are perfectly safe, but some are. You may have also noticed an increasing number of sites which demand that a password contain at least 1 number and a capital letter, to improve even the bad ones.

There is no encryption that is perfectly safe.
As for various sites requiring the use of numbers in passwords, it is only to prevent password breaking by dictionary attack, which is a lot faster than a brute force attack because it is guessing the password with the help of pre-chosen words. As for using capital letters, it only prolongs a brute force attack, that's all.

LP
23-11-2011, 03:36 PM
From end to start, the password guessing is in my opinion history already, unless system is built really bad.
...or, unless, that system is being used by users who are humans.


Admins will most likely get big red alarms after 5 wrong password attempts already, and ban the IP.
Sure, and prevent all legitimate users from the entire subnet from accessing the server. Banning IPs is a very bad idea, as some ISPs serving thousands of users may have only one public IP. By doing so you've just helped a successful DoS attack, which denied access to many legitimate users.


They can shut it down if they see the attacks continuing from numerous IPs.
...and simplify DoS attacks against this server further: just access this server from multiple IPs and it will automatically shut down, how cool is that! :)


If I were admin of such a cloud server network, I'd use the same IP whitelist for each server.
I would consider such a server system highly insecure, because if you rely on an IP address whitelist you are immediately a candidate for IP spoofing (http://en.wikipedia.org/wiki/IP_address_spoofing).

LP
23-11-2011, 03:47 PM
Various articles about the Steam hack only say that data from the user accounts database was stolen, but no article which I read says how that was done.
This is actually very speculative. From what we can tell, they could just as well have put a gun in the sysop's face in an armed assault on the datacenter, downloaded the necessary data in raw unencrypted format and been gone. Who knows...

User137
23-11-2011, 08:23 PM
First off, I'm not making things up. I have built web services and seen many configuration options. You seem to be tackling minor details now, on things you could have thought of solutions to yourself.


...or, unless, that system is being used by users who are humans.
What does bots' password guessing have to do with humans?


Sure, and prevent all legitimate users from the entire subnet from accessing the server. Banning IPs is a very bad idea, as some ISPs serving thousands of users may have only one public IP. By doing so you've just helped a successful DoS attack, which denied access to many legitimate users.
Ban the IP for 10 hours or ban the user; those are minor details. ISPs' dynamic IPs usually change at a frequency of once per 24 hours, but it may vary a lot. I used to have the same IP for many weeks. Giving 1 user an "access denied" to prevent 1 hacker would be a perfectly acceptable trade any day. A user can request his password to his email if it's lost; no system will let you attempt it more than 10 times, normally just 5.


...and simplify DoS attacks against this server further: just access this server from multiple IPs and it will automatically shut down, how cool is that! :)
It doesn't have to be an automatic shutdown. Or don't pull the plug and let the system get hacked with the whole user database stolen, yay! I'd rather stop the system, call the police and see what they can do about the ongoing attack. Double-check security settings, maybe change admin passwords and, if all is ok, restart.


I would consider such a server system highly insecure, because if you rely on an IP address whitelist you are immediately a candidate for IP spoofing (http://en.wikipedia.org/wiki/IP_address_spoofing).
I would consider it an additional layer of security that makes the hackers' job even harder than if there was no whitelist. It comes at the cost of less admin access, though, but is still worth it.

LP
24-11-2011, 12:49 AM
First off, I'm not making things up. I have built web services and seen many configuration options. You seem to be tackling minor details now, on things you could have thought of solutions to yourself.
No, I've just mentioned major flaws in the security solutions you have suggested. What solution to use for Steam? I don't know, because I don't have knowledge of their specific system and most likely neither do you. The rest is just pure speculation, as I've said earlier.



What does bots' password guessing have to do with humans?
Because accounts are hosted for human users, not spam bots. Therefore, you can still guess passwords set by humans, who tend to use easy to remember passwords instead of random letters.



Ban the IP for 10 hours or ban the user; those are minor details. ISPs' dynamic IPs usually change at a frequency of once per 24 hours, but it may vary a lot. I used to have the same IP for many weeks. Giving 1 user an "access denied" to prevent 1 hacker would be a perfectly acceptable trade any day.
It seems that you did not understand my reply. Please check (or recheck) what subnetting (http://searchnetworking.techtarget.com/definition/subnet) is about. That is, an ISP may have only one public IP with many internal (local) IP addresses given to their users. If by means of spoofing or by using a proxy you took an IP address to be a spammer's and blocked it, not only have you blocked one single user, but the entire subnet! Therefore, many users will get denial of service, while the attacker can simply use a different IP address and continue the attack. You may try to block the specific port instead of the IP, but it won't help either, because ports can be reused in the ISP for different users and the attacker can simply use a different port or, most likely, use as many ports and as many IP addresses as possible. Therefore, as I've said, IP blocking (http://en.wikipedia.org/wiki/Ip_blocking) (check the Wikipedia link, it actually mentions the risks involved) is not an efficient security measure.

What to do in this case? It's a difficult scenario, which will most likely require multiple solutions and still won't protect you completely. Hardware firewalls, packet filtering, redundancy and symmetric authentication are some things you can do to detect what information is legitimate, but sooner or later you will have to assume that your system will be messed with and you will need to include steps for recovery instead of defense. This is where raw data encryption comes into play, which we have discussed earlier.


It doesn't have to be an automatic shutdown. Or don't pull the plug and let the system get hacked with the whole user database stolen, yay! I'd rather stop the system, call the police and see what they can do about the ongoing attack. Double-check security settings, maybe change admin passwords and, if all is ok, restart.
What you are saying is fiction, that the system will somehow detect that it is being hacked and say "Warning! System is being hacked, shut down? Y/N". What you are really getting are login attempts, but there is no way for you to know whether they are legitimate or some sort of attack. For instance, there are users, including myself, who may insist on logging in more than 5 times in a row. In my own example, I have over ten passwords and sometimes I don't remember which one I've used on the particular web site, therefore I have to try all of them. An alternative solution would simply be a delay (e.g. a few seconds), so that it will take quite some time for an automatic solution to guess the password, which you can detect later in the logs and do the necessary investigation on the matter without affecting any of the users or shutting down the system prematurely.

As for calling the police, that was funny. You may want to try calling FBI or NSA first. :)



I would consider it an additional layer of security that makes the hackers' job even harder than if there was no whitelist. It comes at the cost of less admin access, though, but is still worth it.
There are other ways to ensure security instead of using an IP whitelist, which, as I've said earlier, won't do the job.

What solutions should you use to improve security? It depends on the particular implementation. You may use both hardware and software solutions, packet filtering, redundant internal servers and a lot more (http://en.wikipedia.org/wiki/Network_security). However, as has been said earlier, you will most likely never achieve totally impenetrable security as long as you are connected to another network, just the same as you will never protect your hardware completely from lightning strikes (btw, yet another interesting topic which we should sometime discuss ;)) as long as you are connected to a power outlet.
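The alternative argued for in this exchange, a per-account delay after failed logins instead of banning source IPs (which would lock out everyone behind an ISP's shared NAT address), with every attempt logged for later review, can be sketched as a small throttle. This is an added example, not code from the thread or from Steam; the account names, the NAT address and the timings are constructed, and time is passed in explicitly so the scenario runs deterministically offline.

```python
"""Per-account login throttling with exponential backoff, instead of IP banning.

Added example; accounts, IP addresses and timestamps below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts on this account
    locked_until: float = 0.0  # timestamp before which new attempts are refused


@dataclass
class LoginThrottle:
    base_delay: float = 2.0    # seconds of delay after the first failure
    max_delay: float = 300.0   # cap, so a lockout never becomes a permanent self-DoS
    accounts: dict = field(default_factory=lambda: defaultdict(AccountState))
    audit_log: list = field(default_factory=list)   # (time, user, src_ip, outcome)

    def delay_for(self, failures: int) -> float:
        """Backoff keyed on the account, not on the source IP: 2s, 4s, 8s, ... up to the cap."""
        if failures <= 0:
            return 0.0
        return min(self.base_delay * (2 ** (failures - 1)), self.max_delay)

    def attempt(self, user: str, src_ip: str, password_ok: bool, now: float) -> str:
        """Process one login attempt and return 'ok', 'fail' or 'throttled'."""
        st = self.accounts[user]
        if now < st.locked_until:
            # Refused without even checking the password; the IP is only recorded, not banned.
            self.audit_log.append((now, user, src_ip, "throttled"))
            return "throttled"
        if password_ok:
            st.failures = 0
            self.audit_log.append((now, user, src_ip, "ok"))
            return "ok"
        st.failures += 1
        st.locked_until = now + self.delay_for(st.failures)
        self.audit_log.append((now, user, src_ip, f"fail#{st.failures}"))
        return "fail"

    def suspicious_accounts(self, min_failures: int = 5) -> list:
        """Accounts worth investigating in the log later, as the post above suggests."""
        return sorted(u for u, s in self.accounts.items() if s.failures >= min_failures)


def run_scenario() -> dict:
    """Constructed sequence: guessing against 'alice' from an address that a legitimate
    user 'bob' also sits behind (one ISP NAT address shared by many customers)."""
    throttle = LoginThrottle()
    nat_ip = "203.0.113.7"   # constructed shared NAT address (documentation range)
    # Each retry lands exactly when the previous delay expires, plus one early retry.
    attack_times = [0.0, 1.0, 2.0, 6.0, 14.0, 30.0, 62.0]
    attacker = [throttle.attempt("alice", nat_ip, False, now=t) for t in attack_times]
    # Bob, behind the same IP, is unaffected because throttling is per account.
    bob = throttle.attempt("bob", nat_ip, True, now=63.0)
    return {
        "attacker": attacker,
        "bob": bob,
        "alice_delay": throttle.delay_for(throttle.accounts["alice"].failures),
        "flagged": throttle.suspicious_accounts(),
        "log_entries": len(throttle.audit_log),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```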

SilverWarior
24-11-2011, 12:58 AM
First off, I'm not making things up. I have built web services and seen many configuration options. You seem to be tackling minor details now, on things you could have thought of solutions to yourself.

Would you mind sharing which ones? I guess that they aren't such prosperous targets as Steam accounts, for instance, which lowers the chances of hackers trying to hack them in the first place.


What does bots' password guessing have to do with humans?

Everything, because most humans can remember only simple passwords which have some predictable patterns. This means that guessing those passwords is easier.


Ban the IP for 10 hours or ban the user; those are minor details. ISPs' dynamic IPs usually change at a frequency of once per 24 hours, but it may vary a lot. I used to have the same IP for many weeks. Giving 1 user an "access denied" to prevent 1 hacker would be a perfectly acceptable trade any day. A user can request his password to his email if it's lost; no system will let you attempt it more than 10 times, normally just 5.

Yes, most ISPs would assign specific IPs to be used by specific users for some period of time, but most ISPs still allow users to request to be assigned a different IP anytime. This means that one user can launch hack attempts from even more than 100 different IPs in the same day.
But here is the problem. After you blacklist a certain IP address the hacker just requests a new one. And since the old IP is no longer assigned to the hacker it can be assigned to another user. And if this other user is a legitimate user you would just prevent him from accessing your services.


It doesn't have to be an automatic shutdown. Or don't pull the plug and let the system get hacked with the whole user database stolen, yay! I'd rather stop the system, call the police and see what they can do about the ongoing attack. Double-check security settings, maybe change admin passwords and, if all is ok, restart.

I would rather have some decoy system than stop the whole system for every attack. Why? If you stop the system you clearly tell the hackers that you discovered their hacking attempt, and before you would even manage to explain to the police that someone tried to hack your system the hackers would already have erased all traces behind them. So you only get your system not being available to legitimate users and have no leads to the hackers for the police to arrest them.
But if you use some kind of a decoy you might hold the hackers online long enough to backtrace them. And how to make a decoy system? For instance, if you detect an attempt to access your database, give the hacker the impression that he really hacked your database engine and start feeding him false information. If you do this long enough it might be possible to backtrace the whereabouts of this hacker. But there is no guarantee that backtracing would be successful.
Most of today's hacking attempts are launched from botnets and not from single computers. What does this mean? This means that the hacking attempt is actually being launched from certain computers which have been infected with some trojan which gives the hackers control of those computers. Usually hackers even use pre-timed attacks. This means that they actually aren't online when the hack is actually taking place. This makes erasing the traces behind them a lot easier, and they have a firm alibi that they were doing something else at the time, making the authorities' job of putting them in prison a lot harder. And sometimes some innocent people actually get in trouble because the attack actually originated from their computer and they didn't even know it. That's why most ISP providers' usage terms have a clause that the user of the service can be prosecuted and fined if the ISP detects that a hacking attempt originated from their computer, even if their computer was under someone else's control at the time.

User137
24-11-2011, 08:51 AM
Would you mind sharing which ones?
Just on a local computer, trying different software throughout the years. I have an ftp server as a hidden service online with the computer every day, which only accepts localhost for admin.

About subnetting or IP manipulation, that really is just a DoS attack. Consider it as a mail that you send anonymously to someone. The receiver has no way to send you its "thanks", such as "welcome to the system", because it doesn't know where you are. So this method directly cannot be used to gain access to the system, but it's just harassment.


..humans can remember only simple passwords which have some predictable patterns. This means that guessing those passwords is easier.
That was maybe so 5 years ago, but now assume that every password has a number and a letter (Nobody cares about passwords that don't, that's just stupidity and everyone knows that). Pick a random Steam name and try guessing his password just like that... How many attempts would it take? 10? Try a botnet to login to his account... oh wait, his user account has a 10 second delay between login attempts, and a 10 total limit till it locks up waiting for email verification or something.

Should I rephrase it? Could I guess your pascalgamedev password easily in under 1000000 attempts?

I'm just speaking of various techniques you can use with net services, not that they are the best and flawless just on their own or without much further planning through the whole thing. Just because you say there are flaws in a technique, do you think nobody uses them?

Also, you might think that locking up someone's account for a hacking attempt is too harsh a method. It's actually reality on many systems, it's just that hacking in general is not that common against certain user accounts. Even a game server as old as Diablo 2 visibly told the player the last failed login attempts to see if someone had tried to hack him.


An alternative solution would be simply a delay (e.g. few seconds) so that it will take quite some time for an automatic solution to guess the password, which you can detect later in the logs and do the necessary investigation on the matter without affecting any of the users or shutting down the system prematurely.
And that's exactly the same thing I was talking about, I'm just not mentioning all the minor details. Server admins may still shut it down for safety reasons if they wish to do so; IP logs are there anyway, be it useful or not. It should be in most cases very easy to see a sudden spike in failed login attempts. Assuming the system has any such graph tracking at all.
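
The per-account delay and lockout discussed in this exchange, together with the failed-login spike check, as an added example (not code from any poster here); the policy values, account names and the sample log are constructed assumptions:

```python
from collections import Counter, defaultdict

# Policy values are assumptions chosen for this example, not any real service's settings
DELAY_SECONDS = 10      # minimum gap between two attempts on one account
MAX_FAILURES = 10       # failures before the account is locked pending out-of-band unlock
SPIKE_THRESHOLD = 50    # failed logins in one minute that count as a spike


class AccountThrottle:
    """Per-account delay and lockout; no IP address is ever banned."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.last_attempt = {}
        self.locked = set()

    def attempt(self, user, now, password_ok):
        """Return 'ok', 'denied', 'too_fast' or 'locked' for one login attempt."""
        if user in self.locked:
            return "locked"
        last = self.last_attempt.get(user)
        if last is not None and now - last < DELAY_SECONDS:
            return "too_fast"   # rejected before the password is even checked
        self.last_attempt[user] = now
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked.add(user)   # only an out-of-band step (e.g. e-mail) unlocks it
            return "locked"
        return "denied"


def failed_login_spikes(log_lines):
    """Return the minutes ('HH:MM') whose failed-login count exceeds SPIKE_THRESHOLD."""
    per_minute = Counter()
    for line in log_lines:
        timestamp, result = line.split()[:2]
        if result == "FAIL":
            per_minute[timestamp[:5]] += 1
    return sorted(m for m, n in per_minute.items() if n > SPIKE_THRESHOLD)


# Constructed sample log in the form 'HH:MM:SS RESULT user' (not real data):
# 60 failures spread over many accounts in one minute, then normal traffic.
SAMPLE_LOG = [f"12:00:{i % 60:02d} FAIL user{i}" for i in range(60)] + [
    "12:01:05 OK alice", "12:01:07 FAIL bob", "12:02:30 FAIL carol"]
```

Note that the spike detector catches the botnet pattern the throttle alone misses: one failure per account stays below any per-account limit but still shows up as a spike in the aggregate log.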

LP
24-11-2011, 03:44 PM
About subnetting or IP manipulation, that really is just a DoS attack.
Subnetting is not a DOS attack, it is a common technique to overcome IPv4 address exhaustion and improve routing performance for local networks connected to the Internet.


That was maybe so 5 years ago, but now assume that every password has a number and a letter (Nobody cares about passwords that don't, that's just stupidity and everyone knows that).
Please, you are just being stubborn, we've replied on this multiple times. Nothing has changed in 5 years. People still prefer to use easy-to-remember passwords. I personally know people that use such passwords; actually all people I know personally use such passwords, with myself being the only exception. If some web site forces you to use letters and different case, people simply use something trivial like John2011. Therefore, your assumption that every password has a number and a letter is grossly fallacious.

Should everyone switch to random letters and numbers? No, I think this is not necessary. If you are storing some random family photos and use e-mail to talk to some friends, there is no need for ultra-high security. Even if you don't use a password at all it's unlikely someone will have interest in your data anyway.


I'm just speaking of various techniques you can use with net services, not that they are the best and flawless just on their own or without much further planning through the whole thing. Just because you say there are flaws in a technique, do you think nobody uses them?
No, this is a typical logical fallacy called Argumentum ad populum (http://en.wikipedia.org/wiki/Argumentum_ad_populum), saying that because others are doing it you should do it as well (check the C/C++ vs Pascal thread here on PGD to see how this fallacy is used on geometric scales). You proposed IP banning and IP whitelists; I've demonstrated that these techniques do more damage than good and should not be used at all. Yes, other people might be using them (curiously including the developers of vBulletin). *Should* you ever use these techniques? No, you should use something different that doesn't involve blocking large user masses.

If you find my arguments reasonable, you may try simply agreeing that you were wrong. This is not a contest and I'm sure everyone including myself will respect you even if you are mistaken about something (as I've said earlier, we are supposedly humans). I've myself edited one of my earlier posts about encryption because I had misunderstood you and was wrong to discuss it any further, since I agreed that breaking a properly ciphered document was significantly difficult.


Also, you might think that locking up someone's account for a hacking attempt is too harsh a method. It's actually reality on many systems, it's just that hacking in general is not that common against certain user accounts. Even a game server as old as Diablo 2 visibly told the player the last failed login attempts to see if someone had tried to hack him.
I'm not sure if this is on purpose, but you are using a red herring (http://en.wikipedia.org/wiki/Ignoratio_elenchi#Red_herring). I've never mentioned and never referred to individual account blocking. You recommended IP banning; I've said that this might result in many innocent people being banned, while not resolving the issue. Redirecting the subject to a different topic doesn't support your original argument.

User137
24-11-2011, 04:32 PM
I will admit where I'm wrong but it doesn't feel like that yet :) I'm a sworn follower of pure logic.

I'm not using a red herring, you just didn't read my post. I did agree that banning an IP for a long time can be bad for masses of people, therefore I suggested a shorter (maybe even minutes) IP ban and/or a user account (or in the whitelist case, admin account) related temporary ban.

That is still on the topic of whitelists, which under this logic is still a valid technique. It does not block large user masses, it only makes hacking attempts harder. And like I said, if you fake your IP you can't hack, only DoS. Subnetting is about communicating with computers in the same network group. You cannot form a network group with a computer out in the Internet, especially if he is using a fake IP. Packets only move in 1 way, to the server (well, you can form a VPN, but that requires acceptance and setup from all parties involved).

I can prove the subnetting restriction with an example: From your home computer, it is not possible to directly connect to a local university's internal network even if you fake your own IP network mask to be the same. That is why schools have SSH or VPN login systems.

About easy passwords people make, ok, it could be that a large amount of people try to make them as easy as possible for themselves. However this topic was about hackers trying to guess them. I have been trying to make it clear that most systems will not let them try it many times in a row. They have to guess it right in 10 attempts in most cases. I don't want to try how many times Steam actually allows. Login policies for admins can be built even stricter.

SilverWarior
24-11-2011, 08:21 PM
And like i said, if you fake your IP you can't hack, only DoS.

Fake IP? What are you talking about?


I can prove the subnetting restriction with an example: From your home computer, it is not possible to directly connect to a local university's internal network even if you fake your own IP network mask to be the same. That is why schools have SSH or VPN login systems.

That's because in this case your computer doesn't physically belong to the same network. Computers belonging to a local network actually belong to the same physical network and access the web through a router which transmits local network data to the WAN network and vice versa. In a way the router is some kind of a bridge between the LAN and WAN networks.
But if you have some system which needs to run on multiple servers which are spread throughout the globe you can't connect all these servers to the same physical network, which means that your network is somehow exposed to the internet and this also increases its vulnerability.


About easy passwords people make, ok, it could be that a large amount of people try to make them as easy as possible for themselves. However this topic was about hackers trying to guess them. I have been trying to make it clear that most systems will not let them try it many times in a row. They have to guess it right in 10 attempts in most cases. I don't want to try how many times Steam actually allows. Login policies for admins can be built even stricter.

Yes, this topic is about hackers, and what do you mean? What have the hackers been thinking even before they did the hacking? One of the subjects was definitely thinking of what kinds of passwords are most often used. What do you think, how was the dictionary approach of breaking passwords developed in the first place?
And yes, most systems have some safety feature which prevents guessing passwords by trying thousands of different passwords in a short period. But since most of these passwords stay the same for longer periods the hacker actually has as much time as that period lasts. Because of this there are a lot of systems which actually force their users to change their passwords regularly. But since most humans have difficulties remembering their passwords they actually just use the same base password and just add a number at the end (a predictable pattern which makes guessing easier).

LP
24-11-2011, 09:49 PM
And like i said, if you fake your IP you can't hack, only DoS.
This is an interesting point. Actually, I think you can if you use a combination of IP spoofing and sniffing so that you have continuous communication with the server, which believes you are somebody else. This may not be as easy as it sounds, but it is certainly a possibility.

In either case, both issues are related as you are trying to protect against hacking by making the server vulnerable to DOS attacks.


Subnetting is about communicating with computers in the same network group. You cannot form a network group with a computer out in the Internet, especially if he is using a fake IP.
Actually you can, by using NAT (http://en.wikipedia.org/wiki/Network_address_translation) and ports translated to local addresses; this is how subnetting actually works. In addition, you can always resort to using proxies, including those running as trojans on random users' machines.


I can prove the subnetting restriction with an example: From your home computer, it is not possible to directly connect to a local university's internal network even if you fake your own IP network mask to be the same. That is why schools have SSH or VPN login systems.
Again, please be careful with red herring (http://en.wikipedia.org/wiki/Red_herring). SSH, VPN, Subnetting and IP spoofing are four different independent topics not directly related to each other.


About easy passwords people make, ok, it could be that a large amount of people try to make them as easy as possible for themselves. However this topic was about hackers trying to guess them. I have been trying to make it clear that most systems will not let them try it many times in a row.
Good, now let's take the premise to which you have agreed, that many people use simple passwords instead of strong ones. Now take another premise, that Steam accounts were hacked. Therefore, even if the data was encrypted, it is easier to crack these passwords than in the best-case scenario, as these passwords are prone to guessing and once the hackers have this data, their guessing potential is unrestricted by delays, processing power and so on. Therefore, there is a high chance that they actually acquire users' private information. This was my original point. :)


Fake IP? What are you talking about?
IP spoofing is a technique of modifying the IP packet header to change the source address to fool the server into thinking that the packet was sent by somebody else. This is sometimes accompanied by a sniffer, which can also intercept the packets to interpret their contents.

Btw, is it just me or have there been no discussions on PGD other than this one lately? We urgently need more controversial topics! :)

paul_nicholls
24-11-2011, 10:01 PM
Btw, is it just me or have there been no discussions on PGD other than this one lately? We urgently need more controversial topics! :)

I agree...and I started this thread! haha :D

More other topics please! ;)

cheers,
Paul