
Thread: FYI: Steam accounts were hacked (around 10th November)


  1. #1
    Would you mind sharing which ones?
    Just on a local computer, trying different software throughout the years. I have an FTP server as a hidden service online with the computer every day, which only accepts localhost for admin.

    About subnetting or IP manipulation, that really is just a DoS attack. Consider it as a mail that you send anonymously to someone. The receiver has no way to send you its "thanks", such as "welcome to the system", because it doesn't know where you are. So this method cannot directly be used to gain access to the system; it's just harassment.

    ..humans can remember only simple passwords which have some predictable patterns. This means that guessing those passwords is easier.
    That was maybe so 5 years ago, but now assume that every password has a number and a letter (nobody cares about passwords that don't, that's just stupidity and everyone knows that). Pick a random Steam name and try guessing his password just like that... How many attempts would it take? 10? Try a botnet to log in to his account... oh wait, his user account has a 10 second delay between login attempts, and a 10 total limit till it locks up waiting for email verification or something.

    Should I rephrase it? Could I guess your pascalgamedev password easily in under 1000000 attempts?

    I'm just talking about various techniques you can use with net services, not saying that they are the best and flawless just on their own or without much further planning through the whole thing. Just because you say there are flaws in a technique, do you think nobody uses them?

    Also, you might think that locking up someone's account for a hacking attempt is too harsh a method. It's actually reality on many systems; it's just that hacking in general is not that common against certain user accounts. Even a game server as old as Diablo 2 visibly showed the player's last failed login attempts, to see if someone had tried to hack him.

    An alternative solution would be simply a delay (e.g. a few seconds) so that it will take quite some time for an automatic solution to guess the password, which you can detect later in the logs and do the necessary investigation on the matter without affecting any of the users or shutting down the system prematurely.
    And that's exactly the same thing I was talking about; I'm just not mentioning all the minor details. Server admins may still shut it down for safety reasons if they wish to do so; IP logs are there anyway, be they useful or not. It should be in most cases very easy to see a sudden spike in failed login attempts, assuming the system has any such graph tracking at all.
    Last edited by User137; 24-11-2011 at 09:44 AM.
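    The policy argued for in the post above (a fixed delay between attempts on one account, a lock after a small number of failures, and a later look at the logs for a spike in failures) as an added Python example. It is not code from this thread or from Steam; the 10 second delay and 10 attempt limit are the figures the post quotes, while the one minute window and the "more than five failures" spike threshold are assumptions for illustration.

```python
import time
from collections import Counter, defaultdict

MAX_FAILURES = 10      # lock the account after this many consecutive failures (figure from the post)
DELAY_SECONDS = 10.0   # minimum spacing between attempts on one account (figure from the post)


class Throttle:
    """Per-account login throttling: attempts closer together than DELAY_SECONDS
    are refused without checking the password, and MAX_FAILURES consecutive
    failures lock the account until it is unlocked out of band (e.g. by e-mail)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)   # consecutive failures per account
        self.last_attempt = {}             # time of the last accepted attempt per account
        self.locked = set()
        self.log = []                      # (time, account, outcome) kept for later analysis

    def attempt(self, account, password_ok):
        now = self.clock()
        if account in self.locked:
            outcome = "locked"
        elif account in self.last_attempt and now - self.last_attempt[account] < DELAY_SECONDS:
            outcome = "too_fast"           # refused before the password is even compared
        else:
            self.last_attempt[account] = now
            if password_ok:
                self.failures[account] = 0
                outcome = "ok"
            else:
                self.failures[account] += 1
                outcome = "fail"
                if self.failures[account] >= MAX_FAILURES:
                    self.locked.add(account)   # takes effect from the next attempt on
        self.log.append((now, account, outcome))
        return outcome


def failure_spikes(log, window=60.0, threshold=5):
    """Bucket failed and refused attempts into fixed windows and return the start
    times of windows holding more than `threshold` of them. The threshold is an
    assumption; a real deployment would derive it from the normal failure rate."""
    buckets = Counter()
    for ts, _account, outcome in log:
        if outcome in ("fail", "too_fast"):
            buckets[(ts // window) * window] += 1
    return sorted(start for start, count in buckets.items() if count > threshold)


class FakeClock:
    """Deterministic clock so the simulation runs instantly and repeatably."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_guessing(throttle, clock, account, real_password, guesses):
    """An attacker feeds guesses at the fastest rate the server allows.
    Returns (found, number_of_guesses_the_server_actually_checked)."""
    checked = 0
    for guess in guesses:
        outcome = throttle.attempt(account, guess == real_password)
        if outcome in ("ok", "fail"):
            checked += 1
        if outcome == "ok":
            return True, checked
        if outcome == "locked":
            return False, checked
        clock.advance(DELAY_SECONDS)
    return False, checked


if __name__ == "__main__":
    clock = FakeClock()
    throttle = Throttle(clock)
    # constructed wordlist; the real password is the 31st entry, never reached
    wordlist = [f"password{i}" for i in range(50)]
    found, checked = simulate_guessing(throttle, clock, "alice", "password30", wordlist)
    print(f"found={found} checked={checked} locked={'alice' in throttle.locked}")
    print("failure spikes start at:", failure_spikes(throttle.log))
```

    Because the delay check runs before the password comparison, a burst of requests costs the server almost nothing, and the `too_fast` entries are what make the spike visible in the log even when the attacker never gets as far as a real guess.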

  2. #2
    Quote Originally Posted by User137 View Post
    About subnetting or IP manipulation, that really is just a DoS attack.
    Subnetting is not a DoS attack; it is a common technique to overcome IPv4 address exhaustion and improve routing performance for local networks connected to the Internet.

    Quote Originally Posted by User137 View Post
    That was maybe so 5 years ago, but now assume that every password has number and letter (Nobody cares about passwords that don't, thats just stupidity and everyone knows that).
    Please, you are just being stubborn; we've replied to this multiple times. Nothing has changed in 5 years. People still prefer to use easy to remember passwords. I personally know people that use such passwords; actually, all the people I know personally use such passwords, with myself being the only exception. If some web site forces you to use letters and different case, people simply use something trivial like John2011. Therefore, your assumption that every password has a number and a letter is grossly fallacious.

    Should everyone switch to random letters and numbers? No, I think this is not necessary. If you are storing some random family photos and use e-mail to talk to some friends, there is no need for ultra-high security. Even if you don't use password at all it's unlikely someone will have interest in your data anyway.

    Quote Originally Posted by User137 View Post
    I'm just saying of various techniques you can use with net services, not that they are best and flawless just on their own or without much further planning through the whole thing. Just because you say there are flaws in a techique, do you think nobody uses them?
    No, this is a typical logical fallacy called Argumentum ad populum, saying that because others are doing it you should do it as well (check the C/C++ vs Pascal thread here on PGD to see how this fallacy is used on geometric scales). You proposed IP banning and IP whitelists, I've demonstrated that these techniques do more damage than good and should not be used at all. Yes, other people might be using them (curiously including the developers of vBulletin). *Should* you ever use these techniques? No, you should use something different that doesn't involve blocking large user masses.

    If you find my arguments reasonable, you may try simply agreeing that you were wrong. This is not a contest and I'm sure everyone including myself will respect you even if you are mistaken about something (as I've said earlier, we are supposedly humans). I've myself edited one of my earlier posts about encryption because I had misunderstood you and it was wrong to discuss it any further, since I agreed that breaking a properly ciphered document was significantly difficult.

    Quote Originally Posted by User137 View Post
    Also, you might think that locking up someones account for hacking attempt is a too harsh method. It's actually reality on many systems, it's just that hacking in general is not that common against certain user accounts. Even a game server as old as Diablo 2 visibly said the player last failed login attempts to see if someone had tried to hack him.
    I'm not sure if this is on purpose, but you are using a red herring. I've never mentioned and never referred to individual account blocking. You recommended IP banning, I've said that this might result in many innocent people being banned, while not resolving the issue. Redirecting the subject to a different topic doesn't support your original argument.
    Last edited by LP; 24-11-2011 at 03:57 PM.

  3. #3
    I will admit where I'm wrong, but it doesn't feel like that yet; I'm a sworn follower of pure logic.

    I'm not using a red herring, you just didn't read my post. I did agree that banning an IP for a long time can be bad for masses of people, therefore I suggested a shorter (maybe even minutes) IP ban and/or a user account (or in the whitelist case, admin account) related temporary ban.

    That is still on the topic of whitelists, which under this logic is still a valid technique. It does not block large user masses, it only makes hacking attempts harder. And like I said, if you fake your IP you can't hack, only DoS. Subnetting is about communicating with computers in the same network group. You cannot form a network group with a computer out on the Internet, especially if he is using a fake IP. Packets only move one way, to the server (well, you can form a VPN, but that requires acceptance and setup from all parties involved).

    I can prove the subnetting restriction with an example: From your home computer, it is not possible to directly connect to the local university's internal network even if you fake your own IP network mask to be the same. That is why schools have SSH or VPN login systems.

    About easy passwords people make, ok, it could be that a large amount of people try to make them as easy as possible for themselves. However this topic was about hackers trying to guess them. I have been trying to make it clear that most systems will not let them try it many times in a row. They have to guess it right in 10 attempts in most cases. I don't want to try how many times Steam actually allows. Login policies for admins can be built even stricter.
    Last edited by User137; 24-11-2011 at 05:01 PM.
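    The point argued above (a forged source address passes an IP whitelist but the reply goes elsewhere, so a spoofer can at most waste the server's resources) as an added Python simulation that is not code from this thread: a server with an IP allowlist, a toy network that delivers packets purely by destination address, and an attacker who forges an allowlisted source. It runs the TCP handshake both blind and in the variant where the attacker can also read the traffic sent to the forged address. The addresses are RFC 5737 documentation addresses chosen for the example; the server, the network and the attacker are all assumptions of the simulation.

```python
import random
from collections import defaultdict
from dataclasses import dataclass

SERVER = "192.0.2.10"       # documentation addresses (RFC 5737), not real hosts
VICTIM = "203.0.113.5"      # the address on the server's allowlist
ATTACKER = "198.51.100.7"   # where the attacker's packets really come from


@dataclass
class Packet:
    src: str
    dst: str
    flags: str      # "SYN", "SYN-ACK" or "ACK"
    seq: int = 0
    ack: int = 0


class Network:
    """Toy IP layer: a packet is delivered to whatever destination address it
    carries, and nothing checks that the source address is the real sender."""

    def __init__(self):
        self.mailbox = defaultdict(list)

    def send(self, pkt):
        self.mailbox[pkt.dst].append(pkt)

    def receive(self, addr):
        pkts, self.mailbox[addr] = self.mailbox[addr], []
        return pkts


class Server:
    """Minimal TCP listener with an IP allowlist. A SYN gets a SYN-ACK carrying a
    random 32-bit initial sequence number; the connection is established only by
    an ACK that acknowledges exactly ISN+1."""

    def __init__(self, net, addr, allowlist):
        self.net, self.addr, self.allowlist = net, addr, allowlist
        self.half_open = {}        # src -> our ISN; this is what a SYN flood fills up
        self.established = set()
        self.dropped = 0

    def process(self):
        for pkt in self.net.receive(self.addr):
            if pkt.src not in self.allowlist:
                self.dropped += 1      # the allowlist only ever sees the claimed source
                continue
            if pkt.flags == "SYN":
                isn = random.getrandbits(32)
                self.half_open[pkt.src] = isn
                self.net.send(Packet(self.addr, pkt.src, "SYN-ACK", seq=isn, ack=pkt.seq + 1))
            elif pkt.flags == "ACK" and pkt.src in self.half_open:
                if pkt.ack == (self.half_open[pkt.src] + 1) % 2**32:
                    self.established.add(pkt.src)
                    del self.half_open[pkt.src]


def spoofed_handshake(attacker_sees_victim_traffic):
    """The attacker sends a SYN with VICTIM as the source address and then tries to
    finish the handshake. Returns (established, half_open_left, reply_went_to)."""
    net = Network()
    server = Server(net, SERVER, allowlist={VICTIM})
    net.send(Packet(VICTIM, SERVER, "SYN", seq=1000))     # spoofed source passes the allowlist
    server.process()
    reply_went_to = [addr for addr, box in net.mailbox.items() if box]
    if attacker_sees_victim_traffic:
        synack = net.receive(VICTIM)[0]                   # on-path sniffer reads the SYN-ACK
        ack_value = (synack.seq + 1) % 2**32
    else:
        assert net.receive(ATTACKER) == []               # the reply never reaches the attacker
        ack_value = random.getrandbits(32)               # blind guess at the server's ISN
    net.send(Packet(VICTIM, SERVER, "ACK", seq=1001, ack=ack_value))
    server.process()
    return VICTIM in server.established, len(server.half_open), reply_went_to


def honest_attempt():
    """A SYN from the attacker's real address is simply dropped by the allowlist."""
    net = Network()
    server = Server(net, SERVER, allowlist={VICTIM})
    net.send(Packet(ATTACKER, SERVER, "SYN", seq=1000))
    server.process()
    return server.dropped


if __name__ == "__main__":
    print("blind spoof   :", spoofed_handshake(False))   # (False, 1, ['203.0.113.5'])
    print("spoof + sniff :", spoofed_handshake(True))    # (True, 0, ['203.0.113.5'])
    print("own address   :", honest_attempt(), "packet dropped")
```

    The blind case fails only because the server's initial sequence number is unpredictable (randomised ISNs, RFC 6528); the stale entry it leaves in `half_open` is the resource a SYN flood exhausts, and the allowlist never saw anything but the claimed source address. With the attacker able to read the victim's traffic the same allowlist is passed and the connection completes.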

  4. #4
    Quote Originally Posted by User137 View Post
    And like i said, if you fake your IP you can't hack, only DoS.
    Fake IP? What are you talking about?

    Quote Originally Posted by User137 View Post
    I can prove the subnetting restriction with example: From your home computer, it is not possible to directly connect to local universitys internal network even if you fake your own IP network mask same. That is why schools have SSH or VPN login systems.
    That's because in this case your computer doesn't physically belong to the same network. Computers belonging to a local network actually belong to the same physical network and access the web through a router which transmits local network data to the WAN network and vice versa. In a way the router is some kind of a bridge between the LAN and WAN networks.
    But if you have some system which needs to run on multiple servers which are spread throughout the globe you can't connect all these servers to the same physical network, which means that your network is somehow exposed to the Internet and this also increases its vulnerability.

    Quote Originally Posted by User137 View Post
    About easy passwords people make, ok, could be that large amount of people try to make them as easy as possible for them. However this topic was about hackers trying to guess them. I have been trying to make it clear that most systems will not let them try it many times in a row. They have to guess it right in 10 attempts in most cases. I don't want to try how many times Steam actually allows. Login policies for admins can be built even stricter.
    Yes, this topic is about hackers, and what I mean is what hackers have been thinking even before they have done the hacking. One of the subjects was definitely thinking of what kind of passwords are most often used. What do you think, how was the dictionary approach to breaking passwords developed in the first place?
    And yes, most systems have some safety feature which prevents guessing passwords by trying thousands of different passwords in a short period. But since most of these passwords stay the same for longer periods, the hacker actually has as much time as that period lasts. Because of this there are a lot of systems which actually force their users to change their passwords regularly. But since most humans have difficulties remembering their passwords, they actually just use the same base password and just add a number at the end (a predictable pattern which makes guessing easier).

  5. #5
    Quote Originally Posted by User137 View Post
    And like i said, if you fake your IP you can't hack, only DoS.
    This is an interesting point. Actually, I think you can if you use a combination of IP spoofing and sniffing so that you have continuous communication with the server, which believes you are somebody else. This may not be as easy as it sounds, but it is certainly a possibility.

    In either case, both issues are related as you are trying to protect against hacking by making the server vulnerable to DOS attacks.

    Quote Originally Posted by User137 View Post
    Subnetting is about communicating with computers in same network group. You cannot form a network group with a computer out in the Internet, especially if he is using a fake IP.
    Actually you can by using NAT and ports translated to local addresses; this is how subnetting actually works. In addition, you can always resort to using proxies, including those running as trojans on random users' machines.

    Quote Originally Posted by User137 View Post
    I can prove the subnetting restriction with example: From your home computer, it is not possible to directly connect to local universitys internal network even if you fake your own IP network mask same. That is why schools have SSH or VPN login systems.
    Again, please be careful with red herring. SSH, VPN, Subnetting and IP spoofing are four different independent topics not directly related to each other.

    Quote Originally Posted by User137 View Post
    About easy passwords people make, ok, could be that large amount of people try to make them as easy as possible for them. However this topic was about hackers trying to guess them. I have been trying to make it clear that most systems will not let them try it many times in a row.
    Good, now let's take the premise to which you have agreed, that many people use simple passwords instead of strong ones. Now take another premise, that Steam accounts were hacked. Therefore, even if the data was encrypted, it is easier to crack these passwords than in the best-case scenario, as these passwords are prone to guessing, and once the hackers have this data, their guessing potential is unrestricted by delays, processing power and so on. Therefore, there is a high chance that they actually acquire users' private information. This was my original point.

    Quote Originally Posted by SilverWarior View Post
    Fake IP? What are you talking about?
    IP spoofing is a technique of modifying IP packet header to change the source address to fool the server into thinking that the packet was sent by somebody else. This is sometimes accompanied by a sniffer, which can also intercept the packets to interpret their contents.

    Btw, is it just me or there have been no discussions on PGD other than this one lately? We urgently need more controversial topics!
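    The two premises in the post above, and the "base word plus a number" pattern described two posts earlier, as an added Python example that is not code from this thread and says nothing about what the real Steam data looked like: a constructed "leak" of unsalted SHA-1 digests, a tiny base dictionary, and mangling rules that generate the predictable variants. The same cracker is run once with the ten guesses an online throttle would allow and once with no limit, which is the attacker's situation once the hash dump is in hand. Accounts, passwords, base words and the hash format are all assumptions of the demonstration.

```python
import hashlib


def sha1_hex(password):
    """Unsalted SHA-1 as a stand-in for a fast, unsalted password hash."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed leak for the example: what the victims chose (left) and what the
# attacker actually obtains (the digests). In a real dump only the digests are known.
VICTIM_PASSWORDS = {
    "paul": "john2011",        # "letters plus digits" satisfied the cheap way
    "lp": "Diablo2",           # capitalised word plus one digit
    "user137": "dragon1",
    "silver": "Q7v!kz#9Lm@p",  # random; expected to survive the dictionary
}
LEAK = {user: sha1_hex(pw) for user, pw in VICTIM_PASSWORDS.items()}

# Tiny base dictionary (assumed); real attacks use millions of words.
BASE_WORDS = ["password", "john", "diablo", "dragon", "steam", "letmein", "qwerty"]


def mangle(word):
    """Yield the predictable variants people derive from a base word: as typed,
    capitalised and upper-cased, each also with a digit, a two-digit number or a
    recent year appended. That is 3 * (1 + 10 + 90 + 22) = 369 candidates per word."""
    for w in (word, word.capitalize(), word.upper()):
        yield w
        for n in range(10):
            yield f"{w}{n}"
        for n in range(10, 100):
            yield f"{w}{n}"
        for year in range(1990, 2012):
            yield f"{w}{year}"


def crack(leak, base_words, max_guesses=None):
    """Hash every candidate and look it up in the leak. `max_guesses` models the
    budget an online login throttle allows; None models offline cracking, where
    nothing limits the attacker. Returns ({user: recovered_password}, guesses_made)."""
    by_digest = {digest: user for user, digest in leak.items()}
    found, guesses = {}, 0
    for word in base_words:
        for candidate in mangle(word):
            if max_guesses is not None and guesses >= max_guesses:
                return found, guesses
            guesses += 1
            digest = sha1_hex(candidate)
            if digest in by_digest:
                found[by_digest[digest]] = candidate
    return found, guesses


if __name__ == "__main__":
    online, n = crack(LEAK, BASE_WORDS, max_guesses=10)   # the 10 tries a throttle allows
    print(f"online budget: {n} guesses, recovered {online}")
    offline, n = crack(LEAK, BASE_WORDS)                  # no delay, no lockout, no limit
    print(f"offline: {n} guesses, recovered {offline}")
```

    The random password survives only because the dictionary never produces it, not because of any server-side limit. What actually buys time against an offline attacker is a per-user salt and a deliberately slow hash (PBKDF2, bcrypt or scrypt), which turns each guess from a microsecond SHA-1 into a configurable cost and stops one hashing pass from testing a candidate against every account at once.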

  6. #6
    Quote Originally Posted by Lifepower View Post
    Btw, is it just me or there have been no discussions on PGD other than this one lately? We urgently need more controversial topics!
    I agree...and I started this thread! haha

    More other topics please!

    cheers,
    Paul
