Posts Tagged ‘cracking’

A Minor Note on the Myth of admin

Sunday, 12 February 2017

This evening, I was looking at a record of recent failed attempts to log into this 'blog. I found that relatively few attempts tried to do so with the popular username of admin, whereäs by far the majority were with the username oeconomist (that is to say, with the second-level domain name). There is not and never has been an account here with username oeconomist; the would-be intruder was guessing mistakenly — but not unreasonably. If my logs are representative, then having an account name match a second-level domain name is less secure than having it be admin. With people avoiding admin, it is natural for crackers to try other likely candidates, including candidates whose probabilities are conditional upon the domain names.
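As an added example (not the author's own tooling), the following Python performs the sort of tally described above: it counts the usernames in failed-login records and separates guesses derived from the domain name from generic ones such as admin. The log format, the usernames, the addresses, and the lists of generic names and of domain-derived candidates are all constructed assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample of a login-attempt log (assumed format; not the author's
# real log). Usernames are made up and the addresses are documentation ranges.
SAMPLE_LOG = """\
2017-02-12 19:02:11 FAILED user=admin ip=198.51.100.7
2017-02-12 19:02:13 FAILED user=oeconomist ip=198.51.100.7
2017-02-12 19:02:15 FAILED user=oeconomist ip=198.51.100.7
2017-02-12 19:40:02 FAILED user=oeconomist ip=203.0.113.9
2017-02-12 20:11:45 FAILED user=administrator ip=203.0.113.9
2017-02-12 20:11:47 FAILED user=oeconomist ip=203.0.113.9
2017-02-12 20:11:49 FAILED user=jsmith ip=203.0.113.9
2017-02-12 21:05:30 OK user=someuser ip=192.0.2.1
"""

# Assumed line layout: date, time, result, user=..., ip=...
LINE_RE = re.compile(r"^\S+ \S+ (?P<result>FAILED|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Generic usernames that 'bots try regardless of the site (assumed list).
GENERIC = {"admin", "administrator", "root", "test", "user"}


def second_level_label(domain):
    """'oeconomist' for either 'oeconomist.com' or 'www.oeconomist.com'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def domain_candidates(domain):
    """Usernames a guesser might derive from the domain (assumed derivations)."""
    label = second_level_label(domain)
    return {label, domain.lower(), label + "admin", "admin@" + domain.lower()}


def tally_failed_usernames(log_text):
    """Count usernames across FAILED lines only; malformed lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("result") == "FAILED":
            counts[m.group("user").lower()] += 1
    return counts


def classify(counts, domain):
    """Bucket failed-login usernames: derived from the domain, generic, or other."""
    derived = domain_candidates(domain)
    buckets = {"domain_derived": 0, "generic": 0, "other": 0}
    for user, n in counts.items():
        if user in derived:
            buckets["domain_derived"] += n
        elif user in GENERIC:
            buckets["generic"] += n
        else:
            buckets["other"] += n
    return buckets


if __name__ == "__main__":
    counts = tally_failed_usernames(SAMPLE_LOG)
    print(counts.most_common())
    print(classify(counts, "oeconomist.com"))
```

The domain_derived bucket is the signal the entry describes: attempts against a name that exists nowhere but in the site's own hostname. The second-level label is taken naïvely as the second-from-last label, so a domain under a multi-part public suffix (for example, co.uk) would need the candidate set adjusted.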

Mind you that the reasoning of my earlier explanation of why the avoidance of admin doesn't add a discernible amount of security if passcodes are properly selected can be applied to avoiding a username that matches a domain name. An account with a known username and a well-chosen password of m+n characters is more secure than an account with a secret m-character username and an n-character password.

Choose a username that pleases you. Choose a password that is long and that looks like chaos, and make occasional changes to it.

Passcodes Redux

Friday, 1 July 2016

To-day, I found myself unable to log-in to this 'blog. I got a diagnostic that I were entering the wrong password. I don't want to burden my readers with a detailed retelling, but what had actually happened was that an up-date of WordPress rejected my password — it wasn't that I were entering the wrong password; it was that the password that I was entering was now prohibited.

On top of the login code misreporting the problem, the code for resetting the password wouldn't tell me why my password was being rejected. But it was rejected for containing a particular sub-string; and when I removed that sub-string, the password was then accepted.

If you understand passcodes (perhaps in part from reading my previous entry in which they were discussed), then you should see that there is something literally stupid in the WordPress software. Let's say that the forbidden sub-string were 8675309 and that my password were X.52341-hunao-8675309.Y. If I drop the 8675309, the password becomes X.52341-hunao-.Y. That is now accepted, though it is less secure!

If a would-be intruder knew where in the original password 8675309 appeared, and knew the length of the password, then the password would effectively be p₁p₂…p₁₄8675309p₂₂p₂₃, where each pᵢ were an unknown character, and the new password would be p₁p₂…p₁₄p₂₂p₂₃, so that the two passwords would be equally secure. (Either way, an intruder must find a sequence of sixteen unknown characters.) But, as it is, would-be intruders wouldn't be sure that the sub-string appeared, let alone where in the code it would appear, nor how long the password were. One could, in fact, conceptualize the sub-string 8675309 as if it were a single character of extraordinary length (a macro-character) and of great popularity, which character might appear within a string of equal or greater length, in which case prohibiting the sub-string would be rather like prohibiting the use of E.

That's not to say that common sub-strings should simply be accepted as passwords or within passwords. A great many systems have been hacked because someone foolishly used passwords such as password, root, or batman. But, instead of rejecting a password because it contained a popular sub-string, the software could, for example, test to see whether the password would be secure if the sub-string were excised, in which case it should be at least slightly more secure if the sub-string were retained.

(Note that this approach works with popular sub-strings of any length, including those of just one character! In fact, when there is no upper-limit on the length of passcodes, they may be securely constructed of nothing but popular sub-strings each of which has multiple characters; a secure password could be made by concatenating ten or more of the one hundred most popular passcodes. Mathematically, the problem of using just one popular passcode is fundamentally the same as that of using a short passcode!)
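As an added illustration of the two preceding paragraphs (example code, not code from the original entry nor from WordPress), the following Python models the macro-character idea: a popular sub-string counts as one token drawn from a list of assumed size, and every other character counts by the size of its character class. It then compares three policies on the post's own passwords: rejecting on mere presence of a sub-string, judging the residue after excision, and judging the whole string with popular tokens as macro-characters. The popular list, its assumed effective size of 100, the punctuation alphabet of 33, and the 60-bit threshold are all assumptions for the example.

```python
import math

# Constructed "popular passcode" list for the example (a real policy would load
# a breach-derived list; kept tiny so this runs offline).
POPULAR = ["password", "123456", "qwerty", "batman", "root",
           "letmein", "8675309", "admin", "dragon", "monkey"]
# Assumed size of the list an attacker would actually try: each popular token
# is treated as one "macro-character" with this many possible values.
POPULAR_LIST_SIZE = 100
MIN_BITS = 60  # assumed acceptance threshold, in bits of guess-work


def charset_size(ch):
    """Alphabet size of the class a single free character is drawn from."""
    if ch.isdigit():
        return 10
    if ch.islower():
        return 26
    if ch.isupper():
        return 26
    return 33  # printable ASCII punctuation and space (assumed)


def tokenize(password, popular=POPULAR):
    """Split into ('popular', s) macro-tokens and ('char', c) singles, longest match first."""
    by_len = sorted(popular, key=len, reverse=True)
    tokens, i = [], 0
    while i < len(password):
        for p in by_len:
            if password.startswith(p, i):
                tokens.append(("popular", p))
                i += len(p)
                break
        else:
            tokens.append(("char", password[i]))
            i += 1
    return tokens


def excise(password, popular=POPULAR):
    """The 'excised' password of the entry: popular sub-strings removed."""
    return "".join(v for k, v in tokenize(password, popular) if k == "char")


def guess_bits(password, popular=POPULAR, list_size=POPULAR_LIST_SIZE):
    """Conservative estimate of guess-work: assumes the attacker knows the token structure."""
    bits = 0.0
    for kind, val in tokenize(password, popular):
        bits += math.log2(list_size if kind == "popular" else charset_size(val))
    return bits


def naive_policy(password, popular=POPULAR):
    """The behaviour the entry complains of: reject on mere presence of a sub-string."""
    return not any(p in password for p in popular)


def residual_policy(password, min_bits=MIN_BITS, popular=POPULAR):
    """The entry's proposal: judge the excised residue; keeping the sub-string only adds work."""
    return guess_bits(excise(password, popular), popular) >= min_bits


def macro_policy(password, min_bits=MIN_BITS, popular=POPULAR):
    """Generalization: popular tokens count as macro-characters, so a long
    concatenation of popular passcodes can pass while a lone one cannot."""
    return guess_bits(password, popular) >= min_bits


if __name__ == "__main__":
    for pw in ["X.52341-hunao-8675309.Y", "X.52341-hunao-.Y", "password", "".join(POPULAR)]:
        print(f"{pw!r:62} bits={guess_bits(pw):5.1f} naive={naive_policy(pw)!s:5} "
              f"residual={residual_policy(pw)!s:5} macro={macro_policy(pw)}")
```

Run as written, the naive policy rejects X.52341-hunao-8675309.Y yet accepts the weaker X.52341-hunao-.Y, which is the inversion the entry describes; the residual policy accepts both (the residue already clears the threshold), and the macro-character policy additionally accepts the ten-passcode concatenation while rejecting a lone password. Two caveats for anyone adapting this: the estimate is only as good as the assumed list size (a lone popular passcode is worth log₂ of that size, nothing more), and it deliberately credits nothing for the attacker's uncertainty about where, or whether, a popular sub-string occurs.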

Sometimes, it's smart programming to write stupid programs, because the costs of designing, implementing, and maintaining more sophisticated software out-weigh the benefits. But, here, the WordPress programmers have opted for cheapness in a way that needlessly thwarts and insults some users, and can actually make systems less secure in those cases. (And the poor diagnostics are simply inexcusable.)

Username Administration[0]

Thursday, 24 March 2016

Those managing 'blogs are frequently told that the administrative account should not have a username of admin nor of administrator.[1] Indeed, 'bots attacking this 'blog try the username admin multiple times every day. None-the-less, I think that concern about easily guessed usernames is quite misplaced.

Ordinary access to an account requires two pieces of identification, the username and a passcode. We can conceptualize these jointly as a single string, the first part of which is practically fixed, the second part of which is changeable. For example, if one had the username admin and the passcode h3Ll0p0p3y3, then the string would be adminh3Ll0p0p3y3. Some might imagine that two strings represent two hoops and therefore more security; but, actually, each character is a hoop. If usernames and passcodes were equally secure, then the username-passcode pairs kelsey5 dO0DL3bug and kelsey 5dO0DL3bug would be perfectly equivalent as far as security were concerned. So we can imagine the two strings concatenated, so long as we remember that one set of its characters are unchangeable, while the others may be changed. In general, the form of the string can be conceptualized as u₁u₂…uₘp₁p₂…pₙ, where each uᵢ represents an unchangeable username character and each pⱼ represents a changeable passcode character.

Now, if we simply know that the administrative account username is admin, so that the string is adminp₁p₂…pₙ, unauthorized access is a matter of guessing the characters of the passcode, without knowing how many they might be. (How passcodes are stored may limit or effectively limit the length of passcodes, but this will typically not have much effect unless those limits are very tight.) On the other hand, if the administrative username is completely unknown, then the string is the apparently more mysterious u₁u₂…uₘp₁p₂…pₙ. That might seem significantly more secure. However, the number of characters in the passcode is unknown to the opponent, and u₁u₂…uₘ₋ₖp₁p₂…pₙ₊ₖ is more secure for all 0 < k ≤ m,[2] because usernames are unchangeable. (Were usernames as changeable as are passcodes, then the two would be equally secure.) And adminp₁p₂…pₙ₊ₘ is more secure than u₁u₂…uₘp₁p₂…pₙ.

So real security here is to be found in long and strong passcodes, for which secret usernames are poor substitutes, and one can easily compensate for a readily guessed username by having a stronger passcode.


[0 (2016:03/30, 04/09)] I've fleshed-out this entry a bit, in an attempt to make it more easily understood.

[1] See, for example, the entry for 23 March at the Wordfence 'blog.

[2] The case k = m represents a zero-length username, which really is to say no username at all. It would be quite possible to create a system with just passcodes and no distinct usernames — or, equivalently, a system with very changeable usernames and no passcodes — though this would present some practical difficulties.

Tearing off the Masks

Wednesday, 28 October 2015

I've read that Anonymous has found the names of about a thousand members of the Ku Klux Klan, and is preparing to release them.

I'm hoping that none of the 10 other people in this nation with the same first and last name as I are members, because it could be Hell for the rest of us. I'm also hoping that Anonymous doesn't add names of people whom it dislikes, especially as I might be amongst them.

A few years ago, I challenged their attack on Stratfor. Stratfor was a journalistic enterprise, focussing on issues of global politics (including military action) and security, and publishing both free content and content that required a paid subscription. Some at Anonymous were sure that Stratfor were, effectively, a criminal undertaking because

  • Stratfor communicated off-the-record with policy wonks and with state officials (as did and do almost every other major journalistic enterprise and many of the minor journalistic enterprises); and
  • Stratfor expressed opinions with which Anonymous vehemently disagreed.

So Anonymous stole e.mail, e.mail addresses, and credit-card information from the Stratfor servers. If one had so much as subscribed to a free newsletter from Stratfor, then one's e.mail address was made public, and one was subjected to hoax e.mail from Anonymous. Many who had simply paid for something from Stratfor had their credit card information used to make contributions to charitable organizations (each of which then had to spend resources on returning the stolen money, at a net loss).

The e.mail itself was given to WikiLeaks, which processed it with the help of other journalistic institutions. Some of these institutions shamelessly used the stolen information to their own advantage, though it didn't provide evidence of wrong-doing by Stratfor. Indeed, after almost four years, no evidence of criminal wrong-doing has ever been presented. Stratfor's greatest sin was gross incompetence in the field of security.

None of the major media outlets has drawn attention to the point that the supposed end that was to justify Anonymous's means was not met. They have been virtually silent about this attack on journalistic freedom. That's because, as I suggested in my entry of some years ago, these outlets are themselves afraid of being attacked by Anonymous.

Journalists are fond of seeing their profession as brave. Well, there truly are some brave journalists in this world, but they're in a minority, and the rest don't deserve to see themselves as heroes for keeping company with that minority.

Don't Bank on It

Saturday, 25 July 2015

This morning, I discovered that a number of attempts in 2012, in '13, and in '14 to breach the security of this 'blog came from an IP number assigned to the Federal Reserve Board (132.200.32.34).

No, I don't think that Ben Bernanke and Janet Yellen wanted to crack my site. Rather, I'm pretty sure that a Fed computer was itself cracked, and was operating as a 'bot, for years. 'Cause that's how our government rolls.

No News Is Bad News

Thursday, 16 February 2012

On 24 December, it was learned that the Stratfor computer site had been hacked; e.mail, e.mail addresses, and credit-card information were stolen. Initially, Anonymous couldn't agree within itself whether its members were responsible, but the deniers fell silent.

The credit-card information was used to make charitable donations, which subsequently had to be returned (at a net loss) by the charities. Those whose e.mail addresses were stolen had them publicly dumped (and thus made available to spammers), and were subjected to hoax mailings by Anonymous.

And we were told that the e.mail itself would be released, so that the world could see that Stratfor were really a malevolent force, which revelation would ostensibly justify the hacking.

After seven weeks, the e.mail that was supposed to expose the wickedness of Stratfor has not been released. There's more than one possible explanation. Perhaps the responsible members of Anonymous have obscure but compelling reasons to release the information all-at-once, and to organize it before doing so. Perhaps these members have been found and whisked-off to secret internment camps, along with anyone who might have reported their disappearances. Or perhaps the e.mail would reveal no more than that Stratfor communicates off-the-record with sources, some of whom could (reasonably or otherwise) be regarded as villains, and perhaps other members of Anonymous noted that almost any reporting and news-analysis service does the same thing, so that Anonymous would appear to subvert freedom of the press.

(I kinda favor that third explanation. Like many members of the Occupation Movement — who also like to claim the prerogatives but duck the responsibilities of association, and to wear Guy Fawkes masks and fantasize about being Vs — many members of Anonymous seem inclined to try to silence those whose views they find greatly disagreeable, but only so long as these members aren't made to recognize that they're engaged in censorship. [Up-Date (2012:02/27): It has now been announced that the e.mail is being released in coöperation with WikiLeaks.])

But, whatever may be the reason, the e.mail has not been released, and that failure or delay is itself a news story — which story you've not read in the Times (of London, of New York, or of Los Angeles) nor heard from the major broadcasters. Possibly that's because they're such lack-wits that it hasn't occurred to any of them that there's a story here. I rather suspect, however, that it's because they're scared. A group such as Anonymous could take-down pretty much any of these news services just as they did Stratfor.

Monkey Dancers

Tuesday, 25 October 2011

[This post was delayed from yester-day, as my hosting service had a technical failure, and it took me rather a long time to persuade them of such.]

I read

This past week it was reported that the hacktivist collective known as Anonymous claimed credit for taking offline over 40 websites used for sharing pedophilia — and for exposing the names and identifying information of more than 1500 alleged pedophiles that had been using the sites.
But the actual list is of user aliases, not of personal names.

Not only are pædophiles not being exposed here, but non-pædophiles who've had the misfortune of pædophiles' using the same aliases (by chance or from malice) are going to come under suspicion by those who think that they recognize them on this list.

Further, if agents of law enforcement were themselves working to track-down the actual legal identities of the pædophiles, their investigation has now been severely compromised, possibly fatally so.

Once again, Anonymous has done less good than it has led the gullible to believe, and has caused more damage than it has acknowledged.