Roger at InfoWorld has been running a password-cracking contest for some time now and just recently received the first correct cracks of his first password: a 10-character password with normal complexity. The other two, which have yet to be cracked, are a 15-character password with no complexity (lowercase, one or more English words) and a 15-character (or longer) password with minor complexity containing one or more English words. This doesn't mean that a short and complex password is easier to crack than a longer one with no complexity, though. The problem is that what we perceive as complex (meeting the requirements) is not really so. Here's why:
First, if you require an eight-character-minimum password, most
users will choose an eight-character password. If you require a
capital letter, they will put it at the beginning because we are
trained in writing class to do that. If you require a number, most
users will put the number at the end, and the number will be 1 or 2.
Even though users have 94 characters to choose from on the keyboard,
80 percent of passwords will contain the same 32 characters and
symbols.
In conclusion, longer passwords are better than shorter ones...
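To put numbers on the habits quoted above, here is an added example (mine, not from the InfoWorld contest) that compares the search space a policy appears to offer with the search space left once users follow the quoted habits: a capital letter first, the middle drawn from the 32 characters that cover 80 percent of passwords, and a trailing 1 or 2. The 15-character "no complexity" password is modelled as uniformly random lowercase letters, which overstates its strength compared with a string of English words; the dictionary-based figure depends on the word list, which the post does not give, so it is left out.

```python
import math

# Constructed model of the habits quoted above; the constants below are
# assumptions drawn from that quote, not measurements of any real data set.
KEYBOARD_CHARS = 94    # printable characters the user could have chosen from
COMMON_CHARS = 32      # "80 percent of passwords will contain the same 32 characters"
UPPERCASE = 26         # the capital letter that goes at the front
LOWERCASE = 26
POPULAR_DIGITS = 2     # the trailing digit "will be 1 or 2"


def entropy_bits(choices_per_position):
    """Bits of entropy when each position is chosen independently and uniformly."""
    return sum(math.log2(n) for n in choices_per_position)


def nominal_bits(length, alphabet=KEYBOARD_CHARS):
    """What the policy seems to offer: every position uniformly random over the keyboard."""
    return entropy_bits([alphabet] * length)


def habit_bits(length):
    """A 'complex' password built the way the quote says users build them:
    capital first, common characters in the middle, a 1 or 2 at the end."""
    if length < 3:
        raise ValueError("the pattern needs at least three positions")
    middle = [COMMON_CHARS] * (length - 2)
    return entropy_bits([UPPERCASE] + middle + [POPULAR_DIGITS])


def lowercase_bits(length):
    """A long password with 'no complexity', modelled as random lowercase letters
    (an upper bound: real English words carry fewer bits per character)."""
    return entropy_bits([LOWERCASE] * length)


def search_space_ratio(bits_a, bits_b):
    """How many times larger a search space of bits_a is than one of bits_b."""
    return 2 ** (bits_a - bits_b)


def compare(short_complex_len=8, long_simple_len=15):
    """Nominal vs. habit-constrained entropy of the short policy password,
    next to a long all-lowercase one."""
    return {
        "nominal_short": nominal_bits(short_complex_len),
        "habit_short": habit_bits(short_complex_len),
        "lowercase_long": lowercase_bits(long_simple_len),
    }


if __name__ == "__main__":
    result = compare()
    for name, bits in result.items():
        print(f"{name:>15}: {bits:6.1f} bits")
    ratio = search_space_ratio(result["lowercase_long"], result["habit_short"])
    print(f"15 lowercase letters vs. habitual 8-character password: {ratio:.2e}x larger")
```

The interesting figure is not the 94-character nominal space (about 52 bits for eight characters) but the habit-constrained one (under 36 bits), which is what an attacker who knows the habits actually has to search; the fifteen lowercase letters sit well above both.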
Posted by Marcin on Friday, November 10, 2006 in Security.
A new version of Gaim has been released, 2.0.0beta5. I cannot find release notes on this version, but I am going to try it out now. We'll see if they have fixed the URL translation bug when using the Jabber protocol.
Posted by Marcin on Friday, November 10, 2006 in Tech.
NIST has released SP800-100, Information Security Handbook: A Guide for Managers. I'm sure it'd benefit everyone in the security community, since you either are or one day will be a manager (or at least help managers make more informed decisions). Here's a quick rundown of the sections it covers:
- Introduction
- Information Security Governance
- System Development Life Cycle
- Awareness and Training
- Capital Planning and Investment Control
- Interconnecting Systems
- Performance Measures
- Security Planning
- Information Technology Contingency Planning
- Risk Management
- Certification, Accreditation, and Security Assessments
- Security Services and Products Acquisition
- Incident Response
- Configuration Management
Posted by Marcin on Friday, November 10, 2006 in Security.
Information Week is reporting a story involving a family of five who await a hearing on charges of conspiring to export U.S. defense information to China.
Chi Mak, 66, of Downey, Calif., was an engineer with Power Paragon,
a Navy contractor. He allegedly collected technical information
about U.S. warship technologies, and then he and his wife, Rebecca
Laiwah Chiu, copied it onto CD-ROMs. According to the U.S.
Department of Justice, another family member then allegedly
encrypted the defense data in preparation for a "surreptitious
delivery" to the People's Republic of China.
A report from the DOJ contends that Chi Mak received "task lists"
that requested specific defense-related information, including
information on Naval research into nuclear-powered submarines.
The sad fact is there are many, many more incidents like this happening
that go unnoticed.
Posted by Marcin on Monday, November 6, 2006 in Defense and Intelligence.
The U.S. intelligence community recently unveiled Intellipedia, a top-secret wiki available to sixteen agencies so they can share information and resources better. You can catch more on the story at GCN, Infowars, and a blog dedicated to Intellipedia!
My concern is that information that was once compartmentalized, with access limited to those with a need to know, now amounts to 28,000 pages available to over 3,600 registered users. Three points need to be met before you are given access to classified information:
- Clearance (do you have the correct level of clearance?)
- Access (have you been given access to this information?)
- Need to know (and finally, do you need to know this information to do
your job?)
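The three points read like a reference monitor, so here is an added example (my own illustration, not anything Intellipedia runs) that encodes them as a check and, beside it, the weaker check a flat wiki effectively performs when it keys access on clearance alone. The classification levels are the real U.S. ones; the compartment names, roles and documents are constructed for the example.

```python
from dataclasses import dataclass

# Ordering of U.S. classification levels: higher number dominates lower.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Document:
    level: str
    compartments: frozenset   # programs a reader must have been granted access to
    need_to_know: frozenset   # job roles that actually require this document


@dataclass(frozen=True)
class User:
    clearance: str
    accesses: frozenset       # compartments the user has been read into
    role: str


def missing_requirements(user, doc):
    """Return the names of the three requirements the user fails; empty means grant."""
    failed = []
    if LEVELS[user.clearance] < LEVELS[doc.level]:
        failed.append("clearance")
    if not doc.compartments <= user.accesses:
        failed.append("access")
    if user.role not in doc.need_to_know:
        failed.append("need to know")
    return failed


def may_read(user, doc):
    """The compartmentalized rule: all three points must be met."""
    return not missing_requirements(user, doc)


def wiki_may_read(user, doc):
    """A flat wiki that only asks 'are you cleared to this level?' (assumed model)."""
    return LEVELS[user.clearance] >= LEVELS[doc.level]


# Constructed sample: a top-secret-cleared analyst read into PROGRAM-A only.
ANALYST = User("TOP SECRET", frozenset({"PROGRAM-A"}), "naval-analyst")

# Constructed sample documents.
IN_SCOPE = Document("TOP SECRET", frozenset({"PROGRAM-A"}), frozenset({"naval-analyst"}))
OTHER_PROGRAM = Document("TOP SECRET", frozenset({"PROGRAM-B"}), frozenset({"naval-analyst"}))
OTHER_JOB = Document("SECRET", frozenset(), frozenset({"budget-officer"}))


def audit(user, docs):
    """For each document, show where the two rules disagree."""
    return {
        name: {"compartmentalized": may_read(user, d), "flat_wiki": wiki_may_read(user, d)}
        for name, d in docs.items()
    }


if __name__ == "__main__":
    docs = {"in_scope": IN_SCOPE, "other_program": OTHER_PROGRAM, "other_job": OTHER_JOB}
    for name, verdicts in audit(ANALYST, docs).items():
        print(name, verdicts, missing_requirements(ANALYST, docs[name]))
```

Only the first document passes all three points; the other two are readable under the clearance-only rule, which is exactly the gap between "cleared" and "need to know" that worries me.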
On the other hand, making information this "available" could help improve the accuracy and timeliness of reports now that the information has more eyes reviewing it. It definitely is a compromise between keeping information confidential and having it available.
Hopefully this system will help our intelligence community make better,
more informed decisions with regards to our national security.
Posted by Marcin on Thursday, November 2, 2006 in Intelligence and Security.