58 Comments
- sTiVo, on 10/12/2007, -0/+4"I think Steve Gibson is best described as an opportunist. He latches on the problem du jour and presents himself as an expert. I put him in the category "Informed enough to be occasionally dangerous and somewhat correct" where he keeps good company with Leo Laporte."
This is just ignorant. I don't consider myself a Steve Gibson proponent, but he's been doing cutting edge stuff longer than Leo has been on TV/Radio. He identified something that people were interested in and created a little utility to generate the key. It's not like he's selling it. Let's keep it real.
- AggieTales, on 10/12/2007, -0/+3If anyone actually listened to the podcast of episode 14 of SecurityNow, they'd see that Leo explained for all you nit-pickers that when they say unbreakable they mean "unbreakable" meaning that it's so complex and difficult to do that it would take almost "the lifetime of the universe" (Leo's own words) to crack.
- tomi, on 10/12/2007, -0/+3Imagine entering one of the ASCII strings on your PSP. Torture. >_
- elfguy, on 10/12/2007, -0/+2It's not a password meant to be used as one. It's a WPA pass phrase, something you enter once in all your devices. WPA is indeed unbreakable to this day, as long as you have a completely random pass phrase.
As for the strength of those pass phrases, it all depends on what he used to generate them. But of course you could easily take one and change a couple of chars here and there to be sure.
- st71398, on 10/12/2007, -0/+2Steve Gibson has an interesting, but basic web tool here. I guess we are getting hung up on words like "unbreakable".
WPA is more secure than WEP, although I am sure theoretically it can be broken given enough time & resource (especially if you use the RC4 version, as I do).
I guess that Steve is suggesting that to get the most security on WPA, you should use the full 63 characters available for the password. I just use a simple pass phrase, which I know is open to dictionary attack; it has the advantage of being easy for me to remember, and is still more than good enough to stop my neighbors accidentally using my router.
If you use one of Steve's jumble of characters (yes I know that they are unlikely to be truly random), you are not open to dictionary attack, and are using the maximum length of password. Both of which theoretically increase your wireless security.
As you only have to enter this password once (when you set up WPA for the first time), just copy one of his passwords, save it in notepad, and copy and paste it into the wireless set-up. Then save the notepad file on a USB stick, for when your mates come round and want to use your network.
So thanks Steve for doing this, it has stimulated debate, and if it has made people think a little about using appropriate security, then it is a good thing.
- skippy1979, on 10/12/2007, -0/+2I also use http://passnerd.com
- daball99, on 10/12/2007, -0/+2I'd like some other security experts to come to Steve's defense. Steve Gibson is a security expert. To say he doesn't know what he's talking about says more about your lack of knowledge than his.
- G4techTV, on 10/12/2007, -0/+2It wouldn't let me link to any of the following links:
http://grc.com/passwords
http://grc.com/pass
https://grc.com/passwords
https://grc.com/pass
...
- maloney_633, on 11/13/2007, -1/+2People who criticize Steve don't know what they are talking about. The fact is that he is regarded as an expert in his field. I know no one who knows more about security than Steve.
- lickmygiggle, on 10/12/2007, -0/+1mailrepository-
It's not misleading at all. That's the point of putting "unbreakable" in quotation marks.
- mattclare, on 10/12/2007, -0/+1This can also be done via Passnerd.com
- Presentlight, on 10/12/2007, -1/+2Listen to "Security Now". I think that this might be the unbreakable password type that Steve Gibson spoke of. Furthermore, Steve Gibson knows what he is talking about. If he makes the bold statement "unbreakable" I believe him. Unbreakable by everyone but God.
- ThePict, on 10/12/2007, -0/+1No password is unbreakable.
Throwing around phrases like 'entropic heat death of the universe' is meaningless, because it doesn't take into consideration future technological advancements. In ten to twenty five years, quantum computers will eat modern encryption like candy and go on to discover billion + digit prime numbers for an encore.
Final word on Steve Gibson: Yes, he's a tool, but a good tool. As in a good tool to have in your toolbox. One of many you should have. He's a good starting point, but should not be allowed to have the final word. Most of what he says is true, or at least pointing to truth. Trust but verify. I use Steve Gibson the same way I use my RSS feeder - he brings things to my attention, but if you really need to make first post, go to the source.
Furthermore, he brings things to the attention of the not-so-technically elite, which, face it, cannot be a bad thing.
- dbr_onix, on 10/12/2007, -0/+0Sure, it's not completely unbreakable, but do you really think anyone cares about your AP enough to break it? Sure, with WEP someone might get bored and try, but even that's stupidly unlikely.. Why bother when you could walk another 2 minutes and find a load of open APs..?
Also, using horribly huge long passwords is totally useless if you leave it lying about on a bit of paper.. But for WAPs, that's not really a problem
And as for the "OMG it's not totally random!11!1", do you really think that matters for something like this?! It.. doesn't..
"just download roboform free version. it includes their password generator. how does a 512 character random password grab you?"
Useless really (For this purpose anyway), WPA passwords are limited to ~64 characters :P
- Ben
- wookiekiller, on 10/12/2007, -0/+0Looks like some serious passwords
- jorgevargas, on 10/12/2007, -0/+0>"...and it is marked as having expired back in 1999... will not be cached >or be visible to anyone else."
>So, can't I just set my system clock to 1998 to workaround this?
If you want Google to cache your password, then go ahead....
- doxtorray, on 10/12/2007, -0/+0The thing I like about the GRC generator is that it gives alpha-numeric as well as all-character passphrases. Restricting to alpha-numeric is not as safe, but some websites, such as my bank's site, require it.
- toliman, on 10/12/2007, -1/+1well, its been said before, and i'll say it again, steve gibson is an opportunistic fool who promotes himself as a security expert by proxy of all those other useful people who actually do the serious work. his efforts are wholly unoriginal and derivative, and he doesn't have the decency to quote or promote the original sources over his own efforts. he is not alone in this regard, but he is the only person i know who can shamelessly take an idea, sell it and promote it as his own, and still be called upon as an authority. he just leeches genius and innovation from people who don't want the attention, then sells it to others for profit.
still, this program depends on just how you want to think about the problem. from a rational perspective, random seeded encrypted keys are fabulously complicated, and prove difficult to brute-force for a human mind, since we're obsessively pattern oriented creatures. long, obsessively complicated, non-memorable phrases like public keys and WPA keys are fantastic and look strong to the untrained eye. which is you.
for a brilliant mathematician or codebreaker, patterns exist in the miotic chaos of encrypted data that reduce the possibilities. the two major halves of decryption are breaking the solution's complexity by attacking the weak points in the math, i.e. human intervention, and the other half comes from patterns that form in the resulting public/private keys, salts, hashes, and ciphertext.
the reality is that 'pseudorandom' sequences as a seed for public key encryption are fine, it simply reduces the time needed, in terms of the possible number of universes that need to die of entropic heat death before a solution is found. the danger is in having predictable pseudorandom sequences, since it can be used to pare down the resulting possibilities.
half of the programs used in semi-serious encryption, i.e. SSL, use the system clock which leads to a reduced range of possible seed values. to counter this problem, time is used to make the problem harder. to break SSL or kerberos transactions, a handshake is required to begin the transaction, but only after limiting the time for the transaction, like enabling a keypad for 20 seconds so you can enter a password before the keypad is disabled and the sequence of buttons re-arranged. the rest of the transaction is encoded by using that agreed upon key, and then completed by both parties.
the process of encryption & decryption will continue to work for some time, until a computer can be made to reduce the mathematical effort to seconds of processing effort, nullifying nearly all current encryption methods
- n3r0, on 10/12/2007, -1/+1by definition something that is truly random can and will repeat
- dopmwd, on 10/12/2007, -0/+0This is handy, my login/pw at work is getting ready to expire... :)
- adam, on 10/12/2007, -0/+0This one is nice too.. http://www.kurtm.net/wpa-pskgen/
- sublime, on 10/12/2007, -0/+0I bet a million dollars that even those keys will be breakable within a couple years.
- deut, on 10/12/2007, -2/+2>Steve Gibson is a tool, always has been.
>Is it possible to anti-digg something?
Actually that is an excellent idea matt. Kevin should have two buttons for the story. "Digg" of course and "Shun". Shun would subtract one vote from the digg-o-meter. It would be instantly visual and better than that combo box that's used at the moment.
- angelwspr, on 10/12/2007, -0/+0unbreakable unless you're nsa... fem dom.
- nevin, on 10/12/2007, -1/+1pretty cool.
yeah, unbreakable is an overstatement.
- quanta, on 10/12/2007, -0/+0You want Random? Then you need HotBits-
Genuine random numbers, generated by radioactive decay
http://www.fourmilab.ch/hotbits
The only way to go!!!
- trogdoor, on 10/12/2007, -0/+0If you have a Mac this type of feature is built into System Preferences with more options, and personally I think I could program something just as secure even if it isn't as random (please correct me if I am wrong and someone really could more easily crack a password made using java.util.Random to generate random chars)
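Tying together the WPA-PSK points raised in this thread (the 63-character passphrase limit, the "is it really random" argument, and trogdoor's java.util.Random question just above), here is an added Python example that is not from any poster, from GRC or from any of the linked generators: it builds a spec-valid passphrase from the OS CSPRNG, sizes its keyspace, derives the 256-bit PMK the way IEEE 802.11i does (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), checks the standard's published test vector, and shows why a seeded non-cryptographic PRNG is the wrong tool. The SSID "example-ssid" is a constructed value.

```python
import hashlib
import math
import random
import secrets

# WPA/WPA2-PSK passphrase alphabet per IEEE 802.11i: 8 to 63 printable ASCII
# characters (0x20..0x7E). A 64-hex-digit string is instead the raw 256-bit PSK.
WPA_ALPHABET = "".join(chr(c) for c in range(0x20, 0x7F))
WPA_MIN_LEN, WPA_MAX_LEN = 8, 63

def generate_passphrase(length: int = WPA_MAX_LEN) -> str:
    """Draw every character from the OS CSPRNG (secrets), never a seeded PRNG."""
    if not WPA_MIN_LEN <= length <= WPA_MAX_LEN:
        raise ValueError("WPA passphrases must be 8..63 characters")
    return "".join(secrets.choice(WPA_ALPHABET) for _ in range(length))

def is_valid_passphrase(passphrase: str) -> bool:
    return (WPA_MIN_LEN <= len(passphrase) <= WPA_MAX_LEN
            and all(c in WPA_ALPHABET for c in passphrase))

def entropy_bits(length: int, alphabet_size: int = len(WPA_ALPHABET)) -> float:
    """Keyspace of a uniformly random passphrase of this length, in bits."""
    return length * math.log2(alphabet_size)

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    Deterministic, which is why a guessable passphrase is open to dictionary attack."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("invalid WPA passphrase")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def check_known_vector() -> bool:
    """IEEE 802.11i test vector: passphrase 'password', SSID 'IEEE'."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return wpa_psk("password", "IEEE").hex() == expected

def seeded_passphrase(seed: int, length: int = WPA_MAX_LEN) -> str:
    """Counter-example: a seeded, non-cryptographic PRNG (a clock-seeded
    java.util.Random behaves the same way) is fully determined by its seed,
    so anyone who can guess the seed regenerates the identical passphrase."""
    rng = random.Random(seed)
    return "".join(rng.choice(WPA_ALPHABET) for _ in range(length))

if __name__ == "__main__":
    p = generate_passphrase()
    print(f"{len(p)}-char passphrase, ~{entropy_bits(len(p)):.0f} bits: {p}")
    print("PMK for constructed SSID 'example-ssid':", wpa_psk(p, "example-ssid").hex())
    print("IEEE test vector matches:", check_known_vector())
    print("seeded PRNG repeats itself:", seeded_passphrase(42) == seeded_passphrase(42))
```

A 63-character passphrase drawn uniformly from the 95-symbol alphabet gives roughly 414 bits of keyspace, far beyond the 256-bit PMK it is stretched into, so the practical weak point is the randomness of the generator, not the length.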
- Presentlight, on 10/12/2007, -0/+0I always find these websites that try to debunk people interesting. They usually latch on to a few key phrases that a person said at some point in their life and ride them to the grave. GRC sucks is as much propaganda as they accuse Mr. Gibson of being. Regardless of his expertise, that is whether it is "expert" or not, all ought to applaud him for bringing security flaws to the tech mainstream.
- ptknight, on 10/12/2007, -0/+0Could be handy. Nice to know it exists
- sailor, on 10/12/2007, -0/+0Steve Gibson is an expert in his field. I find no reason to believe the rantings of a few posters who think he is a "tool".
You could do much worse than trusting Mr. Gibson, much much worse.
He predicted the problems with Windows XP long before it was released; he contacted MS and was ignored. I didn't hear anyone else bringing it up...if you have examples of his borrowing resources let's hear them...waiting...
- meshgiath, on 11/13/2007, -4/+3Steve Gibson... he reminds me of a slightly introverted IT version of Billy Mays (the OxiClean guy).
My only problem with him is that I can't believe a thing that comes out of his mouth - he tries to take credit for too many things that aren't his to claim. All he does is go to shows like TWiT or other podcasts and throw buzzwords that he claimed to invent and point out obvious things like "a virus is only a virus if it replicates itself" in an attempt to look educated. Thanks Steve. YOU, sir, are a genius. By genius I mean annoyance.
- sekyuritei, on 10/12/2007, -1/+0@vinniepaz - good link - I had no idea about that grcsucks.com. You can see links every time he gets shot down... nice...
- Quickstrike, on 10/12/2007, -2/+1How can you guys use passnerd and other alternatives? They are held in your pc's cache and don't have a proxy-proof high-security SSL connection!!
GOD! Major security risk right there. ;)
- matx, on 10/12/2007, -1/+0Not bad, would be useful for network admins.
However, not many people in the real world want to use a password that long.
- surfing, on 11/13/2007, -1/+0"...and it is marked as having expired back in 1999... will not be cached or be visible to anyone else."
So, can't I just set my system clock to 1998 to work around this?
- Chasuk, on 10/12/2007, -2/+1To translate meshgiath's statement:
"I dislike Steve Gibson because it is currently trendy to do so, for the same reason that many lemmings dislike PayPal and Google. I know far less about virtually everything than Steve stores in just four of his brain cells, but it is SOOO fun to criticize!"
- Chasuk, on 10/12/2007, -1/+0jasqwerty:
I don't _care_ who fyodor is; unsubstantiated rhetoric cannot be defended, and that was all that was provided in that quote. Steve Gibson is admittedly a bit too smug, but that doesn't address his indisputable talents or capabilities.
Spinrite is a beautiful piece of work, and written in assembly, no less. ShieldsUp and LeakTest are both useful tools. Steve wrote the very first anti-spyware program, for chrissake!
Self-aggrandizement may be annoying, and of this Steve is definitely guilty, but to criticize him for anything else is just penis envy.
The obsessive at grcsucks.com needs to get a life.
- jbchrist, on 10/12/2007, -2/+1Steve Gibson is not considered a security expert among the security professionals.
Read the true story behind Steve Gibson
http://www.grcsucks.com
- znxster, on 10/12/2007, -1/+0Nothing is "unbreakable".. but ok.. I'd like to see the source myself
- Philip_McClure, on 10/12/2007, -3/+2http://www.grcsucks.com/
--quote--
Steve Gibson often is referred to as being a "Security Expert", yet one has to see his appearances on *real* security boards/interviews/gatherings. Where was Steve Gibson at the Defcon/BlackHat Conference? Why doesn't he comment on Bugtraq or other Security Focus mailing lists?
The answer is quite simple: he would get nailed down by arguments and facts from real security experts in less than a minute. These persons tend not to be very impressed by self-proclaimed Security Experts and his obfuscation of the real issues and intentions.
As you can read on his resume page, Gibson worked for years as a marketer ("Gibson founded a proprietorship specializing in media advertising and public relations"), and that's what he is really good at.
Citing Patricia McNeill: "Gibson is masterful at stirring up an emotional response in the people who come to his site, and then manipulating these people into believing exactly what he wants them to. The tragedy is that these people come to him looking for facts and information, and come away thinking that they have found some! Gibson tries to present himself as a selfless source of public information, yet his entire site is full of emotional manipulation, misinformation, and misdirection. This man is nothing more than a self-promoting braggart."
--end quote--
- dragoonz, on 10/12/2007, -1/+0"Truly random? Prove it Gibson. Post the source."
Obviously it's not truly random, as it's computer generated.
Smartass.
- inactive, on 10/12/2007, -1/+0http://tinyurl.co.uk/nvk7
- mattt, on 10/12/2007, -2/+1Steve Gibson is a tool, always has been.
Is it possible to anti-digg something?
- sekyuritei, on 11/13/2007, -3/+1My guess is that you couldn't post the links because they blocked his domains. Steve steals all his "ideas" from http://seclists.org/nmap-hackers/2001/Apr-Jun/0010.html
Steve Gibson is a media slut and should be treated as such. If you look at how he writes up things on his own web site, you can see they're made to look just like how they might in print. In my surveying of what he's done, he's done...well...nothing very exciting. His "nanoprobes" were really lame (a different spin on what nmap does) and if people would just start ignoring him, we'd be much better off.
[ Moderator note: I agree 100% with Darren & Andy. Gibson is a charlatan whose "research" is written for clueless media reporters (for press attention) and the teeming masses of internet newbies (to whom he sells various products). His "findings" are not new, are always filled with massive hyperbole, and are frequently completely false. Instead of presenting evidence to prove his points, he tends to just state them using goofy blue or green fonts as if that somehow adds credibility. We recommend avoiding this guy! -Fyodor ]
- anastrophe, on 10/12/2007, -2/+0just download roboform free version. it includes their password generator. how does a 512 character random password grab you?
RupMTFmO@&vRWZjyO&JePsCk!aNMa^#ymCzaHnKZNomikhd^Uq!hi*zhPcDT!Z*w%#DV^FS!tP#N#@cp$%LdNOrQciIbEJjNyDKTLYbRLvUOixmBQGFkgtFq%n#dmitOLJXEBWhOB*FXhu&OxI%BexREPMNEzFZPAbQDNwWj^EsMaKW#Jhhktvj@LMWmnLa^boyhFQilcwvPCcfmy*VG&iAH#mKCakViUzHclRg#ThbA*jTdgKQFOk%!&LoKQb&HdnqkACEksyW!w^VIgRCy$oZxFGevjclDsZlcnbBsh*fYwk*fT!dNjLTSVPfI!EIsxdXiANQ@nDc$mYWGO!AVF^gyihP!ajqwH%*VHfgFTjyzRkCdnhH%ldn#XMWK&IM@#JcrZTPVnXWIKLKWwZeJyI@EamtsjnIpWwJKtTatqjCPG*nbxQAtuCJ$LmXyxwr#nyYpVCzYbi!NSh&bvNkA@F*EEMaOkFtSrcxw!uyZsAIhZRQImkbqC&jKWoMOOsro - snlildude87, on 10/12/2007, -2/+0*bookmarked
- http://nerdnirvana.org/
- inactive, on 10/12/2007, -2/+0"there is never a password that can't be broken"
-a true hacker
- _jd_, on 11/13/2007, -3/+1I think Steve Gibson is best described as an opportunist. He latches on the problem du jour and presents himself as an expert. I put him in the category "Informed enough to be occasionally dangerous and somewhat correct" where he keeps good company with Leo Laporte.