Bitcoin Forum
161  Other / Meta / Re: A public service announcement on: September 12, 2011, 08:05:47 PM
is this by chance what keepass uses to make breaking your password DB more difficult?
162  Bitcoin / Bitcoin Discussion / Re: High-resolution images of physical bitcoins on: September 12, 2011, 03:22:41 AM
i'd like to ask what is the hologram made of, as in materials. i ask this because i may have figured a way to see the key behind it without opening it, xray, air pressure and infrared light could possibly be used. they are also one time expenses, therefore you could pretty much mess up the whole system for the same price as doing just 1 coin.
163  Other / Meta / Re: Info about the recent attack on: September 12, 2011, 03:04:31 AM
Wait, my head exploded when I read this line:
SMF hashes passwords with SHA-1 and salts the hash with your (lowercase) username. This is unfortunately not an incredibly secure way of hashing passwords.

F... fucking... REALLY?! No, no, not what it's saying, but... that you're actually SAYING THIS? It's like, let's see here, some clown sneaks onto a military base and puts on some kind of demonstration in middle of a road there. Ouch, that's embarrassing. But in the official response, they say...
"Well, we only have one guard stationed at the gate between 4am and 8am, and the rest of the time there are 2 guards except during their lunch break at 12pm and 1pm. And one of them really likes F-16s and is easily distracted by the launches."

WHAT THE FUCK KIND OF SECURITY RESPONSE IS THAT?! What user needs to know those intricate details?

Harm versus Benefit analysis. Assume, for example, that the script kiddie(s) responsible for the hack weren't thinking of stealing any passwords. They just wanted to make some lulz. In the process, they got the passing idea to back up the database. They came, they lul'd, they left, watching the aftermath (server shut down for what, almost 2 days?). Now they come along and see that post, and say "OH WOW! I DIDN'T EVEN THINK TO CHECK THE PASSWORDS, LOL, BUT THIS MORON JUST GAVE US THE KINGDOM FOR FREE!". No Googling necessary... in fact, it PROMOTES the idea of curiously trying this theory on their backup database they stole for the lulz. Sure enough, it reveals some admin password, "penis" (which would TYPICALLY be too short to use, but with this lack of security... who knows!). O LOL WOW, IT WORKS, LETS CRACK ALL THESE PASSWORDS WITH OUR MINING GPUs

Srsly?

what you're saying is stupid on all kinds of levels. any and all information should be shared in any and all forms of communications. you trying to hide information that others could use to increase security elsewhere might not make it to where it needs to be, all because you thought you were helping.
164  Bitcoin / Development & Technical Discussion / Re: Pywallet: manage your wallets/addresses/keys/tx's on: September 12, 2011, 02:54:05 AM
How do I know if my wallet is corrupted? It's a stupid question, but I'd rather be on the safe side before I start sending out my vanity-addresses to people.

valid question, if you know how to run a brand new windows install or linux live cd or something, send a test amount of coins to a made address.

then on the brand new OS run bitcoin and let all blocks download. then disconnect the internet and never reconnect it after this point

now import the keys into the wallet with pywallet and slap it in the bitcoin client. now run the bitcoin client with the -rescan parameter. if you see the coins, you're set, if not something messed up. if you ran the whole thing with a live cd you just turn the computer off and you're good, if you installed an OS, use DBAN to wipe it out.
165  Bitcoin / Bitcoin Discussion / Re: STOP STORING YOUR BITCOINS ON ANONYMOUS WEB! on: September 12, 2011, 01:54:59 AM
+9001

never have and never will trust a 3rd party to have claim over any of "my" coins. it's just stupid.
166  Bitcoin / Bitcoin Discussion / Re: Is Bitcoin still a Bubble? on: September 12, 2011, 01:53:30 AM
lawl? that $30 thing was not a bubble? if that was not a bubble then i don't know what is
167  Bitcoin / Bitcoin Discussion / Re: High-resolution images of physical bitcoins on: September 12, 2011, 12:48:59 AM
Anyway, I think I shall buy some eventually - I can't resist a good shiny novelty trinket. But let's just say I have no unrealistic expectations of them actually functioning as advertised, the omens are not good. Anyone holding a significant quantity of bitcoins in these before they are thoroughly proved could get burnt.

I will give you five for free if you break them open and redeem them on video and post your experience on YouTube.

You still have to buy them and provide the BTC, but I will refund you the premium you paid to acquire the coins plus your shipping cost.  You of course will get back your BTC by redeeming them.

You don't even have to tell me who you are - I won't know which order is you - which essentially means that unless you identify yourself, the first person who does this will get it.  And if you do, you'll have 5 worthless coins that still function as shiny novelty trinkets.

If you want "five for free" to be good ones, then buy ten.  Break open any five of your choice, post on YouTube, and I'll refund the premium on all ten.

sounds fair, although depending on volume, it could be easy to tell.
168  Bitcoin / Bitcoin Discussion / Re: Full Blown MtGox Audit - Get Ready To participate. Starting Sept 25th on: September 12, 2011, 12:41:31 AM
what's wrong with this idea? i think it's a good idea, mtgox should not be doing FRB, but i think 2 weeks is a bit much, maybe 3 days?
169  Bitcoin / Bitcoin Discussion / cowboy bebop currency IS bitcoin on: September 12, 2011, 12:35:06 AM
i finally realized what the cowboy bebop currency is, it's bitcoins, or as they call it woolongs. they are able to transfer coins from one person to another through the use of handheld devices. i always wondered how they did it without being able to dupe money.

just thought i would throw that out there for any other otaku (おたく / オタク)

http://cowboybebop.wikia.com/wiki/Woolong
170  Economy / Marketplace / Re: Is my money safe at Mt. Gox on: September 12, 2011, 12:27:07 AM
YKs only help protect you against people trying to guess your password and some types of exporting the pw hash DB. otherwise, if it's an inside job or a hack, depending on how it's set up, you could and probably will lose all your coins.

edit: i would like to add, this is not only YK's, but any and all other security tokens. also includes sms and other types of devices.
171  Other / Off-topic / Re: The Ultimate 9-11 Truth - Watch this! - You Won't Believe Your Eyes Anymore on: September 11, 2011, 10:14:14 PM
i think you guys need to answer one question before you start making anymore theories, WHY WOULD THEY WANT TO SLAM PLANES INTO SOME BUILDINGS?

edit: or make it look like some planes did hit some buildings.
172  Other / Meta / Re: Info about the recent attack on: September 11, 2011, 05:41:17 PM
couple of quick questions. you did contact the authorities correct? nothing about this hack was a joke and or funny in my opinion. why were extremely old admin accounts still active? shouldn't those have an expired setting and or be deleted? manually you should have removed admin privileges after a certain amount of time.

hardly mattered, from what i can gather from the situation, anyone could have been the first target that then got root access.

I thought they used the satoshi admin to get root?

i don't know how exactly they have the accounts set up, but they could have gained access to any of the root account, from what is in the post.
173  Other / Meta / Re: Info about the recent attack on: September 11, 2011, 05:26:00 PM
couple of quick questions. you did contact the authorities correct? nothing about this hack was a joke and or funny in my opinion. why were extremely old admin accounts still active? shouldn't those have an expired setting and or be deleted? manually you should have removed admin privileges after a certain amount of time.

hardly mattered, from what i can gather from the situation, anyone could have been the first target that then got root access.
174  Other / Meta / Re: Info about the recent attack on: September 11, 2011, 05:00:51 PM
I'd like to see vBulletin used as well. I've read that it takes lower cpu load than most php free boards and it has some features I think would be nice here. Ubuntu forums and many other busy forums run on it. I know it costs some money but not that much.

Edit: I don't know if there is an import tool for vB. I'd hope so because losing past posts and all the info held in them is not really an option.
vBulletin uses more resources than SMF (in fact, vBulletin is one of the worst at resource usage), and certainly isn't any more secure - if anything, vBulletin has an even worse track record than SMF in terms of vulnerabilities.

(in fact, SMF is one of the lightest forum platforms there is.)

i don't care for vb or smf, i like phpbb myself, but i think vb has the largest market share, so it falls under that windows thing, where they are the largest target, therefore they get targeted type thing.
175  Other / Meta / Re: Info about the recent attack on: September 11, 2011, 04:58:52 PM
I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.
Hmm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, number, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue.

You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

my original password was 64char hexadecimal, my new password is 64char tetrasexagesimal, or base 64 according to wikipedia, i was able to change it, so obviously you're wrong

Oh, you're right. I created a new account with a 64 character password, and then changed it to a different 64 character password via the profile settings page, and it worked fine.

I did run into the same issue as BkkCoins with my own account, whatever it is.

And, trying once more on the new account, now I'm hitting the issue:



what browser, version and os+version are you using
176  Other / Meta / Re: Info about the recent attack on: September 11, 2011, 04:20:10 PM
I just tried changing my password and it says my current password is wrong.
So I cannot change to a new one now.

You have the same password that you had before the attack.
Hmm. Well something has gone wrong. I use a pwd safe and call up and paste in my previous password and it rejects it. My password had 25 chars including letters, number, symbols. Unless the validity of symbols was changed at some point I don't know why it won't work now. I've probably only used it once when created as typically I'm "always logged on".

The password reset form has a "current password" field with a length limit of 20 characters, even though you can initially create an account with a password longer than 20 characters. I ran into this issue.

You can still change your password by logging out, and then clicking the "Forgot your password?" link on the login page. It will email you a link that lets you reset your password.

my original password was 64char hexadecimal, my new password is 64char tetrasexagesimal, or base 64 according to wikipedia, i was able to change it, so obviously you're wrong
177  Other / Meta / Re: Info about the recent attack on: September 11, 2011, 03:27:34 PM
Don't rely on a forum for secure authentication!
(or sign your messages and encrypt PMs)

9/10 people will not verify your message because all existing gpg or pgp is made stupid for windows, you either cough up like 500$ for a proprietary product, pgp or be stuck with unstable trash for free, neither is good for security related things.
178  Other / Meta / Re: What is it about bitcoin that brings the "pan-handler" out of everyone? on: September 11, 2011, 03:21:21 PM
some of the most helpful people don't really put up donation addresses, because they understand that it is "advertising". and typically smart people understand that it's not good in many cases. for example, Ubuntu, you have to hunt down a way to donate to them. i don't know if you can donate anymore, because they technically are a profitable business.
179  Other / Meta / Re: A public service announcement on: September 11, 2011, 03:13:11 PM
i still think bcrypt is stupid because i refuse to change my ways, you will never change me, you communist.


yes it's a joke.
180  Other / Meta / Re: A public service announcement on: September 11, 2011, 03:08:41 PM
<whole lotta' bullshit>

Totally wrong. Basically, all of your "advice" is garbage.

Some real programmers, please chime in.

I have been a programmer for 14 years, and FYI, I have written some strong cryptography myself from scratch.
So stop talking bullshit.

<whole lotta' bullshit>

Totally wrong. Basically, all of your "advice" is garbage.

Some real programmers, please chime in.
You should be using bcrypt().
Not whatever many rounds of hashing.

Hashing is meant for huge amounts of data (such as files) and is meant to run fast - which means it can be bruteforced fast.

By using bcrypt with a high work factor, logins take one second to process - and bruteforcing takes one second per hash as opposed to 10 billion hashes per second.

Wait, just let me get something straight before i continue this discussion.

If i generate a password hash using bcrypt with X rounds, and then i increase it to Y rounds, will both functions generate the same hash ?

I mean is bcrypt(pwd, rounds = 10, salt) equal to bcrypt(pwd, rounds = 20, salt) ?

Am I understanding this correctly ?

i'd assume no, or else it would be pointless to increase round time.

If no is the answer, then there is completely no advantage of using bcrypt versus multi hashes with multi salt as I have already written a recurrent function which does exactly the same as bcrypt().

You simply use the_hash_function($data, salt1, salt2, salt3, rounds) and basically what it does is it recurrently repeats

Code:
hash_algo1(salt1 + hash_algo2(salt2 + hash_algo3(salt3 + data))) 

for X number of rounds, each time salting everything again.

Once the hardware becomes more powerful, i can simply increase the number of rounds to Y.

he said it uses a slow key schedule, so i don't think this is the same thing if you are using traditional hashing.
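
The question raised in the post above (does raising the work factor change the hash?) decides how stored hashes have to be handled, so here is an added example that is not from any poster or from SMF. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (an assumption, so it runs without third-party packages); the record format and function names are hypothetical.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Hypothetical record format: "pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>".
# The cost travels with the hash, as it does inside a bcrypt string.
SCHEME = "pbkdf2-sha256"


def hash_password(password: str, iterations: int, salt: bytes | None = None) -> str:
    """Derive a slow hash with a random per-user salt and embed the parameters."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the cost and salt stored in the record; constant-time compare."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        cost = int(iterations)
    except ValueError:
        return False  # malformed record
    if scheme != SCHEME or cost < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cost)
    return hmac.compare_digest(candidate, expected)


def login(password: str, record: str, target_iterations: int) -> tuple[bool, str]:
    """Verify, then upgrade the record if it was created with a lower cost.

    The upgrade can only happen at login, because the plaintext password
    is needed to derive the hash at the new cost.
    """
    if not verify(password, record):
        return False, record
    if int(record.split("$")[1]) < target_iterations:
        record = hash_password(password, target_iterations)
    return True, record


if __name__ == "__main__":
    salt = bytes(16)  # constructed fixed salt, only to compare the two costs
    low = hash_password("correct horse", 1_000, salt)   # small constructed costs
    high = hash_password("correct horse", 2_000, salt)
    print(low.split("$")[3] != high.split("$")[3])
    print(login("correct horse", low, 2_000)[1].split("$")[1])
```

Same password and same salt at two costs give unrelated digests, which is why the cost is stored per record and old records are re-hashed one user at a time as they log in.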