Author Topic: Episode #586  (Read 3824 times)

Offline Swagomatic

  • Frequent Poster
  • ******
  • Posts: 2370
Re: Episode #586
« Reply #45 on: October 05, 2016, 03:34:36 PM »
I use LastPass.  My password vault is protected by a very long passphrase (hashed locally with multiple rounds of SHA265; not even LastPass knows my passphrase) and two-factor authentication. The passwords are encrypted locally with AES-256 and transmitted to the server where they are stored in encrypted form. To get access to my passwords, someone would have to get not only my master passphrase but also physical access to my phone and the ability to unlock it (my phone itself is protected by a very long passphrase & TouchID).  Well, I suppose if they got hold of the password hash from LastPass servers they could try to calculate a collision.  But that's pretty much impossible, and even if they did they'd still run into my two-factor authentication.

The passwords I have stored in LastPass are all long, randomly-generated, mixed-case, alphanumeric with special characters.  I have no idea what any of them is, but I don't need to.

The passphrase sounds like a good idea. 
Beware of false knowledge; it is more dangerous than ignorance.
---George Bernard Shaw

Offline daniel1948

  • Stopped Going Outside
  • *******
  • Posts: 4657
  • Cat Lovers Against the Bomb
Re: Episode #586
« Reply #46 on: October 05, 2016, 05:05:10 PM »
I like the idea of two-factor authentication, except that I regularly travel to places where I have internet but no cell service. For eight to ten weeks out of the year I'd have no access to any of the web sites I visit or services I use. :(
Daniel
----------------
"Anyone who has ever looked into the glazed eyes of a soldier dying on the battlefield will think long and hard before starting a war."
-- Otto von Bismarck

Offline murraybiscuit

  • Off to a Start
  • *
  • Posts: 28
Re: Episode #586
« Reply #47 on: October 06, 2016, 02:54:40 AM »
Quote
I like the idea of two-factor authentication, except that I regularly travel to places where I have internet but no cell service. For eight to ten weeks out of the year I'd have no access to any of the web sites I visit or services I use. :(
2FA can often be done via an app (e.g. Google Authenticator), allowing for offline use. The problem with GA is that if you lose your device, or forget to migrate prior to a factory reset, you lose your auth keys, which can be somewhat catastrophic if your provider doesn't have recovery via SMS (e.g. Bitbucket). To solve this, you can use a cloud-synced 2FA provider like Authy across devices and as a Chrome extension.


Offline AtheistApotheosis

  • Doesn't Panic
  • *
  • Posts: 42
Re: Episode #586
« Reply #48 on: October 06, 2016, 05:58:52 AM »
Well, the first rule of buying solar, never buy solar from your electricity supplier, is a given. Always go to a dedicated independent solar retailer. It's not in the utility's best interest for their customers to install solar, so naturally they will try to drive the cost of solar as high as possible. In Australia the power companies can't force you to use panels supplied by them alone. My parents paid $7000 to install 12 panels and something like $1,500 for the regulator and meter. They haven't had a power bill in three years and the system will have paid for itself by early 2019 at the latest. I nearly fell off my chair when Steve said he paid $60,000. How big is his roof? That's about 400 cheap Chinese panels or about 200 of the most expensive ones. They really are trying to cripple the solar energy industry in the US. It costs $25 to about $50 to produce a single panel and they retail for around $150 to $280 per panel at around the time my parents got their panels installed. Then the Aussie dollar was running at parity with the US dollar. I thought they paid too much. Steve must be blasting aliens with a 2,000,000,000 watt triple phased ionisation consecutive magnetically constricted accelerated rail mounted plasma cannon to use that much. Maybe CERN has been tapping his power.

Offline daniel1948

  • Stopped Going Outside
  • *******
  • Posts: 4657
  • Cat Lovers Against the Bomb
Re: Episode #586
« Reply #49 on: October 06, 2016, 08:17:24 AM »
Quote
Well, the first rule of buying solar, never buy solar from your electricity supplier, is a given. Always go to a dedicated independent solar retailer. It's not in the utility's best interest for their customers to install solar, so naturally they will try to drive the cost of solar as high as possible. In Australia the power companies can't force you to use panels supplied by them alone. My parents paid $7000 to install 12 panels and something like $1,500 for the regulator and meter. They haven't had a power bill in three years and the system will have paid for itself by early 2019 at the latest. I nearly fell off my chair when Steve said he paid $60,000. How big is his roof? That's about 400 cheap Chinese panels or about 200 of the most expensive ones. They really are trying to cripple the solar energy industry in the US. It costs $25 to about $50 to produce a single panel and they retail for around $150 to $280 per panel at around the time my parents got their panels installed. Then the Aussie dollar was running at parity with the US dollar. I thought they paid too much. Steve must be blasting aliens with a 2,000,000,000 watt triple phased ionisation consecutive magnetically constricted accelerated rail mounted plasma cannon to use that much. Maybe CERN has been tapping his power.

Steve did not pay for his solar installation. His system was installed by a company that foots the entire bill and retains ownership of the panels. He will then pay that company for the electricity, at a rate lower than his public utility is charging.

He did not say what company installed his system, but it sounds like the same model used by Solar City.

He also said that both sides of his house are covered, since the orientation allows that.
Daniel
----------------
"Anyone who has ever looked into the glazed eyes of a soldier dying on the battlefield will think long and hard before starting a war."
-- Otto von Bismarck

Offline AtheistApotheosis

  • Doesn't Panic
  • *
  • Posts: 42
Re: Episode #586
« Reply #50 on: October 06, 2016, 08:30:49 AM »
Quote
Quote
Well, the first rule of buying solar, never buy solar from your electricity supplier, is a given. Always go to a dedicated independent solar retailer. It's not in the utility's best interest for their customers to install solar, so naturally they will try to drive the cost of solar as high as possible. In Australia the power companies can't force you to use panels supplied by them alone. My parents paid $7000 to install 12 panels and something like $1,500 for the regulator and meter. They haven't had a power bill in three years and the system will have paid for itself by early 2019 at the latest. I nearly fell off my chair when Steve said he paid $60,000. How big is his roof? That's about 400 cheap Chinese panels or about 200 of the most expensive ones. They really are trying to cripple the solar energy industry in the US. It costs $25 to about $50 to produce a single panel and they retail for around $150 to $280 per panel at around the time my parents got their panels installed. Then the Aussie dollar was running at parity with the US dollar. I thought they paid too much. Steve must be blasting aliens with a 2,000,000,000 watt triple phased ionisation consecutive magnetically constricted accelerated rail mounted plasma cannon to use that much. Maybe CERN has been tapping his power.
Steve did not pay for his solar installation. His system was installed by a company that foots the entire bill and retains ownership of the panels. He will then pay that company for the electricity, at a rate lower than his public utility is charging.

He did not say what company installed his system, but it sounds like the same model used by Solar City.

He also said that both sides of his house are covered, since the orientation allows that.
Sorry, I missed that bit.

Offline Mormegil

  • Seasoned Contributor
  • ****
  • Posts: 526
  • Know Evolution, know life. No Evolution, no life
Re: Episode #586
« Reply #51 on: October 07, 2016, 01:29:41 PM »
Quote
Quote
Quote
Well, the first rule of buying solar, never buy solar from your electricity supplier, is a given. Always go to a dedicated independent solar retailer. It's not in the utility's best interest for their customers to install solar, so naturally they will try to drive the cost of solar as high as possible. In Australia the power companies can't force you to use panels supplied by them alone. My parents paid $7000 to install 12 panels and something like $1,500 for the regulator and meter. They haven't had a power bill in three years and the system will have paid for itself by early 2019 at the latest. I nearly fell off my chair when Steve said he paid $60,000. How big is his roof? That's about 400 cheap Chinese panels or about 200 of the most expensive ones. They really are trying to cripple the solar energy industry in the US. It costs $25 to about $50 to produce a single panel and they retail for around $150 to $280 per panel at around the time my parents got their panels installed. Then the Aussie dollar was running at parity with the US dollar. I thought they paid too much. Steve must be blasting aliens with a 2,000,000,000 watt triple phased ionisation consecutive magnetically constricted accelerated rail mounted plasma cannon to use that much. Maybe CERN has been tapping his power.
Steve did not pay for his solar installation. His system was installed by a company that foots the entire bill and retains ownership of the panels. He will then pay that company for the electricity, at a rate lower than his public utility is charging.

He did not say what company installed his system, but it sounds like the same model used by Solar City.

He also said that both sides of his house are covered, since the orientation allows that.
Sorry, I missed that bit.

Another thing to consider is the number of panels required for his house.  Up in the higher latitudes, you'll need a lot more panels.  I'm in Los Angeles, and get away with 19 panels, which cost about $35k before rebates and tax breaks.  Honestly though, I got the best bang for my buck through insulation.  My AC bills dropped by about half, and with the solar, I'm barely paying for anything.


As to the password thing, don't tell anybody, but this is my password.

Offline Gerakion

  • Brand New
  • Posts: 1
Re: Episode #586
« Reply #52 on: October 31, 2016, 05:40:55 PM »
I ended up skipping this episode due to a busy week at the beginning of October. I am really really glad I went back to it.

The DARPA project on unhackable code is indeed fascinating. I was glad the podcast mentioned the founding program manager, Kathleen Fisher by name. I knew her as Professor Fisher, and she taught me Programming Languages when I was an undergrad studying Computer Science at Tufts University (a couple years ago). She is a fantastic professor, and, as evident from her work being on the podcast, has impressive research to boot.

A significant portion of the course was studying functional programming languages. Informally, most of us programmers use imperative languages, which execute code line by line.
Functional languages are an entirely different beast: they execute a single line for a single program, but end up propagating program logic out based on the functions called within that single line. If you've ever done calculations in Excel, this is similar. Excel only executes one calculation in a cell when you hit "enter", but the equation for that cell may involve operations on other cells.

Though they tend to be more challenging to implement, functional languages are much easier to reason about. Given a program, you can use formal evaluations on paper to construct a proof to show what a program will output. We did this in the class for simple inputs (showing a program that takes in '3' as an input will give 'false' as output. Stuff like that), and it makes complete sense how you can extend this to a larger program.

It's a tedious process to prove correctness for a large program; I doubt it will become commonplace anytime soon for most applications. It is very useful when the code is essential (like an airplane autopilot). The podcast did a very good overview of the topic.

Offline gmalivuk

  • Well Established
  • *****
  • Posts: 1861
    • http://gmalivuk.livejournal.com
Re: Episode #586
« Reply #53 on: January 09, 2017, 04:55:57 PM »
I fell way behind on episodes, so just finished this one today. Sorry for the necro.

Quote
Quote
Yeah, but how much less secure is my strong password after a year, compared to after 3 months?  Is 3 months some sort of optimized compromise between how often hackers get access to my mid-sized engineering consulting company's password list and how often I need to enter my password?  Or is it some arbitrary bullshit thing that makes upper management feel better, as per TSA theater at the airport?
How much less secure it is after a year compared to 3 months depends entirely on how often you re-use that password, because the more it is reused and the more time has passed, the likelier it is that the password has been stolen from a hacked website on which you used it.  Once that happens, all your other accounts using the same password are highly vulnerable.
Right, password change policies are a response to bad password practices (i.e. reusing the same one for multiple services). But if you have different passwords for everything, there's no risk in keeping the same one indefinitely for any particular service, as long as that service isn't hacked. (Or if you think they won't reveal hacks, change it as often as you think that's likely to happen.)

Plus part of the reason people reuse passwords is because recommendations often amount to suggesting passwords that are harder to remember than to brute-force guess.

Quote
That's not how large-scale attacks work.  They work by compromising the service and stealing the database of hashed and salted passwords (pray that they are at least hashed and salted!)  They can then run unconstrained offline attacks on these databases using dictionaries and, if they manage to find the salt, rainbow tables.  Then, once they've obtained your password through an offline attack, they will use it to log in.
Yeah, I'm immediately suspicious of any site with an overly restrictive length requirement for passwords, because it suggests they're doing something with the plaintext password (possibly even storing it that way).

Quote
Quote
Again, I don't use guessable passwords.
If it's 10 characters or less and contains any dictionary words, it probably wouldn't last very long against an offline attack.
Sure, but remember the community you're talking to here. I can't speak for Daniel but my bank password is something like "CRd9P59Bl63l+DSYZ/kG", and my first Google passphrase was "I wouldn't have thought this morning that today would be the day I changed my password to this." It doesn't quite have the full entropy of random English sentences (as it's self-referential about changing a password), but I suspect it's still got around 96 bits of entropy or so.

Quote
Strong passwords help protect against this, but the older they are the greater the likelihood they have been cracked or stolen.
More significantly, the more reused they are the greater likelihood they have been cracked or stolen. Using the same unique password for a long time for office intranet (for a company unattractive to hackers), which seems to be where most of the ridiculously frequent password-change policies come from, is probably considerably less risky than using one password for a bunch of your things and changing it every couple of months.
The world is so exquisite with so much love and moral depth, that there is no reason to deceive ourselves with pretty stories for which there's little good evidence. Far better...is to look death in the eye and to be grateful every day for the brief but magnificent opportunity that life provides.
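An added example (not from this thread) of the storage model the quoted post describes: a random per-user salt and a slow PBKDF2 hash, so a stolen database forces per-account guessing instead of one precomputed lookup, and the salt does not need to be secret for that to hold; the entropy helper applies to the 20-character random password quoted above. The iteration count is an assumption to tune per deployment.

```python
import hashlib
import hmac
import math
import os

ROUNDS = 600_000  # assumed PBKDF2-HMAC-SHA256 iteration count; tune to your hardware


def hash_password(password: str, salt: bytes = None, rounds: int = ROUNDS) -> dict:
    """Store salt, rounds and the slow hash, never the plaintext. A hash has no length
    limit, which is why a strict maximum password length on a site is a warning sign."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return {"salt": salt.hex(), "rounds": rounds, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["rounds"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def salt_defeats_precomputation(password: str, rounds: int = 1000) -> bool:
    """Same password, two accounts, two salts: the stored hashes differ, so a table
    precomputed as (password -> hash) cannot be reused across accounts, even though
    the salt itself sits in the stolen database in the clear."""
    a = hash_password(password, rounds=rounds)
    b = hash_password(password, rounds=rounds)
    return a["hash"] != b["hash"] and verify_password(password, a) and verify_password(password, b)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    A 20-character password over mixed case, digits, '+' and '/' draws from 64 symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", rec), verify_password("wrong", rec))
    print(salt_defeats_precomputation("hunter2"))
    print(round(entropy_bits(20, 64)))  # 120 bits for the 20-character random password
```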