Firefox's 'retreat' ensures Microsoft excels
Contractor UK | Aug 22, 2005 | Contractor UK
Posted on 08/26/2005 6:31:03 PM PDT by Bush2000
To: for-q-clinton
A noob doing a redhat install would click the desktop button or the server button depending on what they are installing, these options do not install all the software.
I am fine counting 100% of Flaws on the redhat distro, I just think it makes a valid comparison to windows impossible unless you count the same apps on windows. There is also the serious issue of how different vendors count bugs. Do they roll them up like MS and Oracle? Or do they note them one at a time like RedHat? What is the time from a security flaw's discovery to a patch? Trying to sum up all that information onto one chart displays the meaning of the phrase "lies damn lies and statistics".
My point was that there was a severely flawed methodology to the study that B2K lifted a graph from. So flawed, in fact, that the study itself mentions it! Yet B2K posted up the graph and tried to deny the importance of the data collection method and refused to address the content when I posted it to him.
401 posted on 08/30/2005 6:46:50 AM PDT by N3WBI3
(If SCO wants to go fishing they should buy a permit and find a lake like the rest of us..)
To: for-q-clinton
Interesting, so Rainbow Crack is able to defeat strong password of a windows hash?
Yep, look it up. In this case, it uses a 64GB pre-computed hash cracking table. Videos of it in action are available at the site.
If I get time later today is it okay if I freepmail you a windows 2000 hash to see how easy it is to crack.
I don't have the $500 to blow on buying the pre-computed table, so I can't do it.
To: for-q-clinton
Explain to me one buffer overflow you can exploit on a fully patched box?
This one in W2K3. It isn't remote (as you never specified it must be), but it is an unpatched buffer overflow error that can give system-level access.
To: antiRepublicrat
Earlier in my post I mentioned physical security. If the machine isn't physically secure you have all the info you ever need. So that doesn't count.
Name one where the box is physically secure.
404 posted on 08/30/2005 7:12:40 AM PDT by for-q-clinton
(If at first you don't succeed keep on sucking until you do succeed)
To: antiRepublicrat
Interesting. And what does Linux do to prevent a brute force attack?
For that matter how does any security prevent a brute force attack?
In regards to windows you don't need physical access to the box, but just need to sniff the wire for the hash to be passed. Then you can crack away (brute force style). What does Linux do to prevent such an attack?
405 posted on 08/30/2005 7:18:11 AM PDT by for-q-clinton
(If at first you don't succeed keep on sucking until you do succeed)
To: for-q-clinton
Earlier in my post I mentioned physical security. If the machine isn't physically secure you have all the info you ever need. So that doesn't count.
Don't change the terms after the challenge has been taken. You didn't mention physical security in your challenge in the post I replied to, and I provided it for you. Challenge met. End of story.
But now you see why I wanted to nail down terms for the bet on your Mac "virus." If you don't, you can easily lose.
BTW, that Rainbow Crack program won't work on Linux since Linux salts its hashes.
To: for-q-clinton
Then I'll email you the password so you can see that it wasn't some super crazy password with like alt key codes in it?
Oh, forgot, as of now it doesn't do the alt key codes, but it does do every character that almost all users use for passwords. As for alt key codes, just wait. IIRC, when Rainbow Crack first came out it didn't do the special characters either. But until then, what percentage of people even know it's possible to use them in passwords? What percentage of people even know they exist?
Why doesn't Windows just salt its hashes and eliminate the problem?
To: for-q-clinton
Interesting. And what does Linux do to prevent a brute force attack?
It salts the hash; therefore, Rainbow Crack won't work on it.
To: antiRepublicrat
Don't change the terms after the challenge has been taken. You didn't mention physical security in your challenge in the post I replied to, and I provided it for you. Challenge met. End of story.
Well the challenge was beat before it was ever offered. Any IT hack knows if you don't have physical security the box might as well be considered compromised.
Having said that, and I grant your loophole victory--if that makes you feel good. Let me restate a new challenge. Show me one buffer overrun that can be exploited where the physical security of the box isn't compromised.
409 posted on 08/30/2005 7:30:08 AM PDT by for-q-clinton
(If at first you don't succeed keep on sucking until you do succeed)
To: antiRepublicrat
I must not understand something. If Rainbow Crack can work on a strong password hash, why can't it work on a salted hash?
The salt hash only puts in something unique per user then hashes it. Think of it as extending each user's password by his user name then hashing it. It helps to ensure that no user has the same hash; however, it doesn't do one thing to stop something like Rainbow Crack from brute force attacking their hash.
Unless I'm missing something. What salting gives you (and it's a good thing) is that I can't do a quick dictionary attack against your hash (unless adding the unique salt to the password yields a dictionary word).
But Rainbow Crack is brute force 64GB hash table attack. It should still work against a linux salt hash.
410 posted on 08/30/2005 7:41:23 AM PDT by for-q-clinton
(If at first you don't succeed keep on sucking until you do succeed)
To: for-q-clinton
Show me one buffer overrun that can be exploited where the physical security of the box isn't compromised.
For that we'll have to wait for the next remote buffer overflow exploit that Microsoft decides to sit on.
To: antiRepublicrat
For that we'll have to wait for the next remote buffer overflow exploit that Microsoft decides to sit on.
Score: Me 1 you 1/2 (since it was a parsing of the words).
412 posted on 08/30/2005 7:47:32 AM PDT by for-q-clinton
(If at first you don't succeed keep on sucking until you do succeed)
To: for-q-clinton
The salt hash only puts in something unique per user then hashes it.
Yes, but look at it from this perspective. Rainbow uses a brute force method. It checks every possible combination to crack the password. Now add on a 4-digit (some are larger) unique ID to the beginning of the hash, and you increase the possibilities by 7,311,616 times. So--take Rainbow's 64GB table, multiply it by 7.3MB, and your table now becomes over 467TB. The time it would take to go through all that, makes it essentially unbreakable with today's speed and technology.
413 posted on 08/30/2005 7:47:57 AM PDT by ShadowAce
(Linux -- The Ultimate Windows Service Pack)
To: ShadowAce
Yes, but look at it from this perspective. Rainbow uses a brute force method. It checks every possible combination to crack the password. Now add on a 4-digit (some are larger) unique ID to the beginning of the hash, and you increase the possibilities by 7,311,616 times. So--take Rainbow's 64GB table, multiply it by 7.3MB, and your table now becomes over 467TB. The time it would take to go through all that, makes it essentially unbreakable with today's speed and technology.
This isn't accurate. If windows has a policy for 12 character password with uniqueness (letters, caps, special) and Linux has a policy set to only 8 character passwords, then they'd be about the same.
414 posted on 08/30/2005 7:53:59 AM PDT by for-q-clinton
(If at first you don't succeed keep on sucking until you do succeed)
To: for-q-clinton
If windows has a policy for 12 character password with uniqueness (letters, caps, special) and Linux has a policy set to only 8 character passwords, then they'd be about the same.
So now you're changing the comparison? I was comparing the same length passwords between the two, and showing what the increase would be if Windows just salted their passwords.
415 posted on 08/30/2005 7:56:55 AM PDT by ShadowAce
(Linux -- The Ultimate Windows Service Pack)
To: ShadowAce
Also that just proves Rainbow Crack isn't 100% against windows passwords (or even 90% with the right password policy).
Don't get me wrong, salting is a good thing, but it's not the fool proof against brute force. It's more of a way to help protect dumb admins that allow weak/short passwords.
Oh ya, as far as Rainbow goes...my brief reading of it says you can tailor the hash table to what you need. So if you know the linux password is 8 and the salt is 4...you'd start with 12 character passwords to hash. So Linux is just as vulnerable.
416 posted on 08/30/2005 7:59:11 AM PDT by for-q-clinton
(If at first you don't succeed keep on sucking until you do succeed)
To: ShadowAce
Nope not changing. Just applying a good administrator. So in the end the Linux user experience would be better because he only needs an 8 character password vs. a windows 12 character password. That's something to be happy about. Users hate long passwords.
Having said that, it doesn't make that much of a difference based on the way Rainbow Crack works (based on my limited read of the tool). Basically you customize the hash table to the password policy in effect. So if you know the password is 8 characters and the salt is 4. And you know it must have caps and lower case. Then your hash table gens up hashes based on that info.
417 posted on 08/30/2005 8:01:36 AM PDT by for-q-clinton
(If at first you don't succeed keep on sucking until you do succeed)
To: N3WBI3
So then I can't expect you on every MS thread pissing and moaning about china and communism?
Dream on. MS poses many of the same problems that you guys pose in China. Its software is being used to hurt people. I'm not shy about admitting this issue and condemning it. When are you going to admit the same re OSS?
418 posted on 08/30/2005 8:04:19 AM PDT by Bush2000
(Linux -- You Get What You Pay For ... (tm)
To: for-q-clinton
So if you know the linux password is 8 and the salt is 4...you'd start with 12 character passwords to hash.
That is incorrect as well.
A 12-char password would produce a different hash than a 4 char salt+8 char password. You'd also have to know the 4 char salt, and that is a random string produced by the system for each user--so even if you know a user name, you wouldn't know the salt. Without the salt, you cannot run the hash through Rainbow, as it assumes the entire hash is a password.
Rainbow would just produce a password based on a 12 char policy and it wouldn't work.
419 posted on 08/30/2005 8:04:44 AM PDT by ShadowAce
(Linux -- The Ultimate Windows Service Pack)
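Added example (not part of any post in this thread): a Python sketch of the salting argument in posts 413 and 419, showing that one precomputed table matches every unsalted hash of a password, while per-user salts give the same password different stored hashes that the table cannot match. SHA-256 and PBKDF2 stand in for the real Windows and Linux hash functions, and the candidate list and function names are constructed for illustration.

```python
import hashlib
import os

# Constructed candidate list standing in for a precomputed table's keyspace.
CANDIDATES = ["letmein", "Summer2005", "freeper!", "hunter2"]

def unsalted(password: str) -> str:
    # SHA-256 is a stand-in for any hash computed with no salt mixed in.
    return hashlib.sha256(password.encode()).hexdigest()

def salted(password: str, salt: bytes, rounds: int = 50_000) -> str:
    # Per-user random salt plus key stretching (PBKDF2, standard library).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()

def build_table(candidates):
    # Built once, reusable against every account that stores unsalted hashes.
    return {unsalted(p): p for p in candidates}

def enroll(password: str):
    # What a salting system stores: the salt in the clear next to the hash.
    salt = os.urandom(16)
    return salt, salted(password, salt)

def salt_multiplier(alphabet_size: int, salt_chars: int) -> int:
    # Number of distinct salts, i.e. how many separate tables full
    # precomputation would need (52 symbols, 4 chars -> 7,311,616,
    # the figure quoted in post 413).
    return alphabet_size ** salt_chars

def demo():
    table = build_table(CANDIDATES)
    # Two users pick the same password.
    alice_plain, bob_plain = unsalted("hunter2"), unsalted("hunter2")
    alice_salt, alice_hash = enroll("hunter2")
    bob_salt, bob_hash = enroll("hunter2")
    return {
        "unsalted_identical": alice_plain == bob_plain,
        "unsalted_table_hit": table.get(alice_plain),
        "salted_identical": alice_hash == bob_hash,
        "salted_table_hit": table.get(alice_hash),
        "verifies_with_salt": salted("hunter2", alice_salt) == alice_hash,
        "multiplier": salt_multiplier(52, 4),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The login check still works because the verifier re-hashes the supplied password with that user's stored salt; what the salt removes is the ability to reuse one table across accounts.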
To: ShadowAce
Keep in mind antiRepublicrat said Linux wasn't vulnerable to Rainbow Crack brute force attack because it used salting. My point was to show that it is vulnerable. Not that Windows is better.
420 posted on 08/30/2005 8:05:12 AM PDT by for-q-clinton
(If at first you don't succeed keep on sucking until you do succeed)