Free Republic

Firefox's 'retreat' ensures Microsoft excels
Contractor UK ^ | Aug 22, 2005 | Contractor UK

Posted on 08/26/2005 6:31:03 PM PDT by Bush2000

To: general_re
It doesn't work. Or rather, it works, as long as SYSKEY hasn't been used to move the ADK out of the registry.

Putting another condition on it? Come on, we all (well, you and me, I don't know about Q) know any individual modern system can be locked down so well that it will be impractically difficult to get anything off of it. Various third-party tools will make it almost impossible.

However, that represents a small section of well-guarded vines in a 500 acre vineyard that's ripe for the picking.

Mmmm, now I'm up for a glass of wine. How about you? And how's the Turbo doing with the latest gas prices? I had a friend with a late 70s Turbo Carrera and that thing had a voracious appetite.

601 posted on 09/01/2005 1:42:12 PM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 596 | View Replies]

To: for-q-clinton
Yes, you replied then I replied and you changed and said this is only in regards to passwords.

Don't like it when people try to stop you from building strawmen, do you?

602 posted on 09/01/2005 1:43:15 PM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 600 | View Replies]

To: antiRepublicrat
Don't like it when people try to stop you from building strawmen, do you?

What on earth are you talking about? But before I call you out [again], let's get a common definition of a strawman.

Main Entry: straw man
Function: noun
1 : a weak or imaginary opposition (as an argument or adversary) set up only to be easily confuted

Now explain. This should be good. I bet you have to try to tie at least 3 different points together to try and make some sense of that comment.

603 posted on 09/01/2005 1:56:03 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 602 | View Replies]

To: antiRepublicrat
Come on, we all (well, you and me, I don't know about Q) know any individual modern system can be locked down so well that it will be impractically difficult to get anything off of it. Various third-party tools will make it almost impossible.

Well, yeah, although SYSKEY is built right into Windows, and is enabled by default since Win2k. By default it stores the hash in the registry, but you can move it rather painlessly - which, since the obfuscation routine is well known, is a good idea.

However, that represents a small section of well-guarded vines in a 500 acre vineyard that's ripe for the picking.

Hey, security is a process, not a product - you know that as well as anyone, I'm sure. To a large degree, your fate is in your own hands, so it's incumbent on every admin and user to take an active role in securing systems, regardless of OS.

And then there are some things beyond anyone's control - no matter how salty your password hashes are, if the information on there is valuable enough, I'll just get a rubber hose and f'ing beat it out of you ;)

604 posted on 09/01/2005 2:56:21 PM PDT by general_re ("Frantic orthodoxy is never rooted in faith, but in doubt." - Reinhold Niebuhr)
[ Post Reply | Private Reply | To 601 | View Replies]

To: for-q-clinton
Now explain. This should be good.

You're losing on Windows passwords, so you bring up Linux's generally inferior usability and shoot that down. That's a strawman.

605 posted on 09/01/2005 4:28:42 PM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 603 | View Replies]

To: antiRepublicrat

Main Entry: straw man
Function: noun
1 : a weak or imaginary opposition (as an argument or adversary) set up only to be easily confuted

In order for that to work, I'd have to try and say Linux has better usability than Windows, just so others could shoot it down. By my saying Linux isn't better in usability and everyone agreeing, is just the opposite of a strawman.

If anything, your assertion that Linux password feature that allows for better user experience (usability) is a strawman because it's clear Linux is not a better experience overall.


606 posted on 09/01/2005 5:38:13 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 605 | View Replies]

To: Bush2000
Yes, they do. They reveal that Firefox momentum has chilled to the point that it's not gaining market share. That's significant, given all the bluster and bravado we've heard around here lately.

No, they have no meaning statistically. You are talking about a difference of less than 1%. Try taking a statistics class and learning about standard deviation, confidence intervals, and standard error.

607 posted on 09/01/2005 7:16:34 PM PDT by killjoy (Real Men Love Bush)
[ Post Reply | Private Reply | To 576 | View Replies]

To: antiRepublicrat
You're losing on Windows passwords, so you bring up Linux's generally inferior usability and shoot that down. That's a strawman.

Sigh. You can't seem to let go of that password issue. I've already taken you to the woodshed several times on this issue. Listen carefully: IT DOESN'T MATTER WHETHER YOU SALT THE PASSWORDS OR NOT. WHEN THE PHYSICAL SECURITY OF THE SERVER IS COMPROMISED, YOU'VE LOST THE SERVER. You're wasting everyone's bandwidth arguing over this. Give it a rest already.

608 posted on 09/01/2005 7:51:32 PM PDT by Bush2000 (Linux -- You Get What You Pay For ... (tm)
[ Post Reply | Private Reply | To 605 | View Replies]

To: killjoy
No, they have no meaning statistically. You are talking about a difference of less than 1%. Try taking a statistics class and learning about standard deviation, confidence intervals, and standard error.

Find another strawman. Whether or not it fluctuates +/- 1% is of no interest to me. What I got from this article is that Firefox market share has essentially stopped growing.

609 posted on 09/01/2005 7:54:38 PM PDT by Bush2000 (Linux -- You Get What You Pay For ... (tm)
[ Post Reply | Private Reply | To 607 | View Replies]

To: antiRepublicrat; general_re
I say use Advanced EFS Data Recovery from Elcomsoft (the same guys who broke PDF protection) to get around the EFS, then use Rainbow Crack on the passwords.

As pointed out by general_re, anybody who cares about the physical security of the server being compromised and, therefore, uses EFS isn't going to store the SYSKEY on the same box. They're going to put it somewhere else. It doesn't make any sense to use EFS and leave the key on the server. So how are you going to crack it? Answer: It won't be easy. At least, not without throwing an inordinate amount of computing power at the problem. Your primary hope is to find the SYSKEY and compromise EFS.

So here's the bottom line and I hope you finally get this: Strong passwords and encrypted file systems are only flawed barriers. Arguing that one is more "inferior" to another is a ridiculous enterprise because they were never intended to provide uncrackable security under the scenario that you've laid out; namely, that the server's physical security has been compromised.

610 posted on 09/01/2005 8:10:39 PM PDT by Bush2000 (Linux -- You Get What You Pay For ... (tm)
[ Post Reply | Private Reply | To 582 | View Replies]

To: Bush2000
Find another strawman. Whether or not it fluctuates +/- 1% is of no interest to me. What I got from this article is that Firefox market share has essentially stopped growing.

I couldn't care less about IE or Firefox. I use them both since they both have advantages and disadvantages. I am simply pointing out that the numbers mentioned in the article have no meaning.

611 posted on 09/01/2005 8:34:05 PM PDT by killjoy (Real Men Love Bush)
[ Post Reply | Private Reply | To 609 | View Replies]

To: Bush2000
Arguing that one is more "inferior" to another is a ridiculous enterprise because they were never intended to provide uncrackable security under the scenario that you've laid out; namely, that the server's physical security has been compromised.

Again, why did all the *NIX vendors dump Crypt() if password security isn't important? Simple, poor password hashing leaves one layer of your security vulnerable, and you want all layers as strong as you can get them. There still remains the basic fact that you ignore, no matter what extra protections you come up with, that almost all Windows boxes in the world as they are right now can be easily password-cracked, while few *NIX boxes are so easy.

612 posted on 09/02/2005 5:27:05 AM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 610 | View Replies]

To: Bush2000
IT DOESN'T MATTER WHETHER YOU SALT THE PASSWORDS OR NOT. WHEN THE PHYSICAL SECURITY OF THE SERVER IS COMPROMISED, YOU'VE LOST THE SERVER.

Most password cracking was done on *NIX password files pulled over the network. Crackers would then direct computer resources to cracking them, and later return to the machines with the valid passwords. Then the passwords were moved into a protected area, but all that meant was that rooting one box gave you a whole list of passwords to possibly use on others. Plus it meant that if the flaw that allowed rooting were later fixed, you still had access through the valid passwords.

We historically put a life span on passwords so that there is not enough time to crack them before they are changed. With the latest technology, the Windows password expiration should be in minutes.

You see a place where Windows security needs improvement, and you go into total denial. Sad, really.

613 posted on 09/02/2005 5:36:09 AM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 608 | View Replies]
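
The salting question argued in this thread, from the defender's side, as an added example that is not part of any poster's message: it shows that one table computed in advance matches every account in an unsalted store, while per-user salts force separate work per account. SHA-256 stands in for an unsalted scheme (it is not the Windows or crypt() algorithm), and the account names, passwords and guess list are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data; names and passwords are made up for this example.
ACCOUNTS = {"alice": "winter2005", "bob": "winter2005", "carol": "Tr0ub4dor&3"}
COMMON_GUESSES = ["password", "letmein", "winter2005"]


def unsalted_hash(password: str) -> str:
    # Stand-in for any unsalted scheme: same password -> same hash on every box.
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, rounds: int = 100_000) -> str:
    # Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def build_stores(accounts):
    unsalted = {u: unsalted_hash(p) for u, p in accounts.items()}
    salted = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        salted[user] = (salt, salted_hash(pw, salt))
    return unsalted, salted


def exposed_by_precomputed_table(stored_hashes, guesses):
    # One table, built once without knowing any salt, checked against all accounts.
    table = {unsalted_hash(g) for g in guesses}
    return sorted(u for u, h in stored_hashes.items() if h in table)


def verify(password: str, salt: bytes, expected: str) -> bool:
    return hmac.compare_digest(salted_hash(password, salt), expected)


def audit(accounts=ACCOUNTS, guesses=COMMON_GUESSES):
    unsalted, salted = build_stores(accounts)
    salted_only = {u: h for u, (_, h) in salted.items()}
    return {
        "unsalted_exposed": exposed_by_precomputed_table(unsalted, guesses),
        "salted_exposed": exposed_by_precomputed_table(salted_only, guesses),
        "unsalted_duplicates": unsalted["alice"] == unsalted["bob"],
        "salted_duplicates": salted_only["alice"] == salted_only["bob"],
        "login_still_works": verify(accounts["alice"], *salted["alice"]),
    }


if __name__ == "__main__":
    print(audit())
```

The salt is stored beside the hash and is not secret, so a weak password can still be guessed one account at a time once the store is taken; what salting removes is the reuse of a single precomputed table across accounts and machines.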

To: for-q-clinton
In order for that to work,

You're right. I used the wrong word. It still doesn't change the fact that you switched subjects to divert attention.

614 posted on 09/02/2005 5:37:13 AM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 606 | View Replies]

To: antiRepublicrat
You're right. I used the wrong word. It still doesn't change the fact that you switched subjects to divert attention.

Try making up other things...like that word you tried to use because it sounded good. It's completely related and you know it.

But go ahead and get the word/post in if that will make you feel better.

615 posted on 09/02/2005 6:17:09 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 614 | View Replies]

To: for-q-clinton
Try making up other things...like that word you tried to use because it sounded good. It's completely related and you know it.

Now you're trying to deflect the argument completely away from passwords.

616 posted on 09/02/2005 6:21:45 AM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 615 | View Replies]

To: antiRepublicrat
But go ahead and get the word/post in if that will make you feel better.

Sorry I left out a word on that post...meant to say.

But go ahead and get the LAST word/post in if that will make you feel better.

617 posted on 09/02/2005 7:24:15 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 616 | View Replies]

To: killjoy
I am simply pointing out that the numbers mentioned in the article have no meaning.

If you're talking about the difference between 8.7% and 8.1%, I agree with you on that point. That could easily be statistical noise because it falls within the margin of error. But, more importantly (as I suggested earlier), Firefox's market share has essentially frozen at around 8%. Many Firefox advocates have been predicting that their browser would take significant market share away from IE. Now, it appears, Firefox is primarily gaining ground at the expense of Mozilla, not IE. While that may not be interesting to many people, it reaffirms that the dynamics of the Web client won't be shifting all that much for the foreseeable future.

618 posted on 09/02/2005 9:04:13 AM PDT by Bush2000 (Linux -- You Get What You Pay For ... (tm)
[ Post Reply | Private Reply | To 611 | View Replies]

To: antiRepublicrat
Again, why did all the *NIX vendors dump Crypt() if password security isn't important?

Read for comprehension. I didn't say that password security wasn't important. I said that not having physical custody over your machine essentially renders password protections moot.

There still remains the basic fact that you ignore, no matter what extra protections you come up with, that almost all Windows boxes in the world as they are right now can be easily password-cracked, while few *NIX boxes are so easy.

You have to get to the password hashes first. If you've lost root access on a 'nix box, your box is compromised and password protections aren't going to save you.

619 posted on 09/02/2005 9:07:21 AM PDT by Bush2000 (Linux -- You Get What You Pay For ... (tm)
[ Post Reply | Private Reply | To 612 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
