Posted on 04/19/2010 7:01:38 PM PDT by for-q-clinton
Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications.
(Excerpt) Read more at nytimes.com ...
You could use a RSA prime generator as the means to a one time pad.
The idea behind a one-time pad is that you create a cipher key so long that you use pieces of the key XOR’ed with your plaintext, and never, ever use that piece of the key again. The Soviets pioneered use of this in the field with the Verona ciphers, famous during the Cold War for frustrating MI-5 and the NSA for years and years.
The idea behind a OTP password generator card is that the card has a password. You enter that password to activate the card. Once your PW to the card is accepted, you tell it “generate a password string for me.” It does. You enter that password to whatever server or machine you’re logging into. If the algorithm on the server and your OTP card are in agreement as to your sequence of passwords, you’re in.
As soon as you use a password generated by the OTP card (ie, you use it to log into any server tied into the password generator service), that password is “burned” - it may never be used again. You can set an option on these OTP systems to either lock down the account upon receipt of a burned p/w, or to merely prompt for another one.
If you get out of sync (let’s say you bungle the entry of a password), you merely ask the OTP card to generate you a new password again. The server s/w generated ‘n’ passwords ahead of your current OTP card’s sequence. Once it accepts a password in that window of passwords, the password and all passwords prior to the password accepted are ‘burned’ and can never be used again.
The way this prevents attacks is this: OK, you (the hacker) log the keystrokes in a situation like this. That’s nice. You, the hacker, don’t have the OTP card or the algo, so you can’t generate a new password to log in at your own time and choosing. You can hijack a session once the user enters a password, but that means you’re going to be detected, because the user is sitting there, watching his computer be taken over.
What the point is about XP: a lot of large companies and installations sat out Vista, and they’ve not yet upgraded to 7. Microsoft has a KNOWN VULN, with a KNOWN EXPLOIT, in the wild, and they have not yet issued a patch for it.
Nobody with an ounce of computer security experience pays the least attention to those hacking "contests". They're just ad campaigns for the tech journals who sponsor them, and they set them up so that they make headlines to draw hits. Don't be so naive, you can't be that ignorant of how they work.
It's news when an Apple machine gets compromised first, and they know it. (Who would bother to read their pages, with a headline, "Windows falls first in hacking contest!"??? YAWN.)
So they set them up so that the long-practiced, completely-scripted, well-rehearsed exploits for the Apple products get done first. Well, duh -- they want to be able to write that headline with "APPLE" in it.
Besides, who gives a damn about such exploits unless they turn into REAL viruses??? How many of the Apple exploits have turned into real Mac viruses in the wild?
Ummm, none.
You can do better than that answer. Please try harder.
You don’t find SCM clients on smartphones. It was at least a laptop.
The hackers have found that the iPhone is the target of choice now. Easily hacked and used by millions that have no clue.
And is google in that lot of companies that use XP?
Wow so 0-day exploits don’t count now. Very interesting.
Ok, so now apple zealots are saying 0-day exploits don’t count. Well I guess we can erase half of Windows vulnerabilities.
I knew that was coming. Once I re-read my post I see I typed s instead of x. Too bad FR doesn’t allow for edits.
But if it did we wouldn’t have hugh and series (plus the stune that I was recently made aware of).
Could well be. Dunno. They’re big enough, certainly. And for most of what people who work with Google’s code base do, XP would do everything they ever need.
I’ve long maintained that Win XP, if all the patches are applied, does most everything everyone wants to do with a PC.
sshhh...don’t let the apple zealots know about that. They will deny it to no end. Or just deflect as needed. It’s one of those if a tree falls in the forest and the guy standing their is deaf, dumb and blind...did the tree really fall?
Except for directX 11. Yeah I’m a gamer. but even then there aren’t many games that take advantage of DX10 even...but we have to push the technology along or we’ll be stuck with DX9.
Well according to this...http://blogs.technet.com/keithcombs/archive/2007/06/02/do-google-employees-use-windows.aspx
It looks like google encourages Mac OSX and pretty much everything not microsoft. I wonder if this is one of those in the wild exploits the OSX guys deny exist.
Keith, A former colleague of mine has not long joined Google. On Day 1 he was asked the following questions:
1) Would you like a MAC or PC? Given he’d spent 8 years at MSFT and had no idea how to use a MAC he obviously opted for the PC. Needless to say there were a few raised eyebrows.
2) MS Office or OpenOffice? Unsurprisingly he chose Office having never used OO. Again more frowns.
3) IE of Firefox? Having never used FF he chose IE and was told tough he’d need to get used to it.
It’s available but actively discouraged.
Location-Aware Printing. Windows 7 utilizes different default printers for each of the network locations you’ve configured on the system so you won’t mistakenly print a child’s school project to the work printer. When you’re at work, you’ll print to the work printer, and when you’re at home, you’ll print to the home printer.
But then again they could have ran windows on their Mac. So who knows.
I’m pretty sure Mac has had emulation before Intel. It just runs better on Intel.
Don't put words in my mouth. I didn't say they didn't count. I just said, "Besides, who gives a damn about such exploits unless they turn into REAL viruses???" -- in other words, unless the exploit is actually exploitable by a virus writer, it's just another proof-of-concept laboratory curiosity.
Answer my question. How many of your precious Apple "contest" exploits have turned into real viruses?
For that matter, how many Windows "contest" exploits have turned into real viruses?
Don't confuse headline-grabbing tech journal "contest" crap with actual security issues. Given that all operating systems can have vulnerabilities, what counts to the REAL world are real viruses in the wild.
Zero-day or 12th-day or next-year, is just jerking off in a laboratory, unless the flaw is exploited in a real virus that makes a real botnet.
I'm saying this about Windows as much as MacOS, too -- it has nothing to do with OS. It's about REALITY. Your eagerness to pick up the mantle of the crap tech journalists is unbecoming, and I'm calling you on it.
Yes on the first half, and a very silly statement in the second hals.
What they had before the Intel Macs was software emulation. Now they have "virtualization" (in the form of VMware Fusion, Parallels, and others).
Now shock me and admit you don't know the difference between "emulation" and "virtualization".
I use Preview and the Firefox Plugin on the Mac and Foxit on Windows. I abandoned Adobe Reader on both platforms not because of security but because of bloat.
I also use 7-Zip on Windows instead of WinZip. More functionality, less vulnerability to security holes.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.