  1. #326
    Join Date
    Sep 2006
    Location
    Cardiff - United Kingdom
    Posts
    1,569
    Quote Originally Posted by RudiVisser View Post
    I'm trying to work out if you're being serious with everything I've quoted above.... You're so amazingly wrong.
    Yeah you're right - Harzem is basically saying "Please come and hack me". I give it 30 hours' CPU time needed to get the plain text of his password. And 2 hours' CPU time to find a collision which can be used to login to his WHT account here.

    Seriously guys, this is a security threat. Despite the first post, vBulletin *does not* use a "highly complex" hashing algorithm. MD5 was broken in 2005, it's weak (why vBulletin use it is beyond me) - relatively weak even with the salt. Change your passwords!

  2. #327
    Quote Originally Posted by tristanperry View Post
    Seriously guys, this is a security threat. Despite the first post, vBulletin *does not* use a "highly complex" hashing algorithm. MD5 was broken in 2005, it's weak (why vBulletin use it is beyond me) - relatively weak even with the salt. Change your passwords!
    It's true that MD5 isn't collision proof. However, that doesn't affect the ability to brute force a password. Salted and MD5 hashed passwords aren't feasibly reversed. It's still the de facto standard for password security.

    If you're still concerned, change your passwords.
    Novawave Inc.
    Nathan Lapierre | Director

  3. #328
    Join Date
    Sep 2006
    Location
    Cardiff - United Kingdom
    Posts
    1,569
    Quote Originally Posted by novanet View Post
    It's true that MD5 isn't collision proof. However, that doesn't affect the ability to brute force a password. Salted and MD5 hashed passwords aren't feasibly reversed. It's still the de facto standard for password security.

    If you're still concerned, change your passwords.
    I now prefer SHA1, although even its predecessor has been broken. And I agree that the salt does mean that it can't easily be reversed, however that isn't what's needed.

    If someone on WHT doesn't change their password, all you need to do is find a collision and you can log in with that. And a collision can now be found (on average) in 2 hours' CPU time (8 hours on a 1.6GHz single proc/core CPU).

    That's how the hacker yesterday was posting on someone else's account (a premium member's account with 1000+ posts, in fact). He simply found a collision and logged in using it.

    It isn't a case of changing your password if you can be bothered. It's a case that your WHT account can now easily be compromised using the old password. I agree that reverse engineering it into the plain text isn't too easy, but that really isn't the issue here.
    Last edited by Tristan Perry; 03-24-2009 at 07:56 AM.

  4. #329
    Join Date
    Sep 2004
    Location
    20 00 N, 77 00 E
    Posts
    51
    I believe iNET has more blame to bear since it's their developers/administrators who make the updates/changes on the code/server settings for including more features, and hence should know the systems like the back of their hand, and it's highly unlikely for a rackspace admin to administer the server effectively without knowing the details.
    Moreover, the dev team should constantly work in sync with their security/administrative team to ensure that the systems are thoroughly tested... and as the saying goes, security is not a one time stuff... but a way of life (for the developers/administrators/security specialists).
    I didn't excuse them, I said they're both to blame

  5. #330
    Join Date
    Dec 2006
    Location
    Hull, East Yorkshire (UK)
    Posts
    18
    Quote Originally Posted by novanet View Post
    It's true that MD5 isn't collision proof. However, that doesn't affect the ability to brute force a password. Salted and MD5 hashed passwords aren't feasibly reversed. It's still the de facto standard for password security.

    If you're still concerned, change your passwords.
    To be fair, it just means reversing the hash once, removing the salt, and reversing it again. Remember the "hacker" has the salts too..
    Rudi Visser, Senior Developer
    Mage UK Ltd - Website Design and Development, Corporate Software/Web Development Outsourcing, Online Payment Specialists.

  6. #331
    Join Date
    Mar 2009
    Posts
    3,816
    Quote Originally Posted by (dub) View Post
    I had to register again since I registered in January 2009. Sighs..
    Heh. Same here, I reg'd in Nov though.

  7. #332
    Join Date
    Feb 2006
    Location
    Kusadasi, Turkey
    Posts
    3,379
    Quote Originally Posted by tristanperry View Post
    Yeah you're right - Harzem is basically saying "Please come and hack me". I give it 30 hours' CPU time needed to get the plain text of his password. And 2 hours' CPU time to find a collision which can be used to login to his WHT account here.

    Seriously guys, this is a security threat. Despite the first post, vBulletin *does not* use a "highly complex" hashing algorithm. MD5 was broken in 2005, it's weak (why vBulletin use it is beyond me) - relatively weak even with the salt. Change your passwords!
    Then come and hack me

    MD5 is broken ONLY with a known input, I mean if you KNOW my password, you can find another one with the same MD5 result. If you don't know the input, you are out of luck.

    I'm an encryption expert, I have academically studied several encryption methods, hashing algorithms, RSA systems, collision and other types of attacks: I even devised a few encryption and hashing algorithms myself.

    And believe me, in terms of storing passwords, md5 is perfectly secure for now. This is why I can bravely show my password hash publicly, as well as the salt.

    However md5 is weak for authentication test, I mean if you want to verify the origin of a message, and if you suspect a third party has the source, then they might have created another message with the same md5 result. But for passwords, if the third party knows the password, then they have nothing to break.
    Fraud Record - Stop Fraud Clients, Report Abusive Customers.
    █ Combine your efforts to fight misbehaving clients.

    HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
    █ Large and awesome portfolio, just visit and see!

  8. #333
    Join Date
    Dec 2006
    Location
    Hull, East Yorkshire (UK)
    Posts
    18
    Quote Originally Posted by Harzem View Post
    Then come and hack me

    MD5 is broken ONLY with a known input, I mean if you KNOW my password, you can find another one with the same MD5 result. If you don't know the input, you are out of luck.

    I'm an encryption expert, I have academically studied several encryption methods, hashing algorithms, RSA systems, collision and other types of attacks: I even devised a few encryption and hashing algorithms myself.

    And believe me, in terms of storing passwords, md5 is perfectly secure for now. This is why I can bravely show my password hash publicly, as well as the salt.
    Really..? Are you being 100% serious in all of your posts..?

    I assumed they were a bad attempt at jokes
    Rudi Visser, Senior Developer
    Mage UK Ltd - Website Design and Development, Corporate Software/Web Development Outsourcing, Online Payment Specialists.

  9. #334
    Join Date
    Feb 2006
    Location
    Kusadasi, Turkey
    Posts
    3,379
    Quote Originally Posted by RudiVisser View Post
    Really..? Are you being 100% serious in all of your posts..?

    I assumed they were a bad attempt at jokes
    My regular jokes are a lot funnier, if you don't laugh, it's not a joke

    Yes I was serious about the passwords. But I just might have made a bad joke about my post count dropping a whopping 15%!
    Fraud Record - Stop Fraud Clients, Report Abusive Customers.
    █ Combine your efforts to fight misbehaving clients.

    HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
    █ Large and awesome portfolio, just visit and see!

  10. #335
    Join Date
    Apr 2004
    Location
    UK
    Posts
    1,334
    Quote Originally Posted by Harzem View Post
    I'm an encryption expert
    Then you would know that encryption and MD5 hashing have nothing to do with each other

  11. #336
    Join Date
    Feb 2006
    Location
    Kusadasi, Turkey
    Posts
    3,379
    Quote Originally Posted by Jamie Edwards View Post
    Then you would know that encryption and MD5 hashing have nothing to do with each other
    As a matter of fact they do. Both are designed by the same guys and similar principles.

    The similarities occur to you when you are deep inside the job, something like spending months with pure binary.
    Fraud Record - Stop Fraud Clients, Report Abusive Customers.
    █ Combine your efforts to fight misbehaving clients.

    HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
    █ Large and awesome portfolio, just visit and see!

  12. #337
    Join Date
    Apr 2004
    Location
    UK
    Posts
    1,334
    Quote Originally Posted by tristanperry View Post
    Seriously guys, this is a security threat. Despite the first post, vBulletin *does not* use a "highly complex" hashing algorithm. MD5 was broken in 2005, it's weak (why vBulletin use it is beyond me) - relatively weak even with the salt. Change your passwords!
    Why is MD5 hashing with salt 'relatively weak', and relative to what?
    .
    » Kayako customer service software and live chat software- your customers deserve better than helpdesk

  13. #338
    Join Date
    Sep 2006
    Location
    Cardiff - United Kingdom
    Posts
    1,569
    Quote Originally Posted by Harzem View Post
    Then come and hack me

    MD5 is broken ONLY with a known input, I mean if you KNOW my password, you can find another one with the same MD5 result. If you don't know the input, you are out of luck.

    I'm an encryption expert, I have academically studied several encryption methods, hashing algorithms, RSA systems, collision and other types of attacks: I even devised a few encryption and hashing algorithms myself.

    And believe me, in terms of storing passwords, md5 is perfectly secure for now. This is why I can bravely show my password hash publicly, as well as the salt.

    However md5 is weak for authentication test, I mean if you want to verify the origin of a message, and if you suspect a third party has the source, then they might have created another message with the same md5 result. But for passwords, if the third party knows the password, then they have nothing to break.
    Okay then. So what is the MD5 hash of:

    d131dd02c5e6eec4693d9a0698aff95c
    2fcab58712467eab4004583eb8fb7f89
    55ad340609f4b30283e488832571415a
    085125e8f7cdc99fd91dbdf280373c5b
    d8823e3156348f5bae6dacd436c919c6
    dd53e2b487da03fd02396306d248cda0
    e99f33420f577ee8ce54b67080a80d1e
    c69821bcb6a8839396f9652b6ff72a70

    and


    d131dd02c5e6eec4693d9a0698aff95c
    2fcab50712467eab4004583eb8fb7f89
    55ad340609f4b30283e4888325f1415a
    085125e8f7cdc99fd91dbd7280373c5b
    d8823e3156348f5bae6dacd436c919c6
    dd53e23487da03fd02396306d248cda0
    e99f33420f577ee8ce54b67080280d1e
    c69821bcb6a8839396f965ab6ff72a70

    To me it seems that they both lead to exactly the same MD5 hash, right?

    Meaning there is more than one way to get to your password hash (with the salt) - hence once this collision is found your WHT account can be compromised without knowing your main password.

    If I'm wrong here I'd like to know where

    Quote Originally Posted by Jamie Edwards View Post
    Why is MD5 hashing with salt 'relatively weak', and relative to what?
    I said that *MD5* is weak. It's weaker than other hashing algorithms that haven't yet been broken (for example SHA1)

    And so, whilst MD5 hashing with a salt is fairly strong, it's still relatively weaker than other hashing algorithms (that haven't yet been broken) with a salt.

  14. #339
    Join Date
    Feb 2006
    Location
    Kusadasi, Turkey
    Posts
    3,379
    You are proving my point.

    They have the same hash, because the designer had access to one of the SOURCEs, and designed the other accordingly.

    That's what I've been talking about since the beginning. You have to KNOW the password to devise another password that produces the same md5 hash. But since in the WHT case the attacker doesn't know the source password, he cannot create another with the same md5 hash.
    Fraud Record - Stop Fraud Clients, Report Abusive Customers.
    █ Combine your efforts to fight misbehaving clients.

    HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
    █ Large and awesome portfolio, just visit and see!

  15. #340
    Join Date
    Mar 2004
    Location
    Singapore
    Posts
    6,990
    Maybe you can give us some citations of journals you have written for those uninitiated like me to further admire your expertise? A Tier 1 journal will be great.


    Quote Originally Posted by Harzem View Post
    Then come and hack me

    MD5 is broken ONLY with a known input, I mean if you KNOW my password, you can find another one with the same MD5 result. If you don't know the input, you are out of luck.

    I'm an encryption expert, I have academically studied several encryption methods, hashing algorithms, RSA systems, collision and other types of attacks: I even devised a few encryption and hashing algorithms myself.

    And believe me, in terms of storing passwords, md5 is perfectly secure for now. This is why I can bravely show my password hash publicly, as well as the salt.

    However md5 is weak for authentication test, I mean if you want to verify the origin of a message, and if you suspect a third party has the source, then they might have created another message with the same md5 result. But for passwords, if the third party knows the password, then they have nothing to break.

  16. #341
    Join Date
    Apr 2004
    Location
    UK
    Posts
    1,334
    Quote Originally Posted by Harzem View Post
    As a matter of fact they do. Both are designed by the same guys and similar principles.
    The only similarity they may share is that Mr. X who worked on MD5 also worked on encryption algorithms. I am not sure what "principles" the two concepts share. They serve two entirely different purposes. Hashing algorithms such as MD5, by their very nature, are not reversible. The data is not recoverable from the resulting hash - the data is worthless. The hint is in the name - messages are digested.

    Encryption, on the other hand, is designed to preserve the integrity of data. The algorithm that encrypts data can decrypt the data (or a complementary algorithm can do so), preserving its integrity in its entirety.

    There is a distinct difference between hashing (finger printing) and encryption. The two concepts are worlds apart.

    Anyway, it looks like we are drifting off topic
    .
    » Kayako customer service software and live chat software- your customers deserve better than helpdesk

  17. #342
    Join Date
    Apr 2004
    Location
    USA
    Posts
    445
    Quote Originally Posted by citricsquid View Post
    This thread makes me laugh, there's three types of people here:

    - I don't care, it's only a forum! Get over it!
    - OMFG INET ARE THE DEVIL AND RACKSPACE ARE MUTANT ALIENS WHO DID THIS
    - oh look, incompetence!
    That sums it up very well.

    I'm not too worried about losing posts. I never had many intelligent thoughts anyhow. Mostly I come here looking for help. I don't know enough to give any help.

    I'm not too worried about my password being stolen, either. I'm smart enough to use a different password for everything.
    ►►►Come join us at A Fun FRIENDLY Christian Forum◄◄◄

  18. #343
    Join Date
    Jul 2004
    Posts
    2,360
    Quote Originally Posted by linux-tech View Post
    So? Does that excuse you for being an incompetent admin (and no I'm not referring to you directly)? Absolutely not.
    Here's the deal, ultimately:
    Rackspace controls 10s of thousands of servers. Do you really think that they know EVERYTHING going on with ALL of them, as an administrator should? No, of course not. That's why "fully managed servers" can't exist at the datacenter level, ANY datacenter!

    TRUE administration comes from attention focused on a handful of machines or businesses, not on some slapstick "message us and we'll think about securing your server" approach!
    I've an online business and I am not an I.T. expert, and Rackspace market their business to people like us, "leave all the I.T. job to them". Now, whether they can do what they promise is another thing. At their price, I would assume they have an administrator for a couple of machines.

  19. #344
    Join Date
    Feb 2006
    Location
    Kusadasi, Turkey
    Posts
    3,379
    Quote Originally Posted by Jamie Edwards View Post
    The only similarity they may share is that Mr. X who worked on MD5 also worked on encryption algorithms. I am not sure what "principles" the two concepts share. They serve two entirely different purposes. Hashing algorithms such as MD5, by their very nature, are not reversible. The data is not recoverable from the resulting hash - the data is worthless. The hint is in the name - messages are digested.

    Encryption, on the other hand, is designed to preserve the integrity of data. The algorithm that encrypts data can decrypt the data (or a complementary algorithm can do so), preserving its integrity in its entirety.

    There is a distinct difference between hashing (finger printing) and encryption. The two concepts are worlds apart.

    Anyway, it looks like we are drifting off topic
    I know all the differences between encryption and hashing, but thanks for enlightening those who don't

    Quote Originally Posted by boonchuan View Post
    Maybe you can give us some citations of journals you have written for those uninitiated like me to further admire your expertise? A Tier 1 journal will be great.
    One doesn't have to write journals to know something. I don't know why you and some others are determined not to believe me. If you don't believe me, please post your own facts about how an MD5 hash can be reverse engineered other than plain pure brute force attack.

    Please read http://www.cryptography.com/cnews/hash.html and several others before commenting how a collision vulnerability will reveal our passwords, I'm eager to see what you have to say.

    And I don't know why people are assuming that I'm lying when I say "I know how hashing works and we are still safe."
    Fraud Record - Stop Fraud Clients, Report Abusive Customers.
    █ Combine your efforts to fight misbehaving clients.

    HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
    █ Large and awesome portfolio, just visit and see!

  20. #345
    Join Date
    Sep 2006
    Location
    Cardiff - United Kingdom
    Posts
    1,569
    Thanks for the information Harzem, my logic must have been wrong

    I still don't feel secure with it out there, hence why I buffed up my security yesterday, although it's nice to know it's less of a risk than I had originally thought.

  21. #346
    Join Date
    Feb 2006
    Location
    Kusadasi, Turkey
    Posts
    3,379
    By the way, any experienced guy can create a hashing algorithm using an encryption algorithm, and anyone can create an encryption algorithm using a hashing algorithm. They are NOT that different topics.
    Fraud Record - Stop Fraud Clients, Report Abusive Customers.
    █ Combine your efforts to fight misbehaving clients.

    HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
    █ Large and awesome portfolio, just visit and see!

  22. #347
    Join Date
    Jun 2003
    Location
    Tampa FL
    Posts
    2,380
    So it's a done deal they are sticking with this backup?
    Ceridius Networks Sales
    Email/MSN sales@ceridius.com
    Ceridius Networks - Reseller of Hivelocity Hosting
    Network Speed Test

  23. #348
    Join Date
    Apr 2004
    Location
    UK
    Posts
    1,334
    Quote Originally Posted by Harzem
    I know all the differences between encryption and hashing, but thanks for enlightening those who don't

    Quote Originally Posted by Harzem View Post
    As a matter of fact [encryption and hashing] do [have things in common]. Both are designed by the same guys and similar principles.

  24. #349
    Join Date
    Oct 2004
    Location
    Oakville, ON
    Posts
    263
    Okay,... So I noticed that every day I have to change my password... Is this something caused by the hack or is this a security thing that's just bugged?

    If I don't change the password I can't access the board.

    Just to be like the rest... hehe Lost 80 posts.

  25. #350
    Join Date
    Jul 2008
    Posts
    972
    Harzem; if MD5 has been 'cracked' then your password is not secure. I could stuff together a basic program that brute forced your password, sure it'd take some time, but it's entirely possible. Ignoring that fact is silly. I don't believe you've not changed your password anyway, this is all for show.
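
Added example, not part of any post in this thread: a defender's audit of what the "it'd take some time" remark in post #350 means in practice, comparing the per-guess cost of salted MD5 with PBKDF2 and turning it into an average search time. The `md5(md5(password) + salt)` layout, the sample salt and password, and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import time


def salted_md5(password: str, salt: str) -> str:
    # Assumed layout: md5(md5(password) + salt) over hex strings, the scheme
    # commonly documented for vBulletin 3.x; the thread does not spell it out.
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def verify_salted_md5(candidate: str, salt: str, stored: str) -> bool:
    # The check accepts any input whose digest equals the stored value, so the
    # hard problem is hitting one fixed target digest (a preimage), which a
    # freely chosen colliding pair of messages does not provide.
    return hmac.compare_digest(salted_md5(candidate, salt), stored)


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    # Deliberately expensive alternative from the standard library.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def seconds_per_guess(hash_fn, rounds: int) -> float:
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(f"guess{i}")
    return (time.perf_counter() - start) / rounds


def average_search_seconds(alphabet: int, length: int, per_guess: float) -> float:
    # On average half of the keyspace is tried before the password is hit.
    return (alphabet ** length) / 2 * per_guess


def audit() -> dict:
    salt = "x7Q"  # constructed sample salt
    stored = salted_md5("correct horse", salt)  # constructed sample password
    kdf_salt = os.urandom(16)
    md5_cost = seconds_per_guess(lambda g: salted_md5(g, salt), 20_000)
    kdf_cost = seconds_per_guess(lambda g: slow_hash(g, kdf_salt), 5)
    return {
        "login_ok": verify_salted_md5("correct horse", salt, stored),
        "login_bad": verify_salted_md5("wrong guess", salt, stored),
        "salt_changes_hash": salted_md5("correct horse", "abc") != stored,
        "md5_cost": md5_cost,
        "kdf_cost": kdf_cost,
        "slowdown": kdf_cost / md5_cost,
    }


if __name__ == "__main__":
    report = audit()
    print(report)
    for name, cost in (("salted MD5", report["md5_cost"]),
                       ("PBKDF2", report["kdf_cost"])):
        days = average_search_seconds(36, 8, cost) / 86_400
        print(f"{name}: ~{days:,.0f} single-core days for 8 chars of [a-z0-9]")
```

The salt makes each user's digest distinct, so precomputed tables do not carry over between accounts, but it adds nothing to the cost of a single guess; only the iteration count of the slow function does.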
