Falling asleep on a park bench will get the cops to check up on you. Ok, I’m fine with that. Then they decided that he wasn’t giving them the information they wanted, so they decided to arrest him. This sort of thing is why police immunity should be conditional on whether or not the police were acting within the law, within department policy, or at least making an attempt to do so.
Sometimes I wonder if we would be better off getting rid of the cops and handling criminals ourselves.
A company that makes pistol braces gets its customer database breached. There are four possibilities here:
I am betting that the incident is either 2, above. Some lefty is going to anonymously notify the ATF that they have a list of lawbreaking owners of SBRs. Since the new rule outlawing unregistered pistol braces was published today, you have 120 days to register your (now) SBR or become a felon. Isn’t that a sweet little coincidence?
The miscreants got away with each user’s credit card number, expiration date, CCV code, cardholder name, address, phone number, and email address. If you have ever done business with SB tactical, you should consider all of that information as being compromised and in the possession of people who mean to steal your money, your life, or your freedom.
We know that the feds are now enlisting people in the private sector to do their unconstitutional dirty work. It can’t be too much longer before the informers are everywhere and people become vzyali.
On a side note, as of today I will no longer be in possession of a pistol brace equipped firearm. I am not registering shit.
In our discussions of securing our information, we have discussed that there are multiple ways to authenticate a user. There are actually three main ways to authenticate someone:
Multifactor authentication is simply a method of using more than one of the above methods to secure your stuff. In order to gain access to your information, a black hat would need to possess or have knowledge of more than one of them. A couple of examples:
At the hospital, to gain access to patient medical records, I need to know my password and swipe my identification badge and the RFID tag inside of it. A thief would have to get an authorized employee’s password and my ID badge in order to gain access to medical records. Even then, only the patients who are assigned to me (or my department) are visible to me, and even then only if I am on an IP that belongs to my hospital or a partner organization.
What many companies do: you need the password, and the company sends a text to your cell phone containing a 6 digit PIN that expires relatively quickly, say 2 minutes or so. This is to verify that the person logging in not only knows the password, but is in possession of the legitimate user’s cell phone.
There are weaknesses to all of the above methods. The employee’s badge RFID code be read or intercepted and spoofed, and since it doesn’t change unless a new badge is issued, is not as secure as we would like.
The problem is that SMS isn’t a secure way to perform MFA.
This is because SMS messages rely on the security of phone networks and phone companies. Both, sadly, are notoriously easy to access. While some text messages are encrypted user-to-user – think iMessages between iPhones or WhatsApp messages – SMS messages are in plain text form. Plain text messages are not encrypted between sender and receiver, so if attackers can intercept the message, they can read the content. Unfortunately, SMS messages are easy to intercept. Even Microsoft is advising people to stop using SMS as a method of MFA.
Biometric MFA data has one large weakness- your retina, voice, and finger prints never change. If the hash of the image can be spoofed or copied, the black hat has your data forever. That isn’t secure.
The most secure MFA is a hardware key. There are many out there, and the way that they work is both simple and complex. Currently, the most secure method of hardware key MFA is carried out with a protocol called Universal 2nd Factor, or U2F. The method used here is something very familiar to old school Internet fans who remember the PGP encryption software: public-key cryptography.
In public-key cryptography, instead of using just one key, we use a pair of keys — one key is used to lock something away digitally and only the second key in the pair can unlock it. I can keep one key — my private key — and put the public key out there for you to use. Since only my private key can unlock anything locked up by the public one, once you lock it, no one else can use the key I left out there but the person in possession of the private key.
These keys are called a key pair and are mathematically linked. I can create as many public keys from a private key as I want, but you no one can recreate my private key from a public key. Genius, right? So how does this apply to MFA?
Key pairs can be created using software, but in the case of U2F, the private key is generated using a unique secret that is embedded during the manufacturing process and is hardwired into the circuitry of the hardware key, which is what makes it so secure.
So how it works is that you register for an account using the system that we are all familiar with- a user ID and password. Don’t forget to use a strong password. Then you register your hardware key. The server then sends a challenge consisting of a random number and an AppID to the user’s device. The hardware key then generates a nonce and hashes it together with the AppID and the secret key that is hidden in its electronic brain using HMAC-SHA256 to create a private key that is specific to that AppID. From this private key, a public key is derived, along with a checksum. This is returned to the server, who stores it for later. The next time you go to that website, the server will verify that the hardware key is the same one that it has dealt with before by sending you the public key, thus making sure that the server is valid and securing you from a man in the middle attack. Why? Because the domain is hashed together with the device secret password, so if you’re on a phishing website, the token will generate a different key, and the checksum will fail.
If the information was sent from a legitimate server, it should result in the same public key since the secret inside the device didn’t change. The device will then encrypt the challenge sent by the server with the private key and send it back to the server. Now both parties have verified that they are indeed talking to the people they think they are.
Since each nonce and checksum is unique to that login request, they change every time. This makes sure that your key cannot be spoofed. It’s like using a one time pad for MFA. All cryptographic operations happen inside the token. By the time the private key leaves the token, it already has been hashed using SHA-256, so even if the user doesn’t know that the client is compromised, it’s still safe to use the token.
Because of the nature of this system, it ensures that you are protected from:
No matter how you keep your passwords, they are vulnerable to being discovered or stolen. A hardware key that is properly setup will make the possession of the password irrelevant without possession of the key. If you lose the key, it is worthless without the password. The key also prevents you from logging into phishing sites, because it confirms for you that the site you are giving your credentials to is the legitimate one.
When you use a hardware key, always register two of them to each account, then lock one away in your safe. This insures that, should you lose the hardware key that you carry around, you aren’t permanently locked out of your accounts.
For right now, the most secure method of authentication is to use a unique user ID and password for each account you have. The password should consist of the four character types, random, and be at least 16 characters. Your passwords should change periodically. You should enable hardware key MFA for any sites and applications that support them, and use SMS MFA for any that do not. Although SMS MFA is flawed, it is better than not using MFA at all.
Internet crime is increasing, and the best defense is to harden your systems to the point where others are easier targets than you.
Some Illinois sheriffs are refusing to comply with the state’s new assault weapons ban.
The Uvalde Police Chief was interviewed the day after the school shooting. During that interview, he admitted that – well, you can read it for yourself:
When I opened the [school] door, I saw the smoke,” he recalled, saying “shots started firing” again as he and a colleague started nearing the classroom where Ramos was holed up with kids and teachers. “Obviously, I backed off and started taking cover,” the lead officer said, which CNN noted was in clear defiance of training that insists officers risk their own lives to “neutralize” active shooters.
“I know there’s probably victims in there and with the shots I heard, I know there’s probably somebody who’s going to be deceased,” he acknowledged of the room he backed away from.
But he felt the “priority” was the “preservation of life” of those not under the “immediate threat.”
“Once I realized that was going on, my first thought is that we need to vacate” the rest of the school, he said, telling arriving officers that “we’re taking [other] kids out first.”
You know what else would have saved the lives of those who weren’t under imminent threat? Enter the room and shoot the murdering bastard in the fucking face!
If he had any scruples at all, he would eat the barrel of his service pistol. Then again, if he had any scruples at all, this would never have happened.
Sorry, but cops are seldom heroes and when push comes to shove, they back out and hope someone else will take care of it. Parkland, Uvalde, and others have proven this to be the case.
This is yet another installment of the passwords series that I have been working on. I recently asked some of the people in comments how they secure their passwords. I got a few variations of “I don’t use technology” as an answer. They fell into the following general categories, with most people falling into more than one of them:
Let’s talk about them one at a time. The first one: “I use secure passwords for important stuff, but I use one common password for everything else.” This is a trap that I myself fell into at one point. Here is the basic pitfall: All the black hat needs is to access one of your “unimportant” accounts to access so many others. Back in 2014, Home Depot was compromised when credentials stolen from one of the retailer’s vendors were used to access their computer system. The files of their customer database were stolen. It was a gold mine, containing point of sale records, credit card numbers, names, addresses, login information, and passwords. The breach cost Home Depot nearly $180 million.
Now the black hats have your name, address, telephone number, zip code, the name of your credit card company or bank, credit card number, user name, and password. They enter your login name and password into the computer database that they are using to crack other accounts, and they can now gain access to your other accounts. In fact, stolen credentials are often the most valuable things stolen during a data breach. Do you want to see if your credentials are being distributed on the Internet? Click here. The email that I use for day to day business has been compromised in 8 different data breaches. This information is very useful in spear phishing attacks like this one.
The use of computer assistance in breaching systems makes it easier, cheaper, and faster than ever before. The black hats are using GPUs and PCIe SDDs to attack large numbers of passwords in a short period of time in a method that is very similar to, and much more lucrative than BitCoin mining. This allows your life to be attacked with easy profits. Passwords that are invented by you using some code that you think is clever is easily cracked by a black hat with a computer.
Even in the event that you don’t use a computer or a phone, you are still vulnerable to social engineering scams that use the information from large data breaches like the Home Depot breach. The attacker contacts the victim disguised as a representative of some institution, trying to get as much personal info as possible. There’s also a chance that by posing as a bank or Google agent, he or she might get the password or credit card info right away. Contrary to other techniques, social engineering can happen offline by calling or even personally meeting the victim. 22% of all cyber crime is the result of social engineering.
Think you are too small of a fish to be a target? Think again. Targeting individuals is fast becoming the trend. A black hat can set up a computer to target you, having selected you from the list obtained from a previous company data breach, and can empty your bank accounts with less than a weeks’ work. What’s in your bank account? Twenty grand? More? Would a thief find that amount to be fair in exchange for a week’s effort?
Watch the show “To catch a thief.” People on that show always think that they are clever because they hide valuables, but the thief in this show always manages to find the hiding spots because they don’t search in the same way a homeowner does. Electronic information and its security works the same way.
No matter how you decide to do it, take the time to secure your accounts and your information using the best practices we have discussed here. You make think you are clever and have invented a system that no one else has ever thought of, but you are probably wrong.
Or continue to play the odds. Just remember the statistics:
Here are some password security statistics:
You carry a gun to secure yourself from armed robbers, yet you are 200 times more likely to be the victim of internet crime. Think about that for a minute.
Frederick Douglass once said: “The limits of tyrants are prescribed by the endurance of those whom they oppress.” This is a universal truth. We get as much tyranny as we are willing to endure without taking action. That’s what caused me to write the post about workplace violence from today.
It’s also caused me to write my opinion on the Taqueria shooting in this post. We all know the story. A man is sitting in a restaurant enjoying dinner when an armed robber comes in. The armed robber takes everyone’s money, and our hero pulls his weapon and smokes his ass. Now the law is talking about prosecuting the hero.
There has been a lot of debate as to whether or not the man should have taken as many shots as he did. I will grant you that the law says shooting someone who is down and out of the fight is illegal. That’s where I have a problem. See, the dirtbag who was killed had already murdered one person while committing a similar robbery in 2015. He shot and killed a man and saw his charges pled down to aggravated robbery, for which he was sentenced to 15 years in prison. He served only about a third of that reduced sentence. For killing someone, he served about 5 years in prison. Keep in mind that there are people who committed the crime of trespassing in the US Capitol during the J6 protests that are still in prison awaiting trial two years later.
We as a people should decide that we have had enough. The law is not there to protect law abiding people from criminals. There are many more law abiding citizens than there are criminals. No, police are there to protect accused criminals so that they are ensured of getting a fair trial.
That system is broken. Now the criminals are getting more lenient punishment than are the law abiding.
I will never get put on a jury because I am a gun owning, employed white male. However, if I ever was, no one who takes out the trash like this would EVER be found guilty. I wouldn’t care if he had tied his hands behind his back and put a bullet behind his ear. As far as I am concerned, that would have been a public service.
Perhaps his lawyer can make the case that the critter, having been shot 8 times was already dead, and therefore his client’s only violation of the law was abuse of a corpse, then plea it down to something else like vandalism.
I firmly believe that no employee should have to sit at work and be threatened with physical violence. While at work, I am threatened with violence against my person and family several times per week. Since I was suspended for the patient’s accusations the week before Christmas, I have been threatened at least three more times.
One of the nurses that I work with told me that I have too short of a fuse when it comes to threats, and I need to understand that most people are just venting and don’t really mean it. I agree that most people don’t mean it, but how do you really tell the difference? Why should I have to? If a person has so little impulse control that they can’t stop themselves from issuing threats of death or physical violence every time something doesn’t go their way, when does it stop?
My hospital, like most employers, doesn’t permit concealed carry for employees. So what happens when one of these people who doesn’t mean it comes in and decides that they DO mean it? The one who pays the price for misjudging the idiot’s ill intent is me, but certainly not my employer.
It’s the attitude displayed by this fellow nurse that results in no one saying anything when a mass shooter turns out to have been saying all sorts of disturbing things, and people inevitably say “Why didn’t anyone report this before he snapped and killed half a dozen people?”
That’s my problem with the cop who threatened to kill me before physically attacking me. The police wouldn’t press charges because they said that the man had a medical problem and was delusional, therefore wasn’t responsible for his actions. OK, I can see that. But then why does someone who isn’t and can’t be responsible for their violent actions still permitted to carry a weapon under LEOSA because he is a retired cop?
It isn’t just my employer, it’s most employers. They have taken the attitude of “the customer is always right” to the extreme, and now we see attacks and threats by customers becoming commonplace. Why is that? Because our legal system absolves employers of liability for customers’ actions while at the same time punishing employers by making them liable for the actions taken by employees in self defense. It sets the stage for making employees more easily and cheaply being replaced than violent customers.
When I was younger, I was told that locks are there to keep honest people honest. I look at passwords the same way. Make your passwords as secure as they can be, but know that a thief can target you and take your stuff with enough effort. Just try to make your stuff harder to steal than other people’s stuff. They will move on to more easily stolen loot.
Hackers have advanced to using computers to crack passwords. The black hats are using GPUs and PCIe SDDs to attack large numbers of passwords in a short period of time in a method that is very similar to, and much more lucrative than BitCoin mining. When you have to guess from billions of combinations, computer assistance is required, and they are very good at it. These tools are easily downloaded from the Internet, and each tool has its pros and cons.
Here is a list of the most popular password cracking tools.
Featured in many popular password cracking tools lists, John the Ripper is a free, open-source, command-based application. It’s available for Linux and macOS while Windows and Android users use a version of the software called Hash Suite.
John the Ripper supports a massive list of different cipher and hash types. Some of those are:
There’s also a Pro version with extra features and native packages for supported OS. Word lists used in password cracking are on sale, but free options are available as well.
Ophcrack is a free and open-source password cracking tool that specializes in rainbow table attacks. To be more precise, it cracks LM and NTLM hashes where the former addresses Windows XP and earlier OSs and the latter associates with Windows Vista and 7. NTLM is also available, to a certain degree, on Linux and freeBSD. Both of these hash types are insecure – it’s possible to crack a NTLM hash in less than 3 hours with a fast computer, but there are still companies out there that use this hash, simply because they are too cheap to upgrade to newer, more secure software.
As you can see in the screenshot above, it took Ophcrack merely six seconds to crack an 8-symbol password while using a rainbow table that includes letters, numbers, and uppercases. An 8 symbol password using upper, lower, and numerical characters has 62^8 combinations (218.3 trillion possible combinations) doing nothing more than adding in symbols and increasing the number of characters to 10 would make the password 500 million times more difficult to crack. That six seconds becomes 5,700 years.
The password 9136668099 is 10 characters long and only made of numerical characters, and took 4 days to crack. Imagine how much longer that would have taken, had upper, lower, and special characters been added.
This tool comes with free Windows XP/Vista/7 rainbow tables and a brute force attack feature for simple passwords. Ophcrack is available on Windows, macOS, and Linux.
Downloaded almost 2 million times from its official source, Cain & Abel is another popular tool for password cracking. But contrary to John the Ripper, it uses GUI, making it instantly more user-friendly. That and the fact that it’s available on Windows only makes Cain & Abel a go-to tool for amateurs, also known as script kiddies.
This is a multi-purpose tool, capable of many different functions. Cain & Abel can act as a packet analyzer, record VoIP, analyze route protocols, or scan for wireless networks and retrieve their MAC addresses. If you already have the hash, this tool will offer a dictionary or brute force attack option. Cain & Abel can also display passwords that are hiding beneath the asterisks.
The biggest selling point of THC Hydra is the large number of protocols it supports. This is an open-source network login password cracking tool that works with Cisco AAA, FTP, HTTP-Proxy, IMAP, MySQL, Oracle SID, SMTP, SOCKS5, SSH, and Telnet, to name but a few.
The methods available with THC Hydra include brute force and dictionary attacks while also using wordlists generated by other tools. This password cracker is known for its speed. It can even run checks on different protocols simultaneously. THC Hydra is available on Windows, macOS, and Linux.
The world’s fastest password cracker, Hashcat is a free open-source tool that’s available on Windows, macOS, and Linux. It offers a number of techniques, from simple brute force attack to hybrid mask with wordlist.
Hashcat can utilize a computer’s CPU and GPU at the same time. This makes cracking multiple hashes simultaneously much faster. But what makes this tool truly universal is the number of supported hash types. Hashcat can decipher MD5, SHA3-512, ChaCha20, PBKDF2, Kerberos 5, 1Password, LastPass, KeePass, and many more. In fact, it supports over 300 hash types.
But before they can crack your passwords, black hats need to have the password hash. Here are some of the most popular tools for getting hash:
The best defense against password cracking is using a strong password. Using enough symbols and different types of characters ensures that even the fastest computer won’t crack your account in this century. And since remembering multiple strong passwords is unlikely, the best bet is to use a reliable password manager. Multi-factor authentication (MFA) is still a pain in the rear for any hacker, so adding that to your arsenal will go a long way to making things more secure. More on MFA later.
How did they do that? Because of the overly broad wording of their new assault weapons ban (edited to clean up the text to make it more readable, but not change the wording):
(3) "Assault weapon" means:(snip of irrelevant sections A and B)
(C) A semiautomatic rifle that can accept or can be modified to accept a detachable magazine and has at least one of the following:
emphasis added
(i) A folding, telescoping, or collapsible stock.
(ii) Any grip of the weapon, including a pistol grip, a thumbhole stock, or any other stock, the use of
which would allow an individual to grip the weapon, resulting in any finger on the trigger hand in
addition to the trigger finger being directly below any portion of the action of the weapon when firing.
Now picture any semiauto rifle you can think of. Now tell me which one, if any, sees the pinkie finger of the trigger hand not being below the action of the rifle.
Thus, all semiauto rifles in Illinois are now legally defined as assault weapons and are thus illegal to possess, transfer, or own.