Everything posted by stingwray

  1. I'm actually in NYC for about two months and HOPE falls over those weekends, which is why I'll have a look. I'm looking at CCC this year and Defcon next year hopefully. I'll bear in mind that it might be a little too political then! :-p
  2. I won't be making it to Defcon this year but probably next year, all being well. However, it is looking increasingly like I'll be attending The Next HOPE in NYC this year. Anyone planning on getting to this?
  3. Although websites are good, I find that books can really be a cut above the rest. In which case I recommend: C++ Primer - http://www.amazon.co.uk/C-Primer-Stanley-B...6563&sr=8-1 and Effective C++ - http://www.amazon.co.uk/Effective-Specific...6622&sr=1-1 C++ Primer is very much a reference, although you could read it cover to cover if you want. However, Effective C++ is just a brilliant book which you really must read cover to cover. Not because what you learn in the beginning of it is needed for later parts (in fact it pretty much references things all over the place, which is a little annoying at times), but because what you will learn you will need later in your designs and implementations. You'll also pick up better practices which will make you a better programmer later. Both are well worth the cost and through Amazon they are pretty damn cheap.
  4. Sounds like you have got a pretty packed week ahead, hope you enjoy our country.
  5. Personally I like the look of the HP Mini 11 and the Sony W Series, if you're wanting to spend a decent bit of money on it. Otherwise you don't seem to be able to go wrong with a Dell Mini 9 or 10. If you're going to be using it for any decent amount of time, look for a screen with a resolution greater than 1024x600, as personally I find that the most limiting factor of netbooks. ION graphics is a great bonus if you can get it.
  6. Regexes are very lean, especially if used correctly, certainly no more intensive than the other methods that you have specified if doing the same job. This is also the beauty of Perl, there are so many ways of doing things (admittedly it can be a bad thing as well). Also, Perl is an interpreted language; if you want out and out speed you should be using something like C++. Newlines are never more than 1 byte, you might have a carriage return on a system, but that is an additional special character. Of course that's ASCII, with Unicode slightly different. I never use chomp() as I dislike the function and the way it is used. Almost always I will match on what I want with a regex and just ignore the end.
  7. I use Avast Free on my Windows machine, mainly to shut up the security console from telling me that I'm not protected all the time and that I'm going to get AIDS. I can't remember the last time that I had a virus. I'm vaguely more worried about malware and such from browsing the internet, but most of the browsers do a decent job of preventing that or warning you before now, and you'd never guess, there are free applications which will search and remove malware and spyware as well! So wait a minute, if I can get all the tools that I need for free, but they are just not bundled as one, why should I be paying someone for the privilege of bundling it all together? In my opinion paying for AV protection packs is for the idiots that can't use a computer and people who are too lazy to administer their computer properly.
  8. Actually, if you use a 10 character long password and 62 characters to produce it from you have 62^10 possible passwords, which is a lot less than 10^62. It doesn't matter whether Linux and Mac OSX have other PRNGs, Python uses its own Mersenne Twister implementation in C. The difference would be in seeding the PRNG, which you're letting the operating system do in its default way, which for the majority of systems is the current time, which is an extremely poor seed. An example of how this is done slightly better is in TrueCrypt, which takes input from mouse movements to help randomize the seed. 'papapapa' is only an example, there are many others which are easily equatable. If you want to come back onto maths, the chances of two characters coming up next to each other are 1/(62^2). Now 1/(62^2)*62^10 is not a trivial number to reduce the number of possible tries by. Plus I have the added benefit that you also don't allow three/four/five same characters in a row, so I can remove even more! Coding something to remove bad passwords wouldn't be hard or intricate to get good results; a good password has a high amount of entropy between characters, just don't accept passwords below a threshold, which, should the user want, could be changed. I wouldn't worry about shoulder surfing, the user has to worry about that, and given that 99% of all password breaking comes from attacking the hash it's not really a problem anyway. I don't know why you say "Sorry for wasting your time,", I'm trying to help you make your software better. If you would rather produce poor quality software then please ignore all my comments.
  9. You need to understand random number and pseudo random number generators more before thinking this is a good idea. Start with the Python documentation. Python Doc - Random In particular, you need to look at: So there is nothing random about your program and it could very easily be repeatable. Also it makes generating lists of passwords completely pointless as the PRNG is deterministic. Also, as an attacker, thanks for removing all passwords with the same character next to each other, this cuts the size of my dictionary and brute force attacks considerably. A password with two characters next to each other is not a bad password. A bad password would be 'papapapa' where 'oP9nn7Ae' is miles better.
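Posts 8 and 9 above argue about how much a "no two identical characters in a row" rule shrinks the 62^10 keyspace and about seeding the generator. The following script is an added example (Python 3, not code from the thread or from the generator being discussed): it counts the keyspace with and without that rule, checks the two sample passwords from post 9 against it, and contrasts a Mersenne Twister instance with a known seed against the secrets module.

```python
import math
import random
import secrets
import string

# The 62-character alphabet the thread reasons about: a-z, A-Z, 0-9
ALPHABET = string.ascii_letters + string.digits


def keyspace(length: int, alphabet_size: int = 62) -> int:
    """All passwords of this length: alphabet_size ** length (62**10 in the thread)."""
    return alphabet_size ** length


def keyspace_no_adjacent_repeat(length: int, alphabet_size: int = 62) -> int:
    """Passwords in which no character equals the one immediately before it.

    The first position has alphabet_size choices; every later position must
    differ from its predecessor, leaving alphabet_size - 1 choices.
    """
    if length == 0:
        return 1
    return alphabet_size * (alphabet_size - 1) ** (length - 1)


def entropy_bits(count: int) -> float:
    """Entropy, in bits, of a uniform choice among `count` candidates."""
    return math.log2(count)


def fraction_rejected(length: int, alphabet_size: int = 62) -> float:
    """Share of the full keyspace that the no-adjacent-repeat rule throws away."""
    full = keyspace(length, alphabet_size)
    return 1 - keyspace_no_adjacent_repeat(length, alphabet_size) / full


def has_adjacent_repeat(password: str) -> bool:
    """True if some character is immediately followed by the same character."""
    return any(a == b for a, b in zip(password, password[1:]))


def generate_seeded(length: int, seed: int) -> str:
    """Mersenne Twister output for a known seed: the same seed always yields the same password."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def generate_secure(length: int) -> str:
    """Password drawn from the OS CSPRNG via secrets: there is no seed to reproduce."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
```

For 10-character passwords the rule removes about 13.6% of the keyspace (roughly 0.21 bits of entropy), while accepting 'papapapa' and rejecting 'oP9nn7Ae'.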
  10. I think we're starting at OpenTech today and then probably moving on to other exciting things. Come down if you can!
  11. Right, well the day is nearly upon us. I'm working tomorrow, but I'll hopefully be leaving a little early, god knows I've deserved it. I'll probably make my way to the pub for about 7:30 rather than going to Trocadero first, depends on my mood. As for Saturday, I looked at the Open Tech 2009 schedule and to be frank, it looks really crap, there was absolutely nothing there that made me think I want to go. So I'd love to find something else to do on Saturday. Looking forward to meeting a few of you.
  12. It's not even most, you have to handle all sorts of encodings to be really safe.
  13. Disk IO sucks really badly on virtual machines generally, which means something like a file server is a bad thing to virtualize. Also, as you don't want to make it suck even more, I wouldn't run virtual machine images across a network. Really the host machine should have decent local storage in a RAID setup that provides protection; the file server should have the same, but then can keep snapshots of the virtual machines backed up.
  14. Erm, same thing, the right hardware is the one that has good drivers written for it.
  15. You might want to offer equity in the company as compensation for initial services, you just have to be careful to specify the amount of time spent before receiving the equity and also how long they must hold the equity for. This means that anybody coming on board would be in it for the long run and have a vested interest in the company succeeding. However, getting that all right is very difficult. It sounds like you're going to want to be bringing more than just a developer on board, almost CTO level, with obviously practical skills as little of the initial work will be management. So you'll need someone with a good range of skills and the ability to think outside the box. Startups are great fun but a lot of work, all the best with yours. If you don't know about it already, check out "This Week in Startups" by Jason Calacanis, you'll definitely find useful information from it even if it's not your first startup.
  16. I'll say Apple in a non-lame way. But to be fair, you can be unlucky with any laptop even if you paid twice as much for it, it's the service that counts like Vako said. I've always found Apple service good and the fact they have retail stores with trained people in them is a big comfort.
  17. I would just go with virtualisation, pick up VMware Server and your life will be so much easier. If your heart is set on having them natively on your machine, then install the hardest first, leaving free unpartitioned space on your hard drives to install the next one, which you'll want to be one that has a good boot-loader, then go for the third and update the boot-loader. If you want to play with server stuff, stick with OpenBSD; knowing FreeBSD will help with OpenBSD, but not by as much as you think. Otherwise go with FreeBSD.
  18. He might just be trying to get you to improve your post; serious people won't look twice at your post because of the lack of information, they aren't going to wait around for more information, they want it now so they can approach you for more information, being actually serious about wanting to get involved. Personally I see this kind of post daily and when they are posted like this, 99.9% of the time they go absolutely nowhere. If you want decent applicants, then write a decent post. You don't even mention what you are developing!
  19. Using a decent programming framework really takes the effort out of things like this, letting you concentrate on the real stuff, dammit I sound like a brochure. For PHP and MySQL I can recommend CakePHP, it will provide you with everything you need, and do what Sparda says, which is the correct answer.
  20. The reason isn't to take longer generating the hash at all. Nearly all hash and encryption algorithms have a number of rounds where, loosely, the more rounds the more messed up the information. But due to some quirks of maths, if you do certain numbers of rounds they will be significantly less secure than if you added a couple more. The number of rounds that the algorithms do is normally set in the implementation. Passwords should always be hashed as the first thing that happens, even before looking up a username to compare the hashes against. I never looked into what OSs do this or not, but it should be all, and all other software should do it as well.
  21. As we have all previously said, everyone is welcome and the more the merrier. There is the general rule of 16 - 18 during the day, 18+ all the time. So you may find yourself unable to join us in the evening; this may not be because we want to get rid of you but we may go places that don't admit under 18s. We certainly won't be buying you alcohol and no offense, but we aren't babysitters either. I think we all just hope to get to do some cool stuff and learn a lot as well as have a hell of a lot of fun.
  22. This is why I don't use TrueCrypt, they go about certain ways which are completely irrelevant and pointless. Hashing data multiple times does nothing but waste resources. For example, say you have some data (D), you hash that, and keep that (H1), hash it again and you get the output (H2) and you can see your way through the path. Now you want to build an exhaustive dictionary to brute-force with, fine. Now in building this exhaustive dictionary, you build it up, you're going to have D, H1 and H2 in your dictionary to try, so you hash them to find and you get H(D) = H1, H(H1) = H2 and H(H2) = new hash but also in your dictionary. So I've found the key which was used and I've only done one hash, not two. You say encryption programs do it to waste resources; wasting resources does nothing to help anyone. A good encryption algorithm does not go through stages of activity, which could then help an attacker decrypt the information by looking at process CPU usage while it is encrypting; there is no need to waste resource to flatten out resource usage if your algorithm is good. Also I hate the TrueCrypt documentation for using "salt" everywhere, salts really aren't that useful with encryption, if you use the proper definition of a salt. Without reading any more of their documentation I think they mean initialization vector, which is random data used in the algorithm to prevent the same data encrypted with the same key at different times looking the same, as if it did this would be valuable information to an attacker. IVs are sent in the clear with the encrypted data, so anyone can read them if they want; they are designed to be of no use to an attacker. Salts have to be kept secret and you would have to remember them so that you could apply them every time you wanted to decrypt your information. At which point you have to keep it like a password and it serves no additional use.
  23. The export of cryptographic algorithms is often heavily prohibited and they are often treated as military assets. I don't know of anyone who bans the import of them, but certainly some countries make it illegal for their citizens to use them; given the internet now, it is extremely difficult to manage this sort of thing. The US government generally doesn't care for backdoors anyway, they just prefer to put restrictions on shipping software; earlier US versions of IE were only allowed to use 64-bit versions of algorithms in SSL, so the government could break it if they wanted. I'll try and find a reference to that tonight.
  24. You could run something like this on AWS very cheaply, your biggest cost would be uploading the data if you had to do it by CUDA; it may even be cheaper to use a large number of instances and Hadoop for creating the table. Storage on AWS is very cheap, sadly bandwidth anywhere is not. Transferring stuff around AWS is free though.