Le fil de Jenfil: March 2017

Passphrases That You Can Memorize — But That Even the NSA Can’t Guess:

Having just read through these comments, my forehead hurts from banging it against the wall and I better flush this explanation out a bit more...

First of all, I'm amazed NO ONE mentioned the classic xkcd comic on memorized random password security: https://xkcd.com/936/ [xkcd.com]

Second, forget about it all you people with your **genius** schemes for generating unique 8-11 character passwords. Congratulations, you've just been hacked. Look up rainbow tables, people!

You are all reinventing square and pentagonal wheels here. It's not working against the threat profile you face, and it's a pain in the ass for you compared to the painless solution that is already out there and explained if you just knew about it...

OK, so here is the true situation you face if you actually want to be secure:
1) You have hundreds of passwords to store.
2) Each one better be 25+ characters of RANDOM data. Otherwise, you face a very realistic threat from brute force / rainbow tables cracking you in trivial amounts of time now or in the near future.
3) You better not be reusing any of them anywhere, cause, you know, hacking.
3a) If you use a standard root and "permute" it, you are relatively safer until one of your sites storing it in cleartext gets revealed, and then guess what, literally *everyone* uses the first character or two of the site name, or one or two letters more than the first characters to permute. So if you are ever an actual individual target as opposed to a mass script kiddie attack, you're toast. I know, and you thought you were so clever!

AND, even if you managed to memorize all this, it's a goddam PAIN IN THE ASS to type these passwords in, especially on phones.

Here is a solution that is 1) easier to remember, 2) faster to access your websites and login, and 3) order of orders of magnitude more secure:

Stesps:
1) Generate a SINGLE 6-7 word diceware PASSPHRASE. https://theintercept.com/2015/... [theintercept.com]
2) Memorize it. This should take you all of two minutes.
3) Download passwordsafe or keepass or another trusted OFFLINE password manager. I'm not going to press my personal preferences here. But it should have an automatic password generator feature.
4) Lock the password manager with your diceware passphrase and start generating 30+ character random, unique passwords for each site you use.

If you have a good tool (I use passwordsafe), you can store the URL, username, and password and with a combination of 3 hotkeys open any website, and login in under 2 seconds for any of the hundreds of TRULY SECURE passwords you store.

You can sync the encrypted pwd manager file to your mobile and other devices and access from there with equal security.

And a passphrase with all lower case letters to unlock your pwd manager is even faster to type on a computer or phone than a single one of these insecure, short, alpha-symbol-numeric jokes people are advocating the genius of here.

OK. Now you know. So spread the word and forget all this elaborate security theater nonsense.

'via Blog this'

University of California, Berkeley, To Delete Publicly Available Educational Content - Slashdot:

"University of California, Berkeley, To Delete Publicly Available Educational Content (insidehighered.com) 318
Posted by BeauHD on Monday March 06, 2017 @05:00PM from the gone-with-the-wind dept.
In response to a U.S. Justice Department order that requires colleges and universities make website content accessible for citizens with disabilities and impairments, the University of California, Berkeley, will cut off public access to tens of thousands of video lectures and podcasts. Officials said making the videos and audio more accessible would have proven too costly in comparison to removing them. Inside Higher Ed reports:

Today, the content is available to the public on YouTube, iTunes U and the university's webcast.berkeley site. On March 15, the university will begin removing the more than 20,000 audio and video files from those platforms -- a process that will take three to five months -- and require users sign in with University of California credentials to view or listen to them. The university will continue to offer massive open online courses on edX and said it plans to create new public content that is accessible to listeners or viewers with disabilities. The Justice Department, following an investigation in August, determined that the university was violating the Americans With Disabilities Act of 1990. The department reached that conclusion after receiving complaints from two employees of Gallaudet University, saying Berkeley's free online educational content was inaccessible to blind and deaf people because of a lack of captions, screen reader compatibility and other issues.

Cathy Koshland, vice chancellor for undergraduate education, made the announcement in a March 1 statement: "This move will also partially address recent findings by the Department of Justice, which suggests that the YouTube and iTunes U content meet higher accessibility standards as a condition of remaining publicly available. Finally, moving our content behind authentication allows us to better protect instructor intellectual property from 'pirates' who have reused content for personal profit without consent.""

'via Blog this'

Thursday, March 30, 2017

Wednesday, March 29, 2017

Monday, March 27, 2017

Sunday, March 26, 2017

Saturday, March 25, 2017

Friday, March 24, 2017

Thursday, March 23, 2017

Tuesday, March 21, 2017

Monday, March 20, 2017

Sunday, March 19, 2017

Saturday, March 18, 2017

Friday, March 17, 2017

Wednesday, March 15, 2017

Tuesday, March 14, 2017

Thursday, March 9, 2017

Wednesday, March 8, 2017

Tuesday, March 7, 2017

Monday, March 6, 2017

Saturday, March 4, 2017

Friday, March 3, 2017

Thursday, March 2, 2017

Wednesday, March 1, 2017