Talked to Sara (my muse) today about trying to work out in my head what to do next – what creative/skill-building exercise or learning opportunity to take on? I’m dying to break out, but hog-tied at the same time to try to assess among all the possible things I’ve thought of – which is most likely to give me the biggest payoff.
Yes I know that the only way to find out for sure is to try something and see how it fits. Yes I intellectually understand that if I’m so focused on outcomes from step one, the right brain creative impulses are necessarily being strangled in the crib. Of course it’s ridiculous to sort through so many things to find the perfect endeavour that lights the clear path to my next career.
All that said, and knowing how crazy I’m making myself, I have to acknowledge the simple truth of the complexities of being Mike: the situation I’m in right now, knowing I’m aspiring and working towards a more creative, ideas-oriented and wide-scoped style of work, and gathering to myself as I have been a preponderance of new things I’ve never tried and all of which occupy the sphere of user-centric creation that I’m convinced is where I belong…right now I have a perfect mental image of how that makes me feel right now:
I’m in a rowboat, surrounded by a sea of a thousand things I could, should and would like to try, and I have no idea in which direction to row to find dry land.
So here’s some of the things that are rattling around just today (for which focusing efforts I’m grateful to Sara for her gentle nudges):
Why do I want to try these things?
– Take small bites of a lot of little things I’d like to become, to see which inspire me
– help me convey my big abstract ideas better to others
– demystify those creative expressions that have felt just behind the looking glass all my life
– tap into long-held adoration of abstract expressions that resonate with my soul
– personal enrichment that makes me feel more confident in my own very personal beliefs and ways of expressing myself
– spark new creative thoughts
– cultivate pure enjoyment at being part of the world of creative beings
– use more parts of my brain – tap into latent talents
A small selection of things I’d like to try:
– drawing classes
– glass blowing
– story boarding (visual)
– storytelling (verbal)
– try creating short videos to convey a personal idea
– more writing from places of conviction
– reading inspiring books in UX & ubiquitous computing
– 3D modelling and design
– certification and degrees
– volunteering to assist others who need my skills
A friend forwarded this to me today – one more in a long narrative of the incredibly reduced value of hashing to make it hard for anyone seeing the hash to determine the original data being hashed (for small-sized inputs). Hashing a password/passphrase, hashing a “unique identifier” – these approaches to obscuring (for lack of a better word) the password/unique ID seem effectively moot to me. I honestly don’t know that there’s any real value in performing the hash and then storing or exchanging it – frankly, the difference in your risk between “sending/storing the password” and “sending/storing the hash of the password” seems pretty small.
Even small inputs + small salts seem doomed, given these massive advances in FP calculation arrays.
Further, it seems like “stored, single-value salts” are just as pointless, given the amount of research that attackers generally put into discovering these stored/fixed salt values – so storing a hugely long salt value just feels wrong to me for many threat scenarios.
Do any of the SHA-3 algorithms take massively more time on these hash-calculating clusters? If not, what other options can our products use for protecting small values like passwords and unique identifiers?
I get that there are still some attack vectors against which a hashed password is a useful mitigation vs. the raw password itself. It just seems like we’re getting further and further away from the knee-jerk “hash it and you’re much better off” that I was taught at the feet of my cryptographic elders.
Note: I believe there’s still value in using modern/advanced hash functions to predict the integrity of a known piece of information (digital signatures, message authentication):
- e.g. hash a large document and sign it to later assert with some degree of confidence that the document hasn’t been tampered with
- e.g. compare the previously-stored password hash to determine if the supplicant has possession of that password
“A presentation at the Passwords^12 Conference in Oslo, Norway, has moved the goalposts on password cracking yet again. Speaking on Monday, researcher Jeremi Gosney (a.k.a epixoip) demonstrated a rig that leveraged the Open Computing Language (OpenCL) framework and a technology known as Virtual Open Cluster (VCL) to run the HashCat password cracking program across a cluster of five, 4U servers equipped with 25 AMD Radeon GPUs communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric. Gosney’s system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft’s LM and NTLM, obsolete. In a test, the researcher’s system was able to generate 348 billion NTLM password hash checks per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference. For some context: In June, Poul-Henning Kamp, creator of the md5crypt() function used by FreeBSD and other, Linux-based operating systems, was forced to acknowledge that the hashing function is no longer suitable for production use — a victim of GPU-powered systems that could perform ‘close to 1 million checks per second on COTS (commercial off the shelf) GPU hardware,’ he wrote. Gosney’s cluster cranks out more than 77 million brute force attempts per second against MD5crypt.”
URL – http://it.slashdot.org/story/12/12/05/0623215/new-25-gpu-monster-devours-strong-passwords-in-minutes
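On the question above of what products can use to protect small values like passwords, one standard answer is a deliberately slow key-derivation function with a random salt per stored value. The sketch below is an added example, not code from this post or from the quoted article. It compares worst-case search times at the article's quoted guess rates with and without stretching. PBKDF2-HMAC-SHA256, the 600,000 iteration count, the 95-character alphabet and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Guess rates quoted in the article above (guesses per second).
NTLM_RATE = 348e9
MD5CRYPT_RATE = 77e6
ITERATIONS = 600_000  # assumed work factor; tune to your own latency budget


def exhaust_seconds(alphabet, length, rate, work_factor=1):
    """Worst-case seconds to try every `length`-character candidate.

    work_factor models a stretched hash: a rough estimate that assumes one
    KDF iteration costs the attacker at least one fast-hash evaluation.
    """
    return (alphabet ** length) * work_factor / rate


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return (salt, iterations, digest); a fresh random salt per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    """Recompute with the stored salt and iterations; constant-time compare."""
    salt, iterations, expected = record
    candidate = hash_password(password, iterations, salt)[2]
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    hours = exhaust_seconds(95, 8, NTLM_RATE) / 3600
    days = exhaust_seconds(95, 8, MD5CRYPT_RATE) / 86400
    years = exhaust_seconds(95, 8, NTLM_RATE, ITERATIONS) / (365.25 * 86400)
    print(f"8 printable chars at the NTLM rate: {hours:.1f} hours")
    print(f"8 printable chars at the md5crypt rate: {days:.0f} days")
    print(f"NTLM rate scaled by {ITERATIONS} iterations: ~{years:.0f} years")
    # Constructed sample passphrase, for demonstration only.
    record = hash_password("constructed sample passphrase")
    print(verify_password("constructed sample passphrase", record))
```

Stretching multiplies the cost of every guess, so it protects passwords that are not already in a wordlist; a dictionary word still falls quickly at any work factor. The per-value random salt does not need to be secret, since its job is to force the attacker to repeat the work for each stored record.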