Shared posts

12 Jul 23:52

Bypassing Passcodes in iOS

by Bruce Schneier

Last week, a story was going around explaining how to brute-force an iOS password. Basically, the trick was to plug the phone into an external keyboard and try every PIN at once:

We reported Friday on Hickey's findings, which claimed to be able to send all combinations of a user's possible passcode in one go, by enumerating each code from 0000 to 9999, and concatenating the results in one string with no spaces. He explained that because this doesn't give the software any breaks, the keyboard input routine takes priority over the device's data-erasing feature.

I didn't write about it, because it seemed too good to be true. A few days later, Apple pushed back on the findings -- and it seems that it doesn't work.

This isn't to say that no one can break into an iPhone. We know that companies like Cellebrite and Grayshift are renting/selling iPhone unlock tools to law enforcement -- which means governments and criminals can do the same thing -- and that Apple is releasing a new feature called "restricted mode" that may make those hacks obsolete.

Grayshift is claiming that its technology will still work.

Former Apple security engineer Braden Thomas, who now works for a company called Grayshift, warned customers who had bought his GrayKey iPhone unlocking tool that iOS 11.3 would make it a bit harder for cops to get evidence and data out of seized iPhones. A change in the beta didn't break GrayKey, but would require cops to use GrayKey on phones within a week of them being last unlocked.

"Starting with iOS 11.3, iOS saves the last time a device has been unlocked (either with biometrics or passcode) or was connected to an accessory or computer. If a full seven days (168 hours) elapse [sic] since the last time iOS saved one of these events, the Lightning port is entirely disabled," Thomas wrote in a blog post published in a customer-only portal, which Motherboard obtained. "You cannot use it to sync or to connect to accessories. It is basically just a charging port at this point. This is termed USB Restricted Mode and it affects all devices that support iOS 11.3."

Whether that's real or marketing, we don't know.

12 Jul 23:50

Mentirinhas #1288

by Fábio Coala

What a patada! PATAda, get it?! HAUHAUHhahah ok, sorry 🙁

The post Mentirinhas #1288 first appeared on Mentirinhas.

02 Jun 16:03


by Nuno-Tavares





We can read this post as the three W's, one for each chapter.

We will go through the basic concepts of NTLM and Kerberos: the main differences between them, how each flow works, and how to identify which protocol is in use.

So, without further ado, here is the story ...



Chapter 1

The What:


What is NTLM?
NTLM is an authentication protocol. It was the default protocol in older versions of Windows, but it is still used today. If Kerberos fails for any reason, NTLM is used instead.
NTLM uses a challenge/response mechanism.
Here is how the NTLM flow works:

1 - A user accesses a client computer and provides a domain name, a user name and a password.
The client computes a cryptographic hash of the password and discards the actual password. The client sends the user name to the server (in plaintext).

2 - The server generates a 16-byte random number, called the challenge, and sends it back to the client.

3 - The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is called the response.

4 - The server sends the following three items to the domain controller:
- User name
- Challenge sent to the client
- Response received from the client

5 - The domain controller uses the user name to retrieve the hash of the user's password. It compares the encrypted challenge with the client's response (from step 4). If they are identical, authentication succeeds and the domain controller notifies the server.

6 - The server sends the appropriate response back to the client.


What is Kerberos?
Kerberos is an authentication protocol. It is the default authentication protocol in Windows versions above W2k, replacing the NTLM authentication protocol.
Here is how the Kerberos flow works:

1 - A user logs on to the client machine. The client makes a plaintext request (TGT). The message contains: (user ID; ID of the requested service (TGT); the client's network address (IP); validity lifetime)

2 - The authentication server checks whether the user exists in the KDC database. If the user is found, it randomly generates a key (session key) for use between the user and the Ticket Granting Server (TGS). The authentication server then sends two messages back to the client: - One is encrypted with the TGS secret key. - One is encrypted with the client's secret key.

NOTE: The TGS session key is the key shared between the client and the TGS. The client's secret key is the hash of the user's credentials (user name + password).

3 - The client decrypts the key and can log on, caching it locally. It also stores the encrypted TGT in its cache. When accessing a network resource, the client sends a request to the TGS with the name of the resource it wants to access, the user ID / timestamp, and the cached TGT.

4 - The TGS decrypts the user's information and provides a service ticket and a service session key for accessing the service, and sends them back to the client after encrypting them.

5 - The client sends the request to the server (encrypted with the service ticket and the session key)

6 - The server decrypts the request and, if it is genuine, grants access to the service.



Chapter 2

The When:


How can we tell whether we are using NTLM or Kerberos?
We can confirm which authentication is being used simply by collecting a Fiddler trace. In Fiddler, the requests being made can be seen under Inspectors / Headers.

If the request starts with Kerberos and fails, NTLM will be used. We can see the response in the headers as well.
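
Telling the two protocols apart from the header values seen in Fiddler, as an added example that is not part of the original post: the token after Negotiate or NTLM is base64; NTLM messages begin with the NTLMSSP signature, while Kerberos tickets travel in a GSS-API/SPNEGO token that carries the Kerberos OID. The function names and sample tokens are constructed for illustration, and the check is a byte-pattern heuristic, not a full ASN.1 parse.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"  # every NTLM message starts with this signature
# DER-encoded mechanism OIDs found inside SPNEGO/GSS-API tokens
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_auth_header(value: str) -> str:
    """Classify the value of an Authorization or WWW-Authenticate header."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other"
    if not token.strip():
        return "offer"  # server only advertises the scheme, no token yet
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]  # little-endian type
        return "NTLM " + NTLM_TYPES.get(msg_type, "UNKNOWN")
    if raw[:1] in (b"\x60", b"\xa1"):  # GSS-API initial token / SPNEGO reply
        if NTLMSSP_SIG in raw:
            return "NTLM (wrapped in SPNEGO)"
        if OID_KRB5 in raw or OID_MS_KRB5 in raw:
            return "Kerberos"
        return "SPNEGO (mechanism not identified)"
    return "unknown"


def fell_back_to_ntlm(header_values) -> bool:
    """True if a Kerberos token is later followed by an NTLM token."""
    seen_kerberos = False
    for value in header_values:
        kind = classify_auth_header(value)
        if kind == "Kerberos":
            seen_kerberos = True
        elif kind.startswith("NTLM") and seen_kerberos:
            return True
    return False

# Constructed samples: correct framing bytes, filler payloads (not real tickets).
KRB_RAW = b"\x60\x82\x01\x00\x06\x06\x2b\x06\x01\x05\x05\x02" + OID_KRB5 + b"\x00" * 32
NTLM_RAW = NTLMSSP_SIG + struct.pack("<II", 1, 0xE2088297) + b"\x00" * 16
SAMPLE_TRACE = ["Negotiate " + base64.b64encode(KRB_RAW).decode(), "Negotiate",
                "Negotiate " + base64.b64encode(NTLM_RAW).decode()]
```

Run over the header values exported from a trace, fell_back_to_ntlm flags sessions where a Kerberos attempt was followed by NTLM, which is the fallback case described above.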


What are the dependencies of Kerberos?
Both the client and the server must be running W2k or later and be in the same domain or in a trusted one.
An SPN must exist in AD for the domain account used to run the service the client is authenticating to.



Chapter 3

The Why:

NTLMv1 hashes can be cracked in seconds with today's computing power, since they always have the same length and are not salted.
NTLMv2 is somewhat better, given its variable length and salted hash, but not by much. Even though the hash is salted before it is sent, it is stored unsalted in a machine's memory.
And of course, when we talk about NTLM we are talking about a challenge/response mechanism, which exposes the password to offline cracking when it responds to the challenge.

Kerberos offers several advantages over NTLM:
- More secure: no password stored locally or sent over the network.
- Better performance: improved performance compared with NTLM authentication.
- Delegation support: servers can impersonate clients and use the client's security context to access a resource.
- Simpler trust management: avoids the need for p2p trust relationships in multi-domain environments.
- Supports MFA (Multi Factor Authentication)


The end

11 Nov 22:18

Study Finds Robot Surgeons Are Actually Slower and More Expensive

by EditorDavid
"Robot-assisted surgery costs more time and money than traditional methods, but isn't more effective, for certain types of operations," reports the Register, in an article shared by schwit1: In a study of almost 24,000 laparoscopic surgeries just published in The Journal of American Medicine, researchers from Stanford University School of Medicine analyzed data from 416 hospitals around the U.S. from 2003 to 2015. Robotic assistance provides 3D-visualization, a broader range of motion for instruments, and better ergonomics for physicians, according to the study. While it has advantages in scenarios where a high degree of precision is required or where improved outcomes have been demonstrated (like radical prostatectomy), it appears to be a waste of resources for the two operations examined... But the patient outcomes were more or less the same. A thematically-related economic study presented by the National Bureau for Economic Research on Monday suggests that while AI and machine learning have received substantial investment over the past five years and have been widely touted as transformative technologies, "there is little sign that they have yet affected aggregate productivity statistics... The simplest possibility is that the optimism about the potential technologies is misplaced and unfounded," muse Erik Brynjolfsson and Daniel Rock (MIT), Chad Syverson (University of Chicago) in the paper. But instead the paper's authors suggest that fully realizing the benefits of AI "will require effort and entrepreneurship to develop the needed complements, and adaptability at the individual, organizational, and societal levels to undertake the associated restructuring."

Read more of this story at Slashdot.

21 Sep 19:28

09/15/17 PHD comic: 'Inner Gollum'

Piled Higher & Deeper by Jorge Cham
title: "Inner Gollum" - originally published 9/15/2017


01 Sep 01:06

Penny-Farthing: The Main Vehicle of Men in the Last Half of the 19th Century

by Alogueben
The penny-farthing, also known as a high wheel, high wheeler and ordinary, is a type of bicycle with a large front wheel and a much smaller rear wheel. It was popular after the boneshaker until the development of the safety bicycle in the 1880s. It was the first machine to be called a "bicycle".

Although the trend was short-lived, the penny-farthing became a symbol of the late Victorian era. Its popularity also coincided with the birth of cycling as a sport.

These interesting photos show men with their penny-farthings from the last half of the 19th century.

01 Sep 00:55

Six Feet Above

by boulet
20 Aug 02:59


by (Laerte Coutinho)

30 Jun 12:56

by Loading Artist

02 May 16:54

Saturday Morning Breakfast Cereal - Monty Hall Problems



Actually, pretty much everything beyond intro calculus is run by goblins.

23 Dec 03:33

petitesaretes: I made a comic about every comment thread under...

by madgastronomer


I made a comic about every comment thread under any content involving a fat person existing. Ever.
This counts as my inktober #1 because I spent way more time on it than I should have.

05 Nov 16:09

Live the Dream

by Doug
05 Sep 12:47

dustinteractive: Drone wars in Tokyo


Drone wars in Tokyo

27 Jan 13:52


by admin


16 Nov 12:10

The Strong

by Will Tirando

strong buff intelligence intelligent wisdom will-understand supplement whey

16 Nov 12:10

Tumblr | bc5.jpg

16 Nov 12:00

Viva Intensamente # 231

by Will Tirando

dog dog space rocket mars urine mark territory nasa robot

16 Nov 11:59

The Most Amazing Halloween Costume Ever by Doctor Popular


16 Nov 11:52


16 Nov 11:49

(via Andy H.)


24 Aug 20:19



Sounds legit

24 Aug 19:51

RT @juliana_m: I will never forgive Google for killing Reader. It never stopped...

by Pai Osias


Author: Pai Osias
Source: Mobile Web (M2)
RT @juliana_m: I will never forgive Google for killing Reader. It never stopped hurting.
26 Jun 14:26

you-want-this-url-huh: nickxdee: THIS IS NEVER NOT FUNNY i...




i really thought they were talking about colons at first

26 Jun 14:24

The Iron Man one is my favorite, by @The_False_Joker

26 Jun 14:16



 Expanded from Oglaf's feed by Oglaf comic's expander.

28 May 12:58

Captain Metaphysics and the Wizard of Elea

Plus, everyone knows it's a stupid thought experiment anyway.
28 May 12:55

A Softer World: 1239

28 May 12:54

2 for 1 drinks this week at QWOP tavern.


28 May 12:54


by Lunarbaboon

Buy the book and help the ugly man behind this comic...

14 May 12:24

"Get a rat and put it in a cage and give it two water bottles. One is just water, and one is water..."


Get a rat and put it in a cage and give it two water bottles. One is just water, and one is water laced with either heroin or cocaine. If you do that, the rat will almost always prefer the drugged water and almost always kill itself very quickly, right, within a couple of weeks. So there you go. It’s our theory of addiction.

Bruce comes along in the ’70s and said, “Well, hang on a minute. We’re putting the rat in an empty cage. It’s got nothing to do. Let’s try this a little bit differently.” So Bruce built Rat Park, and Rat Park is like heaven for rats. Everything your rat about town could want, it’s got in Rat Park. It’s got lovely food. It’s got sex. It’s got loads of other rats to be friends with. It’s got loads of colored balls. Everything your rat could want. And they’ve got both the water bottles. They’ve got the drugged water and the normal water. But here’s the fascinating thing. In Rat Park, they don’t like the drugged water. They hardly use any of it. None of them ever overdose. None of them ever use in a way that looks like compulsion or addiction. There’s a really interesting human example I’ll tell you about in a minute, but what Bruce says is that shows that both the right-wing and left-wing theories of addiction are wrong. So the right-wing theory is it’s a moral failing, you’re a hedonist, you party too hard. The left-wing theory is it takes you over, your brain is hijacked. Bruce says it’s not your morality, it’s not your brain; it’s your cage. Addiction is largely an adaptation to your environment.


We’ve created a society where significant numbers of our fellow citizens cannot bear to be present in their lives without being drugged, right? We’ve created a hyperconsumerist, hyperindividualist, isolated world that is, for a lot of people, much more like that first cage than it is like the bonded, connected cages that we need.

The opposite of addiction is not sobriety. The opposite of addiction is connection. And our whole society, the engine of our society, is geared towards making us connect with things. If you are not a good consumer capitalist citizen, if you’re spending your time bonding with the people around you and not buying stuff—in fact, we are trained from a very young age to focus our hopes and our dreams and our ambitions on things we can buy and consume. And drug addiction is really a subset of that.



Johann Hari,

Does Capitalism Drive Drug Addiction?

(via bigfatsun)

As a recovering addict this is an interesting read. I’m constantly battling right-wingers telling me it’s my fault and always being told by doctors it’s in my nature. But hearing this about my environment makes a lot of sense, I fell into addiction in a very bad time in my life when I was very isolated, and most of the addicts I know are the same. Addiction is definitely related to depression and this is affected by environment. I like this article.

(via soymilkbitch)

Bruce Alexander did the Rat Park experiments in the seventies. I am kind of horrified and outraged that I’ve heard about the empty-cage rat experiments but never once about his.

(via animatedamerican)