We've read so many sad stories about communities that were fatally compromised or destroyed due to security exploits. We took that lesson to heart when we founded the Discourse project; we endeavor to build open source software that is secure and safe for communities by default, even if there are thousands, or millions, of them out there.

However, we also value portability, the ability to get your data into and out of Discourse at will. This is why Discourse, unlike other forum software, defaults to a Creative Commons license. As a basic user on any Discourse you can easily export and download all your posts right from your user page.

As a site owner, you can easily back up and restore your entire site database from the admin panel, right in your web browser. Automated weekly backups are set up for you out of the box, too. I'm not the world's foremost expert on backups for nothing, man!

Over the years, we've learned that balancing security and data portability can be tricky. You bet your sweet ASCII a full database download is what hackers start working toward the minute they gain any kind of foothold in your system. It's the ultimate prize.

To mitigate this threat, we've slowly tightened restrictions around Discourse backups in various ways:

• Administrators have a minimum password length of 15 characters.

• Both backup creation and backup download administrator actions are formally logged.

• Backup download tokens are single use and emailed to the address of the administrator, to confirm that user has full control over the email address.

The name of the security game is defense in depth, so all these hardening steps help … but we still need to assume that Internet Bad Guys will somehow get a copy of your database. And then what? Well, what's in the database?

• Identity cookies

  Cookies are, of course, how the browser can tell who you are. Cookies are usually stored as hashes, rather than the actual cookie value, so having the hash doesn't let you impersonate the target user. Furthermore, most modern web frameworks rapidly cycle cookies, so they are only valid for a brief 10 to 15 minute window anyway.

• Email addresses

  Although users have reason to be concerned about their emails being exposed, very few people treat their email address as anything particularly precious these days.

• All posts and topic content

  Let's assume for the sake of argument that this is a fully public site and nobody was posting anything particularly sensitive there. So we're not worried, at least for now, about trade secrets or other privileged information being revealed, since they were all public posts anyway. If we were, that's a whole other blog post I can write at a later date.

• Password hashes

  What's left is the password hashes. And that's … a serious problem indeed.

Now that the attacker has your database, they can crack your password hashes with large scale offline attacks, using the full resources of any cloud they can afford. And once they've cracked a particular password hash, they can log in as that user … forever. Or at least until that user changes their password.

⚠️ That's why, if you know (or even suspect!) your database was exposed, the very first thing you should do is reset everyone's password.

But what if you don't know? Should you preemptively reset everyone's password every 30 days, like the world's worst bigco IT departments? That's downright user hostile, and leads to serious pathologies of its own. The reality is that you probably won't know when your database has been exposed, at least not until it's too late to do anything about it. So it's crucial to slow the attackers down, to give yourself time to deal with it and respond.

Thus, the only real protection you can offer your users is just how resistant to attack your stored password hashes are. There are two factors that go into password hash strength:

1. The hashing algorithm. As slow as possible, and ideally designed to be especially slow on GPUs for reasons that will become painfully obvious about 5 paragraphs from now.

2. The work factor or number of iterations. Set this as high as possible, without opening yourself up to a possible denial of service attack.

I've seen guidance that said you should set the overall work factor high enough that hashing a password takes at least 8ms on the target platform. It turns out Sam Saffron, one of my Discourse co-founders, made a good call back in 2013 when he selected the NIST recommendation of PBKDF2-HMAC-SHA256 and 64k iterations. We measured, and that indeed takes roughly 8ms using our existing Ruby login code on our current (fairly high end, Skylake 4.0 Ghz) servers.

But that was 4 years ago. Exactly how secure are our password hashes in the database today? Or 4 years from now, or 10 years from now? We're building open source software for the long haul, and we need to be sure we are making reasonable decisions that protect everyone. So in the spirit of designing for evil, it's time to put on our Darth Helmet and play the bad guy – let's crack our own hashes!

We're gonna use the biggest, baddest single GPU out there at the moment, the GTX 1080 Ti. As a point of reference, for PBKDF2-HMAC-SHA256 the 1080 achieves 1180 kH/s, whereas the 1080 Ti achieves 1640 kH/s. In a single video card generation the attack hash rate has increased nearly 40 percent. Ponder that.

First, a tiny hello world test to see if things are working. I downloaded hashcat. I logged into our demo at try.discourse.org and created a new account with the password 0234567890; I checked the database, and this generated the following values in the hash and salt database columns for that new user:

hash
93LlpbKZKficWfV9jjQNOSp39MT0pDPtYx7/gBLl5jw=
salt
ZWVhZWQ4YjZmODU4Mzc0M2E2ZDRlNjBkNjY3YzE2ODA=

Hashcat requires the following input file format: one line per hash, with the hash type, number of iterations, salt and hash (base64 encoded) separated by colons:

type   iter  salt                                         hash  
sha256:64000:ZWVhZWQ4YjZmODU4Mzc0M2E2ZDRlNjBkNjY3YzE2ODA=:93LlpbKZKficWfV9jjQNOSp39MT0pDPtYx7/gBLl5jw=  

Let's hashcat it up and see if it works:

./h64 -a 3 -m 10900 .\one-hash.txt 0234567?d?d?d

Note that this is an intentionally tiny amount of work, it's only guessing three digits. And sure enough, we cracked it fast! See the password there on the end? We got it.

sha256:64000:ZWVhZWQ4YjZmODU4Mzc0M2E2ZDRlNjBkNjY3YzE2ODA=:93LlpbKZKficWfV9jjQNOSp39MT0pDPtYx7/gBLl5jw=:0234567890

Now that we know it works, let's get down to business. But we'll start easy. How long does it take to brute force attack the easiest possible Discourse password, 8 numbers – that's "only" 10⁸ combinations, a little over one hundred million.

Hash.Type........: PBKDF2-HMAC-SHA256  
Time.Estimated...: Fri Jun 02 00:15:37 2017 (1 hour, 0 mins)  
Guess.Mask.......: ?d?d?d?d?d?d?d?d [8]  

Even with a top of the line GPU that's … OK, I guess. Remember this is just one hash we're testing against, so you'd need one hour per row (user) in the table. And I have more bad news for you: Discourse hasn't allowed 8 character passwords for quite some time now. How long does it take if we try longer numeric passwords?

?d?d?d?d?d?d?d?d?d [9]
Fri Jun 02 10:34:42 2017 (11 hours, 18 mins)

?d?d?d?d?d?d?d?d?d?d [10]
Tue Jun 06 17:25:19 2017 (4 days, 18 hours)

?d?d?d?d?d?d?d?d?d?d?d [11]
Mon Jul 17 23:26:06 2017 (46 days, 0 hours)

?d?d?d?d?d?d?d?d?d?d?d?d [12]
Tue Jul 31 23:58:30 2018 (1 year, 60 days)  

But all digit passwords are easy mode, for babies! How about some real passwords that use at least lowercase letters, or lowercase + uppercase + digits?

Guess.Mask.......: ?l?l?l?l?l?l?l?l [8]  
Time.Estimated...: Mon Sep 04 10:06:00 2017 (94 days, 10 hours)

Guess.Mask.......: ?1?1?1?1?1?1?1?1 [8] (-1 = ?l?u?d)  
Time.Estimated...: Sun Aug 02 09:29:48 2020 (3 years, 61 days)  

A brute force try-every-single-letter-and-number attack is not looking so hot for us at this point, even with a high end GPU. But what if we divided the number by eight … by putting eight video cards in a single machine? That's well within the reach of a small business budget or a wealthy individual. Unfortunately, dividing 38 months by 8 isn't such a dramatic reduction in the time to attack. Instead, let's talk about nation state attacks where they have the budget to throw thousands of these GPUs at the problem (1.1 days), maybe even tens of thousands (2.7 hours), then … yes. Even allowing for 10 character password minimums, you are in serious trouble at that point.

If we want Discourse to be nation state attack resistant, clearly we'll need to do better. Hashcat has a handy benchmark mode, and here's a sorted list of the strongest (slowest) hashes that Hashcat knows about benchmarked on a rig with 8 Nvidia GTX 1080 GPUs. Of the things I recognize on that list, bcrypt, scrypt and PBKDF2-HMAC-SHA512 stand out.

My quick hashcat results gave me some confidence that we weren't doing anything terribly wrong with the Discourse password hashes stored in the database. But I wanted to be completely sure, so I hired someone with a background in security and penetration testing to, under a signed NDA, try cracking the password hashes of two live and very popular Discourse sites we currently host.

I was provided two sets of password hashes from two different Discourse communities, containing 5,909 and 6,088 hashes respectively. Both used the PBKDF2-HMAC-SHA256 algorithm with a work factor of 64k. Using hashcat, my Nvidia GTX 1080 Ti GPU generated these hashes at a rate of ~27,000/sec.

Common to all discourse communities are various password requirements:

• All users must have a minimum password length of 10 characters.
• All administrators must have a minimum password length of 15 characters.
• Users cannot use any password matching a blacklist of the 10,000 most commonly used passwords.
• Users can choose to create a username and password or use various third party authentication mechanisms (Google, Facebook, Twitter, etc). If this option is selected, a secure random 32 character password is autogenerated. It is not possible to know whether any given password is human entered, or autogenerated.

Using common password lists and masks, I cracked 39 of the 11,997 hashes in about three weeks, 25 from the ████████ community and 14 from the ████████ community.

This is a security researcher who commonly runs these kinds of audits, so all of the attacks used wordlists, along with known effective patterns and masks derived from the researcher's previous password cracking experience, instead of raw brute force. That recovered the following passwords (and one duplicate):

If we multiply this effort by 8, and double the amount of time allowed, it's conceivable that a very motivated attacker, or one with a sophisticated set of wordlists and masks, could eventually recover 39 × 16 = 624 passwords, or about five percent of the total users. That's reasonable, but higher than I would like. We absolutely plan to add a hash type table in future versions of Discourse, so we can switch to an even more secure (read: much slower) password hashing scheme in the next year or two.

bcrypt $2*$, Blowfish (Unix)  
  20273 H/s

scrypt  
  886.5 kH/s

PBKDF2-HMAC-SHA512  
  542.6 kH/s 

PBKDF2-HMAC-SHA256  
 1646.7 kH/s 

After this exercise, I now have a much deeper understanding of our worst case security scenario, a database compromise combined with a professional offline password hashing attack. I can also more confidently recommend and stand behind our engineering work in making Discourse secure for everyone. So if, like me, you're not entirely sure you are doing things securely, it's time to put those assumptions to the test. Don't wait around for hackers to attack you — hacker, hack thyself!

Gabe and Tycho play a game for 15 minutes and then judge it accordingly. This week they play Paparazzi.
You can watch the full length version of this episode here.

(I am working at a major breakfast chain as a waiter, on night shift. One of my coworkers was a diabetic, and I have a history of hypoglycemic episodes. Thankfully, [Diabetic] knows the signs. This occurred on a prom night, after I’d just spent two and a half hours running food and drinks to a group of 35.)

Diabetic: “[My Name], you’re getting derpy. First time I’ve seen you get a drink wrong in months!”

Me: “I’m fine.”

Diabetic: “No, you’re not fine.” *calling out louder* “[Manager], get over here and make [My Name] go sit down! He’s derping out!”

Me: “I’m not derping out!”

Manager: “His girlfriend’s over there; get his kit from her.”

Me: “I’m not derping out, [Diabetic]’s derping out! She just brought that short stack to the wrong table!”

(Manager grabs both of us by the ears, drags us to the break room, and makes us test our blood sugar. Diabetic’s meter shows 300, mine shows 20.)

Manager: “Okay, you!” *points at [Diabetic]* “Insulin, now. You!” *points at me* “Pancakes, now. And when you’re done eating, give her half your pancreas!”

(I work for an ISP that also provides e-mail. The phone rings.)

Me: “Thank you for calling [Provider]. How can I help you today?”

Customer: “Hi, I just got a new computer, and I can’t remember the password to log into my e-mail.”

Me: “I can certainly help you out with that. Give me one moment to bring up your account.”

(I verify some information with her and bring up her info, including her e-mail password. Because of what it is though, I’m having trouble figuring out how to give it to her.)

Me: “Okay… So, I have your password up now. So I just want to be clear that what I’m about to tell you is really what I’m seeing on my screen.”

Customer: “All right.”

Me: “Okay, well, the password is ‘f*** you.'”

(I hear some typing in the background.)

Customer: “Great! That was it! Thank you so much!” *click*

[Source: CommitStrip | Like CommitStrip on Facebook]

The post Scumbag Windows [Comic] appeared first on Geeks are Sexy Technology News.

[Source: Dragonarte | Like Dragonarte on Facebook]

The post Batman, Magician Extraordinaire! [Comic] appeared first on Geeks are Sexy Technology News.

(We are learning about sigma notation in math, and our teacher has just explained that sigma (Σ) is the Greek letter ‘S’ and what it means for the notation.)

Student #1: “So, did the ancient Greeks like use sigma to write ‘S’ in their language?”

Teacher: “Yes.”

Student #1: “And all the other math Greek letters too? Like pi and tau and theta and stuff?”

Teacher: “Yes. They still do.”

Student #2: “Wait, what? They still use the Greek alphabet?”

Teacher: “Yes, the modern Greek alphabet is still the same as the ancient one. All these letters are real letters in their alphabet.”

Student #2: “Oh. I thought they used the Cyrillic alphabet. I thought Greek letters were just for math now.”

Student #1: “How do Greek people do math? Don’t they get confused?”

Related:
It Was Greek To Me

via: [imgur | tickld]

(I am in a Java class, where I am a bored over-achiever and the person sitting next to me basically needs me to teach them everything. I have finished the weekly project early, so I open up a hacking type videogame for fun. I proceed to hack into a bank, and find the accounts in it, then proceed to hack into each account separately and transferred the money out into my game account, then delete all proof of my actions before the trace completes. Gaming need satisfied, I shut the game down and am about to start daydreaming, when I notice the guy next to me looking at my screen with big white eyes.)

Guy: “Did you just…” *too scared to say more out loud*

Me: *couldn’t help but smirk because it is funny*

(The guy proceeded to be very very careful around me and began studying Java seriously for the rest of the semester. Heh, go gaming.)

(In my high school, if you’re going to be called down to discuss a disciplinary issue you get a blue slip during homeroom. I get one and head down to the office. The slips themselves don’t say the reason for being issued.)

Me: *handing the teacher the slip* “I got this?”

Teacher: *looks it over sternly* “Do you know why you’re here?”

Me: “No…?”

Teacher: *glowers at me and generally putting off an exaggerated ‘bad cop’ vibe* “Where were you fourth period on the 16th?”

Me: “I… Um….” *I take a moment to think, as it’s been a stressful time and I haven’t been keeping track of dates* “Uh. Well, fourth period is math, so… Wait, was the 16th last Tuesday?”

Teacher: “Yes.”

Me: “Oh! I was skipping class.”

Teacher: “I… what?”

Me: “I was skipping class.”

(The teacher looks totally bewildered; he had clearly worked himself up to handle any answer I gave him but that.)

Teacher: “Um. May I ask why?”

Me: “My sister tried to kill herself the day before and was hospitalized. All my friends have their lunch during fourth period, so I skipped math to be with them. I needed emotional support that day.”

Teacher: “Oh. Well. All right. Ah…” *flips through his calendar* “I’ll just make an appointment for you to discuss this with the principal, then. You, ah, go ahead and get back to class.”

(I did end up getting a Saturday detention for skipping class… mostly because I wouldn’t help the principal talk himself out of it. I ended up telling him to go ahead and give it to me since I didn’t care much and I HAD been skipping class.)

(I have just finished counting my till and am heading towards the canteen to change and go home after a 10-hour shift. On my way there, a woman in a scooter stops me.)

Customer: “Excuse me!”

Me: “Yes?”

Customer: “Where can I find [specific liquor]?”

Me: *not willing to walk her to it as I’m off duty* “It’s in the next aisle, near the end.”

Customer: “Can’t you get it for me? I can’t go driving around the store just searching! I need a lot of things and you know where they are.”

Me: “I’m sure it’s there. Now, if you’ll excuse me…”

(I go to the canteen, take off my work clothes, and change into my regular clothes. I head out and bump into the same woman.)

Customer: “Oh, are you off?”

Me: “Yes, I’m heading home.”

Customer: “Can you get me the milk?”

Me: *waving* “It’s over there.”

Customer: “It’s too high up; I can’t get it from my scooter. Get it for me.”

(I sigh and figure I’d be off faster if I just follow her commands.)

Customer: “See, now we’re getting somewhere. This is customer service; you’d better learn it quick!”

(It is the early 2000s. Computers are still growing in use, and have only recently become commonplace at my mother’s office. Whenever someone is sick and has files on their computer that they need, one of her coworkers will get in to their computer. No one knows how he does it since he doesn’t work in the IT department, and everyone  just assume he’s an IT wizard. Then, one day…)

Coworker: “There, you’re in.”

Boss: “Thanks. How do you keep getting in, anyway?”

Coworker: “Oh, it’s easy. I just know the names of everyone’s pets.”

Boss: “…”

(It turns out everyone used their pet’s name as a password. Mystery solved!)

Could you get drunk from drinking a drunk person's blood?

Fiona Byrne

You would have to drink a lot of blood.

A person contains about 5 liters of blood, or 14 glasses.

If your blood is more than about half a percent alcohol, you stand a pretty good chance of dying. There have been a handful of cases of people surviving with a blood alcohol level of above 1%, but the LD₅₀—the level at which 50% of people will die—is 0.40 (0.4%).

If someone had a BAC of 0.40, and you drank all 14 glasses of their blood in a short amount of time,[1]Hey, there's a 50% chance they were going to die anyway. you would throw up:

You wouldn't throw up because because of the alcohol; you'd just throw up because you're drinking blood. If you somehow avoided vomiting, you would have ingested a total of 20[2]Thank you to Conor Braman, among others, for correcting a missing zero in the original version of this calculation. grams of ethanol, which is the amount you'd get from a pint of beer.

Depending on your weight, drinking that much blood could raise your own blood alcohol level to about 0.05. This is low enough that you could legally drive in many jurisdictions, but high enough to double your risk of an accident if you did.

If your BAC is 0.05, it means only 1/8th of the alcohol from the other person's blood made it into yours. Supposing that after you drank all this blood, someone killed you and drank your blood,[3]It's only fair. they would then have a BAC of 0.006. If this process were repeated about 25 times, there would be fewer than 8 molecules of ethanol left in the last person's blood. After a few more cycles, there would likely be none;[4]By homeopathic standards, this is still quite concentrated. they'd just be drinking regular blood.[5]Like a loser.

Whether there's any alcohol in it or not, drinking 14 glasses of blood wouldn't be fun. There's not a huge amount of medical literature on the subject, but anecdotal evidence from online forum posts suggests that any normal person who tries to drink more than about a pint of blood will vomit:

If you drink blood regularly, over a long period of time the buildup of iron in your system can cause iron overload. This syndrome, which sometimes affects people who have repeated blood transfusions, is one of the few conditions for which the correct treatment is bloodletting.[6]Others include PCV and PCT.

Drinking one person's blood probably wouldn't cause iron overload. What it could give you is a blood-borne disease. Most such diseases are caused by viruses that can't survive in the stomach, but they could easily get into your blood through scratches in your mouth or throat as you drank.

Diseases you could get from drinking an infected person's blood include hepatitis B and C, HIV, Hantaviruses, and Ebola. I'm not a doctor, and I try not to give medical advice in these articles. However, I will confidently say that you shouldn't drink the blood of someone with Ebola.

That said, drinking or eating blood is not unheard of. It's a taboo in many cultures, but the British eat "black pudding", which is largely blood, and there are similar dishes all around the world. Maasai pastoralists in east Africa once lived mainly on milk, but also sometimes drank blood, drawing it from their cattle and mixing it with the milk to form a sort of extreme protein shake.

So the bottom line is that drinking enough of someone's blood to get drunk would be very difficult, probably quite unpleasant, and might give you some serious diseases.

In the end, the blood itself would do awful things to your body long before the booze ever could.

(For months I received calls from a bill collector while at work, asking for a man who has never worked at the office. My company filed several complaints with the FCC but the calls still kept coming. I got permission from my boss to mess with the caller the next time they rang in. We had caller ID at the time, so I knew it was the bill collector before picking up the phone.)

Me: “Thank you for calling ‘Glitzy Coffins,’ where we stylize your loved ones straight to the grave.”

Collector: “Um… Is [Name] there?”

Me: “Let me check with the back and see if he has been sent to embalming. One moment, please.”

Collector: *click*

(10 minutes later, the phone rings again from the same number.)

Me: “Doctor Z’s purification clinic, zapping away herpes since 1992. How can I help you?”

Collector: “Is [Name] available?”

Me: “Do you have an appointment?”

Collector: “No. I need to speak with him regarding an urgent matter.”

Me: “I can’t help if you don’t have an appointment. Now what genital disease is causing your trouble? Our physicians are not only qualified, they are ordained by the lord to save your soul from your sinful ways.”

Collector: *hangs up*

(Another 10 minutes later.)

Me: “Quack.”

Collector: “Is [Name] available?”

Me: “Quack.”

Collector: “I need to speak with him regarding an urgent matter.”

Me: “Quack.”

Collector: “Is he available or not?”

Me: “Quack.”

Collector: “Don’t be a b****. Is he there? I must speak with him.”

Me: “Quack.”

Collector: “Look! Give me [Name] now or you’ll be in trouble!”

Me: “Quack.”

Collector: *throws out a string of profanities for a few minutes, threatening to sue me if I don’t put the man he’s contacting on the phone* “So, what do you have to say?”

Me: “…Quack.”

Collector: *click*

(At this point, I’ve coerced a few coworkers to join in on the fun since the calls were still coming in. Five minutes later…)

Coworker #1: “Dude.” *snickers* “I’m so high right now!”

Collector: *click*

(10 minutes later…)

Me: “D*** it Regina! Get yo a** back on the street. Pimp needs his mother-f****** money!”

Coworker #1: “I’m sorry, daddy!”

Me: “D*** right, b****!” *to phone* “Yeah?”

Collector: *click*

(10 minutes later…)

Coworker #2: “Hey. This is Darnell and you’re calling Bros for Hoes. What chocolatey confection can I serve you up with today?”

Collector: “F***!” *slams the phone down*

(They stopped calling after that.)

(Today all my customers have been placing the exact same order, so I decide to have fun with the next one who comes in.)

Me: “Hello. Can I help you?”

Customer: “Hi! Can I have—”

Me: “A pound of [Brand] oven roasted turkey? Sliced thin?”

Customer: “Um, yes…”

Me: “Yes, ma’am. Coming right up.”

(I slice the turkey for her and hand it to her.)

Me: “Would you like anything else today?”

Customer: “Can I also have—”

Me: “Yes, ma’am. One pound of [Brand] white American cheese, coming up.”

(Her eyes go wide but she doesn’t say anything. I look through the cold case but don’t find an open package of the cheese.)

Me: “Oh, looks like I need to open a new package. One moment, please.”

(I step out from behind the counter and open up the door on the front of the case to get a new package of cheese.)

Customer: “Wow! I didn’t know—”

Me: “That’s okay. Most people don’t know the doors open from the front.”

(Her eyes get even wider. I try not to snicker as I slice her cheese.)

Me: “Aaaaand there you go. Will that be all for you, ma’am?”

Customer: “What number am I—”

Me: “42.”

(She snatches the cheese and runs out the front door at full speed.)

Coworker: “How did you know what number she was thinking?”

Me: “Douglas Adams, dude. 42 is always the answer.”

Coworker: “You’re sick, man.”

Me: “I knew you’d say that.”

(I work in the ‘special collections’ department for the local authority. My job is to cover the reception area and take any orders for special collections over the counter. Usually people come in to get things such as TVs, furniture, and such uplifted.)

Customer: “Hi. Is this the right office for booking a collection?”

Me: “Yes. How many items do you need uplifted?”

Customer: “Just one.”

Me: “Okay, no problem. Is this for a business a personal residence?”

Customer: “Personal Residence.” *leans closer to me over the counter in a creepy manner* “Is there any way this can be done discreetly?”

Me: “What do you mean?”

Customer: “I mean, can you not record my details. Can I just have the uplift, and pay extra to not have my details logged?”

Me: “Um… No, not really. That’s not how we do it. We have to record your details. Now, what do you need uplifted?”

Customer: “A dead body.”

(We stare at each other in silence whilst I have the biggest mental panic attack ever. A few seconds pass before the customer bursts out laughing.)

Customer: “I am so sorry. I’m just messing with you. You’re face was priceless! I have ALWAYS wanted to do that!”

(The customer left, still laughing, while I stood there with my mouth hanging open in complete shock and amusement.)