posted by martyb on Sunday April 30 2017, @06:37PM
from the horrect-borse-stattery-caple dept.

Think passwords, people. Think long, complex passwords. Not because a breach dump's landed, but because the security-probing-oriented Kali Linux just got better at cracking passwords.

Kali is a Debian-based Linux that packs in numerous hacking and forensics tools. It's well-regarded among white hat hackers and investigators, who appreciate its inclusion of the tools of their trades.

The developers behind the distro this week gave it a polish, adding new images optimised for GPU-using instances in Azure and Amazon Web Services. The extra grunt the GPUs afford, Kali's backers say, will enhance the distribution's password-probing powers. There's also better support for GPU cracking, hence our warning at the top of this story: anyone can use Kali and there's no way to guarantee black hats won't press it into service. And they can now do so on as many GPU-boosted cloud instances as they fancy paying for.

Could some users of Kali Linux technically be called "thugs?"


  • (Score: 0) by Anonymous Coward on Sunday April 30 2017, @06:57PM (4 children)

    by Anonymous Coward on Sunday April 30 2017, @06:57PM (#501950)

    Not joking, anyone who thinks it is ok to fuck with someone else's life
    in a criminal manner deserves to be imprisoned for life.

    There are no justifications for such behavior, PERIOD.

    • (Score: 3, Insightful) by hemocyanin on Sunday April 30 2017, @07:50PM

      by hemocyanin (186) on Sunday April 30 2017, @07:50PM (#501967) Journal

      You overstate your case. It is trivial to think of historical figures for whom it would be totally OK, even a moral obligation, to oppose with every tool available.

    • (Score: 3, Informative) by kaszz on Sunday April 30 2017, @09:14PM

      by kaszz (4211) on Sunday April 30 2017, @09:14PM (#502002) Journal

      Don't rely on others to not fuck with your life. Carry a hidden big stick that will ensure they will enlighten them if the need arises.
      There's always people that will justify their own criminal behavior and do it because they can. So it might be more efficient to make sure they can't.

    • (Score: 3, Insightful) by Runaway1956 on Sunday April 30 2017, @09:20PM

      by Runaway1956 (2926) Subscriber Badge on Sunday April 30 2017, @09:20PM (#502003) Journal

      As hemocyanin says, you overstate your case. I've had reason to examine things on a computer, that were locked behind a password. There really ARE good reasons to "hack" into an account. But, I can agree with you, if you are referring to the myriad of lowlifes who can't/won't get a job or something constructive to do. They think stealing money, identity, data, and whatever else is just great fun. Little fuckwads don't care, don't understand that they are well and truly fucking with people's lives.

      That is what courts are for - unfortunately, cyber law is no different from real life law. People get burned for minor bullshit, while real criminals get a slap on the fingers.

    • (Score: 2) by NotSanguine on Monday May 01 2017, @02:17AM

      There are no justifications for such behavior, PERIOD.

      https://en.wikipedia.org/wiki/White_hat_%28computer_security%29 [wikipedia.org]
      https://en.wikipedia.org/wiki/Penetration_test [wikipedia.org]
      https://www.isc2.org/cissp/default.aspx [isc2.org]
      Only use your powers for good™ [computerhope.com].

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: 1, Interesting) by Anonymous Coward on Sunday April 30 2017, @08:26PM (5 children)

    by Anonymous Coward on Sunday April 30 2017, @08:26PM (#501980)

    Can someone please explain why having a 14 digit complex password is any better than having a 6 letter dictionary word? This is in the context of logging onto my bank account or credit card online. With only 3 tries before getting locked out I can't see any value in a password more complicated than a simple word.

    • (Score: 2) by rigrig on Sunday April 30 2017, @09:10PM (1 child)

      by rigrig (5129) <soylentnews@tubul.net> on Sunday April 30 2017, @09:10PM (#502000) Homepage

      Because once someone seriously wants to target that bank they'll start brute forcing logins, locking out lots of customers. Then the bank has to choose between leaving all those customers unable to login, or disabling their three-strike policy...

      --
      No one remembers the singer.
      • (Score: 2) by hendrikboom on Monday May 01 2017, @01:49AM

        by hendrikboom (1125) Subscriber Badge on Monday May 01 2017, @01:49AM (#502093) Homepage Journal

        The three-strike rule is particularly difficult for people with disabilities, such as Parkinson's disease. They simply cannot type the password correctly in only three tries.

    • (Score: 2) by http on Sunday April 30 2017, @11:50PM (1 child)

      by http (1920) on Sunday April 30 2017, @11:50PM (#502052)

      It isn't.

      But it makes for great security theatre [xkcd.com].

      --
      I browse at -1 when I have mod points. It's unsettling.
    • (Score: 2, Informative) by davidjohnpaul on Monday May 01 2017, @01:11AM

      by davidjohnpaul (5377) on Monday May 01 2017, @01:11AM (#502076) Homepage

      There's an issue if the bank's password file/database is obtained by an attacker - they can then attempt to hack it while bypassing the "3 tries" rule, and dictionary words are much easier to try first. Hopefully the bank's just storing stretched, salted passwords, but that's impossible to know.
      Of course, if somebody does get access to your bank's password file/database, there's likely to be bigger problems...

  • (Score: 3, Insightful) by Runaway1956 on Sunday April 30 2017, @09:31PM (2 children)

    by Runaway1956 (2926) Subscriber Badge on Sunday April 30 2017, @09:31PM (#502009) Journal

    So - I can use the cloud to crack a password. Sounds great. A password that might take days to crack on my own hardware, might be revealed in minutes, or hours, with the help of the cloud. Cool. It all depends on how many CPU's I can bring to bear.

    But, what trail does it leave? Who is going to know that I used fifty (or 500) powerful CPU's to crack a complicated password? Is Amazon going to know what I've been doing? Might Amazon (or whoever) decide that this data should be handed to the NSA? I am still suspicious of the cloud. I'd rather spend the extra hours or days, doing my work on my own hardware. I've never spent more than two weeks revealing a password yet. I guess that makes it obvious that none of my targets have used truly secure passwords. (That was on an early dual core Sledgehammer - the machine I have today would probably do the same job in three or four days.)

    "Could some users of Kali Linux technically be called "thugs?""

    But, of course. The tools found in Kali are just that - tools. Some owners of guns are thugs, other people who have guns are called "peace officer". It all depends on how you use your tools.

    Oh - for those who don't know about them - rainbows. Gays don't get all the rainbows, LOL! There really isn't much need to brute force passwords anymore.
    https://www.lifewire.com/rainbow-tables-your-passwords-worst-nightmare-2487288 [lifewire.com]

    • (Score: 2) by hendrikboom on Monday May 01 2017, @01:45AM (1 child)

      by hendrikboom (1125) Subscriber Badge on Monday May 01 2017, @01:45AM (#502089) Homepage Journal

      I know what rainbow tables are. What I don't know is why they are called rainbow tables.

      • (Score: 1, Funny) by Anonymous Coward on Monday May 01 2017, @02:24AM

        by Anonymous Coward on Monday May 01 2017, @02:24AM (#502101)

        Guess:
        Because there is a pot of gold at the end of the rainbow (access to the account)?

  • (Score: 0) by Anonymous Coward on Monday May 01 2017, @01:02AM

    by Anonymous Coward on Monday May 01 2017, @01:02AM (#502073)

    Are there any known benchmarks for using Kali for cracking passwords? I assume password hashes are being cracked rather than trying to guess a password by sending automated queries to a web form.

    For example: how well does a salted bcrypt hash hold up to X number of Azure cloud GPU-using crack sessions?
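
Added example (not part of any comment above, and not code from Kali or any bank): the "stretched, salted" storage davidjohnpaul mentions, plus the offline-guessing arithmetic behind the 6-letter-word question and the salted-hash question just above. PBKDF2 from the Python standard library stands in for bcrypt; the iteration count, the 20,000-word list size and the guess rates are assumptions for illustration, not benchmarks.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor; tune to your own login-latency budget


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest): a random per-user salt and a stretched PBKDF2 digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space for `length` symbols drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate once the lockout no longer applies."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Two users with the same password get unrelated records, so a table
    # precomputed for unsalted hashes covers neither of them.
    (s1, d1), (s2, d2) = hash_password("horse"), hash_password("horse")
    print("records differ:", d1 != d2, "| verifies:", verify_password("horse", s1, d1))

    word = search_space_bits(20_000, 1)   # assumed: one word from a 20,000-word list
    rand14 = search_space_bits(94, 14)    # 14 random printable-ASCII characters
    print(f"dictionary word: {word:.1f} bits, 14 random chars: {rand14:.1f} bits")
    # Constructed guess rates: a fast unsalted hash vs. a stretched one.
    for label, rate in (("fast hash", 1e10), ("stretched", 1e4)):
        print(f"{label}: word falls in {years_to_exhaust(word, rate) * 31_536_000:.6f} s, "
              f"14 random chars need {years_to_exhaust(rand14, rate):.2e} years")
```

Stretching only scales the cost per guess: the dictionary word still falls in about two seconds at the slower assumed rate, while the long random password is out of reach at either.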
