Comments for Adventures of an Eternal Optimist http://eternallyoptimistic.com Fri, 29 Jan 2010 22:51:53 +0000 http://wordpress.org/?v=2.9.2 hourly 1 Comment on Oracle Waveset by » Soracle Waveset CQ2 | Ed Murphy http://eternallyoptimistic.com/2010/01/29/oracle-waveset/comment-page-1/#comment-554 » Soracle Waveset CQ2 | Ed Murphy Fri, 29 Jan 2010 22:51:53 +0000 http://eternallyoptimistic.com/?p=1492#comment-554 [...] Dingle from Ping Identity has an insightful post on the identity implications of the newly-approved Oracle acquisition of [...] [...] Dingle from Ping Identity has an insightful post on the identity implications of the newly-approved Oracle acquisition of [...]

]]> Comment on New Gig! by Dave Kearns http://eternallyoptimistic.com/2009/11/24/new-gig/comment-page-1/#comment-550 Dave Kearns Wed, 25 Nov 2009 05:32:15 +0000 http://eternallyoptimistic.com/?p=1418#comment-550 Does this mean leaving Calgary? Does this mean leaving Calgary?

]]> Comment on New Gig! by TerryG http://eternallyoptimistic.com/2009/11/24/new-gig/comment-page-1/#comment-549 TerryG Wed, 25 Nov 2009 04:45:19 +0000 http://eternallyoptimistic.com/?p=1418#comment-549 Congratulations, Pam, sounds like a great opportunity. Once you get settled we should talk, as both OpenID and now OAuth are likely in the (hopefully near) future. Does the new position imply a change of locale to Vancouver, Denver or Boston, or all three? Or none of the above? Keep in touch, and best regards...TCG Congratulations, Pam, sounds like a great opportunity. Once you get settled we should talk, as both OpenID and now OAuth are likely in the (hopefully near) future.

Does the new position imply a change of locale to Vancouver, Denver or Boston, or all three? Or none of the above? Keep in touch, and best regards…TCG

]]> Comment on New Gig! by stevenbender http://eternallyoptimistic.com/2009/11/24/new-gig/comment-page-1/#comment-547 stevenbender Tue, 24 Nov 2009 21:56:33 +0000 http://eternallyoptimistic.com/?p=1418#comment-547 Congratulations Pam! I am so happy for you. These Pingers are smart and I am sure you will contribute greatly. Please send me your new contact details, and PHONE me so we can catch up.:) As always wishing you the best, and grateful you are my friend. Steven Congratulations Pam!

I am so happy for you. These Pingers are smart and I am sure you will contribute greatly.

Please send me your new contact details, and PHONE me so we can catch up.:)

As always wishing you the best, and grateful you are my friend.

Steven

]]> Comment on Sears == Slimy by johndiii http://eternallyoptimistic.com/2009/09/24/sears-slimy/comment-page-1/#comment-544 johndiii Fri, 25 Sep 2009 23:43:50 +0000 http://eternallyoptimistic.com/?p=1383#comment-544 Wow. That's unbelievable. I'd be seriously angry at Sears. Of course, it's not helpful that the FTC took over eighteen months to come to some kind of solution - the story apparently came out in early January 2008. There ought to be a place to go to find out which companies use questionable practices like these. A net search is kind of hit or miss, depending on what one is looking for. Try googling "privacy practices". Wow. That’s unbelievable. I’d be seriously angry at Sears. Of course, it’s not helpful that the FTC took over eighteen months to come to some kind of solution – the story apparently came out in early January 2008.

There ought to be a place to go to find out which companies use questionable practices like these. A net search is kind of hit or miss, depending on what one is looking for. Try googling “privacy practices”.

]]> Comment on DIY Security for the Utterly Paranoid by futureidentity http://eternallyoptimistic.com/2009/08/26/diy-security-for-the-utterly-paranoid/comment-page-1/#comment-543 futureidentity Fri, 25 Sep 2009 16:49:00 +0000 http://eternallyoptimistic.com/?p=1348#comment-543 Absolutely agree. I have found it to be instructive (but scary) to ask IT security folks who manage authentication servers how the protection they give to password recovery questions stacks up against the protection they think appropriate to the passwords themselves. Absolutely agree. I have found it to be instructive (but scary) to ask IT security folks who manage authentication servers how the protection they give to password recovery questions stacks up against the protection they think appropriate to the passwords themselves.

]]> Comment on So funny I forgot to laugh by Pamela http://eternallyoptimistic.com/2009/08/24/so-funny-i-forgot-to-laugh/comment-page-1/#comment-542 Pamela Sat, 19 Sep 2009 05:25:46 +0000 http://eternallyoptimistic.com/?p=1317#comment-542 Great points - I suppose I think of a one-way hash as more of a bare minimum than "the" answer, but then considering that I called one-way hashes an industry best practice, perhaps I was setting the bar too low for banking best practices? Great points – I suppose I think of a one-way hash as more of a bare minimum than “the” answer, but then considering that I called one-way hashes an industry best practice, perhaps I was setting the bar too low for banking best practices?

]]> Comment on So funny I forgot to laugh by Raleigh http://eternallyoptimistic.com/2009/08/24/so-funny-i-forgot-to-laugh/comment-page-1/#comment-541 Raleigh Thu, 17 Sep 2009 06:05:14 +0000 http://eternallyoptimistic.com/?p=1317#comment-541 You have raised some good points. Here are a few things to consider. Using one way hash is not a good way to store passwords for e-commerce applications because anyone having access to hashed passwords can easily do a dictionary attack. Hashing algorithms are fast by design and you can hash around a million words on decent CPU. Try openssl speed to see what I mean here. Even a salt would not protect against this attack because the salt has to be stored some where and attacker can get that. A better way to protect passwords is to use FIPS 140-2 Level 3 or above devices which provide industrial strength encryption. The key never leaves the hardware crypto card and all crypto operations are performed inside the device. That's what most banks use. Asking for random characters from your password does protect against key loggers. Seems like a good idea to me. You have raised some good points. Here are a few things to consider. Using one way hash is not a good way to store passwords for e-commerce applications because anyone having access to hashed passwords can easily do a dictionary attack. Hashing algorithms are fast by design and you can hash around a million words on decent CPU. Try openssl speed to see what I mean here. Even a salt would not protect against this attack because the salt has to be stored some where and attacker can get that.

A better way to protect passwords is to use FIPS 140-2 Level 3 or above devices which provide industrial strength encryption. The key never leaves the hardware crypto card and all crypto operations are performed inside the device. That’s what most banks use.

Asking for random characters from your password does protect against key loggers. Seems like a good idea to me.

]]> Comment on So funny I forgot to laugh by Daily Digs – 09.15.2009 « Security Stallions Blog http://eternallyoptimistic.com/2009/08/24/so-funny-i-forgot-to-laugh/comment-page-1/#comment-540 Daily Digs – 09.15.2009 « Security Stallions Blog Wed, 16 Sep 2009 03:32:17 +0000 http://eternallyoptimistic.com/?p=1317#comment-540 [...] This was one of the best / most disturbing banking related articles I’ve read in a while.  It’s also why you shouldn’t do most any online business with HSBC.  I hope HSBC just had a PCI audit done by a large firm so that particular QSA can head to the chopping block.  This one’s just downright “special” (and not really from today, but I ran across it in my feeds). [So Funny I Forgot To Laugh] [...] [...] This was one of the best / most disturbing banking related articles I’ve read in a while.  It’s also why you shouldn’t do most any online business with HSBC.  I hope HSBC just had a PCI audit done by a large firm so that particular QSA can head to the chopping block.  This one’s just downright “special” (and not really from today, but I ran across it in my feeds). [So Funny I Forgot To Laugh] [...]

]]> Comment on Second Class (Non) Citizens by ignisvulpis http://eternallyoptimistic.com/2009/09/06/second-class-non-citizens/comment-page-1/#comment-538 ignisvulpis Mon, 07 Sep 2009 13:52:00 +0000 http://eternallyoptimistic.com/?p=1363#comment-538 Some time ago I made a fool out of myself by trying to share a video on a German video portal called Clipfish.de. I uploaded the video that I had created and notified friends where they could view it. Some potential viewers are from Canada and the US. But then messsages dropped in with complaints that they are not allowed to view my video because copyright reasons restrict the access to viewers in Germany. I felt so stupid :-/ Some time ago I made a fool out of myself by trying to share a video on a German video portal called Clipfish.de. I uploaded the video that I had created and notified friends where they could view it. Some potential viewers are from Canada and the US. But then messsages dropped in with complaints that they are not allowed to view my video because copyright reasons restrict the access to viewers in Germany. I felt so stupid :-/

]]>