Showing posts from January, 2010

Out of Context Graph Challenge #1

I'm struggling with the best way to graph some new data I just analyzed based on the RockYou list. Since I'm also too lazy to write up a full post on it right now, I thought I might as well throw it out as a challenge to the five or so people who read this blog. I'll buy a beer for the first person who can correctly state what the following graph shows. The beer is redeemable at any conference I happen to meet you at, (For example: Shmoocon). Here are a few hints:

- It is based on a subset of one million passwords from the RockYou set
- It has to deal with a project I am working on
- There is one word you MUST include in your submission for it to be valid

Answers will only be accepted in the comments. This contest will run until someone gets it right or I actually get around to writing a post on this. Imaginary bonus points are applied if you have any suggestions on a better way to graph the data.

More Analysis of the Rockyou Password List - Strong Passwords

So it's been an interesting last couple of days. First of all, it's a bit amazing how popular the Rockyou list has become after it was mentioned in the New York Times article. While I'm not going to provide a link, let's be honest, if you can't find it, you are not looking. The thing that keeps going through my head is that we may have just narrowly missed having a black swan event, (Ok, Mr. O'Conner just posted about those in his blog so the term is stuck in my head, even though I'm using it wrong.) Can you imagine what would have happened if the public RockYou list had contained e-mail addresses? While lists of this size have been distributed before, (and black hats have been able to obtain the whole list + email addresses), I really don't know what a public disclosure of a list this size containing e-mail addresses and passwords would be like. It probably won't lead to an internet apocalypse, but we would have people looking up friends/co-wo

New York Times Article

When I was interviewed a week and a half ago by a reporter from the New York Times about the Rockyou hack, I honestly never expected for it to end up on the front page of the newspaper, but there you go. As a friend mentioned though, it doesn't really count since it's below the fold ;) While I'm ecstatic about being quoted, there are a few things I wish could have been changed. Just saying that makes me feel like the guy who won the million dollar lottery, but is annoyed that he didn't get the 10 million jackpot. That being said, I have a blog, and this is the internet so I might as well complain away ;) First of all, I feel the need to explain my quote. Here is an excerpt from my conversation with the reporter:

Matt's Brain: "Don't say anything stupid. Don't say anything stupid. Don't say anything stupid..."

Reporter: "I take it this is the largest password list ever stolen right?"

Me: "Well, it's the largest one ever p

Analysis of 10k Hotmail Passwords Part 6: Markov Model Showdown 2 - The Rematch

I know, soon my titles will get so long I won't be able to fit them into a Twitter post. It was all I could do to leave off a tagline such as "Revenge of the Incremental Mode." I just received an e-mail from SolarDesigner, the creator of John the Ripper, who promptly set me straight on a few points about how the incremental attack works. I'm going to break down the e-mail into two parts. The first part is as follows:

Matt,

In your very interesting blog post at: you made some incorrect statements/guesses about the incremental mode:

"Unfortunately it doesn't take into account the previous trigraphs that appeared before it,"

Not true.

"(except when calculating the overall probability)."

No idea what you mean here.

"For example, if the first trigraph is "auq", the next trigraph's probability isn't increased if it starts with a 'u',"

From the "That's Just Not Cool" Department

So it looks like a spammer managed to modify the Hackers for Charity webpage so they could put all their fake drug medication links into it. Hint, view source-code and then scroll down to the very bottom. This does lead to some interesting observations though:

- The person who did this has no idea about the webpage they were hacking. If it was a targeted hit, (think ZF0), they probably would have done some visible defacing. If it is someone just looking to make money, there's no way they would knowingly tangle with all the heat that is probably going to be coming their way soon.
- Web page security is really hard. Over the last 6 months we've seen a large number of people in the security field have their webpages get hacked. Heck, even the NSA's main webpage was defaced.

What does this say about the white-hat security community? As a member of that community this drives home the point that humility is important in this line of work. I expect that the Hackers for Charity webpag

State of The Blog: 2010

I know most people normally do this at the beginning of January, but like so much else I'm running behind ;) What I really wanted to do was give you readers, (all 10 or so of you now), an update on where I'm at, my goals for the following 6 months, and why my update schedule might be kind of wacky.

Goal 1: Graduate

Yes, I have been researching password cracking since August 2007, and as much as I love college, it's time to move on to the real world. Or I hope it's time, as I still have that pesky dissertation to write. Getting that done is my #1 priority right now, and to be honest I don't know how that will impact this blog. The dissertation itself will mostly cover my work developing a probabilistic password cracker, though I'll also be covering some of my other tools such as my dictionary based rainbow tables. I'm a little ashamed I haven't posted more about my probabilistic password cracker here since I've become a true believer in it. It's

A Quick Preview

There's been a bunch of requests about this, so I thought I'd post a couple of screenshots of something I've been working on over the holiday break.