comp.lang.c - 4 new messages in 3 topics - digest
comp.lang.c
http://groups.google.com/group/comp.lang.c?hl=en
Today's topics:
* C - gets() function implementation help - 1 messages, 1 author
http://groups.google.com/group/comp.lang.c/t/7bd0bc765a2e9603?hl=en
* Looking for NNTP server - 1 messages, 1 author
http://groups.google.com/group/comp.lang.c/t/b27bbc7383c9d155?hl=en
* dynamic buffer allocation at char buf[1] - 2 messages, 2 authors
http://groups.google.com/group/comp.lang.c/t/969816eb2d0fdbaf?hl=en
==============================================================================
TOPIC: C - gets() function implementation help
http://groups.google.com/group/comp.lang.c/t/7bd0bc765a2e9603?hl=en
==============================================================================
== 1 of 1 ==
Date: Sun, Apr 11 2010 11:23 pm
From: Phil Carmody
Barry Schwarz <schwarzb@dqel.com> writes:
> On Mon, 12 Apr 2010 00:26:24 +0300, Phil Carmody:
>>Barry Schwarz <schwarzb@dqel.com> writes:
>>> On Sun, 11 Apr 2010 19:15:15 -0000, "bartc" <bartc@freeuk.com> wrote:
>>>>"Barry Schwarz" <schwarzb@dqel.com> wrote:
>>>>> Believe it or not, there are real security people who say that
>>>>> displaying those cute little asterisks is a bad idea.
>>
>>If we have the same security expert in mind, he changed his mind
>>over such things radically a while back. A perfect example of why
>>Appeal to Authority really can be a logical fallacy.
>>
>>>>> It allows any
>>>>> over-the-shoulder lurker to see how many characters are in your
>>>>> password, thus making attempts to hack the password easier.
>>>>
>>>>(Does it? What word am I thinking of at this minute? I'll give you a clue:
>>>>it's got 7 letters and not 6 or 8 or 9.
>>>
>>> So now my exhaustive attack no longer has to deal with any password
>>> length other than 7. Considering only letters and numbers, a
>>> 6-character password can contain any of pow(6,36) possible values.
>>> Similar values for the longer ones. By restricting my effort, you
>>> have reduced my task by 99.988%, from 2.28556E34 to 2.65173E30.
>>> (Calculation performed using Excel 2003 with default options.) A
>>> ten-thousand fold reduction in effort meets my definition of easier.
>>
>>If you'd be saving 99.988%, then you'd have been doing it wrong.
>>
>>You've not indicated in what order you would perform your exhaustive
>>attack. Most sensible techniques will start with the lowest entropy
>>ones first. Therefore you'd not even start any 8- or 9- character ones
>>until you'd completed the 7-character ones. Therefore you can't count
>>the fact that you don't search >7-character passwords as a saving.
>>
>>You can avoid searching shorter passwords, but that's a saving of 2.9%
>>(or 1.6% if you assume mixed case).
>
> So a divide and conquer strategy where different resources are used in
> parallel to test passwords of different lengths wouldn't be sensible.
> Neither would one where the resources are split depending on some
> initial sequence of characters.
By length, nope, chopping off only a couple of % of the work isn't
divide and conquer. If you were going to not use a dictionary-
based attack you would split the work based on initial sequences of
characters, as each of the work packets would be expected to take
the same length of time, and you can get "embarrassing parallelism".
Using a dictionary, you'd probably split on the word you're doping
the attempt with, and again it would be mostly embarrassingly parallel.
(The transforms you'd apply to the word would mean that you'd
probably be testing duplicates, and so you'd have more overhead trying
to reduce that.)
> I thought I read an article some
> years ago how a collaborative effort (along the lines of SETI) was
> able to factor a very large composite number into its two large prime
> constituents in a quite reasonable time frame.
As someone closely involved in distributed factoring, I find the
reference to SETI annoying. People were doing distributed factoring
long before nonsense like SETI ever existed. (But the protocols,
being email based and requiring humans to step through the state
machine manually, have been honed a lot since those days.)
> It seems that hacking
> a password could achieve the same benefit. But, since I don't attempt
> to hack passwords, I must allow for the possibility you're right.
These are all "embarrassingly parallel" problems. It doesn't take
any experience of cracking passwords to model an attack on such a
problem. It's probably in the 101 class for distributed computing.
Phil
--
I find the easiest thing to do is to k/f myself and just troll away
-- David Melville on r.a.s.f1
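Added example, not part of any post in the thread: the keyspace arithmetic behind the exchange above, counting candidates as alphabet size raised to password length, so a defender can see how little a disclosed length gives away. The function names are hypothetical; the alphabet sizes (36, and 62 for mixed case) and the lengths 6 to 9 come from the thread, and expressing the shortest-first cost relative to the 7-character space is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* alphabet^len; 0 signals overflow of 64 bits or an empty alphabet. */
static uint64_t keyspace_exact(uint64_t alphabet, unsigned len) {
    uint64_t n = 1;
    for (unsigned i = 0; i < len; i++) {
        if (alphabet == 0 || n > UINT64_MAX / alphabet)
            return 0;
        n *= alphabet;
    }
    return n;
}

/* Candidates of every length lo..hi inclusive; 0 on overflow or empty range. */
static uint64_t keyspace_range(uint64_t alphabet, unsigned lo, unsigned hi) {
    uint64_t total = 0;
    for (unsigned len = lo; len <= hi; len++) {
        uint64_t n = keyspace_exact(alphabet, len);
        if (n == 0 || total > UINT64_MAX - n)
            return 0;
        total += n;
    }
    return total;
}

/* Shortest-first search: candidates shorter than len, relative to the
 * candidates of length len itself. -1.0 if len < 2 or on overflow. */
static double shorter_overhead(uint64_t alphabet, unsigned len) {
    if (len < 2) return -1.0;
    uint64_t shorter = keyspace_range(alphabet, 1, len - 1);
    uint64_t exact = keyspace_exact(alphabet, len);
    return (shorter && exact) ? (double)shorter / (double)exact : -1.0;
}

/* Flat search over lengths lo..hi: share of candidates ruled out once the
 * length is known to be exactly `known`. -1.0 on bad input or overflow. */
static double flat_saving(uint64_t alphabet, unsigned lo, unsigned hi, unsigned known) {
    uint64_t all = keyspace_range(alphabet, lo, hi);
    uint64_t one = keyspace_exact(alphabet, known);
    if (!all || !one || known < lo || known > hi) return -1.0;
    return 1.0 - (double)one / (double)all;
}

int main(void) {
    printf("shortest-first, 36 symbols: %.1f%%\n", 100 * shorter_overhead(36, 7));
    printf("shortest-first, 62 symbols: %.1f%%\n", 100 * shorter_overhead(62, 7));
    printf("flat over 6..9, 36 symbols: %.3f%%\n", 100 * flat_saving(36, 6, 9, 7));
    return 0;
}
```

The shortest-first ratio is close to 1/(alphabet - 1) for any length, which is why the figure barely moves as passwords get longer.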
==============================================================================
TOPIC: Looking for NNTP server
http://groups.google.com/group/comp.lang.c/t/b27bbc7383c9d155?hl=en
==============================================================================
== 1 of 1 ==
Date: Sun, Apr 11 2010 11:37 pm
From: Phil Carmody
Seebs <usenet-nospam@seebs.net> writes:
> On 2010-04-06, Default User <defaultuserbr@yahoo.com> wrote:
>> For text-only access, reasonable free options are <http://www.aioe.org> and
>> http://www.eternal-september.org/
>
> aioe.org is the host of the troll posting the "seebs/schildt" messages. A
> bit of research turns up general suspicions that this is not a good choice
> for news servers -- because the troll picked them for a good reason.
Any time I see idiocy on usenet, one of the first things that goes
through my mind is that it's just another aioe idiot. So much so
that kooks, cranks, and trolls from there now have a blanket ban
in some of the newsgroups I read:
~/News/rec.autos.sport.f1.SCORE:5: ("aioe.org!not-for-mail" -1000 nil s)
~/News/sci.crypt.SCORE:138: ("user.aioe.org" -1000 nil s)
~/sci.math.SCORE:342: ("X-Complaints-To: abuse@aioe.org" -1000 nil s)
(I'm surprised it's not more than just 3 groups, to be honest!)
> Basically, their policy comes down to "you can pursue your vendetta here
> for free and with total anonymity", so the rational thing to do is probably
> to ignore anything from them -- making it a bad choice for people whose goals
> include participation in topical discussions.
It's not total anonymity any more, it's pseudonymity, as they do
have a consistent identification for each account that can be kill-
filed or reported for abuse purposes. However, there's little to
stop trolls registering a steady stream of such accounts. I've not
been tempted to remove aioe from any of the killfiles, shall we say.
Phil
--
I find the easiest thing to do is to k/f myself and just troll away
-- David Melville on r.a.s.f1
==============================================================================
TOPIC: dynamic buffer allocation at char buf[1]
http://groups.google.com/group/comp.lang.c/t/969816eb2d0fdbaf?hl=en
==============================================================================
== 1 of 2 ==
Date: Mon, Apr 12 2010 12:02 am
From: Michael Foukarakis
On Apr 11, 6:54 pm, Willem <wil...@turtle.stack.nl> wrote:
> Along with multi-character character initializers.
> For example: unsigned long exif_tag = 'EXIF';
Posting that as if it were a piece of code actually encountered in the
wild and considered half-useful made me shed a little tear.
== 2 of 2 ==
Date: Sun, Apr 11 2010 11:59 pm
From: Seebs
On 2010-04-12, Michael Foukarakis <electricdelta@gmail.com> wrote:
> On Apr 11, 6:54 pm, Willem <wil...@turtle.stack.nl> wrote:
>> Along with multi-character character initializers.
>> For example: unsigned long exif_tag = 'EXIF';
> Posting that as if it were a piece of code actually encountered in the
> wild and considered half-useful made me shed a little tear.
It was an idiom very popular on pre-OS X macs, where it was used to
create 32-bit values for use as "creator" and "type" tags.
Not a big fan, myself, but it was a plausible idiom, because it allowed
you to compare the 32-bit values rather than iterating through strings.
-s
--
Copyright 2010, all wrongs reversed. Peter Seebach / usenet-nospam@seebs.net
http://www.seebs.net/log/ <-- lawsuits, religion, and funny pictures
http://en.wikipedia.org/wiki/Fair_Game_(Scientology) <-- get educated!
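Added example, not code from any poster in the thread: a portable way to get the 32-bit tag comparison described above without a multi-character constant, whose value the C standard leaves implementation-defined. FOURCC, TAG_TEXT, read_tag, tag_to_string and classify are hypothetical names, the first-byte-most-significant packing is an assumption, and the sample buffer is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Pack four bytes into a 32-bit tag, first byte most significant. A multi-
 * character constant such as 'EXIF' has an implementation-defined value;
 * this macro yields the same number on every compiler and byte order. */
#define FOURCC(a, b, c, d)                                              \
    (((uint32_t)(uint8_t)(a) << 24) | ((uint32_t)(uint8_t)(b) << 16) |  \
     ((uint32_t)(uint8_t)(c) << 8) | (uint32_t)(uint8_t)(d))

#define TAG_EXIF FOURCC('E', 'X', 'I', 'F') /* tag text from the thread */
#define TAG_TEXT FOURCC('T', 'E', 'X', 'T') /* constructed second tag */

/* Read the leading tag of a buffer; returns 0 if it holds fewer than 4 bytes. */
static int read_tag(const unsigned char *buf, size_t len, uint32_t *tag) {
    if (buf == NULL || tag == NULL || len < 4)
        return 0;
    *tag = FOURCC(buf[0], buf[1], buf[2], buf[3]);
    return 1;
}

/* Render a tag for logging; bytes outside printable ASCII become '?'. */
static void tag_to_string(uint32_t tag, char out[5]) {
    for (int i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)(tag >> (24 - 8 * i));
        out[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
    }
    out[4] = '\0';
}

/* Dispatch on the tag with integer comparisons instead of string compares. */
static const char *classify(const unsigned char *buf, size_t len) {
    uint32_t tag;
    if (!read_tag(buf, len, &tag))
        return "truncated";
    switch (tag) {
    case TAG_EXIF: return "exif";
    case TAG_TEXT: return "text";
    default:       return "unknown";
    }
}

int main(void) {
    const unsigned char sample[] = { 'E', 'X', 'I', 'F', 0x00, 0x2a }; /* constructed */
    char name[5];
    tag_to_string(TAG_EXIF, name);
    printf("%s 0x%08lx %s\n", name, (unsigned long)TAG_EXIF, classify(sample, sizeof sample));
    return 0;
}
```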
==============================================================================