Bitcoin pool GHash.io commits to 40% hashrate limit after its 51% breach

Bitcoin pool GHash.io announced on Wednesday that “it is not aiming to overcome 39.99 [percent] of the overall Bitcoin hashrate."

This marks a clear departure from the large pool’s recent flirtations with 51 percent. If that threshold is crossed for sustained periods of time, it concentrates power in ways that Bitcoin’s decentralized design normally does not allow.

“If GHash.io approaches the respective border, it will be actively asking miners to take their hardware away from GHash.io and mine on other pools,” the statement continues. “GHash.io will encourage other mining pools to write similar voluntary statements from their sides.”

Read 6 remaining paragraphs | Comments

Cisco Addresses Wireless Residential Gateway Vulnerability

Original release date: July 16, 2014

Cisco has released an advisory to address a vulnerability in the web server used in multiple Wireless Residential Gateway products that could allow an unauthenticated, remote attacker to crash the web server and execute arbitrary code with elevated privileges.

  • Cisco products affected by this vulnerability include:
  • Cisco DPC3212 VoIP Cable Modem
  • Cisco DPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway
  • Cisco EPC3212 VoIP Cable Modem
  • Cisco EPC3825 8x4 DOCSIS 3.0 Wireless Residential Gateway
  • Cisco Model DPC3010 DOCSIS 3.0 8x4 Cable Modem
  • Cisco Model DPC3925 8x4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA
  • Cisco Model DPQ3925 8x4 DOCSIS 3.0 Wireless Residential Gateway with EDVA
  • Cisco Model EPC3010 DOCSIS 3.0 Cable Modem
  • Cisco Model EPC3925 8x4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA

Users and administrators are encouraged to review the Cisco Advisory and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.


Mathematics makes strong case that “snoopy2” can be just fine as a password

By now, most readers know the advice cold. Use long, randomly generated passwords to lock down your digital assets. Never use the same password across two or more accounts. In abstract terms, the dictates are some of the best ways to protect against breaches suffered by one site—say, the one that hit Gawker in 2010 that exposed poorly cryptographically scrambled passwords for 1.3 million users—that spread like wildfire. Once hackers cracked weak passwords found in the Gawker database, they were able to compromise accounts across a variety of other websites when victims used the same passcode.

A team of researchers says the widely repeated advice isn't feasible in practice, and they've provided the math they say proves it. The burden stems from the two foundations of password security that (A1) passwords should be random and strong and (A2) passwords shouldn't be reused across multiple accounts. Those principles are sound when protecting a handful of accounts, particularly those such as bank accounts, where the value of the assets being protected is considered extremely high. Where things break down is when the dictates are applied across a large body of passwords that protect multiple accounts, some of which store extremely low-value data, such as the ability to post comments on a single website.

Employing even relatively weak, 40-bit passwords (say, one with eight lower-case characters) across 100 accounts is equivalent to recalling 1,362 randomly chosen digits or 170 random eight-digit PINs, something that's well beyond the capabilities of most people. Reducing the number of bits by choosing more memorable passwords such as "password123" and "123456" helps ease the burden. But even then, users must have under their control 525 bits just to remember which weak password goes with which account. That's more than double what's required to memorize the order of a shuffled deck of cards. Yes, people can use password managers, but those available in the cloud may be susceptible to online attacks, and those that aren't Web-based lose one of the major advantages of passwords, which is their ability to be entered across any client device.

Read 5 remaining paragraphs | Comments