Champions of LGBTQ life and culture in Rochester, NY since 1973.
Wednesday August 23rd 2017



Ireland’s gay leader marches in Montreal Pride

According to Canadian Prime Minister Justin Trudeau marched Sunday in Montreal’s Gay Pride parade, joined by Ireland’s first openly gay leader Leo Varadkar.

Sporting white jeans and a casual light blue button-up, Trudeau waved a rainbow flag with his Irish counterpart at his side as they participated in the annual event where several thousand people had gathered.

Earlier in the day at a joint press conference Trudeau vowed “strength through diversity” in the face of recent attacks in Spain and Burkina Faso.

“These recent acts of terror are despicable,” the Canadian leader said. “They seek to divide the global community, aiming to pit neighbor against neighbor.

“But these cowards will not win,” he continued. “We will continue to do as we have done, standing united and stronger in the face of hatred.

“We will be emboldened in our values, values of love, acceptance, and strength through diversity.”

Prime Minister Varadkar, who took office in June, is the first foreign head of government to join a Canadian pride celebration.

He said Canada and Ireland must work in tandem to advance equal rights, particularly in places where they are threatened.

-

Chile considers marriage equality bill

Michelle Bachelet

Gay Star News reports:

Chile’s president Michelle Bachelet will formally introduce a bill to allow same-sex couples to get married. The measure will be introduced on 28 August.

Chilean LGBTI advocacy group the Movement for Homosexual Integration and Liberation has said the marriage and an adoption bill was reached as part of an agreement with Bachelet’s government in 2016. However, it remains unclear whether the bill will also extend adoption rights.

If the bill succeeds, Chile would become the world’s 25th nation to legalize same-sex marriage and the fifth to do so in South America after Argentina, Brazil, Colombia, and Uruguay.


Safer Computing: WannaCry, and Other Stories

By David Frier

You’ve probably read news stories in the past several weeks about the “WannaCry” worm (also known as WanaCrypt0r, or WCRY for short). Or, you may have seen the second wave mentioned; this one is named after an older malware, Petya. These are ransomware variants that exploit a vulnerability in Windows known as ETERNALBLUE to get into your system.

If you’re wondering why the name of this thing looks like an NSA code-word… wonder no more. It is exactly that. ETERNALBLUE is one of a fistful of vulnerabilities that were discovered in Windows years ago by the NSA, who then named it, and kept it to themselves.

There’s plenty of speculation that Microsoft may have been “encouraged” — for years — not to patch this bug. Exploiting it on “bad guys’” computers was productive for the intelligence community. So this flaw remained and was even carried forward in all modern versions of the Windows operating system, dating back to Windows XP for end-user computers, and Windows 2000 for servers.

I know that was a lot of jargon. But this is what I want you to come away understanding: if you bought a Windows 8, 8.1 or 10 computer, it contained a security flaw that Microsoft knew about and may even have helped design. One that has been in all versions of Windows for over a decade.

In February, Microsoft took the highly unusual step of not releasing patches on Patch Tuesday (the second Tuesday of each month). Then in March, we got two things in quick succession. First was the so-called Vault7 release, a large Wikileaks dump of CIA and NSA documents about the tools and exploits they use to hack computers anywhere. It was in the Vault7 documents that we learned the name, ETERNALBLUE. A few days later, we got a very large Microsoft patch release, including a fix for ETERNALBLUE and a handful of similar vulnerabilities.

In late April, the WannaCry ransomware hit it big, and it wormed its way into Windows systems via… you guessed it! ETERNALBLUE! The fix coming out so soon before the worldwide outbreak of the ransomware that used it, well, it raised eyebrows in the security community. The most charitable explanation is that the Vault7 revelations led Microsoft to assume a malware exploiting the flaw would soon hit the scene, so they had no viable choice but to fix it now. Besides, its publication by Wikileaks had already reduced the value of the flaw to the intelligence community. All good things must come to an end.

As a further measure of how seriously Microsoft was trying to atone, they released the ETERNALBLUE patches not only for all currently-supported versions of Windows, but also for Windows XP and Server 2003, two versions for which Microsoft had stopped issuing even security patches a couple of years back.

Password Guidance Updated

Have you been told, probably at work, to change your password(s) within the past 90 days? Are you required to make your passwords look L!k3-Thi$ because of seemingly insane complexity rules? It all stems from a publication by the National Institute of Standards and Technology (NIST) with the seemingly innocuous name, “NIST Special Publication 800-63 Appendix A.”

This was written primarily by a fellow named Bill Burr, and his suggestions of complexity requirements plus frequent changes have led people to do things like make their password “P@55w0rd-001”. Then when it’s time to change it, they make it “P@55w0rd-002”. And so on. It gets the IT monkey off their back for another quarter, but, as you can easily tell, it doesn’t make the computing a whole lot safer. So people pick poor passwords, even though they fit the rules, and once they pick one poor one, they pick more and more like it because now those are easier to remember!

Well, now the retiree Bill Burr says, “N3v3R_m!^D”. In a reversal that was a long time coming, the guidelines for good passwords are changing and look much more in line with common sense. New guidelines are being published now, in the brand-new “NIST Special Publication 800-63B”. Seriously, someone needs to help them with some snappier titles. The new guidelines are summarized:

  • Systems should allow at least 64 characters in length to support the use of passphrases.
  • Systems should encourage users to make passphrases as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.
  • Systems should not impose other composition rules (e.g., mixtures of different character types) on passphrases.
  • Systems should not require that passphrases be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of compromise.
  • Passphrases should be checked at creation time against lists of commonly-used or known-compromised ones, and rejected if they appear on those lists.

With these guidelines, passwords will be both safer AND less annoying. A passphrase like “Jungle Fortune Dictionary Elephant Bubble” can be easily memorable to someone who has an association with those words. It will fail the old rules but pass the new ones, and it will be much harder to brute-force guess than the old style of passwords.
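For anyone who maintains a login system, here is the difference in code. This is an example added for illustration, not something from NIST or from the original column: it runs the column's own sample passwords through an old-style complexity check and through a check built on the new guidance. The blocklist is a tiny constructed sample, the 8-character minimum comes from SP 800-63B rather than from the column, and the `canonical` helper that sees through character swaps is a hypothetical extra.

```python
import re

# Constructed sample list; a real deployment loads a large corpus of
# commonly used and known-compromised passwords.
BLOCKLIST = {"password", "letmein", "qwerty", "123456", "iloveyou"}

MIN_LENGTH = 8   # SP 800-63B floor for user-chosen secrets (not stated in the column)
MAX_LENGTH = 64  # this example's cap; the guidance says it must be no lower than 64

# Hypothetical normalisation (an assumption of this example, not a NIST rule):
# undo common character swaps so disguised blocklist entries still match.
SWAPS = str.maketrans("@431!05$7", "aaeiiosst")


def canonical(pw: str) -> str:
    """Strip a trailing counter such as '-001', undo swaps, keep letters only."""
    base = re.sub(r"[\W_]*\d+$", "", pw)
    return re.sub(r"[^a-z]", "", base.lower().translate(SWAPS))


def old_rules_ok(pw: str) -> bool:
    """Composition rules of the kind the column describes as the old approach."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^\w\s]", pw) is not None)


def new_rules(pw: str) -> tuple[bool, str]:
    """Length and blocklist only: no composition rules, no forced expiry."""
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "longer than this system accepts"
    if pw.lower() in BLOCKLIST or canonical(pw) in BLOCKLIST:
        return False, "matches a commonly used or compromised password"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@55w0rd-001", "P@55w0rd-002",
                      "Jungle Fortune Dictionary Elephant Bubble"):
        print(f"{candidate!r}: old={old_rules_ok(candidate)} new={new_rules(candidate)}")
```

The two “P@55w0rd” variants satisfy every old composition rule yet reduce to a blocklisted word, while the five-word passphrase is rejected by the old rules only because it has no digit or symbol.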

