At first I thought this was a headline from weekend update. Apple to patent using app while on the phone. REally??? Come on Apple. If you get to do that then I want to patent using another app while listening to my tunes, or checking out a website while the gps is mapping my location. Come on... This is not a novel new way of doing things. Same goes for that stupid patent you pulled out of your butt against HTC. My hat was off to Steve, but really you should fire half of your legal staff and hire some engineers to get some real innovation going again. SIRI is not a bad start, however, I'm sure that if your going to keep up with the inane suits the Goog will be forced to smack SIRI with some voice control patents... REALLY!!!
Impress me...
Wednesday, December 21, 2011
Tuesday, November 15, 2011
Verisign Fail!
Recently the sites I run started getting this odd cert error. "The certificate has expired or is not yet valid". I looked at the expiry date and it seems ok. So I went off to do some googling for my info. Could not find a thing. My boss was still not understanding. I thought maybe it had something to do with the diginotar hack. (I still suspect there might be something here)
Anyway revisiting this issue two weeks later, I finally found this.
So looking at the verisign site I found that the advisory was indeed dated Oct 20th 2011. They expired it on Oct 24th. 4 days...Really?
It still appears that verisign revoked the intermediate cert and left all their customers hanging… No sort of warning or notice about when this would happen or what to do about it. You would think that if they issued a cert to you that at some point they would contact you to tell you it's not good. I understand they had to revoke it... that's a whole other issue. What I'm annoyed with is their lack of communication. Email is a powerful thing...
Thursday, October 13, 2011
Dennis Ritchie 1941 - 2011
The Father of C has passed away at 70. Probably even more of a profound impact on modern computing than that of Steve Jobs who passed away a week ago. Many languages and operating systems owe their heritage to the concepts that he implemented in C, Multics, and Unix.
Labels:
software,
technology
Thursday, October 6, 2011
Steve Jobs 1955 - 2011
Technology has lost an incredible visionary, Apple has lost an incredible business mind and leader.
Every computing device we use today from laptop to cell phone, to tablet, to mp3 player is what it is today because that's the way Steve envisioned it. I'm no Apple fan boy, I think some of the products are overpriced (I'm cheap) and have unnecessary propriety, but I cannot deny the impact Mr. Jobs has had on shaping our world with his vision of computing for everyone. In fact, he has helped foster my fascination with computing. In high school, I started learning basic programming on an Apple II during my lunch period. In college I took a desktop publishing class in 1987. In this class I got to use an Apple Lisa. It was sooooo Cool!. But it showed me the possibilities of localized computing and the beautiful GUI. Thanks for that.
Steve, you will be missed...
Every computing device we use today from laptop to cell phone, to tablet, to mp3 player is what it is today because that's the way Steve envisioned it. I'm no Apple fan boy, I think some of the products are overpriced (I'm cheap) and have unnecessary propriety, but I cannot deny the impact Mr. Jobs has had on shaping our world with his vision of computing for everyone. In fact, he has helped foster my fascination with computing. In high school, I started learning basic programming on an Apple II during my lunch period. In college I took a desktop publishing class in 1987. In this class I got to use an Apple Lisa. It was sooooo Cool!. But it showed me the possibilities of localized computing and the beautiful GUI. Thanks for that.
Steve, you will be missed...
Labels:
get the job done,
iPhone,
technology
Tuesday, August 30, 2011
Thoughts on Social Networking and Trust Networks
So there is a lot of grousing about how you have to use your real name on Google +. Many observers are casting this service as an identity management service. Consider the possibilities of the Internet if you could count on someone's identity. Right now there is much anonymity on the Internet that allows much mischief to take place (child porn and victimization, scams, etc). Look at what this guy did to some neighbors http://technolog.msnbc.msn.com/_news/2011/08/16/7387638-man-steals-57k-from-neighbors-using-their-facebook-info. What services could be realized if you had a secure easy method of guaranteeing someone's identity that you had never met before? Would this make fraud type activities more prevalent or less? If more people trust a system is it easier to pull off a scam?
I had a database systems teacher tell me once that when the East German government collapsed, they discovered huge warehouses of documentation on the citizens. It was generated by the citizens on their friends, neighbors, and relatives and the government was was trying to leverage it to find the citizens that should be questioned about their allegiance. My instructor went on to ask what would East Germany be like if the government had a database capable of cross referencing all that data? Would East Germany still be totalitarian? Contrast that to the present day free world, Facebook has created that database, and has people standing inline to use it. Once you are in you can map the relationships and understand who associates with whom. Scary to think that this info could one day be used against you. I personally do not participate in Facebook, but I see where some sites are trying to leverage the Facebook login process to authenticate you to the site. I guess this means that Facebook has some sort of API for the login? There is an API for ranking your friends http://technolog.msnbc.msn.com/_news/2011/08/18/7407307-code-reveals-top-victims-of-your-relentless-facebook-stalking.
To pull off what Google + is trying to do, they will have to provide more benefits to the "authenticated" user, above and beyond what an unverified user could have. Obviously we have setup trust type networks before. Certificate Authorities issues / signed cryptographic certs that allow a company to establish an identity for their servers/sites. This allows transactions and communication between servers, but what about people? If I trust Bob and I trust Mary and they trust me, should Mary trust Bob? Angie's List is a list of contractors that understand their reputation is something to leverage to do more business. Contrast this with Craigslist. Most of this site is really about anonymity... and let's face it Craigslist does have a problem with fraud.
What do you you think?
I had a database systems teacher tell me once that when the East German government collapsed, they discovered huge warehouses of documentation on the citizens. It was generated by the citizens on their friends, neighbors, and relatives and the government was was trying to leverage it to find the citizens that should be questioned about their allegiance. My instructor went on to ask what would East Germany be like if the government had a database capable of cross referencing all that data? Would East Germany still be totalitarian? Contrast that to the present day free world, Facebook has created that database, and has people standing inline to use it. Once you are in you can map the relationships and understand who associates with whom. Scary to think that this info could one day be used against you. I personally do not participate in Facebook, but I see where some sites are trying to leverage the Facebook login process to authenticate you to the site. I guess this means that Facebook has some sort of API for the login? There is an API for ranking your friends http://technolog.msnbc.msn.com/_news/2011/08/18/7407307-code-reveals-top-victims-of-your-relentless-facebook-stalking.
To pull off what Google + is trying to do, they will have to provide more benefits to the "authenticated" user, above and beyond what an unverified user could have. Obviously we have setup trust type networks before. Certificate Authorities issues / signed cryptographic certs that allow a company to establish an identity for their servers/sites. This allows transactions and communication between servers, but what about people? If I trust Bob and I trust Mary and they trust me, should Mary trust Bob? Angie's List is a list of contractors that understand their reputation is something to leverage to do more business. Contrast this with Craigslist. Most of this site is really about anonymity... and let's face it Craigslist does have a problem with fraud.
What do you you think?
Thursday, July 28, 2011
Wow.. at least I don't get auditited by this guy
For you IT type that have to endure the PCI audit, you know it's bit of a grind. However, this link shows that if you have someone that does not know what they are doing, it can be HELL.
http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants
This auditor really does not know what he is asking for, Also he does not know how passwords are stored securely (one way hash). His biggest fault is not understanding when he is wrong and doing the leg work to understand what people are telling him.
Enjoy.
http://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants
This auditor really does not know what he is asking for, Also he does not know how passwords are stored securely (one way hash). His biggest fault is not understanding when he is wrong and doing the leg work to understand what people are telling him.
Enjoy.
Labels:
audit,
enterprise_software,
humor,
PCI,
security
Tuesday, July 19, 2011
Netflix parental controls suck
So... Price hike x incompatible Parental Controls x New Competition = me walking.
I have been waiting patiently for over a year for a competent parental control system for netflix. Nothing is happening. I work as a developer. THIS IS NOT THAT HARD A PROBLEM TO SOLVE!
The main problem here is that Barney: Now I know my ABC's is lumped in with movies like Room in Rome.
Please, Please Please fix this before I have to go to what ever competitor can figure this out.... Apple?
I have been waiting patiently for over a year for a competent parental control system for netflix. Nothing is happening. I work as a developer. THIS IS NOT THAT HARD A PROBLEM TO SOLVE!
The main problem here is that Barney: Now I know my ABC's is lumped in with movies like Room in Rome.
Please, Please Please fix this before I have to go to what ever competitor can figure this out.... Apple?
Labels:
Netflix prize,
parental controls
Sunday, July 17, 2011
Password Complexity Regex redeux
Previously I had post a password complexity regex. Reevaluating this post I have discovered a problem. It's too confusing! Regular Expressions are sometimes confusing to create and debug. This leads some developers to shy away from using them. My original regex is good enough at evaluating the passowrd, however I think if you were to utilize several simpler regexes in an if statement then you can provide your user with specific guidance to what needs to be changed with the password. Here is an example
What this allows you to do is to reply back with specific message that will tell the password creator how to alter the new password. In addition, we have reduced to the complexity of the regexs down to some very simple verifications.
function check password(password)
{
if (! password.matches([A-Z]{2}))
{
alert("You must have at least 2 capital letters in your password);
}
else if (! password.matches([0-9]{2}))
{
alert("You must have at least 2 numbers in your password);
}
else if (! password.matches([*$%@]{2}))
{
alert("You must have at least 2 of *,$,% or @ characters in your password); }
}
} What this allows you to do is to reply back with specific message that will tell the password creator how to alter the new password. In addition, we have reduced to the complexity of the regexs down to some very simple verifications.
Labels:
enterprise_software,
password,
regex
Friday, July 1, 2011
When pressed... Delay, delay, delay
So most of us developers have pride in coding an application that gets a user his answer as fast as possible. I would like you to consider slowing things down a bit. I'm not simply talking about tweaking users to make them mad, I'm talking about adding real delay when you know you are being attacked.
For most web applications this is easy to do. After you detect the attack just do this.
Now lets consider my wrapped keystore algorithm from previous post(s). A keystore is quite a portable thing. Most attackers will scoop up this gem and "take it back to my workshop" (sorry could not resist the Grinch reference). Once in then the attacker would be free to parallelize his hardware and software and eventually gain access to the keys. My supposition in creating the keystore with wrapped keys was that the attacker could fairly trivially brute force the keystore's PBE once he had it in his own environs. But what if we throw some delay in the decryption for the wrapped keys algorithm, or better yet, get java to add it to the PBE? A extra second or two won't hurt my users...
I absolutely understand that my code can be reversed, and the code for delay taken out. But what if the actual decryption algorithm could be altered to have real delay induced? Some sort of actual work that takes 1-2 seconds of time to resolve when the password hash is created? I believe bcrypt already does something like this. Then this delay would be intrinsic to the algorithm.
Wow. Mick and the Stones were right, time really is on my side.
For most web applications this is easy to do. After you detect the attack just do this.
//lets pause for a bit. this will force a scripted attack to take much longer.
// remember in extreme cases a regular user can get this so we don't want to
// make it take too long.
try
{
Thread.sleep(genRandomTimeMS(10000, 20000));
} catch (InterruptedException e) {
e.printStackTrace();
} Another application of this technique is when an attacker is trying to brute force a password. Modern GPU cracking algorithms can try ~4 billion per second. However, if you add some delay (just 1 second) to the password checking algorithm then the 4 billion attempts take ... 126 years. The extra second for the user to log in is fairly imperceptible. Now I realize this is a special instance. Most web applications will lock the user out after 3 - 5 wrong attempts. It's really not applicable here, or is it? If an attacker has your list of user names, they can DDoS your entire list of users quite easily and quickly. What if we take this limit off? In it's place we place a 1-2 second delay. The impact to my valid users is trivial. The attacker will never have enough time to brute force a password, my user accounts cannot be DDoSed, and the number of support calls is reduced because users do not lock themselves out as quickly. I understand the nature of parallelization will gnaw at this technique. Any attacker with a botnet or cloud resources can pound my site, but instead of getting the answer almost immediately, I now have a measure of time for my app security to lock out the IPs trying to brute force me.
Now lets consider my wrapped keystore algorithm from previous post(s). A keystore is quite a portable thing. Most attackers will scoop up this gem and "take it back to my workshop" (sorry could not resist the Grinch reference). Once in then the attacker would be free to parallelize his hardware and software and eventually gain access to the keys. My supposition in creating the keystore with wrapped keys was that the attacker could fairly trivially brute force the keystore's PBE once he had it in his own environs. But what if we throw some delay in the decryption for the wrapped keys algorithm, or better yet, get java to add it to the PBE? A extra second or two won't hurt my users...
I absolutely understand that my code can be reversed, and the code for delay taken out. But what if the actual decryption algorithm could be altered to have real delay induced? Some sort of actual work that takes 1-2 seconds of time to resolve when the password hash is created? I believe bcrypt already does something like this. Then this delay would be intrinsic to the algorithm.
Wow. Mick and the Stones were right, time really is on my side.
Labels:
encryption,
enterprise_software,
security
Tuesday, June 28, 2011
The Principal of Least Privlege
So in my previous post we talked about some low hanging fruit in terms of securing your web applications MySQL server. Many of the items we discussed are based on the Principal of Least Privilege. This principal guides us as we secure out applications. Quite simply it means to restrict functionality, users and programs to fit the task that they are supposed to do. For example in our previous post we discussed creating an application db user that the application will use to access the app data in the schema. This user is limited in to only have access to the web app schema. In addition, we restrict this ID to only have CREATE, UPDATE, and DELETE on the tables in this schema. This is the Principal of Least Privilege in action.
This Principal can be applied across IT and business in many different ways. Users within this application should be restricted to be able to perform only the functions we want to allow and no more. The security officer that rekeys the application encryption should have an id that will only be able to do that specific task. The UNIX permission system is a another example if configured correctly. A user has read, write execute over his files and can set others so they only have read. UNIX sudo is really a violation of this principal, however, it's usage is logged so that is a mitigating control.
This Principal can be applied across IT and business in many different ways. Users within this application should be restricted to be able to perform only the functions we want to allow and no more. The security officer that rekeys the application encryption should have an id that will only be able to do that specific task. The UNIX permission system is a another example if configured correctly. A user has read, write execute over his files and can set others so they only have read. UNIX sudo is really a violation of this principal, however, it's usage is logged so that is a mitigating control.
Labels:
enterprise_software,
security,
technology,
web development
Thursday, June 2, 2011
Securing MySQL
Just a quick running list of the techniques needed to secure a MySQL server. If you have comments or other techniques, post them!
1. Do not use the MySQL root pass as the application password. Do not use the root user as your application user.
2. Setup an application specific id and only give it SELECT, UPDATE, DELETE for the specific tables of the application or to the application schema only.
3. Passwords for these ids must be 15 chars long
4. DB Passwords stored in application files must have the correct ACLs.
5. Learn how to use the creation of the user id to lock the db for access only from the application server. For example if your app server is at 192.168.0.4 then the application user would be applicationuser@192.168.0.4. This 'locks' the db from only accepting traffic from the server listed. If the db is colocated with the app server, then specify the user like this - applicationuser@localhost. Also assuming you need to login to the DB server to do maint then your root user would be root@localhost. This would force you to have localhost access before you could login as root.
6. Use a Object Relational Mapping technology to front the DB, thus preventing SQL injection attacks. If you must script, NEVER EVER concatenate SQL. If no ORM is availble, use whatever languages parameterized SQL scheme.
1. Do not use the MySQL root pass as the application password. Do not use the root user as your application user.
2. Setup an application specific id and only give it SELECT, UPDATE, DELETE for the specific tables of the application or to the application schema only.
3. Passwords for these ids must be 15 chars long
4. DB Passwords stored in application files must have the correct ACLs.
5. Learn how to use the creation of the user id to lock the db for access only from the application server. For example if your app server is at 192.168.0.4 then the application user would be applicationuser@192.168.0.4. This 'locks' the db from only accepting traffic from the server listed. If the db is colocated with the app server, then specify the user like this - applicationuser@localhost. Also assuming you need to login to the DB server to do maint then your root user would be root@localhost. This would force you to have localhost access before you could login as root.
6. Use a Object Relational Mapping technology to front the DB, thus preventing SQL injection attacks. If you must script, NEVER EVER concatenate SQL. If no ORM is availble, use whatever languages parameterized SQL scheme.
Labels:
enterprise_software,
hack,
mysql
Tuesday, March 29, 2011
Everyone knows that the truck nuts are supposed to hang from the trailer hitch
So the Army was working on a IED defuser to help our boys in the IRAQ. They came up with something that looks like this. Full Wired article is here http://www.wired.com/dangerroom/2011/03/pentagon-still-hearts-its-bogus-bomb-zapper/. Wow.
Labels:
humor
Monday, March 28, 2011
ATT handicaps my wifes new smartphone
My wife finally decided to make the jump from the iPhone to a 'NICE' HTC Inspire. Great hardware, to bad it is hobbled by ATT's stupid Android 2.2 build. No SWYPE. Wow... SWYPE was a major reason for convincing my wife to switch. I purchased a Samsung Captivate with 'droid 2.1 and SWYPE is included in the build. So I think no problem, I'll just got to the app store and load it. IT'S NOT IN THE APP STORE. So off I go to the SWYPE site. They have the download available there but I have to violate my phones TOS to load it.
Look ATT, you have totally taken a nice 4G capable (ATT's network != 4G) phone and made it less usable than my Black berry curve from 5 years ago. Shame on you. The phone has a 30 day return policy and I am seriously thinking of taking it back.
Look ATT, you have totally taken a nice 4G capable (ATT's network != 4G) phone and made it less usable than my Black berry curve from 5 years ago. Shame on you. The phone has a 30 day return policy and I am seriously thinking of taking it back.
Labels:
Android,
ATM,
smart phone
Friday, March 11, 2011
Wednesday, March 2, 2011
Benchmarking Java IO on Solaris.
So my boss has informed me that our application is due for a large volume increase. To that end he is wanting some testing done to determine if the application can handle the increase. The application performs full text searches on file ranging from 1k to 900 MB uncompressed. With the volume increase the 900 MB may go to 4 GB. Right now all the files are gzipped and they are searched real time when the user submits the query. To bench mark the capabilities for uncompressing and searching a file, I need to come up with an average case and a worst case scenario. My worst case scenario is when the file is on the file system but not in file cache, however, once I read the file then all subsequent tests are invalid because the file-cache will be delivering the file instead of the disk.
I pinged my SA about this and did some research. I tried touching the file, and deleting the file and copying in new version, anything to get the file cache to invalidate the file. Nothing worked. Then in my research I found two techniques to achieve this. The first is loading up the file cache with enough files that the only room left is smaller than the target file. This seemed to be problematic, so I have not gone down this path. I did find a jewel in the mount_ufs man page which leads me to believe that I can mount a dir and tell Solaris to keep these files out of file cache. It is called forcedirectio. I hope it works.
I pinged my SA about this and did some research. I tried touching the file, and deleting the file and copying in new version, anything to get the file cache to invalidate the file. Nothing worked. Then in my research I found two techniques to achieve this. The first is loading up the file cache with enough files that the only room left is smaller than the target file. This seemed to be problematic, so I have not gone down this path. I did find a jewel in the mount_ufs man page which leads me to believe that I can mount a dir and tell Solaris to keep these files out of file cache. It is called forcedirectio. I hope it works.
Labels:
IO testing,
java,
Solaris,
unix
Wednesday, February 23, 2011
The ironic and sad circumstances of the Arab revolts
Wow, what an interesting time to live in. The Internet has fostered pro-Democracy protests and revolutions in Bahrain, Yemen, Egypt, Libya, Iran,
Just some inconsistent circumstances of some of these events.
Just some inconsistent circumstances of some of these events.
- In Egypt, the police tried to put down the protesters with American made teargas.
- It's very hard for the Obama administration to "comment" consistently when we are allies with the very government that is about to be over thrown. With friends like us they don't need enemies.
- Iran's President Mahmoud Ahmadinejad is a real piece of work. He admonishes other countries governements to listen to the people and at the same time puts down protests in his own country
- "This is very grotesque. It is unimaginable that there is someone who kills and bombards his own people. I strongly advise them to let nations have their say and meet their nations' demands if they claim to be the officials of those nations,"
Labels:
Egypt,
revolution
Monday, February 21, 2011
Sharks with laser beams
I always wanted to write a post titled that. For the geeks out there they understand that phrase came from a movie about a meglomaniac bent on world domination.... Dr. Evil. But the laser beam due to it's linear quality can only be used defensively. Let me explain. Since the a beam of light is not affected by gravity that means I can only shoot line of sight at a target. Deploying a large laser system like this one http://www.wired.com/dangerroom/2011/02/unexpectedly-navys-superlaser-blasts-away-a-record/ will only allow us to shoot stuff out of the sky. I can't even really shoot a ship 100 miles away because the curve of the Earth gets in the way. This really reduces this application to a defensive one. To be truly offensive (i.e. hit a target on the far side of the globe) you need a projectile on a ballistic trajectory. However, if you can stuff all that hardware into a satellite then you could cover a much larger area and the laser becomes offensive in nature. So really Dr. Evil was just concerned with his own protection, after all his companies make substantially more than one miLLion dollars per day. ;-)
Wednesday, February 16, 2011
ATT CEO just does not get it
Randy Stephenson just does not get it. He wants to move into more lucrative pastures than supplying bandwidth. But supplying bandwidth is about all he does well. I have ATT uverse and ATT wireless. Uverse is a nice product. ATT Wireless meh... it works. ATT is trying to inject itself at a higher level than just a being carrier. He has made the case that apps should be universal. So you buy Angry birds on your iPhone and then upgrade to Android, you should be able to get the same app on that Android. (Really he wants to make his ATT bloatware universally available.)
On my new cell I get preloaded apps like the ATT Music Store. Kind of cool concept. And it would get billed through my ATT bill which is fairly convenient. However, if you read the EULA you find that downloading songs will only occur over 3G even though wireless lan signal is available. huh? When I read this, I instantly determined that I would not be using the ATT music store, and any other upsell service from ATT. Uverse movies will not be at our house either. Netflix rocks!
http://www.wired.com/gadgetlab/2011/02/att-ceo-bloatware/
I'm close to rooting my cell so I can get rid of the ATT crapware.
Not that I like Steve Jobs much better. His insistence on creating great hardware with a proprietary cable blows me away. I refuse to pay big bucks for that awesome hardware because I have to pay $30 for a charger to charge it. For my android phone I can purchase 2 batteries, an external charger and a USB cord for the same amount. And that iTunes app? Why do I have to have an app to drag tunes to my phone. Why can't I just usb connect and drop'em in?
http://store.apple.com/us/product/MB352LL/B?fnode=MTY1NDA0MQ&mco=MTA4Mzg5MDE
Steve... Android is going to eat your lunch. It's open, its good, and it's everywhere.
On my new cell I get preloaded apps like the ATT Music Store. Kind of cool concept. And it would get billed through my ATT bill which is fairly convenient. However, if you read the EULA you find that downloading songs will only occur over 3G even though wireless lan signal is available. huh? When I read this, I instantly determined that I would not be using the ATT music store, and any other upsell service from ATT. Uverse movies will not be at our house either. Netflix rocks!
http://www.wired.com/gadgetlab/2011/02/att-ceo-bloatware/
I'm close to rooting my cell so I can get rid of the ATT crapware.
Not that I like Steve Jobs much better. His insistence on creating great hardware with a proprietary cable blows me away. I refuse to pay big bucks for that awesome hardware because I have to pay $30 for a charger to charge it. For my android phone I can purchase 2 batteries, an external charger and a USB cord for the same amount. And that iTunes app? Why do I have to have an app to drag tunes to my phone. Why can't I just usb connect and drop'em in?
http://store.apple.com/us/product/MB352LL/B?fnode=MTY1NDA0MQ&mco=MTA4Mzg5MDE
Steve... Android is going to eat your lunch. It's open, its good, and it's everywhere.
Friday, February 11, 2011
Egyptian regieme falls to disruptive power of the internet.
Out founding fathers knew that our freedom was granted by access to firearms. That is why they put the right to bear arms in the constitution. The firearm is a double edged sword. Both good and bad can come about from it's use. But this was 235 years ago, in a different age, a different technology and a different revolution.
This week we are seeing history being made. The Defense initiatives of the Cold War have yielded the biggest threat to dictators and despots ever devised. We called it the Internet. The free flow of information is what this is about. In years past with out the information delivered by the Internet no one in Egypt would have heard about a man immolating himself in Tunisia. Yet this simple news item along with free speech to discuss the event are what set Egypt on it's ear and sent Mubarak packing.
The Internet, like the right to bear arms, is a double edged sword. There is much about the Internet that is undesirable. It will be an interesting second decade to watch and see how the Internet will shape the world around us. I'm sure other Middle East regimes are sweating a further chain reaction. Will the next government of Egypt recognize the source of the peoples power and make Internet access a right? Should it be a right?
This week we are seeing history being made. The Defense initiatives of the Cold War have yielded the biggest threat to dictators and despots ever devised. We called it the Internet. The free flow of information is what this is about. In years past with out the information delivered by the Internet no one in Egypt would have heard about a man immolating himself in Tunisia. Yet this simple news item along with free speech to discuss the event are what set Egypt on it's ear and sent Mubarak packing.
The Internet, like the right to bear arms, is a double edged sword. There is much about the Internet that is undesirable. It will be an interesting second decade to watch and see how the Internet will shape the world around us. I'm sure other Middle East regimes are sweating a further chain reaction. Will the next government of Egypt recognize the source of the peoples power and make Internet access a right? Should it be a right?
Labels:
Egypt,
Internet,
revolution
Friday, January 21, 2011
Wow HP printer software is such a pig!
I just reinstalled the printer on my wife's PC. We have HP Photosmart C7180. Anyway, when it installed it it loaded over 800 MB of software. For a printer driver?
Bloat?
Bloat?
Saturday, January 15, 2011
Happy New Year - Change your passwords
So at the beginning of the year my wife and have resolved to change all out passwords. We feel that going forward a yearly rotation of password will help the security of all out online accounts. I got to thinking this could be a good thing if a significant amount of users would jump on the bandwagon. Why wait until the scammers actually drain your account? As a whole we could preempt them. I'm sure there are lists of cracked accounts just waiting to be culled through. Resetting your password(s) will nullify all that info. I propose that 15th of January be Global Change Your Passwords Day.
Think of all money that has changed hands for all the cracked accounts lists circulating on the internet. By collectively changing all your passwords you reduce the value of these lists significantly. Think of it as an anti scammer flash mob. Talk about taking a bite out of crime.
It is NOT a good idea to use the same password for all you accounts. My wife and I use the following scheme for passwords. We segregate passwords according to purpose. Here are our categories.
Choosing a password is half art, half science. You want to get a password that is easy to remember and associate with the account. At the same time it needs to be strong enough that it is not easily cracked. So many sites have a policy of just allowing letters and numbers. This is just a really poor decision on the part of the website designer. It really limits the user on the potential passwords that could be utilized. Unfortunately since some sites do not allow these special characters we are stuck with the least common denominator.
Strong passwords have some attributes that contribute to the password strength
Length
Complexity
Ease of association
Ease of entry
Unfortunately the processing power of cloud based cracking programs means that length of your passwords will need to increase. An eight character password used to be acceptable. With the advent of the cloud processing resources this will need to increase to 12-14 characters.
To address complexity a combination of letter and numbers will ensure that your password will be difficult to crack with a dictionary attack Dictionary attacks utilize a list of dictionary words to compose attempts at cracking your password. If your password contains a combination of numbers and letters then the complexity is increased, rendering a dictionary attack more difficult.
Ease of association is what allows a password to be memorable. A password that is not memorable is one that will need to be written down, thus destroying the security of the password. To facilitate your memorizing the password there are some memorable techniques (sorry I could not resist). Your password could be a phrase like "TheseAreTheVoyages" or "MyDogHasFleas" or "TheShadowKnows". To add more complexity you should add in capitalization and some numbers. Using our examples we now have "TheseAreThe93Voyages" or "MyDogHas23Fleas" or "TheShadowKnows1102". Each of these is memorable, long enough and complex enough to protect your services.
Another technique to add complexity is lEEt or l33t. This is a technique for replacing letters with numbers that have similar look. A = 4, S = 5, O = 0, G = 6 B = 8 are examples. Here are our original phrases using l33t. "The5e4reTheV0yages" or "MyD0gH4sFleas" or "TheSh4dowKn0ws"
In a previous post I provided a regex that could be used as a password complexity checker. For you non programmer types I will be turning this into a javascript powered checker so that you can check your passwords.
Happy Global Password change day!
Think of all money that has changed hands for all the cracked accounts lists circulating on the internet. By collectively changing all your passwords you reduce the value of these lists significantly. Think of it as an anti scammer flash mob. Talk about taking a bite out of crime.
It is NOT a good idea to use the same password for all you accounts. My wife and I use the following scheme for passwords. We segregate passwords according to purpose. Here are our categories.
- Brokerage - Brokerages accounts, 401k etc.
- Banking - checking accounts, Loan servicing sites.
- Accounts with a Credit Card attached - Amazon, iTunes, Paypal, etc.
- Email - all email accounts.
- Blogs, other internet logins, twitter, facebook etc.
- Throw away accounts
Choosing a password is half art, half science. You want to get a password that is easy to remember and associate with the account. At the same time it needs to be strong enough that it is not easily cracked. So many sites have a policy of just allowing letters and numbers. This is just a really poor decision on the part of the website designer. It really limits the user on the potential passwords that could be utilized. Unfortunately since some sites do not allow these special characters we are stuck with the least common denominator.
Strong passwords have some attributes that contribute to the password strength
Length
Complexity
Ease of association
Ease of entry
Unfortunately the processing power of cloud based cracking programs means that length of your passwords will need to increase. An eight character password used to be acceptable. With the advent of the cloud processing resources this will need to increase to 12-14 characters.
To address complexity a combination of letter and numbers will ensure that your password will be difficult to crack with a dictionary attack Dictionary attacks utilize a list of dictionary words to compose attempts at cracking your password. If your password contains a combination of numbers and letters then the complexity is increased, rendering a dictionary attack more difficult.
Ease of association is what allows a password to be memorable. A password that is not memorable is one that will need to be written down, thus destroying the security of the password. To facilitate your memorizing the password there are some memorable techniques (sorry I could not resist). Your password could be a phrase like "TheseAreTheVoyages" or "MyDogHasFleas" or "TheShadowKnows". To add more complexity you should add in capitalization and some numbers. Using our examples we now have "TheseAreThe93Voyages" or "MyDogHas23Fleas" or "TheShadowKnows1102". Each of these is memorable, long enough and complex enough to protect your services.
Another technique to add complexity is lEEt or l33t. This is a technique for replacing letters with numbers that have similar look. A = 4, S = 5, O = 0, G = 6 B = 8 are examples. Here are our original phrases using l33t. "The5e4reTheV0yages" or "MyD0gH4sFleas" or "TheSh4dowKn0ws"
In a previous post I provided a regex that could be used as a password complexity checker. For you non programmer types I will be turning this into a javascript powered checker so that you can check your passwords.
Happy Global Password change day!
Labels:
fraud,
hack,
javascript,
password,
security
Subscribe to:
Posts (Atom)
