Password Authentication Tag Cloud
Earlier posts on this topic: Passwords and the average user, More on passwords, And yet more on passwords, and Practically speaking, the end is in sight for passwords.
H/T to Bruce Schneier for the link.
September 15, 2010
August 20, 2010
“C will not only let you shoot yourself in the foot, it will hand you a new magazine when you run out of bullets”
Charles Stross enumerates some of the ways “we went wrong” in the rush to today’s computing world:
According to one estimate pushed by the FBI in 2006, computer crime costs US businesses $67 billion a year. And identity fraud in the US allegedly hit $52.6Bn in 2004.
Even allowing for self-serving reporting (the FBI would obviously find it useful to inflate the threat of crime, if only to justify their budget requests), that’s a lot of money being pumped down a rat-hole. Extrapolate it worldwide and the figures are horrendous — probably nearer to $300Bn a year. To put it in perspective, it’s like the combined revenue (not profits; gross turnover) of Intel, Microsoft, Apple, and IBM — and probably a few left-overs like HP and Dell — being lost due to deliberate criminal activity.
Where does this parasitic drag come from? Where did we go wrong?
I’m compiling a little list, of architectural sins of the founders (between 1945 and 1990, more or less) that have bequeathed us the current mess. They’re fundamental design errors in our computing architectures; their emergent side-effects have permitted the current wave of computer crime to happen . . .
I make it a rule never to believe the order of magnitude claimed by a self-interested party about how much money is “lost” because of their current hobby-horse mopery and dopery. Even if the amount claimed by the FBI is off by an order of magnitude, that’s still serious money.
Comments Off on “C will not only let you shoot yourself in the foot, it will hand you a new magazine when you run out of bullets”
August 16, 2010
Practically speaking, the end is in sight for passwords
Advances in computing are not always uniformly beneficial: short passwords are increasingly vulnerable to brute-force cracking:
The availability of password-cracking tools based on increasingly powerful graphics processors means that even carefully chosen short passwords are liable to crack under a brute-force attack.
A password of less than seven characters will soon be “hopelessly inadequate” even if it contains symbols as well as alphanumerical characters, according to computer scientists at the Georgia Tech Research Institute. The security researchers recommend passwords at least 12 characters long.
The number crunching abilities of graphics processors were recently applied to commercial password auditing and recovery tools from Russian developer ElcomSoft. It’s a safe assumption that black hats are able to use the same type of technology for less laudable purposes. Richard Boyd, of the Georgia Tech Research Institute, told the BBC that the number-crunching capacity of graphics cards compares to those of supercomputers built only 10 years ago.
Passwords are going to go away, sooner rather than later. All of us have too many passwords to remember that it’s pretty much guaranteed that you’re using one of the following coping strategies:
- Using the same password on many different sites (or, shudder, all of them)
- Using a simple password (among the most commonly used are “password” and “letmein”)
- Leaving a sticky note on your monitor or your keyboard with your passwords listed
- Using the name of the site as your password for that site
There are tools available to generate passwords that avoid the most obvious pitfalls (too short, no numeric or non-alphanumeric characters, using full words), but very few people use them consistently. I don’t know what the replacement for passwords will be, but we clearly need to move to more secure ways of verifying identity as soon as we can.
Comments Off on Practically speaking, the end is in sight for passwords
August 9, 2010
IPv6 still not ready for primetime?
As you’ve probably heard, the current internet addressing system, IPv4, is running out of unallocated addresses. The replacement is called IPv6 and was supposed to be in use by now. Security concerns are holding it back:
The internet’s next-generation addressing scheme is so radically different from the current one that its adoption is likely to cause severe security headaches for those who adopt it, a researcher said last week.
With reserves of older addresses almost exhausted, the roll-out of the new scheme — known as IPv6 or Internet Protocol version 6 — is imminent. And yet, the radical overhaul still isn’t ready for prime time — in large part because IT professionals haven’t worked out a large number of security threats facing those who rely on it to route traffic over the net.
“It is extremely important for hackers to get in here fast because IPv6 is a security nightmare,” Sam Bowne, an instructor in the Computer Networking and Information Technology Department at the City College of San Francisco, said on day one of the Defcon hacker conference in Las Vegas. “We’re coming into a time of crisis and no one is ready.”
Chief among the threats is the issue of incompatible firewalls, intrusion-prevention devices, and other security appliances, Bowne said. That means many people who deploy IPv6 are forced to turn the security devices off, creating a dangerous environment that could make it easier for attackers to penetrate network fortresses.
Comments Off on IPv6 still not ready for primetime?
August 6, 2010
Tide turning on porn prosecutions in the UK?
After the US government’s prosecution of a pornography company owner collapsed last month, the British anti-porn campaign has suffered a setback. The Register reports on the case:
A stunning reversal for police and prosecution in North Wales may herald the beginning of the end for controversial legislation on possession of extreme porn.
The case, scheduled to be heard yesterday in Mold Crown Court, was the culmination of a year-long nightmare for Andrew Robert Holland, of Coedpoeth, Wrexham, Clwyd as the CPS declined to offer any evidence, and he left court a free man. The saga began last summer when, following a tip-off, police raided Holland’s home looking for indecent images of children. They found none, but they did find two clips, one involving a woman purportedly having sex with a tiger, and one which is believed to have depicted sado-masochistic activity between adults.
Despite Holland’s protests that he had no interest in the material, and that it had been sent to him unsolicited “as a joke”, he was charged with possessing extreme porn. In a first court appearance in January of this year, the “tiger porn” charge was dropped when prosecuting counsel discovered the volume control and at the end of the action heard the tiger turn to camera and say: “That beats doing adverts for a living.”
The laws are seriously skewed when the potential punishment for simple possession of “extreme” pornography approaches the actual punishment for serious violent crime.
August 5, 2010
US governments still finding this “free speech” thing annoying
If you support the notion of free speech, it is most important to support it during elections . . . but not everyone feels this way:
The Associated Press reports that California’s Fair Political Practices Commission (FPPC) is considering “how to regulate new forms of political activity such as appeals on a voter’s Facebook page or in a text message.
Not whether to regulate these new forms of political speech, but how.
The recommendations apparently include “requiring tweets and texts to link to a website that includes . . . full disclosures, although some people feel the disclosure should be in the text itself no matter how brief . . . .”
To paraphrase Chief Justice John Roberts, this is why we don’t leave our free speech rights in the hands of FPPC bureaucrats. To bureaucrats like those at the FPPC, the Federal Election Commission or their analogues, there seems to be no need to show any evidence that Twitter, Facebook or text messages actually pose any threat to the public. It is enough that they these new forms of low-cost media aren’t currently regulated, but could be. Their primary concern, apparently, is that the regulation of political speech be as comprehensive as possible.
Free speech can be a messy thing — but censorship is worse.
July 26, 2010
The unwillingness to disbelieve
Mike Elgan debunks the latest “mind-crogglingly cheap computer for the masses” announcement:
“India unveils $35 computer for students,” says CNN.com. “India unveils prototype for $35 touch-screen computer,” reports BBC News. “India to provide $35 computing device to students,” says BusinessWeek.
Wow! That’s great! Too bad it will never exist. That this announcement is reported straight and without even a hint of skepticism is incomprehensible to me.
[. . .]
India itself doesn’t build touch screens. They would have to be imported from China or Taiwan. The current price for this component alone exceeds $35. Like touch screens, most solar panels are also built in China. But even the cheapest ones powerful enough to charge a tablet battery are more expensive to manufacture than $35.
Plus you need to pay for the 2GB of RAM, the case and the rest of the computer electronics. Even if you factor in Moore’s Law and assume the absolute cheapest rock-bottom junk components, a solar touch tablet with 2GB of RAM cannot be built anytime soon for less than $100.
More to the point, no country in the world can build a cheaper computer than China can. The entire tech sector in China is optimized for ultra-low-cost manufacturing. All the engineering brilliance in India can’t change that.
There’s also the point that government bureaucracies and university engineering departments are not designed for or experienced in the mass production techniques that any of these “ultra-cheap but powerful” computing initiatives all require. Have you ever heard of a government that could keep their hands (and political priorities) out of the critical decision of where this wonder device would be assembled, tested, packed, and distributed? The “industrial policy” wonks would need to get intensely involved in such a decision and the location would have to meet diverse electoral and financial requirements (note that the economics of the project won’t even make the top five priorities in the process).
Awarding the contract to just one area would be unthinkable: the benefits must be seen to be helping areas that elected the current government and emphatically not going to opposition ridings. The horsetrading over that alone would consume any possible price advantage such a scheme might have over ordinary computers and software bought commercially.
Comments Off on The unwillingness to disbelieve
July 23, 2010
July 14, 2010
The upgrade dance
With the reminder yesterday that Microsoft has ended support for Windows XP Service Pack 2, I figured it was time to look at upgrading my computers to Windows 7. I’m not a “bleeding edge” kind of guy: I figure it’s safer to let other folks be the quality assurance department and I usually wait until the cries of pain and anguish from the first bunch of upgraders dies down before trying it myself.
I looked at the array of options (remember the days when there were only one or two flavours of operating system to worry about?) I was going to upgrade my laptop first, as it’s already been blighted with Vista, which is supposed to mean that the upgrade preserves all your installed programs and settings. I have a variety of programs I need to run, some of which are getting a bit long in the tooth, so I thought it safer to get a version of Windows 7 that offers the “Windows XP Mode” just in case some of them won’t play nice in the new OS natively. That meant I needed to buy Windows 7 Professional or Windows 7 Ultimate. The differences between those two versions was price: Ultimate offers BitLockerTM and the option of working in 35 languages, neither of which is important to me. So I picked up a copy of Windows 7 Professional.
This morning, when I tried to run the upgrade, having backed up my laptop’s hard drive, I discover that I should have bought the Ultimate version instead — because the laptop was shipped with Vista Home Premium installed, I can’t upgrade directly to Windows 7 Professional using the “preserve files and settings” option, but instead would have to re-install everything.
Well, I guess I can use this copy to upgrade the desktop, since it’ll need the full re-install everything option anyway. Drat.
Update, 15 July: Well, the actual updating part went pretty smoothly (unlike the last few times I’ve installed OSes from Microsoft), so now it’s find the programs, download updates and drivers, and get back into a working state. The longest part so far has been using the Microsoft “Windows Easy Transfer” wizard: both saving the files off the original and re-installing them on the new OS is a multi-hour exercise.
Update, 20 July: It took time, but unlike previous OS-upgrade tales of woe, this was merely time-consuming. The last of the programs I was having issues with has started to behave (although in one case it was an extremely good idea that I got the version of Windows 7 that included Windows XP Mode: my backup program hiccoughs under native Windows 7).
I can comfortably recommend the Windows 7 Easy Transfer tool: it even eased the pain of updating iTunes. I can see why some folks don’t feel the urge to move on from Vista: it “feels” very similar to Vista so far.
July 8, 2010
July 6, 2010
The anti-ergonomic design of scanners
Having recently inherited Elizabeth’s printer/scanner because it stopped being willing to play nice with her computer, I found that if anything, James Lileks is being over-charitable to scanner ergonomic design teams:
I just fear dealing with the Canon scanner interface, although it can’t be worse than HP. Yes, yes, I know, buy VueScan. But I had just gotten used to the HP interface on the new scanner. It was designed, as usual, by engineers with no taste who presume Great-gramma is trying to scan something so she can send it by the inter-mails to someone, and needs to be shown in the most obvious way possible that she is old and stupid and should not use computers. Hence it has two icons: one says DOCUMENTS, with a little badge that says “300,” and another says IMAGES, with a badge reading “200.” I assume that means dpi, but who knows? You can make custom profiles, but it never remembers them. There’s no button that actually says SCAN, which would be helpful. It’s as if the GUI team is a bunch of malicious bastiches who came up with the most non-intuitive interface ever, then said “Okay, now let’s add one more step between deciding to scan and actually achieving a scan. Johnson, you’re good at this. What would you recommend?”
“Well, just off the top of my head, I’d say have the default setting for saving put it into some proprietary image-collection program buried deep in the User’s library, so it can’t be found no matter how hard they look.”
“Excellent! Make it so.”
Comments Off on The anti-ergonomic design of scanners
June 23, 2010
Bunch of “radical extremists”
Protest groups at the G20? No, the Heritage Minister’s sweeping characterization of the people and organizations opposed to the new copyright bill:
So when Moore warns about radical extremists opposing C-32, who is he speaking of? Who has criticized parts of the bill or called for reforms? A short list of those critical of the digital lock provisions in C-32 would include:
* Liberal MPs
* NDP MPs
* Bloc MPs
* Green Party
* Canadian Consumer Initiative
* Association of Universities and Colleges of Canada
* Canadian Association of University Teachers
* Canadian Federation of Students
* Canadian Library Association
* Business Coalition for Balanced Copyright
* Retail Council of Canada
* Canadian Bookseller Association
* Documentary Organization of Canada
While there are bound to be a few individual “radical extremists” in any organization, these particular groups aren’t known for their bomb-throwing agitator ways.
Comments Off on Bunch of “radical extremists”
June 18, 2010
Royal charter granted
The most recent recipients of a royal charter are the Worshipful Company of Information Technologists:
The Worshipful Company of Information Technologists received its Royal Charter yesterday — its mark of approval from the Queen.
The Livery Companies were originally proto-trade unions or professional standards bodies, depending which you look at it, based in the City of London. The first, the Worshipful Company of Mercers, got its Royal Charter in 1394 but was in existence for an unknown time before that. Although some retain a regulatory role — assay marks to show the purity of gold and silver are still overseen by the Company of Goldsmiths — most are now social and charitable bodies.
Yesterday’s ceremony was part of Evensong at London’s most beautiful building, St Paul’s Cathedral. The actual Royal Charter — a large vellum certificate — was blessed before freemen and livery men walked to Mansion House escorted by a ceremonial guard of Pikemen and Musketeers for a banquet with the Lord Mayor.
I was hoping that the recipients were the chaps with the morion helmets and the back-and-breastplates:
Comments Off on Royal charter granted
June 16, 2010
The irritating part of “mobile computing”
Cory Doctorow just got back from a book tour, but unlike all the other ones, he found this tour was both pleasant and productive, thanks to mobile computing:
I “rooted” my Nexus One, breaking into the OS so that I could easily “tether” it to my laptop, using it as a 3G modem between tour stops (we didn’t have to root my wife’s matching phone, as Google supplied us with an unlocked developer handset). My typical tour day started at 5am with breakfast and work on the novel, then a 6am interview with someone in Europe, then pickup, two to four school visits with a short lunch break, three or four interviews, then a bookstore signing or a plane (or both). As busy as that sounds, there’s actually a fair bit of dead time in it while sitting in the escort’s car, trying to find the next stop.
This time round, I plugged the laptop into the cigarette lighter and the phone into the laptop — this gave the phone a battery charge and the laptop internet access. And best of all, it meant that I could harvest those dead minutes to answer emails, keep on blogging, and generally stay abreast of things.
Which meant that I got lots more of the touring author’s most precious commodity: sleep. On previous tours, returning to the hotel meant sitting down for three to four hours’ worth of emails before bed, which cut my sleep time to less than four hours some nights.
So all is sweetness and light with modern mobile computing, yes? Not quite:
. . . the fundamental paradox of mobile — so long as the mobile carriers remain a part of mobile computing, it will only work for so long as you don’t go anywhere.
One of the more frustrating parts of travelling with my iPhone has been that I have to basically lobotomize it before crossing the border, reducing it from really powerful smart phone to a PDA with a phone line: the data and “roaming” charges are so high that it’s not economical to use them for anything other than an emergency. Just when being able to get driving directions or hotel or restaurant recommendations would be most useful — on the road or in an unfamiliar city — the cost is usually too high to justify turning on the damned feature.
Yes, you can hunt down wifi connections (and I did, on my last few trips to the US), but it hardly counts as convenient. The phone companies still assume anyone travelling with a smart phone is going to be spending their employers’ money and therefore won’t notice or care about the up-front costs.
Comments Off on The irritating part of “mobile computing”
May 18, 2010
QotD: Time to kill the “information wants to be free” meme
“Information wants to be free” (IWTBF hereafter) is half of Stewart Brand’s famous aphorism, first uttered at the Hackers Conference in Marin County, California (where else?), in 1984: “On the one hand information wants to be expensive, because it’s so valuable. The right information in the right place just changes your life. On the other hand, information wants to be free, because the cost of getting it out is getting lower and lower all the time. So you have these two fighting against each other.”
This is a chunky, chewy little koan, and as these go, it’s an elegant statement of the main contradiction of life in the “information age”. It means, fundamentally, that the increase in information’s role as an accelerant and source of value is accompanied by a paradoxical increase in the cost of preventing the spread of information. That is, the more IT you have, the more IT generates value, and the more information becomes the centre of your world. But the more IT (and IT expertise) you have, the easier it is for information to spread and escape any proprietary barrier. As an oracular utterance predicting the next 40 years’ worth of policy, business and political fights, you can hardly do better.
But it’s time for it to die.
Cory Doctorow, “Saying information wants to be free does more harm than good”, The Guardian, 2010-05-18
Comments Off on QotD: Time to kill the “information wants to be free” meme
