“Could Be The Worst Fire Season On Record”

Posted Tuesday, 23 January 2007, 2:43 pm | 9 comments

Every year. Every year. Come about April, my wife and I begin speculating about when the first utterance of the above sentence will occur on the local news. Without fail, every year, every local news station will air those words. If California had a light winter, with lower than average rain—then by May or so, the reports will be that there’s a ‘tinderbox’ of dry brush out there that could make this the worst fire season on record. If California had higher than normal rain, the reports will be that the "excess" rain has created a dense overgrowth of brush that’s going to become a ‘tinderbox’ of dry brush, which could make this the worst fire season on record.

Since every year deviates in some small proportion from the mathematical average for expected rainfall…then you can count on speculation every year that this could be the worst fire season on record.

And don’t get me started on droughts. The semi-arid Bay Area climate means that there will be stretches, every winter, where things dry out for a few weeks. By the end of the second week without rain—maybe early in the third week—some weather forecaster will allude to the dreaded "D word" as they refer to it in Happy Talk.

And don’t get me started on Global Warming/Climate change. Every deviation from seasonal averages is interpreted as a sign of the coming Climate Apocalypse. Every instance of extreme weather is interpreted similarly. We were told that the extremity of Hurricane Katrina was clearly a sign of things to come, all due to our evil burning of million-year-old plant matter. So…since there was no similarly devastating hurricane this past season, does that mean we’ve turned the corner? Or that the speculation is wrong? Why no, of course not! The absence of disaster is never tallied as a contrary indicator to the speculations. It’s merely ignored, until the next extreme weather event comes along…just as they’ve been coming along for the entirety of human history (and before, amazing!).

Grumble grumble mutter mutter.

If It’s Optional, Do You Have To Be Honest?

Posted Sunday, 21 January 2007, 3:55 pm | 1 comment

I tend to be against race-based discrimination, no matter what the reason. Whether it be cops profiling drivers ("Driving While Black"), or admissions policies that give preference to people of one color over another—any way you slice it, making a decision based on the color of one’s skin, rather than the content of their character, is wrong. If we’re to move to a place where race is meaningless, then we have to drop all pretense of using race for classification.

This comes up in relation to my previous article regarding changing my name. My petition went through, so now my legal name is Paul Theodoropoulos, rather than Paul Theodoropoulos. Joy!

My next step is to get a new Social Security card with the new name. In filling out the form, I came across the following section:

[Image: Race/Ethnic Description Field from Social Security form]

While I’m not of a mind to muck about with this—I’m merely going to leave it blank—I wonder…Since the information is voluntary, it should have no legally binding effect upon getting the card. So would there be any problem at all in checking a box other than your correct race? It’d be a dandy bit of civil disobedience. A sudden massive spike in the population of North American Indians would be nice.

This post brought to you by Lazy Sunday Ontological PeriMotivationalism©.

But When You Do Need Higher Security…

Posted Thursday, 18 January 2007, 12:04 am

Continuing on the theme of passwords and security—and I promise this will be my last on the matter, as I’m getting sick of it too—I’d like to make a software recommendation.

Even though I’m a Unix Systems Administrator by trade, I use Microsoft Windows on the Desktop. Have for more than a decade. It’s partly pragmatic, as it’s what most of the rest of the world uses on the desktop too. It’s partly for fun, as I enjoy "First-Person Shooter" games, and most are written either for the PC or for consoles. And beyond that, I like playing around in Windows. I have no particular religious sentiment in the matter, unlike many people. I don’t get my nose bent out of shape when I have to pay real, actual money to purchase software. I realize that Bill Gates is one of the wealthiest men ever to have lived, and that too doesn’t bend my nose out of shape. He’s rich, I’m poor, so what? I dislike fairly intensely the use of Windows in a server environment, and that’s largely due to the less than stellar performance of Microsoft products in that milieu. I prefer Solaris for bulletproof services, and to a lesser extent some flavors of Linux and FreeBSD. But I digress.

I do my online banking and finances on my Windows XP desktop PC. As a highly internet-centric individual, I have visited, and maintain accounts, on many, many websites that require username and password. For a long time, I used a very weak password of my own making, all of seven characters long, for almost every site I visited. I still do use it occasionally for sites that are of no significance—wherein if someone busted into the account, nothing of any importance would transpire from it.

Realizing the inherent danger in using such a weak password for everything, I took a look around several years back for a solution, and I found one that has served me exceptionally well: Roboform. Roboform automates creating and saving passwords, tied to the specific site that needs it. The passwords are encrypted, and you can set a master password with which you can prevent access to any stored passwords. It is elegant in its simplicity, but exceptionally powerful at the same time. The built-in password generator can create stunningly long, complex passwords, far more complex than one could easily remember—or for the ‘blackhats’ to break. When I was creating the examples for my followup article on obfuscated passwords, I used roboform to generate those strings. With just a mouse click, you can generate random password after random password, like this:

g*w4#Kg49785G8Q7f97F483Jp36BHb4xqQCe82P^

4rf8kXta73@%5!CKD&4co2EU4wdZdiS9Fn%

hBt#WjVY5363Mz5xz#2

4DJTP8u$xc$*H^95b8HB!^GMYXGgZGsXYpnJ7

And you don’t have to try to remember them! They’re all safely stored, tied to the username and site you created them for. Visit the site, and a box pops up offering to fill the fields (roboform recommends using their toolbar, but I don’t particularly care for it). Further, roboform can store Credit Card and personal information securely, and can autofill online forms with that information for you, speeding up checkout when making online purchases.
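What a generator like the one described above actually has to do, and why its output is so much harder to guess than a seven-character password, as an added example (this is not Roboform's code, and the symbol set is an assumption picked to match the characters visible in the sample strings above):

```python
# Added example, not Roboform's code: draw long random passwords from a fixed
# character set with a cryptographic RNG, and quantify the guessing work.
import math
import secrets
import string

# Assumed symbol set: the punctuation that appears in the post's sample strings.
SYMBOLS = "!@#$%^&*"
CHARSET = string.ascii_letters + string.digits + SYMBOLS  # 52 + 10 + 8 = 70


def generate_password(length, charset=CHARSET):
    """Return `length` characters drawn uniformly at random from charset.

    `secrets` is used rather than `random`: the latter is a PRNG whose state
    can be reconstructed from its output, so it must not produce secrets.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(charset) for _ in range(length))


def is_valid(password, charset=CHARSET):
    """True if every character of password comes from charset."""
    return len(password) > 0 and all(c in charset for c in password)


def guess_space(length, charset_size):
    """Number of equally likely passwords of this length over this alphabet."""
    return charset_size ** length


def entropy_bits(length, charset_size):
    """Guessing entropy of a uniformly random password, in bits."""
    return length * math.log2(charset_size)


def years_to_exhaust(length, charset_size, guesses_per_second):
    """Wall-clock years to try every candidate at the given guessing rate."""
    seconds = guess_space(length, charset_size) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for n in (7, 20, 40):
        pw = generate_password(n)
        print(f"{pw:42s} {entropy_bits(n, len(CHARSET)):7.1f} bits, "
              f"{years_to_exhaust(n, len(CHARSET), 1e9):.3g} years at 1e9/s")
```

Run stand-alone it prints three fresh passwords with their entropy; the seven-character case comes out near 43 bits, the forty-character case near 245 bits, which is the whole argument for letting a tool remember them for you.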

There are many, many more features beyond just these few I’ve listed. There is a ‘portable’ version you can install on a USB drive, and keep all your information with you, ready to hand, and yet still secure.

I can’t sing my praises for roboform enough. You can download it for free, and use it with up to ten stored passwords/sites. Roboform Pro is $29.95. Though it’s ten dollars more expensive, Roboform2Go, for USB drives, may be the better choice in the long run.

I give it 18.5 out of 20 klaatus! (so it must be good!)

I should add I have absolutely no affiliation with Roboform or Siber Systems (the company that makes roboform), besides being a very happy customer. I’m not getting any kickback from them for this fantastic review. Unfortunately.

But What I Really Meant To Write Was…

Posted Monday, 15 January 2007, 12:36 am | 7 comments

In the aftermath of the controversy that erupted concerning my article yesterday regarding passwords, it seems—from the repeated comments misconstruing the idea—that I should write this followup, and clarify things a bit.

Mistake #1: A less catchy title might have helped, along with a less aggressive photo. In going for something attention-getting, I immediately set a tone that apparently a great many people took literally—that one should just feel free to write their [minimally modified] password on a Post-it, include what the password was intended for ("Desktop password", "root", etc), and stick it on your monitor.

I thought while I was writing it that that was over-the-top enough that people would just laugh. Er, no, not so much! I undermined the message pretty seriously with that. One merely invites scrutiny that would otherwise not occur, by publicly sticking Post-its on their monitor with passwords, modified or not. It’s best to stick the Post-it under your keyboard! (yes, I’m kidding again).

Mistake #2: Don’t say ‘Here’s the rule’ when what you really mean is "Here’s an example". In the middle of the article, I wrote—in the emphatic, mind you—

Choose a letter or number that will be your "personal" password. One single character. Add that character to whatever password you have, anywhere in the password. The only caveat is that you must ensure that any password you use does not already contain that letter or number.

Well, no, not so much again. That’s one way to do it. As I tossed in at the end of the article, there’s a ‘reverse’ method that works too. But the reality is, there are numerous ways one can employ this idea, with great success. The more ways people do it, the more work the l33t haX0rs face when they stick their nose where they shouldn’t. So along the lines of remedying Mistake #2, here, in depth, is more. This may seem tedious, but I think it’s important to address the criticisms that were expressed.

Suggested method A: Pick a letter or number that will be your secret key, and add it in a random position to any password you write down.

Example: "My personal secret character is uppercase J". I have a password of

ph48Xc2Cz06fCoWY1

Since I can’t easily remember that, I write it down as

phJ48Xc2Cz06fCoWY1

Suggested method B: Pick two letters or numbers that will be your secret ‘key’, and add them in random positions to any password you write down.

Example: "My personal secret characters are b and 8". I have a password of

MSmc7UtC6Cy

Since I can’t easily remember that, I write it down as

bMS8mc7UtC6Cy

Suggested method C: Pick a letter or number that will be your secret ‘add’ key, and a letter or number that will be your secret ‘subtract’ key. You add the one character to the password you write down. The subtract character is one you always use in the password, but always remove when you write it down. This requires that you pick a position where you will always use the character in your actual password.

Example: "My personal secret ‘add’ character is G. My personal secret ‘subtract’ character is h". I have a password of

4To7oJR9oMyVomzqbWukAJyPnAbh

Since I can’t easily remember that, I write it down as

4GTo7oJR9oMyVomzqbWukAJyPnAb

Suggested method D: Pick a count and position. For any password you have, at the position you chose, enter random characters in the amount you chose.

Example 1: "My count and position are 3 and 3." I have a password of

7DiD9w9W8gZo6

Since I can’t easily remember that, I write it down as

7D4R3iD9w9W8gZo6

Example 2: "My count and position are 4 and end." I have a password of

5NSKhcD

Since I can’t easily remember that, I write it down as

5NSKhcDwW21
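The four suggested methods, written out as string functions that produce the written-down form and recover the real password from it, as an added example (this is my illustration of the post's methods, not the author's code). Method D is generalised to a list of (position, count) paddings so that the post's later sixteen-character example, with two bogus characters at each end, fits the same rule; positions are counted the way the post counts them (1-based, or "end"), and that reading is an assumption. The post's own examples serve as the test data.

```python
# Added example, not the post's own code: the "write it down obfuscated" methods
# A-D as encode/decode pairs. Random choices use `secrets`, not `random`.
import secrets

# Assumed filler alphabet for method D (letters and digits, as in the post's samples).
PAD_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def _insert_at(s, pos, chars):
    """Insert chars into s so that they begin at 0-based index pos."""
    return s[:pos] + chars + s[pos:]


# Method A: one secret character, inserted at a random position.
def write_down_a(password, key):
    if len(key) != 1 or key in password:
        raise ValueError("key must be one character absent from the real password")
    return _insert_at(password, secrets.randbelow(len(password) + 1), key)


def recover_a(written, key):
    if written.count(key) != 1:
        raise ValueError("written form must contain the key exactly once")
    return written.replace(key, "")


# Method B: two distinct secret characters, each inserted at its own random position.
def write_down_b(password, keys):
    if len(set(keys)) != len(keys):
        raise ValueError("keys must be distinct")
    out = password
    for k in keys:
        out = write_down_a(out, k)
    return out


def recover_b(written, keys):
    out = written
    for k in keys:
        out = recover_a(out, k)
    return out


# Method C: an 'add' key inserted at random, plus a 'subtract' key that the real
# password always carries at a fixed position and that is dropped when written.
# sub_pos is a 0-based index or "end" (the post says to pick a position; which
# position is part of the secret).
def write_down_c(password, add_key, sub_key, sub_pos="end"):
    idx = len(password) - 1 if sub_pos == "end" else sub_pos
    if password[idx] != sub_key:
        raise ValueError("real password must carry the subtract key at sub_pos")
    stripped = password[:idx] + password[idx + 1:]
    return write_down_a(stripped, add_key)


def recover_c(written, add_key, sub_key, sub_pos="end"):
    stripped = recover_a(written, add_key)
    idx = len(stripped) if sub_pos == "end" else sub_pos
    return _insert_at(stripped, idx, sub_key)


# Method D: at each chosen position, insert the chosen number of random characters.
# paddings is a list of (position, count); position is 1-based as the post counts
# it, or "end". Paddings apply in order, so a later numeric position refers to
# the already-padded string; recover_d undoes them in reverse.
def write_down_d(password, paddings):
    out = password
    for pos, count in paddings:
        filler = "".join(secrets.choice(PAD_ALPHABET) for _ in range(count))
        idx = len(out) if pos == "end" else pos - 1
        out = _insert_at(out, idx, filler)
    return out


def recover_d(written, paddings):
    out = written
    for pos, count in reversed(paddings):
        if count > len(out):
            raise ValueError("written form is shorter than the padding it should hold")
        idx = len(out) - count if pos == "end" else pos - 1
        out = out[:idx] + out[idx + count:]
    return out


if __name__ == "__main__":
    real = "7DiD9w9W8gZo6"                      # the post's method D example
    noted = write_down_d(real, [(3, 3)])
    print(noted, "->", recover_d(noted, [(3, 3)]))
```

The recover functions make the post's point in code: once the rule and key are known, recovery is one string operation, so everything rests on the rule staying private and on the key character not already occurring in the real password (methods A to C refuse to proceed when it does).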

By no means are the above suggested methods and their concomitant examples exhaustive. There are countless variations of the above that are reasonably easy to think up, and reasonably easy to remember.

But the most critical aspect of all of these methods and examples is that you pick the method, and you keep it to yourself. The most frequently repeated criticism has been—in a nutshell—"you have nine characters and you know that one of them is fake, so it’ll take at most ten tries to figure out the correct password!" (often followed by "LAME!" or "IDIOT!"). I’m baffled by this criticism. Obviously, you (the person writing down the password) know how many characters are in the password, and what character(s) are bogus—and where in the password they’re located. But unless you stand up in the office and announce

"My secret key for passwords that I write down is the letter T and the number 4, and I always make my passwords nine characters long!"

…then Binky Q. Snoopsalittle is not going to have the first clue where to begin trying to figure out how to use that written down password—he isn’t necessarily going to even know that you’ve done anything to the password at all! All he’ll know is that he found a Post-it that said

root password: Raf9KxZrZ2jWDa1a

But when he types it in, he keeps getting "incorrect password". If Mr. Snoopsalittle doesn’t know that you’ve modified the password in the first place, his first impression is most likely to be "huh. I guess it’s been changed since then".

But wait! Snoopsalittle reads Digg! And he read that stupid article about masking your written-down passwords! So, tell me Binky, what will you do when presented with this?

root password: Raf9KxZrZ2jWDa1a

How will you know, without having been told in advance, that the real password is only twelve characters long—not sixteen—and that the first two characters and the last two characters are completely bogus? The real password is actually f9KxZrZ2jWDa. But you didn’t know that, Binkster. You saw sixteen characters labeled "root password". 

But what if our Digging friend is a l33t haX0r, with all the latest password cracking software, and a kick-ass machine he can dedicate to cracking the password? Well sure. He’ll crack it in a jiffy. With the exception of more sophisticated security schemes, he doesn’t need any of the password at all. Having an obfuscated password might cut down some of the time necessary to crack it. But we’re not trying to thwart the dedicated malevolent intruder. He’s an entirely different problem. If you’re dealing with data that is life or death, or of the nature that million dollar transactions could be compromised—you aren’t using weak security systems like ‘username and password’ to begin with! Across the landscape of security, you tailor your response to your audience, so to speak. If for example I work a helpdesk and share my workstation with another employee, the information on that PC is likely neither highly confidential, nor highly desirable to acquire. This technique I’ve described is not intended for someone working, on the other hand, in Chase-Manhattan’s datacenter.

It was indeed quite foolish to state in the article "This is, for all practical purposes, completely uncrackable." Really, really poor choice of words. As above, the determined hacker on a fast machine can pretty swiftly slice through a great many passwords of non-trivial length. Presenting a modified password can reduce the amount of work the password-cracking software has to do. But again, this technique is not geared towards thwarting that audience.

This technique is not intended as some sort of foolproof, Total Security, Super Dooper Password Perfect Protection system. It’s a pragmatic response to the rational tension between

Easy password, easy to remember, easy to break

and

Difficult password, difficult to remember, difficult to break

This method is a synthesis of ‘easy to remember’ coupled with a difficult password. Choosing your own private ‘key’ for unlocking long, complex passwords that have been written down is more secure than making your password "TGiF" and being able to remember it.

Getting back to the poorly chosen photo—and wording—suggesting writing the password on a Post-it and sticking it to your monitor. When this idea first came to me, it was in response to having been presented, at a job I’d just started, with a wallet-sized printout of some very long and complex passwords (regularly changed, as well), to servers that provided ‘last line of defense’ security for an entire server farm. A person would first have to thwart three previous layers of security, one of them requiring a Securekey keyring fob which generated one-time-use passwords, to even get to a place where they could use those written-down passwords. Even for the young crew of senior admins, memorizing them was wasted effort, so they kept the ‘cheat-sheet’ in their respective wallets. That’s when it occurred to me that obfuscating the actual printed password in some simple way could provide a "can’t hurt to do it" further layer of security.

Finally, I’ll reiterate the important concept that underlies this method: You, the person who obfuscates the password when writing it down, you choose the formula you use to obfuscate it, and there are countless different ways for any one person to do so. The other guy, however, the guy who finds your wallet with the list of passwords in it, he does not know that the password’s been modified, or how it has been modified. When considering this method, it’s important to keep that in mind. When presenting examples of it, sure, it all seems drop-dead easy to figure out, and not terribly secure at all. But good luck when you aren’t aware of the specifics.

[Image: Wallet with password cheatsheet]

Any password can be brute-forced, given enough time and enough computational horsepower. Not knowing in advance how those passwords in the photo above differ from the real, underlying passwords—and the changes to them are simple, similar to the methods described above—that makes brute-forcing them somewhat harder. But it’s the casual attacker for whom they’ll prove of no value at all.

(and no, those aren’t real or obfuscated passwords, or hosts. It’s a prop, for demonstration purposes.)

I understand a lot of the criticism made of the technique, particularly relative to my poor presentation of the idea in the article yesterday. Nevertheless, I believe this technique has merit. It’s a pragmatic technique that Joe Cubicle-dweller can use, and be perhaps a little less vulnerable to Hacky McHackerson (tip of the fez to Coda on that last!).

Oh, and don’t forget—who besides me might know that three of the passwords in the photo above are bogus end-to-end? Nothing like adding some fruitless busywork to the process. Heck, by the time Hacky gets to the real obfuscated passwords, you’ll already have changed them all.

“When Ants Look As Big As Cars…”

Posted Saturday, 13 January 2007, 7:22 pm

Much to my surprise, the article I published yesterday—regarding a nifty, simple trick for adding a measure of security to passwords that have been written down—was submitted to digg.com, and even more surprisingly, it turned out to be very popular. Or rather I should say, it was very popular on digg.com, but was a nightmare for me, scrambling to keep my server going under the crushing load.

The ‘fun’ began shortly after 7am, Pacific time. I got a text message from a script I run on an offsite system, probing my server every few minutes. After the second page, I dragged my ass out of bed and had a look. Yikes. I still had four SSH sessions open on my PC’s desktop from the night before, but none of them were responsive when I typed in them. Ouch.

I ran down to the garage (yep, the server’s in my garage) to check it out. The server was up, but the disks were going absolutely crazy. This past night, we had had record low temperatures for our area, so one thing that crossed my mind was that the disks had simply gotten too cold, and were unable to recalibrate to compensate. Maybe. Since I didn’t have a serial console handy and this is a headless server, I power-cycled her. I use a logging filesystem, so the risks of a power-cycle even while doing busy disk seeks are minimal—I’ve yanked the plug from the wall during tests, over and over, and never had a problem. No problem this time either—server came back up, I headed upstairs to have a look.

Yikes! Server load was off the charts. All httpd processes. I quickly took a look at the logs, and there I could see that Digg had descended upon my little server.

I’ve been running the anastrophe.com server for something like eight years now. It started out as a Sun Sparc 20, and now it’s a Sun Netra T1. 440MHz UltraSPARC IIi CPU, one gig of ram, and a pair of disks, mirrored. I provide email and webhosting and shell and other services for a few dozen friends and family. It’s a light load, and the hardware has held up just dandy. Until today.

The problem more than anything else was lack of ram. The Netra T1 can only hold 1G, so there were no quick fixes there. I did the usual things to try to tame the tiger—reduced the maximum number of concurrent httpd processes, fine-tuned KeepAlive, etc. But the reality was, I was caught utterly unprepared. I think I can be forgiven for not having anticipated that an article about passwords of all things would be a hit on digg. It’s no excuse though. I really should have had at least a backup plan, just in case. Maybe set up a secondary server, mounting the apache directories NFS, so the load could be split. I’ll be looking into that later tonight. One thing I did at one point was to attach an external disk array, and move swap onto it. That helped some—but by that point, the load on the server had already begun dropping, so it was too little, too late.

So what does the title of this article have to do with any of this? There’s an old skydiving rule of thumb:

When cars look as big as ants, it’s time to open the parachute.
When ants look as big as cars, you’ve waited too long.

I’ve been picking ants from my teeth all day long.


Made with WordPress and the Semiologic CMS | Design by Antonella Pavese