Small Town News

Posted Monday, 29 January 2007, 3:17 pm

I grew up in the San Francisco Bay Area, on the Peninsula – Redwood City. As a child, our family watched the local news broadcasts, coming over the air from transmitters on Mount San Bruno, just south of San Francisco. In glorious Black and White, we watched Terry Lowry in front of a whiteboard map of the U.S., placing little magnet-backed clouds over California, and a little magnet-backed sun over the midwest. We watched Van Amburg report on the latest apartment fire in the Tenderloin, and we watched Wayne Walker report on the latest San Francisco 49ers Superbowl Win.

In that long-ago time, there was still a bit of a "small town news" quality to the major Bay Area news broadcasts. There would be glitches, dead air, tape wouldn’t roll, a camera would be cued while it was panning to the other anchor – all pretty typical, and they still happen to this day, just far less frequently. The production values today, even on the struggling independent major KRON, are excellent.

Because the Bay Area is such a splendid place to live, there has been a blur of reporters and anchors over the years, from station to station. Anchor Pete Wilson began as a reporter at KGO, went on to anchor at KGO, then KRON, then many years later returned to KGO after KRON went independent. It’s rare for a reporter or anchor to leave the Bay Area, at least not willingly.

Aside from the six major stations in the Bay Area (KTVU, KRON, KPIX, KGO, KQED – and KNTV which took over as the NBC affiliate when KRON went independent), there has always been a presence of smaller independent stations throughout the Bay Area. There are dozens of them. Most have subsisted on syndicated sitcoms, old movies, infomercials, and some local-interest programming thrown in from time to time.

One of those smaller stations is KFTY, based in the North Bay – way up in Santa Rosa, where the designation "Bay Area" begins to thin. Those of us up here generally consider ourselves Bay Area, and the rigid definition seems to be ‘any county with land meeting the Bay’, so in that regard, Sonoma County is indeed Bay Area, but only by a whisker.

The population up here is not significant, not when compared to the counties really bordering the Bay. There are fewer than half a million people in Sonoma County, while Alameda County in the East Bay – a fraction of the size – has three times the population.

KFTY is just another small, independent station. Small operating budget, small viewership. They air the staple fare of syndicated sitcoms, infomercials, etc., like all the others. But unlike any (to my knowledge) of the minor independents in the Bay Area, KFTY produced two full-fledged local evening news broadcasts.

You’ll note the past-tense there. Keep reading.

These were not – by comparison to the major stations – polished productions. The studio video tended to be somewhat washed out. Camera flubs and miscues were a regular occurrence. Tape would fail to roll, or begin rolling well after the anchor had begun to move to the next story. True, these happen at all stations, big and small, but they tended to be as much a staple on KFTY as the repeats of ‘Frasier’.

However, for a lonely little independent station, quite a throw from the major market, it was a damned fine news broadcast. Much of the news content was locally produced by their own reporters. The main anchor, Ed Beebout, has been with the station for twenty-three years, and has anchored the news for more than a decade. And he’s not bad – not bad at all. The smaller markets across the country tend to be a dumping ground for those not blessed with good onscreen personality, or those with poor teleprompter skills. But Ed – while certainly no Tom Brokaw – has held his own with aplomb, and could likely have worked at a major market station if he were inclined. Almost two years ago, Tricia Hua joined the newscast as co-anchor, and she has also shown remarkable poise and presence. Brent Allen served up a very snappy and accurate weather segment, and Bay Area veteran Curtis Kim produced ‘local flavor’ segments that – while often ranging well into corny territory – were nevertheless thoughtfully and professionally produced bits of local interest. The field reporters tended to have high turnover, and varied in quality from abysmal to excellent, but that’s to be expected at a small station. Recently, a new reporter named Cindy Chen appeared at KFTY, and showed real talent – I’d bet we see her reporting at KRON any day now. Considering the likely minuscule budget available, they produced an amazingly good broadcast.

I’ll be the first to admit: In the evenings, when my wife would tune to KFTY’s news, I would regularly ridicule it, albeit light-heartedly. I’d break into the refrain "Small Town Newwwws", which Paul Shaffer would sing before the Small Town News segment on Letterman – a collection of quirky, sometimes bizarre newspaper stories from backwaters across the country. I’d cringe at every miscue, and when a cub reporter, fresh from the local Junior College, would fall apart live and on-camera – well, it was as painful and entertaining as watching the early auditions on American Idol.

But that’s all gone now. Last Thursday, the station pulled the plug on both evening news broadcasts. ‘Insufficient ad revenue’, which certainly isn’t a stretch to believe. There are rumors that Clear Channel – the owner of KFTY – intends to divest itself of small stations and markets such as these. That’s also no great stretch to believe.

It’s a shame though. Having watched KRON’s long, drawn out decline after they lost NBC has been painful, almost more painful than having a longtime local newscast just disappear overnight. One wishes the broadcast could have been scaled back somehow rather than terminated – add another minute or two of commercials, use more syndicated feeds – who knows. As above, I’m no expert in these matters, just another armchair quarterback.

In the grander scheme of things, this is but a blip. Those who watched the KFTY news will have fond memories, but nothing more. We’ll just watch the major news stations, and in time the lack of local news will not be so strongly felt. Fifty years ago, the notion of a backwater like the North Bay even having a local television station would have been absurd. So we’re lucky in that respect. But without locally originated programming, an independent like KFTY just blends into the landscape. There’s simply no compelling reason to watch the station – unless you’re some sort of diehard fan of ‘Frasier’.

The internet has yet to fill the local gap. One can gather information in an instant from Byelarus, but accessing locally relevant information is still a hit-or-miss proposition. The local newspaper serves to some extent, but lacks the immediacy of a local news broadcast.

I suppose my only motivation for writing this is to express my appreciation for what was, and express my regret for what now is…

“Could Be The Worst Fire Season On Record”

Posted Tuesday, 23 January 2007, 2:43 pm

Every year. Every year. Come about April, my wife and I begin speculating about when the first utterance of the above sentence will occur on the local news. Without fail, every year, every local news station will air those words. If California had a light winter, with lower than average rain—then by May or so, the reports will be that there’s a ‘tinderbox’ of dry brush out there that could make this the worst fire season on record. If California had higher than normal rain, the reports will be that the "excess" rain has created a dense overgrowth of brush that’s going to become a ‘tinderbox’ of dry brush, which could make this the worst fire season on record.

Since every year deviates in some small proportion from the mathematical average for expected rainfall…then you can count on speculation every year that this could be the worst fire season on record.

And don’t get me started on droughts. The semi-arid Bay Area climate means that there will be stretches, every winter, where things dry out for a few weeks. By the end of the second week without rain—maybe early in the third week—some weather forecaster will allude to the dreaded "D word" as they refer to it in Happy Talk.

And don’t get me started on Global Warming/Climate change. Every deviation from seasonal averages is interpreted as a sign of the coming Climate Apocalypse. Every instance of extreme weather is interpreted similarly. We were told that the extremity of Hurricane Katrina was clearly a sign of things to come, all due to our evil burning of million-year-old plant matter. So…since there was no similarly devastating hurricane this past season, does that mean we’ve turned the corner? Or that the speculation is wrong? Why no, of course not! The absence of disaster is never tallied as a contrary indicator to the speculations. It’s merely ignored, until the next extreme weather event comes along…just as they’ve been coming along for the entirety of human history (and before, amazing!).

Grumble grumble mutter mutter.

If It’s Optional, Do You Have To Be Honest?

Posted Sunday, 21 January 2007, 3:55 pm

I tend to be against race-based discrimination, no matter what the reason. Whether it be cops profiling drivers ("Driving While Black"), or admissions policies that give preference to people of one color over another—any way you slice it, making a decision based on the color of one’s skin, rather than the content of their character, is wrong. If we’re to move to a place where race is meaningless, then we have to drop all pretense of using race for classification.

This comes up in relation to my previous article regarding changing my name. My petition went through, so now my legal name is Paul Theodoropoulos, rather than Paul Theodoropoulos. Joy!

My next step is to get a new Social Security card with the new name. In filling out the form, I came across the following section:

[Image: Race/Ethnic Description field from the Social Security form]

While I’m not of a mind to muck about with this—I’m merely going to leave it blank—I wonder…Since the information is voluntary, it should have no legally binding effect upon getting the card. So would there be any problem at all in checking a box other than your correct race? It’d be a dandy bit of civil disobedience. A sudden massive spike in the population of North American Indians would be nice.

This post brought to you by Lazy Sunday Ontological PeriMotivationalism©.

But When You Do Need Higher Security…

Posted Thursday, 18 January 2007, 12:04 am

Continuing on the theme of passwords and security—and I promise this will be my last on the matter, as I’m getting sick of it too—I’d like to make a software recommendation.

Even though I’m a Unix Systems Administrator by trade, I use Microsoft Windows on the Desktop. Have for more than a decade. It’s partly pragmatic, as it’s what most of the rest of the world uses on the desktop too. It’s partly for fun, as I enjoy "First-Person Shooter" games, and most are written either for the PC or for consoles. And beyond that, I like playing around in Windows. I have no particular religious sentiment in the matter, unlike many people. I don’t get my nose bent out of shape when I have to pay real, actual money to purchase software. I realize that Bill Gates is one of the wealthiest men ever to have lived, and that too doesn’t bend my nose out of shape. He’s rich, I’m poor, so what? I dislike fairly intensely the use of Windows in a server environment, and that’s largely due to the less than stellar performance of Microsoft products in that milieu. I prefer Solaris for bulletproof services, and to a lesser extent some flavors of Linux and FreeBSD. But I digress.

I do my online banking and finances on my Windows XP desktop PC. As a highly internet-centric individual, I have visited, and maintain accounts, on many, many websites that require username and password. For a long time, I used a very weak password of my own making, all of seven characters long, for almost every site I visited. I still do use it occasionally for sites that are of no significance—wherein if someone busted into the account, nothing of any importance would transpire from it.

Realizing the inherent danger in using such a weak password for everything, I took a look around several years back for a solution, and I found one that has served me exceptionally well: Roboform. Roboform automates creating and saving passwords, tied to the specific site that needs it. The passwords are encrypted, and you can set a master password with which you can prevent access to any stored passwords. It is elegant in its simplicity, but exceptionally powerful at the same time. The built-in password generator can create stunningly long, complex passwords, far more complex than one could easily remember—or than the ‘blackhats’ could easily break. When I was creating the examples for my followup article on obfuscated passwords, I used roboform to generate those strings. With just a mouse click, you can generate random password after random password, like this:





And you don’t have to try to remember them! They’re all safely stored, tied to the username and site you created them for. Visit the site, and a box pops up offering to fill the fields (roboform recommends using their toolbar, but I don’t particularly care for it). Further, roboform can store Credit Card and personal information securely, and can autofill online forms with that information for you, speeding up checkout when making online purchases.

There are many, many more features beyond just these few I’ve listed. There is a ‘portable’ version you can install on a USB drive, and keep all your information with you, ready to hand, and yet still secure.

I can’t sing my praises for roboform enough. You can download it for free, and use it with up to ten stored passwords/sites. Roboform Pro is $29.95. Though it’s ten dollars more expensive, Roboform2Go, for USB drives, may be the better choice in the long run.

I give it 18.5 out of 20 klaatus! (so it must be good!)

I should add I have absolutely no affiliation with Roboform or Siber Systems (the company that makes roboform), besides being a very happy customer. I’m not getting any kickback from them for this fantastic review. Unfortunately.

But What I Really Meant To Write Was…

Posted Monday, 15 January 2007, 12:36 am

In the aftermath of the controversy that erupted concerning my article yesterday regarding passwords, it seems—from the repeated comments misconstruing the idea—that I should write this followup, and clarify things a bit.

Mistake #1: A less catchy title might have helped, along with a less aggressive photo. In going for something attention-getting, I immediately set a tone that apparently a great many people took literally—that one should just feel free to write their [minimally modified] password on a Post-it, include what the password was intended for ("Desktop password", "root", etc), and stick it on their monitor.

I thought while I was writing it that that was over-the-top enough that people would just laugh. Er, no, not so much! I undermined the message pretty seriously with that. One merely invites scrutiny that would otherwise not occur, by publicly sticking Post-its on their monitor with passwords, modified or not. It’s best to stick the Post-it under your keyboard! (yes, I’m kidding again).

Mistake #2: Don’t say ‘Here’s the rule’ when what you really mean is "Here’s an example". In the middle of the article, I wrote—in the emphatic, mind you—

Choose a letter or number that will be your "personal" password. One single character. Add that character to whatever password you have, anywhere in the password. The only caveat is that you must ensure that any password you use does not already contain that letter or number.

Well, no, not so much again. That’s one way to do it. As I tossed in at the end of the article, there’s a ‘reverse’ method that works too. But the reality is, there are numerous ways one can employ this idea, with great success. The more ways people do it, the more work the l33t haX0rs face when they stick their nose where they shouldn’t. So along the lines of remedying Mistake #2, here, in depth, is more. This may seem tedious, but I think it’s important to address the criticisms that were expressed.

Suggested method A: Pick a letter or number that will be your secret key, and add it in a random position to any password you write down.

Example: "My personal secret character is uppercase J". I have a password of 


Since I can’t easily remember that, I write it down as


Suggested method B: Pick two letters or numbers that will be your secret ‘key’, and add them in random positions to any password you write down.

Example: "My personal secret characters are b and 8". I have a password of


Since I can’t easily remember that, I write it down as


Suggested method C: Pick a letter or number that will be your secret ‘add’ key, and a letter or number that will be your secret ‘subtract’ key. You add the one character to the password you write down. The subtract character is one you always use in the password, but always remove when you write it down. This requires that you pick a position where you will always use the character in your actual password.

Example: "My personal secret ‘add’ character is G. My personal secret ‘subtract’ character is h". I have a password of


Since I can’t easily remember that, I write it down as


Suggested method D: Pick a count and position. For any password you have, at the position you chose, enter random characters in the amount you chose.

Example 1: "My count and position are 3 and 3." I have a password of


Since I can’t easily remember that, I write it down as


Example 2: "My count and position are 4 and end." I have a password of  


Since I can’t easily remember that, I write it down as


By no means are the above suggested methods and their concomitant examples exhaustive. There are countless variations of the above that are reasonably easy to think up, and reasonably easy to remember.

But the most critical aspect of all of these methods and examples is that you pick the method, and you keep it to yourself. The most frequently repeated criticism has been—in a nutshell—"you have nine characters and you know that one of them is fake, so it’ll take at most ten tries to figure out the correct password!" (often followed by "LAME!" or "IDIOT!"). I’m baffled by this criticism. Obviously, you (the person writing down the password) know how many characters are in the password, and what character(s) are bogus—and where in the password they’re located. But unless you stand up in the office and announce

"My secret key for passwords that I write down is the letter T and the number 4, and I always make my passwords nine characters long!"

…then Binky Q. Snoopsalittle is not going to have the first clue where to begin trying to figure out how to use that written down password—he isn’t necessarily going to even know that you’ve done anything to the password at all! All he’ll know is that he found a Post-it that said

root password: Raf9KxZrZ2jWDa1a

But when he types it in, he keeps getting "incorrect password". If Mr. Snoopsalittle doesn’t know that you’ve modified the password in the first place, his first impression is most likely to be "huh. I guess it’s been changed since then".

But wait! Snoopsalittle reads Digg! And he read that stupid article about masking your written-down passwords! So, tell me Binky, what will you do when presented with this?

root password: Raf9KxZrZ2jWDa1a

How will you know, without having been told in advance, that the real password is only twelve characters long—not sixteen—and that the first two characters and the last two characters are completely bogus? The real password is actually f9KxZrZ2jWDa. But you didn’t know that, Binkster. You saw sixteen characters labeled "root password". 
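An added example, not from the original post: it counts how many candidate passwords the Post-it string above leaves once a finder assumes a particular family of obfuscation, which is a quick way to judge how much the trick actually buys you. The function names and the family parameters (one or four scattered decoys, a run of four, up to three padded characters per end) are assumptions chosen for illustration.

```python
from itertools import combinations
from math import comb

WRITTEN = "Raf9KxZrZ2jWDa1a"  # string on the Post-it in the article
REAL = "f9KxZrZ2jWDa"         # real password the article reveals


def scattered(written, n):
    """n decoys inserted at arbitrary positions (methods A and B):
    every distinct way of deleting n characters."""
    out = set()
    for idxs in combinations(range(len(written)), n):
        skip = set(idxs)
        out.add("".join(c for i, c in enumerate(written) if i not in skip))
    return out


def run(written, count):
    """`count` consecutive decoys inserted at one position (method D)."""
    return {written[:i] + written[i + count:]
            for i in range(len(written) - count + 1)}


def padded(written, max_pad):
    """0..max_pad decoys at the front and, independently, at the end
    (the Post-it example pads two at each end)."""
    n = len(written)
    return {written[a:n - b]
            for a in range(max_pad + 1) for b in range(max_pad + 1)}


def survey(written=WRITTEN, real=REAL):
    """Map each assumed scheme family to (candidate count, real found?)."""
    families = {
        "scatter1": scattered(written, 1),   # assumed: one decoy
        "scatter4": scattered(written, 4),   # assumed: four decoys anywhere
        "run4": run(written, 4),             # assumed: one run of four
        "pad3": padded(written, 3),          # assumed: up to 3 per end
    }
    return {name: (len(c), real in c) for name, c in families.items()}


if __name__ == "__main__":
    for name, (count, hit) in survey().items():
        print(f"{name:9} candidates={count:5} contains real password: {hit}")
    print("upper bound for scatter4:", comb(len(WRITTEN), 4))
```

A wrong guess about the family never produces the real password, while the right guess leaves only 16 strings to try, so the protection rests entirely on the scheme staying private.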

But what if our Digging friend is a l33t haX0r, with all the latest password cracking software, and a kick-ass machine he can dedicate to cracking the password? Well sure. He’ll crack it in a jiffy. With the exception of more sophisticated security schemes, he doesn’t need any of the password at all. Having an obfuscated password might cut down some of the time necessary to crack it. But we’re not trying to thwart the dedicated malevolent intruder. He’s an entirely different problem. If you’re dealing with data that is life or death, or of the nature that million dollar transactions could be compromised—you aren’t using weak security systems like ‘username and password’ to begin with! Across the landscape of security, you tailor your response to your audience, so to speak. If for example I work a helpdesk and share my workstation with another employee, the information on that PC is likely neither highly confidential, nor highly desirable to acquire. This technique I’ve described is not intended for someone working, on the other hand, in Chase-Manhattan’s datacenter.

It was indeed quite foolish to state in the article "This is, for all practical purposes, completely uncrackable." Really, really poor choice of words. As above, the determined hacker on a fast machine can pretty swiftly slice through a great many passwords of non-trivial length. Presenting a modified password can reduce the amount of work the password-cracking software has to do. But again, this technique is not geared towards thwarting that audience.

This technique is not intended as some sort of foolproof, Total Security, Super Dooper Password Perfect Protection system. It’s a pragmatic response to the rational tension between

Easy password, easy to remember, easy to break


Difficult password, difficult to remember, difficult to break

This method is a synthesis of ‘easy to remember’ coupled with a difficult password. Choosing your own private ‘key’ for unlocking long, complex passwords that have been written down is more secure than making your password "TGiF" and being able to remember it.

Getting back to the poorly chosen photo—and wording—suggesting writing the password on a Post-it and sticking it to your monitor. When this idea first came to me, it was in response to having been presented, at a job I’d just started, with a wallet-sized printout of some very long and complex passwords (regularly changed, as well), to servers that provided ‘last line of defense’ security for an entire server farm. A person would first have to thwart three previous layers of security, one of them requiring a Securekey keyring fob which generated one-time-use passwords, to even get to a place where they could use those written-down passwords. Even for the young crew of senior admins, memorizing them was wasted effort, so they kept the ‘cheat-sheet’ in their respective wallets. That’s when it occurred to me that obfuscating the actual printed password in some simple way could provide a "can’t hurt to do it" further layer of security.

Finally, I’ll reiterate the important concept that underlies this method: You, the person who obfuscates the password when writing it down, you choose the formula you use to obfuscate it, and there are countless different ways for any one person to do so. The other guy, however, the guy who finds your wallet with the list of passwords in it, he does not know that the password’s been modified, or how it has been modified. When considering this method, it’s important to keep that in mind. When presenting examples of it, sure, it all seems drop-dead easy to figure out, and not terribly secure at all. But good luck when you aren’t aware of the specifics.

[Photo: wallet with password cheatsheet]

Any password can be brute-forced, given enough time and enough computational horsepower. Not knowing in advance how those passwords in the photo above differ from the real, underlying passwords—and the changes to them are simple, similar to the methods described above—that makes brute-forcing them somewhat harder. But it’s the casual attacker for whom they’ll prove of no value at all.

(and no, those aren’t real or obfuscated passwords, or hosts. It’s a prop, for demonstration purposes.)

I understand a lot of the criticism made of the technique, particularly relative to my poor presentation of the idea in the article yesterday. Nevertheless, I believe this technique has merit. It’s a pragmatic technique that Joe Cubicle-dweller can use, and be perhaps a little less vulnerable to Hacky McHackerson (tip of the fez to Coda on that last!).

Oh, and don’t forget—who besides me might know that three of the passwords in the photo above are bogus end-to-end? Nothing like adding some fruitless busywork to the process. Heck, by the time Hacky gets to the real obfuscated passwords, you’ll already have changed them all.

