Wednesday, March 28, 2012
Advice to the Employer of a Hacker...
Parts of this I found quite funny (and I think it's intended to be a joke). Other parts resonated to various degrees, in some cases quite uncomfortably...
Religions...
Found this graphic showing the religions of the world's population. As always, click to enlarge. More info at the source. There were some surprises in here for me...
Trayvon Martin
I haven't been commenting about the Trayvon Martin (the black youth shot and killed by George Zimmerman) case mainly because I don't know what all the facts are (and I'm confident the lamestream media is not reporting them straight up in such a charged, sensational case). I'm not going to comment on it now, for the same reason.
But I will note, with interest, that a growing number of prominent black voices are reacting in a way that I find refreshingly constructive. They are wondering why the black community (and the news media) aren't outraged by the long-standing scourge of violence against blacks perpetrated by other blacks.
Juan Williams has just such a question in today's WSJ. In it, he cites an old quote from Jesse Jackson that I remember well:
But I will note, with interest, that a growing number of prominent black voices are reacting in a way that I find refreshingly constructive. They are wondering why the black community (and the news media) aren't outraged by the long-standing scourge of violence against blacks perpetrated by other blacks.
Juan Williams has just such a question in today's WSJ. In it, he cites an old quote from Jesse Jackson that I remember well:
"There is nothing more painful to me at this stage in my life than to walk down the street and hear footsteps and start thinking about robbery. Then look around and see somebody white and feel relieved... After all we have been through. Just to think we can't walk down our own streets, how humiliating."Whatever the facts of the Trayvon Martin case are, these black voices are raising a most excellent question. Where is your outrage, Al Sharpton? Why aren't you tweeting about that, Spike Lee? And most of all, our first black President: why aren't you siccing Holder on a real problem, Mr. Obama?
Hope and Change...
The news from the Supreme Court's oral arguments on Obamacare sure sound hopeful...
Passwords...
Passwords are really hard to get right. To be useful, they have to be memorable (so you can remember them without writing them down) and they have to be secure. It's the second part that's so hard, because most non-technical people have no idea what makes a password secure.
These days, the most common passwords fall into one of three categories.
First there are the stupid, easy passwords, such as "password123" or "qwerty". An amazing number of people (by some accounts, over 20%) use such passwords for things they really care about, like their bank account. This is like removing the lock from your house. If you do this, you shouldn't be allowed to touch a computer. The bad guys have readily-available lists of common stupid passwords, and they will try them all to see if they work.
Then there are the passwords comprised of personal information of some kind: your kid's name and birthday, or the names of your two dogs, etc. If these are well-chosen, and if (this is a huge if) the attacker has no other information about you, these kinds of passwords can be reasonably secure. But you need to be very certain that the personal information you disclose isn't available electronically anywhere: not on Facebook, not at your bank, not even on your tax return. A bad guy who hacks into your Facebook account might well know your kids names and birthdays. The safest things to use for this kind of password are generally things in your distant (and hopefully pre-Internet) days. Say, for example, the name of your fourth grade teacher (I'm looking at you, "Mrs.Dalrymple4th"). Good passwords of this type are relatively uncommon, though – most people make poor choices with easily discoverable or guessed information.
Finally, there are the passwords comprised of some memorable sequence of words, like "JamulGeekGeezer". People, especially non-technical people, are attracted to these passwords. They look secure, mainly because they're long and they look unlikely. The problem is that they are usually made up of words from a relatively small list of common words: a few tens of thousands of ordinary words and place names. That may sound like a lot of words to you, but to a computer this is a small list. Most web sites don't have protection against an attacker trying thousands of passwords, so the bad guys simply try lots of combinations of these words from their “dictionary” of common words. These attacks are depressingly effective. A common variant of this type of password replaces all "o" characters with "0" (zero) characters, "s" with "$", or some such thing. There are also relatively few variations of these, and the bad guys have dictionaries of them as well. A more secure variation of this type deliberately misspells one or more words, like "JamulGekkGezzer". That's far more secure, as the misspelled words are not likely to be in the dictionary.
Years ago, I read about another technique (mentioned in the linked article) that yields passwords that are both memorable and secure. I've been using it ever since. The technique is simple. First, choose a phrase that is easy for you to remember, but is unlikely for anyone else to ever use or guess. For example, I might choose "Miki is playing outside my red-roofed house." You must be careful, when choosing a phrase, not to use some famous lines from movies or plays, etc. – those an attacker could certainly guess. Then apply some simple rule (also easy to remember) to turn that phrase into a password. For example, I might have the rule "Take the first letter of each word, plus any punctuation". That would yield the password "Mipomr-rh." Now that's a pretty secure password. It's reasonably long (10 characters; a little longer would be better) and it certainly isn't attackable by a dictionary attack. I've been recommending this to anyone who asks me, and I still recommend it. For passwords protecing things that are really valuable to me, I use passwords with 12 or more characters, created from phrases like I used above.
These days, the most common passwords fall into one of three categories.
First there are the stupid, easy passwords, such as "password123" or "qwerty". An amazing number of people (by some accounts, over 20%) use such passwords for things they really care about, like their bank account. This is like removing the lock from your house. If you do this, you shouldn't be allowed to touch a computer. The bad guys have readily-available lists of common stupid passwords, and they will try them all to see if they work.
Then there are the passwords comprised of personal information of some kind: your kid's name and birthday, or the names of your two dogs, etc. If these are well-chosen, and if (this is a huge if) the attacker has no other information about you, these kinds of passwords can be reasonably secure. But you need to be very certain that the personal information you disclose isn't available electronically anywhere: not on Facebook, not at your bank, not even on your tax return. A bad guy who hacks into your Facebook account might well know your kids names and birthdays. The safest things to use for this kind of password are generally things in your distant (and hopefully pre-Internet) days. Say, for example, the name of your fourth grade teacher (I'm looking at you, "Mrs.Dalrymple4th"). Good passwords of this type are relatively uncommon, though – most people make poor choices with easily discoverable or guessed information.
Finally, there are the passwords comprised of some memorable sequence of words, like "JamulGeekGeezer". People, especially non-technical people, are attracted to these passwords. They look secure, mainly because they're long and they look unlikely. The problem is that they are usually made up of words from a relatively small list of common words: a few tens of thousands of ordinary words and place names. That may sound like a lot of words to you, but to a computer this is a small list. Most web sites don't have protection against an attacker trying thousands of passwords, so the bad guys simply try lots of combinations of these words from their “dictionary” of common words. These attacks are depressingly effective. A common variant of this type of password replaces all "o" characters with "0" (zero) characters, "s" with "$", or some such thing. There are also relatively few variations of these, and the bad guys have dictionaries of them as well. A more secure variation of this type deliberately misspells one or more words, like "JamulGekkGezzer". That's far more secure, as the misspelled words are not likely to be in the dictionary.
Years ago, I read about another technique (mentioned in the linked article) that yields passwords that are both memorable and secure. I've been using it ever since. The technique is simple. First, choose a phrase that is easy for you to remember, but is unlikely for anyone else to ever use or guess. For example, I might choose "Miki is playing outside my red-roofed house." You must be careful, when choosing a phrase, not to use some famous lines from movies or plays, etc. – those an attacker could certainly guess. Then apply some simple rule (also easy to remember) to turn that phrase into a password. For example, I might have the rule "Take the first letter of each word, plus any punctuation". That would yield the password "Mipomr-rh." Now that's a pretty secure password. It's reasonably long (10 characters; a little longer would be better) and it certainly isn't attackable by a dictionary attack. I've been recommending this to anyone who asks me, and I still recommend it. For passwords protecing things that are really valuable to me, I use passwords with 12 or more characters, created from phrases like I used above.
Milky Way...
Out with the dogs a little later than usual this morning. In the eastern sky, the Milky Way shone bright and clear, stretching from the north to the southeast. I was staring at this celestial beauty, lost in awe, until the arresting aroma of dog poop brought me back to earth. Oh, well...