Some time ago, Amazon purchased a controlling interest in a website known as AmieStreet. I'm not providing a link to Amie Street because Amazon shut down the service last month. In doing so, they killed off the only place on the Internet that many artists had their music available to the public. Several artists, such as Pink Stilletos and Tim McQueen no longer have a place for their music to be published and played.
While Amazon certainly has a profit motive for shutting down the website (which was probably losing money), it helps the music industry continue their power on deciding what music we listen to. Through Amie Street, I had found several bands worth listening to, and thankfully have had the opportunity to download their music. Unfortunately, others won't be able to discover these same artists and share their music with me. The Internet is supposed to be a great equalizer, but it seems that it is still part of the same game that stifles independents. Those with money and power continue to decide what is worth listening to and who will get display time on your screen. Independents without the savvy to use the Internet or the money to invest to get their voice heard have just lost a major opportunity to be discovered.
And that just sucks.
October 05, 2010
September 01, 2010
The Effects of Doing
The human mind is an amazing computer. It has adapted to learn things through a myriad of inputs. You can read something and learn about it, you can hear someone talk about something and learn important facts and aspects of it, you can watch someone do something and learn the machinations of how to perform. But if you want to get good at something, you just have to DO it.
I read. In fact, I read A LOT. When I was growing up, I used to read fiction. But as my interests matured, I have switched mostly to technical references and news sources. I read about a lot of new technology, and I like to think that I have learned about these things that I have read about. I have a cursory knowledge in a very wide swath of subjects, both technical and non-technical. I like to think of myself as an intellect, although my capacity leaves me somewhere in the area of the second standard deviation. I've never been able to pull off the Mensa scores, but I've gotten close enough to taste it (I took the ACT when I was older just to try to earn my way in - imagine taking the SAT/ACT by choice - I'm a lunatic), and I enjoy hanging out with people smarter than me.
So you think I would have learned a great deal through all of this reading. Yes....and no. I've certainly picked up a lot of knowledge through all of it. I've picked up others opinions and enough facts to try to make a decision as to where I stand on some issues. I've picked up some 'architectural' knowledge of how things fit together (constructing world view). But of all the things I tell people I've learned in the past few years, each one was something I didn't so much read about as something I learned by doing.
I asked myself this question: What have you learned (over some period of time)? Well, I've learned to juggle. Yes, at first I read a booklet (Thank you Klutz(c)). But I learned to juggle by doing it over and over and over. Through hundreds of failures I found success. I've learned to play the piano. With all of the missed notes, and the inordinate patience of my family that has listened to me practice for hours, I can passably play the piano. I've learned Pi to the 133rd digit (what has kind of spurred this post). I've learned to play chess well enough to beat just about any non-chess-player. I've learned some technical things as well, but that's my job, after all. All of those things I feel I've learned have not been through reading and understanding - all of them have really been learned by practicing, repetition, embedding these things into my muscle memory...like riding a bike.
I think this gets back to the question: What is meant to know something? When you KNOW something, you can just do it. Your mind gets out of the way of your ability to perform, and you enter a new level of constant change (and improvement) that is done subconsciously.
Not sure why any of this matters - just a random thought that crossed my mind and I felt like writing it down. So my new motto is 'Just Do It' - thanks, Nike.
I read. In fact, I read A LOT. When I was growing up, I used to read fiction. But as my interests matured, I have switched mostly to technical references and news sources. I read about a lot of new technology, and I like to think that I have learned about these things that I have read about. I have a cursory knowledge in a very wide swath of subjects, both technical and non-technical. I like to think of myself as an intellect, although my capacity leaves me somewhere in the area of the second standard deviation. I've never been able to pull off the Mensa scores, but I've gotten close enough to taste it (I took the ACT when I was older just to try to earn my way in - imagine taking the SAT/ACT by choice - I'm a lunatic), and I enjoy hanging out with people smarter than me.
So you think I would have learned a great deal through all of this reading. Yes....and no. I've certainly picked up a lot of knowledge through all of it. I've picked up others opinions and enough facts to try to make a decision as to where I stand on some issues. I've picked up some 'architectural' knowledge of how things fit together (constructing world view). But of all the things I tell people I've learned in the past few years, each one was something I didn't so much read about as something I learned by doing.
I asked myself this question: What have you learned (over some period of time)? Well, I've learned to juggle. Yes, at first I read a booklet (Thank you Klutz(c)). But I learned to juggle by doing it over and over and over. Through hundreds of failures I found success. I've learned to play the piano. With all of the missed notes, and the inordinate patience of my family that has listened to me practice for hours, I can passably play the piano. I've learned Pi to the 133rd digit (what has kind of spurred this post). I've learned to play chess well enough to beat just about any non-chess-player. I've learned some technical things as well, but that's my job, after all. All of those things I feel I've learned have not been through reading and understanding - all of them have really been learned by practicing, repetition, embedding these things into my muscle memory...like riding a bike.
I think this gets back to the question: What is meant to know something? When you KNOW something, you can just do it. Your mind gets out of the way of your ability to perform, and you enter a new level of constant change (and improvement) that is done subconsciously.
Not sure why any of this matters - just a random thought that crossed my mind and I felt like writing it down. So my new motto is 'Just Do It' - thanks, Nike.
August 12, 2010
July 20, 2010
Restrictive Password Rules Are Bad, mmmmk?
There are all kinds of things that a discussion of password security could go into, for example:
However, some have taken the step of implementing password rules to a level that it is actually damaging to their password system, and they may not realize it. After all, the password 'password' may no longer be the first most used password on their system because it isn't allowed, but the password "1234qwer!@#$QWER" is probably at the top of any good hackers list, and is allowed by even the most restrictive of password rule systems. Just because this second data string doesn't make sense to us doesn't give it any magical properties of being more secure than the 'password' password. Nay, for a computer, the second password has more patterns in it that the first ever did.
Recognizing a bad password is not something that is easily understood (although it's not an impossible task for an AI engine), but what the system administrator needs to know is that their password rules need to be in place that will make it as unlikely as possible that the user would create such an easily guessed monstrosity, and that the password the user creates will be both secure and easy to remember. This means both having restrictions (to ensure that single words and '123456789' are not used as passwords), and having reasonable and easy to meet restrictions that the user will be able to come up with a good password when asked. Once the restrictions get too tight, the user is going to logically process the rules into a pattern because they cannot easily come up with something that meets the restrictions.
Another problem is restricting the size of a password field is something that should never be done. Limiting a user to only 8, 10, 12, 14 characters is entirely arbitrary, and speaks to improperly implemented password storage systems. If you have a maximum limitation on your password, it screams to the world that you are storing the password either in clear-text in a data system, or something that any hobbyist cryptographer could crack open (rot13? XOR data field?). If you properly implement password storage as one-way salted hashes in your system then it won't matter how long the user password entry is. You should give them more than enough room to enter any reasonable string - arbitrarily, say 256 characters, so you can size the field and protect from buffer overflows, but you get the idea.
What about complexity requirements? They need to be simple to understand, and should be free of 'systemic' requirements. You should not forbid the use of any valid entry character. This may mean even allowing the entry of such no-no's as ',@ and " - if you don't accept these characters, you're again telling the world that you're doing something with the password you shouldn't be doing, like storing them in a database. Complexity should be simple to follow and easy to come up with something useful...perhaps a restriction to use at least one character from each of the sets: UPPERCASE-LETTERS, LOWERCASE-LETTERS, SPECIAL-CHARACTERS, NUMBERS. This is easy enough to follow just by using natural passwords like I*Hate%Passwords.
The more restrictive your rules, the more likely your users are to rebel by using something systematic (QWERTY12345qwerty!@#$%). If you frustrate your users, they'll just be looking for a way to get around your 'stupid rules' rather than be a partner in protecting their information. You'd much rather get someone to be inventive (like: Rosemary'sBaby1997). This password may seem simple to you and me, but it's because our minds are tuned to pick up and categorize the symbols in the password. For someone who doesn't know the password, it's going to take a LOT of guessing to get that password from the system.
And if you're properly hashing, salting and securing your password (shadow) file - a dictionary attack is going to have a hard time guessing that password at 3 allowable guesses per hour (between lockout).
Less focus should be spent on protecting yourself from system administrator staff who may have access to the secure password hashes and salt. If they want to get into your system, they have much more direct ways to impersonate users than pulling down that data and running computations against it. Instead, the focus on password security needs to be:
- Why passwords need to be stored properly on the data system
- How does a mixture of password implementation policies protect the system from account hacks?
- The risks of rainbow tables and cloud computing
- Why restricting your users to seemingly arbitrary or complex rules actually lessens the strength of your password system.
However, some have taken the step of implementing password rules to a level that it is actually damaging to their password system, and they may not realize it. After all, the password 'password' may no longer be the first most used password on their system because it isn't allowed, but the password "1234qwer!@#$QWER" is probably at the top of any good hackers list, and is allowed by even the most restrictive of password rule systems. Just because this second data string doesn't make sense to us doesn't give it any magical properties of being more secure than the 'password' password. Nay, for a computer, the second password has more patterns in it that the first ever did.
Recognizing a bad password is not something that is easily understood (although it's not an impossible task for an AI engine), but what the system administrator needs to know is that their password rules need to be in place that will make it as unlikely as possible that the user would create such an easily guessed monstrosity, and that the password the user creates will be both secure and easy to remember. This means both having restrictions (to ensure that single words and '123456789' are not used as passwords), and having reasonable and easy to meet restrictions that the user will be able to come up with a good password when asked. Once the restrictions get too tight, the user is going to logically process the rules into a pattern because they cannot easily come up with something that meets the restrictions.
Another problem is restricting the size of a password field is something that should never be done. Limiting a user to only 8, 10, 12, 14 characters is entirely arbitrary, and speaks to improperly implemented password storage systems. If you have a maximum limitation on your password, it screams to the world that you are storing the password either in clear-text in a data system, or something that any hobbyist cryptographer could crack open (rot13? XOR data field?). If you properly implement password storage as one-way salted hashes in your system then it won't matter how long the user password entry is. You should give them more than enough room to enter any reasonable string - arbitrarily, say 256 characters, so you can size the field and protect from buffer overflows, but you get the idea.
What about complexity requirements? They need to be simple to understand, and should be free of 'systemic' requirements. You should not forbid the use of any valid entry character. This may mean even allowing the entry of such no-no's as ',@ and " - if you don't accept these characters, you're again telling the world that you're doing something with the password you shouldn't be doing, like storing them in a database. Complexity should be simple to follow and easy to come up with something useful...perhaps a restriction to use at least one character from each of the sets: UPPERCASE-LETTERS, LOWERCASE-LETTERS, SPECIAL-CHARACTERS, NUMBERS. This is easy enough to follow just by using natural passwords like I*Hate%Passwords.
The more restrictive your rules, the more likely your users are to rebel by using something systematic (QWERTY12345qwerty!@#$%). If you frustrate your users, they'll just be looking for a way to get around your 'stupid rules' rather than be a partner in protecting their information. You'd much rather get someone to be inventive (like: Rosemary'sBaby1997). This password may seem simple to you and me, but it's because our minds are tuned to pick up and categorize the symbols in the password. For someone who doesn't know the password, it's going to take a LOT of guessing to get that password from the system.
And if you're properly hashing, salting and securing your password (shadow) file - a dictionary attack is going to have a hard time guessing that password at 3 allowable guesses per hour (between lockout).
Less focus should be spent on protecting yourself from system administrator staff who may have access to the secure password hashes and salt. If they want to get into your system, they have much more direct ways to impersonate users than pulling down that data and running computations against it. Instead, the focus on password security needs to be:
- Implement proper password storage and validation
- Partner with the user - don't piss them off
- Implement password and account policies that don't enable hackers to use your own CPU power to attack your accounts. (Account locking after so many guesses, only allow single sessions when feasible - session timeouts, disable session re-use, etc...)
- Log and monitor logs for suspicious activity
- Warn users when their accounts have been used (and ask them to validate the usage)
July 08, 2010
Dropping Data into the Cloud
Yesterday I signed up for DropBox, a personal cloud storage folder that stores and synchronizes a folder across any machine that I install the software and login to my account with on the web. It's sort of like a flash drive that I don't have to carry with me, and they start you off with 2.25GB of storage. You can earn up to 8GB of free storage (if you tell other people about the service and they sign up through your referral link).
A short word on a security standpoint. DropBox makes a claim to encrypt your data, but the software that you would use to encrypt your data is theirs, so trusting it to actually secure your data would need to be earned. Their encryption claim states that your password is the only way to decrypt your data. You'll be storing your password in the client you use to access the information, though, so if someone steals one of your devices with a client, you're going to lose the security of the account until you change it. Using cloud storage for your information is entrusting your data to complete strangers. If you decide to use the dropbox service, you need to understand that it is completely likely and eventually probable that at some point in time, your information (that you've placed in your dropbox) will be made available to someone else. It could be an internal break-in from a DropBox employee, but even more likely it will be a weakness in the DropBox system that exposes your data.
So, what good is cloud storage? It's good for storing semi-public information. For example, I use it to store several copies of my resume that I need to be able to access just about anywhere. I've also put some pictures in the dropbox to share with a friend. If you treat the storage container as if it were a public lockbox and the lock is no more secure than a gym locker padlock, then you'll be able to keep the right frame of mind on the service. Be careful out there.
EDITED: DropBox claims to encrypt your data, with a key protected by your userid/password. Remember that the security of an encryption algorithm is only as secure as its implementation and the security of the encryption key. If your userid/password can get the decryption key, then the security of that information is how strong the encryption is. There is no mention as to how that information is protected at DropBox.Com.
A short word on a security standpoint. DropBox makes a claim to encrypt your data, but the software that you would use to encrypt your data is theirs, so trusting it to actually secure your data would need to be earned. Their encryption claim states that your password is the only way to decrypt your data. You'll be storing your password in the client you use to access the information, though, so if someone steals one of your devices with a client, you're going to lose the security of the account until you change it. Using cloud storage for your information is entrusting your data to complete strangers. If you decide to use the dropbox service, you need to understand that it is completely likely and eventually probable that at some point in time, your information (that you've placed in your dropbox) will be made available to someone else. It could be an internal break-in from a DropBox employee, but even more likely it will be a weakness in the DropBox system that exposes your data.
So, what good is cloud storage? It's good for storing semi-public information. For example, I use it to store several copies of my resume that I need to be able to access just about anywhere. I've also put some pictures in the dropbox to share with a friend. If you treat the storage container as if it were a public lockbox and the lock is no more secure than a gym locker padlock, then you'll be able to keep the right frame of mind on the service. Be careful out there.
EDITED: DropBox claims to encrypt your data, with a key protected by your userid/password. Remember that the security of an encryption algorithm is only as secure as its implementation and the security of the encryption key. If your userid/password can get the decryption key, then the security of that information is how strong the encryption is. There is no mention as to how that information is protected at DropBox.Com.
May 22, 2010
I do not know these people
Back in 2008, I supported a Republican primary candidate by the name of Ron Paul. Unfortunately, Mr. Paul did not win the Republican party primary and instead, Sarah Palin and some old guy ran in his place, losing the election because the electorate realized that they were all more qualified to be vice president than the ditzy running mate they were given the choice of voting for. I imagine that the Republican party lost the election singly because of their choice of Sarah Palin for Vice President.
Now, Sarah is back, and she's touring the country speaking at rallies that use the term 'tea party'. Much of the rhetoric of this new tea party is not libertarian in nature. A lot of it is based on fear-mongering and hatred, and I just wanted to come out here today to tell you that I do not know these people. I do not wish to associate with these people.
Every time I hear a talking head on TV say the word 'teabagging', I can't help but giggle inside because I know what it means (and it has nothing to do with politics, I assure you).
The idiocracy is here, my friends. Do not embrace it. Do not merely be embarrassed and disgusted by it. Shore up your survival skills, because the world, it is going to hell in a hand-basket and it appears we cannot stop it with reason and logic.
Now, Sarah is back, and she's touring the country speaking at rallies that use the term 'tea party'. Much of the rhetoric of this new tea party is not libertarian in nature. A lot of it is based on fear-mongering and hatred, and I just wanted to come out here today to tell you that I do not know these people. I do not wish to associate with these people.
Every time I hear a talking head on TV say the word 'teabagging', I can't help but giggle inside because I know what it means (and it has nothing to do with politics, I assure you).
The idiocracy is here, my friends. Do not embrace it. Do not merely be embarrassed and disgusted by it. Shore up your survival skills, because the world, it is going to hell in a hand-basket and it appears we cannot stop it with reason and logic.
May 02, 2010
FiOS Closed Captioning
Do you have FiOS? Do you like Closed Captioning? The default CC style on our FiOS box was annoying - black bordered - too big font, ugly font. And going into the FiOS Settings didn't help, because it doesn't allow you to set the style, like my cable box did. After some searching online, I found that there is a 'secret' menu on the FiOS box. To access it, press STB, and then get ready to press the following quickly, in order - Power, OK, Menu. With a little luck, you wait about 3-5 seconds and a black text on white background menu pops up, where you can change the CC font, background, color options. Make sure to change the CC Options to User while you're here. When you're done, just press the Menu button again.
The small font still isn't small enough for my big screen TV, but at least the annoying black background is off of the letters.
The small font still isn't small enough for my big screen TV, but at least the annoying black background is off of the letters.
March 30, 2010
PhotoRescue Data Recovery
Ok, this is going to sound like an ad....but it's not...It's advice:
This software:PhotoRescue just saved my bacon. I was downloading images from my camera card using Picasa, and something went wrong/funny. I had 497 photos, but I only got 380 or so photos, but it erased them all from the card anyway, as if it were done downloading. The missing photos included some family vacation photos, and I was understandably pissed off. I tried several packages to recover lost files, but each one ended up recovering corrupt jpg files, and I even tried jpg restoration software, which showed me the recovered files weren't even the right ones, much less complete images.
PhotoRescue worked - and by worked, I mean, it recovered the files, the CORRECT files, and they were images - the images I expected them to be, and it worked beautifully, giving me images to select from as to what I wanted restored (so I didn't have to restore the movie files and 380 photos I already had downloaded). The software was $29, a price I was glad to pay once I saw that the software did what I needed it to do. After trying about 5 or 6 other packages, I was happy to finally have something that worked.
This software:PhotoRescue just saved my bacon. I was downloading images from my camera card using Picasa, and something went wrong/funny. I had 497 photos, but I only got 380 or so photos, but it erased them all from the card anyway, as if it were done downloading. The missing photos included some family vacation photos, and I was understandably pissed off. I tried several packages to recover lost files, but each one ended up recovering corrupt jpg files, and I even tried jpg restoration software, which showed me the recovered files weren't even the right ones, much less complete images.
PhotoRescue worked - and by worked, I mean, it recovered the files, the CORRECT files, and they were images - the images I expected them to be, and it worked beautifully, giving me images to select from as to what I wanted restored (so I didn't have to restore the movie files and 380 photos I already had downloaded). The software was $29, a price I was glad to pay once I saw that the software did what I needed it to do. After trying about 5 or 6 other packages, I was happy to finally have something that worked.
March 23, 2010
Trying out Windows Live Writer
I’m trying out a third-party blog post composition software called Windows Live Writer – I want to see how it does, whether it posts accurately, how the plug-ins work, like this sample photo attachment (my breakfast on a flight to Dallas).
The options for word-wrapping and tilting the photo are interesting, but I want to see how they translate to the actual page. I don’t like that they’re not using CSS to tilt, but instead recreating the image, so that it’s rectangular. It doesn’t allow the text to tightly wrap around the image like I would expect or want. Of course, beggars can’t be choosers, and this is a free tool. Interestingly, Windows Live Writer did not pick up the last blog post in my blog when it imported them. Now that I’ve edited this post and re-published it, let’s see if those changes are implemented.
March 06, 2010
What would happen if you quit today?
This question occured to me the other day as part of a moment of self-reflection/analysis. It turns out that it's a very good question for self-criticism and thinking about yourself in terms of your career, both as far as options go and trying to understand how others see you.
To perform this exercise, imagine that you walked into your bosses office and handed him a letter of resignation. Don't even think about WHY you would do this, especially during a recession - just imagine it says "Effective immediately, I resign my position. Signed, You"
What would your bosses first reaction be? Try to be as truthful as possible with yourself. Now, if that honest answer doesn't include your boss asking what he can do to change your mind, you've got a problem..whether the problem is with you or your company's situation. See, if you're not someone he needs to try to keep, what's to stop him from getting rid of you all by himself.
If your honest evaluation is that he would try to keep you, then ask yourself why and go from there.
Each of us who are employees have a duty to bring value to the company we work for, and not just be some form of replaceable labor. Your value can come from anything, whether it be your personality, your dedication, your knowledge, your leadership, etc.... But note that it has to come from you, not the job you do. If you don't bring unique STUFF to your job, you can be replaced, and that's not a position you want to be in with your employer when times get rough.
I'd go so far to say that probably half of us are in this boat. A self-evaluation will help you think about and understand where you stand. If you were your boss, why would you keep you? If you wouldn't, what can you do to improve your position?
It's too easy to show up for work every day with the attitude that you just need to get through just one more week until Friday. Instead, you should be thinking about how you can bring new value to your company this week. If you attack your career in such a way, then success is all but guaranteed, for you and your employer (which cycles right back to you). As you improve others, you improve yourself, and others can tell the difference between those who are constantly adding value and those who just survive.
And as a last point...they won't tell you which they think of you until that moment that you resign or they have to lay you off. Don't let yourself be surprised - self-evaluate now.
To perform this exercise, imagine that you walked into your bosses office and handed him a letter of resignation. Don't even think about WHY you would do this, especially during a recession - just imagine it says "Effective immediately, I resign my position. Signed, You"
What would your bosses first reaction be? Try to be as truthful as possible with yourself. Now, if that honest answer doesn't include your boss asking what he can do to change your mind, you've got a problem..whether the problem is with you or your company's situation. See, if you're not someone he needs to try to keep, what's to stop him from getting rid of you all by himself.
If your honest evaluation is that he would try to keep you, then ask yourself why and go from there.
Each of us who are employees have a duty to bring value to the company we work for, and not just be some form of replaceable labor. Your value can come from anything, whether it be your personality, your dedication, your knowledge, your leadership, etc.... But note that it has to come from you, not the job you do. If you don't bring unique STUFF to your job, you can be replaced, and that's not a position you want to be in with your employer when times get rough.
I'd go so far to say that probably half of us are in this boat. A self-evaluation will help you think about and understand where you stand. If you were your boss, why would you keep you? If you wouldn't, what can you do to improve your position?
It's too easy to show up for work every day with the attitude that you just need to get through just one more week until Friday. Instead, you should be thinking about how you can bring new value to your company this week. If you attack your career in such a way, then success is all but guaranteed, for you and your employer (which cycles right back to you). As you improve others, you improve yourself, and others can tell the difference between those who are constantly adding value and those who just survive.
And as a last point...they won't tell you which they think of you until that moment that you resign or they have to lay you off. Don't let yourself be surprised - self-evaluate now.
Subscribe to:
Posts (Atom)