Randomblings from Rich - Random talk about technology, science, chess, news, hobbies, stupidity and myself.
February 28, 2011
So, what did you do with your weekend? This weekend the wife and I went to the library - I haven't been for a while and there's a relatively new branch in the main city near me. I picked up two things - "Ender's Game" by Orson Scott Card (a friend had recommended another book by him, but they didn't have it) and a book of sheet music for songs from the 70s. I brought the sheet music home and started learning "American Pie" by Don McLean on the piano. I'm certainly no virtuoso - I'm a self-taught piano player of a few years and I'm only able to play a melody with full-chord accompaniment, but it sounds fairly good on my electronic keyboard with some creative dual-voicing. I've learned up through the first chorus by heart, and with practice I should be able to teach myself the whole song before I have to bring the book back.
We also stopped at Panera Bread for scones and a smoothie while we read our books. I'm about a third of the way through "Ender's Game" and should finish it this week. Card is a very accessible author, and so far I am thoroughly enjoying the book, aside from the incredulous level of dialogue that is supposedly coming from a six-year-old. That's my only nitpick with the book concept thus far.
February 09, 2011
Jurors take their job seriously
I had jury duty yesterday. I spent all day at the County courthouse for a trial on a charge of 'failure to stop' (at a stop sign). It was more interesting than it probably should have been, and there were plenty of takeaways to share.
1. The jurists for this case (all 7 of them) appeared to be very dedicated to getting to the bottom of the matter and ensuring they followed their instructions as closely as possible. Because the case was such a simple one, I was surprised by the level of discussions in the jury room. I expected to be one of two or three dissenters, but found myself in the majority from the outset.
2. The Prosecution needs to ensure that they do their job. In presenting their case, they need to be extremely specific about focusing on the charge at hand and ensuring they present enough evidence to erase shadows of doubt. The jury takes very seriously the 'beyond reasonable doubt' clause. In our trial, most of the jury members were very adamant that they had not heard the officer testify that they saw the defendant approach the stop sign and roll through it without stopping. This planted seeds of doubt as to whether or not she had indeed watched him fail to stop, even though it was clear she saw him stop later on. The prosecution did not dwell on setting the scene and ensuring that the officer testified as to the fact that she actually knew that she saw him NOT STOP - a very specific event. Without this specificity, the jury was left to conjecture, which meant reasonable doubt (and ultimately an acquittal).
3. "You have the right to remain silent" - No better advice can be given to anyone accused of a crime. The defendant did not make it easy on himself. Deliberations took hours for the jury merely because of the defendant's behavior in the courtroom, introduction of unrelated evidence, disrespect, immaturity and even introduction of his own driving record (WITH MORE THAN 5 OFFENSES ON IT!!!) into evidence. [Oh yeah, and the prosecution didn't even provide the citation as evidence, which ended up being crucial in the deliberations room.]
4. If you're going to represent yourself at a trial, ensure that you've prepared a logical argument and present ONLY THAT ARGUMENT. Had the defendant followed proceedings properly and taken the stand to state only the one crucial fact (his claim that he had stopped prior to the stop sign and then again after passing through the intersection to avoid hitting something else), it would have laid the reasonable doubt without prejudice. As it is, his rambling, his attacks on the character of the officer, and his other antics in the courtroom all detracted from his credibility.
4a. Oh yeah, and if you're going to represent yourself - CALM DOWN!!! You will be given an opportunity to refute testimony and present your own facts in due time. There is a structure for approaching the situation to come to a logical conclusion, and you will have adequate opportunity to address everything you need to. Take notes if you have an impetus and cannot address it in the current forum. Whatever you do, try not to sound like a stark-raving lunatic.
5. Interesting points on juries in Fairfax County - I was unaware that (at least in this court) you needed unanimity to reach a jury decision for non-felonies. I was unaware the jury sets the sentence in Virginia. I think that's an interesting point. We were given sentencing guidelines when we entered the jury room, and asked to provide a sentence in the case of a guilty verdict.
January 28, 2011
Geek Thoughts
This morning I sat down at my desk and looked over at my picture frame. When I was in Georgetown this summer, I took a picture of the plaque that adorns the building where Herman Hollerith invented and perfected the punched card machine. This is one of the pictures that, along with family pictures, macro pictures and nature pictures cycles through the day. But for some reason, this morning I thought about the Hollerith card.
Did I remember the coding scheme used by the card? A quick Google search confirmed my memory that it was a two-zone system, with 3 punch rows in zone 1 and 9 punch rows in zone 2 (although I recalled 3/10). This gives us 40 possible values per column, with 80 columns available. But then I had this thought, which I am sure others have had before me... the number of possible values per column is actually much larger. By allowing multiple punches per zone, ignoring the zoning of the card and treating each potential hole as a bit, the card could be made to handle 2^12, or 4096, possible values. And that's with the same hardware. Because there was space between zone 1 and zone 2, there is room in the card for more holes, and with a bit more machining another hole would be possible (although this line of thought also gets into the potential for phase shifting along both the x and y axes, giving us much more potential).
Just some geek thoughts for the morning.....completely unimportant.
December 31, 2010
Sniper Ghost Warrior
I bought Sniper: Ghost Warrior from Steam and have been playing it for the past two days. This game is, hands down, the most fun I have had with a PC game since Duke Nukem. There are a few things I don't like about it (unclear map boundaries/movement restriction and lack of freedom in the Story mode, and the red dots that give away EVERY player's position in online Deathmatch play, even if they haven't fired their weapon). Otherwise, I give the game a solid 8 out of 10. With some improvement, I would have no need for another FPS game ever. I don't think the game is still on sale at Steam, I picked it up for $7.50 - but even at $15, if you enjoy sniper/shooters and stealth games, you will definitely enjoy this. I'm going to need to massage these knots out of my neck now.
November 17, 2010
Chip-Resistant Corelle-ware
Ladies/Gentlemen:
I am writing you today as I nurse a wound on my right hand. You see, last night, I made the mistake of having one of your Corelle dinner plates slip from my grasp and fall 6 inches into my stainless steel sink, whereupon it shattered into what, by my count, seems to be a million pieces. Many of the pieces were quite visible, but it seems that many of them were not, and could only be detected when they rubbed up against human skin and embedded themselves in the epidermis, searching for (and finding) the nearest capillary to open.
Your plates are sold as 'break-resistant' and 'chip-proof'. They are quite visually attractive, and I have several sets. However, in the past year, this is the third occurrence upon which I have had the misfortune of cleaning up a shattered dinner plate.
I have, in the past, dropped a plate onto the kitchen floor (approximately 3"), which is surfaced with a double-thick linoleum with extra padding. I have dropped knives and glasses at this same height, and neither the surface nor the drink-ware suffered the same fate as my Corelle dinnerware.
It seems that in making your plates chip-proof, you have increased the likelihood that instead of merely chipping (providing an easy cleanup process of a few chips and a large plate), your product seeks to ensure there is little to no evidence, by exploding upon impact. While in the past, a few sweeps of a broom and a vacuum have been able to clean up the mess, it was all the more interesting last night, since I did not drop the plate onto the kitchen floor.
I dropped it (again, about 6-8 inches) into my stainless steel sink....with the garbage disposal.
Now, I don't know what you know about garbage disposals, but I will tell you that they are not made for rapid or simple disassembly. No, they are made for chopping and grinding and staying in place. And if you get something stuck in a disposal, it can be QUITE a chore to remove it as you shove your hand down the hole meant for water and waste and attempt to fish out what you've dropped. It's that, or call a rather expensive plumber.
So I was quite upset when, rather than having to fish out 2 or 3 chips from a cracked plate, I found myself fishing out slivers of Corelle dinner plate, sized anywhere between a vein-slicing 1/2" x 4" curved-blade piece to curse-inducing micrometer sized ceramic slivers.
Despite all the care in the world, I came away with wounds I didn't realize I had until they began bleeding.
Thankfully, I did not slice anything vital, and with the help of a very trustworthy Dyson I was able to clear out the disposal adequately once I had removed the larger slices.
However, I am not sure if you've changed the formula of your plates in the past year and a half, but this most recent batch seems VERY MUCH LESS 'break-resistant' than I was led to believe or have experienced in the past.
Although, I gotta hand it to you - they really are chip-resistant....they NEVER chip....ever...I wonder if you could also maybe make them 'EXPLOSION'-resistant?
October 05, 2010
How Amazon killed music
Some time ago, Amazon purchased a controlling interest in a website known as AmieStreet. I'm not providing a link to Amie Street because Amazon shut down the service last month. In doing so, they killed off the only place on the Internet that many artists had their music available to the public. Several artists, such as Pink Stilletos and Tim McQueen no longer have a place for their music to be published and played.
While Amazon certainly has a profit motive for shutting down the website (which was probably losing money), it helps the music industry continue their power on deciding what music we listen to. Through Amie Street, I had found several bands worth listening to, and thankfully have had the opportunity to download their music. Unfortunately, others won't be able to discover these same artists and share their music with me. The Internet is supposed to be a great equalizer, but it seems that it is still part of the same game that stifles independents. Those with money and power continue to decide what is worth listening to and who will get display time on your screen. Independents without the savvy to use the Internet or the money to invest to get their voice heard have just lost a major opportunity to be discovered.
And that just sucks.
September 01, 2010
The Effects of Doing
The human mind is an amazing computer. It has adapted to learn things through a myriad of inputs. You can read something and learn about it, you can hear someone talk about something and learn important facts and aspects of it, you can watch someone do something and learn the machinations of how to perform. But if you want to get good at something, you just have to DO it.
I read. In fact, I read A LOT. When I was growing up, I used to read fiction. But as my interests matured, I have switched mostly to technical references and news sources. I read about a lot of new technology, and I like to think that I have learned about these things that I have read about. I have a cursory knowledge in a very wide swath of subjects, both technical and non-technical. I like to think of myself as an intellect, although my capacity leaves me somewhere in the area of the second standard deviation. I've never been able to pull off the Mensa scores, but I've gotten close enough to taste it (I took the ACT when I was older just to try to earn my way in - imagine taking the SAT/ACT by choice - I'm a lunatic), and I enjoy hanging out with people smarter than me.
So you would think I had learned a great deal through all of this reading. Yes....and no. I've certainly picked up a lot of knowledge through all of it. I've picked up others' opinions and enough facts to try to make a decision as to where I stand on some issues. I've picked up some 'architectural' knowledge of how things fit together (constructing a world view). But of all the things I tell people I've learned in the past few years, each one was something I didn't so much read about as something I learned by doing.
I asked myself this question: What have you learned (over some period of time)? Well, I've learned to juggle. Yes, at first I read a booklet (Thank you Klutz(c)). But I learned to juggle by doing it over and over and over. Through hundreds of failures I found success. I've learned to play the piano. With all of the missed notes, and the inordinate patience of my family that has listened to me practice for hours, I can passably play the piano. I've learned Pi to the 133rd digit (what has kind of spurred this post). I've learned to play chess well enough to beat just about any non-chess-player. I've learned some technical things as well, but that's my job, after all. All of those things I feel I've learned have not been through reading and understanding - all of them have really been learned by practicing, repetition, embedding these things into my muscle memory...like riding a bike.
I think this gets back to the question: what does it mean to know something? When you KNOW something, you can just do it. Your mind gets out of the way of your ability to perform, and you enter a new level of constant change (and improvement) that is done subconsciously.
Not sure why any of this matters - just a random thought that crossed my mind and I felt like writing it down. So my new motto is 'Just Do It' - thanks, Nike.
July 20, 2010
Restrictive Password Rules Are Bad, mmmmk?
There are all kinds of things that a discussion of password security could go into, for example:
- Why passwords need to be stored properly on the data system
- How does a mixture of password implementation policies protect the system from account hacks?
- The risks of rainbow tables and cloud computing
- Why restricting your users to seemingly arbitrary or complex rules actually lessens the strength of your password system.
However, some have taken password rules to a level that is actually damaging to their password system, and they may not realize it. After all, the password 'password' may no longer be the most used password on their system because it isn't allowed, but the password "1234qwer!@#$QWER" is probably at the top of any good hacker's list, and it is allowed by even the most restrictive of password rule systems. Just because this second string doesn't make sense to us doesn't give it any magical property of being more secure than 'password'. Nay, to a computer, the second password has more patterns in it than the first ever did.
Recognizing a bad password is not easy (although it's not an impossible task for an AI engine), but what the system administrator needs to know is that their password rules need to make it as unlikely as possible that the user would create such an easily guessed monstrosity, while ensuring that the password the user creates will be both secure and easy to remember. This means both having restrictions (to ensure that single words and '123456789' are not used as passwords) and keeping those restrictions reasonable and easy to meet, so that the user will be able to come up with a good password when asked. Once the restrictions get too tight, the user is going to process the rules into a pattern, because they cannot easily come up with something that meets them.
Another problem: restricting the size of a password field is something that should never be done. Limiting a user to only 8, 10, 12 or 14 characters is entirely arbitrary, and speaks to an improperly implemented password storage system. If you have a maximum limit on your password, it screams to the world that you are storing the password either in clear text in a data system, or in something that any hobbyist cryptographer could crack open (rot13? an XORed data field?). If you properly implement password storage as one-way salted hashes, then it won't matter how long the user's password entry is. You should give them more than enough room to enter any reasonable string - arbitrarily, say 256 characters, so you can size the field and protect against buffer overflows - but you get the idea.
What about complexity requirements? They need to be simple to understand, and should be free of 'systemic' requirements. You should not forbid the use of any valid entry character. This may mean even allowing the entry of such no-no's as ',@ and " - if you don't accept these characters, you're again telling the world that you're doing something with the password you shouldn't be doing, like storing them in a database. Complexity should be simple to follow and easy to come up with something useful...perhaps a restriction to use at least one character from each of the sets: UPPERCASE-LETTERS, LOWERCASE-LETTERS, SPECIAL-CHARACTERS, NUMBERS. This is easy enough to follow just by using natural passwords like I*Hate%Passwords.
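To make the rules in the last three paragraphs concrete, here is an added example in Python (mine, not code from the post): a validator that requires one character from each of the four sets, forbids no character at all, rejects keyboard walks and digit runs such as the '123456789' and "1234qwer!@#$QWER" strings above, and bounds length only at the generous 256 characters suggested, beside salted one-way hashing with PBKDF2 so the stored record has the same size whatever the password length. The 8-character minimum, the iteration count and the keyboard-row list are my assumptions rather than figures from the post, and the run check goes a little beyond the text by walking each keyboard row in both directions.

```python
import hashlib
import hmac
import os

# Field sizing from the article: a ceiling generous enough that no real
# passphrase is ever cut off, while still bounding the input buffer.
MAX_LENGTH = 256
MIN_LENGTH = 8                # assumption: the post names no minimum; 8 is a placeholder
PBKDF2_ITERATIONS = 100_000   # assumption: placeholder work factor; tune for your hardware

# Constructed list of "systematic" sequences: keyboard rows and the digit run.
# A production check would use a larger list plus a dictionary lookup.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "!@#$%^&*()")
RUN_LENGTH = 4                # four adjacent row characters, e.g. "1234" or "qwer"


def has_keyboard_run(pw: str) -> bool:
    """True when RUN_LENGTH or more consecutive characters walk along a
    keyboard row or the digit sequence, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - RUN_LENGTH + 1):
            chunk = row[start:start + RUN_LENGTH]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def check_password(pw: str) -> list:
    """Return the list of rule violations; an empty list means accepted.

    The rules follow the post: at least one character from each of the
    four classes, no character is ever forbidden, a generous length ceiling,
    and rejection of keyboard walks and digit runs such as '123456789'.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if len(pw) > MAX_LENGTH:
        problems.append("too long")
    if not any(c.isupper() for c in pw):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    # "Special" is anything that is not a letter or digit, so ' , @ " and
    # space all count, and nothing is rejected for being the wrong symbol.
    if not any(not c.isalnum() for c in pw):
        problems.append("needs a special character")
    if has_keyboard_run(pw):
        problems.append("contains a keyboard walk or digit run")
    return problems


def hash_password(pw: str, salt: bytes = b"") -> str:
    """One-way salted hash. The stored record is salt plus digest, so the
    length and content of the password never constrain storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for candidate in ("1234qwer!@#$QWER", "Rosemary'sBaby1997"):
        print(candidate, "->", check_password(candidate) or "accepted")
    record = hash_password("Rosemary'sBaby1997")
    print(record)
    print(verify_password("Rosemary'sBaby1997", record))
```

Run as a script it shows the post's two contrasting passwords: the keyboard-walk string is rejected even though it satisfies all four character classes, while Rosemary'sBaby1997 passes, and the hashed record is the same size for an 18-character password as for a 200-character one.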
The more restrictive your rules, the more likely your users are to rebel by using something systematic (QWERTY12345qwerty!@#$%). If you frustrate your users, they'll just be looking for a way to get around your 'stupid rules' rather than be a partner in protecting their information. You'd much rather get someone to be inventive (like: Rosemary'sBaby1997). This password may seem simple to you and me, but it's because our minds are tuned to pick up and categorize the symbols in the password. For someone who doesn't know the password, it's going to take a LOT of guessing to get that password from the system.
And if you're properly hashing, salting and securing your password (shadow) file, a dictionary attack is going to have a hard time guessing that password at 3 allowable guesses per hour (between lockouts).
Less focus should be spent on protecting yourself from system administrator staff who may have access to the secure password hashes and salt. If they want to get into your system, they have much more direct ways to impersonate users than pulling down that data and running computations against it. Instead, the focus on password security needs to be:
- Implement proper password storage and validation
- Partner with the user - don't piss them off
- Implement password and account policies that don't let hackers use your own CPU power to attack your accounts (account locking after so many guesses, only allowing single sessions when feasible, session timeouts, disabling session re-use, etc.)
- Log and monitor logs for suspicious activity
- Warn users when their accounts have been used (and ask them to validate the usage)
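The lockout figure above (3 guesses per hour) and the account-policy, logging and warn-the-user items in the list can be sketched in code. This is an added Python example, not code from the post: a sliding-window throttle that refuses further attempts before the password hash is ever computed once the threshold is hit (so an attacker cannot burn the server's CPU on guesses), keeps an audit trail, and exposes the two reports a monitoring job would want. The account name and password are constructed samples; the clock is injectable so the hour-long window can be exercised without waiting.

```python
import logging
import time
from collections import defaultdict, deque

LOCKOUT_THRESHOLD = 3     # failed guesses allowed ...
LOCKOUT_WINDOW = 3600     # ... per hour, the figure used in the post

log = logging.getLogger("auth")


class LoginThrottle:
    """Sliding-window lockout per account.

    After LOCKOUT_THRESHOLD failures within LOCKOUT_WINDOW seconds, further
    attempts are refused before the password is checked, so an attacker
    cannot keep spending the server's CPU on hash computations. The clock is
    injected so the hour-long window can be exercised in a test.
    """

    def __init__(self, clock=time.time, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
        self._clock = clock
        self._threshold = threshold
        self._window = window
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.events = []                       # (timestamp, kind, account) audit trail

    def _record(self, kind, account):
        now = self._clock()
        self.events.append((now, kind, account))
        log.info("auth %s account=%s t=%s", kind, account, now)

    def _recent_failures(self, account):
        """Drop failures older than the window and return what is left."""
        now = self._clock()
        q = self._failures[account]
        while q and now - q[0] >= self._window:
            q.popleft()
        return q

    def is_locked(self, account) -> bool:
        return len(self._recent_failures(account)) >= self._threshold

    def attempt(self, account, password, verify) -> str:
        """Return 'locked', 'ok' or 'fail'.

        `verify(account, password)` is the caller's credential check (for
        example a salted-hash comparison); it is never called while locked.
        """
        if self.is_locked(account):
            self._record("locked", account)
            return "locked"
        if verify(account, password):
            self._failures[account].clear()
            self._record("ok", account)
            return "ok"
        self._failures[account].append(self._clock())
        self._record("fail", account)
        if self.is_locked(account):
            self._record("lockout", account)
        return "fail"

    # --- the "log and monitor" and "warn users" items from the list -------

    def suspicious_accounts(self):
        """Accounts that reached the lockout threshold at least once."""
        return sorted({acct for _, kind, acct in self.events if kind == "lockout"})

    def logins_to_confirm(self):
        """(account, timestamp) for each successful login, so the user can be
        told when their account was used and asked to confirm it was them."""
        return [(acct, t) for t, kind, acct in self.events if kind == "ok"]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    creds = {"alice": "Rosemary'sBaby1997"}    # constructed sample account
    throttle = LoginThrottle()
    for guess in ("password", "123456789", "qwerty", "Rosemary'sBaby1997"):
        print(guess, "->", throttle.attempt("alice", guess, lambda a, p: creds.get(a) == p))
    print("suspicious:", throttle.suspicious_accounts())
```

The demo run ends with the correct password being refused as "locked" because three wrong guesses preceded it inside the window; the legitimate user gets back in once the oldest failure is an hour old, and the account shows up in the suspicious list for a human to look at.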
July 08, 2010
Dropping Data into the Cloud
Yesterday I signed up for DropBox, a personal cloud storage folder that stores and synchronizes a folder across any machine on which I install the software and log in to my account on the web. It's sort of like a flash drive that I don't have to carry with me, and they start you off with 2.25GB of storage. You can earn up to 8GB of free storage (if you tell other people about the service and they sign up through your referral link).
A short word from a security standpoint. DropBox makes a claim to encrypt your data, but the software that you would use to encrypt your data is theirs, so trusting it to actually secure your data would need to be earned. Their encryption claim states that your password is the only way to decrypt your data. You'll be storing your password in the client you use to access the information, though, so if someone steals one of your devices with a client, you're going to lose the security of the account until you change it. Using cloud storage for your information is entrusting your data to complete strangers. If you decide to use the DropBox service, you need to understand that it is completely likely and eventually probable that at some point in time, your information (that you've placed in your DropBox) will be made available to someone else. It could be an internal break-in from a DropBox employee, but even more likely it will be a weakness in the DropBox system that exposes your data.
So, what good is cloud storage? It's good for storing semi-public information. For example, I use it to store several copies of my resume that I need to be able to access just about anywhere. I've also put some pictures in the dropbox to share with a friend. If you treat the storage container as if it were a public lockbox and the lock is no more secure than a gym locker padlock, then you'll be able to keep the right frame of mind on the service. Be careful out there.
EDITED: DropBox claims to encrypt your data, with a key protected by your userid/password. Remember that the security of an encryption algorithm is only as secure as its implementation and the security of the encryption key. If your userid/password can get the decryption key, then the security of that information is how strong the encryption is. There is no mention as to how that information is protected at DropBox.Com.