When should a password be strong

If you're like me, you select special unique passwords for the sites that count, such as banks, and you use a fairly simple password for things like accounts on blogs and message boards where you're not particularly scared if somebody learns the password. (You had better not be scared, since most of these sites store your password in the clear so they can mail it to you, which means they learn your standard account/password and could pretend to be you on all the sites you duplicate the password on.) There are tools that will generate a different password for every site you visit, and of course most browsers will remember a complete suite of passwords for you, but neither of these works well when roaming to an internet cafe or a friend's house.

However, every so often you'll get a site that demands you use a "strong" password, requiring it to be a certain length, to have digits or punctuation, spaces and mixed case, or subsets of rules like these. This of course screws you up if the site is an unimportant site and you want to use your easy-to-remember password; you must generate a variant of it that meets their rules and remember it. These are usually sites where you can't imagine why you want to create an account in the first place, such as stores you will shop at once, or blogs you will comment on once and so on.

Strong passwords make a lot of sense in certain situations, but it seems some people don't understand why. You need a strong password in case it is possible or desirable for an attacker to do a "dictionary" attack on your account. This means they have to try thousands, or even millions, of passwords until they hit the one that works. If you use a dictionary word, they can try the most common words in the dictionary and learn your password.

Upgrading to Drupal 5.1

I have upgraded the site to the latest Drupal 5.1. For a short time that means some features I coded won't be available until I re-patch, such as my anti-spam comment tool (comments are moderated for now.) If stuff is broken, let me know. (I don't know what happened to the category menus and will try to get them back.) I'll also be adding some new features, such as RSS feeds of comments and nodes and some other things mostly only seen by those who create an account.

Anti-gerrymandering formulae

A well-known curse of many representative democracies is gerrymandering. People in power draw the districts to assure they will stay in power. There are some particularly ridiculous cases in the USA.

I was recently pointed to a paper on a simple, linear system which tries to divide up a state into districts using the shortest straight line that properly divides the population. I have been doing some thinking of my own in this area so I thought I would share it. The short-line algorithm has the important attribute that it's fixed and fairly deterministic. It chooses one solution, regardless of politics. It can't be gamed. That is good, but it has flaws. Its district boundaries pay no attention to any geopolitical features except state borders. Lakes, rivers, mountains, highways, cities are all irrelevant to it. That's not a bad feature in my book, though it does mean, as they recognize, that sometimes people may have a slightly unusual trek to their polling station.

Now that virtualizers are here, let's default to letting you run your old system

Virtualizer technology, which lets you create a virtual machine in which to run another "guest" operating system on top of your own, seems to have arrived. It's common for servers (for security) and for testing, as well as things like running Windows on Linux or a Mac. There are several good free ones. One, kvm, is built into the latest Linux kernel (2.6.20). Microsoft offers their own.

Social networking sites -- accept you won't be the only one, and start interoperating.

So many social networking sites (LinkedIn, Orkut, Friendster, Tribe, Myspace etc.) seem bent on being islands. But there can't be just one player in this space, not even one player in each niche. But when you join a new one it's like starting all over again. I routinely get invitations to join new social applications, and I just ignore them. It's not worth the effort.

Farewell, Studio 60 on the Sunset Strip

I've decided to stop watching Studio 60. (You probably didn't even know I was watching it, but I thought it was worthwhile outlining the reasons for not watching it.)

Studio 60 was hailed as the most likely great show of this season, with good reason, since it's from Aaron Sorkin, creator of one truly great show (the West Wing) and one near-great (Sportsnight.) Sorkin is deservedly hailed for producing TV that's smart and either amusing or meaningful, and that's what I seek. But I'm not caring about the characters on Studio 60.

Digital cameras should have built-in tagging

So many people today are using tags to organize photos and to upload them to sites like flickr for people to search. Most types of tagging are easiest to do on a computer, but certain types of tagging would make sense to add to photos right in the camera, as the photos are taken.

Updating the Turing Test

Alan Turing proposed a simple test for machine intelligence. Based on a parlour game where players try to tell if a hidden person is a man or a woman just by passing notes, he suggested we define a computer as intelligent if people can't tell it from a human being through conversations with both over a teletype.

The giant security hole in auto-updating software

It's more and more common today to see software that is capable of easily or automatically updating itself to a new version. Sometimes the user must confirm the update; in some cases it is fully automatic, or manual but non-optional (i.e. the old version won't work any more). This seems like a valuable feature for fixing security problems as well as bugs.

But rarely do we talk about what a giant hole this is in general computer security. On most computers, programs you run have access to a great deal of the machine, and in the case of Windows, often all of it. Many of these applications are used by millions and in some cases even hundreds of millions of users.

When you install software on almost any machine, you're trusting the software and the company that made it, and the channel by which you got it -- at the time you install. When you have auto-updating software, you're trusting them on an ongoing basis. It's really like you're leaving a copy of the keys to your office at the software vendor, and hoping they won't do anything bad with them, and hoping that nobody untrusted will get at those keys and do something bad with them.

Internet oriented supper club

At various times I have been part of dinner groups that meet once a month or once a week at either the same restaurant or a different restaurant every time. There's usually no special arrangement, but it's usually good for the restaurant since they get a big crowd on a slow night.

Understand the importance of a key in crypto design

I've written before about ZUI (zero user interface) in crypto, and the need for opportunistic encryption based upon it. Today I want to further reinforce the concept by pointing to mistakes we've seen in the past.

Hybrid stickers in carpool lane should be sold at Dutch auction.

In the SF Bay Area, there are carpool lanes. Drivers of fuel efficient vehicles, which mostly means the Prius and the Honda Civic/Insight Hybrids can apply for a special permit allowing them to drive solo in the carpool lanes. This requires both a slightly ugly yellow sticker on the bumper, and a special transponder for bridges, because the cars are allowed to use the carpool lane on the bridge but don't get the toll exemption that real carpools get.

Tempfailing for spam -- where does it lead

One growing technique for use in anti-spam involves finding ways to "fail" on initial contacts for sending mail. Real, standards-conformant mail programs try again in various ways, but spammers, in writing their mail blasters, tend to just have them skip that address and go to the next one in their list.

One common approach is simply returning a "temporarily unavailable" status on any initial mail attempt that might be spam. Another approach is to have dead MX records at both the "try first" and "try last" ends of the MX chain.

Replacing the FCC with "don't be spectrum selfish."

Radio technology has advanced greatly in the last several years, and will advance more. When the FCC opened up the small "useless" band where microwave ovens operate to unlicensed use, it generated the greatest period of innovation in the history of radio. As my friend David Reed often points out, radio waves don't interfere with one another out in the ether. Interference only happens at a receiver, usually due to bad design. I'm going to steal several of David's ideas here and agree with him that a powerful agency founded on the idea that we absolutely must prevent interference is a bad idea.

My overly simple summary of a replacement regime is just this: "Don't be selfish." More broadly, this means "don't use more spectrum than you need," at both the transmitting and receiving end. I think we could replace the FCC with a court that adjudicates problems of alleged interference. This special court would decide which party was being more selfish, and tell them to mend their ways. Unlike past regimes, the Part 15 lesson suggests that sometimes it is the receiver who is being more spectrum selfish.

Here are some examples of using more spectrum than you need:

  • Using radio when you could have readily used wires, particularly the internet. This includes mixed mode operations where you need radio at the endpoints, but could have used it just to reach wired nodes that did the long haul over wires.
  • Using any more power than you need to reliably reach your receiver. Endpoints should talk back if they can, over wires or radio, so you know how much power you need to reach them.
  • Using an omni antenna when you could have used a directional one.
  • Using the wrong band -- for example using a band that bounces and goes long distance when you had only short-distance, line of sight needs.
  • Using old technology -- for example not frequency hopping to share spectrum when you could have.
  • Not being dynamic -- if two transmitters who can't otherwise avoid interfering exist, they should figure out how one of them will fairly switch to a different frequency (if hopping isn't enough.)

As noted, some of these rules apply to the receiver, not just the transmitter. If a receiver uses an omni antenna when they could be directional, they will lose a claim of interference unless the transmitter is also being very selfish. If a receiver isn't smart enough to frequency hop, or tell its transmitter what band or power to use, it could lose.

Since some noise is expected not just from smart transmitters, but from the real world and its ancient devices (microwave ovens included), receivers should be expected to tolerate a little interference. If they're hypersensitive to interference and don't have a good reason for it, it's their fault, not necessarily the source's.

Now you have to have the right reverse-DNS

Update: Several of the spam bounces of this sort that I got were traced to the same anti-spam system, and the operator says it was not intentional, and has been corrected. So it may not be quite as bad as it seemed quite yet.

I have a social list of people I invite to parties. Every time I mail to it, I feel the impact of spam and anti-spam. Always several people have given up on a mailbox. And I run into new spam filters blocking the mail.

Censored and uncensored soundtrack on the airplane

A recent story that United had removed all instances of the word "God" (not simply Goddamn) from a historical movie reminded me just how much they censor the movies on planes.

Here they have an easy and simple way out. Everybody is on headsets, and they already offer different soundtracks in different languages by dialing the dial. So offer the censored and real soundtrack on two different audio channels. Parents can easily make sure the kids are on whatever soundtrack they have chosen for them, as the number glows on the armrest.

How to stop people from putting widescreen TVs in stretch mode

(Note I have a simpler article for those just looking for advice on how to get their Widescreen TV to display properly.)

Very commonly today I see widescreen TVs being installed, both HDTV and normal. Flat panel TVs are a big win in public places since they don't have the bulk and weight of the older ones, so this is no surprise, even in SDTV. And they are usually made widescreen, which is great.

Cell carriers, let us have more than one phone on the same number

Everybody's got old cell phones, which sit in closets. Why don't the wireless carriers let customers cheaply have two or more phones on the same line? That would mean that when a call came in, both phones would ring (and your landlines if you desire) and you could answer in either place. You could make calls from either phone, though not both at the same time.

Math getting better? -- CitizenRe

(Note: I have posted a followup article on CitizenRe as a result of this thread. Also a solar economics spreadsheet.)

I've been writing about the economics of green energy and solar PV, and have been pointed to a very interesting company named CitizenRe. Their offering suggests a major cost reduction to make solar workable.

Photostatuary

3-D printing is getting cheaper. This week I saw a story about producing a hacked together 3-D printer that could print in unusual cheap materials like play-doh and chocolate frosting for $2,000. Soon, another 3-D technology will get cheap -- the 3-D body scan.
