Archive for the ‘Technical’ Category

Password Strength – you’re doing it wrong

Friday, August 26th, 2011

A confluence has occurred – time to write a post!

password strength explained

Wow.  That’s very observant, and kind of funny (to me anyway).

So, my corporate password was expiring shortly after I read this, so I decided to change my pattern, chose three motivating words, and set the new password.  Then I went to a meeting.  Then I went to another meeting.  That meeting slid right into our Friday afternoon bash, with pizza and beer (though I’m sure that is an irrelevant detail).

After that, I went back to work and for the life of me could not remember the first word.  A co-worker brilliantly pointed out that I can VPN in to the network using my RSA key, and can thereby access the password-reset application without providing a password.  It’s late on a Friday, so I put my laptop in standby and go home.

At home, I do the VPN trick from another computer and reset my password.  Then, I see the flaw in my plan.  The laptop is locked with the old password with a missing first word.  To unlock it with the new password, it must be connected to the office network.  I can connect using VPN, but must unlock it first…

So, I ended up working a couple of days from a crufty old backup laptop, using the Outlook Web Interface for mail and without any support tools.

The workaround (for next time) is to install a local administrator account while I have access, then use that account to establish VPN.  Our Very Smart IT Guy says that when I then switch users, it will use the active network session to check for access and change the cached password.  Note: I don’t actually anticipate there will be a next time.

This came up today:

You're doing it wrong

I like it.

The Sony hack: passwords vs. financial details

Friday, May 20th, 2011

The details are coming out about yet another data breach, this time at Sony’s PlayStation Network. Light Blue Touchpaper has the details. (excerpts below, with my emphasis)

Sometime last week, Sony discovered that up to 77 M accounts on its PlayStation Network were compromised. Sony’s network was down for a week before they finally disclosed details yesterday. Unusually, there haven’t yet been any credible claims of responsibility for the hack, so we can only go on Sony’s official statements. The breach included names and addresses, passwords, and answers to personal knowledge questions, and possibly payment details.

… regarding the leaked passwords. The risks here are very real—hackers can attempt to re-use the compromised passwords (possibly after inverting hashes using brute-force) at many other websites, including financial ones. There are no disclosure laws here though, and Sony has done nothing, not even disclosing the key technical details of how passwords were stored. The implications are very different if the passwords were stored in cleartext, hashed in a constant manner, or properly hashed and salted. Sony customers ought to know what really happened.

…this is a serious market failure. Sony’s security breach has potentially compromised passwords at hundreds of other sites where its users re-use the same password and email address as credentials. This is a significant externality, but Sony bears no legal responsibility, and it shows.

This is yet another example of why reusing passwords, and perhaps even user IDs, is a bad idea.  In this case, part of the exposed data includes the answers to all those secret questions – you know, the top secret ones that give you a free give-me-a-new-password pass?
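The excerpt distinguishes three ways a site can hold passwords: cleartext, “hashed in a constant manner”, and properly hashed and salted. The following Python is an added example, not part of this post or of Light Blue Touchpaper’s text, showing why the distinction decides what a stolen database is worth. The user passwords and the small precomputed table are constructed, and the PBKDF2 iteration count is an assumed work factor.

```python
"""Three password storage schemes and what a database dump exposes under each.
Added example (not from the post). Sample data is constructed."""

import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed slow-hash work factor; tune for your hardware


def store_cleartext(password: str) -> dict:
    """Worst case: the database row *is* the password."""
    return {"scheme": "cleartext", "value": password}


def store_unsalted(password: str) -> dict:
    """'Hashed in a constant manner': one fast hash, no per-user salt."""
    return {"scheme": "sha256",
            "value": hashlib.sha256(password.encode("utf-8")).hexdigest()}


def store_salted(password: str, salt: Optional[bytes] = None) -> dict:
    """'Properly hashed and salted': random per-user salt plus a slow hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"scheme": "pbkdf2-sha256", "salt": salt.hex(), "value": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against a stored record, whatever its scheme."""
    cand = candidate.encode("utf-8")
    if record["scheme"] == "cleartext":
        return hmac.compare_digest(record["value"].encode("utf-8"), cand)
    if record["scheme"] == "sha256":
        return hmac.compare_digest(record["value"], hashlib.sha256(cand).hexdigest())
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", cand, salt, ITERATIONS)
    return hmac.compare_digest(record["value"], digest.hex())


def precompute(wordlist) -> dict:
    """Table of sha256(word) -> word, built once and reusable against any unsalted dump."""
    return {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in wordlist}


def lookup_in_precomputed(record: dict, table: dict) -> Optional[str]:
    """Instant recovery only works when the stored value is a bare, unsalted hash;
    a salted record never matches, because the salt was not part of the table."""
    return table.get(record["value"])


def reveals_shared_password(record_a: dict, record_b: dict) -> bool:
    """Without salt, two users with the same password have identical rows, so the
    dump alone shows password reuse across accounts before any cracking happens."""
    return record_a["value"] == record_b["value"]


if __name__ == "__main__":
    # Constructed sample: two users who chose the same weak password.
    unsalted = [store_unsalted("password1"), store_unsalted("password1")]
    salted = [store_salted("password1"), store_salted("password1")]
    print("unsalted rows identical:", reveals_shared_password(*unsalted))  # True
    print("salted rows identical:  ", reveals_shared_password(*salted))    # False
    table = precompute(["letmein", "password1", "qwerty"])
    print("unsalted lookup:", lookup_in_precomputed(unsalted[0], table))   # password1
    print("salted lookup:  ", lookup_in_precomputed(salted[0], table))     # None
```

The disclosure question the excerpt raises maps directly onto these records: a cleartext or unsalted dump is usable against other sites as soon as it is downloaded, while a salted, slow-hashed dump forces per-user work and hides which users share a password.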


YouTube Illustrated

Sunday, April 3rd, 2011

I have nothing to add to this video.  You’ll love it or just scratch your head.

The video is … amazing.  I fear to even glance at the comments.

I’m guessing NextGenHacker is wishing the internet had an undo button.

via Larry Osterman’s WebLog

How to Make Anything Signify Anything

Friday, April 1st, 2011


This photo says “Knowledge Is Powe[r]” using Sir Francis Bacon’s Biliteral Cipher.  See how here.

I found this on a fascinating treatise about cryptography, steganography and WWII cryptographers William and Elizebeth Friedman.

Read more in the original: How to Make Anything Signify Anything

Here’s one of several more examples:

The biologist turns cryptographer. Friedman’s most elaborate example of how to make anything signify anything using Bacon’s biliteral cipher. Courtesy the Bacon Cipher Collection, Manuscripts and Archives Division, New York Public Library.
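Bacon’s biliteral cipher is what makes “anything signify anything”: each letter becomes a five-symbol pattern of a and b, and the pattern is carried by some binary feature of an innocent text (two typefaces in the photo, upper and lower case below). The Python that follows is an added example, not the post’s or Friedman’s material; the carrier sentence is constructed, and the 24-letter alphabet (I/J and U/V merged) follows Bacon’s original.

```python
"""Bacon's biliteral cipher: encode letters as 5-symbol a/b groups and hide the
groups in the letter case of a carrier text. Added example; carrier is constructed."""

# Bacon's 24-letter alphabet: J shares I's code and V shares U's.
_ALPHABET = "ABCDEFGHIKLMNOPQRSTUWXYZ"

# Constructed carrier: 111 letters, enough for a 22-letter secret (5 per letter).
CARRIER = ("the quick brown fox jumps over the lazy dog while the patient "
           "cryptographer counts every letter in this unremarkable sentence twice")


def _code_for(letter: str) -> str:
    """Five-symbol a/b code for one letter: index in the alphabet, in binary."""
    letter = letter.upper()
    if letter == "J":
        letter = "I"
    if letter == "V":
        letter = "U"
    return format(_ALPHABET.index(letter), "05b").replace("0", "a").replace("1", "b")


def encode_biliteral(secret: str) -> str:
    """a/b pattern for the letters of `secret` (non-letters are dropped)."""
    return "".join(_code_for(c) for c in secret if c.isalpha())


def decode_biliteral(pattern: str) -> str:
    """Turn complete 5-symbol groups back into letters; a trailing partial group is ignored."""
    out = []
    for i in range(0, len(pattern) - len(pattern) % 5, 5):
        group = pattern[i:i + 5]
        out.append(_ALPHABET[int(group.replace("a", "0").replace("b", "1"), 2)])
    return "".join(out)


def hide(secret: str, carrier: str) -> str:
    """Embed the pattern in `carrier`: 'a' -> lowercase letter, 'b' -> uppercase.
    Non-letters carry no bits; letters past the end of the message are left
    lowercase, so they decode as filler 'A's that the reader discards."""
    pattern = encode_biliteral(secret)
    available = sum(c.isalpha() for c in carrier)
    if available < len(pattern):
        raise ValueError(f"carrier has {available} letters, message needs {len(pattern)}")
    out, i = [], 0
    for ch in carrier:
        if not ch.isalpha():
            out.append(ch)
        elif i < len(pattern):
            out.append(ch.upper() if pattern[i] == "b" else ch.lower())
            i += 1
        else:
            out.append(ch.lower())
    return "".join(out)


def reveal(stego: str) -> str:
    """Read the case of each letter back into a/b symbols and decode."""
    pattern = "".join("b" if c.isupper() else "a" for c in stego if c.isalpha())
    return decode_biliteral(pattern)


if __name__ == "__main__":
    hidden = hide("KNOWLEDGE IS POWER", CARRIER)
    print(hidden)
    print(reveal(hidden))  # KNOWLEDGEISPOWER followed by filler A's
```

The carrier reads as ordinary prose with odd capitalisation; the same scheme works with any two distinguishable forms (two fonts, two spacings, two shades), which is the point of the photograph.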

Security Questions Strike Again

Wednesday, January 19th, 2011

I can’t seem to wrap up this security jag.  Stuff keeps happening.

This article highlights again why secret questions are a bad idea.

In a cautionary tale for users of social-networking sites, a California man has admitted using personal information he gleaned from Facebook to hack into women’s e-mail accounts, then send nude pictures of them to everyone in their address book.

Prosecutors said Bronk would scan women’s Facebook accounts looking for those who posted their e-mail addresses. He would then study their Facebook postings to learn the answers to common security questions like their favorite color or father’s middle name. He contacted the women’s e-mail providers and used the information to gain control of their accounts. He also often gained control of their Facebook accounts by hijacking their passwords…

There are at least three lessons here (if you find this alarming):

  • Don’t share passwords across accounts (Bronk stole email passwords and used them to hijack Facebook accounts)
  • Don’t give real answers to the security questions. (Bronk used the security questions to get email account passwords)

and finally,

  • Don’t store compromising pictures of yourself on a web mail server. (duh)

On Nuclear Reactors and Banks

Sunday, January 16th, 2011

Putting Nuclear Reactors and Banks into the same sentence seems odd to most people, but Tim Harford points out in What we can learn from a nuclear reactor that there are some important similarities.  Both are complex and tightly coupled systems.  There are similarities in their failure modes and safeguard systems — and there are similarities in the way the safeguards can fail us and cause further harm.

It might seem obvious that the way to make a complex system safer is to install some safety measures. Engineers have long known that life is not so simple. In 1638, Galileo described an early example of unintended consequences in engineering. Masons would store stone columns horizontally, lifted off the soil by two piles of stone. The columns often cracked in the middle under their own weight. The “solution” – a third pile of stone in the centre – didn’t help. The two end supports would often settle a little, and the column, balanced like a see-saw on the central pile, would then snap as the ends sagged.

Galileo had found a simple example of a profound point: a new safety measure or reinforcement often introduces unexpected ways for things to go wrong. This was true at Three Mile Island. It was also true during the horrific accident on the Piper Alpha oil and gas platform in 1988, which was aggravated by a safety device designed to prevent vast seawater pumps from starting automatically and killing the rig’s divers. The death toll was 167.

In 1966, at the Fermi nuclear reactor near Detroit, a partial meltdown put the lives of 65,000 people at risk. Several weeks after the plant was shut down, the reactor vessel had cooled enough to identify the culprit: a zirconium filter the size of a crushed beer can, which had been dislodged by a surge of coolant in the reactor core and then blocked the circulation of the coolant. The filter had been installed at the last moment for safety reasons, at the express request of the Nuclear Regulatory Commission.

The problem in all of these cases is that the safety system introduced what an engineer would call a new “failure mode” – in other words, a new way for things to go wrong. And that was precisely the problem in the financial crisis.

“… a new safety measure or reinforcement often introduces unexpected ways for things to go wrong”

We the people do not understand this principle.  We the people demand that something be done.  But often that something just makes the system more complex while introducing new modes of failure.


Another Gawker bug: handling non-ASCII characters in passwords

Monday, January 10th, 2011

Last week I dumped a bunch of information about the sorry state of passwords and the internet, mostly from Light Blue Touchpaper.  As usual, I soon ran across more information that should be included.  It turns out that Gawker had another problem.  Why should we think they are alone?

Read on if you’re interested.

Light Blue Touchpaper » Blog Archive » Another Gawker bug: handling non-ASCII characters in passwords
A few weeks ago I detailed how Gawker lost a million of their users’ passwords. Soon after this I found an interesting vulnerability in Gawker’s password deployment involving the handling of non-ASCII characters. Specifically, they didn’t handle them at all until two weeks ago, instead they were mapping all non-ASCII characters to the ASCII ‘?’ prior to hashing them. This not only greatly limited the theoretical space of passwords, but meant that passwords consisting of any n non-ASCII characters were equivalent to ‘?’^n. Native Georgian or Korean speakers with passwords like ‘రహస్య సంకేత పదం’ or ‘비밀번호’ were vulnerable to an attacker simply guessing a string of question marks. An attacker may in fact know in advance that some users are from non-Latin countries (for example by looking at their email addresses) potentially making this more easily exploitable.

We users-of-ASCII-English have it easy — and hard in a way.   I have had to deal with related issues in recent years, primarily because C/C++ does not account for non-ASCII characters when sorting unless you take special steps.  That causes ordering and uniqueness issues as soon as you run into data with accented characters.
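The defect the excerpt describes is in the step before hashing, not in the hash. The Python below is an added example, not Gawker’s code or Light Blue Touchpaper’s, that reproduces the collapse (every non-ASCII character replaced by ‘?’) and shows the fix: Unicode-normalise, then UTF-8 encode, so distinct passwords stay distinct and the same visible password always yields the same bytes. The passwords are constructed; the hash is left unsalted on purpose so the comparison isolates the canonicalisation step.

```python
"""Non-ASCII passwords: the '?' collapse versus NFC + UTF-8 canonicalisation.
Added example (not Gawker's or Light Blue Touchpaper's code). Passwords are constructed."""

import hashlib
import unicodedata


def buggy_canonicalize(password: str) -> bytes:
    """The behaviour the post describes: every non-ASCII character becomes '?'."""
    return password.encode("ascii", errors="replace")


def fixed_canonicalize(password: str) -> bytes:
    """Normalise to NFC so composed and decomposed forms of the same text agree,
    then encode as UTF-8, which represents every character without loss."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def digest(canonical: bytes) -> str:
    # Deliberately a bare hash with no salt: the point is what goes *into* it.
    return hashlib.sha256(canonical).hexdigest()


def equivalent_under(canonicalize, a: str, b: str) -> bool:
    """Do two passwords end up with the same stored hash under this canonicalisation?"""
    return digest(canonicalize(a)) == digest(canonicalize(b))


def collapsed_classes(canonicalize, passwords) -> dict:
    """Group passwords by the bytes actually hashed. A class with more than one
    member means those passwords are interchangeable at login."""
    classes = {}
    for p in passwords:
        classes.setdefault(canonicalize(p), []).append(p)
    return classes


if __name__ == "__main__":
    # Constructed samples: a Korean password, a Russian one, and plain question marks.
    sample = ["비밀번호", "паро", "????", "abcd"]
    for name, fn in (("buggy", buggy_canonicalize), ("fixed", fixed_canonicalize)):
        groups = collapsed_classes(fn, sample)
        print(name, {k: v for k, v in groups.items() if len(v) > 1})
    # buggy: {b'????': ['비밀번호', '파로', '????']}   fixed: {}
    # With the fix, 'café' typed as one code point or as e + combining acute still matches:
    print(equivalent_under(fixed_canonicalize, "caf\u00e9", "cafe\u0301"))  # True
```

The NFC step matters in practice: a user who sets a password on one keyboard layout and types it later on another can produce a different code-point sequence for the same visible text, and without normalisation the login fails for reasons nobody can see.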

VMware Cloud Jumper

Saturday, January 8th, 2011

This is an interesting marketing technique.

“Join the growing elite of IT leaders known as ‘Cloud Jumpers’ who have taken the leap and begun their journey to Cloud Computing. ”

It’s a short but respectable game from my very own VMware.  Give it a try.


Year End Link Clearance – Password Edition

Sunday, January 2nd, 2011

I’m not good at letting go.  If I were doing this right,  I’d just list the links and be done with it.  But no, I have to blather about each one, because I found each of these interesting and worth saving to comment on for some reason.

Light Blue Touchpaper is a fairly technical blog focusing on security (“Security Research, Computer Laboratory, University of Cambridge”).  A certain subset of my readers will find the archives interesting.  Their recent series on passwords forms the backbone of this post.

Bottom line: many websites store passwords.  Most are doing it wrong.

…but we believe ours was the first large study into how Internet sites actually implement them. We studied 150 sites, including the most visited overall sites plus a random sample of mid-level sites. We signed up for free accounts with each site, and using a mixture of scripting and patience, captured all visible aspects of password deployment, from enrolment and login to reset and attacks.

They link to this paper exploring the economic reasons why users may be wise to ignore security advice.  (It probably says something about you if you find it as interesting as I did.)

Exploring the factors which lead to better security confirms the basic tenets of security economics: sites with more at stake tend to do better. However, doing better isn’t enough. Given users’ well-documented tendency to re-use passwords, the varying levels of security may represent a serious market failure which is undermining the security of password-based authentication.

Even the big boys often get it wrong.  The greatest sinner I’ve seen is (or perhaps was) Charles Schwab.  Due to an unhappy serendipity, I discovered that my password was not only inexcusably short, but also case insensitive.  If my calculations are correct, this reduces the size of the password space by a factor of 67,108,864.  I also wonder about Fidelity.  When I call them, they want me to key in my “pin” on the phone.  This is supposed to be the same as the “password” I use online.  If that really works, then my complex online password is mapped to a much simpler one on the phone.  If not, then they expect me to use a numeric password online.  Both cases are security flaws.

It’s long been said in the security community that password re-use is dangerous because it enables attackers to compromise an account at a low-security site and gain access to a higher-security one. This is increasingly true as most websites today use email addresses as identifiers (87% in our study), meaning an email/password combination can unlock many online accounts. The RockYou hacker indicated that 10% of the email/password combinations registered at RockYou were also PayPal accounts (external compromise isn’t the only threat here: a malicious insider could certainly try to profit from a database at sites like this).

News websites may have very little to lose through poor password security, but they can undermine the efforts made by other sites.

“Gawker” was recently hacked, and their user/password database was used to hack into millions of accounts on other sites such as Twitter.  Light Blue Touchpaper and CodingHorror both have good analyses.

For security purposes, it would be better to use some kind of central identity protocol (an Internet Driver’s License).

Currently, the trendiest proposed solution is to use federated identity protocols to greatly reduce the number of websites which must collect passwords (as we’ve argued would be a very positive step). Much focus has been given to OpenID, yet it is still struggling to gain widespread adoption.

Unfortunately, security is not the primary goal for many sites. (my emphasis)

Why do small websites, particularly news websites, still collect their own passwords instead of relying on a federated identity provider? Considering newspaper websites as the prime example of password deployments with questionable utility, we found that they were significantly more likely than other websites to collect marketing data at the time of password collection. They also nearly universally, with only a single exception, insist on verifying the validity of a user’s email address as a pre-requisite for an account (this was equally true at sites which also require CAPTCHAs, so we don’t think false account prevention is the primary reason). At this point, users may be trained to accept the idea of inputting personal data along with a password. A password input field may serve as a ceremonial cue that entering personal data into a form is safe (verifying this with behavioural experiments is an important future research question).

Thus, collecting passwords provides cover for collecting personal data, which provides tangible benefits to a site operator. The costs of password collection, however, aren’t primarily borne by the server. As discussed Wednesday, the costs of insecurity are largely borne by higher-security websites. The usability costs, in contrast, are borne by users themselves.

OpenID may be being held back by market forces. For users, removing the requirement of registering personal information with the site is an advantage, but for many websites, removing the ability to collect personal data eliminates a major justification for deploying passwords at all.

Sometimes, the programmers are not at fault.  Management or Marketing is.  They insist that information be collected for all users, and don’t seem to care that 80% of their users are named “Barney Rubble.” (That comes from a blog entry I cannot find – fill me in if you know who wrote it first.) This requirement comes at a cost.  If you require registration to participate on your site, users will leave.  If you require personal information, users will leave or lie.

I have an example.  I like to listen to MP3 books in my 2008 RAV4.  I have found that the CD player cuts off the last couple seconds of each track.  Some audio books have track breaks every minute for my convenience – and these are unusable in the car.  I spent way too long searching online for a solution, and found exactly one match at

The OEM MP3 player on my 2008 Toyota RAV4 cuts off the last few seconds of each MP3 file. I have started burning MP3 files onto CDs to play on the CD/MP3 player in my 2008 RAV4 Limited (JBL sound system).

The last few seconds of every MP3 file are cut off abruptly, although when I use the CD on my computer the files are fine, so the problem is not with the CD.

I cannot find anything about this issue in the Owner’s Manual or on the internet, and nobody at the Toyota dealership knows anything about this. Does anyone know why this is happening and how I can correct it?

It’s an exact match, so I thought I’d add a “me too” comment with some additional information.  Edmunds requires me to create a registration.  I don’t want an account on, so I just left.  Not worth the trouble; no thanks, Edmunds.

If you happen to have a solution, or a way to add 2 seconds of padding to an MP3/WMA file, please comment.

Pidgin and MSN (certificate error for omega.contacts.msn.com)

Thursday, November 18th, 2010


Microsoft did something today.

My wife started getting dozens of dialogs with this error – “The certificate for could not be validated. The certificate chain presented is invalid.”

Once I disconnected from my company VPN, I started getting them too (I can’t quite make that make sense, but that would be another story entirely.)

Anyway, I consulted Google, and found that Andrei Neculau solved the problem already and shared the solution here.