Still More Password Analysis

Three more bloggers have weighed in with an analysis of the 62,000 passwords that LulzSec released recently. These three analyses take a look at the structure of the passwords and have some interesting details that I hadn’t seen before.

Aviv Ben-Yosef and Rafe Kettler take a look at the complexity of the passwords. As you might expect, the results are not encouraging, although the average length is 7.63, which is higher than I would have thought. Here are some startling results from Kettler:

  • 43.108% of the passwords were all lower case
  • 19.536% of the passwords were all numeric
  • 36.914% of the passwords had some mixture of lower case, uppercase, numbers, and symbols (although not necessarily all of those types)

Over at R-bloggers, Colin Gillespie takes a slightly deeper look. He considers those passwords that would not fall to a simple dictionary attack and investigates their structure. It’s fairly intuitive that some characters will be used more than others and he drills down on that. Among other things, he discovered that:

  • 20 characters (out of 78) cover 25% of the passwords
  • 27 characters cover 50% of the passwords
  • 31 characters cover 80% of the passwords

As Gillespie dryly remarks, if you’re trying to crack passwords, it’s clear that brute force is not the way to go. We users can also take away a lesson from this. If you want passwords that are hard to crack, it might be worthwhile using the less popular characters.
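As an added illustration (not code from any of the posts discussed here), this computes Kettler’s character-class breakdown and Gillespie’s character-coverage figures over a small constructed sample rather than the leaked list. It assumes that “N characters cover X% of the passwords” means X% of the passwords are built entirely from the N most frequent characters; the sample passwords and function names are my own.

```python
# Added example: character-class breakdown (Kettler) and character coverage
# (Gillespie) over a constructed sample, not the LulzSec data.
from collections import Counter
from typing import Dict, Sequence

# Constructed sample, chosen to exercise every class.
SAMPLE = ["password", "123456", "seinfeld", "Abc123", "qwerty", "letmein",
          "P@ssw0rd!", "111111", "sunshine", "Tr0ub4dor&3", "iloveyou", "000000"]

def char_class(c: str) -> str:
    if c.isdigit():
        return "numeric"
    if c.islower():
        return "lower"
    if c.isupper():
        return "upper"
    return "symbol"

def classify(pw: str) -> str:
    """One class name if the password uses a single class, else 'mixed'."""
    classes = {char_class(c) for c in pw}
    return classes.pop() if len(classes) == 1 else "mixed"

def class_breakdown(pws: Sequence[str]) -> Dict[str, float]:
    """Percentage of passwords in each class (the shape of Kettler's figures)."""
    counts = Counter(classify(p) for p in pws)
    return {k: round(100 * v / len(pws), 3) for k, v in counts.items()}

def average_length(pws: Sequence[str]) -> float:
    return sum(len(p) for p in pws) / len(pws)

def coverage(pws: Sequence[str], targets=(0.25, 0.5, 0.8)) -> Dict[float, int]:
    """Smallest N such that the N most frequent characters suffice to build at
    least the target fraction of passwords (assumed reading of 'cover')."""
    ranked = [c for c, _ in Counter("".join(pws)).most_common()]
    result: Dict[float, int] = {}
    for n in range(1, len(ranked) + 1):
        allowed = set(ranked[:n])
        frac = sum(1 for p in pws if set(p) <= allowed) / len(pws)
        for t in targets:
            if t not in result and frac >= t:
                result[t] = n
    return result

if __name__ == "__main__":
    print("average length:", round(average_length(SAMPLE), 2))
    print("classes:", class_breakdown(SAMPLE))
    print("characters needed to cover 25/50/80%:", coverage(SAMPLE))
```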

There are lots of other interesting results in these posts so if you’re interested in this sort of thing you should take a look.

Posted in General

Reeder

I follow a large number of technical blogs (emacs-fu, research!rsc, Abstract Heresies, …) and aggregators (Planet Scheme, Planet Lisp, Hacker News, …) that I read every day and in some cases several times a day. Most of the blogs are not updated daily so an RSS reader is essential for keeping track of new entries. For years, I’ve just used Safari for this and that worked well but I have three devices (an iMac, a MacBook Pro, and an iPad) that I use regularly.

There are two problems with that:

  • Keeping in sync
    This is especially a problem with the aggregators. If I read some stories on, say, my MacBook and then move to the iMac, I’d like to have those stories that I’ve read on my laptop be marked as such on my iMac. Safari almost does this but it’s not quite accurate enough. Sometimes the two lists will be considerably out of sync.
  • Safari’s RSS on the iPad
    It’s terrible. You can’t sort the same ways that you can on the Macs and it does not appear to sync with the other non-iOS devices.

Recently Reeder, an excellent iOS RSS reader became available for the Mac as well. It’s a Google Reader client so the synchronization happens automatically and seamlessly. Almost all the reviews of Reeder on the App Store rated it excellent with only a few dissatisfied users. It seemed like a good solution for both problems, so I downloaded the iPad and Mac versions and moved all my subscriptions over to Google Reader.

I’ve been using Reeder for a couple days now and I’m quite pleased with it. There are keyboard shortcuts that make stepping through the posts very easy and it makes excellent use of the gesture capabilities of my Magic Trackpad. My only complaints so far are that there’s no way to export to Evernote and I’d like to be able to bookmark some of the entries in Safari. There are a lot of complaints about not being able to export to Evernote so I expect that that feature will be added soon. I don’t know if anyone else wishes they could bookmark stories so that may never be added. There’s a fairly easy workaround to both of those problems: you can press 【B】 and open the story in your browser so that you can export it to Evernote or bookmark it from there. That’s a little clumsy but only a little.

All-in-all I’m happy I changed to using Reeder. It’s making my browsing much more enjoyable, especially on the iPad. The only downside that I can see is that I’ve surrendered my reading list to Google. Of course, they already know pretty much everything I do on the Web so there wasn’t a lot to surrender.

Update: Dr. Elliot Jaffe says I shouldn’t worry about Google.
Update 2: IOS → iOS

Posted in General

Mac OS X Modifier Key Symbols

When I first started using Macs, one of the things most confusing to me was the symbols that OS X uses on the menus to indicate the keyboard shortcuts:

http://irreal.org/blog/wp-content/uploads/2011/06/wpid-menu.png

Eventually, I learned what these symbols meant:

Symbol  Key
⌘       Command/Apple
⌥       Option
⌫       Delete
⇧       Shift
^       Control

The ⇧ is obvious and the ^ is the usual symbol for the control key; the ⌫ is almost as obvious as the first two. The ⌥ key is the hardest one to figure out until you look it up in a Unicode chart and discover that its name is “OPTION KEY.” So that symbol makes sense once you learn its name.

The ⌘ wasn’t difficult at all because it’s printed right on the command key but when you look up its name you find “PLACE OF INTEREST.” Huh? What does that have to do with command or Apple or anything else? I just put it down to one of the mysteries of the universe until I saw this post by Andy Hertzfeld over at Folklore.org. In it, Hertzfeld explains how that symbol came to be chosen for the command key. It’s an amusing story and I won’t spoil it for you by giving it away—head over to Folklore to see for yourself.

Posted in General

Drawing Keyboard Keys

Those of you who followed my recommendation and took a look at Xah Lee’s Increase Productivity Using Function Keys post may have noticed some neat CSS magic that he uses when writing about keyboard keys. For example, he says that to switch apps on the Mac you use the 【⌘ Cmd+Tab】 key sequence. I like that a lot and decided to try it out on my own. As it turns out, it’s pretty simple to do and Org-mode makes it easy to enter them into a post with a macro.

If you look at the HTML for this post, you will see that the keys above are rendered as

<span class="key">⌘ Cmd</span>+<span class="key">Tab</span>

so to draw a key we merely enclose it in <span class="key"> </span> tags. We can implement that easily with an Org-mode macro:

#+MACRO: key @<span class="key">$1@</span>

and then call the macro for each key we want to draw. For example, the source code for the line with the keys is:

…use the 【{{{key(⌘ Cmd)}}}+{{{key(Tab)}}}】 key sequence. I like that a lot and…

That leaves only the CSS. Here’s what I’m using:

.key {
        border:solid 1px #989898;
        background-color: #F4F4F4;
        padding-left: .25ex;
        padding-right: .25ex;
        font-family: monospace;
}

You can experiment with the colors and spacing to get something that looks pleasing to you if you don’t like my scheme.

The only downside to this for me is that I have to add the CSS directly to my site’s CSS file rather than include it in the post itself. That’s the proper thing to do, of course, but every time I upgrade WordPress they overwrite the template file with my extra CSS and I have to reapply it. Of course, it’s entirely likely that there’s some way to make a permanent addition but I haven’t found it yet.

Posted in Blogging

Increased Productivity With Function Keys

Xah Lee has a self-confessed obsession with keyboards. He’s particularly interested in their ergonomics and features that can enhance productivity. Not everyone agrees with his take on these things but his views are thoughtful and often useful. In a recent post he addresses ways in which the underused function keys can help increase productivity.

For example, Lee points out that most of us spend the majority of our time in 3 or 4 applications: editor, browser, mail, say. He recommends dedicating some function keys that will switch directly to these apps. The normal way of doing this is with ALT-TAB or CMD-TAB but this requires multiple keystrokes and that you look to see which app you switched to and perhaps TAB some more to get to the right one. By assigning a function key, only a single keystroke is required.

Lee has more suggestions for how to enhance productivity with function keys and also discusses how to assign them under Windows and Mac OS X. It’s an interesting post and if you care about keyboard shortcuts that can speed things up, you should head on over and take a look.

Posted in General

Lisp in a Production Environment

Over at the Symbo1ics Blog, Robert Smith has a nice post on the myth that Lisp is inappropriate in a production environment. He says that, like many others, he believed that while Lisp is flexible and expressive it would not be good in a production environment. He gives the usual reasons for having believed this:

  • Too many programming paradigms are supported (functional, imperative, object oriented, …) and so the large teams you find in production environments would have programmers using different paradigms resulting in confusion and incomprehensible code.
  • Everyone would create their own macros, again leading to confusion and incomprehensible code.
  • The semantics and flow of the code would not be uniform enough.

In short, the power and flexibility of Lisp would lead to the disintegration of programmer discipline.

But then he took a new job that used Lisp exclusively and had a code base of several hundred thousand lines of code. He found to his delight that understanding the code, while a challenge at times, was no harder than in any other similar environment with a different language. This despite the fact that many of the original developers were no longer at the company.

Head on over to the post and read how Smith found all the reasons that Lisp wouldn’t work in a production environment to be false. Then bookmark the post for the next time someone tries to explain how “Lisp is all well and good but it’s completely impractical in the real world.” It will give you something to point at besides ITA.

Posted in Programming

The Greatest Hack of All Time

I just saw a reference to one of my favorite papers on computer security. It’s Ken Thompson’s Turing Award Lecture, Reflections on Trusting Trust. In it he describes what the Jargon File calls a truly moby hack: the insertion of an invisible back door in Unix.

If you haven’t read this you should do so without delay. It’s short and will astound you. The even shorter version is that Thompson added code to the C compiler to recognize when the Unix login function was being compiled and insert additional code that would accept a special password in addition to the user’s normal password. That’s the back door but there’s nothing very exciting or clever about it. The clever part is that he also added code so that the C compiler would recognize when it was compiling itself and insert the code to add the back door. Finally he recompiled the compiler, removed the two additions from the source and recompiled the compiler again.

At this point, the compiler would insert the back door whenever the login function was compiled and if the compiler itself was compiled it would insert the two pieces of code into the new compiler. However, if you looked at the source code for the compiler there was no indication of what was happening in the binary.

The modified compiler was distributed to the Unix Support Group and although Thompson says that it was never deployed outside the Labs, there is a story that BBN somehow ended up with a copy. I recall, but cannot find the reference, that the support group eventually discovered that the compiler had been hacked by looking at the assembly code.
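A toy model of the mechanism, added here and not Thompson’s code: a “binary” is just Python text and running it means exec(), so the trojaned compiler can carry its own text and emit it whenever it recognises the compiler’s source. The magic password, the pattern strings and the function names are constructed placeholders; the audit at the end shows what the post describes: the sources are clean, the rebuilt binaries are not, and comparing against a build from an independently trusted compiler (the binary-level check the support group is said to have done) is what exposes it.

```python
# Toy model of the self-propagating back door from "Reflections on Trusting
# Trust". Constructed for illustration: a "binary" is Python source text and
# "running" it is exec(). Nothing here is Thompson's code.

LOGIN_SRC = '''
def login(user, pw, table):
    return table.get(user) == pw
'''
CLEAN_COMPILER_SRC = '''
def compile(src):
    return src
'''
# The trojaned compiler carries its own text in SELF so it can reproduce itself.
TROJAN_BODY = '''
def compile(src):
    if "def login" in src:    # addition 1: make login accept a magic password
        src = src.replace("== pw", "== pw or pw == 'MAGIC'")
    if "def compile" in src:  # addition 2: emit this whole binary instead
        return "SELF = %r\\n%s" % (SELF, SELF)
    return src
'''
TROJAN_BIN = "SELF = %r\n%s" % (TROJAN_BODY, TROJAN_BODY)

def run(binary: str) -> dict:
    """'Execute' a binary and return the names it defines."""
    ns: dict = {}
    exec(binary, ns)
    return ns

def compile_with(compiler_bin: str, src: str) -> str:
    """Compile src using the compiler whose binary is compiler_bin."""
    return run(compiler_bin)["compile"](src)

def audit() -> dict:
    # Rebuild the compiler from its CLEAN source with the trojaned toolchain,
    # then build login with that rebuilt compiler.
    rebuilt_bin = compile_with(TROJAN_BIN, CLEAN_COMPILER_SRC)
    login_bin = compile_with(rebuilt_bin, LOGIN_SRC)
    login = run(login_bin)["login"]
    # Reference build from a compiler binary trusted on independent grounds.
    reference_bin = compile_with(CLEAN_COMPILER_SRC, LOGIN_SRC)
    return {
        "source_mentions_magic": "MAGIC" in CLEAN_COMPILER_SRC + LOGIN_SRC,
        "rebuilt_compiler_still_trojaned": rebuilt_bin == TROJAN_BIN,
        "login_binary_backdoored": "MAGIC" in login_bin,
        "magic_password_accepted": login("alice", "MAGIC", {"alice": "s3cret"}),
        "caught_by_comparing_builds": login_bin != reference_bin,
    }

if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name}: {value}")
```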

Again, if you haven’t read Thompson’s paper I urge you to. Of course, after you do, you will never trust any piece of software again.

Posted in General

iMessages

Now that the excitement over the WWDC Keynote has died down, people are beginning to think about the new features and what they will mean. One interesting take on that is that iMessages is really a very disruptive technology. There are plenty of folks yawning and mumbling about how it’s nothing more than Apple’s version of Rim’s BBM and, anyway, who cares? And if you do care, haven’t you heard about GTalk and WhatsApp?

What those yawning are missing, I think, is the fact that iMessages is (reportedly) transparent. The user will fire up the Messaging app as always but if the recipient is another iOS device it will use iMessages instead of SMS. There are 200 million iOS devices deployed now so on the day that iOS 5 is released, the carriers are going to lose a bunch of revenue. To be sure some of those iOS users will be texting folks on other platforms but there’s going to be a lot of iOS-to-iOS messaging and the carriers won’t be getting a piece of it. Now add in the fact that Android will certainly do something similar and it’s easy to imagine the bottom dropping out of the SMS market.

Many people are excited and happy about that prospect. Over at TechCrunch, MG Siegler is enjoying a bit of schadenfreude at the carriers’ expense. As he correctly points out, SMS is tremendously overpriced, especially when you consider that it uses a control channel and is essentially cost-free for the carriers.

Fabrizio Capobianco over at Mobile Open Source says that SMS is going away. He predicts that the revenues from SMS are going to disappear and suggests that the carriers move up the food chain while they can. Capobianco and Siegler agree that it’s going to take a while for SMS to go away and, really, it probably won’t completely—after all, it’s just there so why not leave it? I do agree with them that the huge profits from it will soon be a thing of the past.

On the other hand, I’m not sure that any glee is called for. If the carriers lose the SMS profits, they will surely try to regain them through increased fees in other areas. Then everyone, whether or not they text, will be paying more.

Still, I see this as another step towards the oft predicted commoditization of cell service. A march that ends with the carriers providing a bit pipe and little more.

Posted in General

Encrypting (Some) Dropbox Files

A while ago I wrote about the developing ‘scandal’ involving Dropbox’s supposed admission that they could read your data. As I remarked at the time, no one with an ounce of sense ever thought otherwise but the question did remain as to what a user could do to protect sensitive files from rogue Dropbox employees or subpoenas. When I wrote that, there didn’t seem to be any good answers short of encrypting the files yourself. That takes a bit of discipline, of course, and could lead those with insufficient amounts of paranoia to not bother just this once.

Now Andrew over at WEB UPD8 has a nice post that shows us how to encrypt some or all of those files automatically. He does this by using EncFS. EncFS uses two directories: files put in the first show up encrypted in the second. The idea is that you put the encrypted folder in your Dropbox and place the files you want encrypted and synced with Dropbox in the other directory. The nice thing is that you can put nonsensitive files in the Dropbox as before and they won’t be encrypted.

EncFS uses the Linux fuse facility but solutions exist for the Mac (macfuse) and Windows (BoxCryptor) so Andrew’s idea is portable to the big three. This is a really nice hack and if you are using Dropbox and worried about keeping your data private, you should head over to WEB UPD8 and read all the details. If you’re on the Mac there are directions for setting EncFS up here.

Posted in General

More Password Analysis

A week ago I wrote about the analysis of the Gawker passwords. Now Troy Hunt has provided a similar analysis based on the SonyPictures.com compromise. He looked at 37,608 accounts from the LulzSec torrent and analyzed the passwords for:

  • Length
  • Types of characters used
  • Randomness
  • Reuse of passwords between accounts

You really should head over to Hunt’s blog and read the article—there are lots of interesting results.

Sadly, all our favorite passwords are there, although seinfeld beat out password for first place and 123456 came in fourth. Like the previous Gawker analysis, Hunt’s results are alarming. Companies are going to have to start doing more to increase password safety. It’s a sure thing that the users aren’t going to.

You may remember that I’ve written about Hunt’s work before on my old blog. If you didn’t take my advice then and read his series of posts on passwords, you should do so now—he has a lot of useful things to say.

Posted in General