More Password Analysis

A week ago I wrote about the analysis of the Gawker passwords. Now Troy Hunt has provided a similar analysis based on the SonyPictures.com compromise. He looked at 37,608 accounts from the LulzSec torrent and analyzed the passwords for

  • Length
  • Types of characters used
  • Randomness
  • Reuse of passwords between accounts

You really should head over to Hunt’s blog and read the article—there are lots of interesting results.

Sadly, all our favorite passwords are there, although seinfeld beat out password for first place and 123456 came in fourth. Like the previous Gawker analysis, Hunt’s results are alarming. Companies are going to have to start doing more to increase password safety, because it’s a sure thing that the users aren’t going to.
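The four measurements in the list above, run over a constructed sample dump, as an added example. This is not Hunt’s code or anything from the post; the rows, the two database names and the short common-password list are made up for illustration, and the randomness test is a crude heuristic rather than Hunt’s method.

```python
"""Breach-dump password statistics along the four axes the post lists:
length, character types, randomness and reuse between accounts.

Added example, not code from the post or from Troy Hunt's analysis. The
dump below is constructed (nothing from the real torrent); the database
names db_a and db_b are hypothetical.
"""
from collections import Counter, defaultdict
import string

# Constructed rows: (email, plaintext password, which database it came from).
SAMPLE_DUMP = [
    ("alice@example.com", "seinfeld",    "db_a"),
    ("alice@example.com", "seinfeld",    "db_b"),   # same password on both
    ("bob@example.com",   "password",    "db_a"),
    ("bob@example.com",   "Tr0ub4dor&3", "db_b"),   # different passwords
    ("carol@example.com", "123456",      "db_a"),
    ("dave@example.com",  "123456",      "db_a"),
    ("erin@example.com",  "Xq7#vLp2!mA", "db_a"),
    ("frank@example.com", "abc123",      "db_a"),
    ("frank@example.com", "abc123",      "db_b"),   # reused again
]

# A constructed stand-in for the "top passwords" lists the posts refer to.
COMMON_PASSWORDS = {"123456", "password", "seinfeld", "abc123", "qwerty"}

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "other": set(string.punctuation) | {" "},
}


def length_histogram(passwords):
    """Counter of password length -> number of accounts."""
    return Counter(len(p) for p in passwords)


def char_classes(password):
    """The set of character classes a password draws on."""
    return frozenset(name for name, chars in CLASSES.items()
                     if any(c in chars for c in password))


def class_count_histogram(passwords):
    """Counter of (number of classes used) -> number of accounts."""
    return Counter(len(char_classes(p)) for p in passwords)


def looks_random(password):
    """Crude randomness test: not a known common password, at least three
    character classes, and no run of three identical characters."""
    if password in COMMON_PASSWORDS:
        return False
    if len(char_classes(password)) < 3:
        return False
    return not any(password[i] == password[i + 1] == password[i + 2]
                   for i in range(len(password) - 2))


def reuse_between_databases(rows):
    """For every email present in more than one database, was the same
    password used in all of them? Returns (reused, compared)."""
    by_email = defaultdict(dict)
    for email, pw, source in rows:
        by_email[email][source] = pw
    compared = reused = 0
    for sources in by_email.values():
        if len(sources) < 2:
            continue
        compared += 1
        if len(set(sources.values())) == 1:
            reused += 1
    return reused, compared


def top_passwords(passwords, n=3):
    """The n most frequent passwords with their counts."""
    return Counter(passwords).most_common(n)


def summarize(rows):
    """All four measurements for a list of (email, password, source) rows."""
    pws = [pw for _, pw, _ in rows]
    reused, compared = reuse_between_databases(rows)
    return {
        "lengths": dict(length_histogram(pws)),
        "classes": dict(class_count_histogram(pws)),
        "random_fraction": sum(looks_random(p) for p in pws) / len(pws),
        "common_fraction": sum(p in COMMON_PASSWORDS for p in pws) / len(pws),
        "reuse": (reused, compared),
        "top": top_passwords(pws),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DUMP).items():
        print(f"{key:16} {value}")
```

On a real dump the interesting output is the reuse pair: with accounts matched by email across two databases, the ratio of reused to compared is the number that tells you how much a breach at one site is worth against another.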

You may remember that I’ve written about Hunt’s work before on my old blog. If you didn’t take my advice then and read his series of posts on passwords, you should do so now—he has a lot of useful things to say.

Posted in General

The History of UTF-8

Via the Programming subreddit I was led to this History of UTF-8 by Rob Pike. I already knew some of that history (such as Ken Thompson and Rob Pike designing UTF-8 on a paper placemat at a diner) but much of the story is new to me. Pike felt compelled to set the record straight because of a persistent story that UTF-8 was designed by IBM and then first implemented in Plan 9.

In fact, the IBM folks had called Pike to vet a design of theirs but Pike didn’t like it because their scheme couldn’t synchronize a byte stream with less than one character being consumed. So Pike and Thompson went to dinner where Thompson sketched out the encoding on the famous placemat. They returned from dinner and while Thompson banged out the packing and unpacking code, Pike started working on the graphics library. The code was done the next day and in another day they had it running in Plan 9.

This is a great story and if you have any interest in Unix (or Plan 9) history, it’s well worth a read. The story comes complete with the code that Thompson wrote that first night as well as some subsequent code, which is, apparently, pretty much what is running in Plan 9 today.
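The property Pike objected to the IBM scheme for lacking, that you can resynchronize a byte stream without first consuming a whole character, is easy to show with a small packer and unpacker. This is an added example, not Thompson’s code from the article; it is written byte by byte rather than with str.encode so the layout is visible, and the decoder is strict (overlong forms, surrogates and truncated sequences are rejected), which is the check a practitioner wants from any UTF-8 decoder.

```python
"""UTF-8 packing and unpacking, plus the self-synchronisation property:
continuation bytes (10xxxxxx) are distinguishable from lead bytes, so from
any offset you reach the next character boundary by skipping at most three
bytes.

Added example, not Thompson's code from the article.
"""


def utf8_encode(cp: int) -> bytes:
    """Pack one Unicode scalar value into 1 to 4 bytes."""
    if not 0 <= cp <= 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
        raise ValueError(f"U+{cp:04X} is not a Unicode scalar value")
    if cp < 0x80:
        return bytes([cp])
    if cp < 0x800:
        return bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)])
    if cp < 0x10000:
        return bytes([0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F),
                      0x80 | (cp & 0x3F)])
    return bytes([0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F),
                  0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)])


def utf8_decode_one(buf: bytes, i: int) -> tuple:
    """Unpack the scalar starting at buf[i]; returns (codepoint, next_index).
    Strict: rejects stray continuation bytes, overlong forms, surrogates,
    values above U+10FFFF and truncated sequences."""
    b0 = buf[i]
    if b0 < 0x80:
        return b0, i + 1
    if 0xC2 <= b0 <= 0xDF:            # C0 and C1 can only be overlong
        need, cp, floor = 1, b0 & 0x1F, 0x80
    elif 0xE0 <= b0 <= 0xEF:
        need, cp, floor = 2, b0 & 0x0F, 0x800
    elif 0xF0 <= b0 <= 0xF4:          # F5..FF would exceed U+10FFFF
        need, cp, floor = 3, b0 & 0x07, 0x10000
    else:
        raise ValueError(f"invalid lead byte 0x{b0:02X} at offset {i}")
    if i + need >= len(buf):
        raise ValueError(f"truncated sequence at offset {i}")
    for k in range(1, need + 1):
        b = buf[i + k]
        if (b & 0xC0) != 0x80:
            raise ValueError(f"expected continuation byte at offset {i + k}")
        cp = (cp << 6) | (b & 0x3F)
    if cp < floor:
        raise ValueError(f"overlong encoding at offset {i}")
    if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
        raise ValueError(f"U+{cp:04X} at offset {i} is not a scalar value")
    return cp, i + need + 1


def utf8_decode(buf: bytes) -> str:
    """Unpack a whole buffer, raising ValueError on the first bad sequence."""
    out, i = [], 0
    while i < len(buf):
        cp, i = utf8_decode_one(buf, i)
        out.append(chr(cp))
    return "".join(out)


def is_valid_utf8(buf: bytes) -> bool:
    """True if the strict decoder accepts the whole buffer."""
    try:
        utf8_decode(buf)
        return True
    except ValueError:
        return False


def resync(buf: bytes, i: int) -> int:
    """Given an arbitrary offset (possibly inside a character), return the
    offset of the next character boundary. Never skips more than 3 bytes."""
    while i < len(buf) and (buf[i] & 0xC0) == 0x80:
        i += 1
    return i


# Constructed sample covering the 1-, 2-, 3- and 4-byte forms.
SAMPLE = "a\u00e9\u20ac\U0001f600b"
SAMPLE_BYTES = b"".join(utf8_encode(ord(c)) for c in SAMPLE)

if __name__ == "__main__":
    print(SAMPLE_BYTES.hex(" "))
    for off in range(len(SAMPLE_BYTES)):
        print(f"offset {off:2} -> next boundary at {resync(SAMPLE_BYTES, off)}")
```

The resync loop is the whole point of the design: a stream reader that drops into the middle of the four-byte emoji in the sample lands on the following character after at most three skipped bytes, without needing to know where the previous character started.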

Posted in General

Two Interviews

Recently Ken Thompson and Dennis Ritchie sat down for interviews: Thompson with Dr. Dobb’s and Ritchie with IEEE Spectrum. Ritchie talks mostly about his and Ken’s invention of Unix—the occasion for both interviews was Thompson and Ritchie winning the Japan Prize for their work on Unix—and the early efforts to make it portable.

Thompson talks about developing Unix, Dennis Ritchie, and the Go language. The best line in either interview, as far as I’m concerned, was Thompson saying that he, Rob Pike, and Robert Griesemer started the Go project because they all hated C++. That’s sure to ruffle some feathers but it’s a sentiment that many can identify with.

Both interviews are short and leave you wishing for more, but they’re interesting talks with two of the giants of Computer Science.

Posted in General

Scrolling The Other Window

Trawling through the old Emacs COTWD twitter entries I came across something I didn’t know. In some situations, such as help screens, Emacs will open another window but keep the focus in the current window. When this happens, Emacs will tell you that you can scroll the other window down with C-M-v but it doesn’t tell you how to scroll the other window up. I long ago discovered that you can do that with C-M-- C-M-v but it’s annoying to have to type the two chorded keys. Today’s discovery was that the correct way of doing this is to type C-M-S-v. That’s a lot more convenient because it’s easier to scroll up several pages. Of course, this works no matter what’s in the other window so it can be helpful to quickly check documentation or code in the other window without leaving the window you’re working in.

Posted in General

The Hits Keep On Coming

It appears that kicking the hornet’s nest worked out better for Lisbeth Salander than it has for Sony. The “hacker group” LulzSec has again embarrassed Sony by compromising SonyPictures.com and exposing user data for over one million users. Fortunately for Sony, the group did not have enough computer resources to download the whole database although it did take about 51,000 user records. Unfortunately for Sony, LulzSec has demonstrated once again how clueless Sony is about even rudimentary security. You can read LulzSec’s announcement on Pastebin here.

Consider this:

  • The compromise was by an elementary SQL injection attack. How is this possible today? How is it possible especially for Sony who, one would think, would be on the alert after the PSN and subsequent disasters?
  • The stolen data included passwords, email addresses, birthdates, and whatever opt-in data, such as telephone numbers, the users included.
  • None of this data was encrypted, and the passwords were not even hashed; they were stored in plaintext.
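The two failures in that list, each beside its fix, as an added example. This is not Sony’s code (the page does not show any); the tables, rows and the search and login functions are hypothetical, and the example uses Python with sqlite3 so the injected query actually runs.

```python
"""SQL injection and plaintext password storage, side by side with the
parameterised query and the salted-hash storage that prevent them.

Added example, not code from the breached site. The accounts, table names
and functions below are constructed for illustration.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000   # assumption for the demo; tune to your hardware

# Constructed sample accounts: the kind of data the post says was exposed.
SAMPLE_USERS = [
    ("alice@example.com", "seinfeld",    "1975-04-01"),
    ("bob@example.com",   "password",    "1982-11-23"),
    ("carol@example.com", "Xq7#vLp2!mA", "1990-07-15"),
]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; this is what gets stored, not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def setup_db() -> sqlite3.Connection:
    """In-memory DB with a plaintext table (the failure) and a salted-hash
    table (the fix), both holding the same constructed accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users_plain (email TEXT, password TEXT, dob TEXT)")
    con.execute("CREATE TABLE users_hashed (email TEXT, salt BLOB, pw_hash BLOB, dob TEXT)")
    for email, pw, dob in SAMPLE_USERS:
        con.execute("INSERT INTO users_plain VALUES (?, ?, ?)", (email, pw, dob))
        salt = os.urandom(16)
        con.execute("INSERT INTO users_hashed VALUES (?, ?, ?, ?)",
                    (email, salt, hash_password(pw, salt), dob))
    return con


def search_vulnerable(con, fragment: str) -> list:
    """Injectable: untrusted input is spliced into the SQL text."""
    sql = f"SELECT email FROM users_plain WHERE email LIKE '%{fragment}%'"
    return [row[0] for row in con.execute(sql)]


def search_safe(con, fragment: str) -> list:
    """Parameterised: the input can only ever be a LIKE pattern value."""
    sql = "SELECT email FROM users_hashed WHERE email LIKE ?"
    return [row[0] for row in con.execute(sql, (f"%{fragment}%",))]


# Payload that turns an email search into a dump of the password column.
UNION_PAYLOAD = "zz%' UNION SELECT password FROM users_plain --"


def verify_login(con, email: str, password: str) -> bool:
    """Check a password against the stored salted hash with a constant-time
    compare. (A production version would also run hash_password on the
    unknown-user path so timing does not reveal which emails exist.)"""
    row = con.execute("SELECT salt, pw_hash FROM users_hashed WHERE email = ?",
                      (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable search leaks:", search_vulnerable(db, UNION_PAYLOAD))
    print("safe search returns:   ", search_safe(db, UNION_PAYLOAD))
    print("login ok:", verify_login(db, "alice@example.com", "seinfeld"))
```

Note that the two fixes are independent. Parameterising the query closes the injection; hashing limits the damage when the next injection, or a stolen backup, exposes the table anyway, which is the case the post is complaining about.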

All of this suggests that if Sony wants to sue and prosecute people for modding the PlayStation console, they better attend to their security first. Of course, it’s already too late for that. I wonder how many of those users who had their personal information exposed are already talking to lawyers. Sony is very likely to discover that those who live by the lawsuit, die by the lawsuit.

Posted in General

Pharen

I don’t know what to think of Pharen. It’s a little compiler that compiles a Lisp-like language into PHP. PHP seems to be almost as universally reviled as it is universally used, so perhaps this is a useful thing as well as a nice hack. Still, a little voice in the back of my mind keeps repeating, “If you want PHP go use PHP.”

On the other hand, Aubrey Jaffer, the author of SLIB and of SCM (the Scheme implementation on which Guile was originally based), does this sort of thing all the time. After making the same off-by-one mistake in C too many times, Jaffer started coding in Scheme. As he put it, “Periodically, a manager will mandate that I perform my work using some particular language or technique (buzzword). I usually comply by writing (adapting) a translator from SCM to that language.” I’ve always admired his approach to this (he’s even written device drivers in Scheme and used his schlep compiler to translate the Scheme code to C).

So perhaps Pharen is a good thing. What do you think?

Posted in Programming

Magic Trackpad

My main machine, at the moment, is a 27 inch iMac. It came with the Magic Mouse, which is an optical mouse that has a multi-touch surface on its top shell. It’s a great mouse and I really like it but I have a glass desk which means that I need to use a mouse pad for the optical tracking to work. That’s a problem because with that giant screen I was always running off the edge of the mouse pad and would have to pick up the mouse to reposition it.

So last weekend I bought a Magic Trackpad. Until I got my MacBook Pro I had always hated trackpads. For some reason the designers of every laptop I had ever used before the MacBook thought it was a great idea to have a tap on the trackpad represent a click. It’s one of those things that sounds good and natural but is terrible in practice: it’s very easy to accidentally trip the click simulation and yank focus away from whatever window you were working in. Say what you like about Apple, but they think about stuff like this, so their trackpad implementation was intelligently done. My MacBook is an older model so the trackpad had only limited gestures: a two-finger swipe was a scroll and, of course, the scrolls were inertial to make it easy to move large distances. The Magic Mouse added a gesture that would page forward and backwards in Safari and photos.

The Magic Trackpad has a full set of gestures and is much larger than a laptop trackpad as you can see in the picture.

http://irreal.org/blog/wp-content/uploads/2011/06/wpid-magicmouse.jpg

It’s really easy to move around with it and it doesn’t take up as much room as the mouse pad did. All in all, it’s a giant win for me.

Posted in General

As I Was Saying

No sooner had I pushed my Bad Passwords post than I stumbled on this post by Marc Bevand over at Zorinaq. Bevand reports that VISA’s Verified by VISA authentication system forces users to select weak passwords (this may not be VISA’s fault, see below). The passwords are so weak that, by Bevand’s estimate, if they were used on a Windows machine they could be bruteforced in less than two and a half hours. Valid passwords under VISA’s rules must be between 6 and 8 characters long (inclusive) and use only letters and numbers. Thus the key space is 62^8 + 62^7 + 62^6 = 221,918,520,426,688. That may seem like a big number but it’s well within bruteforce territory.

It seems there is little hope of having the banks and other financial services enforce a secure password policy. After all, 123456 and password are both valid passwords for Verified by VISA.

All of this is a shame because VISA is, of course, a tempting target and it’s not unreasonable to assume that sooner or later someone will manage to get their password hashes. From there, it’s an easy step to bruteforce them and start looting accounts. It’s also a shame that responsible customers who would like to use secure passwords are prevented from doing so. It’s hard to see any reason for VISA’s password policy other than some PHB assuming the mantle of security expert and just decreeing them out of ignorance.

Just as I was getting ready to publish this, I read some additional comments to Bevand’s post and there are two more points worth mentioning from them.

  1. The password policies for Verified by VISA are set by each VISA card issuer, so the culprit in this case is the individual bank. Another commenter reported that Barclays doesn’t even hash the passwords, which is truly shocking.
  2. Apparently, at least some banks will reset your password given your birth year and month and some card data. The commenter who reported this remarked that it hardly matters that the passwords are weak, since an attacker could just reset them using data that is reasonably easy to obtain.
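The key-space arithmetic above, carried through to bits of entropy and exhaustive-search time, and checked against the two passwords the post says the policy accepts. This is an added example, not Bevand’s code or anything from VISA; the guess rate is an assumed round number rather than a measurement, and the two alternative policies it compares against are hypothetical.

```python
"""Key space and brute-force cost of a password policy, with the Verified
by VISA rules as the post describes them (6 to 8 characters, letters and
digits only) as the worked case.

Added example, not Bevand's code or VISA's. The guess rate is an assumed
figure; the alternative policies are hypothetical comparisons.
"""
import math
import string

ALNUM = string.ascii_letters + string.digits        # 62 symbols
PRINTABLE = ALNUM + string.punctuation + " "        # 95 symbols


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Distinct passwords the policy admits, summed over the allowed lengths."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(space: int) -> float:
    """log2 of the key space: the work factor of an exhaustive search."""
    return math.log2(space)


def hours_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case to try every candidate at the given rate."""
    return space / guesses_per_second / 3600


def vbv_accepts(password: str) -> bool:
    """The policy exactly as the post describes it."""
    return 6 <= len(password) <= 8 and all(c in ALNUM for c in password)


def compare_policies(guesses_per_second: float = 1e9) -> dict:
    """Entropy and exhaustive-search hours for the VbV policy next to two
    hypothetical alternatives (not VISA's), at an assumed guess rate."""
    policies = {
        "VbV: 6-8 alnum":  keyspace(len(ALNUM), 6, 8),
        "6-12 alnum":      keyspace(len(ALNUM), 6, 12),
        "8-16 printable":  keyspace(len(PRINTABLE), 8, 16),
    }
    return {name: (round(entropy_bits(space), 1),
                   round(hours_to_exhaust(space, guesses_per_second), 1))
            for name, space in policies.items()}


if __name__ == "__main__":
    print("VbV key space:", f"{keyspace(62, 6, 8):,}")
    for pw in ("123456", "password", "Tr0ub4dor&3"):
        print(f"{pw!r:16} accepted by VbV: {vbv_accepts(pw)}")
    for name, (bits, hours) in compare_policies().items():
        print(f"{name:16} {bits:6.1f} bits  {hours:>18,.1f} h")
```

The comparison is the useful part: lifting the maximum length from 8 to 12 under the same alphabet adds roughly 24 bits, while the 6-8 alphanumeric space sits under 48 bits, which is why Bevand’s hours-not-years estimate is plausible once the hashes are in hand.
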

Posted in General

Bad Passwords

Alternative title: Good Grief. It’s absolutely incredible how clueless people still are about password security. You would think that anyone using the Web today would be aware of the numerous compromises that involve weak passwords. Apparently not. Over at Naked Security, Graham Cluley has a truly depressing post, entitled The top 50 passwords you should never use, that looks at the passwords compromised as a result of the security breach at Gawker Media last year. The most popular? 123456. Really? 123456? The next most popular is password.

Go take a look at the post and see all 50 of them. One could say, “Well, who cares about some throwaway password on Gizmodo or Gawker?” Probably no one except for the other depressing fact that Cluley reports: one third of Web users use the same password on every Website that requires one. You could take the position that this is Darwin in action but, unfortunately, when these people have their bank accounts hacked it raises the costs for all of us.

The foolish are always with us, of course, so maybe banks and other high profile targets should reject any passwords on that list. Unfortunately, as I wrote on my old blog, banks and other companies don’t appear to be much smarter about password security than those Gawker users.

Posted in General

Sorting With Emacs

Mickey over at Mastering Emacs has a great post on sorting in Emacs. Did you know you can sort by regular expressions? I didn’t. Get over there and read the post; it’s well worth your time. In fact, you might want to add Mastering Emacs to your feed. He doesn’t post often but all his posts are useful.

Posted in General