Bad Password Policies

It seems like I’ve been shouting into the wind forever about password policies and it hasn’t made a bit of difference. There’s probably little anyone can do about users choosing really dumb passwords—like password or 123456 and so forth—but you’d think that Web sites would at least implement sensible password policies.

Alas, no. Dumb Password Rules is a crowd-sourced GitHub repository of, well, dumb password rules. It’s late 2019 and there really is no excuse for a site insisting on rules like passwords must be between 6 and 8 letters/numbers long with no special characters. Yet there are an astounding number of sites doing just that. These aren’t just Joe’s Online Fish Market, either. They’re banks, big retail organizations and even the government.

Scroll through as much of the site as you can stand. Even the Irreal minions refused to read the whole thing claiming it was just too painful.

I’ve said it many times before but it bears repeating: avoid sites that have any1 restrictions on what your password can look like. If they’re doing it right, those passwords are going to be salted and hashed with something like bcrypt or one of its brethren and it won’t matter what characters they contain or how long they are. If they insist on some arbitrary restrictions you can be sure that your passwords aren’t being hashed and that when the site is inevitably broken into, your password will be exposed.

Sometimes you can’t avoid those sites. After all, We have to deal with our banks (they’re among the worst offenders, ironically), wireless providers, and similar institutions but in those cases you should make an extra effort to use a password as complicated as their rules allow.

It’s pretty clear that passwords aren’t going away anytime soon so sites should take the situation seriously, start salting and hashing our passwords, and stop insisting on arbitrary and dumb rules on what they can be.

Footnotes:

1

Other than a large—1024 characters, say—maximum size.

Posted in General | Tagged | Leave a comment

Dumb-jump 0.5.3

Back in 2017, I started using dumb-jump after seeing Mike Zamansky’s video demonstrating it. As I said at the time, it really hit the sweet spot for me. I have tried many times over my career to warm up to TAGS-based systems and I never could. They were always too fussy and required maintaining the TAGS file.

The wonderful thing about dumb-jump is that it just works and requires little or no configuration and no index files to keep up to date. It does its magic by leveraging one of the grep siblings to search for what you need. That sounds as if it could be slow and it might be for very large projects but by using a fast grep (ripgrep) I found it to be instantaneous while browsing the Unix v10 kernel sources.

Jack Angers has just released Version 0.5.3 of dumb-jump and added support for 10 more languages. That means that you can use dumb-jump with more than 40 languages. Unless you’re using something fairly obscure, dumb-jump will probably support it.

I was a little skeptical at first due to my bad experiences with trying to use TAGS but I’ve been delighted with dumb-jump and it’s now one of my favorite packages. If you’re an Emacs user you should give it a try. It doesn’t take any effort at all to install it and you can easily delete it if it doesn’t meet your needs.

Posted in General | Tagged | Leave a comment

Mozilla Talks About Its Plans for DoH

You may recall that back in July I wrote about Google’s and Mozilla’s plans for DNS over HTTPS (DoH) and the furor it caused among the nannies in the UK who resented having their ability to spy on their users made more difficult. I was a little skeptical that Google and Mozilla would stick to their guns in the face of the opposition but Mozilla, at least, is moving forward with their plans.

In a post entitled What’s next in making Encrypted DNS-over-HTTPS the Default, Mozilla details the results of experiments with a beta version and their plans for rolling out the system to everyone. There are two problems to solve:

  1. What to do when DoH returns erroneous results
  2. How to interoperate with parental controls

Mozilla has solutions for both of these and plans to partially roll out the system starting in late September. DoH will be enabled by default but will be opt-in in the sense that users will be notified of the change and given a chance to disable it. If the test deployment goes well, Mozilla will enable the service for everyone in the U.S.

I applaud all this and welcome one more way of keeping the busybodies’ noses out of what I do on the Internet. The other advantage is that it also prevents DNS hijacking where users are surreptitiously directed to bogus and potentially harmful sites. It’s a win for everyone. Except the busybodies.

Posted in General | Tagged , | Leave a comment

Saving the Planet With Smartphones

When the New Luddites aren’t hectoring us about our debilitating addiction to our phones, the loss of our ability to read maps or do arithmetic, or the extreme disservice we’re doing to our children by allowing them to use smartphones, they fall back on the technique most favored by all reformers: guilt. They tell us that our crack-addled-monkey-like addiction to smartphones and other technology is stripping the earth bare of its resources. Our smartphone addiction is killing Gaia.

Except it isn’t so. According to a very interesting article in Wired, electricity use has been flat for the last decade and plastic use has gone from growing faster than the economy to lagging it by 15 per cent. In fact, they say, consumption for most natural resources has gone negative. How can this be?

While it’s true that significant resources are consumed to build those smartphones, even more resources are saved by no longer building other devices to do the things that smartphones do. The Wired article has a revealing vignette of someone seeing a Radio Shack (remember them?) ad from 1991 that showed 15 electronic “gadgets” for sale and realizing that he carried 13 of those gadgets in his pocket everyday. Actually, smartphones replace far more than 13 other devices. Take a look at your phone’s screen and look at all the functions it provides. That’s why, among other things, the camera market is collapsing, it’s hard to find a standalone GPS unit, and no one buys general purpose calculators anymore. They’re all built into our phones.

None of this will have the slightest impact on the New Luddites, of course. They’ll go right on detailing our many shortcomings and predicting the end of the world but the Wired article shows us what we’ve always known: they’re full of malarkey.

Posted in General | Tagged , | Leave a comment

Using R With Emacs and ESS

With the rise of big data, the R programming language has become one of the most popular languages. Indeed, the IEEE has it rated as number 5 in 2019. Probably the most popular environment for R is RStudio, an IDE for working with R. Of course, it’s also possible to use Emacs for this. Way back in 2011, I showed how to combine R and Org Babel to do some basic statistics.

That was just me fooling around, though. If you want to Combine R and Emacs seriously, there’s a bit more involved. Peter Prevos has a nice post that shows how he uses Emacs and ESS (Emacs Speaks Statistics) to provide an excellent environment for writing R programs and including the results in documents. Included in his post is an example of a paper he wrote with the system1. You can see the Org source file at his GitHub repository along with the part of his Emacs configuration that supports the environment.

Prevos’ post is written from the point of view of someone in the social sciences who is not necessarily an engineer. The post even gives a brief account of how to get Emacs installed so it should be useful to anyone who’d like to use Emacs for R and doesn’t mind the learning curve involved.

Footnotes:

1

Actually, it was a rewrite of a paper he originally wrote using LaTeX and Sweave.

Posted in General | Tagged | Leave a comment

Opening Images in Emacs

These tweets:

reminded me that not everyone is aware that you can open image files in Emacs so I thought I’d share the knowledge. If you like, it’s easy to switch back and forth to a hex representation.

Of course, this works only with GUI Emacs although you should almost certainly be using GUI Emacs instead of the terminal version anyway (but see Phil’s comment for a situation where terminal Emacs makes sense).

It’s just another reminder of how powerful Emacs is for most text-based tasks and even some tasks that aren’t text-based.

Posted in General | Tagged | Leave a comment

Curl Recipes

There’s not much going on today so I thought I’d share this small list of Curl recipes that I recently stumbled on. If you’re like me, your first reaction when facing a problem like those on this list is to throw together a bespoke solution rather than leveraging the tools you already have. That’s just crazy, of course, so cookbooks like this one can be really useful.

Take a look and maybe bookmark it for the day you need it.

Posted in General | Tagged | Leave a comment

Apple Secrecy and the Tech Press

It’s no secret among those who have been reading this blog for a while that Irreal doesn’t hold journalists in high regard. Those that aren’t explicitly corrupt are mostly lazy and ignorant (yes, yes, of course there are exceptions). I wish I could say that the tech press is better but, sadly, if anything they’re worse.

A glaring example of this is Apple coverage. For reasons unknown to me—and probably any other sane observer—Apple drives many reporters into paroxysms of mindless fury and an inability to see facts or reason about them. Every single thing that Apple does is taken by these reporters as proof that Apple is doomed and is only barely holding on. No one, no one, with any sense believes any of their nonsense because Apple continues to be, arguably, the most successful company ever and is showing no signs of slowing down. Sure, eventually they’ll start the inevitable decline common to all earthly things but that time is not yet upon us.

Apple hasn’t been blind to this and being Apple have brilliantly used it to advance their ends. Over at Apple Insider, Daniel Eran Dilger writes about Apple’s infamous secrecy and how they use it to leverage the press in helping them gain competitive advantages against their rivals. The article is, in a way, screamingly funny and you don’t have to be an Apple fan to enjoy the spectacle of a hapless press being pressed into serving Apple’s ends while believing they are fighting the evil empire.

The funniest part of the story is that Apple doesn’t have to lie to the press or do any overt misdirection. They simply keep their plans private and let the press make up their own stories. As I said, nobody with a modicum of sense believes anything they write and it’s unlikely that they’ve changed anyone’s perception of Apple or its products. But they keep at it.

Posted in General | Tagged , | Leave a comment

Emacs or Vi

It’s Friday so it’s time for a little red meat.

Ward Willats tackles the critical issue of “Emacs or Vi.” He appears to have strongly held views on the matter.

Posted in General | Tagged | Leave a comment

The Google GDPR Workaround

A little over a week ago in my post on Google Tracking, I remarked that nothing short of strictly enforced GDPR-syle legislation would get Google and the other adtech miscreants to behave. I ended on the cynical note that maybe even then they wouldn’t behave. It turns out that I was right to be cynical.

The Irish Times is reporting that Google has been accused of secretly sending users’ personal data to advertisers. They’re doing this with a new mechanism being called “push pages.” The details are technical and a bit hard to understand but the TL;DR is it allows participants in Google’s real time bidding program to match the user with their own profiles and to share that information with other participants. Google has assured us that neither of those activities would be possible with their new GDPR-compliant protocols.

Johnny Ryan from Brave decided to investigate how Google handled his personal data and ran some tests. What he found was alarming. Google is, in fact, doing both those things. Ryan’s account, which the Irish Times report is based on, has a few more details including a link to his formal complaint to the Irish Data Protection Commission (DPC), an example of a push page, and a sequence diagram showing how the new scheme works.

If the charges are verified by the DPC, Google will undoubted be fined several million Euros. The problem is that they won’t care; the fine will simply be written off as a cost of doing business. If we want to end the scourge of adtech, the only thing that will get it done is putting a few executives in jail. I’m really against the automatic urge (especially in the U.S.) to put people in jail for the slightest infraction but I don’t think anything else will get the adtech industry’s attention. Fines certainly haven’t helped.

Posted in Blogging | Tagged | Leave a comment