You are here

rick's blog

RockYou and Password Choices

A social networking site called Rockyou.Com was hacked a few months ago, and someone was thoughtful enough to tell them about it in December. After some dithering, they announced it to their user community.

Unfortunately, they were trying to do site aggregation stuff - using other site login credentials to link that site to theirs. All very Web 2.0. All very dangerous, especially since passwords were stored in plaintext. Thus, the attackers collected 32 million user login credentials: ids, passwords, e-mail addresses. This was courtesy of a cross site scripting vulnerability.

John, a former colleague, sent me a note about a security group named Imperva that analyzed the list of passwords.

The actual report is poorly drafted - you can't tell how much of the database they really analyzed, or how they chose a set to analyze. However, it seems that they analyzed a sampling of the passwords and compiled a list of the 5,000 most common ones. Which they didn't share. They did share a list of the 20 most common: the most common word was "Password" while "princess" and "Nicole" were the most common names.

Post category: 

Bring-Your-Own-Computer

Paul Ardoin, a former colleague, has posted some comments on Bring-Your-Own-Computer, the notion that companies should rely on employees' personal laptops. My security-wonk-alarm went off when I read this, but I'm thinking the concept has some merit.

This is somewhat related to the question of using a company car versus the company paying you for mileage on your own car. People in general tend to take better care of their own car.

Wordpress tag: 
Post category: 

Intro to Multiprogramming

Back in 1964, Boston's public TV station, WGBH, did a show on interactive computing at MIT. They interviewed Fernando Corbató, MIT's timesharing pioneer, who demonstrated the old CTSS system.

Best New Security Technology

A while back, Popular Science asked me to identify the Best New Security Technology. At the time I simply couldn't think of anything, and they've long since published their issue filled with Best New ____ Technology.

I finally thought of something - self-encrypting mass storage. This can be anything from an encrypting USB drive - the IronKey if you like theatrics - to a self-encrypting hard drive like Seagate's Momentus line of laptop drives.

While I also rely heavily on software drive encryption (TrueCrypt) I wish that all my hard drives had full disk encryption (FDE). If all drives had FDE, I could recycle drives (i.e. give them to my kids) just by erasing the key. Instead, I have to hook each drive up to an idle machine for a day or so to run a wiping process.

So FDE isn't just for security paranoids and folks hogtied by compliance regulations. They're useful for everyone. That is, assuming that the vendors make it easy to use them.

Post category: 

Security Through Obscurity

Kodak is offering the Easyshare Wireless Picture Frame, which uses a wireless Internet connection to select and display its content.

According to a blog post by Casey Halverson, the wireless picture frame contents comes from a findable URL. It wouldn't take a lot of technology to build software to search for the contents of other random picture frames.

This poses an interesting question: when is Security Through Obscurity (STO) good enough to protect privacy? This is one of those technical weaknesses that professionals like to talk about, but lots of people won't understand. This can play out in one of several ways:

  • The product becomes popular, and it takes years for the security problems to bother the user community. This is what happened with analog cell phones.
  • The product's security problems become an issue that interferes with its marketplace success. This is what happened with early Web sites. Netscape solved the problem by introducing SSL encryption.
  • The product fails for other reasons.
Wordpress tag: 
Post category: 

Napolitano Blows It

Janet Napolitano has flubbed her first major event as Secretary of Homeland Security. First, she incorrectly claims that the bomber thwarted on Christmas Day was not on any of the screening lists. Someone manages to correct her, and then today she claims this is a "failure" of the US security system.

She still gets it wrong. The bomber boarded a plane in Nigeria and changed planes in Amsterdam. How are new - and more extreme - physical screening measures in the US going to reduce the risk of a poorly-screened passenger from overseas?

No matter how carefully we screen Grandma when she gets on the flight in Duluth, it's not going to catch a poorly-screened bomber in Lagos.

Wordpress tag: 
Post category: 

Blaze visits the Titan Missile Museum

Matt Blaze has posted a blog entry following a visit to the Titan Missile Museum that's just south of Tucson, Arizona. It's a well written summary of the place.

Blaze talks a bit about Titan, PALs, and the "butterfly switch;" mechanisms intended to prevent an unauthorized launch. The Titan system didn't have PALs. The butterfly switch, also known as the "Coded Switch System" (CSS), authorizes the launch. PALs were first required on overseas nukes starting in 1962. Titans were never overseas, and the system was already under construction in the continental US by the time the PAL idea arose.

Wordpress tag: 

A crashed off-site RAID drive

Here are some more observations on using RAID on the Mac OS X, particularly in terms of off-site storage, terminology, and upgrading. Here is a photo of my former off-site hard drive:

WD 7500 with the case opened

It's been sitting in an office desk drawer for a couple of months, and the time came to cycle it back into the RAID set. But when I tried to spin it up, I was greeted by a disappointing rattle, and the drive didn't come on-line. The drive, a WD 7500 AAKS, was 14 months old when it died. In the photo above, I've removed the case cover in preparation for an autopsy.

Wordpress tag: 
Post category: 

A 21st Century Family Library

Over the years, our family has bought three copies of the Crosby, Stills & Nash album. My wife and I each bought a vinyl copy back in the '70s. Recently we bought a "clean" (not copy protected) copy from the iTunes music store. I expect that's the last time anyone in our family will have to buy a copy of that album, including all our descendants.

I believe that music sharing is "fair use" within a family. I'm inclined to feel that way about video, and no doubt I'll feel the same way about digitized books. Cousin Jon sent me a couple of links describing "do it yourself" book scanners. I need to get myself one of those. But a family library of digitized books has an interesting implication for publishers: it will decimate the reprint market. My (not-yet-existing) great grandson won't ever have to purchase a copy of Pride and Prejudice and should never have to buy any other books I collect in digital form.

Computers and Health Care

David Himmelstein of Cambridge Hospital and Harvard Med School (with co-authors) recently published a paper on the effect of computerization of hospitals.

The results, as Computerworld put it: Computers don't save hospitals money.

Excellian Logo

This makes sense, especially when you look at the study. They focused on data collected reported by individual hospitals nationwide between 2003 and 2007. Computerization, especially at the clinical level, is incredibly disruptive. Thus, the efficiencies aren't likely to arise soon.

Pages

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer