Forcing users to use insecure passwords

30. November, 2009

Q: What’s the most efficient way to force your users to use insecure passwords?
A: Try to force them to use secure ones.

What’s a secure password? It’s complicated, unguessable, easy to remember, contains several strange characters, different per site, changed often.

But how much security can you buy with that?

Changing your password helps to lock out people who have cracked it. But unless they are in it for long-term surveillance, crackers will abuse your account within five seconds of cracking it. In the usual scenario (i.e. when the cracker is not your better half), changing your password regularly buys you nothing. It’s enough to wait for a mail which says that your account has been cracked and change the password then.

Different passwords for different sites look like a good idea, but this only has an effect when a cracker manages to crack your password in one place and has a list of your other accounts. Usually, they crack your account for a specific purpose, not to compete in a find-them-all contest. So that doesn’t buy us much, either.

Strange characters look like a good idea until you travel and sit in front of a foreign keyboard in an Internet café. Yay, hide and seek! And if you’re using a complex algorithm to build your password which includes strange characters, you’ll encounter the odd site which expects you to have either more or fewer strange characters in your password. Also, unless you’re a software developer, you’re not used to all the strange symbols which your computer can produce.

Easy to remember is at odds with hard to guess and complicated.

Lastly, good passwords don’t protect you against the most common forms of attack: Phishing and keyloggers.

Links: “So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users” (Cormac Herley, Microsoft Research)


28. November, 2009

Don’t ask me how to pronounce that, I have no idea. Akaelae is a web-comic by Tiffany Ross. It’s one of those rare gems that warm the heart (and not only by raising your adrenaline level). If you like Stan Sakai’s Usagi Yojimbo or Elfquest, you’ll love this, too. It’s the story of a couple of childhood friends that get into all kinds of adventures at school, at home, even in space. The focus is rarely on the action but on the emotions and reasons of the characters. It’s about how people can hurt each other and how they deal with it. Here is an example: Darrik, a young, lonely black fox, is moving to a new room and wants to say goodbye to a shy albino fox that’s living on the same floor. During the chat, she tells him that the wolves are only keeping them to sell them as slaves later. Which is why she is refusing to take the proficiency tests.

Darrik is confused. “Then aren’t you useless to them? If they’re running a slave trade? Wouldn’t they just sell you instead of feeding you, giving you clothing, art supplies, medical attention?”

Conclusion: Buy. You can find the whole story in the archive or support the starving artists by buying her books as PDF downloads over Lulu.

If you get confused with the characters and the names, visit the ComixPedia page: “The Cyantian Chronicles“.

Note that the site has some technical difficulties (like images not showing up) now and then, but Tiff is always quick to fix that. Drop her a polite note if something lingers for more than a few days.

Adopt a line of code!

24. November, 2009

Why spend all your hard earned money on on-line porn when you can have an offspring by adopting a line of code?

Here are the three latest additions to my family:

Dobalina Digulla:

Oliver Digulla:

Maurizio Digulla:

Another example for “security” by obscurity

24. November, 2009

Sometimes, you’ll need a catchy example why “security by obscurity” is such a bad idea. Here’s one: “Starring The Admin.”

The gist is that a developer of an application was too lazy to implement proper user roles. So the solution was “if the login has ‘**’ in it, I’ll grant admin rights”. That’s it. Anyone can get admin rights just by appending “**” to their login (the app removes the “**” from the login before checking it, so no changes to the user database are necessary).

Cool, eh? And so simple!
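To make the flaw concrete, here is the pattern the post describes next to a proper role check, as an added example that is not code from the post or from the application it talks about. The user store, the user names, the passwords and the static salt are all constructed for the demonstration; the point is that in the first function the role never comes from the user record, while in the second it comes from nowhere else.

```python
import hashlib
import hmac
import re

# Constructed sample user store (hypothetical): in a real application this is a
# database table. Passwords are kept as salted PBKDF2 hashes, never in the clear.
_SALT = b"constructed-static-salt"  # one shared salt for the demo only; use a random per-user salt in practice


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {
    "alice": {"pw": _hash_password("correct horse", _SALT), "role": "user"},
    "bob": {"pw": _hash_password("hunter2", _SALT), "role": "admin"},
}


def _password_ok(user: dict, password: str) -> bool:
    # Constant-time comparison of the stored hash against the freshly computed one.
    return hmac.compare_digest(user["pw"], _hash_password(password, _SALT))


def login_with_backdoor(login: str, password: str):
    """The scheme from the post: '**' anywhere in the login is stripped before the
    lookup, and because it was present the session is granted admin rights.
    The role stored with the user is never consulted."""
    wants_admin = "**" in login
    login = login.replace("**", "")
    user = USERS.get(login)
    if user is None or not _password_ok(user, password):
        return None
    return {"user": login, "admin": wants_admin}


# Hardened form: logins must match a strict character set, so control strings such
# as '**' are rejected before any lookup happens.
LOGIN_RE = re.compile(r"[a-z0-9_.-]{1,32}")


def login_with_roles(login: str, password: str):
    """The login is validated, looked up unchanged, and the role is read from the
    user record. Nothing the client sends can widen its own privileges."""
    if not LOGIN_RE.fullmatch(login):
        return None
    user = USERS.get(login)
    if user is None or not _password_ok(user, password):
        return None
    return {"user": login, "admin": user["role"] == "admin"}


if __name__ == "__main__":
    # "alice" is an ordinary user; with the backdoor, two asterisks make her an admin.
    print(login_with_backdoor("alice**", "correct horse"))
    # The hardened check rejects the same login outright.
    print(login_with_roles("alice**", "correct horse"))
```

Note that the hardened version does not merely strip the marker; it refuses the login. Normalising input and then deciding privileges based on what was removed is exactly the mistake the post points at, so the fix is to stop deriving authorisation from the request at all.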

Why You Should Be Rabid About Your Tools

19. November, 2009

Rands writes:

The lesson: the correct tool is exponentially more productive. […] As an engineer, there is a short list of tools that you must be rabid about. Rabid. Foaming at the mouth crazy.

Wise words. If your tools don’t make you exponentially more productive, you must change them. Every engineer can write an application using Notepad. But if you care about quality, timeliness or sanity, then find the right tool and use it.

R&C Future: A Crack In Time

16. November, 2009

Ah, I like those long game titles. Anyone remember Leisure Suit Larry in the Land of the Lounge Lizards? I have a feeling that a title says something about a game. If they care about the title, they care about the game.

Anyway, it’s jump, run and shooting time. Shooting with anything you can imagine and sometimes with things that you couldn’t imagine before. There’s a burp gun, a rocket launcher called “Negotiator”, a robot sidekick called Mr. Zurkon (always complaining that it can’t shoot at the innocent). I like its remarks. “Mr. Zurkon doesn’t need no pesky nanotec to survive, Mr. Zurkon lives from fear.”

Game levels are as colorful and nice as ever. Especially the Great Clock looks awesome with its red and gold and reflections. Ratchet finally has some fur on his ears. The levels are also pretty short, there are tons of mini-games, you can go hunt for Zoni to upgrade your ship, or for Gold Bolts or upgrades for your weapons. Old-time fans of the series will find all the good stuff again, like weapons that get better as you use them, pixel-precise jumping sequences, an arena, and funny comments by the ton. Gameplay is fluent. I wish more game companies would take care of my time like Insomniac does: While the game installs on the HD, you get to see a long intro movie which sets the scene. Two thumbs up for that.

The new stuff is that you can actually fly around space a bit, shoot asteroids for fun (and some bolts), play the main story or idle in some side levels. There are levels for the die-hard jump’n’run people and shooter levels. And when I say “die-hard”, I mean it. I’m not that bad at R&C but I’ve had to use the skip option once. Some of Clank’s jump sequences in the Great Clock are insanely hard. I must’ve died a hundred times in there. The logic puzzles are usually simpler on the “jump” side, but it takes some brainpower to run yourself four times through a level, timing the switching of buttons just right to get all your copies through. And in time. Luckily, you can skip a puzzle. 95% for that one. For 100%, there should have been a way to revisit a puzzle to try it again.

All in all, they kept the great stuff and added a couple of nice, new features. The individual levels are short but plenty, so you can save often or take a break, and won’t have to start all over again.

Recommendation: Buy.

no symbol version for module_layout

15. November, 2009

This one drove me nuts. After upgrading to openSUSE 11.2, I couldn’t compile the NVIDIA (warning: Big flash welcome) or the VirtualBox drivers. Well, the compilation worked, but loading the module failed with:

no symbol version for module_layout

This post finally pointed me in the right direction. To fix the issue, just run zypper in kernel-default-devel as root (or kernel-desktop-devel if you use the desktop kernel).
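The fix depends on which kernel flavour is running, and the same mismatch can be spotted on a module before trying to load it. The script below is an added example, not from the post or from openSUSE itself: it derives the devel package from the `uname -r` string and compares a module’s vermagic (as printed by `modinfo -F vermagic`) with the running release. The “default” and “desktop” flavours are from the post; “pae” and “xen” are added as assumptions, and the release strings in the usage section are constructed.

```python
import os

# Kernel flavours and the -devel package carrying the matching headers and
# Module.symvers. "default" and "desktop" are the two named in the post;
# "pae" and "xen" are assumed to follow the same naming scheme.
FLAVOURS = {"default", "desktop", "pae", "xen"}


def devel_package_for(release: str):
    """Map a `uname -r` string such as '2.6.31.5-0.1-desktop' to the package
    whose headers a module must be built against. Returns None when the
    flavour suffix is not one we know, rather than guessing."""
    flavour = release.rsplit("-", 1)[-1]
    if flavour not in FLAVOURS:
        return None
    return f"kernel-{flavour}-devel"


def zypper_command(release: str):
    """The command to run as root for the given release, or None if unknown."""
    pkg = devel_package_for(release)
    return None if pkg is None else f"zypper in {pkg}"


def vermagic_matches(vermagic: str, release: str) -> bool:
    """A module's vermagic starts with the release it was built for and lists
    'modversions' when symbol versioning was compiled in. A module whose first
    field is not the running release, or which lacks the flag, was not built
    against the running kernel's headers, which is the mismatch the post's fix
    addresses."""
    fields = vermagic.split()
    return bool(fields) and fields[0] == release and "modversions" in fields


if __name__ == "__main__":
    running = os.uname().release
    print(zypper_command(running) or f"unknown kernel flavour in {running!r}")
    # Constructed vermagic line for a module built for the desktop kernel:
    sample = "2.6.31.5-0.1-desktop SMP mod_unload modversions"
    print("module matches running kernel:", vermagic_matches(sample, running))
```

The script only prints the zypper command instead of running it, so it can be used on any machine to see what would be installed; on the affected box the output line is the one to run as root.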