Forcing users to use insecure passwords

30. November, 2009

Q: What’s the most efficient way to force your users to use insecure passwords?
A: Try to force them to use secure ones.

What’s a secure password? It’s complicated, unguessable, easy to remember, contains several strange characters, different per site, changed often.

But how much security can you buy with that?

Changing your password helps to lock out people who have cracked your password. But unless they are in for long time surveillance, crackers will abuse your account within five seconds of cracking it. In the usual scenario, (i.e. when the crackers is not your better half), changing your password buys you nothing. It’s enough to wait for a mail which says that you account has been cracked and change the password then.

Different passwords for sites looks like a good idea but this only has an effect when a cracker manages to crack your password in one place and has list of other accounts. Usually, they crack your account for a specific purpose, not to compete in a find-them-all contest. So that doesn’t buy us much, either.

Strange characters look like a good idea until you travel and sit in front of a foreign keyboard in an Internet café. Yay, hide and seek! And if you’re using a complex algorithm to build your password which includes strange characters, you’ll encounter the odd site which expects you to either have more or less strange characters in your passwords. Also, unless you’re a software developer, you’re not used to all the strange symbols which your computer can produce.

Easy to remember is at odds with hard to guess and complicated.

Lastly, good passwords don’t protect you against the most common forms of attack: Phishing and keyloggers.

Links: “So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users” (Cormac Herley, Microsoft Research)


28. November, 2009

Don’t ask me how to pronounce that, I have no idea. Akaelae is a web-comic by Tiffany Ross. It’s one of those rare gems that warm the heart (and not only by raising your adrenaline level). If you like Stan Sakai’s Usagi Yojimbo or Elfquest, you’ll live this, too. It’s the story of a couple of childhood friends that get in all kinds of adventures at school, home, even space. The focus is rarely on the action but on the emotions and reasons of the characters. It’s about how people can hurt each other and how they deal with it. Here is an example: Darrik, a young, lonely black fox is moving to a new room and wants to say goodbye to a shy albino fox that’s living on the same floor. During the chat, she tells him that the wolves are only keeping them to sell them as slaves later. Which is why she is refusing to take the proficiency tests.

Darrik is confused. “Then aren’t you useless to them? If they’re running a slave trade? Wouldn’t they just sell you instead of feeding you, giving you clothing, art supplies, medical attention?”

Conclusion: Buy. You can find the whole story in the archive or support the starving artists by buying her books as PDF downloads over Lulu.

If you get confused with the characters and the names, visit the ComixPedia page: “The Cyantian Chronicles“.

Note that the site has some technical difficulties (like images not showing up) now and then, but Tiff is always quick to fix that. Drop her a polite note if something lingers for more than a few days.

Adopt a line of code!

24. November, 2009

Why spend all your hard earned money on on-line porn when you can have an offspring by adopting a line of code?

Here are the three latest additions to my family:

Dobalina Digulla:

Oliver Digulla:

Maurizio Digulla:

Another example for “security” by obscurity

24. November, 2009

Sometimes, you’ll need a catchy example why “security by obscurity” is such a bad idea. Here’s one: “Starring The Admin.”

The gist is that a developer of an application was too lazy to implement proper user roles. So the solution was “if the login has ‘**’ in it, I’ll grant admin rights”. That’s it. Anyone can get admin rights just by appending “**” to their login (the app will remove the “**” from the login before checking the it so no changes to the user database are necessary).

Cool, eh? And so simple!

Why You Should Be Rabid About Your Tools

19. November, 2009

Rands writes:

The lesson: the correct tool is exponentially more productive.[…]As an engineer, there is a short list of tools that you must be rabid about. Rabid. Foaming at the mouth crazy.

Wise words. If your tools don’t make you exponentially more productive, you must change them. Every engineer can write an application using Notepad. But if you care about quality, timeliness or sanity, then find the right tool and use it.

R&C Future: A Crack In Time

16. November, 2009

Ah, I like those long game titles. Anyone remembering Leisure Suite Larry in the Land of the Lounge Lizards? I have a feeling that a title says something about a game. If they care about the title, they care about the game.

Anyway, it’s jump, run and shooting time. Shooting with anything you can imagine and sometimes with things that you couldn’t imagine before. There’s a burp gun, a rocket launcher called “Negotiator”, a robot sidekick called Mr. Zurkon (always complaining that it can’t shoot at the innocent). I like its remarks. “Mr. Zurkon doesn’t need no pesky nanotec to survive, Mr. Zurkon lives from fear.”

Game levels are as colorful and nice as ever. Especially the Great Clock looks awesome with it’s red and gold and reflections. Ratchet finally has some fur on his ears. The levels are also pretty short, there are tons of mini-games, you can go hunt for Zoni’s to upgrade your ship, or Gold Bolts or upgrades for your weapons. Old time fans of the series will find all the good stuff again, like weapons that get better as you use them, pixel precise jumping sequences, there is an arena, and funny comments by the ton. Game play is fluent. I wished more game companies would take care of my time like Insomniac does: While the game installs on the HD, you get to see a long into movie which sets the scene. Two thumbs up for that.

The new stuff is that you can actually fly around space a bit, shoot asteroids for fun (and some bolts), play the main story or idle in some side levels. There are levels for the die hard jump’n’run people and shooter levels. And when I say “die hard”, I mean it. I’m not that bad at R&C but I’ve had to use the skip option once. Some of Clank’s jump sequences in the Big Clock are insanely hard. I must’ve died a hundred times in there. The logic puzzles are usually more simple on the “jump” side but it takes some brainpower to run yourself four times through a level, timing the switching of buttons just right to get all your copied through. And in time. Luckily, you can skip a puzzle. 95% for that one. For 100%, there should have been a way to revisit a puzzle to try it again.

All in all, they kept the great stuff and added a couple of nice, new features. The individual levels are short but plenty, so you can save often or take a break, and won’t have to start all over again.

Recommendation: Buy.

no symbol version for module_layout

15. November, 2009

This one drove me nuts. After upgrading to openSUSE 11.2, I couldn’t compile the NVIDIA (warning: Big flash welcome) or the VirtualBox drivers. Well, the compilation was working but loading failed with:

no symbol version for module_layout

This post finally pointed me in the right direction. To fix the issue, just run zypper in kernel-default-devel as root (or kernel-desktop-devel if you use the desktop kernel).

Goodbye Fallout 3

11. November, 2009

I made a mistake. A big mistake. I admit it. I shouldn’t have. I still did. I bought the game officially in a store. Sorry. Won’t happen again. Bethesda is now on my “Don’t Buy” list and Sony is close.

What happened. A year ago, I bought Fallout 3 in a shop. It’s a German uncut version. I’d actually preferred the cut version; the splatter effect is probably some nice piece of FX code but blood doesn’t give me much. Can’t have that. I’m in Switzerland and I can’t do as I please. On top of that, it seems my shop sold me the Austrian version. It’s German, too, but different. Somehow. I don’t know. I’m just a stupid gamer. The main difference is that when I buy the addons in Sony’s PSN, then I get something that doesn’t work with my game. Because I must have the Swiss version. Since I’m in Switzerland. And I bought the game in Switzerland. And I have a Swiss PSN account. I think. I don’t know. I’m just a stupid gamer.

So what happens is that I have an illegal copy of the game. Illegal as in “if you’re in Switzerland”. Why Bethesda decided to produce three German versions? I don’t know. I’m just a stupid gamer. I don’t need to know such things. Why were the DLCs available for months for Xbox but not for PS3? I don’t know. Why did everyone say that the DLCs would never come to the PS3? I don’t know. Maybe it was because Bethesda knew what would happen. Or maybe Sony treats them like their customers. I don’t know.

The net result is that I have a game which I can’t upgrade (at least not without illegally creating an Austrian account on PSN). I probably can’t buy the GOTY Editition without loosing my save games. I don’t know for sure. I’m not sure I care anymore. My blood pressure raises when I only see the game box. I buy games to relax, not to heap more problems on my plate. I don’t care who is responsible for this crap. I don’t understand why it’s more cheap for Sony to put some text in the game description (“Don’t buy this unless you have BLES-00399”) instead of checking the list of installed games. It’s also sad that Switzerland doesn’t have any laws to protect customers who buy over the Internet. Sony can put anything in the rules of the PSN and I can only weep. I can’t even sell or ebay things I buy on PSN.

Makes me wonder what happens should I ever have to move back to Germany. Will I have to buy all my games again? Or will Sony be nice and allow me to keep my Swiss PSN account even though I’ll lose my Swiss credit card? Maybe they’ll expect me to live close to the border, so I can still buy games. Or carry the PS3 over, hook it up to PSN via my mobile phone, so I can update the games I bought.

Some more frustration: Fallout 3 has left about 600 save games on my harddisk. It would take me approx. 24 hours to delete them (it’s a process that involves pressing eight buttons in the correct sequence).

Or how about this: I bought a Sony LCD TV because the PS3 can talk to my media server. I was naively assuming that the TV would work just like the console. Well, it doesn’t. I can watch photos and videos on my PS3 but not directly on the TV.

Well done. For some reason, Xbox and Wii sell better than the PS3. I wonder why. The PS3 looks so much better!

Software Design With Modern Languages

6. November, 2009

There is a nice series of articles on IBM’s developerworks by Neal Ford which talks about software design and how modern languages help to come up with a clear and cost-efficient design. To get a grasp why this is important, I like this quote:

Building software isn’t like digging a ditch. If you make compromises when you dig a ditch, you just get uneven width or unequal depth. Today’s flawed ditch doesn’t prevent you from digging a good ditch tomorrow. But the software you build today is the foundation for what you build tomorrow. Compromises made now for the sake of expediency cause entropy to build up in your software. In the book The Pragmatic Programmer, Andy Hunt and Dave Thomas talk about entropy in software and why it has such a detrimental effect (…). Entropy is a measure of complexity, and if you add complexity now because of a just-in-time solution to a problem, you must pay some price for that for the remaining life of the project.

Any software developer should be familiar with the concept of entropy and how it affects their lives.

In a later installment, Neal shows some reasons how modern languages allow to implement many of the design patterns by the GoF much more naturally with Groovy.

What’s Your Mission?

2. November, 2009

There is another nice article from Joel Spolsky: Figuring out what your company is all about. It’s all about

“We help $TYPE_OF_PERSON be awesome at $THING”

So what do you work on and how does it help your customers to be awesome with something? If you can’t answer this simple question, then you should sit down and ponder why not. It will help you to achieve your goals.

There is one point about the article, though. Joel says: “We help the world’s best developers make better software.” Uh … only the best? How about the vast majority, the good ones?