Wednesday, November 27, 2013

A Happy Thanksgiving(?) present from the company: Uncertainty stinks

Yesterday we got called in to an emergency town hall meeting at work. Thermo Fisher is in the process of acquiring Life Technologies. The European regulators decided that would make too large a company, and have required the company to divest itself of one particular business line.

That line is roughly 1/2 to 2/3 of what we do here in Logan. I.E. they are going to sell off half of our business unit.

What does that mean? We don't know. Most likely a new company will take ownership of that business and continue to operate it, and everyone will continue to have jobs, get paid, etc., just half of us will now work for a different company. Probably a competitor. But we won't know until the buyer is selected and the transaction is completed.

For some of us, it is less certain. Working in Information Technology, I cover both sides of the business, so what will happen to me? Which side will end up taking me? Or, since these two business units, belonging to two different corporations, are now half the size they were, will neither side choose to keep me? Or will this be my opportunity to "pursue other interests" (that's what they call it when they kick you out the door)?

I hate uncertainty. I hate not knowing what things are going to look like tomorrow, next week, next month, next year.

That's life though. Nothing is certain. And we have more warning than you typically get from... say... a Tornado, or Hurricane, or an Earthquake. And with a higher probability of a positive (or at least a non-negative) outcome. Who knows, maybe this is my opportunity to change my career to Computer or Software engineering (Aligned to my degree). Or maybe this is my chance to keep doing what I'm doing, only slightly less, so I can actually take my days off every year. Or... Who knows... Indeed...

Uncertainty...

Bleh....

Happy Thanksgiving.


Friday, November 22, 2013

Why?

I saw a share on Facebook quite a while ago, from this mommy blog, titled "My Kid's are not the center of my world".

I thought most of her points were good, though I expressed concern that perhaps us "old-timers" didn't necessarily have a good grasp on some aspects of modern day bullying. With the advent of social everything, and with a general social trend toward sarcasm and meanness (it is hard to find a sitcom that isn't primarily an insult tennis match), bullying has become much more sophisticated, coordinated, and focused. Many such incidents are more reminiscent of brainwashing and psychological torture techniques than the bullying I remember seeing.

A couple of days ago, I saw this news write-up of the blog post. Reviewing the comments, I think I am a minority opinion on the subject. Lots of responses about kids needing to toughen up, stop being wimps... about parents needing to stop hovering, stop being overprotective... a few comments about overreacting to "kids being kids".

And while I don't disagree with the sentiment that many need to be a little less sensitive, that parents need to let their children take a few knocks, and that we need to accept that people will sometimes misbehave...

As I was walking out to my car to drive home today, I thought about the "Kids will be kids" line, and found myself thinking.... Why?

Why do we just accept that kids are going to be mean to each other? Why is that normal? In many places now, home security systems are a standard feature. Millions (Billions?) of dollars are spent on security systems, cameras, sensors, alarms... for what purpose? What useful value do they serve? None! We buy them to protect us from thieves, robbers, home invaders. But why? Why is this an industry? Because theft is so common. We just accept it as a normal part of daily living....

Why? Why do we accept this as "the norm"? Why do we talk, act, and behave as though this is how it was, is, and always will be? Why will "boys be boys"?


In the Book of Mormon, Helaman, Chapter 6, there is a story about the Gadianton Robbers - a crime syndicate. They were the Mafia of the time. They would rob, plunder, bribe, extort... They would even assassinate government officials in order to place their own in positions of power. They wreaked havoc on the people in the Americas.


Then it tells us in verse 20 of this chapter:

20 And now it came to pass that when the Lamanites found that there were robbers among them they were exceedingly sorrowful; and they did use every means in their power to destroy them off the face of the earth.

And then in verse 37:

37 And it came to pass that the Lamanites did hunt the band of robbers of Gadianton; and they did preach the word of God among the more wicked part of them, insomuch that this band of robbers was utterly destroyed from among the Lamanites.
Why can't we do that? Is it really, truly not possible for us to expect better? Can't we at least try? Am I asking too much?

Managing Passwords

In a previous post, I gave some guidelines for creating good passwords (i.e. relatively long and random, and unique for at least sensitive accounts, if not all accounts).

So, how do you go about creating good passwords? And how do you manage them?

Well, I can share one trick for creating them, though I don't use it. One trick is to use a phrase, line from a song, or quote as your reference, and pick letters from it. An example: say you are a big fan of Bon Jovi, so you pick the phrase "Whoa, we're halfway there whoa, livin' on a prayer". You could select the first and last letter of each word, which would give you "WawehyteWal'onapr" as a password. That is 17 characters long, with a mix of upper and lower case letters, and since it had the word livin' in it, I also have the good fortune to be able to include a symbol. I could also easily add a number to the beginning or end, by counting the number of words, or maybe the number of letters in the last word (WawehyteWal'onapr6). That is long, random, and fairly easy to remember... so long as you don't have too many different passwords.

I have over three hundred passwords, each one unique. I have a fairly untrustworthy memory also. So I don't use that technique.

I use a program to store my passwords in an encrypted database, and I let it generate random passwords for each account for me.

I have used two different password managers, and I like both of them. One is Password Agent, a closed-source application by Moon Software. It is $25 for a single user license.

The other is KeePass Password Safe. KeePass is open-source and free (note there is a donation link; if you find the software useful, please consider donating. It is a good program, and people have invested considerable time to make it so).

I was going to link a howto for KeePass, but so far I am not satisfied with any that I have seen.
This YouTube video is pretty good, other than:

  • I would recommend going to keepass.info (the original source) to download it, rather than cnet (a third party repository).
  • For the master password, his example shows a good quality password. It is important that this password be hard to guess, since it is the password that grants access to all your passwords. Another possibility is to use a phrase instead of a password (like "I am a really big fan of tom8to spam sandwiches."). Whatever you use here, you MUST REMEMBER IT! If you forget this password, you have lost access to all your passwords!!!
  • As a matter of protecting your data, you must make sure you have a good backup of your password file. You can also print the password database, place the printout in a sealed envelope and store it in a fireproof safe.
  • One other point he misses: in addition to the executable installer, there is also a zip file, which allows you to place the program on a thumb drive that you can carry around with you and use on any computer (make sure you have a copy of your password file on the thumb drive). There are also versions for iPhone, Android phones...


This video is another good one that catches a few of the things the previous one misses, though he makes a few mistakes as well. Between the two, you should get a good idea of how it works.


But both of these videos fail to actually show you what to do after you enter the username and password.

The short version: if you have populated the username, password, and URL fields of an entry, the easy way to use it is to:

  • select the entry you wish to use and press ctrl+u to autolaunch the URL in your default web browser
  • make sure the cursor is in the username field on the web page
  • press ctrl+alt+k to return to keepass
  • press ctrl+u to have keepass transmit the username and password to the page.

Hopefully that is enough to get you started. Maybe if there is interest, I will put together a more complete tutorial.


So either of those is a good option. Next time I will show you an option for safely keeping your passwords on a piece of paper in your wallet.

Saturday, November 16, 2013

Good passwords guide



Since I trash talked biometrics in my last post, I decided I should offer some advice regarding passwords.

What makes a password good? Well, the main feature of a good password is that it is hard to guess.
In the worst case, the hacker has somehow managed to get hold of the password database, which means they can guess passwords as fast as their computer will run through them. I believe the current record is roughly 350 billion guesses in one second. That was on a miniature supercomputer: a box with special cards designed for performing advanced computations rapidly. It's a fairly expensive setup, and most hackers are not likely to have that kind of power available to them currently, so it makes a good top end number for now (Moore's law suggests that the rate of calculation will double every two years or less).

So now it is a numbers game. It goes something like this. The first pass of guessing will be the easy stuff. They will try common passwords, dictionary words (yes, any language), two words together, words with a number... Once those are used up, it's time to start checking for random passwords. That means trying every possible combination of letters, numbers and symbols (aaaa, aaab, aaac, aaad, ...). Since most systems now require at least a 6 character password, that is what will be tried first: every possible combination of letters, numbers, and symbols six characters long. Then they will try seven characters, then eight, and so on.

Treating this as a game of averages, the hacker is on average going to have to try one half of all those possible combinations in order to correctly guess your password. So you want to pick a password from a pool with enough possible combinations that it will take the hacker longer to try half of them than it takes for you to change your password. That way, by the time he has guessed your password, you have changed it.

There are two factors, then, that increase the complexity of the password: the number of possible characters in each position, and the number of positions. Below is a chart showing the effects of increasing the possible character types and the number of characters.


Possible combinations

Characters                               # of chars   6 characters   8 characters   12 characters   20 characters
a-z                                      26           308915776      2.08827E+11    9.5429E+16      1.99281E+28
a-z,A-Z                                  52           19770609664    5.34597E+13    3.90877E+20     2.08962E+34
a-z,A-Z,0-9                              62           56800235584    2.1834E+14     3.22627E+21     7.04423E+35
a-z,A-Z,0-9,!@#$%^&*()[]{},.<>;:'"-_=+   88           4.64404E+11    3.59635E+15    2.15671E+23     7.75628E+38

If we take our guess rate of 350 billion per second:

An eight character password - utilizing upper and lower case letters, numbers and symbols - will be guessed (on average) in 1.5 hours.

A twelve character password using just letters and numbers (no symbols) will take on average 145 years to guess. If you add in the symbols, that number goes to 10 thousand years.

A twenty character password using the full range of characters will take on average 30 quintillion years to guess. It is going to be a while before computing power is sufficient to bring that number down to a practical time to brute force attack.
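To make the numbers in the chart and the time estimates above reproducible, here is an added calculator (example code, not part of the original post). It uses the post's 350 billion guesses per second and its half-the-keyspace rule of thumb, and it goes one step further than the post by also computing the minimum length needed for a given password rotation interval; the pool sizes and the rotation interval are the only inputs.

```python
from math import log2

GUESSES_PER_SECOND = 350_000_000_000      # the record guess rate the post quotes
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character pools as the post's chart lists them (88 = letters, digits, 26 symbols)
POOLS = {"a-z": 26, "a-z,A-Z": 52, "a-z,A-Z,0-9": 62, "a-z,A-Z,0-9,symbols": 88}


def combinations(pool_size: int, length: int) -> int:
    """Size of the search space: every position can hold any of pool_size characters."""
    return pool_size ** length


def average_seconds_to_guess(pool_size: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """On average the attacker exhausts half the space before hitting the password."""
    return combinations(pool_size, length) / 2 / rate


def average_years_to_guess(pool_size: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    return average_seconds_to_guess(pool_size, length, rate) / SECONDS_PER_YEAR


def entropy_bits(pool_size: int, length: int) -> float:
    """The same information as the chart, expressed as bits of entropy."""
    return length * log2(pool_size)


def min_length_for_rotation(pool_size: int, rotation_years: float, rate: float = GUESSES_PER_SECOND) -> int:
    """Smallest length whose average guess time exceeds the rotation period.

    This generalises the post's argument: choose the pool and the rotation
    interval you actually use, and read off how long the password must be.
    """
    length = 1
    while average_years_to_guess(pool_size, length, rate) < rotation_years:
        length += 1
    return length


def chart(lengths=(6, 8, 12, 20)) -> dict:
    """Reproduce the post's chart: pool name -> {length: possible combinations}."""
    return {name: {n: combinations(size, n) for n in lengths} for name, size in POOLS.items()}


if __name__ == "__main__":
    for name, size in POOLS.items():
        for n in (8, 12, 20):
            print(f"{name:<22} {n:>2} chars: {entropy_bits(size, n):5.1f} bits, "
                  f"{average_years_to_guess(size, n):.3g} years on average")
    print("12-month rotation, letters+digits:", min_length_for_rotation(62, 1.0), "characters")
```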

So the first rule of good passwords: make them at least twelve characters long, random, and composed of a mix of small and capital letters, numbers, and symbols.

The second rule is don't use the same password for different systems. Why? Say the hacker sets up a fake page that looks like the Facebook login, and captures your password. That stinks. He's got access to your Facebook. It stinks even more if you used that same password for all your banking sites, and he starts transferring money, making PayPal purchases, using your credit card...
You might cheat with your social and email sites, but never never never use the same password for financial sites.

The third rule is to change your passwords regularly. There is still the risk that someone might catch a glimpse over your shoulder or capture it using some social engineering scam. So it is a good practice to change them once in a while, just as a precaution. How often? Most paranoid experts aim for every 30-90 days. I lean more toward every 6-12 months personally. Realistically, if you are using long, random passwords, and you are good about applying safe computing practices, you should be safe going several years between password changes on some systems. I'd still err on the side of caution when it comes to financially related sites, or sites with sensitive information.

But those rules which make for good passwords do create a rather serious problem. How does one manage a whole bunch of long, hard-to-guess passwords?

I’ll share some strategies next time.

Thursday, November 14, 2013

Biometrics: Reality Check

I saw this article on biometrics today. The article starts with a fairly practical discussion regarding using biometrics (fingerprint scans, retina scans...) to identify people. It then moves into the (to me) uncomfortable territory of using biometrics to replace passwords. The idea is that you can scan your fingerprint, or retina, or..., and that will be sufficient to identify you as you to your computer, your car, the store, ... No more passwords to remember. How wonderful would that be?

I cringed a bit at that. I cringed even more after reading one comment in particular. It started out as a sales pitch for the iPhone; talking about how great and secure the biometric features are in the new one. A few eye-rolls later and I get to this part...

"Hackers and thieves want you to think biometrics are not secure. Don't be fooled. Hackers love cracking passwords, and they do it all the time. But a password married to a biometric authentication makes it far more difficult for them, and they will do or say anything to try to keep people from adopting these new layers of security. Every PC and tablet should function in the same way to put an end to most remote hacking."

I'm thinking people are learning too much about security from the movies. You frequently see the "hacker" pull out some little gizmo, or run some program that interfaces with the password challenge, and proceed in a matter of a few seconds to discover the password one character at a time.

It doesn't work like that.

In most modern systems, your password is stored as an encrypted entry in a password database, which is only readable by a very few system accounts (the super admin, the backup system, ...). When you enter your password, assuming the application developers are not idiots, the password is passed from your computer through a secure channel to the authentication system. It runs the encryption algorithm on the password and passes the result to the password query system, which compares it against the entry in the database: if they match, it returns a "yes" and you are granted access; if they don't match, it returns a "no" and you are not granted access.

To remotely guess your password, the "hacker" has to try a password, then another, then another... until he manages to stumble on the right one. That could take hours, days, or years (unless you use a really bad password). Most good systems now will detect bad password attempts and will alert when multiple bad attempts occur in a short time frame.
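The two mechanisms just described, the stored-entry comparison and the alert on repeated bad attempts, as an added example that is not from the original post. It models the post's "encrypted entry" as a salted, iterated hash (PBKDF2, which is what modern systems actually store rather than a reversible encryption) and runs a simple detector over a constructed list of login events; the PBKDF2 parameters, the 5-failures-in-60-seconds threshold and the sample accounts are all assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 200_000                     # assumed work factor; slows offline guessing


def make_entry(password: str) -> dict:
    """Create the database entry: a random per-user salt plus the derived hash.
    The plaintext password is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(entry: dict, attempt: str) -> bool:
    """The 'password query system': re-run the algorithm on the attempt and
    compare in constant time, returning only yes/no."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), entry["salt"], ITERATIONS)
    return hmac.compare_digest(digest, entry["hash"])


def flag_guessing(events, max_failures: int = 5, window: int = 60) -> set:
    """Return the accounts with more than max_failures failed logins inside
    any `window` seconds. events: iterable of (timestamp_seconds, account, success)."""
    failures = defaultdict(list)
    flagged = set()
    for ts, account, ok in sorted(events):
        if ok:
            continue
        recent = [t for t in failures[account] if ts - t < window]
        recent.append(ts)
        failures[account] = recent
        if len(recent) > max_failures:
            flagged.add(account)
    return flagged


# Constructed sample log: alice fails six times in 15 seconds (an online guessing
# pattern), bob mistypes twice an hour apart (normal user behaviour).
SAMPLE_EVENTS = [
    (0, "alice", False), (3, "alice", False), (6, "alice", False), (9, "alice", False),
    (12, "alice", False), (15, "alice", False), (18, "alice", True),
    (0, "bob", False), (1800, "bob", False), (3600, "bob", True),
]

if __name__ == "__main__":
    entry = make_entry("WawehyteWal'onapr6")   # the post's own example password
    print("correct password accepted:", verify(entry, "WawehyteWal'onapr6"))
    print("wrong password rejected:", not verify(entry, "WawehyteWal'onapr"))
    print("accounts to alert on:", flag_guessing(SAMPLE_EVENTS))
```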

To get around this, the "hacker" could steal the password database; then he can run a program on his local computer to rapidly try guesses. If your password is shorter than twelve characters, or is a dictionary word, or two words put together, or one or two words with a number somewhere, and he has some reasonably powerful computing resources, he stands a fair chance of getting it within a week. If your password exceeds 12 characters and is reasonably random, it could take years. (As computers become more powerful, this time will grow shorter, and your password will have to be longer.) But, to steal the password database, he has to obtain admin access to the system. If he has full access to the system, does he even need to waste his time figuring out your password?

Most modern "hackers" aren't interested in your password. That is just a means to an end. What they really want is your bank account, credit card information, something that allows them to obtain money. It is a business, and like any other business, the goal is profit. Spending weeks trying to guess your password so they can steal a hundred bucks is not efficient. Being smart businessmen, they prefer to work smarter, not harder.

So they employ social engineering. They get you to go to a web page that looks like your bank's web page, and enter your username and password. Or they get you to download and run a program that scours your hard drive for banking information, or that records your keyboard activity. It's less work.

So what is biometrics really going to do for this? Not very much in most cases. Most biometric systems can be gamed (collect a fingerprint and copy it onto latex, gelatin...). Biometrics fail in some circumstances (I remember a bank that put fingerprint readers into their ATMs in a coal mining town; the coal dust gummed them up, and the fingerprints of half the clientele were 'sanded' off by work and thus virtually unreadable).

Then there are the unanswered questions that really make me nervous.

Like, do I really want to risk having some nut cut off my hand or gouge out my eyeball so he can get into my bank account? Many of the scanners actually have mechanisms to prevent this strategy from working, but will the stupid criminal know that?

Of greater concern, what happens if a "hacker" gets hold of the biometric database? If they get the password database, you can change your password (so long as you are notified), and that is the end of it. If they have your fingerprint, or your retina, how exactly are you going to change that?


Tuesday, November 12, 2013

Why I am leery of "The Cloud"

I am very reluctant to use web based applications. I avoid DRM'd content, and even with local applications, I shy away from proprietary file formats (I am pretty neutral on open source, but media/document formats and standards are another matter altogether). All of these create artificial roadblocks to the safety and security of my data.

How can I be certain the vendor won't go out of business, or at the very least stop supporting the specific app? How can I be sure they are sufficiently protecting my data?

I can't.

I'm not feeling all that warm and fuzzy about "The Future is in the cloud"...