This is a big week-- I've been tremendously busy with work and being sick lately, but stuff is happening with or without me. Core i7 released today, although motherboard and RAM prices will keep it from the mainstream for now. Tomorrow is the grand re-launch of the XBox360 with the New Xbox Experience.
Exciting times!
Monday, November 17, 2008
Thursday, November 6, 2008
WPA Encyrption hacked, 15 minutes to heaven
PC World is reporting that a "mathematical breakthrough" combined with a method for forcing a router to give you lots of good samples of encrypted data allows for a non-dictionary attack against the TKIP encryption algorithm behind WPA. Researchers expect that WPA encryption can be cracked in 12-15 minutes given modern hardware. Combine that with a high power antenna, and you should be very concerned if you have routers and systems using WPA to carry sensitive data.
Aircrack-ng is already being updated to take advantage of the latest vulnerability, so this attack is in the wild now or will be shortly. (props to DownloadSquad for the info.)
As you should already know, WEP encryption is trivial to bypass, and while WPA2 isn't officially "cracked" yet, significant advancements in parallel processing using CUDA allow for much faster brute-force cracking of WPA2. That would still require a very high end system with lots of local storage over a 24+ hour period to crack, but the impractical is now possible.
So with anything below WPA2 being easily exploitable, using WiFi without additional encryption layers (SSH, VPN, etc.) is becoming too risky for any kind of sensitive data. Be careful out there...
Aircrack-ng is already being updated to take advantage of the latest vulnerability, so this attack is in the wild now or will be shortly. (props to DownloadSquad for the info.)
As you should already know, WEP encryption is trivial to bypass, and while WPA2 isn't officially "cracked" yet, significant advancements in parallel processing using CUDA allow for much faster brute-force cracking of WPA2. That would still require a very high end system with lots of local storage over a 24+ hour period to crack, but the impractical is now possible.
So with anything below WPA2 being easily exploitable, using WiFi without additional encryption layers (SSH, VPN, etc.) is becoming too risky for any kind of sensitive data. Be careful out there...
Tuesday, November 4, 2008
MS08-067 in the wild
It appears that at least two credible variants of worms based on the MS08-067 exploit have gone live.
I'm fully (and I do mean fully patched) and your organization should be too.
I'm fully (and I do mean fully patched) and your organization should be too.
Monday, November 3, 2008
Amazon: No more Wrap Rage!
OK, so maybe this isn't the most high-level IT topic I've covered, but I've got to hand it to Amazon for trying to find a serious solution for a serious problem. They're working with manufacturers to eliminate overpackaged, hard-to-open containers for merchandise!
While on some level, Mother Nature is breathing a sigh of relief, there are also tangible benefits in terms of cost and frustration as well as weight. Heck, there's a closet-industry built up around devices to open modern blister packs!
In my day toys came in a cardboard box, possibly with some assembly required and with at most a small plastic window to see some of the contents inside. The current trend of exposing as much of the toy as possible in a demo mode is so ungodly frustrating to me that it makes me want to strangle kittens. Knowing that I'll be undoing half a roll of tape and a few dozen steel twist-ties is frustrating!
Just package the stuff in an appropriate, but not overdone package. A lot of computer stuff is already very lucky in this regard, but tons of consumer-oriented gear is not. Nobody is putting their greasy mitts on an Amazon product in a retail store. You don't have to compete with other items on the shelf. It's all going to ultimately come in a plain brown wrapper no matter what, so let's save time, material, plastic, frustration, etc. and see some more sensible packaging. Good job, Amazon! Keep it up.
While on some level, Mother Nature is breathing a sigh of relief, there are also tangible benefits in terms of cost and frustration as well as weight. Heck, there's a closet-industry built up around devices to open modern blister packs!
In my day toys came in a cardboard box, possibly with some assembly required and with at most a small plastic window to see some of the contents inside. The current trend of exposing as much of the toy as possible in a demo mode is so ungodly frustrating to me that it makes me want to strangle kittens. Knowing that I'll be undoing half a roll of tape and a few dozen steel twist-ties is frustrating!
Just package the stuff in an appropriate, but not overdone package. A lot of computer stuff is already very lucky in this regard, but tons of consumer-oriented gear is not. Nobody is putting their greasy mitts on an Amazon product in a retail store. You don't have to compete with other items on the shelf. It's all going to ultimately come in a plain brown wrapper no matter what, so let's save time, material, plastic, frustration, etc. and see some more sensible packaging. Good job, Amazon! Keep it up.
Intel: i7 first benchmarks released.
I'm not going to rehash what's out there, and what's out there is still pouring in, but Core i7 is fast. Big surprise there. Here are some early reviews:
Maximum PC
TechSpot
PC Perspective
Expect mass-market acceptance by Q2-Q3 of '09, but with the Core i7 920 at around $270, that's tempting for a midrange + system now. i7 Xeon benchmarks are still MIA as far as I can tell, but expect similar performance.
Shanghai will be good, but Intel has so much breathing room now... things are looking grim over at the green camp.
Maximum PC
TechSpot
PC Perspective
Expect mass-market acceptance by Q2-Q3 of '09, but with the Core i7 920 at around $270, that's tempting for a midrange + system now. i7 Xeon benchmarks are still MIA as far as I can tell, but expect similar performance.
Shanghai will be good, but Intel has so much breathing room now... things are looking grim over at the green camp.
Thursday, October 23, 2008
Windows: Vulnerability MS08-067
I don't normally beat the dead horse with Windows patch news, but this one is bad. Microsoft released an out-of-band patch this morning with MS08-067.
This vulnerability affects all current shipping Windows versions, with worm-style propagation being a very real likelihood. Versions of Windows 2000 and XP Pre SP2 are highly vulnerable, with some XP SP2+ and Windows Server 2003 systems being exploitable under certain common/popular firewall conditions.
Vista and Server 2008 appear to be exploitable, but only in terms of a DDoS type attack. Remote Code Execution has not yet been shown on a Vista system.
As of 12:30 PM Pacific Time, Microsoft reports attacks in the wild. This could be the next Blaster/Sasser type attack, so get patching!
This vulnerability affects all current shipping Windows versions, with worm-style propagation being a very real likelihood. Versions of Windows 2000 and XP Pre SP2 are highly vulnerable, with some XP SP2+ and Windows Server 2003 systems being exploitable under certain common/popular firewall conditions.
Vista and Server 2008 appear to be exploitable, but only in terms of a DDoS type attack. Remote Code Execution has not yet been shown on a Vista system.
As of 12:30 PM Pacific Time, Microsoft reports attacks in the wild. This could be the next Blaster/Sasser type attack, so get patching!
Thursday, October 16, 2008
Apple: MacBook/Pro teardowns
iFixit has a great page showing a teardown of the new MacBook and MacBook Pro for those of us who actually and unfortunately know what the inside of a notebook should look like.
The big win? Hard drive replacement is MUCH easier on the new MacBooks Pros!
The WTF moment? Neither a DisplayPort to VGA or DisplayPort to DVI adapter is included with your $2000+ computer. It's a $29 option from Apple. I have yet to see 3rd party alternatives, but no doubt they're coming, and for a fraction of that price. (Yeah, I know DisplayPort is the New Hotness, but there aren't any monitors for it yet...)
The big win? Hard drive replacement is MUCH easier on the new MacBooks Pros!
The WTF moment? Neither a DisplayPort to VGA or DisplayPort to DVI adapter is included with your $2000+ computer. It's a $29 option from Apple. I have yet to see 3rd party alternatives, but no doubt they're coming, and for a fraction of that price. (Yeah, I know DisplayPort is the New Hotness, but there aren't any monitors for it yet...)
Tuesday, October 14, 2008
Windows 7: Hope you like the name.
Well, the product that started as Blackcomb, then codename Windows 7 will officially be called... (drum roll please)... Windows 7!
Never mind that it's a lot closer to a "6.1" version, this may mark the return to relatively sensible version naming at Microsoft.
Coincidence that Nehalem has been named i7? Windows 7 on i7? Sounds like a match made... somewhere.
Intel: Best Quarter Ever
Intel just reported their best quarter ever with a gross margin of 59% while still selling most products at very competitive prices. The worst part? They don't expect the downturn to make that much of a dent by Q4. Even if things look bleaker long term, that's a helluva war chest.
Poor AMD.
Apple: New Notebooks!
It's official. I'm not going to say anything that hasn't already been said, but Apple has refreshed its MacBook line as well as the MacBook Pro 15.4" and MacBook Air.
The old MacBook soldiers on as a slightly reduced cost base model, with rumors of an $899 model coming in below the current base model's $999 price.
The new MacBook is still in 13.3" flavor, but sports a new billet aluminum body & frame with an all-glass, no button touchpad. The touchpad is capable of up to 4-touch sensitivity and supports gestures. At least as importantly for the MacBook, Apple is going with an nVidia GeForce 9400M mobile chipset with integrated GPU. The non-legacy MacBooks now have a 'real' video solution that's acceptable for basic to moderate 3D use! Other nice features include LED backlighting and a backlit keyboad, but gone are the Firewire ports.
I'm not sure what the video output options are, but it looks like a DVI port is out, replaced by Apple's mini-DisplayPort. A breakout box here should do the DVI, VGA and possibly regular DisplayPort and HDMI connectors. We'll see as these start shipping as to what's available in the box.
This model is almost a bridge between the current MacBook Pro and the older MacBooks. They look much more similar and are in much closer parity in terms of design and content. Pricing should reflect this, as the "new" MacBooks are a little spendy relative to the models they replaced, and the older design is already discounted.
The MacBook Pro 15.4" shares all of the features of the MacBook, adding an option for a 9600M GPU for more serious graphics and FireWire is back, but only in FW800 flavor.
The MacBook Air was all-new this year already, so the changes are less dramatic. Options for bigger hard drives, faster CPUs and a speed-reduced 9400M have been announced. A mini-display port is available as well, but the Kensington lock port appears to still be MIA.
A 24" Apple Cinema Display LCD monitor to match the MacBook was also announced. It looks slick, sporting an LED backlight. Unfortunately, it's a bit rich for the current 24" market, coming in at $899.
What wasn't announced was a replacement (or price adjustment) for the current 17" MacBook Pro. For now, it soldiers on. A replacement is sure to be imminent.
Unsaid in all of this is what matters most to me: manageability! Easy replacement for hard drives, RAM, etc. remains up in the air. I suspect the new cases will still be a bitch to open and work with; the current MBPs are the bane of techs everywhere. The lack of Firewire leaves the Migration Assistant and Firewire Target mode in doubt. The Migration Assistant can work via other means, but I'm curious to see what 10.5.6 and beyond will offer to mitigate the loss of Firewire as a management and recovery tool.
Samung: Now with Notebooks!
OK, well this isn't news for anybody outside the US, but it is for us. Samsung has been competitive in the world notebook market for a while now, but back in the dim mists of time, they had agreed to be an OEM for Dell, and as such, left the US market alone. Engadget reports that the times, they are a changin'. The last Samsung-made Dell of any note was the Latitude X1, and before that, most of the small form factor Latitudes at least as far back as the Latitude LS. We haven't been able to even sample their larger offerings, and this is all-around good news for consumers.
Sammy is entering the U.S. Netbook market at the same time with the NC10. This should open up some competition among "premium" netbooks.
Sammy is entering the U.S. Netbook market at the same time with the NC10. This should open up some competition among "premium" netbooks.
Wednesday, October 8, 2008
Intel Strikes Back: the poison pill edition
It looks like Intel is trying to block the AMD/Foundry deal-- AMD and Intel cross license each others' Intellectual Property very heavily and they object. This would transition some Intel IP to probably be used by Foundry, and Intel and Foundry do not cross-license. I expect this to get a little legally ugly here, as Intel has the upper hand. If AMD pulls x86-64, that would really hurt Intel, but without x86, AMD is deader than dead.
Tuesday, October 7, 2008
AMD goes Fabless
Well, it's official. AMD is spinning this pretty hard, but they are selling all of their Fabs and will no longer be manufacturing their own CPUs. AMD sold off all of their Fabs worldwide in a deal with ATIC -- Advanced Technology Investment Corporation. ~3000 AMD employees will transition to the new company/joint venture which will be named Foundry.
The Inquirer is already dubbing the joint venture Arabian Micro Devices, and I can't say that I disagree. I'm concerned that this is funded ultimately through ATIC by the Emirate of Abu Dhabi itself. Yes, AMD will retain 45% share in stock, but if things turn sour the already troubled chipmaker is now at the mercy of the new managers of its former Fabs as well.
Obviously a lot of chipmakers operate in a fabless manner. I've had some experience with Silicon Labs-- a company that has never owned or operated a Fab, but still does OK for itself. Certainly the advantage is that you don't have to specialize in desiging, building and operating the Fab itself in a manner that recoups your huge facility investments in the most efficient manner possible. That frees you up to concentrate on design and be more agile... but it also prevents you from having any direct control of Fab outputs. Not getting enough ICs? Bad yields? They can't just shuffle production around by fiat to get the outputs they need.
If this were such a positive deal, why wouldn't AMD have gone for this 5 years ago, when Fabless started to become the new awesome thing? They were already having problems with their own fabrication processes. Chartered Semiconductor is already doing Fabrication for them as a partner, and ATI produces their chips through TSMC. This is a clear sign of desperation to be doing it now, and they're lucky to have found a suitor willing to take on ~$1.3 billion in debt along with a $700 million set of fabrication assets.
I've got to admit, I'm a little nostalgic at the news. I lived a few blocks from the K5 Fab (Fab 25) as it was spinning up in the mid 90's. I sat at the bus stop many a day and watched AMD hotshots drive past in their Lotus Esprits. Those days are not to return.
The Inquirer is already dubbing the joint venture Arabian Micro Devices, and I can't say that I disagree. I'm concerned that this is funded ultimately through ATIC by the Emirate of Abu Dhabi itself. Yes, AMD will retain 45% share in stock, but if things turn sour the already troubled chipmaker is now at the mercy of the new managers of its former Fabs as well.
Obviously a lot of chipmakers operate in a fabless manner. I've had some experience with Silicon Labs-- a company that has never owned or operated a Fab, but still does OK for itself. Certainly the advantage is that you don't have to specialize in desiging, building and operating the Fab itself in a manner that recoups your huge facility investments in the most efficient manner possible. That frees you up to concentrate on design and be more agile... but it also prevents you from having any direct control of Fab outputs. Not getting enough ICs? Bad yields? They can't just shuffle production around by fiat to get the outputs they need.
If this were such a positive deal, why wouldn't AMD have gone for this 5 years ago, when Fabless started to become the new awesome thing? They were already having problems with their own fabrication processes. Chartered Semiconductor is already doing Fabrication for them as a partner, and ATI produces their chips through TSMC. This is a clear sign of desperation to be doing it now, and they're lucky to have found a suitor willing to take on ~$1.3 billion in debt along with a $700 million set of fabrication assets.
I've got to admit, I'm a little nostalgic at the news. I lived a few blocks from the K5 Fab (Fab 25) as it was spinning up in the mid 90's. I sat at the bus stop many a day and watched AMD hotshots drive past in their Lotus Esprits. Those days are not to return.
Friday, October 3, 2008
Quote of the Day
Admin Tip: 24 Free/OSS Admin Tools
Download Squad had a great article recently listing 24 open-source, free tools for admins and technicians. I'm already sold on PuTTY, DBAN, Memtest86/Memtest86+ and 7-Zip, but there are some real gems out there that I hadn't even heard of.
WCD in particular scratches an itch I've had since giving up Norton ncd many a year ago and being spoiled by locate under *nix. You do need to know how to manually set a Path variable, but otherwise it works as advertised.
They did have one recommendation that is good, but I think you can do better... Visualization tools for data are invaluable in giving you a meaningful picture (literally) of what is and is not taking up space. They recommend a product called WinDirStat.
WinDirStat looks like a re-working of the same concept that was pioneered by SequoiaView: "Cushion Treemaps" to visualize data. The strength of this method is that it can show individual files and folders easily by size and type, and groups them together, but the weakness is that it lacks a true hierarchical view. It's also a very busy interface which makes it hard to tell usage in terms of rough percentages or amounts. Unfortunately, SequoiaView lacks any type of obvious licensing. You're probably safe to use it for any purpose, but it's not OSS. It's also rapidly aging, so WinDirStat looks like a great replacement.
There are times when it is the best tool for the job, but for a first-pass on a Windows system I prefer an application called Scanner, written buy a guy named Steffan Gerlach. The licensing is also unclear, but presumed freeware with the source supplied. This app has the strength of being able to show disk usage as a pie chart, with a hierarchical view. It lacks color coding by file and doesn't show individual files at all until you drill down into that directory. It is, however, nice and portable, so you can run it from a USB drive or a network share.
Between the two, you should have pair of complementary products that'll allow you to better manage your storage.
WCD in particular scratches an itch I've had since giving up Norton ncd many a year ago and being spoiled by locate under *nix. You do need to know how to manually set a Path variable, but otherwise it works as advertised.
They did have one recommendation that is good, but I think you can do better... Visualization tools for data are invaluable in giving you a meaningful picture (literally) of what is and is not taking up space. They recommend a product called WinDirStat.
WinDirStat looks like a re-working of the same concept that was pioneered by SequoiaView: "Cushion Treemaps" to visualize data. The strength of this method is that it can show individual files and folders easily by size and type, and groups them together, but the weakness is that it lacks a true hierarchical view. It's also a very busy interface which makes it hard to tell usage in terms of rough percentages or amounts. Unfortunately, SequoiaView lacks any type of obvious licensing. You're probably safe to use it for any purpose, but it's not OSS. It's also rapidly aging, so WinDirStat looks like a great replacement.
There are times when it is the best tool for the job, but for a first-pass on a Windows system I prefer an application called Scanner, written buy a guy named Steffan Gerlach. The licensing is also unclear, but presumed freeware with the source supplied. This app has the strength of being able to show disk usage as a pie chart, with a hierarchical view. It lacks color coding by file and doesn't show individual files at all until you drill down into that directory. It is, however, nice and portable, so you can run it from a USB drive or a network share.
Between the two, you should have pair of complementary products that'll allow you to better manage your storage.
Saturday, September 27, 2008
HP - Decoding HP Notebook Codes
I'll get this out there right up front: I'm not a fan of HP notebooks. Partially, becuase I've had limited exposure and find their model lineup frustratingly complex and partially because what experience I've had has tended to be dealing with reliability/repair issues on the cheap consumer models.
Still, I've finally been able to get a good decoder for the business line:
First number
6 = mid-range business
8 = high end
2 = ultraportable
Second number:
The higher the 2nd number the better generally, it denotes a market segment.
Third number:
year
10 = 2007
30 = 2008
4th number:
0 = Intel
5 = AMD
Final position: code letters:
s = cheap/value edition - lower end screen, no docking connector except USB solutions
b = mainstream business
p = professional business e.g. 6910p, 8510p
w = mobile workstation e.g. 8510w 8710w
If somebody has a better way to decode models, I'm all ears.
Still, I've finally been able to get a good decoder for the business line:
First number
6 = mid-range business
8 = high end
2 = ultraportable
Second number:
The higher the 2nd number the better generally, it denotes a market segment.
Third number:
year
10 = 2007
30 = 2008
4th number:
0 = Intel
5 = AMD
Final position: code letters:
s = cheap/value edition - lower end screen, no docking connector except USB solutions
b = mainstream business
p = professional business e.g. 6910p, 8510p
w = mobile workstation e.g. 8510w 8710w
If somebody has a better way to decode models, I'm all ears.
Wednesday, September 24, 2008
LG 70 HDTV/Monitor
LCD prices for all types of panels have been contracting recently, but I'm very impressed with how much you can get for so little nowadays. I went shopping for a presentation display for work and brought an LG LG70 42" TV/Display. This is still a somewhat cost-reduced model when compared with flagship-style Sony products, but for $1099, I got a 42" 1080P screen that works flawlessly when hooked up to a computer via VGA. The TV detected the input immediately and asked if I wanted to "enjoy" this new connection now. The screen was set up immediately, correctly, and absolutely no waves, jaggies, dead/stuck pixels or "snow" were evident when using VGA. If I didn't know better, I would have sworn it was a digital signal.
My only beef is the dark, sparkly red stripe around the outside of the unit. It hides all of the buttons except for power and frankly looks a bit too "boy racer."
All in all, I'm very impressed at what's out there now for so little. If only I had the money for one of my own... it would make a kicking monitor.
Monday, September 22, 2008
Apple: In praise of XQuartz
As with many things Apple, The Jobs and crew like to bless a lot of common projects before distributing versions on the Mac. Recently, however, I came across some problems with the Apple distribution of X11 (an optional component on the OS disk) on 10.5.4. When launched, the App would appear in the dock, then disappear, then reappear again a few times. Checking the running processes, it started then entered a zombie state almost immediately-- before any logs get written.
The first system was a fairly modern MacBook Pro, but had a user profile that was migrated from a PPC Powerbook. Thinking this may be the problem, I uninstalled and then reinstalled X11 to no avail from the OS disk. I stepped through all kinds of diagnosis, running updates, clearing caches, checking all the config and shell profile files with no luck. I finally stumbled on a suggestion to try the XQuartz version of X11. Apple uses the XQuartz project as a basis for building their X11 distribution, but apparently don't do a good job all the time. The XQuartz version dropped right in and works great. The only downdside was that it requires a logoff.
The problem occurred the very next day for me on a PPC Mac running 10.5.4, so the problem may be something in the OS or configs we use. It doesn't appear to be platform-based. The same fix worked like a charm.
As some further notes, Apple may overwrite X11 with their point-releases of their OS, so reinstallation may be necessary at a later date. The X11 version, however, was last changed at 10.5.2, and was unchanged with the 10.5.3 and 10.5.4 releases.
The first system was a fairly modern MacBook Pro, but had a user profile that was migrated from a PPC Powerbook. Thinking this may be the problem, I uninstalled and then reinstalled X11 to no avail from the OS disk. I stepped through all kinds of diagnosis, running updates, clearing caches, checking all the config and shell profile files with no luck. I finally stumbled on a suggestion to try the XQuartz version of X11. Apple uses the XQuartz project as a basis for building their X11 distribution, but apparently don't do a good job all the time. The XQuartz version dropped right in and works great. The only downdside was that it requires a logoff.
The problem occurred the very next day for me on a PPC Mac running 10.5.4, so the problem may be something in the OS or configs we use. It doesn't appear to be platform-based. The same fix worked like a charm.
As some further notes, Apple may overwrite X11 with their point-releases of their OS, so reinstallation may be necessary at a later date. The X11 version, however, was last changed at 10.5.2, and was unchanged with the 10.5.3 and 10.5.4 releases.
Sunday, September 14, 2008
Linux - Linuxcommand.org
Just a quickie-- There are tons of Linux newbie guides on the 'net, but I found one that I like. The pages at linuxcommand.org show you not only the 'right' way to do things (starting with command line, pretty much distro-agnostic), but guide you on what you should know without a *nix basis.
Wednesday, August 20, 2008
Security: Passwords, Part III: Better, Stronger, Faster.
We looked at passwords and password strength in the context of a random password generator. That's a great tool and a wonderful ideal, but sometimes random strings can be a squeency bit hard to memorize and type.
Here are some tactics I've found for creating easily memorized passwords (with the understanding that you still need strong passwords and great security.)
I want to make one point, though, before I start: I've both been taught and seen that when you give people an example password, they will think that the example is itself a great password, and then use the example. Don't do that.
Acronyms: Take a phrase or sentence, using the first letters of each word. For example, "This password is for the backup administrator account" might become Tpiftbaa. That's not great (sufficiently random, but only 2 classes of character), but moving in the right direction.
Passcodes: Systems that will take a longer password can take a phrase or sentence in the form of a passcode. With the previous example, "This password is for the backup administrator account." could itself be the password. That's much stronger-- much longer and it adds the period as a third class of character, but remembering the little fiddly words can get tricky with these.
Patterns: Sometimes thinking outside the box is the key to a good password. Look at your keyboard and find a nice pattern. I'll use the keys on the left of a standard qwerty keyboard. Note that the keys make a cool "V" pattern-- hey, that's kinda random! "1qazse4" isnt' just a pattern on the keyboard, it's a decent password. The problem here is that somebody shoulder-surfing is much more likely to be able to pick up on your password because it makes an obvious pattern.
Transposing Characters: I hesitate to mention this one, because it's so easy to be lazy. Think you're 1337? Well, 'leet boy, you can use a "1" for an "i" or a "#" for an "H". This is a good tactic, but easy to abuse. "P@ssw0rd" is a very, very bad password- easily guessable. Use this tactic, but in conjunction with passwords that are good to begin with.
Mnemonics: Like anything memorized, attach them to other concepts or items-- or make up your own secret special meaning for your password. Pronounce it out loud in your mind-- just don't use things that are easily memorized but also guessable things about you.
Naughty Passwords: Since other mnemonics are often insecure, one trick you can use to make passwords more memorable is to use elements that are at least slightly naughty. Let's say your boss has a serious problem with rearward-facing pants bulge. Myb#aBFA would be a pretty good password! Breaking that down:
My
b(oss)
#(leet-h for has)
a
Big
Fat
Ass
Bet you won't forget that one so easily!
Here are some tactics I've found for creating easily memorized passwords (with the understanding that you still need strong passwords and great security.)
I want to make one point, though, before I start: I've both been taught and seen that when you give people an example password, they will think that the example is itself a great password, and then use the example. Don't do that.
Acronyms: Take a phrase or sentence, using the first letters of each word. For example, "This password is for the backup administrator account" might become Tpiftbaa. That's not great (sufficiently random, but only 2 classes of character), but moving in the right direction.
Passcodes: Systems that will take a longer password can take a phrase or sentence in the form of a passcode. With the previous example, "This password is for the backup administrator account." could itself be the password. That's much stronger-- much longer and it adds the period as a third class of character, but remembering the little fiddly words can get tricky with these.
Patterns: Sometimes thinking outside the box is the key to a good password. Look at your keyboard and find a nice pattern. I'll use the keys on the left of a standard qwerty keyboard. Note that the keys make a cool "V" pattern-- hey, that's kinda random! "1qazse4" isnt' just a pattern on the keyboard, it's a decent password. The problem here is that somebody shoulder-surfing is much more likely to be able to pick up on your password because it makes an obvious pattern.
Transposing Characters: I hesitate to mention this one, because it's so easy to be lazy. Think you're 1337? Well, 'leet boy, you can use a "1" for an "i" or a "#" for an "H". This is a good tactic, but easy to abuse. "P@ssw0rd" is a very, very bad password- easily guessable. Use this tactic, but in conjunction with passwords that are good to begin with.
Mnemonics: Like anything memorized, attach them to other concepts or items-- or make up your own secret special meaning for your password. Pronounce it out loud in your mind-- just don't use things that are easily memorized but also guessable things about you.
Naughty Passwords: Since other mnemonics are often insecure, one trick you can use to make passwords more memorable is to use elements that are at least slightly naughty. Let's say your boss has a serious problem with rearward-facing pants bulge. Myb#aBFA would be a pretty good password! Breaking that down:
My
b(oss)
#(leet-h for has)
a
Big
Fat
Ass
Bet you won't forget that one so easily!
Intel: Plenty o' News from the IDF
A lot of info is starting to stream out of IDF (courtesy News.com as they have a concise article.) Short takes follow:
A dual-core Atom is coming, but only for the "Nettop"/thin client segment. Intel doesn't feel that it's power-efficient enough for the "Netbook" mobile market.
A 6-core Dunnington Xeon is planned as Penryn's siren song.
Roadmaps for Nehalem are starting to get fleshed out, with on-die video options and an 8-core version announced.
And this is all before next week's nVidia announcements! Biggest rumor? nVidia breaks into the x86 market...
A dual-core Atom is coming, but only for the "Nettop"/thin client segment. Intel doesn't feel that it's power-efficient enough for the "Netbook" mobile market.
A 6-core Dunnington Xeon is planned as Penryn's siren song.
Roadmaps for Nehalem are starting to get fleshed out, with on-die video options and an 8-core version announced.
And this is all before next week's nVidia announcements! Biggest rumor? nVidia breaks into the x86 market...
Tuesday, August 19, 2008
Security: Passwords part Deux: When Passwords Go Bad
It's probably worth a few minutes to talk about what constitutes a bad password.
Anything guessable is bad. Anything that's easily compromised through brute force is bad.
OK phew, that was hard! Now, on to the specifics. Users often don't really have a clue about passwords in general and see them as at best a necessary evil and at worst a horrible pain in the ass. Users will go to heroic lengths to "beat the system." Getting around these problems often involves management, but at least be vigilant for what happens.
Using really poor passwords: People use the names of their kids, their pets, their address, their kids' birthdays, their pets' birthdays, etc. These are all very easily guessable, bad passwords. The ultimate cliche is a password of "password." BAD USER! NO COOKIE! You'll see other common passwords like favorite sports teams, TV/movie characters, cities, states, brand names, etc. used. Your defense against this is setting up a password system that requires complexity and tests for dictionary words and other likely bad passwords.
Practicing Poor Password Security: Taping your password to your monitor, the underside of your keyboard, or scribbling it on the bottom of the tissue box all happen, often. No matter how complex your passwords are, writing it down in a public space removes all security. Anybody who can get to their desk can get in with their passwords. All you can do is have a policy set up such that when this is caught, the user gets their proverbial hand spanked, changes their password immediately and is informed not to do it again.
Using the Same Password in too many Places: This is another easy one, but hard if not impossible to test for. At least encourage your users to use different passwords for work than for any other use and if you have a more secure network or if they act with higher privilege than normal, ask them to use a 2nd password for that task so that a single compromise won't compromise every system.
Re-using the same passwords excessively: So if you have a password policy that the user has to change the password monthly, and can't use the same one doesn't preclude the user from just having two passwords and rotating them monthly. You can set policy such that they can't re-use more than X number of passwords (3-6 is common.) That's actually pretty reasonable. If users rotate a larger number of passwords less frequenty, it's not so terrible. The danger comes in when users combat this annoyance by just changing one character or identifier in the same base password. If "Password1" just becomes "Password2", the whole point of rotating passwords has just been invalidated. If you can, ensure that when a user changes a password that it's >1 character different from the old one.
But sometimes, admins fail as well. I've seen a production database system that contained credit card data at a major company that was just secured by a password-- not a username/password pair. Understanding that people are lazy, a co-worker sat down one slow afternoon and tried strings. About one in four turned out to be a valid password. These weren't exotic strings either-- mostly sports teams, common dictionary words, etc. Thankfully the admins realized this was a huge security hole and fixed it in short order.
If you can, ensure that passwords are as complex as possible and be vigilant for users trying to undermine your best efforts.
Anything guessable is bad. Anything that's easily compromised through brute force is bad.
OK phew, that was hard! Now, on to the specifics. Users often don't really have a clue about passwords in general and see them as at best a necessary evil and at worst a horrible pain in the ass. Users will go to heroic lengths to "beat the system." Getting around these problems often involves management, but at least be vigilant for what happens.
Using really poor passwords: People use the names of their kids, their pets, their address, their kids' birthdays, their pets' birthdays, etc. These are all very easily guessable, bad passwords. The ultimate cliche is a password of "password." BAD USER! NO COOKIE! You'll see other common passwords like favorite sports teams, TV/movie characters, cities, states, brand names, etc. used. Your defense against this is setting up a password system that requires complexity and tests for dictionary words and other likely bad passwords.
Practicing Poor Password Security: Taping your password to your monitor, the underside of your keyboard, or scribbling it on the bottom of the tissue box all happen, often. No matter how complex your passwords are, writing it down in a public space removes all security. Anybody who can get to their desk can get in with their passwords. All you can do is have a policy set up such that when this is caught, the user gets their proverbial hand spanked, changes their password immediately and is informed not to do it again.
Using the Same Password in too many Places: This is another easy one, but hard if not impossible to test for. At least encourage your users to use different passwords for work than for any other use and if you have a more secure network or if they act with higher privilege than normal, ask them to use a 2nd password for that task so that a single compromise won't compromise every system.
Re-using the same passwords excessively: So if you have a password policy that the user has to change the password monthly, and can't use the same one doesn't preclude the user from just having two passwords and rotating them monthly. You can set policy such that they can't re-use more than X number of passwords (3-6 is common.) That's actually pretty reasonable. If users rotate a larger number of passwords less frequenty, it's not so terrible. The danger comes in when users combat this annoyance by just changing one character or identifier in the same base password. If "Password1" just becomes "Password2", the whole point of rotating passwords has just been invalidated. If you can, ensure that when a user changes a password that it's >1 character different from the old one.
But sometimes, admins fail as well. I've seen a production database system that contained credit card data at a major company that was just secured by a password-- not a username/password pair. Understanding that people are lazy, a co-worker sat down one slow afternoon and tried strings. About one in four turned out to be a valid password. These weren't exotic strings either-- mostly sports teams, common dictionary words, etc. Thankfully the admins realized this was a huge security hole and fixed it in short order.
If you can, ensure that passwords are as complex as possible and be vigilant for users trying to undermine your best efforts.
Intel: i7 (Nehalem) will have a Turbo Mode
The Intel IDF Conference is going on as we speak, and Hardware-Infos.com (auf Deutsch) is reporting that Nehalems will have a mode similar to Santa Rosa Meroms where the chip will dynamically "overclock" itself on the fly on a single core when the need for high performance on a single execution thread is indicated. At this point, it's being called a Turbo-Mode, even though the Intel branding for this feature is unknown at this time. Details are still sketchy, but this is another very interesting detail about the i7/Nehalem platform.
In layman's terms, let's say you have a 4-core, 2.66 GHz CPU. If you're running something that only uses one core, but needs all the power it can get, you have no benefit over a 2.66 GHz dual-core CPU or even a theoretical single core version of the same. These are already maximum speeds, with the CPUs running at lower speeds when performance isn't needed. What this system will do is transparently to the user allow a single core to go faster than the rated maximum while reducing maximum speed on the remaining cores. No word yet on if this will work on a system that's already overclocked. I hope to have more info as this leaks out into the English language press.
Monday, August 18, 2008
Security: Passwords
There's not much to say about this one that's not common sense, but more common sense is better.
Passwords should be "strong" -- that is, not easily guessable or hacked via brute-force. The longer it is, the better. Combining different types of characters (upper-case letters, lower-case letters, numerals and 'special characters' like punctuation) is even better. Your birthday, the name of your dog, etc. are all very, very bad passwords. They're not as good as two-factor authentication, but often they're all you get to work with.
Sometimes you have to crank out password after password (or one Really Good password) and that's a job best left to a random password generator. If you just need some passwords, I like the PCTools Random Password Generator web page.
Passwords should be "strong" -- that is, not easily guessable or hacked via brute-force. The longer it is, the better. Combining different types of characters (upper-case letters, lower-case letters, numerals and 'special characters' like punctuation) is even better. Your birthday, the name of your dog, etc. are all very, very bad passwords. They're not as good as two-factor authentication, but often they're all you get to work with.
Sometimes you have to crank out password after password (or one Really Good password) and that's a job best left to a random password generator. If you just need some passwords, I like the PCTools Random Password Generator web page.
Sunday, August 17, 2008
BoingBoing has a list of the top 101 classic computer and computer-related advertisements "of all time!!!11!eleventy-one" (OK so, I made up the last part.)
I'm not old enough to remember a few of these, but others bring back some fond (and not so fond) memories. Enjoy!
I'm not old enough to remember a few of these, but others bring back some fond (and not so fond) memories. Enjoy!
Subscribe to:
Posts (Atom)
Posts
