Security Engineering

A secure password does not make a system secure. No password – in fact, no authentication system – is entirely bulletproof. The key when designing a password-based access system, and choosing passwords, is to balance an equation. You must make the effort required to crack the password more valuable than the data the password protects. This will force the attacker to attempt another approach – there is no value in them continuing to try to break the password.

When laying barbed wire, we do not attempt to completely block access to the defended area (the enemy will just stay put and bring in tanks), unless we want to bring in enemy tanks (to, for example, ensure that they aren’t elsewhere!). We lay out barbed wire in a pattern that requires infantry to take a longer route in order to get in, in order that we can shoot at them more on their way. When laying barbed wire, there is never any doubt that the enemy will penetrate it, given enough effort.

When I tell people that no password is completely secure, and describe all that is above to them, they sometimes don’t believe me, or see the relevance. So here’s another example I came up with this morning:

When people install burglar alarms in their houses, they think they are doing it to prevent burglars. But this doesn’t work, otherwise the number of burglars would have gone down as the proportion of houses with burglar alarms increased. No; a burglar alarm does not prevent burglars – what a burglar alarm does is make the effort (in this case, the chance of getting caught) not worth the data protected (your TV, VCR, computer, etc.). So the burglar goes elsewhere – perhaps to steal less valuable stuff, but from somewhere where the effort is substantially lower. Burglar alarms don’t stop burglars – they redirect them.

But if the value of the data you’re protecting increases, then the equation becomes unbalanced, and it becomes worth the effort. If you start keeping stacks of gold bars in your living room, our burglar will probably risk getting caught to try to nab them. Or they might spend time getting the experience and equipment needed to disarm your alarm first. Or they might watch your daily patterns; see if you sometimes forget to arm the alarm, or maybe they’ll bribe your ex- to share with them the code.

There’s the basics of security engineering. Now, here’s the bit I missed:

Hackers are a very complicated set of people, of all manner of ages, disciplines, experience levels, and motivations. An important factor with many hackers is that, regardless of the possible value of the data, the effort taken to break into the system is irrelevant as a deterrent! Many hackers see more challenging systems as a ‘challenge’, and try to break into these systems just to prove that they can. Imagine your surprise when you find that your house has been broken into and all the gold bars in your living room have been autographed by some greyhat.

Now go change your passwords.

Windows XP SP1 Honeypot Breached In 200 Seconds

The internet is becoming a scarier and scarier place.

In a recent “honeypot” study, a Windows XP computer with Service Pack 1 was infiltrated in just 200 seconds, without even opening a web browser.

For the less techie-minded, a “honeypot” study involves setting up a new PC with a new operating system (in this case, a Windows XP SP1 machine) and connecting it directly to the internet to see how it is attacked and to what end. In this case, all they did was connect said computer to the internet… and less than four minutes later, it had been compromised by an attacker. Within half an hour, it was receiving instructions to act as a bridge to attack other computers.

Four minutes isn’t long enough to download and install ZoneAlarm. It certainly isn’t long enough to install Service Pack 2. And all across the globe, newbie PC users are buying off-the-shelf computers with no firewall, taking them home, and connecting them to the internet, basically ‘volunteering’ their computers and their bandwidth to be zombies and attack others around the world, relay spam, or share their files with anybody, anywhere.

If anybody needs help securing their system, just give me a shout.

Blogspam A Problem… No More

As I’ve mentioned in previous posts, I’ve been getting more than my fair share of blogspam of late. I’ve been spending about twenty minutes every three or so days clearing out the ‘moderation’ queue and updating my keyword lists. Worse still, some spam has been getting through nonetheless (hopefully I’ve always been quick to remove it, and so none of you – my readers – have had to see any of it).

So: I’ve implemented a new anti-blogspam solution: whenever you post a comment to my weblog from now on you’ll be asked a simple question. The answer is usually obvious… to a human… but very difficult for a computer to answer automatically. I appreciate any feedback on this (why not leave a comment to this post), and I’ll let you know whether it fixes the problem. And, of course, if it does, I’ll offer my code snippet back to the WordPress development team in order to include it, perhaps, with a future version: or, at least, offer it to friends of mine who use similar blog engines and are troubled by spam.
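As an added illustration of the kind of question challenge described above (this is not the blog’s own snippet, nor WordPress code), here is one way to wire such a check into a PHP comment form; the question bank, the secret key and the form field names are all assumptions.

```php
<?php
// Added example, not the blog's or WordPress's code: a question-based comment
// challenge. The question bank, secret key and form field names are assumed.
const CHALLENGE_KEY = 'replace-with-a-long-random-secret'; // placeholder secret

// A small fixed bank is easy for a human and awkward for a naive bot; a
// determined spammer can still learn the answers, so rotate the questions.
$QUESTIONS = [
    ['q' => 'What colour is the sky on a clear day?',     'a' => 'blue'],
    ['q' => 'How many legs does a cat have? (as a word)', 'a' => 'four'],
    ['q' => 'What is the opposite of "hot"?',             'a' => 'cold'],
];

// Pick a question and return it with a tamper-evident token for a hidden field.
function challenge_for_form(array $questions, string $key): array {
    $id = random_int(0, count($questions) - 1);
    $issued = time();
    $mac = hash_hmac('sha256', $id . '|' . $issued, $key);
    return ['question' => $questions[$id]['q'], 'token' => "$id|$issued|$mac"];
}

function normalise(string $s): string {
    return strtolower(trim(preg_replace('/\s+/', ' ', $s)));
}

// Check a submitted answer against the token that was issued with the form.
function verify_answer(array $questions, string $key, string $token,
                       string $answer, int $now, int $ttl = 3600): bool {
    $parts = explode('|', $token);
    if (count($parts) !== 3) return false;
    [$id, $issued, $mac] = $parts;
    if (!ctype_digit($id) || !ctype_digit($issued)) return false;
    $expected = hash_hmac('sha256', $id . '|' . $issued, $key);
    if (!hash_equals($expected, $mac)) return false;  // forged or edited token
    if ($now - (int)$issued > $ttl) return false;     // stale token
    if (!isset($questions[(int)$id])) return false;
    return normalise($answer) === normalise($questions[(int)$id]['a']);
}

// On submission, reject the comment before it reaches the moderation queue.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && !verify_answer($QUESTIONS, CHALLENGE_KEY, $_POST['challenge_token'] ?? '',
                      $_POST['challenge_answer'] ?? '', time())) {
    http_response_code(400);
    exit('Please answer the anti-spam question.');
}
// Otherwise render the challenge inside the comment form.
$c = challenge_for_form($QUESTIONS, CHALLENGE_KEY);
echo '<label>' . htmlspecialchars($c['question']) . ' <input name="challenge_answer"></label>';
echo '<input type="hidden" name="challenge_token" value="' . htmlspecialchars($c['token']) . '">';
```

The HMAC ties the hidden field to a question and an issue time, so a bot cannot pick its own question or reuse an old token indefinitely; a fixed bank this small is still learnable, which is why the answers should change over time.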

I need sleep.

In other (almost equally geeky) news, I’ve been spending a good deal of time working on my new RockMonkey WikiGameTromaNightAdventure. If I can keep up a reasonable development rate on it this weekend (which could be tough – I’ve lots to do, and Gareth is visiting and keeps distracting me with cool technology like GPS devices and VoIP telephones), it’ll be ready on Tuesday evening. Watch this space.

Popularity Of The Welsh Language

<ROFLMAO>

Want a giggle? Go to Google and type “old dead language” into the search box (with or without the quotes… either way), and hit “I’m Feeling Lucky!”.

This is the follow-up to my experimental googlebomb the other week. I’ve had my fun, now, and I actually believe it’s possible (I was skeptical when I first read about it, but it turns out that Google really is that easy to manipulate) to pull off a googlebomb of this scale with my limited resources.

In other (equally geeky) news, I’m starting to have trouble with blogspam, and my usual keyword/IP/link-count filters aren’t catching it all… might need a reprogram.

Somebody Writes Of Half-Life 2

Somebody on slashdot writes of Half-Life 2:

Doom 3 tried to generate atmosphere through the lack of light and the monster placement that was obviously designed to scare you. After a while it degenerated into one big black scare job to me, and wasn’t very interesting as a result.

On the other hand, I felt that HL2 did an awesome job of generating atmosphere, without the darkness. That last part was especially interesting to notice. When was the last time you were scared in a computer game while in broad daylight? Or in a peaceful zone? And to continue onto gameplay, when was the last time you had an idea of killing an enemy in the middle of a firefight, and that creative idea that would’ve been impossible in older games simply worked? Yes, I’m talking about the physics engine, and I haven’t seen gameplay this varied since wielding a cursed blanket in NetHack.

I’m willing to sacrifice bump mapping everywhere for the ability to throw bladed flying machines at enemies.

Yum.

My Very Own Googlebomb

Partially out of curiosity, partially to point out a flaw in the #aber multipass system, I’ve made my own little googlebomb. For those of you who don’t like reading, a googlebomb is where you manipulate the popular search engine Google into falsely ranking, with great priority, a page that it probably should not. I’m sure you all remember “French military victories” and “Weapons of mass destruction”?

Go to Google, type in “Stuii should fix this”, and hit “I’m Feeling Lucky”. You’ll be taken to the #aber multipass page of a user who has never existed, a user called “Stuii Should Fix This”.

It’s a pain that when people search for ‘AvaPoet’, the first result is what should be my multipass (but it expired long ago). However, there’s obviously still a lot of places linking to it, so people keep getting that page whenever they look for me. Grr.

In any case; the theory’s been demonstrated plenty of times before… I just wanted to do it for myself. Yay.

SmartRacer

Yesterday lunchtime I finished writing a program that suddenly makes our working day that little bit more exciting – SmartRacer.

SmartRacer running in the System Tray

SmartRacer runs quietly in the system tray of as many users as want to run it – currently Matt, Haagen, Gareth and me… but I’m trying to get Alex involved, too.

When you click on the system tray icon, the race begins! A couple of quick UDP broadcast packets are passed around the network, and everybody on the subnet who’s running the program is presented with racing-style “start lights”… 3… 2… 1… GO!

SmartRacer popup showing countdown lights. Let's race!

At this point, all participants will race – on their wheely-chairs – around the central ‘island’ of tables, in a clockwise direction, and attempt to be first to return to their own place and click the “Finish” button. Overtaking is rare – but permitted – and usually quite aggressive. As each player returns to their desk a “score” table is presented to everybody, with all participants’ times appearing in ‘minutes’ (heh), ‘seconds’, and ‘hundredths’.

Map of the office showing the approved race circuit.

Of course, players can choose not to participate in any particular race by clicking the “I’m Not Playing” button. The wimps.

You can download SmartRacer here, to play at your own workplace – SmartRacer.exe (64kb). It runs on Windows 98/ME/2000/XP/2003, and requires the Microsoft .NET Framework.


Fantasy Terrorist League

You know what’s become quite popular among the masses since the take-off of the Internet? Fantasy leagues. Yes; that’s right – those things previously reserved for pub regulars and geeky play-by-mail types. Now, the internet is full of Fantasy Sports Leagues, Fantasy Share Trading, and so on.

For those of you not in the know; when playing in a fantasy league you are allocated a number of points (frequently represented by pseudo-currency). These points can be spent on, for example, famous football players, or companies, or whatever, and as the perceived values of these commodities change (e.g. the footballer scores more goals, or participates in more winning matches… or the company’s share value changes), the value of your team/portfolio adjusts accordingly. You can then sell the successful players or shares (ideally at their “market peak”) in order to finance the purchase of others, plus a small profit for yourself. Some fantasy leagues take this to its logical extreme, and actually involve gambling for real money (with the values of the commodities scaled down by a factor to accommodate the wallets of the participants, of course – few people carry around enough spare cash to finance a premier league football team).

So; here’s my idea: Fantasy Terrorist League. It’s a web site where, once you’ve signed up an account, you’re given a number of ‘points’ which you can invest in the many terrorist organisations that are active the world over. The value of these terrorist groups decreases gradually over time, unless they get media attention. Value of groups goes up as they are featured in the news. Value of groups rises dramatically as they perform other acts: for example, taking a hostage might be worth 5 points per hostage taken (2 bonus points for a successful execution); detonating a car or truck bomb might be worth 10 points (with bonus points available for damaging foreign embassies); a toxic gas attack or biological terror might get a group’s value up by 15 points; a plane hijacking could increase a group’s value by 20 or 30 points. The points weightings will be variable, too, based on difficulty (it’s a lot more difficult now to hijack a plane than it used to be, apparently) and popularity (“Oh great; HAMAS did another suicide bombing… by the time the PLO get around to detonating one it’ll be worth nothing! I knew I should have invested in those Chechen rebels…”). Of course, I wouldn’t run such a site as a real gambling site (last thing I’d want is somebody with, how shall we put this – insider information – using it to gain a profit to support their activities), but I think it’d be a fascinating social experiment to run as a true “fantasy league”.

If you think this is in bad taste: fuck off. o_|/ It amused me for a while when I thought of it.

Geeky Winnage With Bluetooth

Geeky winnage! This evening I wrote a pair of applications enabling me to use my new Bluetooth-enabled mobile phone as a remote control for WinDVD, the DVD playing software I use on my computer.

Not just a geeky project, this is fuelled by a genuine need: every Troma Night, when the pizza arrives, we end up scrambling for the keyboard in order to pause the film, or I find myself wandering back and forwards, trying to set the volume to an audible-to-all but not-deafening level. With the aid of this new funky toy, I can do this from my seat. Toy.

I’m looking forward to other ideas for uses for this technology. Tools already exist to allow you to control your media player and PowerPoint presentations using a Bluetooth mobile phone, but I’m sure that there are more useful applications that I can use in order to improve my own, personal geeky life.

Toy.

Our Web Developer’s “Line Of The Day”

Yet again my concern for the value of an Internet Computer Science degree from UWA is raised, as a dippy co-worker with two years of such a degree behind her asks me for help:

“Dan,” she begins, “How do I make a table in PHP?”

For those of you that don’t know quite as much about web design as she should, PHP is a programming language used, amongst other things, for developing dynamic, flexible web sites which integrate with other data sources. This weblog, for example, is powered by PHP. It is most frequently used to output HTML, the language of the web.

“I think you mean HTML,” I reply, seeing what she’s trying to achieve – the alignment of two text fields with their corresponding labels. She’ll need a simple two-by-two table. The code for this is as follows:

<table>
  <tr>
    <td>
      Top-Left Text
    </td>
    <td>
      Top-Right Text
    </td>
  </tr>
  <tr>
    <td>
      Bottom-Left Text
    </td>
    <td>
      Bottom-Right Text
    </td>
  </tr>
</table>

What are they teaching them these days? I remember learning this at about age 14, using Netscape’s examples. This girl has been studying Internet-fucking-Computing at degree level for two years and hasn’t been shown this?

Don’t even get me started on the fact that she shouldn’t be using a table for the purpose she was trying to use it for.

Update 2023-12-07: In hindsight, I made a knee-jerk reaction in writing this blog post. I should have treated this junior developer as what I’d now call “one of the lucky 10,000” and been more-supportive and a better teacher. We’re all learning, and back in 2004 I clearly had a lot of learning still to do.

Programmer’s Day

Programmer's Day - old boxen and classic games.

Apparently it’s Programmer’s Day, so Paul, Bryn, Claire and I put together an old low-end Pentium into a dual-booting Red Hat/Windows 98SE box, and racked up some classic games of the 80s and 90s. Fab.

There’s actually some debate about whether Programmer’s Day should be included as a Wikipedia entry… as there’s not a lot of evidence that anybody actually supports it, except for a few hardcore geeks (most of whom discovered it on Wikipedia or a site that uses it as a source) and some Russians who started a petition.

In any case, we had a lot of fun, and we’ll be doing it next year.
