apocryph.org Notes to my future self

29 Apr 2009

Ignorant high school teacher gets rhetorically planed

If you have 30 minutes and are interested in watching a rhetorical Hindenburg disaster, check this out:

Cam from NRA News somehow got a NY state high school teacher to agree to a phone interview in which said teacher explains why he’s taking his class to Albany to lobby for gun control bills. It wasn’t a fair fight. Requisite “NRA members don’t care about minority children” and “Idaho militia member” stereotypes present and accounted for.

27 Apr 2009

NewSid.exe hanging on Windows 2008

At work I use newsid all the time to clone VMs from a common baseline, then build them up into whatever I need. Newsid makes sure each VM has a unique SID and thus won’t collide with other copies of the same template. I’ve been doing this for a while with no problems.

However, today I updated my template with all the latest updates as of 27-April-2009. One of those updates broke newsid, such that it runs for a while then hangs and is flagged as “stopped working” by Windows. I googled around a bit and didn’t come up with much, but I did see mention of a Beta 2 issue with infinite recursion in the Wow6432Node key.

I took a peek at HKLM\Software\Wow6432Node and, sure enough, there was a second Wow6432Node key underneath it. WTF? All it contained was some path settings for IEXPLORE.exe, so I assume this was caused by the IE7 upgrade.

I deleted the nested Wow6432Node key, re-ran NewSID, and it ran fine. I’m not sure if newsid or the guilty update are to blame, but whoever it is, it’s a pretty lame fuckup, and I’m surprised I haven’t read about more people experiencing it given how widely used newsid is.

10 Apr 2009

How strong are haddock passwords?

One of the recurring themes in my self-edification development revolves around ways to generate strong but somewhat memorable passwords and passphrases, and how to quantitatively measure the strength thereof. In the past I’ve experimented with Markov chains and PKCS#5. Today I ran across another password generation implementation by Stephen Celis called haddock. It’s a simple algorithm that generates a password of a specified length by picking two words and a symbol, and padding with decimal digits. It produces passwords like habit57/love and Bim52`bummer.

I was curious how strong these were in terms of equivalent symmetric cipher key bit length, so I wrote up a quick and dirty script to compute the strength of each password length from 8 to 31 characters, given my Moby wordlist of 350k English words.  As usual the code is on my SVN repository.

Here’s what I found:
For password length 8, there are 4.32e+009 possibles, strength is 32.01 bits
For password length 9, there are 2.67e+010 possibles, strength is 34.63 bits
For password length 10, there are 9.73e+010 possibles, strength is 36.50 bits
For password length 11, there are 2.99e+011 possibles, strength is 38.12 bits
For password length 12, there are 7.93e+011 possibles, strength is 39.53 bits
For password length 13, there are 2.38e+012 possibles, strength is 41.11 bits
For password length 14, there are 5.17e+012 possibles, strength is 42.23 bits
For password length 15, there are 1.01e+013 possibles, strength is 43.20 bits
For password length 16, there are 1.81e+013 possibles, strength is 44.04 bits
For password length 17, there are 3.74e+013 possibles, strength is 45.09 bits
For password length 18, there are 5.89e+013 possibles, strength is 45.74 bits
For password length 19, there are 8.66e+013 possibles, strength is 46.30 bits
For password length 20, there are 1.20e+014 possibles, strength is 46.77 bits
For password length 21, there are 1.98e+014 possibles, strength is 47.49 bits
For password length 22, there are 2.53e+014 possibles, strength is 47.85 bits
For password length 23, there are 3.10e+014 possibles, strength is 48.14 bits
For password length 24, there are 3.65e+014 possibles, strength is 48.37 bits
For password length 25, there are 5.32e+014 possibles, strength is 48.92 bits
For password length 26, there are 5.99e+014 possibles, strength is 49.09 bits
For password length 27, there are 6.58e+014 possibles, strength is 49.23 bits
For password length 28, there are 7.07e+014 possibles, strength is 49.33 bits
For password length 29, there are 9.57e+014 possibles, strength is 49.77 bits
For password length 30, there are 1.01e+015 possibles, strength is 49.84 bits
For password length 31, there are 1.04e+015 possibles, strength is 49.89 bits

For the details of my approach or to check for the distinct possibility of mistakes, review the source code.
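As an added illustration (not the post's script, which lives in the author's SVN repository), the following Python counts the possible passwords of a given length for the word-digits-symbol-word shape seen in the examples above and converts the count to bits. The structure, the separator alphabet, the 1-3 digit range and the absence of capitalisation are all assumptions, and the eight-word list is constructed; substitute a real wordlist to reproduce a table like the one above.

```python
import math
from collections import Counter

# Constructed toy wordlist; only the distribution of word lengths matters.
# The post used a ~350k-word Moby list instead.
WORDS = ["cat", "dog", "bim", "love", "habit", "bummer", "quartz", "zebra"]
SYMBOLS = "/`!@#$%^&*-_=+"  # assumed separator alphabet (haddock's real set may differ)
MAX_DIGITS = 3               # assumed: 1 to 3 decimal digits after the first word


def length_histogram(words):
    """Map word length -> number of distinct words of that length."""
    return Counter(len(w) for w in set(words))


def count_possibilities(words, length, symbols=SYMBOLS, max_digits=MAX_DIGITS):
    """Count distinct word1 + digits + symbol + word2 strings of exactly `length` chars.

    For each digit count d, every (len1, len2) pair with len1 + d + 1 + len2 == length
    contributes n(len1) * 10**d * |symbols| * n(len2) candidates. An attacker who knows
    the scheme needs to try only this many, so log2 of it is the effective key length.
    """
    hist = length_histogram(words)
    total = 0
    for ndigits in range(1, max_digits + 1):
        for len1, n1 in hist.items():
            len2 = length - len1 - ndigits - 1   # the 1 is the separator symbol
            n2 = hist.get(len2, 0)
            total += n1 * (10 ** ndigits) * len(symbols) * n2
    return total


def strength_bits(possibilities):
    """Equivalent symmetric key length: bits needed to enumerate every candidate."""
    return math.log2(possibilities) if possibilities > 0 else 0.0


def strength_table(words, lengths):
    """Return {length: (possibilities, bits)} for the requested password lengths."""
    table = {}
    for length in lengths:
        n = count_possibilities(words, length)
        table[length] = (n, strength_bits(n))
    return table


if __name__ == "__main__":
    for length, (n, bits) in strength_table(WORDS, range(8, 16)).items():
        print(f"For password length {length}, there are {n:.2e} possibles, "
              f"strength is {bits:.2f} bits")
```

With a large wordlist the bit count flattens out with length, as the post's table shows: long passwords are mostly made of long, rarer words, so adding characters adds few new candidates.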

Based on my results, I would not be comfortable using the generated password as, for example, the passphrase on a 256-bit AES key or a 2048-bit DH key pair, at least not without some PKCS#5 folding to strengthen the key.  If you’re using the passphrase for an online system hardened against online dictionary attack and (believed to be) impossible to subject to an offline dictionary attack, it’s a helluva lot better than just picking a dictionary word or using your name.

1 Apr 2009

Just what we need: Federal control over private network infosec

Apparently the Senate is considering a bill that would grant a new Cybersecurity czar sweeping new powers over private computer networks, including NIST guidelines and audit protocols for cybersecurity, and a certification regime for security professionals.  This will not end well.

If you don’t believe me, try to get work done in a federal bureaucracy, and see how many times the infosec people thwart your every effort to get things done. These guys aren’t accountable for your ability to do your job or collaborate or access information. If there’s a security breach, however, it’s their ass. So, why would they ever say anything but ‘no’? In my experience, they seldom do.

To offer but one example, I once worked on a team building a simple web service for use by a government agency with offices all over the world.  The purpose of this web service was to provide remote access to a central database.  The database was NOT classified, and the web service was accessible only on the agency’s own worldwide network, and was in no way available over the public Internet.  However, the security folks would not approve the application.  Instead, they would issue a temporary waiver to allow it to operate while they thought about it a little longer.  For over a year this server was running under a series of temporary waivers.  For all I know, it still is.

Mark my words: if legislation like this gets passed, actual security won’t improve too terribly much, but government meddling in private information security will rise dramatically, and the result will be bullshit, crippling, bureaucratic risk aversion on an epic scale.  Yay.

I also notice this:

Addressing what intelligence officials describe as a gaping vulnerability, the legislation also calls for the appointment of a White House cybersecurity “czar” with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway, the officials said.

Well, now THAT is reassuring.  There’s not enough government control of the Internet as it is; now we need another ‘czar’ with a kill switch, to be flipped whenever there’s a politically convenient infosec scare.  Yay.
