March 21, 2011

How Passwords Work (And Don't)

Today I hope to illuminate some common misconceptions about passwords: what they really mean and how they are used.  As always, I'll try to keep it simple, but some of the rules are a little wonky if you don't already know them.  Just stay with me, I'll do my best to help!

First, let's start with what most folks already know.  If a website or program wants to make sure you are who you claim to be, it asks for a password.  This works because when a password stays in your head and is hard to guess, only the person who chose it should be able to produce it.

Quite a few folks (I believe the last estimate was nearly three quarters of all computer users) have already made a mistake.  If you have sticky notes or a notepad with a login and password on or near your computer, but still used a long and complicated password, you're fairly safe from internet-based attacks.  If someone goes rifling through your computer room, though, or if they grab it during a break-in, or snatch it from your purse/wallet, they have absolute access.  If you have a really easy password to make sure that you don't forget it, you're still at risk from pretty much anybody who wants into your account.

Another easy mistake to make is to use the same login name and password on multiple sites.  Facebook, MySpace, Grooveshark, Pandora, Twitter, Google, banks, cable, internet, phone, water, electricity... there are a lot of places that use names and passwords!  And if you use the same login name and password for all of them, when one gets compromised the attacker will have your login information for every last one of them.  More on this further down, but for now, back to passwords themselves.

When someone doesn't know your password, there are still a huge number of ways they can get into your account.  If your password is short, they can try a method called 'brute force', which is exactly what it sounds like: they start off at 'a', then go to 'b', then 'c'... and on and on through every combination, until something works or they give up.  Every extra character multiplies the number of combinations to try, so a short password will most likely be guessed even if it's complicated, while a long one makes brute force take a very long time to get there, or never get there at all.

The next type of attack is called 'dictionary', and is essentially when the attacker starts off with a long list of common words (it's easy to use all the words in a large dictionary as a starting point, then add in names of cities, states, roads, sports teams, and all sorts of other things) and goes through them one at a time, guessing with each.  Most dictionary attacks also combine words, so they'll get 'redwalls' the same way they'll get 'red' and 'walls'.

The first two methods, as described above, work even when the attacker doesn't know anything about you.  But what if you use a long password with things like your date of birth, SSN, telephone number, pet's name, or things like that?  While not exactly sophisticated, 'guessing' is a form of attack as well, and the better you know your target, the more likely you are to succeed.  You should never use personal information that you don't want shared with the world as part of your login name or password (either of them!), as they significantly reduce the number of different things your password could be.  Why not your login name, either?  Well, take this as food for thought: a quick search for leaked data shows that it happens all the time, even to big-name companies!  If an attacker can link your login name to you, they get whatever you used as your password, name, and anything else you entered for free!
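The three attack types above (brute force, dictionary, and guessing from personal details), as an added example that is not from the original post: a small checker that reports which of them a candidate password is exposed to, using the post's 'redwalls' = 'red' + 'walls' case for the dictionary check.  The word list, the personal strings, the function names and the 40-bit brute-force threshold are my assumptions, constructed for the demonstration.

```python
import math

# Constructed sample data: a tiny dictionary and a few "personal" strings
# standing in for the large word lists and public profile data the post warns about.
DICTIONARY = {"red", "walls", "password", "dragon", "summer", "tiger"}
PERSONAL = ["1985", "5551234", "fluffy", "02-14"]


def search_space_bits(password):
    """Rough brute-force cost: log2(alphabet_size ** length), where the
    alphabet is inferred from the character classes actually used."""
    classes = [
        (lambda c: c.islower(), 26),
        (lambda c: c.isupper(), 26),
        (lambda c: c.isdigit(), 10),
        (lambda c: not c.isalnum(), 33),   # punctuation and space
    ]
    alphabet = sum(size for test, size in classes if any(test(c) for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def splits_into_words(word, words):
    """True if `word` is one dictionary word, or two dictionary words joined
    together the way a combining dictionary attack would try ('red' + 'walls')."""
    if word in words:
        return True
    return any(word[:i] in words and word[i:] in words for i in range(1, len(word)))


def password_weaknesses(password, words=DICTIONARY, personal=PERSONAL):
    """Return the attack types from the post that the password is exposed to."""
    found = []
    lowered = password.lower()
    # Assumed threshold: under ~40 bits of search space counts as "short".
    if search_space_bits(password) < 40:
        found.append("brute-force")
    if splits_into_words(lowered, words):
        found.append("dictionary")
    if any(p.lower() in lowered for p in personal):
        found.append("guessing")
    return found
```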

Alright, so a login name and password that you can keep in your head, but neither points back to you, and your password should be long and complex?  That is a lot to handle (even for technical folks)!  Fortunately, there are tricks and tools that make this easier while still being safe.  If you use a modern browser, you may have had it ask to remember your password.  I have not, and will never, trust this functionality.  It's too easy to have someone borrow your computer for just a second, and even if you logged out to be safe, they just press OK and are logged back in!  However, modern browsers also have better features, like Firefox's Master Password feature.  It goes hand-in-hand with the functionality that remembers your login details, but instead of just handing them out like candy, it asks for a password before it gives them out.

What if you just have to write things down or you'll forget?  I actually fall into this category, so I can help you along with that, too.  There are stand-alone, open-source programs like KeePass that will store all of your login names and passwords behind a single password.  If you can choose and commit one really good password to memory, this will handle all the rest!  When choosing one of these programs, though, make sure it comes from a reputable source that you know and trust, and it's usually good to have security software be open source so that people who actually care about that kind of thing (programmers like me!) can tattle on programs that try to steal your information, or just plain don't work.

In the end, passwords and such go way deeper than this, but those details are mostly for people who make the security for web sites and programs that take logins.  This post is already super-long, so I'll save nifty ways of making random-but-memorizable passwords (or super-secure random passwords) for a later post.  As always, questions, details, clarifications and such should go in comments.  Thanks for reading!

March 16, 2011

The Lost Art Of Counting Back

Over the course of several years of retail and customer service, I discovered a couple of very important rules that held true in nearly every encounter.  The first and foremost of these is that Americans have learned they can be jerks to that stooge behind the counter and get away with it, except for when they can't.  I truly wish businesses were more progressive in this aspect; there's a difference between "the customer is always right" and "the customer is usually right, but also can be a complete jerk".  I've not once met a person who, upon being informed that their continuing attitude would result in immediate ejection from the storefront, continues to be a jerk.  They most often become sullen for a second and then move right along into being a model customer (bless their rotten hearts).

The other important rule I'll talk about today is that people rarely look at what you give them until they are forced to.  If you've ever been through a fast food restaurant's drive-thru, ordered successfully, and then arrived at work or home only to find that what you had was of less value than what you paid for, you've been given a hard lesson in this.  However, it gets worse!  When folks pay with cash, they're so blithely unconcerned about how much you give back that you could give back fives in place of tens all day long and only a handful of folks would notice right then and there.  Granted, this can easily result in them going home, realizing they'd been had, and then all reconvening at your location with pitchforks and torches, but still...

In any case, here's how you count back change to someone (and how you make sure a cashier is counting back your change right to you):
  1. Start with the amount the customer Paid
  2. Add pennies to the total until their change ends in a 0 or 5
  3. Add a nickel and one or two dimes until they reach 00, 25, 50, or 75 cents in change
  4. Add quarters until their change ends in 00.  You now have their change!
  5. If you had to grab change, add a dollar to their total and forget about how much change they had
  6. Add twenties until adding another will put you over what they paid you
  7. Add tens until adding another will put you over what they paid you (a pattern!)
  8. Add fives until adding another will put you over what they paid you
  9. Add ones until you MATCH what they paid you
  10. Here's the magic: Hand them their change and say how much it is, and then "makes (add change to total)"
  11. Then keep adding to that, starting with the smallest bills (ones) first
  12. When you've counted everything, the amount you'll be saying is what they paid you!
If you're getting change counted back to you, follow steps 10 through 12 only and you'll know it's right.

It looks long-winded, but after you've done it a few times, it makes a wonderful kind of sense to both your brain and your hands.  Also, if they gave you change so that you'd give them bigger coins (or none at all), you have to do the change part with different rules.  That's okay, because they've already made it easier on you!

Why should you care about that mess at all?  After all, now that we're a paragraph away from that scary thing, I can say that it does look complicated. Well, for starters, it means that the cashier knows they gave you the right amount (which is good for them) and that you got the right amount too (which is good for you).  It also saves you the trouble of ever having to go back and convince a cashier (or *giggle* their manager) that they need to give you more money.  There's also some word coming through the grapevine that cash is local-friendly because running credit cards is quite expensive for small-dollar-item places (Visa has to get paid too, you know).

Now you know.  Retail's hard on everybody, folks!  Show some compassion to the working stiff behind the counter and the experience can be better for the both of you!


*
I've added an actual, honest-to-god example here.  I didn't include it with the main stuff because few folks want to go through a checklist and then hear about it all over again right away.  Come back in a little bit and give it a try:
Customer buys a candy bar ($1.09) and pays with a $20
Start with 09 cents
Take out a penny, have 10 cents
Take out a nickel and a dime, have 25 cents
Take out three quarters, have 00 cents
Took out money, so add a dollar to total, which is $2 now
Can I use a $20?  Nope, $22 is too high!
Can I take a $10? Yep, a ten makes the total $12
Can I take a $5? Yep, a five makes the total $17
Three $1 gets me to $20, which is what they gave me

At this point, I look in my hand, see a penny, a nickel, a dime, and three quarters.  I hand them this terrible mess and say "Ninety-one cents makes two dollars", and then count up with the smaller bills first.  "Three, Four, Five" is the ones, "Ten" is the five-spot, "and Twenty" when I tack that ten on there.  Since I was counting bills right where the customer could see, they're already neat and in order, and they had a second to put away their change.  Perfect for the OCD in everybody!
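The twelve steps above, as an added example that is not from the original post: a function that counts up from the price the way the worked example does, returns the coins and bills handed over and the running totals the cashier says out loud, and is checked against the candy-bar-from-a-twenty case.  The function name is my own, and it assumes the customer paid in whole dollars; the post's 'different rules' for a customer who also hands over coins are not modelled.

```python
def count_back(price_cents, paid_cents):
    """Count change up from the price to the amount paid.

    Returns (coins, bills, spoken): the coins and bills handed over (in cents)
    and the running totals (in cents) the cashier says out loud, starting with
    the total reached after the coins ("ninety-one cents makes two dollars").
    Assumes whole-dollar payment; the post's 'different rules' for a customer
    who hands over coins as well are not modelled here.
    """
    if paid_cents % 100 or paid_cents < price_cents:
        raise ValueError("paid amount must be whole dollars and cover the price")
    total, coins, bills = price_cents, [], []
    while total % 5:                        # step 2: pennies until it ends in 0 or 5
        coins.append(1)
        total += 1
    need = (25 - total % 25) % 25           # step 3: a nickel and/or dimes to 00/25/50/75
    if need % 10 == 5:
        coins.append(5)
        total += 5
        need -= 5
    for _ in range(need // 10):
        coins.append(10)
        total += 10
    while total % 100:                      # step 4: quarters up to the next dollar
        coins.append(25)
        total += 25
    # step 5 is now implicit: total sits on a whole dollar, so forget the cents
    for bill in (2000, 1000, 500, 100):     # steps 6-9: twenties, tens, fives, ones
        while total + bill <= paid_cents:
            bills.append(bill)
            total += bill
    assert total == paid_cents              # step 9 ends exactly on what they paid
    # steps 10-12: announce the coins' total, then count up smallest bills first
    running = price_cents + sum(coins)
    spoken = [running]
    for bill in sorted(bills):
        running += bill
        spoken.append(running)
    return coins, bills, spoken
```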

March 13, 2011

On Boxes With Locks

With fear of alienating what few readers I have, I'll jump right in on a big topic: Encryption.  I'll start this one by telling the story I try to tell everybody when I'm talking about encryption:

Before the internet, there were two spies who needed to trade information in a hostile country.  Since the two were operating in different regions, they couldn't simply meet up in a coffee shop and swap notes.  Since it's a hostile country, there are no established lines of communication that they can trust.  Instead, each spy had a notepad, a good padlock and the only key for it, and a lockbox with a latch big enough to attach several padlocks, but even one lock will jam the box completely shut.  They used the country's own public mail system (which was known for digging through mail, reading whatever they wanted, and stealing anything that wasn't firmly attached to said mail).  How did they trade messages without getting caught?

The first problem comes up when you realize that attaching a padlock to a box means the recipient can't open it.  Putting the key inside the box doesn't help because the recipient can't open the box (not even a crack!).  If the sender tries to mail the key separately, the public mail couriers will steal it and use it to open the box.  The problem is that anything the recipient can do, the couriers can do.  So what gives?

The trick to the story is that you can attach more than one padlock.  The first spy writes a message and puts it inside the box, snaps their lock on the box while keeping the key, and mails it to the second spy.  The second spy can't do anything with this locked box, but they snap their own padlock on it anyway, keeping the key, then mail it back.  Now neither spy can get into the box!  However, the magic happens when the first spy takes off their padlock.  They still can't get into it, as they don't have the second spy's key, but that's okay.  They send it back anyway.

When the second spy receives the box, surprise!  The only lock left on it is the one that uses their key!  They pop off the lock, and read the first spy's note.  Then the same process happens, but the first and second spy have traded roles.

Gosh, that's a lot of work to send a message, and it must take an awfully long time!  However, it does satisfy all the needs the spies had:

    * The mail couriers are never able to open the box
    * The mail couriers are never able to get a key, even though they can see the lock
    * Things inside the box still go from one party to the other
    * All the spies need are their own padlock, and their own key

This is essentially how symmetric cryptography works.  You take a bunch of data (the box), apply your encryption key (padlock) to it, then send it to a third party.  This turns the data into a bunch of gibberish that neither party can really get meaning from.  The third party applies their own encryption key, making it even MORE garbled, and sends it back to you.  You reverse your original encryption (removing your padlock), still can't read the mess of bits, and send it back to the third party.  The third party reverses their original encryption, and *poof* the original message appears.  Technically, it's possible to break encryption, but if it's done correctly, it's possible in the same way that our sun going supernova is possible.
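The box with two padlocks, as an added example that is not the post's own code: this is the three-pass protocol, where each padlock is exponentiation by a secret exponent modulo a prime, so the locks commute (either can go on or come off first) and a courier who sees all three mailings still faces a discrete logarithm to read the note.  The story only works with locks of that kind: a lock that is just XOR with a key also commutes, but XORing the three mailings together cancels both keys, so the choice of cipher is what keeps the couriers out.  The function names, the prime P and the sample note are my assumptions.

```python
import secrets
from math import gcd

# Constructed parameter: a Mersenne prime keeps the arithmetic exact but small.
# A real deployment would use a prime of a few thousand bits.
P = 2**127 - 1


def make_padlock(p=P):
    """Forge a padlock and its only key: a secret exponent e with
    gcd(e, p-1) == 1, and d = e^-1 mod (p-1), so that (x**e)**d == x mod p."""
    while True:
        e = secrets.randbelow(p - 3) + 2
        if gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)


def snap_lock(box, e, p=P):
    """Snap a padlock onto the box: raise the contents to the secret exponent."""
    return pow(box, e, p)


def remove_lock(box, d, p=P):
    """Take a padlock off with its key: raise to the inverse exponent."""
    return pow(box, d, p)


def three_pass_exchange(message, p=P):
    """Run the spies' exchange.  Returns the note the second spy reads and
    the three locked boxes that the couriers were able to look at."""
    if not 1 < message < p:
        raise ValueError("message must encode to an integer strictly between 1 and p")
    e1, d1 = make_padlock(p)                # first spy's padlock and key
    e2, d2 = make_padlock(p)                # second spy's padlock and key
    pass1 = snap_lock(message, e1, p)       # spy 1 -> spy 2: one lock on
    pass2 = snap_lock(pass1, e2, p)         # spy 2 -> spy 1: two locks on
    pass3 = remove_lock(pass2, d1, p)       # spy 1 -> spy 2: only spy 2's lock left
    note = remove_lock(pass3, d2, p)        # spy 2 opens the box with their key
    return note, (pass1, pass2, pass3)


def encode(text):
    """Turn a short note (at most 15 bytes for this P) into an integer."""
    return int.from_bytes(text.encode(), "big")


def decode(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big").decode()
```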

Why does this even matter to a normal, non-super-computer-nerd person?  If you've ever bought something online, you put your credit card numbers into one of these boxes.  Some kinds of logging in (not usually web sites, but game logins and such) put your password into a box (this is a lie, but it's close enough!).  It's also the reason that surfing the internet on public wifi at a coffee shop is pretty much the same as announcing out loud what you're looking at (including forums that you're reading, images you're downloading, anything that isn't encrypted really).  Sites are a little better about securing things these days, but even a couple months ago Facebook would tell your login details to everybody listening to your connection (the Firesheep add-on was made to illustrate this point).

And now you know a little bit more about why some things are safe online, and some things are not.  I'll be talking about public key encryption, too, because it's fantastic and incredible and everybody should use it, but that's another post's worth of details.

March 11, 2011

Greetings, Salutations, It's Too Late To Turn Back

Greetings to you, friends and friends of friends.  It's officially too late to turn back, and the only option you have left is to see this through to the end.  This is like one of those dreadful chain letters, but with less dire portent.

I'm mainly starting this blog as an outlet for the everyday tech I use in my life, be it software, hardware, firmware, wetware, or underwear.  Being a rabid fan of computing shouldn't just be squandered on killing zombies (regardless of how hard I may be trying on a given week), and since I give out so much advice and opinion about the stuff anyway, I might as well solidify my thoughts and commit them to the all-remembering Internets.  Since I'm a jack-of-many-trades, expect to hear about the likes of these:
  • Programs (internet browsers, anti-virus suites, open-source lifesavers)
  • Silicon (what's the difference between a CPU, GPU, and PSU anyways?)
  • Mechanics (or Powerful Batteries Are Serious Business)
  • The Internet and You (how to browse a bit safer, and maybe teach new router tricks after convincing it to work right in the first damn place)
  • Paranoia (and how!)
  • ... and maybe even how I think the whole world's falling apart.  This is a blog, after all!
No matter what topic I've chosen for a poorly guided rant, I do hope to keep in mind the fact that I'm not writing for other technobrains.  Instead, look for the What, Why, and How in each post and see if you can make it work for you.  If I lose you, let me know!

Enjoy intermittent profanity, hidden gems of wisdom for living (completely unintentional), and more parentheses than you can shake your fist at.  Stick with it, calisthenics are good for you!  For the sufficiently motivated, you should add your own experiences and questions to the comments, and I might even make a new post just for you!

Alright, you're free.  No 13 years of bad luck for you.  Thanks for your handful of minutes :>