rfunk: (Default)
When I started using computer networks in the early 90s, I had a six-character password. A few years later the recommendation was a minimum of eight characters, and be sure to mix it up with upper/lower-case, numbers, and maybe some punctuation.

Unfortunately way too many people still haven't even gotten that message; as a network administrator (who tries to avoid knowing people's passwords but somehow does anyway since they don't seem to care) I see some amazingly simple passwords.

Even more unfortunately, some software enforces less-than-good passwords by restricting the punctuation or the password length.

But with the guidelines of a decade ago, it's been generally assumed that brute-forcing a password would take many months at least. However, that assumed that the job would be done on a single CPU. Or possibly much faster on a massively-distributed network of CPUs, but that's still a lot of effort for a few passwords, and apparently less interesting or lucrative than searching for aliens or sending spam.

Who expected cracking a password to be done on a graphics card? In less than a week?

So basically the eight-character password has been cracked. But the 12-character password will still present a challenge for a while, even if you don't include the punctuation and numbers and all that, though you still might be vulnerable to a dictionary attack if you're not careful.
Mood: geeky
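To put numbers on the comparison above (8 characters from the full character set versus 12 lowercase letters, and what a policy that restricts punctuation or length leaves you), here is an added example; it is not from the original post, and the guess rate, the wordlist and the mangling-rule count it uses are constructed illustration values.

```python
import math
from typing import Optional

# Alphabet sizes an exhaustive search must enumerate.
LOWER = 26
MIXED_ALNUM = 26 + 26 + 10      # upper + lower + digits
FULL_ASCII = MIXED_ALNUM + 33   # plus space and printable punctuation (95 total)

def keyspace(charset_size: int, length: int) -> int:
    """Candidates a brute-force search must cover for a random password."""
    return charset_size ** length

def entropy_bits(charset_size: int, length: int) -> float:
    """Strength in bits, i.e. log2 of the keyspace."""
    return length * math.log2(charset_size)

def expected_crack_seconds(charset_size: int, length: int,
                           guesses_per_second: float) -> float:
    """Expected time to hit a random password: half the keyspace on average.
    The rate is whatever the attacker's hardware sustains; the value used
    in the usage below is a constructed illustration, not a measurement."""
    return keyspace(charset_size, length) / 2 / guesses_per_second

def policy_ceiling_bits(allowed_charset: int, max_length: int) -> float:
    """Strongest password a policy can allow once it restricts the allowed
    characters and caps the length (the complaint in the post above)."""
    return entropy_bits(allowed_charset, max_length)

def dictionary_bits(password: str, wordlist: set,
                    mangles_per_word: int = 1000) -> Optional[float]:
    """If the password is just a dictionary word with digits/punctuation
    tacked on, return the far smaller effective search a dictionary attack
    faces (wordlist size times an assumed number of mangling rules); else None."""
    core = "".join(ch for ch in password.lower() if ch.isalpha())
    if core in wordlist:
        return math.log2(len(wordlist) * mangles_per_word)
    return None

if __name__ == "__main__":
    rate = 1e9  # constructed: one billion guesses per second
    for label, cs, n in [("8 chars, full ASCII", FULL_ASCII, 8),
                         ("12 chars, lowercase only", LOWER, 12)]:
        days = expected_crack_seconds(cs, n, rate) / 86400
        print(f"{label}: {entropy_bits(cs, n):.1f} bits, ~{days:,.0f} days at {rate:.0e}/s")
    print("policy capped at 8 alphanumerics:",
          round(policy_ceiling_bits(MIXED_ALNUM, 8), 1), "bits")
    print("Password123 vs a tiny wordlist:",
          dictionary_bits("Password123", {"password", "letmein"}))
```

Note that 12 lowercase letters (about 56 bits) already outnumber 8 characters from all 95 printable ASCII characters (about 53 bits), which is the post's point; the dictionary check shows why length alone does not save a password built from a word.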
rfunk: (Default)
I almost let this topic go by, but news came today that keeps it from being completely stale.

The 2007 Boston Mooninite Scare

Mood: cynical
Music: Cracker - "Teen Angst"
rfunk: (Default)
posted by rfunk at 05:42pm on 17/01/2007
Sometimes schneier reads more like an absurdist-humor blog than a security-issues blog. Today he linked to the tragic tale of an artist unable to ship his empty (but labeled) containers.

The labels on the empty containers include one for rocket fuel ("type: infinite improbability"), as well as some for nitrogen ("78.084% pure") and neon ("0.0018% pure"). The idea of shipping this sort of hazardous material frightened the FedEx courier.

There may be some hope for the courier, however. Philosophically, if not intellectually. He said the bottle of "certainty" just sounded too suspicious.
Mood: amused
rfunk: (Default)
posted by rfunk at 09:57pm on 25/07/2006
The good news:
You've heard of Wikipedia, right? Well, now there's WikiTravel!

The bad news:
Sky Marshals Place Innocent People On 'Watch List' To Meet Quota
(Noted by both Bruce Schneier and Pam at Pandagon, both pointing to the same source.)
Mood: cynical
rfunk: (Default)
posted by rfunk at 12:57pm on 19/07/2006
Those of us in the Great Lakes states can easily forget that we're actually living in border states -- Canada is just across the lake.

With that in mind, I was interested to learn that not only will passports be required (rather than just a driver's license and birth certificate) to cross the Canada border by air starting in 2007, and by land starting in 2008, but that the passport requirement is not planned to apply to crossing by ferry or private boat. There are a LOT of private boats crossing between the US and Canada on the lakes every day.

If I were the type of person to be paranoid about terrorist attacks, I might start worrying about attacks on Cleveland -- or the Davis-Besse nuclear power plant. Instead I'm more interested in the quickest and easiest way to flee the country if and when necessary. Well, I'd also just like to go see Toronto sometime.

Still gotta find my birth certificate though. And I've been intending to get a new passport anyway for a year now; the one I got when I was 17 is long-expired, and I'm hoping to avoid a passport with an RFID chip.
rfunk: (Default)
posted by rfunk at 10:06am on 05/09/2005
Bruce Schneier and friends look at the security at Hogwarts and find it lacking.
Mood: amused
rfunk: (Default)
Every six months for more than five years now, I've been buying the new release of OpenBSD. Yet I haven't actually installed one of those new releases in almost four years, and haven't actually used OpenBSD in over two years.

So why do I keep buying it? Mostly to support three major aspects. (Non-geeks may want to skip to the last one.)

1. Security - OpenBSD's approach to security is one that deserves attention and support. And since their security solutions often find their way out to the world beyond OpenBSD (OpenSSH being the most prominent example), supporting OpenBSD supports security on Linux and other systems.

2. Free Software Activism - With the popularization of binary-only Linux drivers and software, and the concurrent marginalization of the GNU Project, OpenBSD has become the foremost twister-of-arms in the struggle to get not only useful software under completely-free licenses but also the information necessary to run that software on today's hardware. This work on the part of the OpenBSD people benefits Linux people too. (See also #3 below.)

3. Music - How many operating systems include an original song with each release? Thanks to Ty Semaka, OpenBSD has been doing it for eight releases now, and each one has a different style - techno, industrial, lounge (Bond theme-ish), anthemic hard rock, folk balladry with two types of hip-hop mixed in, Pythonic, Johnny Cash-ish, and now Floydian. They started out as theme songs of a sort, but starting with OpenBSD 3.3's "Puff The Barbarian" they became allegorical commentaries on the political issues the project had been facing, usually related to their efforts related to #2 above. The latest song, for the upcoming OpenBSD 3.7 release, is "Wizard of OS", a Pink Floyd style commentary on closed-specification hardware with a chorus of "Ding dong the lawyer's dead / You're off to see the Wizard kid". (The comments alongside those lyrics help explain my #2 above too.) Presumably the Dark Side of the Moon sound is a nod to the idea of that album being used as a soundtrack to The Wizard of Oz.

But my favorite OpenBSD song remains the second one, OpenBSD 3.1's "Systemagic", with its vampire-slayer motif, goth-industrial sound, and verses like:
Cybersluts vit undead guts
Transyl-viral coffin muck
Penguin lurking under bed
Puffy hoompa on your head

Oh yeah, and if I ever need to set up a secure web server quickly, I always have the install CDs on hand, though for long-term maintainability I still prefer Debian.
Mood: geeky
Music: Ty Semaka - "Systemagic"
rfunk: (Default)
posted by rfunk at 10:30pm on 03/04/2005
Today I got up early and joined some Canton friends for a seven-hour excursion for lunch in Columbus. Why?
We went to meet Duane Groth, president of the CAcert board.

CAcert is a project intended to apply a strict form of the PGP-style "community web of trust" model to SSL-style (X.509) certificates, rather than paying someone like Verisign or Thawte to sign your certificates. CAcert uses a point system: people get points by being "assured" (having their identity verified) by someone with enough points to have that power. Normally you get up to 35 points for being assured by one person, and once you accumulate 150 points you can assure other people. (There are also certificate-related benefits available depending on the number of points you have.)

Duane is on an extended leave from Australia to tour the U.S. promoting CAcert and seeding the system by creating new Assurers. As a board member, he has the power to award 150 points to a person all at once, immediately making that person an authorized assurer, who is then able to award up to 35 points per authenticated person. (I like to think of it as a bit like getting your PGP key signed by Phil Zimmerman, though the web-of-trust models work a bit differently. Which made me wonder, stega, did you ever get a PGP key signed by Zimmerman before fleeing his company?)

So now I am authorized to authenticate people and award up to 35 points to them, as are the other people I went with. (As I write this I am among a total of 1775 authorized CAcert assurers in the world, and 23260 verified users in the system.) I can also create assured client certificates, code signing certificates, and server certificates. The only problem is that today's SSL client software does not yet trust CAcert by default; the CAcert root certificate must be imported and trusted. Apparently it would cost $75000 plus $10000/year to get it into Internet Explorer (far outside CAcert's budget), but they are working on getting it into Mozilla/Firefox.
Mood: geeky
rfunk: (cartoon)
posted by rfunk at 11:30pm on 07/12/2004
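The point system described in this post (35 points per assurance, 150 to become an assurer, a board member's one-step 150-point grant) modelled as a small state machine. This is an added example, not CAcert's own code; the class and function names are this example's own, and the rule that one person cannot assure you twice is an assumption.

```python
import math

ASSURE_THRESHOLD = 150   # points needed before you may assure others
MAX_PER_ASSURANCE = 35   # most points one ordinary assurer may award
BOARD_GRANT = 150        # a board member may award this in one step

class Member:
    """A CAcert user; the class name and fields are this example's own."""
    def __init__(self, name: str, board: bool = False):
        self.name = name
        self.board = board
        self.points = 0
        self.assured_by = set()   # names of people who verified this member

    def can_assure(self) -> bool:
        return self.board or self.points >= ASSURE_THRESHOLD

def assure(assurer: Member, assuree: Member, points: int) -> bool:
    """Record one identity verification and award points.
    Returns True if the assuree has now crossed the assurer threshold.
    Raises ValueError for awards the model does not permit."""
    if not assurer.can_assure():
        raise ValueError(f"{assurer.name} has only {assurer.points} points")
    if assurer is assuree:
        raise ValueError("cannot assure yourself")
    if assurer.name in assuree.assured_by:
        # Assumption: the same assurer cannot verify you a second time.
        raise ValueError(f"{assuree.name} already assured by {assurer.name}")
    limit = BOARD_GRANT if assurer.board else MAX_PER_ASSURANCE
    if not 0 < points <= limit:
        raise ValueError(f"award must be between 1 and {limit}")
    assuree.points += points
    assuree.assured_by.add(assurer.name)
    return assuree.can_assure()

def assurances_needed() -> int:
    """Distinct ordinary assurers a newcomer needs at the maximum award."""
    return math.ceil(ASSURE_THRESHOLD / MAX_PER_ASSURANCE)

if __name__ == "__main__":
    duane = Member("duane", board=True)
    rfunk = Member("rfunk")
    print("rfunk is an assurer after the board grant:", assure(duane, rfunk, BOARD_GRANT))
    alice = Member("alice")
    print("alice is an assurer after one 35-point assurance:", assure(rfunk, alice, 35))
    print("the ordinary route needs", assurances_needed(), "separate assurers")
```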
My apologies to the vast majority out there who don't care about any of this.

PHP is annoying

Soekris + m0n0wall = nice small firewall

Geek Showdown: Debian vs Cartoon Nudity
Mood: geeky
rfunk: (phone)
posted by rfunk at 02:50pm on 02/10/2004
I'm sitting here at the Hyatt Regency Columbus at the second Ohio LinuxFest, and so far the most interesting talk was about Security-Enhanced Linux. But it wasn't interesting only for the obvious reasons; it was also interesting because it reminded me of some mildly annoying namespace clashes in technology:

When someone mentions "MAC", it could be a reference to:
- An Apple Macintosh
- Medium Access Control on an ethernet network, or the hardware address used in that protocol
- Mandatory Access Control security

Then we also have:
- eMacs, the type of Apple computers
and
- Emacs, the "extensible, customizable, self-documenting real-time display editor."

I've also learned enough about FreeBSD here that I might give that another try; the last time I tried it was in the late 90s with version 3.something.
Mood: geeky