A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects. —Robert A. Heinlein
-
Tue Dec 2 8:52 pm, 2008
Highly recommend s3cmd as a way to interface with your S3 service if you're always on the command line anyway -- feels as close as a single line away. I'm often syncing files up, and it does a nice combo of GPG and https for the transfers. I'm not using S3 for anything like media, just small files, knowing that if there were some kind of complete failure of both my backup drive, main HD at the same time, I've got S3 (for which I'm paying much less than a dollar a month -- yeah, again, no media files).
-
Thu Oct 16 9:17 pm, 2008
I'm always in favor of security research, and I have enjoyed following the developments in quantum cryptography. But as a product, it has no future. It's not that quantum cryptography might be insecure; it's that cryptography is already sufficiently secure.
The Schneier is awesome. Never afraid to put some smack down on quantum cryptography. Or the TSA. Other things too, I'm waiting for Schneier smack down updates.
-
Fri Jul 25 10:36 pm, 2008
I love this story. You probably know it. An SF city admin, a government employee, refused to turn over the passwords to the city's fiberWAN because he claimed the government was incompetent and insecure. Read more about it here, and here. Today's Slashdot thread on the subsequent password reveal by the DA brings up common problems about passwords in IT.
If you make the password policy more than trivial (the name of your dog, the word 'password', a word from a dictionary) users will simply write the password down on a post-it and put it on the front of their monitor. No kidding. Admins shrug; they know what I'm talking about. The easiest thing to figure out is a common user's password in a weak password strength system, especially if you can talk to them or know anything personal about them. Guy grew up with Polish grandparents? Throw a Polish dictionary at it. Has pics of their dog in their cubicle? Easy. Big Lord Of the Rings or Doctor Who fan? Please, I think there is password cracking software built around that single case. I personally use a password generator in most cases and store those values in password-safe. But the majority of users will never ever be bothered to use that software. You can try and make them, but I'm telling you now, they won't. Let's reiterate that: most people will never store or create their passwords in a secure manner, so let's proceed with the next best thing.
The rule is: if they can't easily remember it they will either write it down (on a post-it most likely) or forget it and keep asking you, even though in a proper system you have no idea what their password is. So, what I usually do is talk to them for a few minutes. What interests them? Is it the Beatles or late 80's sit-coms, for instance? Can they recall lines or lyrics even if they were comatose, with an accuracy that belies modern neurological understanding? Almost all people have some subject like this, that they click on. Tell them to choose some lyric, for instance, take the first letters from it, and give them arbitrary rules like "change all T's to !'s", or "e's to 3's", "make the first and third letter capital" etc. It's important to be somewhat arbitrary about this. The obvious ones are "all a's to @" and so on. So, for instance "Everybody's got something to hide except for me and my monkey" might become "3gS!h3fm@mm" (it looks difficult to recall, unless you are remembering explicitly the lyric and the substitution rule). Pretty good strength-wise, and knowing the basic idea they can figure it out if they forget it (which makes them much less likely to write it down). But make sure they end up with something about 8 characters long. Of course they don't have to tell you what it is as they're coming up with it. And this is important: make sure they understand to never use this exact password for any other account. This takes time to explain to people, which most IT guys don't have, so there's the downside. But that 5 minutes is worth countless hours of work and decent sleep time.
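To make the derivation above concrete, here is an added example (my own illustration, not code from the original post) that applies the described steps to the lyric: take the first letter of each word, apply the substitution rules, capitalize the chosen positions, and then check the result against a minimal length/character-class policy. It assumes the letters are lower-cased before the substitutions run and that the substitutions are applied in the order listed, which is the reading that reproduces the post's "3gS!h3fm@mm".

```python
import string

# Rules as described in the post: T->!, e->3, a->@, then capitalize the
# first and third character. Order of application is an assumption.
SUBSTITUTIONS = [("e", "3"), ("t", "!"), ("a", "@")]
CAPITALIZE_POSITIONS = (0, 2)


def initials(phrase: str) -> str:
    """Lower-cased first letter of each word; words not starting with a letter are skipped."""
    return "".join(word[0].lower() for word in phrase.split() if word[0].isalpha())


def derive_password(phrase: str,
                    substitutions=SUBSTITUTIONS,
                    capitalize_positions=CAPITALIZE_POSITIONS) -> str:
    """Mnemonic derivation: initials, then substitutions, then capitalization."""
    result = initials(phrase)
    for old, new in substitutions:
        result = result.replace(old, new)
    chars = list(result)
    for index in capitalize_positions:
        if index < len(chars):
            chars[index] = chars[index].upper()
    return "".join(chars)


def meets_policy(password: str, min_length: int = 8, min_classes: int = 3) -> bool:
    """Minimal sanity check: roughly the length the post asks for plus mixed character classes.

    This is a floor, not a strength estimate; a randomly generated password
    from a password manager is still the stronger choice.
    """
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_length and sum(classes) >= min_classes


if __name__ == "__main__":
    # Constructed inputs: the lyric from the post and a deliberately short one.
    for lyric in ("Everybody's got something to hide except for me and my monkey",
                  "Hey Jude"):
        pw = derive_password(lyric)
        print(f"{lyric!r} -> {pw!r} (meets policy: {meets_policy(pw)})")
```

The short second lyric shows the failure mode the post warns about: a memorable line that yields too few characters produces a password that fails the length check, so the user needs a longer phrase rather than a weaker rule.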
Now, this isn't the best thing in the world, it won't satisfy the serious password nuts, it isn't the most secure, but it's the most realistic and in this sense it is vastly more secure than the alternative, like "mr biggles" (or the person who thought they were being clever by using "swordfish"). And it has to be occasionally changed -- I'm not talking about top-secret level material here, I'm talking about day-to-day. It's important, take some time to do it.
-
Sun Jun 15 9:31 pm, 2008
If you're not encrypting your important data, you really should be. It's not about being paranoid, it's more about simple pessimism. I've used passwordsafe for a long time, and on the mac you can easily create a mountable AES encrypted disk image -- but I want to be able to open the image on any system -- whether it's a pc, my ubuntu install, my eeepc, my mac. Truecrypt has this covered, with versions for all platforms. Drop these files on Amazon's S3 service and stop worrying about things like airport laptop searches.