Google as a password cracker

Light Blue Touchpaper does a nice job explaining the utility of a giant online cache of password hashes:

In both the webpages, the target hash was in a URL. This makes a lot of sense — I’ve even written code which does the same. When I needed to store a file, indexed by a key, a simple option is to make the filename the key’s MD5 hash. This avoids the need to escape any potentially dangerous user input and is very resistant to accidental collisions. If there are too many entries to store in a single directory, by creating directories for each prefix, there will be an even distribution of files. MD5 is quite fast, and while it’s unlikely to be the best option in all cases, it is an easy solution which works pretty well.

Because of this technique, Google is acting as a hash pre-image finder, and more importantly finding hashes of things that people have hashed before. Google is doing what it does best — storing large databases and searching them. I doubt, however, that they envisaged this use though.

Maybe they thought weak passwords are not their problem to solve, and for good reason. The fact that MD5 hashes are now considered weak and common makes them about as “secret” as the original words they try to obfuscate. It is as if MD5 hashes have become as common as words themselves, since there are so many computers “speaking” them, sort of like Chinese becoming common as there are more Chinese people.

Thus, this is similar to asking whether a library should have any vision of how people will use the popular words it collects on its shelves. If we are to say Google should be regulated and hide or destroy the MD5 hashes, just like pornography or other sensitive and offensive material, they will have the interesting task of correctly identifying MD5 hashes to remove from their databases. The more practical answer is for people to use better secrets, with better hashing (e.g. use salts and SHA1), and realize that Google collects everything, or just move away from secrets towards multi-factor authentication. WordPress needs a plugin that gives better authentication options, for sure.
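An added example (not from this post or from Light Blue Touchpaper) of why a digest published in a filename or URL is searchable, and what a salt changes. The word list, `PUBLIC_INDEX` and every function name are constructed for illustration, and PBKDF2-HMAC-SHA1 is used as one salted SHA1 construction; the post itself says only “salts and SHA1”.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for text that has been hashed and published.
COMMON_WORDS = ["password", "letmein", "dragon", "qwerty"]

# Hypothetical stand-in for a search index: every unsalted digest ever
# published (for example as a filename or URL) maps back to its input.
PUBLIC_INDEX = {}
for word in COMMON_WORDS:
    for algo in ("md5", "sha1"):
        PUBLIC_INDEX[hashlib.new(algo, word.encode()).hexdigest()] = word


def cache_path(key):
    """Filename scheme from the quoted passage: MD5 of the key, sharded by prefix."""
    digest = hashlib.md5(key.encode()).hexdigest()
    return f"{digest[:2]}/{digest}"


def lookup(digest_hex):
    """Return the indexed pre-image, or None if the digest was never published."""
    return PUBLIC_INDEX.get(digest_hex.lower())


def hash_password(password, salt=None, rounds=100_000):
    """Salted, iterated SHA1 via PBKDF2. Returns (salt, digest_hex)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha1", password.encode(), salt, rounds).hex()


def verify_password(password, salt, expected_hex, rounds=100_000):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt, rounds)[1], expected_hex)


def demo():
    leaked = cache_path("letmein").rsplit("/", 1)[-1]  # digest exposed in a URL
    salt_a, stored_a = hash_password("letmein")
    _, stored_b = hash_password("letmein")
    return {
        "unsalted_md5": lookup(leaked),  # 'letmein'
        "unsalted_sha1": lookup(hashlib.sha1(b"letmein").hexdigest()),  # 'letmein'
        "salted": lookup(stored_a),  # None
        "same_password_same_digest": stored_a == stored_b,  # False
        "verifies": verify_password("letmein", salt_a, stored_a),  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Plain SHA1 of a common word is found in the index just as MD5 is; the per-record random salt is what makes two stores of the same password produce different digests that no published page can already contain.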

Germans drop English as marketing language

The devaluation of the US dollar has been disappointing, but now I see that the English language may also be losing its value abroad. DW has an amusing report about the move to more native phrasing in German advertising:

One reason for this shift is purely practical. While even native speakers struggle with the double negatives of Adidas’ promise that “Impossible is Nothing,” a study commissioned last year by advertising agency Endmark revealed that Germans respond to most English-language claims with sheer bewilderment.

Faced with a dozen Anglicisms, only one-third of those questioned in the survey actually knew what the slogans meant. Few grasped the point of “Come In and Find Out,” the ubiquitous promotion for the Douglas cosmetics chain. Most consumers, it emerged, thought they were being invited to enter a store and then find the nearest exit.

Would the same group express sheer bewilderment at the logos as well? Does it really matter if they truly understand the phrase or icons if it registers a positive sentiment or simply serves as an identity? I thought that was the point of marketing, not to connect on a more meaningful level.

What does Douglas mean? What does Adidas mean, for that matter? Or more to the point, should anyone really care if they want to buy the product sold under a particular identity? Differentiation is key, according to Businessweek.

It has been permanent jurisdiction in German courts since the 1970s that two, three and four stripe designs infringe adidas’ three stripe trademark. The distinctive mark enjoys a worldwide brand awareness of more than 90 percent. According to the German Federal Court of Justice, the public recalls and recognizes such well-known and distinctive brands rather than un-established marks. It is therefore likely that consumers associate and confuse signs with two, three or four parallel stripes with the adidas trademark.

The objection that the questionable stripe motifs are not used as trademarks, but merely for embellishment or decoration, is negligible. This is because the consumer is accustomed to view parallel stripes on apparel and shoes as evidence of origin and not as a simple design motif.

Ninety percent? That’s impressive, but does anyone really know what the stripes mean? I guess the issue really is that English is no longer seen as sexy or cool enough to move product on its own. Not clear if that’s because of association (e.g. Bush deflating the value) or just a trend, but chances are that it’s both.

Curveball secrets revealed; liar/alcoholic led US into War

History will not be kind to American leaders who called for war with Iraq. More evidence of naive incompetence has come forward:

[CBS’ 60 Minutes] says Mr Alwan’s story unravelled once CIA agents finally confronted him with evidence contradicting his claims.

Back in November 2005, Col Lawrence Wilkerson, the chief of staff to Mr Powell, told the BBC’s Carolyn Quinn he was aware the Germans had said that they had told the CIA of the unreliability.

“And then you begin to speculate, you begin to wonder was this intelligence spun; was it politicised; was it cherry-picked; did in fact the American people get fooled?,” Col Wilkerson said.

A presidential intelligence commission into the matter found that Curveball [Mr Alwan] was a liar and an alcoholic.

Interesting that the Germans did not bite on false information, but the US fell for it at the highest levels.

Vagabond Scholar has a nice writeup of the tragic details.

Psychologists have long known that typically, human beings tend to look for evidence to support their views, not for evidence to contradict them. This dynamic makes the thorough vetting of critical intelligence all the more crucial.

[…]

The Bush administration must take a large share of the blame. Many people forget, as mentioned above, that Bush claimed weapons of mass destruction had in fact been found, and he repeated this claim several times. He later went on to deliberately substitute the argument that “Hussein had WMD” to “Hussein wanted WMD.”

[…]

No one doubted Hussein wanted WMD. The question was whether he had them, and whether he could actually get them.

Wonder where the name Curveball came from.