Category Archives: Security

Google as a password cracker

Light Blue Touchpaper does a nice job explaining the utility of a giant online cache of password hashes:

In both the webpages, the target hash was in a URL. This makes a lot of sense — I’ve even written code which does the same. When I needed to store a file, indexed by a key, a simple option is to make the filename the key’s MD5 hash. This avoids the need to escape any potentially dangerous user input and is very resistant to accidental collisions. If there are too many entries to store in a single directory, by creating directories for each prefix, there will be an even distribution of files. MD5 is quite fast, and while it’s unlikely to be the best option in all cases, it is an easy solution which works pretty well.

Because of this technique, Google is acting as a hash pre-image finder, and more importantly finding hashes of things that people have hashed before. Google is doing what it does best — storing large databases and searching them. I doubt, however, that they envisaged this use though.

Maybe they thought weak passwords are not their problem to solve, and for good reason. The fact that MD5 hashes are now so weak and so common makes them about as “secret” as the original words they are meant to obscure. MD5 hashes have become as common as the words themselves, since so many computers are “speaking” them, in the same way a language becomes common as the number of people speaking it grows.

Thus, this is similar to asking whether a library should have any vision of how people will use the popular words they collect in their shelves. If we are to say Google should be regulated and hide or destroy the MD5 hashes, just like pornography or other sensitive and offensive material, they will have the interesting task of correctly identifying MD5 hashes to remove from their databases. The more practical answer is for people to use better secrets, with better hashing (e.g. use salts and SHA1), and realize that Google collects everything, or just move away from secrets towards multi-factor authentication. WordPress needs a plugin that gives better authentication options, for sure.
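The mechanism described above, as an added example that is not part of the original post: a constructed stand-in for a search engine's index of URLs that embed unsalted MD5 digests, a lookup that turns such a digest straight back into the indexed page, and the salted-hash storage the post recommends, which makes the digest unique per user and therefore absent from any shared index. The index contents, the `example.invalid` host and the 16-byte salt length are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed data: pretend these are pages that named a cached file after the
# unsalted MD5 digest of a common word, exactly as the quoted post describes.
# A search engine that indexed those URLs has, in effect, a pre-image table.
COMMON_WORDS = ["password", "letmein", "sunshine"]
INDEXED_PAGES = {
    hashlib.md5(w.encode()).hexdigest():
        f"https://example.invalid/cache/{hashlib.md5(w.encode()).hexdigest()}"
    for w in COMMON_WORDS
}


def lookup_unsalted_md5(password: str):
    """Return the indexed URL whose path is md5(password), or None.

    Because the digest of a given word is identical everywhere it was ever
    hashed without a salt, one shared table answers the query for every site.
    """
    digest = hashlib.md5(password.encode()).hexdigest()
    return INDEXED_PAGES.get(digest)


def salted_sha1(password: str, salt: bytes) -> str:
    """Salted SHA-1, the scheme the post suggests over bare MD5.

    A per-user random salt means two users with the same password get
    different digests, so no precomputed or crowd-sourced table applies.
    (A deliberately slow KDF such as PBKDF2, scrypt or Argon2 is the current
    standard; the salt is the property demonstrated here.)
    """
    return hashlib.sha1(salt + password.encode()).hexdigest()


def store_password(password: str) -> tuple[str, str]:
    """Generate a fresh 16-byte salt (assumed length) and return (salt_hex, digest)."""
    salt = os.urandom(16)
    return salt.hex(), salted_sha1(password, salt)


def verify_password(password: str, salt_hex: str, digest: str) -> bool:
    """Recompute the salted digest and compare in constant time."""
    candidate = salted_sha1(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Show the difference between an unsalted and a salted store for one password."""
    pw = "password"
    alice_salt, alice_digest = store_password(pw)
    bob_salt, bob_digest = store_password(pw)
    return {
        "unsalted_hit": lookup_unsalted_md5(pw),          # found in the shared index
        "salted_hit": INDEXED_PAGES.get(alice_digest),    # None: salt makes it unique
        "same_password_same_digest": alice_digest == bob_digest,  # False with salts
        "verify_ok": verify_password(pw, alice_salt, alice_digest),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The defensive takeaway is the one the post reaches: a hash of a secret is only as secret as the input space is large and the function is unshared. A salt removes the sharing, so a public index of digests stops being a lookup table for your users' passwords.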

Germans drop English as marketing language

The devaluation of the US dollar has been disappointing, but now I see that the English language may also be losing its value abroad. DW has an amusing report about the move to more native phrasing in German advertising:

One reason for this shift is purely practical. While even native speakers struggle with the double negatives of Adidas’ promise that “Impossible is Nothing,” a study commissioned last year by advertising agency Endmark revealed that Germans respond to most English-language claims with sheer bewilderment.

Faced with a dozen Anglicisms, only one-third of those questioned in the survey actually knew what the slogans meant. Few grasped the point of “Come In and Find Out,” the ubiquitous promotion for the Douglas cosmetics chain. Most consumers, it emerged, thought they were being invited to enter a store and then find the nearest exit.

Would the same group express sheer bewilderment at the logos as well? Does it really matter if they truly understand the phrase or icons if it registers a positive sentiment or simply serves as an identity? I thought that was the point of marketing, not to connect on a more meaningful level.

What does Douglas mean? What does Adidas mean, for that matter? Or more to the point, should anyone really care if they want to buy the product sold under a particular identity? Differentiation is key, according to Businessweek.

It has been permanent jurisdiction in German courts since the 1970s that two, three and four stripe designs infringe adidas’ three stripe trademark. The distinctive mark enjoys a worldwide brand awareness of more than 90 percent. According to the German Federal Court of Justice, the public recalls and recognizes such well-known and distinctive brands rather than un-established marks. It is therefore likely that consumers associate and confuse signs with two, three or four parallel stripes with the adidas trademark.

The objection that the questionable stripe motifs are not used as trademarks, but merely for embellishment or decoration, is negligible. This is because the consumer is accustomed to view parallel stripes on apparel and shoes as evidence of origin and not as a simple design motif.

Ninety percent? That’s impressive, but does anyone really know what the stripes mean? I guess the issue really is that English is no longer seen as sexy or cool enough to move product on its own. Not clear if that’s because of association (e.g. Bush deflating the value) or just a trend, but chances are that it’s both.

Curveball secrets revealed; liar/alcoholic led US into War

History will not be kind to American leaders who called for war with Iraq. More evidence of naive incompetence has come forward:

[CBS’ 60 Minutes] says Mr Alwan’s story unravelled once CIA agents finally confronted him with evidence contradicting his claims.

Back in November 2005, Col Lawrence Wilkerson, the chief of staff to Mr Powell, told the BBC’s Carolyn Quinn he was aware the Germans had said that they had told the CIA of the unreliability.

“And then you begin to speculate, you begin to wonder was this intelligence spun; was it politicised; was it cherry-picked; did in fact the American people get fooled?,” Col Wilkerson said.

A presidential intelligence commission into the matter found that Curveball [Mr Alwan] was a liar and an alcoholic.

Interesting that the Germans did not bite on false information, but the US fell for it at the highest levels.

Vagabond Scholar has a nice writeup of the tragic details.

Psychologists have long known that typically, human beings tend to look for evidence to support their views, not for evidence to contradict them. This dynamic makes the thorough vetting of critical intelligence all the more crucial.

[…]

The Bush administration must take a large share of the blame. Many people forget, as mentioned above, that Bush claimed weapons of mass destruction had in fact been found, and he repeated this claim several times. He later went on to deliberately substitute the argument that “Hussein had WMD” to “Hussein wanted WMD.”

[…]

No one doubted Hussein wanted WMD. The question was whether he had them, and whether he could actually get them.

Wonder where the name curveball came from.

Cops fight over speeding ticket technology accuracy

I have been thinking about this AP story more and more lately. If anyone else was fighting the accuracy of a speed-detection device this would be a non-story, but because it is a retired deputy who says he is trying to maintain his “faith” in the justice system…well, that’s just sad and amusing all at the same time:

A retired sheriff’s deputy nevertheless hopes to beat the long odds of the law by setting the performance of a police officer’s radar gun against the accuracy of the GPS tracking device he installed in his teenage stepson’s car.

The retired deputy, Roger Rude, readily admits his 17-year-old stepson, Shaun Malone, enjoys putting the pedal to the metal. That’s why he and Shaun’s mother insisted on putting in a global positioning system that monitors the location and speed of the boy’s Toyota Celica.

[…]

“I’m not trying to get a guilty kid off,” Rude said. “I’ve always had faith in our justice system. I would like to see the truth prevail and I would like Shaun to see that the system works.”

Truth prevail? Everyone knows the technology is wildly inaccurate and the courts go to some length to defend their weaknesses. The truth is that radar is inaccurate.

Our network intrusion detection sensors are also inaccurate, but at the end of the day the “smoke comes from fire” line of reasoning usually prevails and if there is enough circumstantial evidence and the accused are brought to trial then “justice” is often done in spite of the initial details rather than because of them.

What is your faith in radar speed detection, especially after you drive by one of the giant billboards that inaccurately display your speed? Those things seem like a subtle anti-radar advertising campaign.

Nonetheless, I hope the retired deputy is able to advance the courts’ understanding around technology used to monitor speed, as well as the integrity aspect of information security.