From http://xkcd.com/936/

I love this cartoon. It makes a great point really simply.

However, it’s a bit, well, misleading…

The cartoon suggests that Tr0ub4dor&3 is massively more susceptible to an attack than correcthorsebatterystaple because of the difference in entropy.

Assuming the math is sound (I calculated using the actual password space rather than entropy), I still have a problem with how it might be interpreted.

In the cartoon Tr0ub4dor&3 loses entropy points because it’s based on a non-random word with substitutions. Ok, that’s fair enough. Lots of people do create p4ssw0rds this way so it seems reasonable to punish this with lower entropy.

In short, this password is punished because the format is predictable.

However, if we punish that password for a predictable format, it’s also fair to say that correcthorsebatterystaple is thus susceptible to a dictionary attack. Conversely, Tr0ub4dor&3 is entirely secure against such an attack.

A pure brute force attack against Tr0ub4dor&3 at 1,000 guesses a second would take 180 billion years.

The same attack against correcthorsebatterystaple would take 7.5 billion billion years.

The difference is so gigantic it’s almost inconceivably massive.

However, if we consider a dictionary attack using 860,000 words against correcthorsebatterystaple at 1,000 guesses a second, we’re looking at 17,345 billion years.

Suddenly, correcthorsebatterystaple is a lot less strong.

In fact, if you add a single _ to the end of Tr0ub4dor&3 it now takes 17,134 billion years to brute force. That’s very comparable.

To batter the correcthorsebatterystaple example even more, we could alter our dictionary attack and remove all the words that are shorter than 4 characters from the 860,000 total. This would be reasonable, as you would want your four-word password to be at least 16 characters long.

However, I can’t deny that a pure brute force attack on Tr0ub4dor&3 would take less time than a full dictionary attack on correcthorsebatterystaple, and the latter is much easier to remember.

So it’s still an amazing bit of work – it just helps to understand the details.

So… what?

Well, basically, two things.

1) using a format that helps you remember your passwords is a good idea – whether you combine 4 random words or use substitutions – the weakness comes when someone PREDICTS the format.

For example, using 4 random dictionary words AND making a single typical substitution of an alpha char for a numeric char (e.g. substituting a 0 for an o) secures it completely against a dictionary attack and the hacker would have to resort to a brute force attack. However, if the hacker KNOWS that you did this, they know they can modify their dictionary attack instead.

2) there is no substitute for length when it comes to passwords.

For example, take a simple 8-character lowercase password. Changing one of those 8 characters to a number means it takes 10 times longer to brute force. However, adding another lowercase character would take 26 times longer.

That’s a generous example but it makes the point. Having a short but complex password like and then typing it 4 times is extremely resilient against a brute force attack.
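The arithmetic behind the figures above, as an added example that is not part of the original post. It assumes the post’s model: a pure brute force search over the smallest standard character set the password uses (95 printable ASCII characters for Tr0ub4dor&3, 26 for the four-word phrase), an attacker making 1,000 guesses a second and a 365-day year, which reproduces the 180 billion, 17,345 billion and 17,134 billion year figures; the `variants_per_word` parameter is my addition to model the attacker who knows about the substitution rule.

```python
import math
import string

GUESSES_PER_SECOND = 1000              # attacker speed used throughout the post
SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 365-day year; this reproduces the post's figures

# Standard character classes. An attacker widens the alphabet to every class the
# password is known (or assumed) to use. Punctuation plus space gives the 95
# printable ASCII characters behind the "180 billion years" figure.
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
)

def alphabet_size(password: str) -> int:
    """Size of the union of the standard classes that the password touches."""
    return sum(len(cls) for cls in CHARACTER_CLASSES if any(ch in cls for ch in password))

def password_space(password: str) -> int:
    """Number of candidates a pure brute force search must be prepared to try."""
    return alphabet_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    """Brute force entropy of the password space (no penalty for dictionary words)."""
    return math.log2(password_space(password))

def years_to_search(candidates: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Years needed to try every one of `candidates` guesses at `rate` guesses per second."""
    return candidates / rate / SECONDS_PER_YEAR

def brute_force_years(password: str) -> float:
    return years_to_search(password_space(password))

def dictionary_years(dictionary_size: int, words: int, variants_per_word: int = 1) -> float:
    """Years for a dictionary attack on a passphrase of `words` dictionary words.

    variants_per_word > 1 (a constructed parameter, not from the post) models an attacker
    who knows a mangling rule such as o -> 0 and tries that many spellings of every word.
    """
    return years_to_search((dictionary_size * variants_per_word) ** words)

if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "Tr0ub4dor&3_", "correcthorsebatterystaple"):
        print(f"{pw:26} {entropy_bits(pw):6.1f} bits  {brute_force_years(pw):.3g} years")
    print(f"4 words from 860,000 words {dictionary_years(860_000, 4):.4g} years")
    print(f"same, attacker knows o->0  {dictionary_years(860_000, 4, 2):.4g} years")
```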

Just make sure no-one is looking over your shoulder…


I don’t like the new Gnome either. I had been enjoying Gnome but after 3 was released I swapped back to Xfce.

However, one app which is inexplicably hardcoded to work with Nautilus is Dropbox.

I followed a quick guide here to get it working with Thunar but it kept giving me an error:

Thunar: Unknown option --no-desktop

Taking a look at the suggested wrapper script we see:

exec thunar $@

It’s passing thunar multiple options. So, a quick bit of trial and error gives us:

exec thunar "$2"

Done.

Turns out I’ve got an old PS3. Seems weird to say that but it is a very early version. It only had a 40GB HDD, for example. So in order to take advantage of the PSN Welcome Back I had to upgrade my HDD.

Having read the instructions I knew that backing up, installing the new disk and restoring the system should be relatively simple. Still, I didn’t expect it to go quite as smoothly as it did.

So, Sunday, I went into town and bought a 320GB disk from yoyotech. They may not be the cheapest but they are competitive and working full-time is not very compatible with internet shopping, anyway.

Then, on Monday, my lovely wife borrowed an external HDD from work for me to do the back-up. Bless her.

I was pleasantly surprised that the PS3 backup routine uses a file structure that allows multiple, time-stamped back-ups on the same disk. That’s cool, eh? I did a couple of back-ups just to be sure and then dived in.

Actually changing the drive was easy. I’ve done loads of laptop HDD changes in the past and it was really no different. Although, I’ll wager the screws on the disk caddy weren’t tightened by a human. If they were, that human was having a bad day.

The restore was just as easy as the back-up. A couple of restarts later and everything was exactly as it had been before except now I have 8x the HDD space.

Kind of dull but I am delighted it was that easy. I really didn’t need any hassle!


I picked up a Dell Optiplex SX280 from eBay last week with the intention of setting it up as a dedicated Linux box. Previously I have always worked with dual boots but I decided it was time to have the best of both worlds full-time.

The install went pretty well although it’s been a while since I did anything in Linux. I came a bit of a cropper trying to partition the hard disk. The auto partition scheme was great and worked fine but didn’t make a separate /var and /tmp, which I wanted. So, I resorted to doing it manually but was baffled by cfdisk and working with extended/logical partitions and the fact I couldn’t choose the FS I wanted. Naturally, I shortly discovered that cfdisk doesn’t make filesystems and that comes later in the install.

After that it all went pretty flawlessly. I have used Arch Linux a lot before so the set-up was pretty simple once the OS was actually installed.

Now to set up the services.

I have a friend who works for LG and a few months ago he slipped me an LG Optimus One to have a play with.

I had an HTC Hero before and I loved it. When I initially switched to the LG I hated it. My only experience of Android had been with HTC and I thought Sense and Android were one and the same. Imagine my disappointment when all the great widgets weren’t there.

I stuck with the phone though because it was noticeably faster than my Hero, which was starting to struggle under the weight of the apps.

This week I have finally got my home screens set up just so. I thought I might share some of my favorite apps and widgets in the next few days.

I wish I could post screenshots of my phone but it’s not rooted.


Looks like the baddies have got at LastPass now.

They say there is no cause for concern if you use a strong non-dictionary master password…

Who wouldn’t protect every password they own with the strongest password they could manage?


So, I recently installed some software on my linux box.

I saw on the homepage for the software that they were looking to make a new home page. So, I made a new one for them. I just took their content, threw in some divs and made a simple CSS. Took me about 2 hours (I’m no expert).

The project lead quite liked it. I sent him the files and he put it to the dev list.

What happened? The very first response was: I like it but I think it would be better if we had a wiki front page.

This is absolutely typical open source:

  • There’s a problem or an issue.
  • Someone takes the initiative and solves the issue or problem.
  • They put the solution to the inevitable committee and immediately everyone’s hitherto unmentioned preference comes to light.

What’s most annoying about this is that often you can tell that the responses are from people that have never put any thought into a resolution for the problem or issue before, but now it’s been brought to their attention their brain has wandered off and decided how they’d do it (better). This wandering nearly always fails to take into account that they don’t have time to do it themselves.

What’s even more galling is you know that if you approached “the committee” for preferences before you start, you’ll just get bogged down in discussion and indecision anyway, again taking into account the opinions of people that don’t intend to actually contribute to the solution in a practical way.

So, the work that’s already been done is pretty much discarded and a new solution is proposed, taking into account the newly revealed preferences. As with everything designed by committee, this new solution will then limp along, unfinished for months or even years, because no-one has the time. In the meantime, the perfectly decent solution initially proposed could be filling the gap nicely but instead it sits unused and the time already spent is wasted.

The solution? Well, there are two possible outcomes but no real solution:

  1. get to a point in the “hierarchy” where you just implement your ideas, without even checking with anyone (really ballsy and often risky)
  2. you get really fucking lucky and create a solution that everyone likes and meets everyone’s expectations with an almost psychic degree of accuracy

Good luck!


It’s time to do something other than moan about how boring my job is.

So, I’ve started to learn again.

At the moment I’m doing some stuff with PHP but I’m trying to chuck in CSS as I go too.


We were just about to leave the house this AM when my other half remembered we still had to print something. The laptop was already logged into Ubuntu and I thought “Hell, everything else has been so easy, I’ll give it a go”. I added a printer and printed the document in about two minutes. It was as simple, if not more simple, than Windows. Excellent.


Just spotted something awesome while watching the extras on my Iron Man 2 Blu-Ray. During the “Practical Meets Digital” featurette you’ll see an ILM guy applying a dust map to the Mark II suit and he appears to be using a GNOME desktop, Firefox and Thunderbird. Cool.
