Well, now the major ISPs are talking about sifting through Internet packets looking for copyrighted material. The problem is, I host a boatload of fully legal MP3s for which I, or the contributors, hold the copyright. I’d hate to get a Cease and Desist because the name of one of my songs that I wrote nineteen years ago happens to be identical to one released by some teenie-bop group last year.
I think it’s time I just sucked up the fee and moved most barnson.org traffic to SSL encryption. I’ve been concerned for a while that network sniffers could capture passwords when we log in here, and seeing now that major ISPs are planning on sniffing everything for copyright violations, it’s simply time. That information could be too easily abused.
So on my 2008 resolution list: update barnson.org’s look, feel, and code level while encrypting the traffic.
Certificates suck
Would you purchase a standard SSL certificate from Thawte or Veri$ign? That’s a pretty hefty yearly fee there.
I could personally assist you in getting people to accept a certificate generated by a certificate authority you create. Only problem is new visitors would get ye ‘ole annoying certificate error.
My $.02 Weed
Annoying certs…
Oh, I’ve generated plenty of “snake oil” certificates in my time, and know exactly how to do it. I could have done it long ago for this site, and do so for mail traffic. Godaddy.com has fairly reasonable certs that seem to be accepted by most browsers… I’m going to look into them today, as they are $25/year instead of the $250/year charged by other providers.
—
Matthew P. Barnson
20 bucks..
I’d paypal 20 bucks to you to update the site.. it’s the best site I visit.. I’d be a paying member..
Visit the Official Justin Timpane Website Music, Acting, and More! http://www.timpane.com
I’m Going For The Password Record
Matt,
Like I said last night, and for the sake of keeping my secret friend’s secret identity double-super secret, Comcast has successfully been blocking torrent files getting trafficked through home residential use. According to my secret friend, I don’t think the ISPs are sniffing the material, but just implementing a stone wall which prevents seeds connecting to other peers. However, and this is just my feeling based on history, soon there will be another file format and another swapping technology that will emerge and cause the IP holders to again freak out and figure out yet another way to block the infringers.
So…when are they just going to make music and movies all free and move the model to embedded advertising? Popcorn will cost $15.00.
Anyway, as someone who has been to CES, and has sat front row at the expert-led panels, let me add that CES induces the overstatement effect. These people are all in Vegas, and trying to outdo each other with massive booths, and the latest gadget release, and the big announcement, and the bigger celebrity in the better after-hours party, and the better rental limo…they are liable to say anything that gets press because it means they’ve done their job in establishing buzz at the big annual event.
Notice how the Supreme Court Justices are not in Las Vegas.
Now, in direct response to your takeaway, Matt, I hope you don’t go-for-broke because you’re worried about passwords getting compromised. I mean…everyone out there is using more than one password for all internet/financial/home security, right? Right? I’ve got over 100 passwords and I keep them all organized by KeePass software.
New Password Theory
I’d be curious to get your thoughts on one of the new prevailing security theories out there in terms of password security.
For the longest time, the rule of thumb has been an 8-character, random collection of numbers, letters, and special characters, with a mix of upper and lowercase. Strong passwords, but with the unfortunate side-effect that they’re difficult to remember, prompting your average user to either post it on a sticky to the side of their monitor or put it in a word document (frequently called “passwords.doc”) on their computer.
Now there’s a new theory out that attempts to join a strong password with something that an average user would actually get motivated to use; really, at this point, it’s not much use lamenting the fact that so many computer “newbs” don’t have strong password practices… if they haven’t adjusted to the random-character model after ten years of using their computer they probably won’t ever.
The new theory is passphrases that, on the surface, might seem weak in that they contain dictionary words. Something like “Thequickbrownfoxjumped”. No numbers, no special characters. BUT, the password is over 15 characters long. Most password cracking programs give up after about 12 or 13 characters, because with every added character in a password string the number of combinations increases exponentially. The processing power needed to bust a 20 character password is so prohibitive that it would probably prompt a hacker to choose an easier target.
This is the theory as I understand it. Whether or not it holds up, I leave that to you to decide.
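An added worked example, not part of the original thread, that puts numbers on the passphrase-versus-random-password question above. The guess rate, vocabulary sizes and the 16-word sample list are assumptions chosen for illustration. The point it shows is that a cracker does not have to guess a passphrase letter by letter: it scores the phrase under the cheapest model it can apply (a word list, or a list of famous sentences), so a memorable quote scores far lower than its character count suggests, while randomly drawn words keep their full strength.

```python
"""Compare the guessing cost of a random 8-character password with a
multi-word passphrase under several attacker models.  Added illustration;
the rate, vocabulary sizes and word list are assumptions, not figures from
the discussion."""
import math
import secrets

# Constructed mini word list so the generator runs offline.  A real Diceware
# list has 7776 words (about 12.9 bits per word); this one has 16 (4 bits).
SAMPLE_WORDLIST = ["anchor", "basil", "cobalt", "dune", "ember", "fjord",
                   "gable", "harbor", "ivory", "juniper", "kelp", "lantern",
                   "marble", "nectar", "orbit", "pebble"]


def uniform_bits(choices: int, length: int) -> float:
    """Entropy in bits of `length` independent, uniform picks from `choices` symbols."""
    return length * math.log2(choices)


def effective_bits(models: dict) -> tuple:
    """A secret is only as strong as the cheapest model the attacker can apply.
    `models` maps a model name to its entropy in bits; returns (name, bits)."""
    name = min(models, key=models.get)
    return name, models[name]


def crack_years(bits: float, guesses_per_second: float) -> float:
    """Years to exhaust the whole keyspace at a constant guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def generate_passphrase(words: int, wordlist=SAMPLE_WORDLIST) -> str:
    """Draw words with the OS CSPRNG so the word-model entropy figure actually holds."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def compare(rate: float = 1e10) -> dict:
    """Bits and crack-years for the two schemes from the discussion.
    `rate` (guesses per second) is an assumed offline-cracking speed."""
    random8 = uniform_bits(95, 8)  # 8 printable ASCII characters
    # "Thequickbrownfoxjumped" under three models a cracker might apply.
    phrase_models = {
        "brute-force 22 lowercase letters": uniform_bits(26, 22),
        "5 words from a 10,000-word vocabulary": uniform_bits(10_000, 5),
        "1 of 1,000,000 well-known sentences": uniform_bits(1_000_000, 1),
    }
    name, bits = effective_bits(phrase_models)
    return {
        "random8_bits": random8,
        "random8_years": crack_years(random8, rate),
        "phrase_weakest_model": name,
        "phrase_bits": bits,
        "phrase_years": crack_years(bits, rate),
        "diceware4_bits": uniform_bits(7776, 4),  # 4 random Diceware words
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
    print("fresh passphrase:", generate_passphrase(6))
```

Running it shows an 8-character random password at about 52.6 bits, a four-word random Diceware phrase at about 51.7 bits (comparable strength, far easier to remember), and the famous-sentence model collapsing the quoted phrase to under 20 bits. Length helps only when the words were actually chosen at random.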
The three measurements
The three measurements you should take for full security are: 1. Something you know. 2. Something you are. 3. Something you possess.
So an ideal secure system is a password or phrase, a biometric of some sort (like a retinal or palm scan), and a card-key. If you combine the three, you have a fairly secure system. If you only have two or one, you have a much less secure system.
This is the problem I have with ATM and credit cards. They attempt only to measure 2 of the 3, and credit cards in particular do one of the two very poorly (signature comparison). However, farming out my biometrics to every Wal-Mart on the planet so they can compare them when I buy something isn’t exactly safe either. I don’t have a good solution, but an ideal solution has these three items in it.
I also suspect that if we implemented biometrics for ATMs, thieves would be cutting off a lot more hands or fingers.
—
Matthew P. Barnson
My Theory
My theory is that the best password is one that you don’t need to have.
phrases
One of the coworkers I had at my last company would get his phrases from his favorite books. He would write a number on his monitor that resembled a PIN #. The number actually stood for the page / paragraph / line in a book. The book he used was never the same book. An interesting method I thought…
Another good method for 3 factor authentication would be to use an RSA key instead of biometrics. A credit card company could issue you an RSA dongle that you would have to enter the random generated pin in when making a purchase.
RSA + PIN
Right, we use that at my work: an RSA token plus a memorized PIN form your password. So it changes every time, and it tests two factors: something you know, and something you have.
—
Matthew P. Barnson
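An added worked example, not from the thread or from RSA, of the token-plus-PIN login described above. It uses the open HOTP algorithm from RFC 4226 (HMAC-SHA1 over a counter, truncated to six digits) as a stand-in for the proprietary SecurID token, and checks both factors server-side: the memorized PIN and the one-time code the device would display. The seed, PIN and look-ahead window are constructed for the demo; a production server would also store the PIN with a slow password hash and rate-limit failures.

```python
"""Two-factor check: memorized PIN + HOTP (RFC 4226) token code.
Added illustration; seed, PIN and window size are constructed values."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenAccount:
    """Server-side record for one user: token seed, PIN digest, next counter."""

    def __init__(self, seed: bytes, pin: str, look_ahead: int = 3):
        self.seed = seed
        # SHA-256 keeps the demo short; use a real password hash in production.
        self.pin_digest = hashlib.sha256(pin.encode()).digest()
        self.counter = 0            # next counter value we expect to see
        self.look_ahead = look_ahead  # tolerate a few unused button presses

    def verify(self, passcode: str) -> bool:
        """passcode = PIN immediately followed by the 6-digit token display.
        Succeeds only if both factors match; a used code cannot be replayed."""
        if len(passcode) < 7:      # need at least one PIN digit plus 6 OTP digits
            return False
        pin, otp = passcode[:-6], passcode[-6:]
        pin_ok = hmac.compare_digest(
            hashlib.sha256(pin.encode()).digest(), self.pin_digest)
        matched = None
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.seed, c), otp):
                matched = c
                break
        if matched is None or not pin_ok:
            return False           # counter untouched: a wrong PIN burns nothing
        self.counter = matched + 1  # this code and any skipped ones are now dead
        return True


if __name__ == "__main__":
    # Seed from the RFC 4226 test vectors; PIN is a constructed demo value.
    account = TokenAccount(b"12345678901234567890", "4321")
    print("first login :", account.verify("4321" + hotp(account.seed, 0)))
    print("replayed    :", account.verify("4321" + hotp(account.seed, 0)))
    print("wrong PIN   :", account.verify("0000" + hotp(account.seed, 1)))
```

The counter advances only on a fully successful login, so a stolen code cannot be replayed, and a correct code with a wrong PIN neither logs the user in nor consumes the code. The look-ahead window is what lets the server resynchronise when the user pressed the token button without completing a login.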
Something you be
So why haven’t they put thumbprints into those RSA cards yet?
My $.02 Weed
Biometrics…
I have never had reliable luck with the thumbprint biometric systems. My experience has been that the thumbprint systems throw a lot of false negatives. The guards end up verifying IDs and letting us pass.
The retina scanners work a lot better, although I haven’t seen them used as widely as thumbprints (mainly in secure DoD spaces).
Hand Scanners
The hand scanners we have are very reliable, and don’t tend to give false negatives at all.
Of course, once you research the technology, you realize that the reason they are so reliable is they only “type” people’s hands into six or seven categories. So if you have the right key-card, and out of the six or seven types of hands yours is a fit, you can get in.
A co-worker of mine and I used to play that game. Our hands were the right type, so with a little wiggling I could get the reader to read my hand as his or vice-versa.
A small genetic sample would be better, akin to the daily genetic samples taken from workers in “Gattaca”.
—
Matthew P. Barnson
A lot of the new laptops
A lot of the new laptops come with fingerprint scanners nowadays. By and large, I’ve so far found them to be more trouble than they’re worth. Lots of false negatives, not to mention the fact that the software plays well with the OS, of both the workstation and the server that the workstation is connecting to.