Archive for May, 2011

Write Down Your Passwords

Monday, May 23rd, 2011

Recently someone pointed out that an Ubuntu mailing list will e-mail a forgotten password back to you.  And that this is wrong.  Well, I agree, but…

I am never bothered when a mailing list sends me a plaintext password.

But I do something Extremely Radical: I don’t reuse passwords.

If a mailing list password of mine gets out it is only a mailing list password.

Reusing passwords is too scary. Somehow the idea of having just one (or a small number) of keys to my life and casually handing out copies to anyone who asks seems really stupid. How do I know what they are going to do with it?

Write down your passwords. Yup. Write them down. Keep a list, obscure things a little in the list, but keep a list. Put it in your wallet, keep an updated copy someplace else. If someone steals your wallet you will probably notice it and you will be able to go change passwords before the thief figures out your obscuring scheme.

But when you reuse a password and one of the various sites is broken into, first you won’t know it was broken into, second, even if you did get notified…how would you ever know what other sites you used that password on if you don’t keep a list?

Yes, it is better for mail reflectors to not send out plaintext passwords, but it wouldn’t matter much if you didn’t reuse passwords.

It should bother you that a site is mailing back your real password, but sites are constantly doing things far scarier than e-mailing a password to the right person (such as letting actual criminals get a copy). You should be far more bothered by the password reuse that makes every breach have possibly unbounded consequences.

Even if a site does a password reset and e-mails a temporary password, that is also a risk. E-mailing the original password is only worse if it is used elsewhere.

Don’t reuse passwords.

-kb, the Kent who thinks expiring passwords are stupid, too.

©2011 Kent Borg

Python Command Line Arguments

Wednesday, May 18th, 2011

For quite some time I have thought I shouldn’t parse my own command line arguments in Python, but each time I looked for the “right” way to do it, I turned back.

Today, I decided to persist.

Now I know why I turned back, the libraries were terrible.

I want to have:

mycleverprog.py mycommand --nifty-option

Where the command is to do one thing or do the opposite.  Saying which is required.

The standard library argparse is a little obscure at first, but with a little reading it starts to make sense.  Cool.

Oh, dang!  It is new in Python 2.7, and I am running 2.6.  Okay, so let’s look at the deprecated optparse, it looks really similar, I’ll convert my embryonic code…

Horrors!  I don’t know the history of the project, but it looks like some “little minds” have been at work on this library.  Because it is called “optparse” it doesn’t support “required options” because the term is self-contradictory.  Come on!  A very common use case is to type a command with a required parameter following on the command line.  Think Unix commands like “rm” or “mkdir” or “touch”, or …, you get the idea.  These commands also have “options” that are optional.  So someone built a library that handles the “options” but makes a point of not handling a required parameter, just because of an unfortunate name for the library!?!  They even waste effort pontificating on why options should be optional?

Bosch!

They do talk about “positional arguments” being required, but it isn’t clear whether they even support that.

My solution?  Download

http://argparse.googlecode.com/files/argparse-1.2.1.tar.gz

put argparse.py in

/usr/local/lib/python2.6/dist-packages

and use argparse.  My little utility will just be for personal use–at least for now. By the time I give it to anyone else, newer versions of Python will be standard.  Or I can include a copy of argparse.py.
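The command line shape described above, parsed with argparse, as an added example that is not Kent's utility or his code. The post only says the command is required and picks one of two opposite actions; the sub-command names `on`/`off`, the flag name `--nifty-option`, the program name `mycleverprog.py`, and the `run` function are assumptions made here. Parsing and doing the work are kept apart so the parse result can be checked on its own.

```python
"""Added example, not from the post: the `mycleverprog.py mycommand --nifty-option`
shape parsed with argparse. The sub-command names 'on'/'off' and the flag
'--nifty-option' are assumed; the post only says the command is required and
chooses between two opposite actions."""
import argparse
import sys

# The two opposite actions the required positional argument selects (assumed names).
COMMANDS = ("on", "off")


def build_parser():
    parser = argparse.ArgumentParser(
        prog="mycleverprog.py",
        description="Do one thing or its opposite, optionally niftily.")
    # A positional argument is required by default, and `choices` makes argparse
    # reject anything that is not one of the two commands with a usage error
    # (it prints the usage text and exits with status 2).
    parser.add_argument("command", choices=COMMANDS,
                        help="which of the two opposite actions to perform")
    # `store_true` makes this a plain on/off switch that takes no value.
    parser.add_argument("--nifty-option", action="store_true",
                        help="turn on the nifty behaviour")
    return parser


def parse(argv):
    """Parse argv (a list of strings, without the program name) and return
    (command, nifty) as a tuple. Raises SystemExit on a usage error."""
    ns = build_parser().parse_args(argv)
    # argparse turns '--nifty-option' into the attribute 'nifty_option'.
    return ns.command, ns.nifty_option


def run(argv):
    """Perform the chosen action and return a message describing what was done."""
    command, nifty = parse(argv)
    suffix = " (niftily)" if nifty else ""
    return "turning %s%s" % (command, suffix)


if __name__ == "__main__":
    print(run(sys.argv[1:]))
```

Run it with no arguments, or with a command that is not in `COMMANDS`, and argparse prints the usage text and exits with status 2; that is the "required positional argument" behaviour the post was looking for.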

-kb, the Kent who is slowly getting better and better at Python.

©2011 Kent Borg

Android Pattern Unlock Insecure

Tuesday, May 10th, 2011

When I first saw the pattern unlock feature in Android phones I thought: Cool!

And I used it on my Nexus One.  Until I realized that it is a really stupid idea if I want my phone to be secure.  Don’t do it.

The problem is that the phone screen gets smudged.  And when you unlock your phone you will leave a new smudge trail revealing your pattern.

Here is how to read it: With the phone turned off, hold it up to a bright light, but angle it so that it reflects something dark.  The smudges will be obvious.

Turn the phone on, note where the pattern dots are, turn it off and see what smudges align with the pattern dots.  Turn it on, turn it off, and you will be able to see the pattern.  (At least if the phone wasn’t used much with dragging gestures on top of the pattern area.)

New smudges will write on top of old smudges, they will be “in front”, so to reproduce the pattern in the right order start with the smudges that are “behind”, and trace towards the “front”.

It is tempting to wipe off the screen to clear the smudges of your unlock pattern, but beware: A clean screen is even easier to read than a dirty screen, so if you ever forget to wipe it after entering your pattern, your unlock pattern will be very readable.

This doesn’t mean your pattern lock is completely insecure always.  If you unlock your phone and then use it a lot with plenty of dragging gestures in the pattern area, then turn it off, your unlock pattern will be very hard to read.  But do you ever turn on your phone, maybe just to check the date, and then turn it off?  If so, your lock pattern is not hard to read at all.

So the unlock pattern is cool, but a bad idea.  Instead you should use an unlock code number.

“But wait!” I hear you say.  “Can’t those smudges be read too?”

Yes.  But they are taps not drags, so the order is hard to read.  And this means a 4-digit PIN is not so good.  If someone can figure out what the 4 digits are, there are not that many combinations to try.  Only 24 (4×3×2×1, or 4 factorial).  Increase your PIN to 5 digits and the number of combinations is 57, not great, but a lot better.

I suggest you make up a truly random PIN of, say, 6 digits (have a spinner from a board game?  Maybe use that), then fill in the other digits in, say, left-to-right, top-to-bottom order.  If the person who finds your phone can see that your PIN uses all ten digits (with no repeats), that narrows it down to 3,628,800.  Because your phone limits how fast PINs can be tried, that is pretty good, and you will have a PIN that is pretty easy to remember.  A PIN with repeated digits is cool, but the smudges might show which digit is repeated, diminishing its value somewhat.
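The counting behind the numbers in the last two paragraphs, as an added example that is not part of the post. For distinct digits it is a plain factorial (4 smudged digits in a 4-digit PIN give the post's 24, all ten digits in a 10-digit PIN give the post's 3,628,800). It also goes beyond the post to the repeated-digit case: when the smudges show which keys were pressed but not how often, the candidate PINs of a known length are counted by inclusion-exclusion, and when they also show how many times each key was pressed, by the multinomial formula. The `hours_to_exhaust` helper and its 10-attempts-per-minute figure are assumptions used to illustrate the effect of the phone's rate limiting, not a measured Android value.

```python
"""Added example, not from the post: how many PIN orderings a smudge pattern
leaves to guess. The inclusion-exclusion count for repeated digits and the
rate-limit helper are additions; the post only gives the distinct-digit cases
(4! = 24 and 10! = 3,628,800)."""
from math import factorial


def _comb(k, j):
    """Binomial coefficient C(k, j), written out so this runs on older Pythons."""
    return factorial(k) // (factorial(j) * factorial(k - j))


def orderings(pin_length, distinct_digits):
    """Number of PINs of length `pin_length` that use exactly the
    `distinct_digits` smudged keys, each at least once (repeats allowed when
    pin_length > distinct_digits).  Counted by inclusion-exclusion: all
    sequences over k keys, minus those that skip at least one key.
    When pin_length == distinct_digits this is simply k!."""
    n, k = pin_length, distinct_digits
    if k <= 0 or k > n:
        return 0
    return sum((-1) ** j * _comb(k, j) * (k - j) ** n for j in range(k + 1))


def orderings_with_known_counts(counts):
    """When the smudges also reveal how many times each key was pressed
    (`counts` maps digit -> presses), the candidates are the multinomial
    arrangements n! / (c1! * c2! * ...), which is why a repeated digit that
    the smudges give away is worth less than a fresh one."""
    n = sum(counts.values())
    denom = 1
    for c in counts.values():
        denom *= factorial(c)
    return factorial(n) // denom


def hours_to_exhaust(candidates, attempts_per_minute):
    """Worst-case hours to try every candidate at a throttled guess rate.
    The rate is a parameter because it depends on the phone's lockout
    policy; the figure used in the test is assumed, not measured."""
    return candidates / float(attempts_per_minute) / 60.0


if __name__ == "__main__":
    # Constructed scenarios: the post's two distinct-digit cases, a 6-digit PIN
    # drawn from 4 smudged keys, and a 4-digit PIN where one key is known to
    # have been pressed twice.
    print("4 distinct keys, 4-digit PIN:", orderings(4, 4))
    print("10 distinct keys, 10-digit PIN:", orderings(10, 10))
    print("4 distinct keys, 6-digit PIN:", orderings(6, 4))
    print("keys 1,2 once and 3 twice:", orderings_with_known_counts({1: 1, 2: 1, 3: 2}))
    print("hours at 10 guesses/min for all ten digits:",
          hours_to_exhaust(orderings(10, 10), 10))
```

The repeated-digit count is the number of surjections from PIN positions onto the smudged keys; for a 6-digit PIN built from 4 visible keys it is 1,560, well above the 24 of a 4-digit PIN but far below the 3,628,800 of a PIN that touches every key once.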

The only catch is that it takes a moment to enter a long PIN each time you turn on your phone.

If, however, more and more of your life is in your phone, it might be worth it.

-kb, the Kent who tried to figure out how to photograph the smudges of an unlock pattern lock, but it is tricky to get the lighting right.

©2011 Kent Borg

To Release or Not Release bin Laden Photos: A Most Productive Argument

Wednesday, May 4th, 2011

Nice to have a few things go right.

Sure, the initial reports of the raid on bin Laden’s hideout were a bit confused and got corrected, and will get further corrections, but, if I may parrot others in this cliché, that’s why they call it the “fog of war”.  Even when things go stunningly right, things go wrong.  Reality is always a bit messy.  And reality is good.

Also fun to watch Pakistan argue with itself:

“We are incompetent! He was right under our noses and we couldn’t sniff him out!”

“We are not incompetent!  We knew all along…um, ah, I mean…”

“No.  We aren’t that unified.  Yes, our president might have said he didn’t know where bin Laden was.  He was telling the truth.  We don’t tell him everything.”

“We are incompetent! The Americans flew practically right to our most important military academy, started shooting and blowing things up, stayed around for 40 minutes, and we didn’t really notice.”

Yes, nice to have things go right for the USA.

Though, that isn’t the news here.  A lot of things have gone right for this administration, the news is that they are finally getting credit.  After two-plus years in office, Barack Obama’s administration might have finally figured out how to get their horn blown.

Take the case of the bloody photos of bin Laden’s head partly blown away by a shot to his left eye.  The CIA director says that they probably will be released, eventually.

Anderson Cooper has probably already rehearsed his somber warning that maybe we should all turn away before he shows us the picture, milking it, delaying (so dad can make it back from the kitchen with his beer and not miss anything), and…only showing us the image once…he is sure his warning has maximized the audience. These pictures are so real CNN can practically taste the ratings.

The White House then mutters about it being the president’s decision.

Many hours pass, long enough for indignation and outrage to start to build in the Muslim world over such disrespectful pictures being released.  Finally, hours later, it leaks that President Obama has decided not to release the pictures.  (It is probably official by the time you read this.)

Perfect!  Like the mostly-never-seen shark in Jaws, these pictures are most real and vivid before we see them.  Showing them has clear downsides.  Refusing to show them has different downsides.  But having the administration spending two days arguing in public about whether to release them has none of the downside, and tons of upside.  Getting everyone weighing in on whether to release or not release makes them all buy in on the premise that the pictures exist.  Did we manage to get some of the Muslim world on record saying it would be terrible to release the photos?  Hamas? Iran??  Gosh, I hope so.  It might make it harder for them to later convince anyone he is still alive.

CIA Director Leon Panetta had to be on the losing side of predicting they would eventually be released, but he can handle that.  (And he might eventually be right.)

How tidy.  Things don’t happen this nicely by accident.  The Obama administration is getting good at the PR side of their job.

-kb, the Kent who wonders whether he smells a Plouffe, or maybe just a clever PotUS who can walk, chew gum, and get things done.

©2011 Kent Borg

The ’00s Are Over!

Tuesday, May 3rd, 2011

Culturally the ’60s didn’t begin until about 1963 and lasted until about 1973. A powerful decade even with sloppy dates.

The ’00s have more precise dates: September 11th 2001 to May 2nd 2011.

Not everything in that decade is so tidy. Obama’s Cairo speech on June 4th, 2009, was a preview of the ’10s just as Bush v. Gore, on December 12th, 2000, was a preview of the ’00s. And there will be other exceptions, but these are pretty good dates. Too bad it was such a sorry decade.

What an embarrassment to have to admit it was Osama bin Laden’s decade. He got us to embrace fear, be proud of torture, invade on lies, govern by truthiness, and nearly ruin the global economy.

Count me as one who is happy to see that decade behind us.

-kb, the Kent who thinks it is a good sign we don’t have a current security alert as a CYA “just in case” measure.

©2011 Kent Borg