Nerdy Security Discussion

Ok, I’ve been having a debate in my head for about a week now, and so I figured I’d open it up for discussion:

Right now, I have three classifications of passwords:

  • "Secure" – A memorable, yet obscure base (would look random to most people) with host-specific unique data inserted within (via a mental hash function)
  • "Screen-door lock" – a simple mixed case alphanumeric password I reuse across multiple hosts.  This is for hosts (typically, random Web sites) where it would be mildly irritating if someone had access to my account…
  • "Who cares" – This is for the hosts that I don’t care about yet require me to input a password.  It is a completely insecure, throwaway password.  It could probably be brute-forced in about 30 seconds.

I began thinking about whether or not it would ultimately be more secure to have a single classification of password (really secure, pseudo-random noise) and store those passwords in a single, encrypted password store behind a single "secure" password. This store would obviously be backed up thoroughly and treated like other personal data.

Clearly, this is a single point of failure, so if someone compromises my password store, everything is compromised. On the other hand, each individual password would be far less guessable…

Opinions?



I am a nerd.

While it certainly wasn’t the nerdiest thing I have ever done, waking up at 6am on Friday morning to get an iPhone 3G is up there. I got to the Chestnut Hill mall around 6:40am and was approximately 50-60 people deep in the line. The store was not opening until 8am, so I sat down on the floor, busted out my laptop, and caught up on my RSS feeds, etc. Quickly the line was twice as long, extending all the way out of the mall. My “line buddies” were all pleasant and we were chatting the whole time. We had heard that the Apple Store had planned on moving 100 customers per hour through the store, so being 50 people deep I was expecting to be out of the store by 9pm at the latest. While we waited, Apple had people going up and down the line giving out coffee, tea, and some kind of fancy (smart or vitamin) water, which I thought was a nice showing of appreciation for your psycho-fans.

The store opened at 8am and they let the first batch of about 25-30 people in. They easily had 30 employees working the store, so it seemed like everything would move along quickly. Unfortunately, as some of you are already aware, this was not the case. It quickly became apparent, as 20-30 minutes passed with only a handful of customers leaving the store, that things were taking longer than they had estimated. Apparently both AT&T’s and Apple’s servers were getting crushed. The server for the wireless handheld POS terminals the Apple employees use even crapped out at one point, although that was a quick reboot.

It was 9:40 before I got into the store, and all that meant was further standing in line. I was finally served around 10:15am, but it took forever to execute the transaction because of the network/server crush. Initially, after I finally paid, they took me to a station where they tethered the phone to a Mac and tried to activate it with iTunes, but within the first minute the rep mentioned something about doing it at home and I jumped at it. I got out of the store at 10:40, and there were easily 150+ people still waiting in line. Apparently soon after I left they stopped trying to activate the phones in the store at all, so perhaps the line started moving along quicker after that.

I got home and tried to activate, but it wasn’t until after lunch that I had any luck. Eventually, either Apple/AT&T fixed their problems or enough people gave up that I was able to activate.

All that said, I kind of expected these kinds of problems, so while it sucked, I was prepared for it to suck… I’m loving the phone so far, although it’s going to take me a while to become proficient at typing.

Pobox.com Reminder

Just a reminder to anyone interested: My @pobox.com email address, which I have had for the past 10+ years, is going away at the end of this month (August 30th). I pay a few bucks a year to keep this active, but thanks to spam, the S/N ratio has just become unbearable. For the past few years I have been using my @csh.rit.edu address, so most people seem to send mail there, but if you haven’t updated your address books yet, please do.

“CANCEL THIS, DID NOT WANT IT”

Why are people so god-damned stupid? Someone decided they wanted to unsubscribe from the film club weekly newsletter mailing list. This list is opt-in, so this person managed to subscribe themselves, but apparently clicking the unsubscribe link at the bottom of EVERY LIST MESSAGE was too complicated and they just sent a message to the list (which bounced). Don’t worry, you lazy bastard, I just volunteer my time running this club, but I’ll do your work for you.

BarCampBoston – June 2006

Headed out to Maynard yesterday for BarCampBoston. I had the dubious distinction of being the first person to show up (other than the volunteers putting it together), but fortunately some others were quickly behind me. Hung around for about an hour or so before the first session… At first, it looked like it was going to be a slim selection, but the schedule filled up quickly. The first session I went to was on “Neo-Cartography”, but it was pretty lame because the guys running it spent about 15 of their 30 minutes on going around the room … I was worried that the “ad-hoc” nature of the event would cause all the sessions to be kinda chaucey, but I think people just needed a bit of time to figure out how short 30 minutes actually is.

Went to several great sessions, and I even took notes for several of the sessions I attended. I used SubEthaEdit for the first time, and while nobody else contributed to my documents, a few people requested copies of the notes by adding their address to the bottom of the docs.

I didn’t go back for day two of the conference because I woke up early to take to the airport and when I got back I took a nap that ran “a little long”. I was going to do my talk today on “Why working on classified software sucks”, but oh well. The deal with BarCamp is that every attendee is supposed to give a talk, so I’m a leech, but the whole grid was pretty much full yesterday, so whatever. I’ll be more prepared next time around…

A Noted Harvard Symbologist

I’ve been killing myself trying to finish this design document at work and I finally was able to send it out for review on Friday afternoon. Hopefully people won’t have too many comments about it, because I’d really like to write some code sometime this year.

Got my Powerbook back on Friday; it was shipped out, fixed, and back in the Apple store in less than 72 hours. It seems to be working great now. I had forgotten how nice the keyboard backlight was after going without it for a few months. If I had known how fast the turnaround would be on the repair, I would have had it fixed ages ago.

Pretty laid back weekend, saw The DaVinci Code with the film club last night. As I expected it was way better than the book, which is a worthless steaming pile of shit. That said, it isn’t a GREAT movie, just a good, entertaining flick. It was pretty much exactly what I was expecting, and I’m not entirely sure why the critics have been so harsh on it… Maybe they are all in the pockets of Opus Dei.

lazyweb code review

I’m writing a tool in python that will automate the posting of the weekly newsletters for the film club. Currently, I manually post to LiveJournal, Craigslist, the SNFC webpage, and the mailing list. I had a tool a long time ago but it broke for various reasons.

Anyway, I want to have a directory of .py files containing classes, and call a method [execute()] on each of them. This way I can just create a new subclass, pop it in that directory, and it will be picked up automatically. This is what I came up with; somehow I feel it’s crude and there is a better way to do it (ignore the bad variable names, please):

import glob
import os

plugins = glob.glob("plugins/*.py")

for x in plugins:
    # "plugins/foo.py" -> class "foo" in module "plugins.foo"
    # (plugins/ must be a package, i.e. contain an __init__.py)
    className = os.path.splitext(os.path.basename(x))[0]
    if className.startswith("_"):
        continue  # skip __init__.py and other private modules
    pathName = "plugins." + className

    # a non-empty fromlist makes __import__ return the submodule itself
    foo = __import__(pathName, globals(), locals(), [className])
    bar = getattr(foo, className)

    obj = bar()

    obj.execute(nl)  # nl is the newsletter object built earlier in the script

This code looks for all of the .py files in the dir, imports each one, gets the class from the imported module, and instantiates it. Finally, it calls the execute() method. Any suggestions?
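One way to tighten this up, as an added example rather than the post's own code: load each file explicitly via importlib instead of relying on __import__ with a path, keep only classes that subclass a known base (the `Poster` name and the `plugins.` prefix are assumptions for this example), and let one broken plugin fail without stopping the rest. The demo writes constructed sample plugins into a temporary directory so it runs stand-alone.

```python
import importlib.util
import inspect
import pathlib
import tempfile

class Poster:
    """Base class every plugin must subclass (hypothetical name for this example)."""
    name = "base"

    def execute(self, newsletter):
        raise NotImplementedError

def load_posters(plugin_dir):
    """Import each *.py in plugin_dir and return the Poster subclasses defined in it."""
    found = []
    for path in sorted(pathlib.Path(plugin_dir).glob("*.py")):
        if not path.stem.isidentifier():      # file name must be a legal module name
            continue
        spec = importlib.util.spec_from_file_location("plugins." + path.stem, path)
        module = importlib.util.module_from_spec(spec)
        module.Poster = Poster                # plugins see the base class without importing it
        try:
            spec.loader.exec_module(module)   # runs the plugin file's top-level code
        except Exception:                     # one broken plugin must not stop the others
            continue
        for _, cls in inspect.getmembers(module, inspect.isclass):
            if issubclass(cls, Poster) and cls.__module__ == module.__name__:
                found.append(cls)             # only classes defined in that file count
    return found

def post_everywhere(plugin_dir, newsletter):
    """Call execute() on every loaded plugin, collecting one result per plugin name."""
    results = {}
    for cls in load_posters(plugin_dir):
        try:
            results[cls.name] = cls().execute(newsletter)
        except Exception as exc:
            results[cls.name] = "failed: %s" % exc
    return results

def demo():
    """Constructed sample plugins in a temp dir: one good, one broken, one with a bad file name."""
    tmp = pathlib.Path(tempfile.mkdtemp())
    (tmp / "livejournal.py").write_text(
        "class LiveJournal(Poster):\n    name = 'lj'\n"
        "    def execute(self, nl):\n        return 'posted %d chars' % len(nl)\n")
    (tmp / "broken.py").write_text("raise RuntimeError('config missing')\n")
    (tmp / "not-a-module.py").write_text("class Bad(Poster):\n    name = 'bad'\n")
    return post_everywhere(tmp, "This week: BarCampBoston recap")
```

Running demo() yields only the LiveJournal result: the broken file is skipped at import time and the badly named file is never imported at all.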

Email Changes

I have decided to terminate my Pobox.com addresses once the current subscription ends on August 30th, 2006. My csh.rit.edu address will become my ‘primary’ email address, please update your address books accordingly (and leave a comment here if you have any questions). I’ve been getting nothing but spam and nonsense to this address for a long time, so there seems to be no point in paying a few bucks a year to keep it alive.