23 May
Passwords Are Stupid
There, I have said it. Passwords are indeed stupid. Why, you may ask? One cannot have a password such as ‘fluffy’ and expect his account(s) to be secure, because of dictionary attacks (the brute-force attempt of every word in the English dictionary until access is granted). Thus, self-proclaimed security experts advocate the use of alphanumeric, multi-case passwords, such as ‘12@aE#4($32d*%ki’. Furthermore, no password should be used twice, yet reusing one is exactly what most Internet users do. That is not a password; it is a character sequence, and it is next to impossible to remember. Should it be leaked, every account will be compromised. Since almost every website demands an account to keep track of its users, an ever-increasing number of unmemorable passwords is necessary.
Some spell a password in leet speak, ‘e|\|c1cL0P43D1@’ instead of ‘encyclopaedia’. Leet speak converters exist. It is not an insurmountable task to translate a properly spelled dictionary into leet speak and run a brute-force dictionary attack with it. Moreover, if an attacker knows personal information about his victim, he may narrow the dictionary down to the sets of words that probably make up the password and speed up the attack.
Software developers have come up with password managers. Agile’s 1Password is the most popular password manager on the Mac platform. It can generate secure passwords, manage them, and log a user in with one click. Nevertheless, what if said user is using a mate’s computer or a mobile device? Except on the iPhone/iPod Touch, that user has no access to his pass-character sequences. Even on the iPhone, the 1Password application is inadequate, through no fault of Agile’s: Apple’s developer guidelines disallow the modification of Mobile Safari. Browsing must be done through the 1Password application, which is awkward and lacks Safari features.
Others advocate the use of SSL digital certificates. Secure communication with web servers is established with SSL certificates. When a user sees ‘https’ at the beginning of the URL in the location bar, he knows that data transmissions are encrypted from his computer to the server. In the same way, a user can identify himself to the server using an SSL certificate. A certificate can be obtained for a fee or for free from Thawte and StartSSL for private use.
How does Thawte know who the user is? In order for the certificate to include the user’s name, a driver’s licence number or another form of identification must be submitted for a background check. Then the certificate is issued. When a server detects the certificate, the user is automatically logged on. There is no need for a login prompt. Unfortunately, the certificate must be installed on every browser of every machine, including mobile devices. One cannot use a mate’s computer or a public computer at a library.
What could be a solution? Instead of passwords, one can use pass-phrases: ‘It’s nice to be important, but it’s more important to be nice!’ With proper spelling and punctuation, it is just as secure as ‘12@aE#4($32d*%ki’. Phrases are easy to remember. Dictionary attacks cannot be used on phrases. As long as the phrase is not a cliché or otherwise popular, it is safe to use. Compose your own. It is, however, regrettable that websites are fixated on ‘passwords’. Most password fields are 32 characters long, not enough to compose a phrase. Until websites accept pass-phrases, we have to look elsewhere.
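As an added illustration of the two points above (this is example code, not the author’s), here is a password check that undoes leet spelling before comparing against a wordlist, so that ‘e|\|c1cL0P43D1@’ is caught as ‘encyclopaedia’, and that accepts a multi-word phrase as long as it is not a well-known one. The wordlist, the cliché list and the reverse-leet table are constructed assumptions; a real check would load full lists.

```python
import difflib
import re

# Constructed mini-wordlist and cliché list (assumptions; real checks use full lists).
DICTIONARY = {"fluffy", "encyclopaedia", "password", "important", "nice",
              "secret", "letmein"}
CLICHES = {"to be or not to be", "the quick brown fox jumps over the lazy dog"}

# Reverse leet table, symbol -> letter. Also an assumption: real leet
# converters carry many more substitutions, but the principle is the same.
UNLEET = {"@": "a", "4": "a", "8": "b", "(": "c", "3": "e", "6": "g",
          "1": "i", "!": "i", "|": "l", "0": "o", "$": "s", "5": "s",
          "7": "t", "+": "t", "2": "z"}


def unleet(secret):
    """Map a leet-spelt string back to plain lower-case letters."""
    s = secret.replace("|\\|", "n").replace("|)", "d")  # multi-character glyphs first
    return "".join(UNLEET.get(ch, ch) for ch in s).lower()


def dictionary_like(secret, threshold=0.85):
    """Return the dictionary word the de-leeted secret resembles, else None.
    A similarity ratio is used because a leet table is never exhaustive
    (the text's example uses '1' for 'y')."""
    norm = unleet(secret)
    best, best_ratio = None, 0.0
    for word in DICTIONARY:
        ratio = difflib.SequenceMatcher(None, norm, word).ratio()
        if ratio > best_ratio:
            best, best_ratio = word, ratio
    return best if best_ratio >= threshold else None


def check_password(secret, min_words=4, min_random_len=12):
    """Return (accepted, reason). Phrases of several words are accepted unless
    they are well known; single words are accepted only as long random
    character sequences, and never if they are a (leet-spelt) dictionary word."""
    if len(secret) < 8:
        return False, "too short"
    word = dictionary_like(secret)
    if word is not None:
        return False, f"resembles the dictionary word '{word}'"
    words = re.findall(r"[a-z']+", secret.lower())
    phrase = " ".join(w.strip("'") for w in words)
    if len(words) >= min_words:
        if phrase in CLICHES:
            return False, "well-known phrase"
        return True, f"pass-phrase of {len(words)} words"
    classes = sum(bool(re.search(p, secret))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if len(secret) >= min_random_len and classes >= 3:
        return True, "random character sequence"
    return False, "short single word: add words or character classes"


if __name__ == "__main__":
    for candidate in ("fluffy", "e|\\|c1cL0P43D1@", "12@aE#4($32d*%ki",
                      "It's nice to be important, but it's more important to be nice!"):
        print(repr(candidate), check_password(candidate))
```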

OpenID Login Prompt
One solution is OpenID. It allows one to create one account at an OpenID provider and use that identity on every website that supports it. An OpenID prompt is a text-box that asks for a URL, the location of the user’s identity.
One-login services have been tried before, the most popular being Microsoft’s Passport, but they were universally hated because users refused to allow a mega-corporation to control their Internet identity. The beauty of OpenID is that one can choose his identity provider, or run the OpenID software on his own server if he is ultra-paranoid. No mega-corporation will have a monopoly on users’ identification.
Most users already have an OpenID. AOL, Google, Yahoo, MySpace, Facebook, Flickr, WordPress, Technorati, Microsoft Live, and many others are all OpenID providers. However, Google and Yahoo have made the puerile move of not accepting OpenIDs created elsewhere, yet. Moreover, they advocate the use of buttons: ‘Login with Google’, ‘Login with Yahoo’, ‘Login with Twitter’, ‘Facebook Connect’. Google provides an ugly and long URL. Facebook and MySpace have not yet published their URLs. While a one-click login sounds wonderful, it turns the login prompt into NASCAR, a race-car with tens, if not hundreds, of logos of OpenID providers.

OpenID NASCAR Login
How does it work? Bubba has an OpenID identity. He wants to register with BokayMe, a flowers site, which supports OpenID. He types in http://bubba.myid.net. BokayMe redirects Bubba to myID.net, which is his OpenID provider. Bubba logs into his account with his username and password. Then myID asks Bubba if he wants to register with BokayMe and what identity information he wants to share: name, email address, birthday, etc. The user has the option to accept or cancel the registration request, after which myID redirects back to BokayMe, where the user is logged in if he accepted. From now on, the user never has to log in again as long as he is logged into his OpenID provider.
Unfortunately, more moronic moves from Facebook, Google, and Yahoo may put some users at risk. They have not implemented it properly, or they have tried to simplify the registration process. When a user of these providers is asked ‘Do you want to register with BokayMe?’, only the options ‘Yes’ and ‘No’ are available. The user cannot make an informed decision because the identity information BokayMe demands is not displayed. Maybe the user only wants to provide BokayMe with his email address and not his phone number. Maybe many of the fields are optional rather than required, and he could opt out of providing that information.
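The exchange between Bubba, BokayMe and myID.net, modelled as an added example (not the code of any of the providers named, and a simplification of OpenID 2.0): the site and the provider share a secret, the provider shows the user every field the site asked for before he decides, and the signed assertion carried back through the browser releases only the approved fields. The site checks the signature, that the assertion was issued for its own return URL, and that it has not been replayed. All names, URLs and attribute values are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def _sign(key, params, signed_keys):
    """HMAC-SHA256 over the listed fields in a fixed order, so the provider
    and the relying party compute the same value."""
    msg = "\n".join(f"{k}:{params[k]}" for k in signed_keys).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Provider:
    """The OpenID provider (myID.net in the text)."""

    def __init__(self):
        self.users = {}        # identity URL -> (password, attributes)
        self.assoc_keys = {}   # relying-party realm -> shared secret
        self.sessions = set()  # identity URLs currently logged in

    def register_user(self, identity, password, attributes):
        self.users[identity] = (password, attributes)

    def associate(self, realm):
        """Establish a shared secret with a relying party (an 'association')."""
        self.assoc_keys[realm] = secrets.token_bytes(32)
        return self.assoc_keys[realm]

    def login(self, identity, password):
        stored = self.users.get(identity, (None, None))[0]
        if stored is not None and hmac.compare_digest(stored, password):
            self.sessions.add(identity)
            return True
        return False

    def consent_screen(self, identity, requested):
        """What the user should see: each requested field and the value that
        would be released, so the Yes/No decision is an informed one."""
        attrs = self.users[identity][1]
        return {f: attrs.get(f) for f in requested}

    def issue_assertion(self, identity, realm, return_to, approved):
        """Build the redirect back to the site with a signed assertion that
        carries only the fields the user approved."""
        if identity not in self.sessions:
            raise PermissionError("not logged in at the provider")
        attrs = self.users[identity][1]
        params = {"identity": identity, "return_to": return_to,
                  "nonce": secrets.token_hex(8)}
        params.update({f"sreg.{f}": attrs[f] for f in approved if f in attrs})
        signed_keys = sorted(params)
        params["signed"] = ",".join(signed_keys)
        params["sig"] = _sign(self.assoc_keys[realm], params, signed_keys)
        return f"{return_to}?{urlencode(params)}"


class RelyingParty:
    """The website (BokayMe in the text)."""

    def __init__(self, realm, provider):
        self.realm = realm
        self.return_to = f"{realm}/openid/return"
        self.key = provider.associate(realm)
        self.seen_nonces = set()

    def complete(self, callback_url):
        """Verify the assertion the browser carried back; return (identity, attributes)."""
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        signed_keys = q.get("signed", "").split(",")
        if not {"identity", "return_to", "nonce"} <= set(signed_keys):
            raise ValueError("mandatory fields are not covered by the signature")
        if any(k not in q for k in signed_keys):
            raise ValueError("signed field missing from the assertion")
        if not hmac.compare_digest(_sign(self.key, q, signed_keys), q.get("sig", "")):
            raise ValueError("bad signature")
        if q["return_to"] != self.return_to:
            raise ValueError("assertion was issued for another site")
        if q["nonce"] in self.seen_nonces:
            raise ValueError("assertion replayed")
        self.seen_nonces.add(q["nonce"])
        return q["identity"], {k[5:]: v for k, v in q.items() if k.startswith("sreg.")}


def bubba_registers(approved):
    """Walk the flow from the text with constructed data. Returns the relying
    party, the callback URL and the consent screen so each step can be checked."""
    op = Provider()
    op.register_user("http://bubba.myid.net", "hunter2",   # constructed credentials
                     {"email": "bubba@example.net", "phone": "555-0100", "nickname": "Bubba"})
    rp = RelyingParty("http://bokayme.example", op)
    requested = ["email", "phone", "nickname"]            # what BokayMe asks for
    # 1. BokayMe redirects Bubba to myID.net; 2. Bubba logs in there.
    assert op.login("http://bubba.myid.net", "hunter2")
    # 3. myID.net shows the requested fields; Bubba approves a subset.
    screen = op.consent_screen("http://bubba.myid.net", requested)
    # 4. myID.net redirects back to BokayMe with a signed assertion.
    url = op.issue_assertion("http://bubba.myid.net", rp.realm, rp.return_to, approved)
    return rp, url, screen
```

The consent step is the one the text says Facebook, Google and Yahoo skip: without it the user answers ‘Yes’ without knowing that the phone number is on the list.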
It is best to use veteran OpenID providers. MyOpenID was the first provider and has many features, including multiple profiles and SSL certificate support. claimID has a ton of features, including hCard support on the identity page. The developers are also very active on the claimID blog. In the future, they want to provide value-added services for a fee. Current accounts will be grandfathered in and will pay no additional fee. myID, along with its beautiful interface, has Korean language support and an easy-to-remember URL, http://user.myid.net. VeriSign Labs Personal Identity Portal (PIP) has a confusing interface, but it supports many authentication methods, from simple username and password to SSL, smart card, and key fob. It is best for the ultra-paranoid. Along with securing websites with SSL certificates, VeriSign operates two of the thirteen root servers of the Internet as well as two of the generic top-level domains, .com and .net. They are here to stay.
Lastly, myVidoop, my favourite OpenID provider, has an innovative and secure login mechanism called Image Shield: no passwords, but a matrix of images from categories that are easy to remember. One can choose 3-5 image categories for his login and 7 other categories to obfuscate them, or allow myVidoop to choose at random. For example, a user chooses cats, dogs, and aeroplanes as his 3 categories. Upon login, he is prompted with a matrix of images. The user has to type the letters next to the cat, the dog, and the aeroplane in the text-box. Even if those letters are somehow compromised, they are useless after they have been used once. It is a one-time password, making key-loggers ineffective. In the image below the sequence is ‘MKC’. The images are never the same and they are never in the same position, so each time a user logs in with a different sequence of letters. For added security, the order cats, dogs, aeroplanes can be enforced. By default, dogs, cats, aeroplanes, as well as any other permutation, also works.

myVidoop Image Shield
Furthermore, myVidoop has two-tier security. Even before the Image Shield is displayed, the browser must be recognised, not just the machine. If the browser is not recognised, myVidoop asks how the user wants to be contacted: by email, by voice on the phone, or by text message. It sends a one-time sequence of 6 digits which has to be input. From then on, the browser is recognised, and the Image Shield is displayed whenever the user is logged out.

myVidoop Activation Code Contact Selection

myVidoop Activation Code Entry
Once used, the activation code expires and cannot be reused. Thus, when the user uses a mate’s computer, the browser will not be recognised, and he will be prompted to be contacted by an alternate method (email, voice on the telephone, or text message) with a PIN. Once the PIN is input, the user sees the Image Shield, where he types a letter for each category. The activation code is useful to prevent phishing.
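The two tiers just described, as an added model (example code, not myVidoop’s): an unrecognised browser must first redeem a 6-digit activation code that is valid for exactly one attempt; a recognised browser is then given a fresh Image Shield grid, in which the letters and positions change on every login and a captured answer is worthless the second time. The ten categories and the browser identifiers are constructed.

```python
import hmac
import random
import secrets
import string

# Ten image categories: the user's chosen ones plus decoys (constructed set).
CATEGORIES = ["cats", "dogs", "aeroplanes", "boats", "flowers",
              "trees", "cars", "birds", "fruit", "clocks"]


class ImageShieldAccount:
    """Two-tier login: browser recognition by one-time code, then Image Shield."""

    def __init__(self, chosen, ordered=False, rng=None):
        assert 3 <= len(chosen) <= 5 and set(chosen) <= set(CATEGORIES)
        self.chosen = list(chosen)
        self.ordered = ordered          # enforce the category order or not
        self.rng = rng or random.SystemRandom()
        self.trusted_browsers = set()   # browser ids that redeemed a code
        self.pending_codes = {}         # browser id -> unused activation code
        self.challenge = None           # grid of the pending Image Shield

    # ---- tier 1: browser recognition ----
    def start_activation(self, browser_id):
        """Issue a 6-digit code for the browser. The real service delivers it
        by email, voice call or text message; here it is simply returned."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending_codes[browser_id] = code
        return code

    def activate(self, browser_id, code):
        """Redeem the code. It is removed on the first attempt, right or
        wrong, so it cannot be reused or guessed at leisure."""
        expected = self.pending_codes.pop(browser_id, None)
        if expected is not None and hmac.compare_digest(expected, code):
            self.trusted_browsers.add(browser_id)
            return True
        return False

    # ---- tier 2: Image Shield ----
    def new_challenge(self, browser_id):
        """Return {category: letter} for a fresh grid, or None while the
        browser still needs activation. Letters and positions are drawn anew."""
        if browser_id not in self.trusted_browsers:
            return None
        cats = CATEGORIES[:]
        self.rng.shuffle(cats)                                   # positions
        letters = self.rng.sample(string.ascii_uppercase, len(cats))  # labels
        self.challenge = dict(zip(cats, letters))
        return dict(self.challenge)

    def answer(self, typed):
        """Check the letters typed for the chosen categories. The pending grid
        is discarded whatever the outcome, so a key-logged answer is useless."""
        grid, self.challenge = self.challenge, None
        if grid is None or len(typed) != len(self.chosen):
            return False
        expected = [grid[c] for c in self.chosen]
        got = list(typed.upper())
        if self.ordered:
            return got == expected
        return sorted(got) == sorted(expected)


if __name__ == "__main__":
    acct = ImageShieldAccount(["cats", "dogs", "aeroplanes"])
    code = acct.start_activation("laptop-firefox")       # "sent" to the user
    print("activated:", acct.activate("laptop-firefox", code))
    grid = acct.new_challenge("laptop-firefox")
    typed = "".join(grid[c] for c in ["cats", "dogs", "aeroplanes"])
    print("first use:", acct.answer(typed), "replay:", acct.answer(typed))
```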
One last feature of OpenID: besides self-hosting, it also supports redirection. So, if Bubba has a blog at http://bubbaisondiet.com and wants to use that instead of http://bubba.myvidoop.com, he may do so by inserting the following lines in the header of his page. In the future, Bubba can switch to a different OpenID provider without losing the websites on which he has registered, simply by changing the redirection.
<link rel="openid2.provider" href="https://myvidoop.com/openid" />
<link rel="openid.server" href="https://myvidoop.com/openid" />
<link rel="openid2.local_id" href="http://user.myvidoop.com/" />
<link rel="openid.delegate" href="http://user.myvidoop.com/" />
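What a site does with those four lines, as an added example (not the code of any OpenID library): it fetches the page Bubba typed in and reads the provider endpoint and the identity to assert out of the <link> tags in the head, preferring the OpenID 2.0 names and falling back to the 1.x ones. The sample page is constructed; it also carries a stray <link> in the body, which is ignored because discovery only looks at the head.

```python
from html.parser import HTMLParser

# Constructed page for Bubba's blog, carrying the four <link> tags from the text
# plus a decoy outside the head that must be ignored.
SAMPLE_PAGE = """<html><head><title>Bubba is on a diet</title>
<link rel="openid2.provider" href="https://myvidoop.com/openid" />
<link rel="openid.server" href="https://myvidoop.com/openid" />
<link rel="openid2.local_id" href="http://user.myvidoop.com/" />
<link rel="openid.delegate" href="http://user.myvidoop.com/" />
</head><body><link rel="openid2.provider" href="http://elsewhere.example/" />
<p>Day 3 of the diet.</p></body></html>"""

OPENID_RELS = {"openid2.provider", "openid2.local_id",
               "openid.server", "openid.delegate"}


class _LinkCollector(HTMLParser):
    """Collect href values of OpenID <link> tags found inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
            return
        if tag != "link" or not self.in_head:
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").split():   # rel may hold several tokens
            if rel in OPENID_RELS and rel not in self.links and a.get("href"):
                self.links[rel] = a["href"]            # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(html):
    """Return {rel: href} for the OpenID link tags in the page head."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def delegation(html):
    """Return (provider endpoint, identity to assert), or None when the page
    names no provider. OpenID 2.0 tags win over the 1.x ones."""
    links = discover(html)
    endpoint = links.get("openid2.provider") or links.get("openid.server")
    if endpoint is None:
        return None
    local_id = links.get("openid2.local_id") or links.get("openid.delegate")
    return endpoint, local_id


if __name__ == "__main__":
    print(discover(SAMPLE_PAGE))
    print(delegation(SAMPLE_PAGE))
```

Changing provider later, as the text says, is then just a matter of editing the href values; every site that stored http://bubbaisondiet.com as the identity keeps working.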
For more explanation on OpenID, please read OpenIDExplained and watch the video below.
UPDATE 2009-06-05: myVidoop may be going out of business.
9 Apr
The First Official Declaration by Protesters from the Moldavian Capital (English Translation)
Parts in brackets “[...]” were additions by me for clarification not found in the original text.
See the original in the attached image.
The First Official Declaration by Protesters from the Moldavian Capital (English Translation)
1) We are many; we are young; we are united! We will go until the end!
2) You can no longer control us!
3) We are tired of binding a totalitarian regime; maintained by fear and terror!
4) Communism is guilty of the largest genocide in history!
5) We do not want to be led by those who have murdered and deported our parents and grandparents!
6) We are asking for the resignation of president Voronin and the banning by law of the criminal communist party!
7) We do not want extreme solutions–we are asking for the judging of the president by Constitutional law!
8) We are not executing anyone’s politics, and we have not been paid by anyone!
9) We do not have political colour–we are pure and transparent!
10) Down with the communist magnates who are sending us to work illegally [abroad in foreign countries without a work visa] and stealing our money from Western Union.
11) The luxury furniture and parquet from the Presidency and Parliament were bought from percentages from foreign exchange [one is charged a fee when converting currency].
12) We do not want Italy, Portugal, or Spain!
13) We do not want Canada or Moscow!
14) We want to work and be paid in our country!
15) We want a state based on respect and confidence, not fear and blackmail.
16) Down with the fear, Moldavians!

8 Apr
SHOCKING STATEMENTS FROM VICTIMS OF POLICE ARRESTS IN PMAN (English Translation)
This is a translation of the linked video. Phrases added in brackets ‘[...]’ are additions by me for clarification purposes and not uttered by the reporter nor the girl in the video. You will notice that some of the reporter’s questions to the girl have not been translated. I am having a hard time understanding his accent and he speaks quietly, and I cannot hear him. If you can help, please, comment at the bottom of the story with translations and between which lines to insert them.
This is a speech translation and transcript. It has not been translated into written language (as one would write an essay). Media, please refrain from cleaning it as you may change the message. But, you may correct misspellings.
You may copy this translation, but you must link to the original source: this URL. I’m looking at you http://unimedia.info/ who plagiarised my translation of the official declaration of the protesters found at http://tr.im/iwnE . At least do a proper copy/paste and do not misspell words.
SHOCKING STATEMENTS FROM VICTIMS OF POLICE ARRESTS
Girl:
We were coming from the meeting last evening. It was about 22:30.
In the front of the Presidency, we were attacked by many policemen.
Reporter:
Civilian clothes?
Girl:
Yes, they were wearing civilian clothing and police uniforms.
They attacked us. They put us down. We were with a few more girls and boys.
We were about 15. They kicked us. They kicked the boys harder. The girls were hit too. They put our face down on the pavement. We were named with the dirtiest words ever. Never have we been named with such ugly words.
After about 10 minutes, their van came, and they took us to the police station.
After us, they kept bringing groups of 10-15 youths.
They have never told us real motives [for the arrest].
They asked us if we were the ones who threw stones a day before in the front of Parliament. They said that they have evidence that we were there even though they did not have any.
They were using a clear method of intimidation for us not to go outside tomorrow for the next meeting.
We were beaten. Boys were severely beaten. Girls were not as badly hit, but they pulled our hair. We were threatened that if we go outside again [to assemble in protest], it will be bad. The police are doing their duty well, and that we should not forget this.
I heard that those who were arrested last evening, the 196 of them, with their own words that they were taken to Capazari 166 [unintelligible, probably a street address or police station].
Everyone was very scared. Some were sick and could not take the hard, systematic, strikes from them [the police]. There were sick boys and we were asking for permission to at least go home.
Some people did not know what was going on. They were just simply lifted off the street.
They did not lock us. We were in a large room. We were all put with the face to the wall and our legs spread apart. During this time, they were hitting us. It was tough. We stayed there for 2 hours, but the boys that were with us stayed there for longer. I do not know what happened to them.
We want the entire country to know what is happening, what the police are doing. Our rights are being gravely stepped on, and everyone is staying quiet about this.
It is something horrible. It is something terrifying. The people must know.
Voronin, on television, says that the children are not being ill-treated. It’s a lie. Children are being ill-treated and are scared.
Reporter:
Were there minors?
Girl:
There were minors. Minors were taken into another room.
Reporter:
Were they hit?
Girl:
I do not know [what happened in that other room]. They were hit. Those that took us from the front of the Presidency, they were very violent. We were all hit. Once they brought us to the station, we were split. I don’t know what happened to those [the minors] that were in the other room.
All the police sectors were filled with students. They [the police] were too few and they could not handle the volume of students to take statements from each one. They were talking to each other saying that all sectors [police stations] were filled with students.
They were all happy. They were naming us [cursing]. They were saying that they’ll show us that the police are working.
We are paying [taxes], and they are working in our disfavour. We do not have peace. We are afraid to sleep during the night in the house. We are afraid of going outside on the street. We are afraid of expressing freely our rights. It is something extraordinary. I do not know where else this can happen. Where else has this been heard?
The youth were saying that they were searching for their brothers, sisters. They were arrested at the same time, but they were split to different sectors [police stations]. They did not know what was happening with their sisters.
We could not make calls. They have taken all our things [including phones]. We did not have the right to make calls. And, of course, the youth were worried because they did not know what was happening with their sisters, brothers.
This is how it is. The people were saying that we will still go out [into the street], will still protest because we were peacefully protesting. They lifted and detained us illegally. We were crossing Stefan cel Mare, an intersection in front of the Presidency. We were told that from meetings, students are taken by force into cars and taken somewhere. We were all scared. We did not know what to do. If we stay in the piazza [Piața Marii Adunări Naționale (PMAN), translated as Piazza of Big National Gathering], we will surely be arrested. From stops [street crossings where you have to wait for a green light to cross] they were taking us. We did not know what to do.
From that point on, we were very attentive to cars in case they stop and take us. The cops from behind the shields came and aggressed us. I was hit. My hair was pulled. Even now, a portion of my head is hurting badly. We were named [cursed] with the dirtiest words possible.
Reporter:
Have you addressed anyone?
Girl:
No, I did not address anyone. I went out into the piazza and I will continue to do so. They asked me if I know Brega [Oleg Brega, journalist, himself took a beating last night for filming police beatings], if I have been paid by him–aberrations and nonsense I have never heard in my life. Of course I know him from his works, from his articles, from his journalist work that he is doing.
I do not know what we can do. Only last night we have realised that it will be a tough fight. Our rights are being stepped on. This can no longer happen. We do not know whom to address. The police are our enemy. Should we go [to the police] and say that we were arrested by them and stay there for many hours when they have found out that I know a few journalists. There was a danger that I could have stayed there and been beaten all night.
Original Video:
26 Feb
Run Safari 4 Beta Alongside Safari 3
Download from: http://pastie.org/401793
Screenshot: http://i44.tinypic.com/23krriu.png
1) Save the file as install_safari_beta.sh in the Downloads folder.
2) Launch Terminal.app
3) Type: cd ~/Downloads
4) Type: chmod u+x install_safari_beta.sh
5) Type: ./install_safari_beta.sh
Let it run. You will find ‘Safari 4 Beta’ in the applications folder.
To uninstall, simply drag it to Trash.
By default, plugins like Inquisitor and Safari AdBlock are disabled because most do not work with Safari 4 Beta.
To enable them, type in Terminal: defaults write SafariBeta 'NSUseCocoaInputServers' -bool true
Credit goes to http://vasi.dyndns.org:3128/svn/SafariBeta/HOWTO.txt
I just automated it.
Note to Apple,
Please take a page out of WebKit nightly. Install side by side from now on with no restart required. Never overwrite current versions with beta versions.
SpookyET
UPDATE: If you use RSS feeds in Safari instead of a third-party application, such as Newsfire, you must use Safari 3 instead of Safari 4 to view and manage those feeds. If you use Safari 4 Beta, you will experience anomalies. Sometimes it works. Other times it does not, and the browser goes into an infinite loop and must be forcibly closed. The reason for the behaviour is that the new RSS daemon that ships with Safari 4 is not installed, so as not to overwrite the Safari 3 daemon.