Ignorance like a gun in hand

Sometimes you’re not even looking for a blog topic and one just smacks you in the face.

I got a call from a cousin this evening who reported that both her e-mail and Facebook account had been hacked. I personally set up the e-mail account (circa 1999) with a very basic password. To this day it had not been changed, and a simple derivative of that password was used for her Facebook account. Thus, while I don’t know for sure how the accounts were hacked, I can infer that when one fell, the other did as well. This hacker had changed the passwords to both of her accounts, leaving her locked out.

I told my cousin how to go about regaining access to her accounts, and hung up the phone. But my mind dwelled a bit – for years, I’ve used the same password on most of my accounts. This password isn’t particularly complex (normally scores a medium when it goes through a password meter), but I’ve rested easy knowing that most account hacking comes through phishing these days, and I’m pretty smart about what I click.

It occurred to me though, that my publicly accessible username to many sites is the same I use to log in, making a potential password cracker’s job half as hard (if you’re trying to get into a lock, it’s hard if you don’t have the key, but it’s even harder when you don’t know where the lock is).

Thus, there were a lot of things working against me: searching my name in Google yields at least 4 pages of search results related to my “web presence” (sorry about the word choice, Mike), I used the same password across most of those services, and that password wasn’t incredibly strong to begin with. That doesn’t even account for the possibility of another RockYou (and let’s face it: the odds for are much greater than the odds against).

So I decided it was time, and set about changing my passwords to all my major accounts (the ones I really care about, anyway). I started with Facebook, moved to my e-mail and Twitter and then my banks.

(Seriously, how messed up is my thought process? And make fun of me if you must, but you know your priorities are exactly the same.)

So I got to my online credit card account. I have a Starbucks Duetto Visa, which is administered by Chase, so I went to chase.com, logged in, and after noticing one of my phone numbers was no longer correct and fixing it, set about changing my password. I chose my password, entered my old one, and entered the new one twice.

Here was the response:

I thought I must have done something wrong at first, but sure enough, after closer inspection of the password change form, I found:

What. The. Crap. I understand the fourth one. The last one doesn’t really make a lot of sense since Chase doesn’t enforce a regular password change anyway. I can understand the second one, but while good practice, the fact that you’re limited like that hurts your password’s security statistically. My confusion in this post, however, is mostly directed at bullet points 1 and 3 here.

Firstly, let’s cover what those two points imply. Taken at face value, they suggest (though they don’t prove) that my Chase password is either stored in plaintext in whatever database they use, or is stored two-way encrypted: that is, given a plaintext password and a key, the system produces a ciphertext, and given that same ciphertext and the same key, it can reproduce the original password. A practitioner would add one caveat: a length cap or a banned-symbol list can also be a leftover from an old front-end validator or a legacy back-end system, so these rules are a strong hint about how the password is stored, not a confession.

Non-developers may wonder what the alternative here is: the alternative is a hash. A hash is not encryption at all but a one-way function: given a plaintext password it cheaply produces a fixed-length digest, but given only the digest, it is infeasible to recover the original password. Done properly, the site also mixes in a random per-user salt before hashing, so two users with the same password get different digests and an attacker can’t use a precomputed table against a stolen database. So when you log in to a site that hashes passwords, the site simply recomputes the digest from what you typed (using your stored salt) and compares it to the digest on file; your actual password is never stored anywhere.

So here’s the downside: what if you forget your password? It’s infeasible to get back to the plaintext password given only the digest, so really the only option is a reset: generate a random new password (or, more commonly today, a time-limited reset link), communicate it to you out of band, and let you log in and change it to something you know.

But the upside: storing a hashed password is easier. A hash digest is a fixed-size value no matter what went in (SHA-256, for example, always produces 32 bytes), so the database column has a fixed, predictable width. The digest is just a string of bytes, usually stored as hex or base64, with no characters in it that need special handling.

Here’s what that means: type in a password of any length, with any symbols you want, and the hash function and your database can handle it. You don’t need to worry about capping your users’ password length or limiting the symbols they use. Facebook, Twitter, and other sites that don’t limit your password (within reason) behave the way you’d expect a site that hashes passwords to behave. Based on the errors shown here, Chase’s rules look like the rules of a system that keeps the password itself, in plaintext or two-way encrypted, rather than a digest of it.

Chase isn’t the only site to do it. In fact, most enterprise sites limit your password length (although, not letting you use symbols is a low blow). But why? By letting in a wider variety of passwords, your Facebook password is potentially safer than your bank password. Is this really what we want?

I understand that banks need stronger protection than a social network, but stronger does not mean reversible. The strongest thing you can do with a stored password is a slow, salted one-way hash (bcrypt, scrypt, or PBKDF2), which makes each guess against a stolen table cost real CPU time; two-way encryption with a key that the login system must hold adds nothing against an attacker who gets both the table and the key. That said, layering the two is not a silly idea, and a version of it exists: run the password through a keyed transform (an HMAC with a secret kept outside the database) and then one-way hash the result. To me, this seems like the best of both worlds: the speed and flexibility of a hash, plus the property that a dumped password table is useless without a secret that was never in the database.
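To make the hashing explanation above and the “hash the keyed password” idea concrete, here is an added example, not code from the original post and not anything Chase or any other bank runs. It stores passwords with salted PBKDF2-SHA256, verifies them with a constant-time comparison, and optionally mixes in a server-side secret (a “pepper”, held outside the database) via HMAC before hashing. The iteration count, salt size and the pepper value are assumptions chosen for illustration; the sample passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters (assumptions for this example, not any bank's real settings).
ITERATIONS = 100_000        # PBKDF2 work factor: each offline guess costs ~100k SHA-256 rounds
SALT_BYTES = 16             # random per-user salt defeats precomputed (rainbow) tables
DIGEST_HEX_LEN = 64         # SHA-256 output is 32 bytes = 64 hex chars, whatever the input length

# A "pepper": a server-side secret held outside the database (config vault, HSM),
# so a dumped password table cannot even be attacked offline without it.
# Constructed example value; a real one would be random and never live in source.
PEPPER = b"example-pepper-kept-outside-the-db"


def _kdf(password: str, salt: bytes, iterations: int, pepper: Optional[bytes] = None) -> bytes:
    """Derive a fixed-length digest from an arbitrary-length password.

    With a pepper, the password is first run through HMAC keyed by the pepper and
    that keyed result is then one-way hashed: the 'hash the keyed password' idea.
    """
    material = password.encode("utf-8")          # any length, any symbols, any script
    if pepper is not None:
        material = hmac.new(pepper, material, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS, pepper: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'.

    Only this record goes in the database; the password itself is never stored.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = _kdf(password, salt, iterations, pepper)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str, pepper: Optional[bytes] = None) -> bool:
    """Recompute the digest from the typed password and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = _kdf(password, bytes.fromhex(salt_hex), int(iterations), pepper)
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def digest_hex_length(record: str) -> int:
    """Length of the stored digest: constant, so the DB column never needs a password cap."""
    return len(record.split("$")[3])


if __name__ == "__main__":
    short_pw = "abc"
    long_pw = "correct horse battery staple! \u2603 #$%^&*()" * 5   # 200+ chars, symbols, non-ASCII
    for pw in (short_pw, long_pw):
        rec = hash_password(pw)
        print(digest_hex_length(rec), verify_password(pw, rec))   # 64 True, both times
    peppered = hash_password("Hunter2!", pepper=PEPPER)
    print(verify_password("Hunter2!", peppered, pepper=PEPPER))   # True
    print(verify_password("Hunter2!", peppered))                  # False: no pepper, no login
```

The point the example makes about the Chase rules: neither the length nor the character set of the password affects what gets stored, so a site that hashes has no storage reason to cap either. The pepper variant shows what the “hash of a keyed password” buys you: a copy of the table alone, without the secret held elsewhere, is not enough to even start guessing.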

The only thing this loses, I think, is the ability to simply tell the user their old password if they forget it. Is that what banks are afraid of?

As a postscript, I managed to find a password that is secure for my credit card account. But statistically, my coins in FarmVille (if I played that game) and the status of my pokes on Facebook are safer than my credit card details and transactions. Something is definitely wrong here.

I’m just a stranger on this road

Ever since graduating in May 2009, I’ve struggled for blogging material. I’m not sure if I simply had more time to get out in the world or on the Internet and form opinions on more stuff, or maybe it’s just that now I simply have said most of what I wanted to say. Whatever it is, I’d like to try to blog more, even if the articles themselves aren’t the best.

That said, this particular topic is one that I’ve had on my mind for a while, and it’s seemed to only intensify over the last few weeks. This topic is: driving. More specifically: bad driving.

SC-277, the source of most of my driving rage.

Bad driving is a topic I have covered before, but rather than making this one just about city driving, I’ll try and make this a general purpose guide for how to tick me off on the road. So, without further ado, here we go:

Drive more better: some guidelines for being “that guy” on the highway

  • Drive below the speed limit. And not a couple miles below either. Make sure you’re going 35 in a 45, 15 in a 35, etc., so that everyone behind you is cursing more than your average rap song. Don’t let the fact that you’re not towing anything, that you’re driving a car in good working condition, or really don’t have any excuse to be driving too slow: do it just because.

    Fun variations on this guideline include driving 10 under up until you see a green light turn yellow, then accelerating through the intersection to leave the guy behind you stuck at a red, or ignoring a speed zone change (i.e. a 35 MPH zone becomes a 45 MPH zone) by going exactly the same speed.

  • Leisurely accelerate down the on-ramp while getting on the freeway. After all, there’s no hurry. It’s completely your right-of-way when merging on, so if you’re going 25 MPH the cars behind you will just have to deal.

    Think about it this way: when you fly somewhere in a commercial jet, does the pilot blast you up to full throttle to take off without using the entire runway? Noooooo. After all, that wouldn’t be professional, and the real goal isn’t safely getting in the air, it’s making sure that your passengers don’t feel a thing. Don’t listen to those idiots who claim you need to match your speed on the on-ramp whenever possible.

  • While on the freeway, drive as slowly as possible in the left lane so other cars can’t pass you. I find it’s best to work in teams here: find someone who’s in the right lane going at maximum 5 miles per hour under the speed limit, drive up to them in the left lane and drive along with them for a few (hundred) miles. Highways aren’t made for getting somewhere fast; they’re made for getting somewhere fun, and what better fun is there than making a new friend? The people behind you honking their horns don’t know what they’re doing NOW, but eventually they’ll learn this too.
  • When getting off the freeway, slow down to about half the speed limit about five miles before your exit, just to make sure your brakes are working. To use the airplane metaphor again, do airplane pilots land their plane on the runway every time? Noooooo. What fun is that? Landing miles before the runway is exciting for the passengers and challenging for you. The same principle applies when getting off the freeway: slowing down gives the drivers behind you a chance to make sure their brakes work and makes sure they’re awake. Plus, you have plenty of time to send your obligatory “I’m getting off the highway” text message to each of your 300 cell phone contacts individually. Which leads me to my next point:
  • OMG txt as much as possible!! ;-) No one likes driving alone. Even when you have passengers in the car, it’s not really a party unless you’re in constant social contact with at least 15 friends. Watching the road is for newbie drivers, not seasoned veterans like you.
  • Know your Art of War:
    Let your plans be dark and impenetrable as night, and when you move, fall like a thunderbolt.

    Headlights, turn signals, and following the rules of the road let your enemies know where you are. It’s important not to use any of these “training wheels” designed for drivers less skilled than you. It’s pretty much guaranteed that anyone who’s behind you is a spy working for enemy intelligence services: don’t give them any help.

  • Finally, your political beliefs are important. Make sure you have enough bumper stickers so that everyone knows where you stand. Conclude that everyone who does not share your political belief is an enemy, so you should use one of the previous tactics to aggravate them as much as possible.

Follow these steps and you’re sure to make your journey a little longer, sure, but significantly more entertaining.

(P.S. I’m kidding. Don’t do any of this. Please.)

‘Cause I’m as free as a bird now…

Last night, I tuned in to The Tonight Show for Conan O’Brien’s final show. His last two weeks have been well-documented, well-sympathized and well-protested, so for the most part I’m going to focus on last night’s show.

  • As usual (especially lately), Conan’s monologue was brilliant. He’s at his best when he’s berating himself, and while a lot of his jokes have come at NBC’s expense, it’s seemed that he’s saved the best stuff for himself, like joking about his unemployment (which is sure to be as brief as legally allowed) and suggestions for his next job.
  • I loved the montage, set to “Surrender” by Cheap Trick, exactly like his cold open when he started hosting The Tonight Show. It was fun to watch and reminisce and gave the impression of a guy who loved his job.
  • Conan’s last couple weeks were marked with some marquee guests, and Tom Hanks was no different. My favorite moment was when Hanks offered Conan a drink, and after taking a sip, Conan said, “This is creme soda. I think it’s diet creme soda.”
  • Conan’s musical guest was Neil Young. I’m not familiar with much of his library, but his song choice was appropriate and reminded me heavily of Jay Leno’s last tonight show, when James Taylor played “Sweet Baby James”.
  • Probably my favorite part of the whole episode was the thank you speech, particularly these lines:

    To all the people watching, I can never thank you enough for your kindness to me and I’ll think about it for the rest of my life. All I ask is one thing, and I’m asking this particularly of young people: please don’t be cynical. I hate cynicism, for the record, it’s my least favorite quality and it doesn’t lead anywhere. Nobody in life gets exactly what they thought they were going to get. But if you work really hard and you’re kind, amazing things will happen.

    The rest of his speech was a classy thank you and farewell, but this part seemed to say he wasn’t intending on becoming another David Letterman, who’s been bitter ever since being denied The Tonight Show years and years ago. For me, I couldn’t agree more with his statement.

  • The final number was Will Ferrell and other musical guests covering “Free Bird” (with Ferrell in costume) and Conan rocking the guitar solo. A heartfelt, hilarious, epic ending to a show that was too short.

Wherever and whenever Conan decides to come back on television, I’ll be tuning in. But that’s not to say I’ll boycott NBC, Jay Leno or others. As Conan himself seemed to understand, sometimes bad things happen, and when they do, it’s best to count your blessings and make the best of a good situation.

In closing, here’s one of my favorite Tonight Show bits:

One must put up barriers to keep oneself intact

Buster Olney wrote an article today (which, incidentally, is available only to ESPN Insider readers. Or you can take my word for it.), in which he asserted that baseball writers should not have the privilege of casting Hall of Fame ballots. Olney is quick to point out that he has this privilege, but he still feels it shouldn’t be up to the writers.

I agree, and there are three players who should be in the Hall but probably won’t be, unless another group of voters is selected:

  • Mark McGwire. Possibly the original steroid abuser? Sure. Controversial for his non-statements after his career? Sure. Feared hitter? Definitely. Hall of Fame nominees are supposed to get your vote if they are the most dominant player at their position in their era. McGwire didn’t win many Gold Gloves (he actually got one, in 1990, I learned after some research) at first base, but for a few years in the 90s, he was the most feared hitter in the game. He broke the single season home run mark that had stood for 37 years, but more importantly he hit 583 home runs in his career – many of them long before his biceps blew up like balloons.
  • Barry Bonds. Perhaps the most controversial player in the 2000s, it can’t be denied that Barry Bonds is the all-time career home run leader (762) and single season home run leader (73). If you still have doubt that Bonds was the most feared hitter of his era, he was intentionally walked the most times of any player in history – by nearly 400.
  • Pete Rose. To me, this is even more of a slam dunk than McGwire or Bonds. The only reason Rose isn’t in the Hall is for gambling on baseball while he was a manager. This shouldn’t take away his achievements as a player, which include being the all-time hit leader with 4,256, or having the second longest hitting streak in history at 44. It’d be like if Tiger Woods were barred from the golf Hall of Fame (I assume there is one, and that it’s the same sort of organization as baseball’s) for having too many affairs.

Here’s the point Olney makes and I agree with: writers have agendas. The baseball writers are still upset that they were swindled into the steroids era, and are exacting their revenge on anyone who used or was accused of being on steroids. In Rose’s case, the situation is a little bit different because technically, Rose is banned from baseball, but as the Hall of Fame is a separate organization, they could elect him if they really wanted to.

And another thing: why did it take the writers 15 years to decide Jim Rice was a Hall of Famer? Or what about Bert Blyleven, who’s been on the ballot for 11 years and next year, should finally make it in? What makes him better next year? To me, this is also a sign of voters with an agenda and not voting for the best players of their era. If you’re voting for the best, vote totals should only decrease – you may decide someone is more deserving than that player, but you shouldn’t ever decide “you know what, this old guy was actually pretty good, I’ll vote for him over this new guy.”

So who should vote? I think it should be all active Major League players with 5+ years of service. These are players who are likely to have played against the newest nominees – who would be better at determining who is the most dominant of their era?

Being elected to the baseball Hall of Fame is the greatest individual honor any player can receive. Let’s take the politics out of it.