Archive for the ‘Digital Life’ Category

Password Security Theater

April 20th, 2011

Security theater is a term that describes security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security.

Wikipedia

I’ve been getting annoyed lately by web sites and applications which insist that passwords must be entered in a specific format, or with specific characters, in theory to improve security.  Specifically, so many sites and apps demand that passwords must include upper and lower case letters, numbers (and sometimes symbols).

For example, here’s what happens now when you try to create a new Apple ID in iTunes:

The grey text in that screenshot reads:

“Passwords must be at least 8 characters, including a number, an uppercase letter, and a lowercase letter.  Don’t use spaces, the same character 3 times in a row, your Apple ID, or a password you’ve used in the last year.”

This greatly annoys me, because it’s silly – it’s “security theater” rather than real security.  Using a mix of upper and lower case characters and insisting on the inclusion of a number only marginally increases the security of a password compared to lower case letters only.  And on iOS devices like the iPhone, entering a mix of numbers and upper and lower case characters correctly in a password is simply a pain because of the limited keyboard.

On the other hand you can greatly increase the security of a password, even if it is all in lower case letters, simply by making the password a few characters longer.  I’ll show you the figures below.  It annoys me because the assumption is that a password such as NyZq573j is magically (and that’s the correct word, because it’s magical thinking) stronger than a password such as myfavoritefoodischeese.  In fact, the latter is both much easier to remember and is many, many orders of magnitude more difficult for a brute-force cracking program to discover.

If you treat myfavoritefoodischeese as simply a string of random lower-case characters, then there are some 130,000,000,000,000,000,000,000,000,000 possible combinations of the 22 letters in such a password.  No cracking program could try out that many combinations in the lifetime of the universe.  

But, I hear you say, “if the cracker knows that you habitually use a string of English words in your passwords (I prefer Jeff Atwood’s term “passphrase”) then they can use a ‘dictionary attack’ and quickly crack them”.

Such an attack would work on passphrases of one or two words, perhaps.  But with something like 40,000 reasonably common words in the English language, it only takes a phrase of four or five words to be beyond reach.  In the case of the 5-word phrase above, there are some 10,000,000,000,000,000,000,000 possible combinations of words, less than the random letter scenario but still a vast number, and way more than the mere 210,000,000,000,000 combinations of characters in an 8-character password like NyZq573j.

Here’s a comparison chart (the vertical scale is logarithmic).  “Tokens” means either individual characters or whole words:

Here’s the raw data:

Note how adding a few more characters to a lower-case-only password equals or exceeds the complexity of a password mixing upper and lower case characters plus numbers.  E.g., a 12-character password of all lower case letters is MORE secure than a 9-character password of mixed case and digits.
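The arithmetic behind the comparison above, as an added Python example that is not part of the original post: it computes the keyspace and the equivalent bits of entropy for the post’s cases (the 8-character mixed password, the 22-letter passphrase treated as random letters, the same passphrase treated as 5 words from a 40,000-word vocabulary, and the 12-lowercase versus 9-mixed comparison), estimates worst-case exhaustive-search time at an assumed rate of 10^10 guesses per second (an assumption for illustration, not a figure from the post), and encodes the iTunes-style rule quoted above to show that the short mixed password passes it while the longer, stronger passphrase fails it.

```python
import math

# Token alphabets used in the post's comparison.
LOWER = 26                 # a-z
MIXED_DIGITS = 62          # a-z, A-Z, 0-9
ENGLISH_WORDS = 40_000     # the post's estimate of reasonably common English words

# Assumption for the timing estimate only; not a figure from the post.
ASSUMED_GUESSES_PER_SECOND = 10 ** 10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size, length):
    """Number of distinct passwords when each of `length` tokens is drawn
    uniformly from `alphabet_size` possibilities (characters or whole words)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Equivalent strength in bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case years to try every candidate at the assumed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def passes_complexity_rule(password):
    """The iTunes-style rule quoted in the post: at least 8 characters, a digit,
    an uppercase and a lowercase letter, no spaces, no character three times in
    a row. The 'not your Apple ID' and 'not used in the last year' clauses need
    account state and are left out."""
    if len(password) < 8 or " " in password:
        return False
    if not (any(c.isdigit() for c in password)
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)):
        return False
    for i in range(len(password) - 2):
        if password[i] == password[i + 1] == password[i + 2]:
            return False
    return True


# Constructed rows mirroring the post's own comparison.
CASES = [
    ("NyZq573j (8 mixed chars)",              MIXED_DIGITS,  8),
    ("myfavoritefoodischeese (22 lowercase)", LOWER,        22),
    ("myfavoritefoodischeese (5 words)",      ENGLISH_WORDS, 5),
    ("9 mixed chars",                         MIXED_DIGITS,  9),
    ("12 lowercase chars",                    LOWER,        12),
]


def comparison_table():
    """Return one dict per case with keyspace, bits and worst-case years."""
    rows = []
    for label, alphabet, length in CASES:
        space = keyspace(alphabet, length)
        rows.append({
            "label": label,
            "keyspace": space,
            "bits": entropy_bits(alphabet, length),
            "years": years_to_exhaust(space),
        })
    return rows


def main():
    for row in comparison_table():
        print(f"{row['label']:40s} {row['keyspace']:>34,d}  "
              f"{row['bits']:6.1f} bits  {row['years']:.3g} years")
    for pw in ("NyZq573j", "myfavoritefoodischeese"):
        print(f"{pw!r} passes the complexity rule: {passes_complexity_rule(pw)}")


if __name__ == "__main__":
    main()
```

Running it shows the inversion the post complains about: the rule accepts the password with roughly 48 bits of strength and rejects the one with roughly 103 bits (or about 76 bits even if the attacker knows it is five common words).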

The moral of this story, if there is one, is that longer passwords or phrases are much better than those which merely add a greater variety of characters or symbols.  And web sites which ignore that (or worse, put a limit to the maximum length of passwords) are being ignorant.  The majority of passwords have been stolen because people are forced to write them down because they are hard to remember.  Easy to remember passphrases do not have to be written down and, if long enough, are much more secure.

PS: myfavoritefoodischeese is NOT the password to any web site or computer I use!!

Raising books from the dead

November 28th, 2010

We recently moved house and I had to move the 3,000-odd books in my library, a total of over 75 boxes full. This was not fun. I’m now seriously trying to trim down my book collection (yes, I tried to do this before we moved, but didn’t succeed too well, so now I’m getting serious).

The difficulty, of course, is trying to decide what books I am prepared to part with. I do love well-designed hardcover books, but the paperbacks I own are definitely a target. Some of these paperbacks are forty or more years old, and many are not in great condition. So I’m going through them ruthlessly.

Here is where e-books can be a real boon. If I really want to retain the ability to re-read a particular book, but want to get rid of my current poor-quality paperback, I go looking for an electronic version. If I can find an e-book version on sale at a reasonable price then I’m prepared to pay for it and divest myself of the physical copy. In many cases I can find free e-book versions (for example, all of my Joseph Conrad novels, most of Dorothy Sayers, all of Dickens, Wilkie Collins, Conan Doyle etc, are out of copyright and are readily available as e-books from Gutenberg.org or other sources).

But there are a few books that I can’t locate as e-books (or at least, not legally). Extreme measures might have to be taken!

A case in point: a very old paperback copy of Poul Anderson’s Guardians of Time, which some time in the past had been cheaply bound. I think I bought it second-hand, in this bound condition, many a long year ago. It was now literally falling apart, with the paper oxidized to a light brown color. So I decided to try out my new Epson V330 scanner, which came with a nice OCR program called ABBYY Fine Reader.

The result is shown above. It was a fairly tedious exercise to scan each double-page spread, but it was eventually done. The ABBYY Fine Reader did a remarkably good job in converting the scans into text. I turned the raw text into a first-draft epub e-book using the excellent free Sigil program, transferred it to iBooks on my iPad and read through it, enjoying the story, but also highlighting bits where the OCR hadn’t quite worked correctly, which I subsequently went back and fixed. Result, one resurrected book.

Now my question is, was this legal or ethical?

Here’s my case for the defense: The original book is out of print, so I couldn’t buy another physical copy. I had paid for my original physical copy of the book, and I was not going to sell or even give away that copy (in fact, it went into the recycling bin). I am not going to give away or sell the electronic copy. So at the end of the day, one (physical) copy of the book was destroyed, and a new (electronic) copy was born. I’m left, as I was, with one copy of the book. This may not be strictly legal, but I reckon it is definitely ethical.

I don’t expect that I will be transferring many of my books in this way – the whole OCR exercise is very tedious – but it’s useful to have in reserve when there is no other (affordable) way of retaining the words of a book whose physical copy is beyond redemption.

TV or not TV?

October 23rd, 2010

Well, at the risk of being seen to be the total Apple fanboy (a description that a few years ago I would never have dreamed could be applied to myself), I’m going to talk about my new Apple toy – the new Apple TV. The name is a bit of a misnomer as it isn’t a TV at all, just a media device which connects to your television.

At only AU $129 it wasn’t a major expense, and I figured it would be a modest enhancement to my existing television / hi-fi system.

It has actually exceeded my expectations already, and that got me to thinking about how Apple products compare with products from other companies. I have found through personal experience that a product which looks good on paper often turns out to be a disappointment in practice. That has never happened to me with an Apple product. Rather I usually find myself surprised and delighted that the product does more, or works better, than I had hoped. Perhaps this is one reason why Apple is now (by market capitalization) the second largest company in the world? Or maybe not, there are plenty of huge companies which produce awful products (viz Microsoft).

Anyway, I ordered my Apple TV not long after it was announced, and it arrived a couple of weeks ago.

The first amazing thing is how small this thing is – it literally fits into the palm of your hand. With its tiny size and sleek blackness, it is just unnoticeable in my audio-visual set-up – a visitor would have to have it pointed out to them.

I connected an HDMI cable from the Apple TV to my television, via a switchbox (I only have one HDMI input on my television), and to my hi-fi system via an optical cable. Neither cable is supplied with the Apple TV, by the way. Plugged in the power, turned on the television, and within moments I was being asked to set up a connection to my wireless network, a matter of putting in the network password (you do password your network, don’t you?). Bingo, I was up and running and could rent a movie, or view YouTube or Flickr. A little more set-up (turning on Home Sharing in iTunes on my computer and on the Apple TV) and I could play all of the media I have in iTunes on my computer – all the movies, iTunes U lectures, and digital music I own. One more bit of set-up (pointing iTunes to the photo folder I wanted to view) and I could view all of my digital photos or turn them into a slideshow.

The quality of all of this media is just great, either viewed on my (modest) digital television or played through my (equally modest) hi-fi system.

The first night my wife and I picked out a movie we’d missed at the cinema (The Men Who Stare At Goats), paid for it with a couple of clicks, and watched it through. Sure, we could probably have rented a DVD of this same movie for a couple of bucks less, but the hassle of having to go out to the video store, find the movie, drive it back home, then return it has got to add up to a few dollars of inconvenience value. The only disappointing thing is that, so far, there are a number of movies I would like to see which aren’t yet available for rent in the Australian iTunes store, but, as they say, patience is a virtue. And there are still plenty of movies available for rent which I would like to catch up with.

But the best thing about all of this is when I installed the Remote app on my iPad. It turns my iPad into the media centre of the house. With this, I can sit down in my armchair and scroll through all my media on my computer and start playing through the Apple TV. Being able to scroll through all my music albums and pick one to play instantly through my hi-fi is wonderful.

Then there’s the Internet connection. My daughter came round and mentioned a YouTube clip that our son-in-law had posted. Within a matter of moments we were viewing it full screen on our television.

So I have to confess it – I’m an Apple (TV) fanboy!


Travels with my iPad

September 7th, 2010

(I started writing this post months ago, but only recently rediscovered the draft).

Well, you knew that I was going to buy an iPad, didn’t you? Indeed in recent months I’ve become quite the Apple fanboy. I lusted after an iPad from the moment I saw Steve Jobs demo it a couple of months ago. I ordered one on the very first day that we Australians could do so, on May 10th 2010.

In fact, I ordered two – a 32 GB wifi only version for my wife, who will use hers mainly at home, and a 32 GB wifi plus 3G for myself. I figured that we would need one each so we wouldn’t have to compete for the use of a single device.

Annoyingly, though my 3G model was delivered on May 28th, none of the local carriers would let you order micro-SIM cards or sign up for data plans before that date. I signed up with Telstra, figuring that they have the best wireless coverage, then had to wait for the SIM card. It arrived just in time for me to put it in the iPad and go through the very annoying activation process before we left to go on a 10 day holiday, taking the iPads with us.

I decided not to take my laptop with us, even though our holiday was mainly going to be about researching my wife’s family history. It would, I thought, be a great test of the iPad’s utility.

And indeed it proved very useful in many ways. The GPS chip and the Maps app helped us out many, many times; I could keep up with my email; we could look up things on the Internet; I used it to read books and magazines; I even used it as a (rather large) alarm clock!
