A solution to two-way task list syncing on a Mac & iPhone

I just published a page on my website about a solution I’ve found to an important issue: how to keep task lists on my Mac & my iPhone that are synced. I used to use The Hit List, but the developer’s failure to come up with an iPhone solution has led me to abandon it. To read about my solution, check out “Two-way Syncing Task List Software on a Mac”, at

What passwords do people use? phpBB examples

From Robert Graham’s “PHPBB Password Analysis” (Dark Reading: 6 February 2009):

A popular Website,, was recently hacked. The hacker published approximately 20,000 user passwords from the site. …

This incident is similar to one two years ago when MySpace was hacked, revealing about 30,000 passwords. …

The striking different between the two incidents is that the phpbb passwords are simpler. MySpace requires that passwords “must be between 6 and 10 characters, and contain at least 1 number or punctuation character.” Most people satisfied this requirement by simply appending “1” to the ends of their passwords. The phpbb site has no such restrictions — the passwords are shorter and rarely contain anything more than a dictionary word.

It’s hard to judge exactly how many passwords are dictionary words. … I ran the phpbb passwords through various dictionary files and come up with a 65% match (for a simple English dictionary) and 94% (for “hacker” dictionaries). …

16% of passwords matched a person’s first name. This includes people choosing their own first names or those of their spouses or children. The most popular first names were Joshua, Thomas, Michael, and Charlie. But I wonder if there is something else going on. Joshua, for example, was also the password to the computer in “Wargames” …

14% of passwords were patterns on the keyboard, like “1234,” “qwerty,” or “asdf.” There are a lot of different patterns people choose, like “1qaz2wsx” or “1q2w3e.” I spent a while googling “159357,” trying to figure out how to categorize it, then realized it was a pattern on the numeric keypad. …

4% are variations of the word “password,” such as “passw0rd,” “password1,” or “passwd.” I googled “drowssap,” trying to figure out how to categorize it, until I realized it was “password” spelled backward.

5% of passwords are pop-culture references from TV, movies, and music. These tend to be youth culture (“hannah,” “pokemon,” “tigger”) and geeky (“klingon,” “starwars,” “matrix,” “legolas,” “ironman”). … Some notable pop-culture references are chosen not because they are popular, but because they sound like passwords, such as “ou812” (’80s Van Halen album), “blink182” (’90s pop), “rush2112” (’80s album), and “8675309” (’80s pop song).

4% of passwords appear to reference things nearby. The name “samsung” is a popular password, I think because it’s the brand name on the monitor that people are looking at … Similarly, there are a lot of names of home computers like “dell,” “packard,” “apple,” “pavilion,” “presario,” “compaq,” and so on. …

3% of passwords are “emo” words. Swear words, especially the F-word, are common, but so are various forms of love and hate (like “iloveyou” or “ihateyou”).

3% are “don’t care” words. … A lot of password choices reflect this attitude, either implicitly with “abc123” or “blahblah,” or explicitly with “whatever,” “whocares,” or “nothing.”

1.3% are passwords people saw in movies/TV. This is a small category, consisting only of “letmein,” “trustno1,” “joshua,” and “monkey,” but it accounts for a large percentage of passwords.

1% are sports related. …

Here is the top 20 passwords from the phpbb dataset. You’ll find nothing surprising here; all of them are on this Top 500 list.

3.03% “123456”
2.13% “password”
1.45% “phpbb”
0.91% “qwerty”
0.82% “12345”
0.59% “12345678”
0.58% “letmein”
0.53% “1234”
0.50% “test”
0.43% “123”
0.36% “trustno1”
0.33% “dragon”
0.31% “abc123”
0.31% “123456789”
0.31% “111111”
0.30% “hello”
0.30% “monkey”
0.28% “master”
0.22% “killer”
0.22% “123123”

Notice that whereas “myspace1” was one of the most popular passwords in the MySpace dataset, “phpbb” is one of the most popular passwords in the phpbb dataset.

The password length distribution is as follows:

1 character 0.34%
2 characters 0.54%
3 characters 2.92%
4 characters 12.29%
5 characters 13.29%
6 characters 35.16%
7 characters 14.60%
8 characters 15.50%
9 characters 3.81%
10 characters 1.14%
11 characters 0.22%

Note that phpbb has no requirements for password lengths …

Problems with airport security

From Jeffrey Goldberg’s “The Things He Carried” (The Atlantic: November 2008):

Because the TSA’s security regimen seems to be mainly thing-based—most of its 44,500 airport officers are assigned to truffle through carry-on bags for things like guns, bombs, three-ounce tubes of anthrax, Crest toothpaste, nail clippers, Snapple, and so on—I focused my efforts on bringing bad things through security in many different airports, primarily my home airport, Washington’s Reagan National, the one situated approximately 17 feet from the Pentagon, but also in Los Angeles, New York, Miami, Chicago, and at the Wilkes-Barre/Scranton International Airport (which is where I came closest to arousing at least a modest level of suspicion, receiving a symbolic pat-down—all frisks that avoid the sensitive regions are by definition symbolic—and one question about the presence of a Leatherman Multi-Tool in my pocket; said Leatherman was confiscated and is now, I hope, living with the loving family of a TSA employee). And because I have a fair amount of experience reporting on terrorists, and because terrorist groups produce large quantities of branded knickknacks, I’ve amassed an inspiring collection of al-Qaeda T-shirts, Islamic Jihad flags, Hezbollah videotapes, and inflatable Yasir Arafat dolls (really). All these things I’ve carried with me through airports across the country. I’ve also carried, at various times: pocketknives, matches from hotels in Beirut and Peshawar, dust masks, lengths of rope, cigarette lighters, nail clippers, eight-ounce tubes of toothpaste (in my front pocket), bottles of Fiji Water (which is foreign), and, of course, box cutters. I was selected for secondary screening four times—out of dozens of passages through security checkpoints—during this extended experiment. At one screening, I was relieved of a pair of nail clippers; during another, a can of shaving cream.

During one secondary inspection, at O’Hare International Airport in Chicago, I was wearing under my shirt a spectacular, only-in-America device called a “Beerbelly,” a neoprene sling that holds a polyurethane bladder and drinking tube. The Beerbelly, designed originally to sneak alcohol—up to 80 ounces—into football games, can quite obviously be used to sneak up to 80 ounces of liquid through airport security. (The company that manufactures the Beerbelly also makes something called a “Winerack,” a bra that holds up to 25 ounces of booze and is recommended, according to the company’s Web site, for PTA meetings.) My Beerbelly, which fit comfortably over my beer belly, contained two cans’ worth of Bud Light at the time of the inspection. It went undetected. The eight-ounce bottle of water in my carry-on bag, however, was seized by the federal government.

Schnei­er and I walked to the security checkpoint. “Counter­terrorism in the airport is a show designed to make people feel better,” he said. “Only two things have made flying safer: the reinforcement of cockpit doors, and the fact that passengers know now to resist hijackers.” This assumes, of course, that al-Qaeda will target airplanes for hijacking, or target aviation at all. “We defend against what the terrorists did last week,” Schnei­er said. He believes that the country would be just as safe as it is today if airport security were rolled back to pre-9/11 levels. “Spend the rest of your money on intelligence, investigations, and emergency response.”

We took our shoes off and placed our laptops in bins. Schnei­er took from his bag a 12-ounce container labeled “saline solution.”

“It’s allowed,” he said. Medical supplies, such as saline solution for contact-lens cleaning, don’t fall under the TSA’s three-ounce rule.

“What’s allowed?” I asked. “Saline solution, or bottles labeled saline solution?”

“Bottles labeled saline solution. They won’t check what’s in it, trust me.”

They did not check. As we gathered our belongings, Schnei­er held up the bottle and said to the nearest security officer, “This is okay, right?” “Yep,” the officer said. “Just have to put it in the tray.”

“Maybe if you lit it on fire, he’d pay attention,” I said, risking arrest for making a joke at airport security. (Later, Schnei­er would carry two bottles labeled saline solution—24 ounces in total—through security. An officer asked him why he needed two bottles. “Two eyes,” he said. He was allowed to keep the bottles.)

We were in the clear. But what did we prove?

“We proved that the ID triangle is hopeless,” Schneier said.

The ID triangle: before a passenger boards a commercial flight, he interacts with his airline or the government three times—when he purchases his ticket; when he passes through airport security; and finally at the gate, when he presents his boarding pass to an airline agent. It is at the first point of contact, when the ticket is purchased, that a passenger’s name is checked against the government’s no-fly list. It is not checked again, and for this reason, Schnei­er argued, the process is merely another form of security theater.

“The goal is to make sure that this ID triangle represents one person,” he explained. “Here’s how you get around it. Let’s assume you’re a terrorist and you believe your name is on the watch list.” It’s easy for a terrorist to check whether the government has cottoned on to his existence, Schnei­er said; he simply has to submit his name online to the new, privately run CLEAR program, which is meant to fast-pass approved travelers through security. If the terrorist is rejected, then he knows he’s on the watch list.

To slip through the only check against the no-fly list, the terrorist uses a stolen credit card to buy a ticket under a fake name. “Then you print a fake boarding pass with your real name on it and go to the airport. You give your real ID, and the fake boarding pass with your real name on it, to security. They’re checking the documents against each other. They’re not checking your name against the no-fly list—that was done on the airline’s computers. Once you’re through security, you rip up the fake boarding pass, and use the real boarding pass that has the name from the stolen credit card. Then you board the plane, because they’re not checking your name against your ID at boarding.”

What if you don’t know how to steal a credit card?

“Then you’re a stupid terrorist and the government will catch you,” he said.

What if you don’t know how to download a PDF of an actual boarding pass and alter it on a home computer?

“Then you’re a stupid terrorist and the government will catch you.”

I couldn’t believe that what Schneier was saying was true—in the national debate over the no-fly list, it is seldom, if ever, mentioned that the no-fly list doesn’t work. “It’s true,” he said. “The gap blows the whole system out of the water.”

Usernames that botnets try

From Chapter 2: Botnets Overview of Craig A. Schiller’s Botnets: The Killer Web App (Syngress: 2007):

Default UserIDs Tried by RBot

Here is a list of default userids that RBot uses.

  • Administrator
  • Administrador
  • Administrateur
  • administrat
  • admins
  • admin
  • staff
  • root
  • computer
  • owner
  • student
  • teacher
  • wwwadmin
  • guest
  • default
  • database
  • dba
  • oracle
  • db2

How Google motivates employees

From Larry Page’s “How to Motivate Your Staff” (Business 2.0: December 2003: 90):

We wrote a program that asks every engineer what they did every week. It sends them e-mail on Monday, and concatenates the e-mails together in a document that everyone can read. And it then sends that out to everyone and shames those who did not answer by putting them on the top of the list. It has run reliably every week since we started, so for every week of our company’s history we have a record of what everyone did. It’s good for performance reviews, and if you’re joining a project team, in five minutes you can read what your team members did the last few weeks or months.

All stories have the same basic plots

From Ask Yahoo (5 March 2007):

There are only so many ways to construct a story.

Writers who believe there’s only one plot argue all stories “stem from conflict.” True enough, but we’re more inclined to back the theory you mention about seven plot lines.

According to the Internet Public Library, they are:

1. [wo]man vs. nature
2. [wo]man vs. man
3. [wo]man vs. the environment
4. [wo]man vs. machines/technology
5. [wo]man vs. the supernatural
6. [wo]man vs. self
7. [wo]man vs. god/religion

Ronald Tobias, author of “Twenty Basic Plots” believes the following make for good stories: quest, adventure, pursuit, rescue, escape, revenge, riddle, rivalry, underdog, temptation, metamorphosis, transformation, maturation, love, forbidden love, sacrifice, discovery, wretched excess, ascension, and decision.

Bad passwords for SSH

From Christian Seifert’s “Analyzing malicious SSH login attempts” (SecurityFocus: 11 September 2006):

First, we analyzed the login names that were used on the login attempts. During the sample period, there were 2741 unique account names ranging from common first names, system account names, and common accounts to short alphabetical strings captured by the system logger. Of those, the 15 account names used most often are shown in Table 1. This table shows accounts that usually exist on a system (root, mysql), accounts that are likely to exist on a system (guest, test), as well as common first names (paul). Then Figure 1 shows the distribution of valid and invalid account names that were used.

Account Name Number of login attempts
root 1049
admin 97
test 87
guest 40
mysql 31
info 30
oracle 27
postgres 27
testing 27
webmaster 27
paul 25
web 24
user 23
tester 22
pgsql 21

Table 1. Top 15 account names among 2741 attempts.

Next, we looked at the passwords used in the login attempts. The attackers tried a range of passwords with most of the account names. In total during our analysis, they attempted to access 2741 different accounts and used 3649 different passwords. Not all passwords were used with all accounts. The passwords ranged from account names, account names with number sequences, number sequences, and keyboard sequences (like ‘qwerty’). There were a few more complex passwords used with seemingly random letter and number sequences or common substitution passwords (like r00t or c@t@lin).

Table 2 shows the top 15 passwords used in malicious login attempts.

Password Number of login attempts
123456 331
Password 106
Admin 47
Test 46
111111 36
12345 34
administrator 28
Linux 23
Root 22
test123 22
1234 21
123 20
Mysql 19
Apache 18
Master 18

Table 2. Top 15 passwords attempted.

What should one study in college as an undergraduate?

From Paul Graham’s “Undergraduation” (March 2005):

The social sciences are also fairly bogus, because they’re so much influenced by intellectual fashions. If a physicist met a colleague from 100 years ago, he could teach him some new things; if a psychologist met a colleague from 100 years ago, they’d just get into an ideological argument. Yes, of course, you’ll learn something by taking a psychology class. The point is, you’ll learn more by taking a class in another department.

The worthwhile departments, in my opinion, are math, the hard sciences, engineering, history (especially economic and social history, and the history of science), architecture, and the classics. A survey course in art history may be worthwhile. Modern literature is important, but the way to learn about it is just to read. I don’t know enough about music to say.

You can skip the social sciences, philosophy, and the various departments created recently in response to political pressures. Many of these fields talk about important problems, certainly. But the way they talk about them is useless. For example, philosophy talks, among other things, about our obligations to one another; but you can learn more about this from a wise grandmother or E. B. White than from an academic philosopher. …

Language courses are an anomaly. I think they’re better considered as extracurricular activities, like pottery classes. They’d be far more useful when combined with some time living in a country where the language is spoken. On a whim I studied Arabic as a freshman. It was a lot of work, and the only lasting benefits were a weird ability to identify semitic roots and some insights into how people recognize words.

Studio art and creative writing courses are wildcards. Usually you don’t get taught much: you just work (or don’t work) on whatever you want, and then sit around offering “crits” of one another’s creations under the vague supervision of the teacher. But writing and art are both very hard problems that (some) people work honestly at, so they’re worth doing, especially if you can find a good teacher.

Fouche’s daily list for Napoleon

From Central Missouri State University’s “Joseph Fouche“:

Fouché established an organization of policing and intelligence gathering that was decades ahead of its time. Napoleon, frequently on military campaigns, depended on Fouché’s information to maintain control over France and his military effectiveness. Six days a week, every week, Fouché sent secret reports to Napoleon. The information represented an incredible array of topics:

1. Palace gossip.

2. Audience reaction to a new play.

3. Stock market prices.

4. Desertions from the army.

5. Arrests of foreign agents.

6. Results of interrogations.

7. News of crime.

8. Offenses by soldiers.

9. Fires.

10. Rebellion against the Gendarmarie.

11. Intercepted correspondence.

12. Visiting personages.

13. Public reception of news of victories.

14. Shipping news.

15. Indiscretions of Fouché’s enemies.

16. Contractor’s tenders.

17. Agitation against the draft.

18. Suicides.

19. Prison epidemics.

20. Progress of construction.

21. Unemployment figures.

22. Extracts from inter-ministerial correspondence.

23. Persons detained or under special surveillance (Stead, 1983, pp. 41-48).

When to use XML

From W3C’s “Architecture of the World Wide Web, Volume One“:

XML defines textual data formats that are naturally suited to describing data objects which are hierarchical and processed in a chosen sequence. It is widely, but not universally, applicable for data formats; an audio or video format, for example, is unlikely to be well suited to expression in XML. Design constraints that would suggest the use of XML include:

1. Requirement for a hierarchical structure.
2. Need for a wide range of tools on a variety of platforms.
3. Need for data that can outlive the applications that currently process it.
4. Ability to support internationalization in a self-describing way that makes confusion over coding options unlikely.
5. Early detection of encoding errors with no requirement to “work around” such errors.
6. A high proportion of human-readable textual content.
7. Potential composition of the data format with other XML-encoded formats.
8. Desire for data easily parsed by both humans and machines.
9. Desire for vocabularies that can be invented in a distributed manner and combined flexibly.

Borges’ animals

From Tom Van Vleck:

In “The Analytical Language of John Wilkins,” Borges describes “a certain Chinese Encyclopedia,” the Celestial Emporium of Benevolent Knowledge, in which it is written that animals are divided into:

1. those that belong to the Emperor,
2. embalmed ones,
3. those that are trained,
4. suckling pigs,
5. mermaids,
6. fabulous ones,
7. stray dogs,
8. those included in the present classification,
9. those that tremble as if they were mad,
10. innumerable ones,
11. those drawn with a very fine camelhair brush,
12. others,
13. those that have just broken a flower vase,
14. those that from a long way off look like flies.