Problems with ID cards

From Bruce Schneier’s Crypto-Gram of 15 April 2004:

My argument may not be obvious, but it’s not hard to follow, either. It centers around the notion that security must be evaluated not based on how it works, but on how it fails.

It doesn’t really matter how well an ID card works when used by the hundreds of millions of honest people that would carry it. What matters is how the system might fail when used by someone intent on subverting that system: how it fails naturally, how it can be made to fail, and how failures might be exploited.

The first problem is the card itself. No matter how unforgeable we make it, it will be forged. And even worse, people will get legitimate cards in fraudulent names. …

Not that there would ever be such a thing as a single ID card. Currently about 20 percent of all identity documents are lost per year. An entirely separate security system would have to be developed for people who lost their card, a system that itself is capable of abuse. …

But the main problem with any ID system is that it requires the existence of a database. In this case it would have to be an immense database of private and sensitive information on every American—one widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.

The security risks are enormous. Such a database would be a kludge of existing databases; databases that are incompatible, full of erroneous data, and unreliable. …

What good would it have been to know the names of Timothy McVeigh, the Unabomber, or the DC snipers before they were arrested? Palestinian suicide bombers generally have no history of terrorism. The goal here is to know someone’s intentions, and their identity has very little to do with that.

What passwords do people use? phpBB examples

From Robert Graham’s “PHPBB Password Analysis” (Dark Reading: 6 February 2009):

A popular Website, phpbb.com, was recently hacked. The hacker published approximately 20,000 user passwords from the site. …

This incident is similar to one two years ago when MySpace was hacked, revealing about 30,000 passwords. …

The striking difference between the two incidents is that the phpbb passwords are simpler. MySpace requires that passwords “must be between 6 and 10 characters, and contain at least 1 number or punctuation character.” Most people satisfied this requirement by simply appending “1” to the ends of their passwords. The phpbb site has no such restrictions — the passwords are shorter and rarely contain anything more than a dictionary word.

It’s hard to judge exactly how many passwords are dictionary words. … I ran the phpbb passwords through various dictionary files and came up with a 65% match (for a simple English dictionary) and 94% (for “hacker” dictionaries). …

16% of passwords matched a person’s first name. This includes people choosing their own first names or those of their spouses or children. The most popular first names were Joshua, Thomas, Michael, and Charlie. But I wonder if there is something else going on. Joshua, for example, was also the password to the computer in “Wargames” …

14% of passwords were patterns on the keyboard, like “1234,” “qwerty,” or “asdf.” There are a lot of different patterns people choose, like “1qaz2wsx” or “1q2w3e.” I spent a while googling “159357,” trying to figure out how to categorize it, then realized it was a pattern on the numeric keypad. …

4% are variations of the word “password,” such as “passw0rd,” “password1,” or “passwd.” I googled “drowssap,” trying to figure out how to categorize it, until I realized it was “password” spelled backward.

5% of passwords are pop-culture references from TV, movies, and music. These tend to be youth culture (“hannah,” “pokemon,” “tigger”) and geeky (“klingon,” “starwars,” “matrix,” “legolas,” “ironman”). … Some notable pop-culture references are chosen not because they are popular, but because they sound like passwords, such as “ou812” (’80s Van Halen album), “blink182” (’90s pop), “rush2112” (’80s album), and “8675309” (’80s pop song).

4% of passwords appear to reference things nearby. The name “samsung” is a popular password, I think because it’s the brand name on the monitor that people are looking at … Similarly, there are a lot of names of home computers like “dell,” “packard,” “apple,” “pavilion,” “presario,” “compaq,” and so on. …

3% of passwords are “emo” words. Swear words, especially the F-word, are common, but so are various forms of love and hate (like “iloveyou” or “ihateyou”).

3% are “don’t care” words. … A lot of password choices reflect this attitude, either implicitly with “abc123” or “blahblah,” or explicitly with “whatever,” “whocares,” or “nothing.”

1.3% are passwords people saw in movies/TV. This is a small category, consisting only of “letmein,” “trustno1,” “joshua,” and “monkey,” but it accounts for a large percentage of passwords.

1% are sports related. …

Here are the top 20 passwords from the phpbb dataset. You’ll find nothing surprising here; all of them are on this Top 500 list.

3.03% “123456”
2.13% “password”
1.45% “phpbb”
0.91% “qwerty”
0.82% “12345”
0.59% “12345678”
0.58% “letmein”
0.53% “1234”
0.50% “test”
0.43% “123”
0.36% “trustno1”
0.33% “dragon”
0.31% “abc123”
0.31% “123456789”
0.31% “111111”
0.30% “hello”
0.30% “monkey”
0.28% “master”
0.22% “killer”
0.22% “123123”

Notice that whereas “myspace1” was one of the most popular passwords in the MySpace dataset, “phpbb” is one of the most popular passwords in the phpbb dataset.

The password length distribution is as follows:

1 character 0.34%
2 characters 0.54%
3 characters 2.92%
4 characters 12.29%
5 characters 13.29%
6 characters 35.16%
7 characters 14.60%
8 characters 15.50%
9 characters 3.81%
10 characters 1.14%
11 characters 0.22%

Note that phpbb has no requirements for password lengths …

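The excerpt above sorts leaked passwords into categories (keyboard patterns, variants of “password”, pop-culture references, and so on) and then reports category percentages, a top-N list and a length distribution. The following Python is an added example, not Graham’s code or tooling, that reproduces that kind of analysis as a defender would use it to screen a password set against a weak-password policy. The sample password list, the tiny word lists and the category rules are constructed for illustration; the real analysis used full dictionaries and the categories are Graham’s, simplified here.

```python
import re
from collections import Counter

# Constructed sample of passwords (not the phpbb data), with deliberate repeats.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "password", "password", "phpbb", "qwerty",
    "12345", "letmein", "passw0rd", "drowssap", "1qaz2wsx", "159357", "joshua",
    "monkey", "iloveyou", "whatever", "samsung", "dragon", "abc123", "trustno1",
    "Tr0ub4dor&3", "correcthorse", "8675309", "1q2w3e",
]

# Tiny constructed word lists standing in for the dictionaries the article used.
ENGLISH_WORDS = {"dragon", "master", "killer", "hello", "test", "whatever"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYPAD_PATTERNS = {"159357", "753951", "147258", "258369"}  # numeric keypad walks
SITE_NAMES = ("phpbb", "myspace")
MOVIE_TV_WORDS = {"letmein", "trustno1", "joshua", "monkey"}
DONT_CARE_WORDS = {"abc123", "blahblah", "whatever", "whocares", "nothing"}
EMO_WORDS = {"iloveyou", "ihateyou"}
NEARBY_BRANDS = {"samsung", "dell", "packard", "apple", "pavilion", "presario", "compaq"}
POP_CULTURE = {"ou812", "blink182", "rush2112", "8675309", "pokemon", "starwars"}
FIRST_NAMES = {"joshua", "thomas", "michael", "charlie"}
PASSWORD_VARIANT_RE = re.compile(r"p[a@4]ss?(w[o0]rd|wd)?[0-9!]*")


def is_keyboard_pattern(pw):
    """Runs along a keyboard row ("1234", "qwerty") or down its columns ("1qaz2wsx", "1q2w3e")."""
    pw = pw.lower()
    if len(pw) < 3:
        return False
    for row in KEYBOARD_ROWS:
        if pw in row or pw in row[::-1]:
            return True
    # Column strings: "1qaz", "2wsx", "3edc", ...; consume the password as 2+ char column prefixes.
    cols = ["".join(r[i] for r in KEYBOARD_ROWS if i < len(r)) for i in range(10)]
    i = 0
    while i < len(pw):
        step = 0
        for col in cols:
            for n in range(len(col), 1, -1):
                if pw.startswith(col[:n], i):
                    step = max(step, n)
        if step == 0:
            return False
        i += step
    return True


def classify(pw):
    """Assign one of the article's categories (simplified); order matters for overlaps."""
    low = pw.lower()
    if low in KEYPAD_PATTERNS or is_keyboard_pattern(low):
        return "keyboard pattern"
    if PASSWORD_VARIANT_RE.fullmatch(low) or low == "password"[::-1]:
        return "password variant"
    if low.startswith(SITE_NAMES):
        return "site name"
    if low in MOVIE_TV_WORDS:
        return "movie/TV"
    if low in DONT_CARE_WORDS:
        return "don't care"
    if low in EMO_WORDS:
        return "emo"
    if low in NEARBY_BRANDS:
        return "nearby object"
    if low in POP_CULTURE:
        return "pop culture"
    if low in FIRST_NAMES:
        return "first name"
    if low in ENGLISH_WORDS:
        return "dictionary word"
    return "other"


def category_breakdown(passwords):
    """Percentage of the set falling in each category."""
    counts = Counter(classify(p) for p in passwords)
    return {cat: round(100 * n / len(passwords), 2) for cat, n in counts.items()}


def length_distribution(passwords):
    """Percentage of the set at each password length, like the article's table."""
    counts = Counter(len(p) for p in passwords)
    return {n: round(100 * c / len(passwords), 2) for n, c in sorted(counts.items())}


def top_n(passwords, n=20):
    """Most common passwords with raw counts."""
    return Counter(passwords).most_common(n)


def is_weak(pw, min_len=8):
    """Policy check: anything that lands in a known category, or is short, is rejected."""
    return len(pw) < min_len or classify(pw) != "other"


def weak_fraction(passwords, min_len=8):
    return round(100 * sum(is_weak(p, min_len) for p in passwords) / len(passwords), 2)


if __name__ == "__main__":
    print(category_breakdown(SAMPLE_PASSWORDS))
    print(length_distribution(SAMPLE_PASSWORDS))
    print(top_n(SAMPLE_PASSWORDS, 5))
    print("weak:", weak_fraction(SAMPLE_PASSWORDS), "%")
```

The keyboard-walk check is the part worth keeping: most of the quoted top 20 (“123456”, “qwerty”, “12345”, “1234”, “123123”) fail it, and column walks such as “1qaz2wsx” would slip past a plain dictionary lookup. Run against a real set, the percentages depend entirely on the word lists you feed in, which is why the article reports different match rates for an English dictionary and for “hacker” dictionaries.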
Real-life superheroes

From John Harlow’s “Amateur crimefighters are surging in the US” (The Times: 28 December 2008):

There are, according to the recently launched World Superhero Registry, more than 200 men and a few women who are willing to dress up as comic book heroes and patrol the urban streets in search of, if not super-villains, then pickpockets and bullies.

They may look wacky, but the superhero community was born in the embers of the 9/11 terrorist attacks when ordinary people wanted to do something short of enlisting. They were boosted by a glut of Hollywood superhero movies.

In recent weeks, prompted by heady buzz words such as “active citizenry” during the Barack Obama campaign, the pace of enrolment has speeded up. Up to 20 new “Reals”, as they call themselves, have materialised in the past month.

The Real rules are simple. They must stand for unambiguous and unsponsored good. They must create their own Spandex and rubber costumes without infringing Marvel or DC Comics copyrights, but match them with exotic names – Green Scorpion in Arizona, Terrifica in New York, Mr Xtreme in San Diego and Mr Silent in Indianapolis.

They must shun guns or knives to avoid being arrested as vigilantes, even if their nemeses may be armed. Their best weapon is not muscle but the internet – an essential tool in their war on crime is a homepage stating the message of doom for super-villains.

[Citizen] Prime patrols some of the most dangerous streets in Phoenix but, like most Reals, is reluctant to speak about the villains he has dispatched with a blow from his martial arts-honed forearm. He does admit helping a motorist change a flat tyre.

Richard Stallman on why “intellectual property” is a misnomer

From Richard Stallman’s “Transcript of Richard Stallman at the 4th international GPLv3 conference; 23rd August 2006” (FSF Europe: 23 August 2006):

Anyway, the term “intellectual property” is a propaganda term which should never be used, because merely using it, no matter what you say about it, presumes it makes sense. It doesn’t really make sense, because it lumps together several different laws that are more different than similar.

For instance, copyright law and patent law have a little bit in common, but all the details are different and their social effects are different. To try to treat them as if they were one thing is already an error.

To even talk about anything that includes copyright and patent law, means you’re already mistaken. That term systematically leads people into mistakes. But, copyright law and patent law are not the only ones it includes. It also includes trademark law, for instance, which has nothing in common with copyright or patent law. So anyone talking about “quote intellectual property unquote”, is always talking about all of those and many others as well and making nonsensical statements.

So, when you say that you especially object to it when it’s used for Free Software, you’re suggesting it might be a little more legitimate when talking about proprietary software. Yes, software can be copyrighted. And yes, in some countries techniques can be patented. And certainly there can be trademark names for programs, which I think is fine. There’s no problem there. But these are three completely different things, and any attempt to mix them up – any practice which encourages people to lump them together is a terribly harmful practice. We have to totally reject the term “quote intellectual property unquote”. I will not let any excuse convince me to accept the meaningfulness of that term.

When people say “well, what would you call it?”, the answer is that I deny there is an “it” there. There are three, and many more, laws there, and I talk about these laws by their names, and I don’t mix them up.

Usernames that botnets try

From Chapter 2: Botnets Overview of Craig A. Schiller’s Botnets: The Killer Web App (Syngress: 2007):

Default UserIDs Tried by RBot

Here is a list of default userids that RBot uses.

  • Administrator
  • Administrador
  • Administrateur
  • administrat
  • admins
  • admin
  • staff
  • root
  • computer
  • owner
  • student
  • teacher
  • wwwadmin
  • guest
  • default
  • database
  • dba
  • oracle
  • db2

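A list like the one above is most useful on the defending side: a source that works through several of these default userids in quick succession against a host is behaving like RBot’s credential-guessing routine, whatever the protocol. The following Python is an added example, not code from the book, that scans authentication-log lines for failed logins against that userid list and flags sources trying more than a threshold of distinct default names. It assumes sshd-style log lines (the constructed sample below is not from any real host); any log with a username and source address field could be parsed the same way.

```python
import re
from collections import defaultdict

# Default userids RBot tries, as listed in Schiller's Botnets (lower-cased for matching).
RBOT_DEFAULT_USERIDS = {
    "administrator", "administrador", "administrateur", "administrat", "admins",
    "admin", "staff", "root", "computer", "owner", "student", "teacher",
    "wwwadmin", "guest", "default", "database", "dba", "oracle", "db2",
}

# Constructed sample auth-log lines in sshd's format (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
Jan 12 03:14:01 host sshd[2011]: Failed password for invalid user administrator from 203.0.113.5 port 40122 ssh2
Jan 12 03:14:02 host sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Jan 12 03:14:03 host sshd[2011]: Failed password for root from 203.0.113.5 port 40124 ssh2
Jan 12 03:14:04 host sshd[2011]: Failed password for invalid user oracle from 203.0.113.5 port 40125 ssh2
Jan 12 03:14:05 host sshd[2011]: Failed password for invalid user db2 from 203.0.113.5 port 40126 ssh2
Jan 12 03:15:10 host sshd[2013]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Jan 12 03:15:40 host sshd[2014]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
Jan 12 03:16:00 host sshd[2015]: Failed password for invalid user guest from 192.0.2.9 port 31000 ssh2
"""

# "invalid user " appears when the account does not exist; "root" and "alice" exist, so it is absent.
LINE_RE = re.compile(
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port"
)


def parse_line(line):
    """Extract outcome, auth method, username and source IP; None for lines that are not auth events."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def default_userid_attempts(log_text):
    """Map source IP -> set of RBot default userids it failed to log in as."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["outcome"] == "Failed" and ev["user"].lower() in RBOT_DEFAULT_USERIDS:
            hits[ev["src"]].add(ev["user"].lower())
    return dict(hits)


def flag_scanners(log_text, threshold=3):
    """Sources that tried at least `threshold` distinct default userids (sorted for stable output)."""
    return {
        src: sorted(ids)
        for src, ids in default_userid_attempts(log_text).items()
        if len(ids) >= threshold
    }


if __name__ == "__main__":
    for src, ids in flag_scanners(SAMPLE_LOG).items():
        print(f"{src} tried {len(ids)} default userids: {', '.join(ids)}")
```

The distinct-userid threshold is what separates a bot walking its built-in list from a single user mistyping “admin”; one stray attempt at “guest” from 192.0.2.9 is not flagged at the default threshold, while 203.0.113.5 is. In practice the threshold would be applied over a time window rather than over the whole file.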
1 Henry VI: Astraea

From William Shakespeare’s Henry VI, part 1 (I: 6):

CHARLES:

Divinest creature, Astraea’s daughter,
How shall I honour thee for this success?

Astraea: in Greek religion and mythology, goddess of justice; daughter of Zeus and Themis. Because of the wickedness of man, she withdrew from the earth at the end of the Golden Age and was placed among the stars as the constellation Virgo.

A living story, tattooed on flesh

From The New York Times Magazine’s “Skin Literature”:

Most artists spend their careers trying to create something that will live forever. But the writer Shelley Jackson is creating a work of literature that is intentionally and indisputably mortal. Jackson is publishing her latest short story by recruiting 2,095 people, each of whom will have one word of the story tattooed on his or her body. The story, titled ‘Skin,’ will appear only on the collective limbs, torsos and backsides of its participants. And decades from now, when the last of Jackson’s ‘words’ dies, so, too, will her tale.

As of November, Jackson, the Brooklyn-based author of a short-story collection called ‘The Melancholy of Anatomy,’ had enrolled about 1,800 volunteers, some from such distant countries as Argentina, Jordan, Thailand and Finland. Participants, who contact Jackson through her Web site, cannot choose which word they receive. And their tattoos must be inked in the font that Jackson has specified. But they do have some freedom to bend and stretch the narrative. They can select the place on their bodies they want to become part of the Jackson opus. In return, Jackson asks her ‘words’ to sign a 12-page release absolving her of liability and promising not to share the story with others. (Participants are the only people who will get to see the full text of the story.) They must also send her two photographs — one of the word on their skin, the other a portrait of themselves without the word visible — which she may later publish or exhibit.

… Mothers and daughters are requesting consecutive words. So are couples, perhaps hoping to form the syntactic equivalent of a civil union. For others, the motives are social: Jackson is encouraging her far-flung words to get to know each other via e-mail, telephone, even in person. (Imagine the possibilities. A sentence getting together for dinner. A paragraph having a party.) …

… when a participant meets his or her demise, Jackson vows, she will try to attend that person’s funeral. But the 41-year-old author understands that some of her 2,095 collaborators, many of whom are in their 20’s, might outlive her. If she dies first, she says, she hopes several of them will come to her funeral and make her the first writer ever to be mourned by her words.
