numbers

Magruder fools the Federals

From Shelby Foote’s The Civil War: Fort Sumter to Perryville (399):

No wheeze was too old for [John Bankhead] Magruder to employ it. One morning he sent a column along a road that was heavily wooded except for a single gap in plain view of the enemy outposts. All day the gray files swept past in seemingly endless array, an army gathering in thousands among the pines for an offensive. They were no such thing, of course. Like a low-budgeted theatrical director producing the effect with an army of supernumeraries, Magruder was marching a single battalion round and around, past the gap, then around under cover, and past the gap again.

Users know how to create good passwords, but they don’t

From Usability News’ “Password Security: What Users Know and What They Actually Do”:

A total of 328 undergraduate and graduate level college students from Wichita State University volunteered to participate in the survey, and were regular users of the Internet with one or more password protected accounts. Ages of the participants ranged from 18 to 58 years (M = 25.34). Thirteen cases were deleted due to missing data, resulting in 315 participants in the final data analysis. …

When asked what practices should be used in the creation and usage of passwords, the majority of respondents, 50.8% (160), were able to identify most of the password practices that are recommended for creating secure passwords (Tufts University, 2005), although 62.9% (198) failed to identify a practice that would result in the most secure password; using numbers and special characters in place of letters.

Differences between password practices users reported and the passwords practices they believe they should use included:

  • 73% (230) of respondents reported that they should change their passwords for accounts every three to six months, but 52.7% (166) responded that they “Never” change their password when not required.
  • 50.8% (160) of respondents reported that they should use special characters in their passwords, but only 4.8% (12) reported doing so.
  • 63.5% (200) of respondents reported that they should use seven or more characters in their passwords, but only 35.5% (112) indicated that they use this number of characters with any regularity.
  • 70.5% (222) of respondents indicated that personally meaningful words should not be used, but 49.8% (156) reported that they use this practice.
  • 68.3% (215) of respondents report that personally meaningful numbers should not be used in passwords, but 54.9% (173) reported using this practice. …

The majority of participants in the current study most commonly reported password generation practices that are simplistic and hence very insecure. Particular practices reported include using lowercase letters, numbers or digits, personally meaningful words and numbers (e.g., dates). It is widely known that users typically use birthdates, anniversary dates, telephone numbers, license plate numbers, social security numbers, street addresses, apartment numbers, etc. Likewise, personally meaningful words are typically derived from predictable areas and interests in the person’s life and could be guessed through basic knowledge of his or her interests. …

It would seem to be a logical assumption that the practices and behaviors users engage in would be related to what they think they should do in order to create secure passwords. This does not seem to be the case as participants in the current study were able to identify many of the recommended practices, despite the fact that they did not use the practices themselves.
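The practices the survey lists can be turned into a mechanical check. The following is an added example, not part of the Usability News study or of this page: the thresholds (seven or more characters, special characters, no personally meaningful words or numbers) follow the survey's own list, while the letter-for-symbol substitution table, the year-detection rule and the sample personal words are assumptions made here. Cracking rule sets routinely undo substitutions such as "$" for "s", so the checker undoes them too before looking for personal words.

```python
import re
from datetime import date

# Thresholds follow the practices the survey lists as recommended.
MIN_LENGTH = 7
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

# Letter-for-symbol substitutions (assumed table). Cracking rule sets undo
# these, so the checker undoes them before looking for personal words.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})
YEAR_RE = re.compile(r"(?<!\d)(19\d\d|20\d\d)(?!\d)")


def normalize(password):
    """Lowercase and undo common substitutions so 'B3$$ie' compares as 'bessie'."""
    return password.lower().translate(LEET)


def contains_personal_word(password, personal_words):
    norm = normalize(password)
    return any(len(w) >= 3 and w.lower() in norm for w in personal_words)


def contains_personal_number(password, personal_numbers):
    if any(n and n in password for n in personal_numbers):
        return True
    # Any plausible four-digit year is treated as date-like even when not listed.
    return any(1900 <= int(y) <= date.today().year
               for y in YEAR_RE.findall(password))


def check_password(password, personal_words=(), personal_numbers=()):
    """Return the recommended practices the password fails (empty list = passes).

    personal_words / personal_numbers: names, pets, birth years, phone numbers
    and similar that an attacker could learn about the user.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c in SPECIALS for c in password):
        failures.append("no special characters")
    if not any(c.isdigit() for c in password):
        failures.append("no digits")
    if password.isalpha() and password.islower():
        failures.append("only lowercase letters")
    if contains_personal_word(password, personal_words):
        failures.append("contains a personally meaningful word")
    if contains_personal_number(password, personal_numbers):
        failures.append("contains a personally meaningful number")
    return failures


if __name__ == "__main__":
    # Constructed inputs: a pet's name and a birth year the attacker could learn.
    print(check_password("fluffy1985", ["Fluffy"], ["1985"]))
    print(check_password("B3$$ie#42", ["Bessie"]))
    print(check_password("qT7#kd9Lm"))
```

The second call is the reason for the normalization step: "B3$$ie#42" has the length, digits and special characters the survey's respondents say they should use, yet it is still the pet's name once the substitutions are undone.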

Turnpikes, roads, & tolls

From Andrew Odlyzko’s “Pricing and Architecture of the Internet: Historical Perspectives from Telecommunications and Transportation”:

British turnpikes were a controversial response to a serious problem. Traditionally, the King’s Highway was open to all. The problem was how to keep it in good condition. As commerce grew, the need to maintain roads became acute. At first, in Elizabethan times, laws were enacted compelling all able-bodied commoner males to devote several days a year to labor on the highways. (See [1,66,80] for references for the background information as well as other items below that are not attributed otherwise.) The inequitable distribution of the burden this imposed and the lack of effective control mechanisms by the central government led to many complaints. As a result, in 1663, the first turnpike was authorized. A local group was authorized to create a turnpike trust that would borrow money to improve a section of a road, and then collect tolls from travelers for passage over that section of the road. This venture was set up (as were all subsequent turnpikes) as an ostensibly non-profit trust. (There were opportunities for profits there, for example in payment of above-market fees and other abuses, but those were illicit, and in any case were not the high profits that other, more private, enterprises, such as lighthouses and canals, offered.) The reason for the non-profit nature of turnpikes was presumably to allay concerns about a violation of the ancient principle that the King’s Highway was open to all. Still, this turnpike was very controversial (as were many later ones). Apparently largely for that reason, it took until 1695 before the next turnpike was set up [2].

In the early 18th century, the turnpike movement took off in earnest. Although there were frequent protests (sometimes violent, as in the burning of the toll gates around Bristol in 1727 and 1735), by the mid-1830s there were over 20,000 miles of turnpikes in England. …

Tolls were usually doubled on Sundays for ordinary commercial traffic, but were eliminated for travel to or from church. They also “were never levied on foot passengers, and were thus unfelt by the labouring poor” (p. 124 of [80]). There were also options in many cases for a flat fee for annual access. Still, there were countless controversies about the toll, “the collection of which led to endless evasions, inequalities and favouritisms of all kinds, arbitrary exactions, and systematic petty embezzlements” (p. 136 of [80]). …

… road tolls are coming back as a result of growing congestion and improved technology. Unlike telecommunications, where technology is increasing capacity of fiber, coax, and radio transmissions, building new roads is increasingly difficult, and making existing ones carry more traffic can only be done to a limited extent. At the same time, electronic means for monitoring traffic and collecting tolls are improving, and we see central business districts in Norway, Singapore, and London imposing tolls. Most of these systems do raise privacy issues, too, since they are centralized ones with information about users, or at least cars. Still, there is a strong tendency to introduce ever more detailed monitoring of traffic, often with the explicit goal of charging users according to their level of activity (whether by governments or by insurance companies).

Why businesses want RFID for inventory

From Technology Review’s “Tracking Privacy”:

Technology Review: How would RFID work to track products?

Sandra Hughes [Global privacy executive, Procter and Gamble]: It’s a technology that involves a silicon chip and an antenna, which together we call a tag. The tags emit radio signals to devices that we call readers. One of the things that is important to know about is EPC. Some people use RFID and EPC interchangeably, but they are different. EPC stands for electronic product code; it’s really like an electronic bar code.

TR: So manufacturers and distributors would use EPCs encoded in RFID tags to mark and track products? Why’s that any better than using regular bar codes?

Hughes: Bar codes require a line of sight, so somebody with a bar code reader has to get right up on the bar code and scan it. When you’re thinking about the supply chain, somebody in the warehouse is having to look at every single case. With RFID, a reader should be able to pick up just by one swipe all of the cases on the pallet, even the ones stacked up in the middle that can’t be seen. So it’s much, much faster and more efficient and accurate.

TR: Why is that speed important?

Hughes: We want our product to be on the shelf for consumers when they want it. A recent study of retailers showed that the top 2,000 items in stores had a 12 percent out-of-stock rate on Saturday afternoons, the busiest shopping day. I think the industry average for inventory levels is 65 days, which means products sitting around, taking up space for that time, and that costs about $3 billion annually. Often a retail clerk can’t quickly find products in the crowded back room of a store to make sure that the shelves are filled for the consumer, or doesn’t know that a shelf is sitting empty because she hasn’t walked by lately. With RFID, the shelf can signal to the back room that it is empty, and the clerk can quickly find the product.

The growth in data & the problem of storage

From Technology Review’s “The Fading Memory of the State”:

Tom Hawk, general manager for enterprise storage at IBM, says that in the next three years, humanity will generate more data–from websites to digital photos and video–than it generated in the previous 1,000 years. … In 1996, companies spent 11 percent of their IT budgets on storage, but that figure will likely double to 22 percent in 2007, according to International Technology Group of Los Altos, CA.

… the Pentagon generates tens of millions of images from personnel files each year; the Clinton White House generated 38 million e-mail messages (and the current Bush White House is expected to generate triple that number); and the 2000 census returns were converted into more than 600 million TIFF-format image files, some 40 terabytes of data. A single patent application can contain a million pages, plus complex files like 3-D models of proteins or CAD drawings of aircraft parts. All told, NARA expects to receive 347 petabytes … of electronic records by 2022.

Currently, the Archives holds only a trivial number of electronic records. Stored on steel racks in NARA’s [National Archives and Records Administration] 11-year-old facility in College Park, the digital collection adds up to just five terabytes. Most of it consists of magnetic tapes of varying ages, many of them holding a mere 200 megabytes apiece–about the size of 10 high-resolution digital photographs.

John the Ripper makes password cracking easy

From Federico Biancuzzi’s “John the Ripper 1.7, by Solar Designer”:

John the Ripper 1.7 also improves on the use of MMX on x86 and starts to use AltiVec on PowerPC processors when cracking DES-based hashes (that is, both Unix crypt(3) and Windows LM hashes). To my knowledge, John 1.7 (or rather, one of the development snapshots leading to this release) is the first program to cross the 1 million Unix crypts per second (c/s) boundary on a general-purpose CPU. Currently, John 1.7 achieves up to 1.6M c/s raw performance (that is, with no matching salts) on a PowerPC G5 at 2.7 GHz (or 1.1M c/s on a 1.8 GHz) and touches 1M c/s on the fastest AMD CPUs currently available. Intel P4s reach up to 800k c/s. (A non-public development version making use of SSE also reaches 1M c/s on an Intel P4 at 3.4 and 3.6 GHz. I intend to include that code into a post-1.7 version.)
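The c/s figures above count hash computations, and with crypt(3) the salt decides how many computations one candidate password costs: a candidate hashed under salt S tests every target hash that uses S, so a cracker groups its targets by salt and hashes each candidate once per distinct salt rather than once per target. The following added example (not John the Ripper's code) shows that bookkeeping. It uses a SHA-256-based stand-in for crypt(3) with a two-character salt prefix, since the DES crypt routine is not available from Python's standard library, and the user list, salts and wordlist are constructed for the example.

```python
import hashlib
from collections import defaultdict


def toy_crypt(salt, password):
    """Stand-in for crypt(3) (assumption: SHA-256, not DES). As with crypt(3),
    the output starts with the two-character salt and the salt is mixed into
    the hash, so a candidate must be re-hashed for every distinct salt."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest[:22]


def crack(hashes, wordlist):
    """Dictionary attack that hashes each candidate once per distinct salt.

    hashes: iterable of (username, hash) with hash = salt + digest.
    Returns (found {user: password}, number of hash computations done).
    """
    by_salt = defaultdict(dict)          # salt -> {hash: [users sharing it]}
    for user, h in hashes:
        by_salt[h[:2]].setdefault(h, []).append(user)
    found, computations = {}, 0
    for word in wordlist:
        for salt, targets in by_salt.items():
            if not targets:              # every hash under this salt is cracked
                continue
            computations += 1
            users = targets.pop(toy_crypt(salt, word), None)
            for user in users or ():
                found[user] = word
    return found, computations


def candidates_per_second(raw_cps, distinct_salts):
    """Candidate passwords tried per second against every target when each
    candidate has to be hashed once per distinct salt."""
    return raw_cps / distinct_salts


# Constructed sample: three users share salt "ab", one uses salt "zz"; alice
# and carol chose the same password, so their hashes are identical.
SAMPLE_HASHES = [
    ("alice", toy_crypt("ab", "password")),
    ("bob",   toy_crypt("ab", "letmein")),
    ("carol", toy_crypt("ab", "password")),
    ("dave",  toy_crypt("zz", "hunter2")),
]
WORDLIST = ["123456", "password", "letmein", "hunter2"]

if __name__ == "__main__":
    found, n = crack(SAMPLE_HASHES, WORDLIST)
    print(found, n, "hash computations instead of",
          len(WORDLIST) * len(SAMPLE_HASHES))
```

Four words against four hashes cost seven hash computations rather than sixteen, because the three "ab" hashes are tested by one computation per word and a salt is skipped once everything under it is cracked. The arithmetic scales the quoted numbers: at 1.6M c/s, 1,000 hashes under 1,000 distinct salts each see about 1,600 candidates per second, while 1,000 hashes under a single salt all see the full 1.6M. Traditional DES crypt has a 12-bit salt, so a large password file cannot have more than 4,096 distinct salts and shared salts are unavoidable.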

Google on the Google File System (& Linux)

From Sanjay Ghemawat, Howard Gobioff, & Shun-Tak Leung’s “The Google File System”:

We have designed and implemented the Google File System, a scalable distributed file system for large distributed data-intensive applications. It provides fault tolerance while running on inexpensive commodity hardware, and it delivers high aggregate performance to a large number of clients. …

The file system has successfully met our storage needs. It is widely deployed within Google as the storage platform for the generation and processing of data used by our service as well as research and development efforts that require large data sets. The largest cluster to date provides hundreds of terabytes of storage across thousands of disks on over a thousand machines, and it is concurrently accessed by hundreds of clients. …

We have seen problems caused by application bugs, operating system bugs, human errors, and the failures of disks, memory, connectors, networking, and power supplies. Therefore, constant monitoring, error detection, fault tolerance, and automatic recovery must be integral to the system.

Second, files are huge by traditional standards. Multi-GB files are common. Each file typically contains many application objects such as web documents. When we are regularly working with fast growing data sets of many TBs comprising billions of objects, it is unwieldy to manage billions of approximately KB-sized files even when the file system could support it. As a result, design assumptions and parameters such as I/O operation and block sizes have to be revisited.

Third, most files are mutated by appending new data rather than overwriting existing data. Random writes within a file are practically non-existent. Once written, the files are only read, and often only sequentially. …

Multiple GFS clusters are currently deployed for different purposes. The largest ones have over 1000 storage nodes, over 300 TB of disk storage, and are heavily accessed by hundreds of clients on distinct machines on a continuous basis. …

Despite occasional problems, the availability of Linux code has helped us time and again to explore and understand system behavior. When appropriate, we improve the kernel and share the changes with the open source community.

How much does stolen identity info cost?

From The New York Times’ “Countless Dens of Uncatchable Thieves”:

In the online world, he operates under the pseudonym Zo0mer, according to American investigators, and he smugly hawks all manner of stolen consumer information alongside dozens of other peddlers at a Web site he helps manage.

“My prices are lowers then most of other vendors have and I will deliver them in real time,” reads a typically fractured Zo0mer post.

At the same forum, another user, “tabbot,” offers “any U.S. bank accounts” for sale.

“Balance from 3K and above: $40,” he writes. “Regular brokerage accounts from 3K and above: $70.”

Tabbot also offers full access to hacked accounts from credit unions. One, with a $31,000 balance, is being sold for $400. “I can try search specific info such as signature, ssn, dob, email access,” tabbot writes. “Account with an extra info will be more expensive.”

Intel’s ups and downs

From FORTUNE’s “Lessons in Leadership: The Education of Andy Grove”:

By 1983, when Grove distilled much of his thinking in his book High Output Management (still a worthwhile read), he was president of a fast-growing $1.1-billion-a-year corporation, a leading maker of memory chips, whose CEO was Gordon Moore. … What Moore’s Law did not and could not predict was that Japanese firms, too, might master this process and turn memory chips into a commodity. …

Intel kept denying the cliff ahead until its profits went over the edge, plummeting from $198 million in 1984 to less than $2 million in 1985. It was in the middle of this crisis, when many managers would have obsessed about specifics, that Grove stepped outside himself. He and Moore had been agonizing over their dilemma for weeks, he recounts in Only the Paranoid Survive, when something happened: “I looked out the window at the Ferris wheel of the Great America amusement park revolving in the distance when I turned back to Gordon, and I asked, ‘If we got kicked out and the board brought in a new CEO, what do you think he would do?’ Gordon answered without hesitation, ‘He would get us out of memories.’ I stared at him, numb, then said, ‘Why shouldn’t you and I walk out the door, come back, and do it ourselves?'”

… once IBM chose Intel’s microprocessor to be the chip at the heart of its PCs, demand began to explode. Even so, the shift from memory chips was brutally hard–in 1986, Intel fired some 8,000 people and lost more than $180 million on $1.3 billion in sales–the only loss the company has ever posted since its early days as a startup.

Hear someone typing & know what was written

From Edward Felten’s “Acoustic Snooping on Typed Information”:

Li Zhuang, Feng Zhou, and Doug Tygar have an interesting new paper showing that if you have an audio recording of somebody typing on an ordinary computer keyboard for fifteen minutes or so, you can figure out everything they typed. The idea is that different keys tend to make slightly different sounds, and although you don’t know in advance which keys make which sounds, you can use machine learning to figure that out, assuming that the person is mostly typing English text. (Presumably it would work for other languages too.) …

The algorithm works in three basic stages. First, it isolates the sound of each individual keystroke. Second, it takes all of the recorded keystrokes and puts them into about fifty categories, where the keystrokes within each category sound very similar. Third, it uses fancy machine learning methods to recover the sequence of characters typed, under the assumption that the sequence has the statistical characteristics of English text. …

The only advantage you have is that English text has persistent regularities. For example, the two-letter sequence “th” is much more common than “rq”, and the word “the” is much more common than “xprld”. This turns out to be enough for modern machine learning methods to do the job, despite the difficulties I described in the previous paragraph. The recovered text gets about 95% of the characters right, and about 90% of the words. It’s quite readable.
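The third stage is where the regularities of English do the work, and a small version of it can be run. The added example below is not the paper's code: it assumes stages one and two are already done and that the key-to-cluster map is known and many-to-one (here the “h” and “j” keys land in the same acoustic cluster), whereas the paper has to learn that map without labels. With a bigram model built from a constructed stand-in corpus, Viterbi decoding picks the letter sequence that best fits both the observed cluster ids and the language statistics.

```python
import math
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz "

# Constructed stand-in for the English text statistics the attack relies on.
CORPUS = (
    "the quick brown fox jumps over the lazy dog "
    "john said that the thing he likes most is the sound of the keys "
    "this is the text that the model learns from and it is short "
)


def bigram_model(text=CORPUS, alpha=0.1):
    """Add-alpha smoothed log P(next | prev) for every letter pair in ALPHABET."""
    pairs = Counter(zip(text, text[1:]))
    totals = Counter(text[:-1])
    n = len(ALPHABET)
    return {(p, c): math.log((pairs[(p, c)] + alpha) / (totals[p] + alpha * n))
            for p in ALPHABET for c in ALPHABET}


def cluster_map():
    """Assumed outcome of stage two: each key maps to an acoustic cluster id,
    and the 'h' and 'j' keys sound alike enough to share one cluster."""
    cmap = {ch: i for i, ch in enumerate(ALPHABET)}
    cmap["j"] = cmap["h"]
    return cmap


def observe(text, cmap):
    """Stages one and two together: the recording reduced to cluster ids."""
    return [cmap[ch] for ch in text]


def recover(observed, cmap, lm):
    """Stage three: Viterbi search for the most probable letter sequence
    consistent with the cluster ids, scored by the bigram model."""
    letters_in = {}
    for ch, cid in cmap.items():
        letters_in.setdefault(cid, []).append(ch)
    # best[ch] = (log probability, text) of the best sequence ending in ch
    best = {ch: (0.0, ch) for ch in letters_in[observed[0]]}
    for cid in observed[1:]:
        nxt = {}
        for ch in letters_in[cid]:
            prev, (lp, text) = max(best.items(),
                                   key=lambda kv: kv[1][0] + lm[(kv[0], ch)])
            nxt[ch] = (lp + lm[(prev, ch)], text + ch)
        best = nxt
    return max(best.values(), key=lambda v: v[0])[1]


def demo(typed="the thing he said"):
    """Encode a typed string to cluster ids, recover it, and report accuracy."""
    cmap, lm = cluster_map(), bigram_model()
    recovered = recover(observe(typed, cmap), cmap, lm)
    hits = sum(a == b for a, b in zip(recovered, typed))
    return recovered, hits / len(typed)


if __name__ == "__main__":
    print(demo())
```

Every ambiguous cluster in the input could be either letter, and the decoder never sees the keys; “th” and “he” beat “tj” and “je” purely on bigram counts, which is the point Felten makes about “th” versus “rq”. A real recording adds noise in stage one and an unknown map in stage two, which is why the paper's accuracy is 95% of characters rather than 100%.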

Unpatched Linux, 3 months; unpatched Windows, 20 minutes

From Bruce Schneier’s “Linux Security”:

I’m a big fan of the Honeynet Project … Basically, they wire computers up with sensors, put them on the Internet, and watch hackers attack them.

They just released a report about the security of Linux:

Recent data from our honeynet sensor grid reveals that the average life expectancy to compromise for an unpatched Linux system has increased from 72 hours to 3 months. …

This is much greater than that of Windows systems, which have average life expectancies on the order of a few minutes.

… That’s the real story: the hackers aren’t bothering with Linux. Two years ago, a vulnerable Linux system would be hacked in less than three days; now it takes three months.

Why? My guess is a combination of two reasons. One, Linux is that much more secure than Windows. Two, the bad guys are focusing on Windows — more bang for the buck.

Zombies from China attack Internet

From Computerworld’s “Army of zombies invades China”:

China’s rapid Internet growth has brought with it a somewhat disturbing side effect: multiplying zombies up to no good.

Zombies, or Internet-connected computers infected by worms or viruses and under the control of a hacker, are used to launch denial-of-service (DoS) attacks, or send spam or phishing e-mails. An average of 157,000 new zombies are identified each day, and 20% of these are in China, security company CipherTrust Inc. reported this week.

… “Criminals look for a weaker link, so places like China, or anywhere behind the U.S. in terms of computer literacy, are a good target,” Stanley said.

China’s fast-growing Internet population is also an attraction, he said. As of January, there were 94 million Internet users in China, up 18% from the year before, according to the China Internet Network Information Center (CNNIC).

Interesting way to acquire someone’s signature

From Simson Garfinkel’s “Absolute Identification”, chapter 3 of Database Nation:

Already, the United Parcel Service, the nation’s largest package delivery service, is also the nation’s leader in biometric piracy. For most packages, UPS requires that a signature be written to serve as proof of delivery. In 1987, UPS started scanning the pen-and-ink signatures recorded for each package delivery. These images were stored in a database and faxed to any person who called UPS’s 800 number and asked for a ‘proof of delivery’ receipt. In 1990, UPS improved its piracy technology by equipping its drivers with portable electronic computers called DIADs (Delivery Information Acquisition Devices). Each computer has a built-in bar code reader and a signature pad. When a delivery is made, the UPS driver scans the bar code on each package and then has the person receiving the delivery sign for the package. The bar code number and the handwritten signature are recorded inside the DIAD, and ultimately uploaded to the company’s databanks.

The push to make signatures available in electronic form came from UPS customers, Pat Steffen, a spokesperson for UPS, told me when I called the company to complain about the practices. Signatures are considered proof of delivery. Digitizing that proof allows UPS to manipulate it like any other digital data. The faxed proof-of-delivery certificates are sent automatically from UPS computers, she explained. It’s also possible for UPS customers to download tracking software and view the signatures directly on their personal computers.

Ironically, by making a person’s written signature widely available, UPS is helping to dilute the written signature’s very value. Once the signature is digitized, it’s easy to manipulate it further with a computer–for example, you can paste it at the bottom of a contract. UPS’s system is particularly vulnerable: any package can be tracked as long as you know the package’s airbill, and UPS issues its preprinted airbills in sequential order–for example, ‘0930 8164 904,’ ‘0930 8164 913,’ and ‘0930 8164 922.’ An attacker can easily learn a company’s UPS airbill, use that airbill to obtain a comprehensive list of every delivery recipient–and then make a copy of every recipient’s signature.

UPS understands the vulnerability, but it can’t address the problem very well. A note on the company’s web site says:

UPS authorizes you to use UPS tracking systems solely to track shipments tendered by or for you to UPS for delivery and for no other purpose. Any other use of UPS tracking systems and information is strictly prohibited.

But, realistically speaking, UPS can do little to prevent this kind of attack. ‘If someone wants to go out of their way to get package numbers, it can be done. If someone wants to go out of their way to do anything, I suppose that’s possible. It is not an easy thing to do,’ said Steffen. Guessing would be harder, of course, if UPS used longer airbill numbers and didn’t issue them in a predictable sequence.
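The weakness in the last paragraph is the predictable identifier: given one airbill, its neighbours follow by arithmetic, so the tracking interface's access control rests on a number anyone can count to. The added example below is not UPS's scheme (the page gives only three sample numbers, which are nine apart, and does not describe the issuing rule). It models sequential issuance, the attacker's neighbour prediction, and the hardened alternative Garfinkel points at: a longer, unpredictable identifier, here 64 random bits plus a keyed check tag so stray guesses can be rejected before any database lookup. The issuer key and the live-identifier counts are assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical issuer key for the hardened scheme (constructed for this example).
ISSUER_KEY = b"example-issuer-key"


def issue_sequential(start, count, stride=1):
    """Predictable issuance: each number is the previous one plus a fixed stride."""
    return [start + i * stride for i in range(count)]


def predict_neighbours(observed, stride=1, radius=3):
    """Attacker's view: from one observed number, the numbers issued just
    before and after it are known without any further information."""
    return [observed + k * stride for k in range(-radius, radius + 1) if k != 0]


def _tag(token):
    return hmac.new(ISSUER_KEY, str(token).encode(), hashlib.sha256).digest()[:4]


def issue_random():
    """Unpredictable issuance: 64 random bits plus a 32-bit keyed check tag,
    printed as 30 digits so it can still be keyed in from a label."""
    token = secrets.randbits(64)
    tag = int.from_bytes(_tag(token), "big")
    return f"{token:020d}{tag:010d}"


def looks_issued(airbill):
    """Reject guesses offline: the tag must verify before any database lookup."""
    token, tag = int(airbill[:20]), int(airbill[20:])
    if tag >= 1 << 32:
        return False
    return hmac.compare_digest(_tag(token), tag.to_bytes(4, "big"))


def guess_success_probability(live_ids, id_space):
    """Chance that one uniformly random guess names a live identifier."""
    return live_ids / id_space


if __name__ == "__main__":
    # The middle of the page's three sample numbers, with the stride they show.
    print(predict_neighbours(9308164913, stride=9, radius=1))
    a = issue_random()
    print(a, looks_issued(a), looks_issued(str(int(a) + 1).zfill(30)))
    print(guess_success_probability(10**6, 10**11),
          guess_success_probability(10**6, 2**64))
```

With a stride of 9, predicting one step either side of the page's middle sample yields exactly the other two numbers quoted, which is the whole attack. For the random scheme the attacker has no neighbour to predict, and with a million live identifiers a blind guess at a 64-bit token succeeds with probability around 5e-14 per attempt, against 1e-5 for a blind guess at an 11-digit sequential space (and certainty for a neighbour of a known number). The tag does not replace the database check; it just keeps guessing traffic away from it.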

Pi to unfathomable places

From “Man recites pi from memory to 83,431 places”:

A Japanese psychiatric counselor has recited pi to 83,431 decimal places from memory, breaking his own personal best of 54,000 digits and setting an unofficial world record, a media report said Saturday.

Akira Haraguchi, 59, had begun his attempt to recall the value of pi – a mathematical value that has an infinite number of decimal places – at a public hall in Chiba city, east of Tokyo, on Friday morning and appeared to give up by noon after only reaching 16,000 decimal places, the Tokyo Shimbun said on its Web site.

But a determined Haraguchi started anew and had broken his old record on Friday evening, about 11 hours after first sitting down to his task, the paper said. …

Pi, usually given as an abbreviated 3.14, is the ratio of the circumference to the diameter of a circle. The number has fascinated and confounded mathematicians for centuries.

Aided by a supercomputer, a University of Tokyo mathematician set the world record for figuring out pi to 1.24 trillion decimal places in 2002.

More distribution channels = more viewers

From “NBC: iPod Boosts Prime Time”:

NBC’s “The Office” delivered a 5.1, its highest rating ever, last Thursday among adults 18 to 49, a bump the network credits in large part to the show’s popularity as an iPod download. …

Such a connection between podcast success and broadcast ratings success is particularly significant because the NBC data is among the first available evidence of what network executives have been gambling on when striking their new media deals: that the new video platforms are additive because they provide more entry points into a show for consumers. …

NBC is confident that the iPod exposure contributed to the rise. …

The iTunes offering is bringing new audiences to the show that would not otherwise have watched, said Frederick Huntsberry, president of NBCU Television Distribution. “Consumers have choices, and we are not reaching all consumers with one technology,” he said.

iTunes is one way to bring fresh eyeballs to the network, he said, in particular the younger demo that uses video iPods. …

Yet ABC has also seen a ratings increase for its iTunes shows. To date since their debut on iTunes in October, both “Lost” and “Desperate Housewives” are up versus the same period last year. …

That growth and the knowledge that iTunes distribution possibly grew and certainly did not cannibalize ratings gave the ABC Disney Television Group the confidence to add another round of iTunes programs last week …

Paypal’s numbers

From “PayPal Prepares For a Challenge From Google”:

Long the Internet’s leading online-payments service, PayPal has a 24% market share of U.S. online payments, according to financial-institution consulting firm Celent LLC. PayPal, founded in 1998, boasts 96 million accounts with consumers who want to send payments online without revealing their credit-card or banking information to vendors. To use the service, customers simply set up an account with their credit-card or bank-account details, fill out a payment amount and the email address of the recipient, and send the payment via the Internet to PayPal. If the recipient doesn’t have an account, he simply opens one in order to collect the payment. The service gained traction on eBay and proved to be more popular than an in-house payment system it had been using.

For eBay, which acquired the online-payment business in October 2002, PayPal has been a big asset. The unit has helped accelerate trading on eBay’s auction sites in the U.S., Germany and the United Kingdom. Most recently, PayPal generated 23% of eBay’s total $1.3 billion quarterly revenue. And PayPal’s revenue is growing steadily: It was up 48% to $304.4 million in the fourth quarter compared with a year earlier.

The new American community: affinity vs. proximity

From “Study: Want Community? Go Online” [emphasis added]:

Nearly 40 percent of Americans say they participate in online communities, with sites around hobbies, shared personal interests, and health-related issues among the most popular. That’s according to a survey conducted by ACNielsen and commissioned by eBay.

The survey was conducted in late September. Of 1,007 respondents, 87 percent say they are part of a community. Of those, 66 percent say they participate in shared personal interest sites. Next comes hobby sites (62 percent), health community sites (55 percent), public issues sites (49 percent), and commerce sites (47 percent). Others participate in social or business networking sites (42 percent), sports sites (42 percent), alumni sites (39 percent), or dating sites (23 percent).

“We are finding that affinity is quickly replacing proximity as the key driver in forming communities,” said Bruce Paul, vice president of ACNielsen. …

“I think that a lot of people initially connect [on online communities] because they share information, which for a site like eBay is beneficial because they learn and grow from each other,” said Rachel Makool, director of community relations for eBay. “Then, of course, relationships form, and they grow from there.”

Researchers note that among offline communities, only membership in religious congregations (59 percent), social groups (54 percent), and neighborhood groups (52 percent) are more common than participation in online communities (39 percent). Professional groups (37 percent), activity groups (32 percent), school volunteer groups (30 percent), and health/country clubs (31 percent) came in behind online communities.

The study also shows that though 30 percent of online community members interact on a daily basis, only 7 percent of offline community members interacted that often. It also reveals that 47 percent of offline communities have an online component, such as e-mailing or chatting online.

Blogging at IBM

From “3,600+ blogs: A glance into IBM’s internal blogging”:

Through the central blog dashboard at the intranet W3, IBMers now can find more than 3,600 blogs written by their co-workers. As of June 13 there were 3,612 internal blogs with 30,429 posts. Internal blogging is still at a stage of testing and trying at IBM but the number of blogs is growing rapidly …

US, Canada and Australia are very active countries, but there are also quite a few internal bloggers in small European countries: 147 in Sweden and 170 in the Netherlands, to mention two examples. …

… the most common topics.

News or events that affect the business
“When IBM sold the personal computing division rumours were flying around before it actually happened and people were blogging about that, giving their opinions about what was going to happen and how it would affect IBM.”

Metablogging
“It’s a new technology of special interest to people who blog.”

Administrative things
“The little changes going on in the company — the water-cooler talk.”

Product announcements
“Not necessarily of general interest but of interest to the specific community working with the product.”

Hints and tips
“…for example about what bloggers have found interesting on the intranet.”
