Thursday, July 26, 2012

Grab Bag

Couple of bits of news and links unworthy of a full blog post today, so you're getting the equivalent of grubbing around in my desk drawer for something when I forget your birthday... not a novelty paperclip and a stress ball, but instead...

First up, Greek triple-jumper Voula Papachristou is in hot water this week - not a hilariously mis-timed jump, but over a racist tweet. I'm not about to repeat what she posted here, but it was enough to get her booted from the Greek Olympic Squad. At the same time it probably wouldn't have triggered any "word filters" - no "obvious" racial insults there. Moral of the story, meanings come from context as well as the words, you won't easily guess sense with a machine, but you might really alienate a huge group of people really quickly. Think before you tweet. It may also be the case that an organisation is liable for a tweet sent from a corporate device... twitter can easily be made read-only.. just a thought. (See BBC News)

Secondly, for the developers amongst our loyal readership  I happened across a great post on "Coding Horror" listing new programming jargon from stack overflow. I particularly enjoyed "Yoda conditions" and the concept of "Stringly typed"... take a look:

Finally, one for the travellers amongst us. Apparently, some hotel swipe-locks are right up there in the security stakes with bits of string and XOR based encryption, as a hacker rather irresponsibly demonstrated without first disclosing the problem to the company concerned. Still, you might want to stick your valuables in the hotel safe as well, until someone backdoors that too.

Monday, July 23, 2012

Trends on Twitter can Make You Look a T#t

In a recent flurry of fairly pointless "news", Microsoft was under the spotlight for including some slightly odd constants in their open-source code. The hex values, at least one of which, #B16B00B5 could be considered on the wrong side of sexist, were at the very best a little puerile.

Developers have been spelling things in hex for as long as we've been building software.  As hexadecimal numbers can contain the numeric digits 0-9 as well as letters A-F, the propensity for silliness is so much more than with decimal. One example you won't have to travel far to stumble across is #DEADBEEF, perhaps offensive to vegetarians?  FACE:B00C formed part of the address a popular social networking site used on world IPv6 day, and Microsoft have previous form, using 000FF1CE at the end of their product codes in MS Office.

In any case, it is probably sensible not to include anything likely to cause offence in your source code, though some of the comments in the Linux kernel sources range from the hilarious to the downright vulgar with some crossover in between - indeed the "F-word" was (is? I haven't checked) used as a placeholder to search for in one bit of source. I guess the largest software companies aren't used to having their work looked at in so much detail.

This story did have a useful point to it, however. The widespread reporting caused #bigboobs to trend on twitter, and whilst a good section of the tweets were having a sly dig at Microsoft, some were, well, what you'd normally expect from a reference on the Internet to boobs.

Twitter does have a control to prevent you opening adult content - however, as it seems to rely on users self-tagging tweets, it ranges in efficacy from chocolate teapot through fishes on bicycles. I've  had a look, and reckon the only reasonable way to keep twitter clean is to filter at search-term level, indeed going after the #bigboobs hashtag from behind guardian gets you no tweets. It's not perfect, but it will remind users to be careful what they click, and provide another backstop against liability and e-safety issues.

Wednesday, July 18, 2012

What does your password say about you?

Last week, Yahoo became the latest in a long list of sites to have a chunk of password data stolen. Read all about the breach at Computerworld, the cause at SC magazine, and Yahoo's response at Techworld.

This is a particularly nasty example of the breed - a month or so ago, we were busy shaking our heads and tutting at LinkedIn for failing to salt their passwords - a process which makes it harder for an attacker to recover plaintext passwords from encrypted ones. Sadly, Yahoo's problems go a step further, their list was leaked in plain text. There is a special circle of hell for developers who store passwords in plaintext.

Happily for readers of this blog, having nearly half a million plaintext passwords gives us an opportunity to peer into the minds of the people who set them.

Firstly, lets look at the year. It is suggested that this database table wasn't live, and that it only referred to accounts created prior to 2010, and wasn't used for validation of any user passwords. Poor housekeeping! If we assume many people set a password containing the current year, and look at the passwords with a year in them (I looked at all 4 digit strings starting 19 or 20) we see a peak at 2008, though there's still many more 2012s than there are 2013s...  i'll let you make your own mind up, but it doesn't look great does it?

The data gives another little hump in the 1980s, which I assume is users' birth years. Seriously, don't do this. If your birth year makes up half of your password, you've given an attacker a lot to go on. There's barely a break in the 200 year span I chose, so it's clear some of those numbers are part of a longer string, perhaps (all digit passwords? yuck!), and some may be chosen more arbitrarily. If your password contains 2087, you should be ok for a while as a sensible attacker will concentrate on past years... and by 2087 I am quite sure password encryption of today will be seen as quaint.

What else can we learn about the users of this service?

6 people thought "secure" was a secure password - too literal, I'm afraid! While 4 more chose "insecure" or a variant - maybe this is a throwaway account, but it's all leverage to a hacker who will try and escalate privilege further and get to something of value - amazon, ebay, your credit card, even World of Warcraft.

Then we peer a little more deeply into what makes these folks tick - 16 felt strongly enough to include "hitler" in their passwords, and a handful of others made the sort of statements about race and sexual orientation which aren't suitable for a family blog like this one. Over 150 are just general "haters" with varying targets from "you", through names ("John" is unpopular) to life (sad isn't it!), school (predictable) and food(!).

Over 1000 chose passwords containing "god", though any religious overtones are tempered by both godzilla and the godfather. Just under 1000 picked "jesus", and these are much less polluted by the secular. Good advice: keep your faith out of passwords, it will make them easy to crack! FWIW, almost 200 passwords were based on the deities of other religions. Satan comes in bottom with 26 - obviously the bad PR of being the devil does nothing for your popularity as a password.

For a bit of local colour, we find 4 passwords almost certain to refer to Leeds United, but more like 30 which are manchester - that's what a few years in the lower leagues will do for you! Chelsea (108) are streets ahead of London rivals Arsenal (57), though not all will be related to the football club.

Sport is eclipsed by sex it seems, having over 1000 sex related passwords ranging in levels from polite admiration, through to some quite graphic suggestions.

Only about 3% of users chose a password which contained anything other than alphabetic or numeric characters. This would seem typical of a consumer service where passwords are chosen on convenience rather than security. Of course if the service you choose to use happens to store your password in the clear, much of your hard work choosing a decent password is undone.

Updated for 2013: Breaking news, password habits still diabolical. Thanks to those inadvertently generous folks at Adobe, there's a whole new bunch of purloined passwords to play with. The BBC have reported that right at the top of the top 20 sits old favourite "123456", with "photoshop" and "adobe" making guest appearances (yes, this is up there with using your sort code as your banking password!). Interestingly "azerty" pops up alongside "qwerty", showing we've got similarly bad habits regardless of keyboard layout. Reload this page next year to see that nothing ever changes!