Monday 25 May 2009

How to make memorable but secure passwords

Some people, perhaps most, have a system for making passwords. Some systems
involve the use of the same password everywhere - easy to remember but if
discovered their online life is easily accessed. Others have different
passwords and write them down.

My system is to maintain long, virtually unique passwords which I never need
to commit to paper or an electronic note.

My goals are:

* at least 8 characters
* use of uppercase, lowercase, digits and symbols/punctuation
* the discovery of the system should not compromise my passwords
* no need to record any password
* be able to quickly work out my password for any site

The System

* Make up a memorable code with preferably uppercase, lowercase, numbers and
symbols/punctuation.
* For each site, consistently use some aspect of the site such as 3 or 4
letters/numbers of the site URL - modified in some systematic way - and add
it to your memorable code. Add it using any rule you like.

There is a problem with this system: sometimes sites change their name,
which, for me, has happened once. In this case I have not needed to change
my password, but since most sites will send your password to you should you
forget it, you can easily have your old password recovered and then change
your password - it doesn't happen often.

Examples

Assume your memorable code is Ab19#z.

Example 1: Take the first, second, second-last and last characters of the
site name, reverse their order, capitalize the first and last of them, and
insert the result after the 4th character of your memorable code.

So a password for google.com would be Ab19EloG#z.

And for ibm.com it could be Ab19MbbI#z. (You should have some way to handle
site names that 'fail' your system, or sites that require longer passwords
than your system produces.)

Example 2: Insert the memorable code between the first and last characters of
the site name.

So the password for google.com would be gAb19#ze.

It goes without saying (hopefully) that you should make up your own system
and you should probably not use my examples.

Ideas

* Consider using the organisation type or country code.
* Consider using multiple systems: one for important sites and a simpler
system for ad-hoc, single-use and other sites not containing personal data.
* Consider a version of the system for your home PC accounts.

You should assume that your system could be discovered, so you need to
choose a memorable code that is secure by itself.

If you want to document your system, do so with care. You should not write
it down verbatim - try to obscure it ;-)

Saturday 23 May 2009

So, you don't use open source software because it is not well supported?

But what support do you get from software you pay for?

Let's start with Vista support.

If your Vista install has a bug or doesn't run some of your purchased applications or crashes, how will Microsoft help?

Their End User License Agreement (EULA) for Vista has the following:

(If you are interested, here is a simple commentary on Windows XP Home)

Length of Warranty: Basically 1 year as I read it.

B. TERM OF WARRANTY; WARRANTY RECIPIENT; LENGTH OF ANY IMPLIED WARRANTIES.
The limited warranty covers the software for one year after acquired by the first user. If you receive supplements, updates, or replacement software during that year, they will be covered for the remainder of the warranty or 30 days, whichever is longer.

Repair: Microsoft will repair or replace it or give you a refund.

D. REMEDY FOR BREACH OF WARRANTY. Microsoft will repair or replace the software at no charge. If Microsoft cannot repair or replace it, Microsoft will refund the amount shown on your receipt for the software. It will also repair or replace supplements, updates and replacement software at no charge. If Microsoft cannot repair or replace them, it will refund the amount you paid for them, if any. You must uninstall the software and return any media and other associated materials to Microsoft with proof of purchase to obtain a refund. These are your only remedies for breach of the limited warranty.

What they warrant it for: Nothing, it seems. Microsoft don't warrant that Vista is fit for any task.

G. NO OTHER WARRANTIES. The limited warranty is the only direct warranty from Microsoft. Microsoft gives no other express warranties, guarantees or conditions. Where allowed by your local laws, Microsoft excludes implied warranties of merchantability, fitness for a particular purpose and non-infringement.

So... I hope you kept your receipt showing the amount you paid for Vista, otherwise you will not get any refund, nor will Microsoft need to fix anything, since you have no proof of purchase.

But you actually use more open source software than you think

Web sites

According to NetCraft, about 70% of the million busiest web sites/servers run open source software - Apache Web Server. Of all active web sites the figure is about 50%.

Google and Yahoo use mostly Open Source software to develop and run their services.

Operating Systems

If you run Linux then your Operating System is Open Source.
If you own an Apple Mac then your Operating System is Open Source.
Many companies and web service providers run Solaris. Solaris is now Open Source.

Mobile Phones

If you have a Nokia Symbian mobile phone - your phone's OS is Open Source.
If you have an iPhone, the OS is Open Source.
If you have an Android mobile phone, the OS is Open Source.

In fact, your mobile phone service provider is probably running equipment based on the ATCA standardized hardware platform running Carrier Grade Linux (CGL) and other Open Source software.

For more information, see the IEEE SCOPE site.

Web Browsers

Firefox, Safari, Chrome and Webkit are Open Source web browsers.

Routers

Some ADSL routers use Linux, e.g. Netgear, Linksys, Huawei. Linux is Open Source.

Last but not least...

Almost every PC, mobile phone or PDA runs some version of Java, which is estimated to be installed on 5.4 billion devices. Most of Java is Open Source.

So what do you have to worry about?

The universe runs on Open Source - Your work probably uses it - You already use it, so why not try it out on your current PC, or for that next work project or when you buy your next PC or laptop?

... and you will probably get more support than you do right now.

Real Support

The following companies and organisations develop, support or have donated commercial products as Open Source:
Google
Cisco/Linksys
Apple
IBM
Nokia
Yahoo
Sun (now Oracle)
Sony
Red Hat
Pixar
JBoss
Dell
LG
Samsung
Novell
Mozilla
HP
Intel
NVidia
HTC
Motorola
Texas Instruments
EMC (VMWare)
Microsoft - yes, they are helping as well!
Most (all?) universities
Perhaps it would be easier to list companies not supporting Open Source software.
Want more Open Source software?

Try here.

Some links to quality and popular Open Source software


What application do you want?

Antivirus? Try ClamAV for Unix/Linux, ClamXav for Mac OS X or ClamWin for Windows.

Word processor, Spreadsheet, Presentation etc.? Try OpenOffice

Web browser? Try Firefox, WebKit, Chrome (from Google), Safari (from Apple, based on WebKit) or Stainless.

Mozilla Firefox runs on Windows, Mac OS X and Linux PCs.
WebKit runs on Windows and Mac OS X PCs. Safari is probably a better version for most people.
Google Chrome runs on just Windows for now. You can get a beta Mac OS X version here.
Apple Safari runs on Windows and Mac OS X PCs.
Stainless (closed source?) runs on Mac OS X. It is tiny, very fast and very simple. I added this because it is an interesting project.


Graphics editor? Try the GIMP

Media player? Try VLC

BitTorrent client? Try Transmission (open source).

Sound editor? Try Audacity

Email client? Try Mozilla Thunderbird.

Virtual PC environment? Try VirtualBox

This allows you to run other operating systems (guests) on your current OS (host). For example, you might like to run Linux on your Windows PC. Linux would run in a window, or full-screen if you like, and at the same time you can run all your other Windows applications.

VirtualBox allows you to easily install multiple copies of Linux and even other Windows versions on your current Windows PC. It also works on your Mac, so you can run Windows and Linux on your Mac - this is what I do. You can start them up and shut them down just like real PCs.

Friday 15 May 2009

Sending email to multiple recipients - a better way

Current Practice

Generally when people send email they list the recipients in the TO field. This means that each recipient gets a copy of the email and a list of all the other recipients.

Nothing wrong with this, but if this email is forwarded, generally a copy of all the other email addresses is forwarded as well. Now if the email message is really interesting it may be forwarded on with ever-growing lists of email addresses to people who may not know who any of the other email addresses belong to.

In a perfect world this may be fine, but should this email with lots of email addresses fall into the wrong hands it could end up on SPAM lists or worse: someone could use the chain of email addresses to establish relationships between people in order to launch a more believable attack.

For example, if A sends an email to B, C and D, then a spammer could send spam to B, C and D and make it appear that the email came from A (and vice-versa). Since B, C and D already know A, the email may get past their spam filters and be opened - the spammer is now only one click away from launching an attack on their computer.

A Better Practice

Instead of using the TO field, simply use the BCC field and never use the TO or CC fields.

How Does This Help?


Addresses in the BCC field all get a copy of the email, but they do not get the list of other people's email addresses - they only see their own email address.

Should they forward the email on, they only forward on their own email address.

If people begin to adopt this practice, there will be fewer email addresses falling into the hands of the spammers.
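The two practices side by side, as an added example (not the author's code): the recipient list either goes into the To header, where every copy and every forward carries it, or only into the SMTP envelope, where no recipient sees it. The addresses are constructed for the example.

```python
"""Multi-recipient mail the way the post recommends: every recipient is a
BCC, so the headers that travel with the message carry no address list.
Added example; the example.org addresses are constructed."""
from email.message import EmailMessage


def build_to_message(sender, recipients, subject, body):
    """Current practice: everyone in To, so each copy (and every forward
    of it) carries the full recipient list."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bcc_message(sender, recipients, subject, body):
    """Better practice: no To or CC addresses at all. The recipient list is
    returned separately for the SMTP envelope, e.g.
    smtplib.SMTP.sendmail(sender, envelope, msg.as_bytes()), and is never
    written into a header, so a forwarded copy reveals only the forwarder."""
    msg = EmailMessage()
    msg["From"] = sender
    # RFC 5322 group syntax: a valid To header that names nobody.
    msg["To"] = "undisclosed-recipients:;"
    msg["Subject"] = subject
    msg.set_content(body)
    # Deliberately no Bcc header: the list lives only in the envelope.
    return msg, list(recipients)


def disclosed_addresses(msg):
    """Every address a recipient (or anyone they forward to) can read
    out of the To, Cc and Bcc headers."""
    found = []
    for name in ("To", "Cc", "Bcc"):
        for header in msg.get_all(name, []):
            found.extend(a.addr_spec for a in header.addresses)
    return found


if __name__ == "__main__":
    people = ["b@example.org", "c@example.org", "d@example.org"]
    print(disclosed_addresses(build_to_message("a@example.org", people, "Hi", "hello")))
    msg, envelope = build_bcc_message("a@example.org", people, "Hi", "hello")
    print(disclosed_addresses(msg), envelope)
```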

Sunday 3 May 2009

Another Warrimoo Power Station Online
Our solar photovoltaic system was connected to the grid via a feed-in meter last week.

Initially I was told that they would need to replace my existing 3-phase meters with a single poly-phase meter. But all the contractor did was install another meter.

Integral Energy, the regional electricity provider, installs the feed-in meter in a gross-feed-in configuration. This means that the feed-in meter counts all the energy that we generate and not just the excess energy at any point in time. So if feed-in rates are increased we will be credited for all the energy we produce.

Presently the feed-in rate is roughly the same as the usage rate: 14.62 c/kWh (excl. GST).

http://www.integral.com.au/wps/wcm/connect/8377a4804925a5499a279ff738d2752c/Sunpower+Interconnection+Agreement.pdf

http://www.integral.com.au/wps/wcm/connect/integralenergy/NSW/NSW+Homepage/forHomesNav/Sunpower/

Saturday 2 May 2009

Online Documentation Conversion Services


I needed to convert a MS Publisher document into a PDF recently. I stumbled upon this site:

FreePDFConvert

It seemed to do a reasonable job.

A friend gave me two other sites that might be useful as well:

DocMorph

Media-Convert