Archive for January, 2016

Passwords

Posted: January 29, 2016 by uszik11 in Identity theft, Password need-to-knows, Personal safety, Uncategorized, Vulnerabilities
Tags: , , ,

Are your passwords strong enough to resist a brute force attack?

Passwords are just about dead. Many systems now offer “two factor identification.” You give them your cell phone number and you have to use both a password and a code number sent to  the phone for your log in.  But passwords continue. They are easy for administrators. They are part of the common culture.

Steve Gibson has the engineer’s “knack.” (See the Dilbert video here.) His company, Gibson Research Corporation (here), sells a wide range of computer security products and services. He also offers many for free. Among the freebies is Haystack: How Big is Your Haystack – and how well is your needle hidden? (here)  This utility provides a metric for measuring password security.

It is pretty easy to do yourself, if you like arithmetic. 26 upper case letters, 26 lower case, 10 digits, 33 characters (with the space) for 95 printable ASCII characters in the common set.  So, if you have an 8-character password that is 95 to the 8th power possible combinations: 6.634 times 10 to the 15th power or over 6-and-a-half quadrillion. If you could try a million guesses a second, it would take 6.5 billion seconds or just over 200 years. (60 seconds/minute * 60 minutes/hour * 24 hours/day * 365.25 days / year* 200 years =6.3 billion .)

Gibson Research makes all of that automatic. Just key in your password, and it tells you how long it would take to crack.

Cracking passwords is a “routine activity” for a hacker. They have tools.  At one meet-up for hackers, the speaker told us, “If you have to use brute force, you are not thinking.”  They do not type in a million guesses per second, of course. They have programs to do that. Also, most websites just do not allow that kind of traffic: you cannot do a million guesses per second. What the hackers do is break in to a site, such as Target, Home Depot, LinkedIn, or eHarmony, download all of the log files, and then, on their own time, let their software attack the data offline.

Also, hackers do not use the same computers that you and I do. They start with gaming machines because the processors in those are built for high-speed calculation. They then gang those multiple processors to create massively parallel computers.  The calculators from GRC show the likely outcome for brute force by both a “regular” computer and a “massive cracking array.”

If someone got hired today at a typical midrange American corporation, their password might just be January2016. If, like most of us, they think that are really clever, it ends with an exclamation point: January2016! Hackers have databases of these. They start with standard dictionaries, and add to them all of the known passwords that they discover.

One common recommendation is to take the first letters of a phrase known only to you and personal only to you. My mother had naturally red hair for most of her life. She was born in 1929 and passed in 2012. So, “My mother’s red hair came from a bottle” becomes mmrhcfab19292012. According to Gibson Research, brute force guessing with a massive cracking array would take over 26 centuries.

Gioachino Rossini premiered his opera, William Tell, in 1829. “William & Tell = 1829” would take a massive parallel cracking machine about 1 million trillion centuries to guess. On the other hand, a “false phrase” such as Five + One = 27 could not be done in under 1.5 million centuries.

TMAR Four 3c3c

Texas State Guard Maritime Regiment non-commissioned officers at leadership training.  Only the one on your far right is a real Marine.

Remember, however, that a dictionary attack will crack any common phrase.  With over 1.7 million veterans of the United States Marine Corp, someone—probably several hundred someones—has “Semper Fi” for a password. Don’t let that be you. A brute force attack would need only 39 minutes, but that is not necessary: a cracker’s dictionary should have “Semper Fi” in it already.

(Above, I said that cracking passwords is a “routine activity” for a hacker. “Routine activities” is the name of theory of crime.  Attributed to sociologists Marcus Felson and Lawrence E. Cohen, routine activities theory says that crime is what criminals do, independent of such “social causes” as poverty. (See Routine Activity Theory on Wikipedia here.) That certainly applies to password crackers. Like other white collar criminals, they are socially-advantaged sociopaths.  They are planfully competent, calculating their efforts against a selfish return.)

Beware; Honda Cares!

Posted: January 24, 2016 by IntentionalPrivacy in Historical and future use of technology
Tags:

I have watched the YouTube video “United Breaks Guitars” several times, and while it makes me laugh every time I see it, I have come to understand that the issue is really bigger.

“United Breaks Guitars” is the story of a man who hands over his Taylor guitar to United baggage and watches from inside the plane, helpless to protect it while United baggage handlers deliberately break it.

Stories like this often start with “I shoulda …” as if it is somehow our fault that we unwittingly entrusted someone whom we paid—yes, PAID—to treat us and our belongings with respect. Instead when they abuse our trust—when they lie, do not deliver on their promises, or worse, deliberately break something that has been committed to their care—we are supposed to accept it and move on with our lives.

I watched this video again while I was writing this article. I was thinking of words to substitute for the song lyrics to fit my recent problem with my new 2015 Honda Accord, which I purchased in September. Unfortunately, most of the words I thought of were not printable.

While I have bought a couple of new cars, they were practical and did not have any extra features. The only thing that I have ever purchased that cost more was a house. I fell in love with this car. It had amazing technology. It was a beautiful Obsidian Blue Pearl. The doors close with a very solid thunk. It drives great and it is comfortable. It has many other features that I enjoy.

However, it has some features that I do not enjoy. One such feature is that you cannot unlock the passenger door from outside the car with the key fob if the car is parked and running. I was told that was a safety feature. That one is annoying, but I can live with it. Other features are not so acceptable.

I am stuck in traffic every day for a couple of hours. I download audio books to my phone, and I was very happy to discover that I could hook my phone into the car’s Bluetooth and listen to my current book on my long commute. Unfortunately, if I receive a text message while my phone is connected, the text message replays every time I use my right turn signal until I turn the car off.

Imagine: When I get in my car after leaving work, I text my husband to tell him I am on my way home. I’m driving down the road and he texts me back “ok.” There are at least five right-hand turns on my route home. Ok … ok … ok … ok … OK!

The first time it happened, I almost drove off the road. The next time, I pulled off the road and tried to figure out how I could fix it. I work in technology and there must be some option I could change, I thought. As I explored the options, I decided the user interface was terrible and counterintuitive. I got the manual out; it did not explain the options at all. The manual actually only refers to the iPhone, but it does not explain the options there either.

But no, none of the available options made a difference in the car’s behavior.

I was sure there was something I was missing in the settings or maybe the dealership could install an update that would fix the problem. I drove to the dealership. I took a service writer for a ride in my car and let him experience the text message problem. He told me that it was supposed to work like that. My choices were to turn off the right-hand camera or not attach the phone to the car.

Spending that much on a car and not being able to use the features I bought it for seemed ridiculous to me.

Next, I talked to his boss, who also dismissed my issue and me.

My phone is a Samsung Galaxy S5 and my carrier is Verizon. Yes, they are both on Honda’s list of approved phones and carriers.

car-3

Then we discovered that my husband’s iPhone 5 does not connect at all, even though it is also on Honda’s approved list.

I went home and wrote a letter to Honda America. A month later I heard from “Crystal,” who said she would contact the dealership and then call me back. That was in early November, and I have not heard from her since.

The car has pale gray velour seat covers. I drink coffee in the car and I knew what those seats would look like in six months without stain repellent. I purchased the Auto Butler interior stain repellent as well as the exterior coating to protect it from the Texas sun.

As I was driving to work one morning, my coffee tipped over. Instead of the coffee beading up the way the loan officer had shown us so I could pull over and wipe it up, it soaked right in. I was furious.

I called the dealership and asked to speak to the General Manager. The switchboard told me it wasn’t convenient for him to talk to me. I told her that it wasn’t convenient for me to have spilled coffee all over the inside of my car either. She switched me over to the Service Director.

I explained my problems with the car.

He told me to bring it in and they would make it right.

That was the week before Thanksgiving. They did clean the seat (although I swear I can still see coffee stains). When I picked up the car, the new, pale green bathmats I use as seat protectors were wadded up on the floor with great big, greasy footprints on them.

The Service Director (I’ll call him “George”) gave me a 2015 Honda Accord loaner. The loaner—with a different user interface—did not have the text message issue.

They kept my car for two weeks, claiming they put in updates and reset everything. When I got the car back, George sent me a link that explained how to reset Bluetooth on my phone to fix connection issues. I applied the Verizon update to my phone that had come out the day before. Even though I did not have a connection issue, I deleted the HandsFree link from my phone. I followed the directions for resetting Bluetooth. Then I reinstalled the phone in the car.

It did not help.

Instead, the car had a new problem. I was listening to the radio and the Bluetooth on the phone was turned off. I got a text message, the car turned on Bluetooth and played the message. I turned on the right turn signal and the message replayed.

George told me the Honda engineer said that problems with phones happen because the phone model they work with three years before the car comes out is not the same phone that hooks up to the car. While I can understand that phone models change, the phone uses Bluetooth 4.0, and it is supposed to be a common standard.

I called George and said I wanted it fixed. Fix the car, replace it, or give me my money back. I said if the loaner did not have the problem, my car should not have an issue either.

He sighed and told me to bring it in again.

They had it for a week when George called to say that Honda had agreed to replace the audio unit. He made it sound like it cost several thousand dollars to replace and they were doing me a big favor. He finally called me five days later to say it was fixed and I could pick it up any time.

So at noon on Thursday, I drove to the dealership to trade the loaner for my car. Instead of taking five minutes to turn in the keys, get a receipt, and pick up my car, I sat there for 45 minutes. When I was called to the desk finally, a different service writer tried to hand me a bill for $561. I politely handed it backed to him and said it was supposed to be warranty work. He handed it back to me. I said that he had better check unless he wanted me to call my lawyer right then. Another twenty minutes went by. Magically the charges had disappeared when they handed me the receipt the second time. I finally got my keys and my car, and hooked the phone back into the car.

Did they go for a test drive with me to show me it was fixed? No. I got in the car and had someone send me a text message. Problem still there.

In the meantime, my husband had taken our 2005 Honda into the same Austin, Texas, dealership to get it inspected because the power steering was making a noise. They resealed the power steering pump, and replaced the valve cover gasket and the cam plug. When he picked the car up and drove away, the engine light came on. He took it back and they charged him another $65 to tell him that an additional $670 was needed to replace the spark plugs and the induction coils. He went to an auto parts store and picked up four spark plugs for $52. When he pulled out the spark plugs, he found two springs under one of the spark plugs and none under one of the others.

Technology is supposed to make your life easier, better, and safer. I would argue that this car does not make my life easier, better, or safer: its problems are annoying and distracting. I should not have such issues with a brand-new car. I should not have such customer service issues with the dealership either.

The warranty package I bought with this car is called “Honda Cares.” It sounds great!

Honda, do you care? If you do, you will fix my car!

In fact, you should fix both our cars.