Archive for September 2007

Reason #472935 I love working at Google

This makes me proud.

If only I’d gotten around to fixing that 10-word minimum by now, I wouldn’t have to write this sentence.

Coding Horror: All the news that was fresh in 1962

I just read a lovely article on Coding Horror, about “Rainbow Tables” – precomputed dictionaries of hashes of possible passwords, used for fast cracking of weak passwords.

At the end of the article is a quick primer on the simplest way to raise the bar on rainbow tables, salting.

That’s why you should never rely on hashes alone – always add some salt to your hash so the resulting hash values are unique. Salting a hash sounds complicated (and vaguely delicious), but it’s quite simple. You prefix a unique value to the password before hashing it:

hash = md5('deliciously-salty-' + password)

If you’ve salted your password hashes, an attacker can’t use a rainbow table attack against you – the hash results from “password” and “deliciously-salty-password” won’t match. Unless your hacker somehow knows that all your hashes are “deliciously-salty-” ones. Even then, he or she would have to generate a custom rainbow table specifically for you.

That’s just one notch though; as Coding Horror says, the response from the bad guys is to generate their own deliciously-salty- rainbow table just for you. Probably not going to happen if the attacker is your roommate trying to open your private journal file. Probably *will* happen if the application used by millions of a bank’s customers to access their accounts..

The next notch is to use a different random salt for each password. The attackers don’t just need one rainbow table just for you, they need one for every possible salt. As the article says, even the smallest rainbow table is 338MB; multiply that by, say, 26^2 (= 676) (on the assumption of a two-character, lower-case-letter-only salt) and you have 228,488MB (223.13GB) of tables – and that only covers you for passwords of up to 14 characters, consisting solely of letters and numbers.
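The three notches above, worked through as an added example (not code from this post or from Coding Horror): a precomputed digest-to-password table stands in for a rainbow table, a shared fixed salt defeats it only until the attacker learns the prefix, and a per-account random salt forces one table per salt value. The wordlist is constructed for the demonstration, and MD5 is kept only because the quoted post uses it.

```python
import hashlib
import os

# Constructed toy wordlist; a real rainbow table covers a far larger space
# (the post cites up to 14 alphanumeric characters), but the lookup is the same.
WORDLIST = ["password", "letmein", "qwerty", "123456", "hunter2"]

def md5_hex(text):
    # MD5 only because the quoted post uses it; a slow password hash is the
    # modern choice, but the salting argument is identical.
    return hashlib.md5(text.encode()).hexdigest()

def build_table(known_prefix=""):
    """Precompute digest -> password for the whole wordlist.
    known_prefix models an attacker who has learned a site-wide fixed salt."""
    return {md5_hex(known_prefix + word): word for word in WORDLIST}

def crack(table, digest):
    """Rainbow-table style lookup: no hashing at attack time, just a dictionary hit."""
    return table.get(digest)

def hash_fixed_salt(password, salt="deliciously-salty-"):
    """The scheme quoted above: one salt shared by every account."""
    return md5_hex(salt + password)

def hash_random_salt(password, salt=None):
    """One fresh salt per account; the salt is stored beside the digest."""
    if salt is None:
        salt = os.urandom(8).hex()
    return salt, md5_hex(salt + password)

def verify(password, salt, digest):
    """Login check: re-hash with the stored salt and compare."""
    return hash_random_salt(password, salt)[1] == digest

def tables_required(alphabet_size, salt_length, table_size_mb):
    """How many generic tables a random salt forces, and their total size in MB."""
    count = alphabet_size ** salt_length
    return count, count * table_size_mb

if __name__ == "__main__":
    generic = build_table()
    print(crack(generic, md5_hex("password")))          # -> password (unsalted: cracked)
    print(crack(generic, hash_fixed_salt("password")))  # -> None (fixed salt: table misses)
    custom = build_table("deliciously-salty-")
    print(crack(custom, hash_fixed_salt("password")))   # -> password (attacker rebuilt table)
    s1, d1 = hash_random_salt("password")
    s2, d2 = hash_random_salt("password")
    print(d1 != d2, verify("password", s1, d1))         # -> True True
    print(tables_required(26, 2, 338))                  # -> (676, 228488)
```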

Coding Horror, with a bit of help from me, has now brought you up to date on the state of the art in cryptography, circa the mid 1970s, when Thompson and Ritchie implemented this scheme to prevent dictionary attacks on Unix /etc/passwd files.

Check Coding Horror again tomorrow for a fresh dose of vintage computer news!

There is one upside to APEC though…

Well, two, actually. One is that it gave me a nice excuse for my annual pilgrimage to my hometown-that-never-was-but-someday-shall-be, Brisneyland.

The other is that it may well be Howard’s biggest blunder ever.

From the blog of a certain taxi driver I’ve mentioned before:

APEC

If John Howard is smart he would avoid calling an election for as long as possible, in order to put space between APEC and some of his biggest fans. Such is the level of discontent from small businesses after the costly disruption to Sydney’s CBD.

A Circular Quay restaurant owner bitterly complained, “After what Howard did to my business this week there’s no way I’ll be voting for him again.” A mid-City coffee shop owner estimated a $10,000 hit from APEC. Indeed, many restaurants simply closed their doors due to the lack of bookings. Other small business passengers reported a 60% loss of trade.

Yes, you can hand-feed even bees, if you do it just right

Pictures at the birdchick blog.

This sentence added just to put myself above my self-imposed 10-word minimum.

Coalition != Government

James Purser comments on the Coalition’s confusion between the Government and the party which temporarily has a majority in the lower house.

There is no guarantee that any one party will remain in power and this is why the Public Service has to – as a core function – retain its independence and the perception of its independence. The country cannot run effectively if the men and women who run the day to day operations of our government, whether it is defence, social services or intelligence, are forced to toe the party line. For Public Servants, the nation’s interests must always come before the political interests of the elected government.

Can anyone at last.fm speak English?

I sent this email:

> I’m currently using the username zhasper_
>
> This is because, at some point, I signed up with the username zhasper. I don’t
> know what email address I used for this username, and I have no idea what my
> password was. As a result, I’ve not logged in since just after I created the
> account.
>
> Is it possible for you to send a password reminder/reset email to the email
> address associated with the account zhasper, if there is one?

Their response:

Hi,

The email you used to sign up with is the one you have just used to contact me.

I have also reset your password.

It is now: xxxxxxxx

Feel free to change it once you log back in.

After some prodding and poking and trying to understand what I was doing wrong, I realised what was going on, so sent this response:

Hi.

You’ve reset the password for zhasper_, the account that I already knew the password to, that I have no problem accessing.

I was asking about the account zhasper – note the lack of underscore.

Thanks!

This morning, I get this response:

Hi,

New Password: xxxxxxx

Guess which account had its password reset?

I’m narky now.

You’ve reset zhasper_ again. I’m not having problems with that account. Try again.

Let’s see if they get it right this time.

Open mouth, insert foot: Security theater exposed by street theater

From what I’ve read, it seems that the Chaser team got through at least one, possibly two, checkpoints, before they decided that the joke had gone far enough, turned around, and started to leave the secure area. It was only at this point that police realised something was amiss, and in an attempt not to look completely useless, immediately arrested everyone in sight.

I’m not really surprised that 170+ million in security spending buys you guards who wave through any car that looks vaguely expensive and has a $2 flag flying on the hood. Security theater is more and more often replacing real security these days – I’d have been more surprised if there were any actual security involved.

I’m not really surprised that everyone would be arrested – no-one responds well to being exposed as foolish, especially people in supposed authority positions. I am a little surprised that they’ve apparently been let out – why did our parliament have to pass special laws enabling people to be locked up without charge for the duration of APEC if we’re not going to use them even on people who’ve demonstrated they can bypass the security system at will?

What does surprise me is some of the stupid, stupid things that some of our top police have been willing to say in front of the press.

Police Commissioner Andrew Scipione said he was furious at the stunt which could have had the comedians shot by snipers.

“The snipers are there for a reason . . . Clearly they are there because they mean business. They’re not there for show.”

(taken from news.com.au)

Wow. The Police Commissioner is admitting that he’s put on our rooftops snipers so poorly trained they might shoot any random person who happens to be within the restricted area and being shown some attention by police.

Did I mention that I’m glad I’m in Brisbane?

From the ABC, this gem:

New South Wales Police Minister David Campbell says …

“This is the most significant security event in Australia’s history. It’s the most significant, international, diplomatic event in Australia’s history and therefore is extremely serious.

Yep. More significant than random Indian doctors trying to visit their wives; more significant than bombs going off in bins outside Hiltons – yep, a crew of comedians being waved through checkpoints on the basis of a $2 flag on the bonnet of their car ranks right up there with September 11 and the London Underground bombings.

My favorite statement has to be this, a little further down the page:

Foreign Affairs Minister Alexander Downer says The Chaser team were not going to harm anybody and the arrests are proof the security measures are working.

Firstly, I think Mr Downer’s people need to have a chat with Mr Campbell’s people – one of them is saying that this is the most significant security event in Australia’s history, the other is saying that “they weren’t going to harm anybody”. Pick one, any one, but please try to be consistent.

Secondly – how can anyone think that security measures are “working” when the police only notice something wrong because the Chaser guys decided they’d gone far enough and voluntarily turned back? It’s a good thing they really were harmless..

Just in case you had any doubt that the security was anything other than security theater, here’s Mr Campbell again, from the same ABC link again:

“The Government has made the point time and time again that we’ve got the most serious, the biggest security operation in Australia’s history…. and it needs to be taken seriously.”

That’s right – it doesn’t have to work, it doesn’t have to be effective – it just needs for all of us to pretend that it’s working.

Quick Snaps

Some photos I’ve taken recently. All available over on flickr.

Yes, they move doghouses. You either know what this is about, or you don’t.

This was in the inflight magazine on the flight.

Full text reads:

Without a Net?

Google has made a major breakthrough with web applications such as its free online word processor and spreadsheet. User’s(sic) had complained that although they worked well, they only worked online. Google now has a way to make them work without an internet connection. www.google.com.au

They’re kinda right – they’re referring to Gears, of course. It’s a pity the only company with a public release demonstrating using Gears for word processing is Zoho, a competitor of Google’s…..

Screens are currently showing the DriverCam view. Just to my right, there’s a series of screens down the aisle, a la many planes.

The longer distance trains have screens on the back of the seat in front, with a choice of 5 movie/entertainment channels and ~8 radio channels. This model just has the radio.

Queensland trains rock.

LolKitties for Christ. Nuff said.

Only in Brisneyland do you need, not just a sign warning you of the "Automatic Escalator", but instructions on how to use same.

Seen outside a cheap hotel:

As opposed to internet that gets switched off between 10pm and 6am, so that our guests can get a good night’s sleep

Opinions for the day

Because, after all, that’s what you’re all hanging out for, isn’t it?

* New iPod range

I won’t be getting one. My music collection runs to about 23Gb, and that’s before I start putting in the videos I want to carry with me (and might watch on an iPod). Unless it can hold my entire collection, it can’t replace my existing 30Gb model. Unless it can have the same tiny form-factor, ruggedness, and shock-resistance as my shuffle (gumstick model of course, not the clippy model that I hate), it can’t replace that either.

As far as web browsing and such goes – I’ve got my n800 for that, and it runs a (mostly) open OS and application stack, so it’s getting better all the time. Until the iPod runs a stack that’s just as open, it can’t replace that either. Oh yeah – and it needs an 800×600 screen, too – none of this 320×480 nonsense.

If my iPod died, at this point, I’d replace it with a Classic. Once they have sufficient capacity to hold my whole library, I’d think about it.

* Brisneyland

Rocks! I hired a bike today from Riders. I rode… wait..

Here you go – a map of what happened:



Google Rocks (and I’m not just saying that because I work there :p)

My legs are bloody sore now.

Click on the “Larger version” link for notes about the legs of the trip.

The total ride was about 30km. I rode almost the entire way on bikepaths, with a few forays onto bike lanes on roads. I rode across one pedestrian/bike only bridge, and another that takes buses as well.

Brisbane is really doing well at putting in the infrastructure, especially public transport (and roads), to sustain a lot of growth. The second bridge already makes it much faster for a lot of people to use public transport than drive to uni. Likewise, the two existing busways (and the twoish more currently in production) link other places via public transport in a way that isn’t subject to peak hour traffic – and thus make it faster to take public transport to those places than to drive there in peak hour.

The bike integration is good too: bikes are encouraged on ferries and trains (with limitations during peak hour), and even buses are starting to be equipped with bike carriers. At West End ferry wharf, there’s a shed for you to lock your bike in – an extra level of protection from the elements and from vandalism above just an average bike rack, designed for regular commuters. There were bike paths everywhere.

Integrated ticketing, and sensible zoning, make transitioning between different modes of transport painless. They’re even working on integrating taxis into the rest of the public transport system, to make up for those tiny shortfalls where, say, a train line doesn’t quite connect to a bus route, that only affect a few people and really aren’t cost effective any other way.

I’ll be moving up here just as soon as we open a Brisbane office..

* gReader

Rawks! It now tells me I have 1000+ items, instead of just 100+. And – It has search! OMFG! Rawxt! Thanks so much to the team who worked on that, whoever you are!

Quoting the SMH quoting JSM

he who, of his own free will, on a half a pint of sherry, was particularly ill:

We should remember John Stuart Mill’s famous justification of the importance of the “marketplace of ideas”. People should be given the chance to hear, and understand, even the most disagreeable opinion, because, “If the opinion is right, they are deprived of the opportunity of exchanging error for truth; if wrong, they lose what is almost as great a benefit, the clearer perception and livelier impression of truth, produced by its collision with error.”

From Amy Corderoy’s column