internet category

I'm passionate about online privacy. This category also includes posts about security, general web development and commentary.

Not included here are my archive of tweets and Delicious links. Those are in the cloud.


Google still silent on non-JavaScript +1

Remember in November 2011 when I voted for a non-JavaScript Google +1 button? Let's see how we're doing with getting an answer.

Comment 34 by rlueb...@gmail.com, Aug 27 (2 days ago): This was reported September 2011 and is NOT fixed yet. Still no +1 without Javascript, only sharing. And still not a single remark from Google ... Please add this feature. Due to laws in Germany +1 is unusable this way.

I had my Google+ account suspended for using my real name in March 2012, and I don't search with Google while logged in anyway. Still, would be nice to let Googlers vote for my stuff without JavaScript.


Are sites storing your passwords securely?

There have been so many password "hacking" stories lately, I thought I'd write this post so I can refer back to it. For added security, I've included the above image of Makise Kurisu, the scientist in my anime harem.

Covering my behind

Crypto is an exact science, so before I go any further I will make these points clear.

  • When I say random, technically I mean pseudorandom. Algorithms are deterministic, so strictly speaking a computer's logic can't produce "true" randomness. Contemporary algorithms are an order of magnitude better than the BASIC RND() function of yore though.

  • When I say impossible and one way, I mean practically speaking. Our current algorithms would take the birth and death of several universes to brute force with current hardware, but that doesn't mean it's impossible. Just very very very very improbable!

How passwords are supposed to be stored

When you create an account with a well designed, secure website, your chosen password is not stored anywhere. Instead, your password is put through a one way cryptographic hashing algorithm, which converts it into random gibberish, along with a salt: random information only the web server knows.

When you attempt to log into the site, the password you give is hashed in the same way and compared to the hash on file. If they're the same, the server knows you have the right password.

It's a proven, tested technique and it works... provided everything is implemented properly. No doubt you've seen plenty of news stories suggesting sound security is harder than coming up with some snappy alliteration on a blog post.

Why go to the trouble?

Rather than storing a hash of a password, you could simply store the password and compare it when someone logs in. It's simpler, and a worryingly large number of sites still do this.

The problem is, if the database is broken into, the malicious hacker has access to all your customers' passwords. People like conserving energy (politically correct way of saying lazy!), and are probably using those same passwords for all sorts of stuff including their banking sites, email, social networks and so on. You can see what a disaster this could be!

If you store them as hashes, all anyone ever sees is random gibberish... even the site owner!

How to tell

Short of asking the site administrator, there are two main tells that a site is storing your passwords instead of a hash:

  • They're able to provide you with your password. This could happen when you first create your account and they send you a welcome email, or if you've said you've forgotten your password. A secure site should always direct you to a page to reset it, because they don't know your password either.

  • Hashes take a password of any length and produce output of a uniform size (such as 128 bits). Not always, but often if a site puts a limit on your password length, it's because they're storing it as plaintext in their database.

There may have been (bad) excuses for these practices in the past, but not any more. If a site you access does either of these, it's time to question how important they are and whether they're worth risking your data and security over. Blunt, but true.

If you suspect a site you access is storing your password in plain text and you have no choice but to use them, complain, and make sure you pick something random and unique to that one site. If/when they get broken into, you'll be glad you did.
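To make the "hash plus salt, then compare at login" process above concrete, and the point that a hash has a uniform size whatever the password length, here is an added example that is not code from the original post. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt and a record format of my own choosing (`iterations$salt_hex$hash_hex`).

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor (not from the post); tune it to your hardware.
ITERATIONS = 200_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record. The password itself is never kept."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    # The salt is stored beside the hash so the login check can reuse it.
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Re-hash the login attempt with the stored salt and compare hashes."""
    iters, salt_hex, hash_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison: don't leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)

def digest_length(record: str) -> int:
    """Bytes in the stored hash; the same for any password length."""
    return len(bytes.fromhex(record.split("$")[2]))

if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("records differ thanks to the salt:", alice != bob)
    print("login ok:", verify_password("correct horse battery staple", alice))
    print("wrong password:", verify_password("Tr0ub4dor&3", alice))
    print("hash bytes for a 1-char and a 200-char password:",
          digest_length(hash_password("a")), digest_length(hash_password("a" * 200)))
```

Because the salt is random, the same password produces a different record for each user, so a stolen database can't be matched against a precomputed table.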


Want to see a cool gear animation?

First, make sure you're proactive about privacy and security by using NoScript and a cookie manager. Head to a Blogger powered site, like this one. Marvel at the blank page! Temporarily allow blogger.com in NoScript. Marvel at the spinning gears... that just don't stop! Spin spin spin!

It's pretty poor form for a company as large as Google to require JavaScript to even load content, but to require a cookie? Madness.

In a related note, @hanezawakirika forwarded me this epic flowchart showing when to require Flash when loading a site. Same principle applies!


People still fall for this Twitter DM spam?

Icon from the Tango Desktop Project

Yay, got some more spam DMs from cracked Twitter accounts this afternoon!

Hi this user is making really bad rumors about you [dodgy link redacted]

And one I haven't seen for a while.

lol...omg i am laughing so hard at this pic of me my friend uploaded [dodgy link redacted]

On the one hand I find it hard to believe anyone still falls for this stuff, but I guess they are if the spammers can still justify sending them out.


More Gmailers than Hotmailers?

Sean Ludwig writing for VentureBeat:

Google announced today that its Gmail service has 425 million monthly active users. That means it has blown past Hotmail for the first time, becoming the largest email service in the world.

While this trend was inevitable, I think a far more interesting comparison would be the number of people using alternatives to email. Aside from a few fringe cases, people still have and use email, but are supplementing them with social networks and the like.

I long since ditched both Hotmail and Gmail, but ironically enough I still know far more people at UTS with Hotmail/MSN accounts than anything else!


Stallman Schneier Stuxnet Security

If I could be further impressed with my crypto-hero Bruce Schneier, I would be. Richard Stallman on the other hand, I find myself vehemently disagreeing with him for the first time in a long... time.

Siemens Simatic S7-300 PLC photo by Ulli1105 on Wikimedia Commons.

For those who haven't been following, it's been widely reported that the Stuxnet worm was developed by the United States government. Stuxnet took advantage of a vulnerability in Windows and certain Siemens PLCs that Iran used in their nuclear facilities. Of course, it affected plenty of other people as well.

Why am I bringing this up now? Because it's a fascinating look into the brains of two different tech luminaries.

Richard Stallman

Richard Stallman, the champion of the copyleft Free Software Foundation, hasn't made a secret of his political leanings. While I've largely agreed with his stances on warrantless wiretapping, security theater and the like, I was a little disturbed by his take on Stuxnet. From his March-June 2012 archives (emphasis added by me):

Stuxnet was made by the US and was approved personally by Obama.

I don't think such an attack against Iran is necessarily wrong. However, it can backfire.

So the man of uncompromising principles lets slip that he condones state sponsored attacks, despite even admitting they can backfire. Not only that, this remark is included on the same page where he asks for diplomacy to resist "being pressured into war".

Hacking a foreign government's computers constitutes diplomacy and doesn't pressure us into war? For once, I find myself unimpressed sir.

Bruce Schneier

Let's take the other side. In the context of proposing a cyber security treaty, Bruce Schneier appealed for restraint in one of his recent posts, which serves as a useful counterpoint to Richard's stance.

We're in the early years of a cyberwar arms race. It's expensive, it's destabilizing, and it threatens the very fabric of the Internet we use every day.

Specifically regarding Stuxnet, he addresses my concerns exactly. Forgive the large blockquote, he just lays it out perfectly here.

[C]ountries are engaging in offensive actions in cyberspace, with tools like Stuxnet and Flame.

Arms races stem from ignorance and fear: ignorance of the other side's capabilities, and fear that their capabilities are greater than yours. Once cyberweapons exist, there will be an impetus to use them. Both Stuxnet and Flame damaged networks other than their intended targets. Any military-inserted back doors in Internet systems make us more vulnerable to criminals and hackers. And it is only a matter of time before something big happens, perhaps by the rash actions of a low-level military officer, perhaps by a non-state actor, perhaps by accident. And if the target nation retaliates, we could find ourselves in a real cyberwar.

Richard Stallman and a growing cohort of technically minded people don't necessarily see a problem with exploiting security holes for political reasons, even if they acknowledge the potential for escalation and "collateral damage".

I find that... disturbing.


Wikipedia's latent research heaven!

Wikipedia

An excerpt from the Multiple sub-Nyquist sampling encoding article, under Cultural and geopolitical impacts:

One could say that without Hi-Vision, there would be no modern digital HDTV. There is some latent truth in this, but you must look back in time 20 years when Japan was the world's "consumer electronics research heaven".

I am a passionate Wikipedia article creator, contributor, template code writer and defender, but... I guess we can all afford a little downtime ;D


Goodbye blog comments!

Spam, spam, spam, spam, spam...

Given that a spam filter of mine recently passed the dubious milestone of its 6 millionth filtered spam comment, I've decided to do the unthinkable and disable comments entirely. Here's my logic!

It didn't used to be this way Smithers...

Back in the bad old days of blogging, we didn't have comment systems. My first site was run off a simple Perl CGI script I wrote, but even as I moved to RapidWeaver I still didn't have blog comments. I got around the problem by running a Vanilla Forums install, and linking to my posts. It worked reasonably well.

When I moved to WordPress in 2005, I suddenly had blog comments. I liked that the barrier to entry was lower than a forum; users didn't need to register for an account to post a comment, so the upshot was more people left comments. Some posts I've written, such as font smoothing on Snow Leopard and the Canadian Hinton Train disaster have spawned entire discussions with disparate people around the world.

Like so many technologies though, it didn't take the douchebags long to realise they could wreck it for the rest of us. I can't tell exactly when it started getting out of control, but in the last few years the amount of blog spam has exploded here. My combination of TanTanNoodle's Simple Spam Filter and Automattic's Akismet do as best a job as they can to stop the onslaught, but at this stage I feel as though I'm trying to stop a waterfall by holding out a sheet of newspaper.

Some statistics

  • Since 2008, TanTanNoodle's SimpleSpamFilter reports that it's blocked 6,131,412 comments. That's right, more than 6 million spam comments. As I said on Twitter, this is absurd!

  • Since 2005, Akismet reports that it has blocked 196,192 comments, missed 1,844, and had 22 false positives. The latter I suspect is optimistic, I'm sure plenty more legitimate ones have been lost.

  • WordPress reports 3,336 legitimate blog comments.

That graph shows why I'm not studying stats

So now I come to the inevitable question... is having comments on my blog worth it?

For the first time, I'm thinking not. With uni and family work consuming more of my time these days, I simply couldn't be bothered trawling through what's been caught in the hopes of finding a couple of legitimate comments. I'm tired of having my email inbox flooded with notifications of generic, bogus comments linking to dodgy websites.

While I'm at it, sites with public facing input forms are also harder to keep secure.

So what's the alternative? The more I think about it, the more I realise the alternative already exists, and people are using it. I get more comments from people on Twitter and the like than I ever got on my site here.

I'm also reminded of how blogging used to work, with trackbacks and the like. Before comment systems, if you wanted to comment on someone's post, you'd write a response post on your own blog and link back. Such was the promise of the early "blogosphere", a loose knit federation of writers with their own spaces. A bazaar rather than a cathedral, if you like.

So here we go!

I'm going to trial disabling the comment system on Rubenerd.com, and replacing the comment form with static HTML links for those who want to post to Delicious, Twitter and so on, along with the permalink (URL) for this page for those who want to respond on their own blogs. Like it used to be :).

If it works for John Gruber and the like, I'm hoping it'll work for me. It'll reduce my workload, the load on my server, and the number of plugins I need to keep updated. We'll see.


Hey you, read @jamiejakovBlog

My glorious friend and potential partner in crime Vadim has launched a blog. He's already beaten me in the number of new posts for this month, and we're only two days into it!

Love technology and anime (+some games like SSFIV:AE2012), that's what I'm mainly gonna blog about. I play the trumpet so you might see some music related stuff here too. Love swimming; hey you! yea you! Stop sitting at your computer all day and join me for a swim! Learning Japanese and very into Japan, so that will be a very trendy topic on this blog as well ;)

He has quite the thing for Kenny, who wears as much orange as he does! Grab his RSS feed before I break your dam. No wait, that was Stan and Cartman.


Followup to my Bitcoin post

My previous Bitcoin post drew some ire from those saying it was a viable alternative to the broken financial system. From Slashdot:

"A fortnight ago the Bitcoin financial website Bitcoinica was hacked and the hacker stole $87,000 worth of Bitcoins. At the time the owner promised that all users would have their Bitcoins and US dollars returned in full, but one of the site developers has just confirmed that they have no database backups."

So the alternative is to run a deflationary currency off vulnerable servers without database backups. Ah but the existing banking system gambles with our money too, so it's fine!