Category Archives: Security

Better change your passwords


Seriously. I’m not just telling you this because it’s World Password Day (it is, though, and I don’t know what Betty White has to do with anything). I’m saying it because it has come out that a security pro at Hold Security discovered an absolutely massive theft of usernames and passwords: about 272 million stolen credentials in total, roughly 57 million of them for accounts at Russia’s largest email provider, mail.ru. Not only that, the rest were credentials stolen from Gmail, Hotmail, and Yahoo account holders. Incidentally, many reports are saying ‘Microsoft’ instead of ‘Hotmail,’ which is a Microsoft property, but they also have Outlook which hasn’t, as far as I can figure out, been hit.

Most surprising of all, even more than the fact that this is one of the largest thefts of electronic records in history, is that the teenage hacker who acquired them was willing to sell the whole multi-hundreds-of-millions record lot for the grand sum of $1. But wait, there’s more! The hacker was discovered by bragging about the theft on an online hacking forum, and when the Hold Security employee who engaged him offered to leave positive feedback for the hacker, the price was dropped to free. That’s right, free for the mere quid pro quo of a positive review.

Off topic, but that touches on the concept of what is known as the reputation economy, in which someone’s actual worth depends on what others say about them in public and think about them in private. You can read more about it here.

It’s no secret people use bad passwords all the time, and reuse them over and over for multiple functions and sites. Don’t do that! Use a passphrase – in class just today, my students suggested ‘sheturnedmeintoanewt,’ a line from Monty Python and the Holy Grail, which turns out to be a pretty good passphrase. It’s long, complex, yet easy to remember. Plus, it would take 16 BILLION years to crack! How do I know? Because we plugged it into howsecureismypassword.net, and that was its estimate. Even if it’s off by a billion years or so, that’s still pretty good. If we capitalize just one letter, the ‘n’ in newt, it jumps up to 17 quadrillion years. That millionfold jump is just arithmetic: adding uppercase doubles the alphabet at every one of the twenty positions, and 2 to the 20th is about a million. Two caveats, though. The estimate assumes an attacker brute-forcing every string of that length and character set at a fixed guess rate; an attacker who tries famous movie quotes and song lyrics first, which real cracking wordlists do, will get through a well-known Monty Python line far sooner, so a phrase nobody else has said, or several unrelated random words, is safer than a quotation. And don’t type a password you actually use into any third-party site; test something of the same length and composition instead. This isn’t the be-all end-all for accurately determining password strength, but it’s a good estimator.

Pretty secure


If you’d like to use a different password for each site or service, but are worried about keeping track of them all, you can use a password manager like KeePass to manage them all. Some password managers even enter the passwords for you. I don’t know how I feel about that personally, but it is easier. Beware, password managers have a master password, and if you lose or forget that, you are screwed – you’ll be resetting passwords forever. So the one password you do have to memorize should be a long passphrase of the kind described above, and it should be used nowhere else.

Everyone knows I hate passwords and especially the policies that go along with them, and I hope the scourge of passwords is one we can raze from this earth in the very near future, replaced with something more robust – but not 100% foolproof – like biometrics (fingerprint scanners, for example). Until then, just remember: It’s only a flesh wound.

I don’t know why I bother


SplashData has, as they are wont to annually do, released their list of the worst passwords of 2015. Definitely look at the link, there’s a lot of additional information there regarding how dumb we are when it comes to this. Want to take a guess which terrible password takes the top spot? That’s right, 123456. Anyone surprised? Anyone? No? Frankly, if that’s your password, you deserve whatever happens. It isn’t alone, either: other number-based passwords made the list as well, including 12345678 and 123456789. Other idiotic passwords include qwertyuiop, login, and passw0rd. That last one is especially offensive, as though the person thinks they are pulling a fast one by having a zero instead of an o. Every cracking tool tries those substitutions as a matter of course, so they’re in for an unpleasant surprise.

I used a different header image than I had originally intended, one that showed the bad passwords from 2014. They’re generally the same as this year’s, so I ended up not going with it because it was redundant considering the list below, but the original version of this post still referenced it. So I made a fun edit, and instead found the Facebook post used in the header which, although I sincerely hope it’s fake (really, very much hope it is fake), shows how gullible people can be. If it’s real, I wouldn’t be at all surprised. Now hold on while I allow a Nigerian prince access to my bank account.

There are some passwords on the list that are less offensive, as though the person tried, including dragon and starwars, but geez oh man, at least throw a capital letter or exclamation point or something in there, even the passw0rd people up above did that. If you really need to make a strong password, remember a sequence of at least four random words is the best alternative, and hopefully one day passwords will go the way of the dinosaurs and disco (although I do love disco), and we can switch to things like biometrics full time. Here’s the full list, pasted from Cnet:

1 – 123456 (unchanged from 2014)
2 – password (unchanged)
3 – 12345678 (up 1)
4 – qwerty (up 1)
5 – 12345 (down 2)
6 – 123456789 (unchanged)
7 – football (up 3)
8 – 1234 (down 1)
9 – 1234567 (up 2)
10 – baseball (down 2)
11 – welcome (new)
12 – 1234567890 (new)
13 – abc123 (up 1)
14 – 111111 (up 1)
15 – 1qaz2wsx (new)
16 – dragon (down 7)
17 – master (up 2)
18 – monkey (down 6)
19 – letmein (down 6)
20 – login (new)
21 – princess (new)
22 – qwertyuiop (new)
23 – solo (new)
24 – passw0rd (new)
25 – starwars (new)

Incidentally, if you think you have a pretty robust password, and want to test if you really have the goods, you can go to howsecureismypassword.net and see. The site is legitimate, I promise, it’s not stealing your credentials or anything like that, and it will show you how strong your password really is. Two things to keep in mind, though: the safe habit is to never type a live password into any third-party page, so test one of the same shape and composition rather than the real thing; and the figure it gives is a brute-force estimate, which says nothing about whether your password sits in a wordlist like the one above. Here’s mine – I’ve got the process down.
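Both the strength estimate for ‘sheturnedmeintoanewt’ in the post above and the worst-passwords list come down to the same question: what does the attacker already know? The following is an added example, written for this page and not taken from the original post, from SplashData, or from howsecureismypassword.net. It does the check a login form should actually run, rejecting anything on a denylist after folding case and undoing leet substitutions so that passw0rd and Passw0rd! both count as password, and then shows how the same passphrase scores under a brute-force model versus a wordlist model. The denylist is the 2015 list quoted above plus a constructed stand-in for the quote and lyric lists real cracking rigs carry; the 10,000-word dictionary size and the 10 billion guesses per second offline rate are assumptions, not measurements.

```python
"""Denylist check plus guess-count estimates under different attacker models.
Added example for this page; not code from the original post."""
import math
import re

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The SplashData 2015 list as quoted in the post.
WORST_2015 = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey", "letmein",
    "login", "princess", "qwertyuiop", "solo", "passw0rd", "starwars",
]

# Constructed stand-in for the famous-quote and song-lyric wordlists that
# cracking tools ship with. A real one has millions of entries.
KNOWN_PHRASES = [
    "sheturnedmeintoanewt", "maytheforcebewithyou", "itsonlyafleshwound",
]

# Common leet substitutions, undone before comparison.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw):
    """Fold case, undo leet, drop punctuation: 'Passw0rd!' -> 'password'.
    Applied to both the candidate and the list entries, so the comparison
    is symmetric."""
    return re.sub(r"[^a-z0-9]", "", pw.lower().translate(LEET))


def denylisted(pw, lists=(WORST_2015, KNOWN_PHRASES)):
    """True if the candidate is a trivial variant of any denylisted entry."""
    norm = normalize(pw)
    return any(norm == normalize(entry) for lst in lists for entry in lst)


def charset_size(pw):
    """Alphabet a brute-force estimator assumes: union of the classes present."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII symbols
    return size


def brute_force_bits(pw):
    """log2(charset ** length): what a howsecureismypassword-style estimator
    is really computing. Empty input has no search space."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def wordlist_bits(word_count, dictionary_size=10_000):
    """Attacker who knows the password is a run of common words and guesses
    dictionary_size ** word_count combinations (assumed dictionary size)."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Time to search the whole space. 1e10/s is an assumed offline rate
    for a fast hash on a GPU rig; a rate-limited online login is many
    orders of magnitude slower."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def assess(pw, word_count=None):
    """Denylist verdict plus estimates; word_count, if given, enables the
    wordlist model (the caller knows how the phrase was built)."""
    bf = brute_force_bits(pw)
    out = {"denylisted": denylisted(pw), "brute_force_bits": bf,
           "brute_force_years": years_to_exhaust(bf)}
    if word_count is not None:
        wl = wordlist_bits(word_count)
        out["wordlist_bits"] = wl
        out["wordlist_years"] = years_to_exhaust(wl)
    return out


if __name__ == "__main__":
    for candidate, words in (("Passw0rd!", None), ("123456", None),
                             ("sheturnedmeintoanewt", 6),
                             ("sheturnedmeintoaNewt", 6),
                             ("cobblerlanternfifthviolet", 4)):
        print(candidate, assess(candidate, words))
```

The famous quote is denylisted outright, which is the honest verdict: its 94 bits of brute-force space and its 80-bit wordlist score are both irrelevant once the phrase itself is on a list. Capitalizing the n adds exactly 20 bits, the millionfold jump the post observed. The four unrelated words at the end pass the denylist and still score well under both models, which is why random words beat quotations.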

That's right


The Ogre-Faced spider of drones

Ogre-faced spider

As many of you know, I considered going to grad school for biology, specifically because I wanted to investigate the cognitive capabilities of spiders. I believed there were certain species of spider that had the genuine ability to think and plan out strategy, and although I decided to pursue another path, I would also like to note that I have since been proven right. I knew it all along. Not all of them have the ability to think, of course, in fact I frequently use the example of a black widow and her behavior to illustrate concepts in artificial intelligence, specifically to define what is and isn’t intelligence.

So if you take a look at the lovely lady in the header image, you’ll see a spider that is unique in many ways, not the least of which is that it has two different and distinct colloquial names – one based on her appearance, and one based on her behavior. That’s unusual in the insect kingdom (spiders are arachnids, not insects, and it isn’t really a kingdom in the biological sense either, but you know what I mean). Her first name is the ogre-faced spider, for reasons I think are pretty obvious. Her other name, however, is the one we’re concerned with, and it describes not just her behavior but what I believe is at least a low-level ability to cogitate: the net-casting spider.

Net-casting spider in action


That’s right! This spider makes a net, waits for some unsuspecting bug to mosey underneath, then not only traps the bug in the net, but will expand the net to fit the bug if necessary, or in some cases allow the bug to pass if she feels it will put up too much of a fight. And people say spiders can’t think. Or maybe they don’t say that, but if they do, they shouldn’t.

So why all the talk of spiders that can do the thinky thinky? Well, besides the fact that I use spider cognition – insofar as it exists – to explain artificial intelligence concepts, the net-casting spider is also the first thing I thought of when I saw this post over at Engadget: it turns out students at Michigan Tech are developing a drone that, just like the net-casting spider, can throw out a net to catch other drones in midair! How badass is that? Here’s the gif, borrowed from Engadget’s post:

Dronecatcher


The designers call it ‘Robotic Falconry,’ which makes perfect sense if you’ve ever seen a falcon hunt; they often pluck their prey, if it’s a bird, out of midair. The rogue drone, as it were, is similarly plucked right out of the air via net and hauled away, helpless, to someplace for…well, I’ll say tea and cake, but more likely disassembly.

I like this idea. It seems a less-lethal way of dealing with a rogue drone. If you think that perhaps this is addressing an issue that isn’t a real problem, you might want to read this post from Ars Technica. We don’t want to see anyone get hurt, and this guy was ready to do it. There’s a fascinating follow-up to that whole thing as well that could set law and policy about drones and would necessarily be very wide-ranging, covering ownership, privacy, property, and how all these things interact and overlap where drones are concerned. Additionally, as Engadget’s post also points out, Japan is testing a net-casting drone because shooting them down could be harmful if they are loaded with a dangerous substance, a problem they’ve already had to deal with.

This could all be focused into something productive, though. What we REALLY need is some kind of gladiatorial drone-combat sport thing – that would be fun to watch. Just like the BattleBots competitions they have, drone wars could become a real thing. A real, exciting thing. Drones with nets, drones with lasers, drones that shoot flames and crash into each other. I’d watch that.