Monday, August 1, 2016

Do You Even Password?

As an industry it is time to admit to ourselves that we are terrible at providing a user experience that is simultaneously easy to use and secure.

This kind of nonsense needs to stop:
Your new password must have:
        maximum of x repeated characters
        minimum of y alphabetic character
        minimum of z upper case alphabetic character
        minimum of n non-alphabetic character
        minimum of p digit
        minimum of q special character
        minimum of r characters in length

First of all - this might at first sound like a simple question: Why is the program that I am using to set my password able to read my password?

Huh?  Because you typed the password into it?  No, that requires the program to store the password, not to read it.  The reading part is only necessary to perform analysis on the password in order to determine if it adheres to all of the rules and if not to be able to report back which are violated.

Without that analytical step the next action typically taken is to feed the stored password to a one-way cryptographic hashing algorithm which produces the output that it typically stored in a user directory.  How this works is that when someone tries to use the credential for authentication - they enter their password, which is hashed & the result is compared with the stored result.  In this way the original password is kept secret & never accessed by anything by the hashing routine. 

The analytical step however does read the password which introduces a new potential vulnerability if that verification code or the memory that it uses is co-opted.

So why are we doing this?

Users have tendencies to use overly simplistic & easy to remember (or intentionally easy to guess) passwords rather than invest the effort in to memorizing more complicated ones.  This weakens the effectiveness of the hash code scheme as a protective measure.  Thus these rules are put in place to force users to choose passwords that are more difficult to guess.

How do you break hash codes or make them less effective?

If your password is set to "secret" then the hashing algorithm will produce a particular result stored for your account.  If I also use "secret" as my credential then an identical hash code will be stored in my account.  If I know one password then I know them both. 

People have run common hashing routines using dictionaries as input to produce what are called "rainbow tables" that list the hash codes for every word in most common languages.  That makes it easy to look up the most commonly used passwords.

So what else could we could instead?

If the point of the rules is to produce passwords that don't exist in any rainbow tables - why not employ actual rainbow tables into the solution?

How would that look?  Rather than a long list of rules to adhere to instead provide a single admonishment: "Choose a difficult to guess password."  Then whatever they enter is immediately hashed.  Thereafter however the hashed value is then analyzed to see if it can be cracked with a rainbow table.  If so - then the user is informed of this & required to change their password.

The advantage of this approach is that as the tables grow over time & more hashcodes are cracked over time existing users will be warned and protected.  It doesn't have to stop merely at the login/setup process.

The downside is having to maintain, generate & augment local rainbow tables.

This is one idea.  Do you have a better one?  I'd love to hear about it.

Tuesday, September 1, 2015

Getting Around to Things

I find that the most difficult thing about being productive is Consistency.  I am extremely flighty with my attention.  I get excited & ramped up about things very easily.  I revel in the Raw Potential of things.

I will find myself down for the marathon investment of time to get something bootstrapped & running and I will gleefully throw myself into new endeavors this way.

The problem comes when the neat nifty newness wears off & I find myself level-grinding to keep things going.  My momentum - which I dumped so much energy into in order to fight the inertia that keeps things from starting to begin with - peters out - along with my interest level.

To combat this - I try to compartmentalize projects and to keep several of them going at any given time.  This was when I find myself fed up with something there are many other shiny things to compete for my attention - all of which require time, effort & attention and which would be productive to work on.

So I suppose that I work cyclically.

At this time I have finally circled back to Python and web2py.

That being said I found it extremely interesting to learn that web2py will run on Jython.

I have no idea what the performance is like. 
Would it run comparably to C-based-Python? 
What are the implications for hosting?

What is compelling about this is the ability to leverage existing Java libraries which are themselves inherently more performant than Python equivalents.  Since I write a lot of Java & am still gaining confidence in Python - this provides me with emotional security.  The question is - at what cost?  Performance of Python code is likely to take a hit and hosting costs will undoubtedly go UP significantly.

Just what is the acceptable price tag for my feelz?


Monday, April 27, 2015

#nerdshaming SUCKS

The Cultural Appropriation of Nerds is going strong and frankly it stings.
 
40 years ago I started going to public school and was harassed and beaten down verbally, emotionally, and yes - physically on a constant basis for being a nerd.

I was belittled for being obsessed with things that no one else cared about (Computers, for example) and regularly called out in the open for throwing the grading curve.

So nowadays when I see people affecting "Nerdy" things based on stereotypes perpetuated by shows like Big Bang Theory or Portlandia I see people "trying to be cool".  (And that's called "Cultural Appropriation" when some people do it)
 
Much like racial slurs that have been reclaimed & worn like a badge "Nerd Culture" is a defense mechanism against "The Norms" whom have beaten us down & locked us out and now that the societal value of nerds has been proven, those same "Norms" want to raid the cupboards and claim ownership of what they once ostracized.

Allow me to level-set with this anecdote: I dressed as Wolverine for Halloween in Junior High - and No One Knew Who I Was Supposed To Be.  (They just knew that those claws I made in metal shop should get me suspended)


I was the (now) "infamous" cis-white skinny male who "couldn't get laid in a whorehouse with $100 bill hanging out of my fly."
 
So I ended up huddled defensively at That Table in the lunchroom with all of the other people who took such crap regularly.

I can't imagine what that experience was like for girls - because none ever spoke to us except to put us down.

The exception that I remember was the "Big Win" of being asked to the Sadie Hawkins dance!

But of course what I didn't know what that I was "settled on" so that the girl wouldn't have to deal with the shame of going alone.
 
I got eyerolls from her from the minute I showed up (with my mother driving) to pick her up.

And as soon as we walked in the gym where the dance was held, she ditched me & ran over to her friends where she stayed the entire time & they all made sure to let me know I wasn't welcome.

I honestly don't even remember if I brought her home or not. (I think that she just ditched me)  I just remember awkwardly standing around by myself the whole time - just like every other day.
I felt worthless and used.

Since I don't recall ever seeing "girl nerds" clump together in groups I don't know if there was such a group - so I can only guess that such an existence would have been an even more lonely one than mine.

All that I remember was that Girls Hated Nerds and if you wanted to ever get a date - you needed to lock away anything about yourself that resembled that and keep it hidden.

My way out of social ostracization was music.  Acid Rock & Heavy Metal were "cool" back then & by learning to play bass & wearing a denim or leather jacket suddenly I wasn't seen as a nerd anymore.  "Burnouts" were much higher on the social pecking order.  (see The Breakfast Club for reference)  But of course I still had to hide the nerdiness from the Other Burnouts - who remembered me for what I really was & wanted nothing to do with me unless I "got cool".  (Which included also hiding any interest in "New Wave" music, incidentally)

Fast forward to today - where 'many' modern feminists have picked up the old habit of nerdshaming by labeling a group that already has massive social anxiety - who might have been slowly gaining mainstream acceptance (by way of providing tech-support) and then branding them as misogynists with a wide brush.

As I understand it the label was earned at comics and video game conventions when vendors started hiring "booth babes" i.e. attractive women dressed in costumes to attract the attention of a demographic desperate for female interaction.  There they were - actually paid to talk to them...  And what do those nerds pick as a subject to talk about?  Why their costumes of course!  And when those actresses failed to have the background material on whomever they were portraying -- the nerds reacted to being "played" with hostility.

That such hostility spilled over onto the other females at such conventions is, I agree, wrong.  But the idea of establishing a nerdy pecking order based on how many obscure facts that you know about a given subject is not something with which only female nerds have to endure.  That is universal treatment that we all do to each other since what other currency is there in such a culture except knowing obscure things?

Such super-fan mentalities extend to everything.  I can clearly remember school-bus crucibles where I needed to be able to name Van Halen or Led Zeppelin songs that weren't hits to prove that I was in fact a True Scotsman and thus prove myself worthy of acceptance.  If you are not a sports fan & ever speak to one, you will no doubt have had a similar experience.

In the spirit of No True Nerds - I will offer these simple missives:
  1. The cis-hetero-male-nerds that I have known did not hate women (& thus by definition are not misogynists) but they have been mistreated by women (girls actually, but the distinction invites more arguments) and so are wary of being further mistreated.  This added to the endemic lack of socialization skills/inclination makes them walking disasters waiting to happen & perhaps worthy of a molecule or two of compassion/understanding/help/lending a clue.
  2. If you find yourself in the group that I am talking about - today is the best time in history to be a nerd.  Bullying is actually taken seriously when you ask for help.  (I actually switched classes to avoid bullies several times) And physical abuse is no longer tolerated.  I will take a Tweet-storm over an actual pummeling any day.  So don't take it out on other people and at least try to learn some social skills.  They will only make your life easier.
  3. Using a computer a lot doesn't make you a Nerd.  Liking movies based on comic books or watching Star Trek/Wars doesn't make you a Nerd.  Thick glasses that you wear by choice don't make you a Nerd.  If you haven't been abused for liking unpopular things - you aren't a Nerd.  A "nerd" is not something that anyone wants to be - but when you wake up with that Albatross around your neck - the only thing to do is to own it.  So let the nerds be & go be whatever you are.
And to make one last distinction - I never wanted to wear "Nerd" as a label.  I settled for "Geek" - because "Paid Geek" is a term that garnished some modicum of respect.  And if you think that the term "Nerd" has lost all of it's teeth today - then substitute the word "Dork" and re-read to get the spirit of what I am trying to convey.

In closing, feel free to shit on my story.  I'm an adult now and I can take it.  But don't for one minute assume that reliving & talking about this wasn't painful.  I do not want other people to have to live through that.

Wednesday, March 11, 2015

!2Swift: Catch A Rising Star

According to Tiobe, Swift's popularity is on the rise.

Ruby has slipped a notch to #18 & Swift has risen to #17.

To put this in perspective, ObjectiveC is currently #3 behind C & Java.

To further put this in perspective, Swift ranks just below R, Transact-SQL, PL/SQL, Pascal, & Delphi/Object Pascal.

Coming into the community at this point is somewhat surreal.  There are a lot of grizzled ObjectiveC veterans who are grumbling about having to get on the learning curve again.

I see them as whiners - mostly because I am jealous of their experience and knowledge of the Cocoa and Foundation frameworks which I am struggling to come to terms with from a Swift-only perspective.  To me, they already understand the hard parts of app development.  Syntax-wrangling is just a way to keep things interesting.

But then I suppose that the mindsets are very different.  Objective C is a product of the 1980's and it shows.  Java was more of a 1990's mindset.  Looking backwards through the lens of time that doesn't see like very much of a difference numerically but from a technical viewpoint they are very different indeed.

Friday, March 6, 2015

When Politics Chooses You

I have waited a long time to comment on this topic because it is explosive and people generally prefer to react than to Think or to scream rather than to Debate.

I mention it now because it is directly relevant to the IT Industry and further has growing relevancy in many facets of modern culture.

I have plotted the arc of hashtag-activism and the impact of Modern Feminism for a few years now: from #elevatorgate to #gamergate to #metalgate there has been a repeated pattern of behavior that results in conflict.

How I characterize that behavior dictates what side of the battle I am on so I am going to try to avoid the logical fallacy that there are only two sides for as long as I can.

What makes this relevant to the IT industry is the Ellen Pao case.

Though it was filed in 2012 the day to day reports are seen through the lens of current controversy.

It by no means mediates the situation that the plaintiff in the case is the current CEO of Reddit.  I am truly interested in the profile of the selected jurors and what the composition of the rocks that they were living under so that they are unaffected by that fact.

What is clear to me throughout is that ideologues are speaking past each other & there is not much in the way of resolution. Court cases however eventually end & thus force closure.

While I by no means expect activism to end - legal precedents have a way of setting a tone for future discussion.

A safe prediction is that no matter which way the lawsuit goes there will be a #backlash campaign of some sort and a #backlashResponse counter-campaign that will seek to discredit the first - and people will retreat to their corners to reload their trebuchets with fresh dogma to launch on Twitter.

I find it all too unfortunate that part of this case revolves around a broken monogamous relationship and a love-polygon.  That raises a Fog Of War that makes it more difficult to focus on the core legal issue : "Was there systemic sexism?"

From the perspective of a lawyer - it would be better to have more clear-cut examples when trying to establish legal precedent.

Without casting judgement on the involved parties - part of the beginning of #gamergate involved a story about a love-polygon - which only poured accelerant onto a heat-source.  It is my opinion that this was not helpful at all when trying to focus on Issues.

What people choose to do in their love-lives should be their own business.  Full stop.

That being said - there are still limits - for example when you trade sex as a commodity for favor - a recurring theme in the news.

So how do we deal with that reasonably?  If people's sex lives are their own then how do we make sure that no "funny business" is going on trading favors of one kind for another?

It would appear that in the modern age, not everything that is old-fashioned is obsolete.

The traditional answer was not to have anything to do with each other thereby removing the potential appearance of an improper relationship.  Therein lies the heart of Victorian Values - the relishing of appearances.

Unfortunately there was a lot of "turning away" from human beings in an effort to keep up appearances at that time and so we don't look back so fondly on that sort of pretentious behavior anymore.  However, in small doses a little prudence can go a long way.

You will notice that I am still walking the tightrope of not calling people out nor taking sides.

For now I will cleave to the loneliest path - right down the middle - swatting away opportunities to form an opinion in the way that a Buddhist monk swats away stray thoughts while meditating.

They are only distractions that keep us away from The Truth:
We all live in the same world & must continue find the optimal ways to get along with each other.

These are Trigger Issues and even mentioning them raises the risk of conflict.  I have had this happen already with friends of mine who immediately went into ears-closed-mouth-yelling mode.  So do be careful.

Tuesday, January 20, 2015

Give Up The func

There is a Thing about learning new languages - it tends to make you Think Differently.

I've written a lot of perl and Java over the years & so it took me a while to get the whole Functional Programming thing...

It basically took me learning Swift.

That being said - I don't write Swift code for a living.

As a result there strange new ideas have been seeping out into my perl & Java code.

I recently found myself, for example, emulating functional programming in Java by using an Enum as a return-type which would trigger a variety of different methods with a switch statement.  

Each different element of the Enum is treated as a case inside the switch.  

Then for the last line of the switch I added:
throw new AssertionError(this.name());

Which is essentially the compiler saying "WTF?"...

Admittedly this is, at best, a very weak example of Functional Programming - but I'm not here to demonstrate the Java implementation of a Closure - others have done that far better than I could.

The point of this is that simply that rather than limiting myself to the constraints of managing a return-type - that type itself might reflect a relationship to varied behavior.

Does that mean that we can pass around references to functions?  Not exactly, but usually what you are trying to accomplish can still be done with some code contortionism.

Loose functions are simply methods in Java so an Enum of triggers could fire cases in a switch, all of which behave differently & call various methods.

Depending on what data those methods need to access dictates if they are Class methods or if you need to define a Class to generate object instances.
 




Wednesday, January 14, 2015

Old Dog Learns New Trick: The NCO

While learning Swift I came across something to which I was not accustomed: the Nil Coalescing Operator.


For example:
optionalValue ?? valueIfNil

Which more or less translates to: "The value of optionalValue unless it isn't defined, in which case default to valueIfNil"

Usually this would be written as:
(optionalValue != nil) ? optionalValue! : valueIfNil;

I liked what I saw & looked into it and to my surprise it also exists in perl as the Null Coalescing Operator / Logical Defined-Or operator.

In perl the above example is rewritten as:

$optional_value // $value_if_null

Which is in turn shorthand for:
defined($optional_value) ? $optional_value : $value_if_null

However there is more - because in perl there is a shorthand notation for this:
$optional_value //= $value_if_null
  
Which is the equivalent of:
$optional_value = $optional_value // $value_if_null