Dec 03 2013

Before those po-faced spoilsports start jumping up and down screaming that Christmas is supposed to be all about the baby jesus, let’s take a look at the origins of Christmas…

Turns out that it might not be an exclusively Christian thing after all – despite “his” name being right there in the name – as it seems there have been other religious festivals at around the same time of year. And long before Christianity.

After all, the Puritans did oppose Christmas as being too “pagan”. And there is a lesson to be learnt from the mistakes made during the English Civil War, however long ago it may have been: whilst the ultra-religious are perfectly free to believe that Christmas is all about religion, it is plain that the overwhelming majority of the population are more interested in the party aspect of Christmas.

No harm in that. There’s a lot to be said for having a party or two with friends, co-workers, and family in the “bleak mid-winter”. No reason to introduce any religious poppycock if that isn’t your thing.

But where did this notion of paganism in association with Christmas come from? It turns out that having a mid-winter festival has been popular for ages :-

  1. Yule is a Germanic mid-winter festival that has vestiges in our current celebration of Christmas such as the Yule log and probably the Christmas tree.
  2. Saturnalia was an ancient Roman festival in honour of the god Saturn marked with revelries and gift giving.
  3. The Winter Solstice has probably been “celebrated” as a brief time of plenty before the famine months of winter begin, for thousands of years. Holly, Ivy, Mistletoe are all aspects of Christmas with a potential pagan past.

There is a tradition that the date of Christmas was deliberately chosen to match the dates of existing religious festivals; whether this is true or not is almost irrelevant. What is almost certainly true is that the importance of the Christian festival of Christmas owes a great deal to earlier mid-winter festivals.

After all Christians are masters of the art of syncretism.

Dec 03 2013

People like me keep banging on about why the security of passwords is so important. We keep telling people they need strong passwords, when what people really want are easy to remember passwords. Of course we keep on saying the same message because not everyone pays any attention.

The truth is that it is possible, or at least partially possible, to have both strong passwords and relatively easy to remember ones. But first, why is it necessary at all?

The sad fact is that there are criminals out there; not spotty teenagers in basements having some sort of weird fun, but genuine criminals who want your account details for a variety of reasons. Organised crime has moved on from bathtub gin, bank robberies, and drugs, realising that (amongst other activities) computer crime can be quite profitable with a lower risk of being caught.

The most obvious accounts targeted by criminals are bank accounts – online access to your bank. Whilst they will target such accounts, criminals will also target the most innocuous accounts as well – your ISP account, or a work account. The lowest level of usage of a stolen account is to send spam; not in vast quantities but even several hundred spams sent in your name can really ruin your day.

And it will continue to have a less obvious negative effect over time – your email address will be less trusted by recipients if it has ever been used by a spammer. And of course that is the damage I know of. The criminals may use your account for other purposes.

In fact it is probable that any stolen account has a small but definite value on underground markets such as the Silk Road (or deeper and darker places).

And that is excluding the damage that criminals can more directly cause you by access to all the data contained within your account.

How Do Criminals Get Your Password?

So how do criminals get hold of account passwords? It turns out there are three main methods, and one is only useful in certain circumstances (and happens to be the most technical and so the most interesting to geeks).

Just Ask!

It may seem crazy, but probably the easiest method of obtaining account details is simply to ask for those details! The question is normally dressed up to confuse the situation so that it appears to be a legitimate organisation asking for the password. An email from your bank asking you to login via a provided link; an email from your IT support department asking for your password to increase your mail quota.

The defence against this is to never tell anyone your password. Your password is a method of demonstrating that you are yourself; if you give it away, you let other people pretend to be you.

Don’t do it.

Just Guess!

Some people use passwords so weak that they can be guessed relatively easily – or at least easily when the password guessing is scaled up. If a criminal has a 0.001% chance of guessing a password, but they try 1,000 different accounts with 10 different passwords at 1,000 different sites per day, they can expect to get 100 accounts a day!

The best defence against this sort of attack (for an individual) is to make sure you do not have a weak password – go for one that is long and strong (we’ll get to that later).

Password Cracking

The last method of getting account passwords is only possible with access to the password hashes which normally involves exploiting some kind of vulnerability. Once access to those hashes is obtained, it is possible to use a password cracking dictionary to generate a list of candidate passwords and calculate the password hash for each one. When the hash for a candidate password matches the hash of a real account, you know what the password is.

It shouldn’t be possible for a criminal to get access to password hashes, but they do get access to them on a regrettably frequent basis. In addition, it is not uncommon for password cracking to be used as the ultimate test of whether a password is “strong enough” – if it can be cracked with a reasonable level of resources, it is weak.

The best defence against this kind of attack is again to use a long and strong password.
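The hash-and-compare test described above is easy to see in a few lines of code, and so is the other half of the story from the defender’s side: why the way a site stores its hashes decides how expensive that test is. The example below is added here and is not code from the original post. All the data is constructed: a six-word stand-in for a cracking dictionary and three imaginary accounts, two of which share the weak password the post mentions later and one of which uses a multi-word passphrase. The PBKDF2 iteration count is an assumed work factor, not a recommendation from the post.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a cracking dictionary; real lists run to millions of entries.
DICTIONARY: List[str] = ["password", "123456", "trustno1", "letmein", "qwerty", "football"]

# Constructed accounts: two share a dictionary word, one uses a multi-word passphrase.
SAMPLE_PASSWORDS = {"alice": "trustno1", "bob": "trustno1", "carol": "four@blatter@pong@zoo@"}

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune upward as hardware gets faster


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: cheap, and identical for every account using the same password."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_test_fast(stored: Dict[str, str], dictionary: List[str]) -> Dict[str, Optional[str]]:
    """Hash each candidate once and look it up against every stored digest at the same time.

    `stored` maps account -> unsalted hex digest. Returns account -> matching candidate,
    or None where no candidate matched (the password survived this dictionary).
    """
    accounts_by_digest: Dict[str, List[str]] = {}
    for account, digest in stored.items():
        accounts_by_digest.setdefault(digest, []).append(account)
    result: Dict[str, Optional[str]] = {account: None for account in stored}
    for candidate in dictionary:
        for account in accounts_by_digest.get(fast_hash(candidate), []):
            result[account] = candidate
    return result


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the salt makes each account's digest unique, the
    iteration count makes each derivation deliberately expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def dictionary_test_slow(stored: Dict[str, Tuple[bytes, bytes]], dictionary: List[str]
                         ) -> Tuple[Dict[str, Optional[str]], int]:
    """Same test against salted, slow hashes. `stored` maps account -> (salt, derived key).

    Because of the salt, every candidate has to be re-derived for every account; the
    returned count of derivations is the attacker's cost and grows with accounts x words.
    """
    result: Dict[str, Optional[str]] = {}
    derivations = 0
    for account, (salt, key) in stored.items():
        result[account] = None
        for candidate in dictionary:
            derivations += 1
            if slow_hash(candidate, salt) == key:
                result[account] = candidate
                break
    return result, derivations


def demo() -> Tuple[Dict[str, Optional[str]], Dict[str, Optional[str]], int]:
    """Run both tests over the constructed accounts and return the results."""
    fast_store = {account: fast_hash(pw) for account, pw in SAMPLE_PASSWORDS.items()}
    fast_result = dictionary_test_fast(fast_store, DICTIONARY)

    slow_store = {}
    for account, pw in SAMPLE_PASSWORDS.items():
        salt = os.urandom(16)  # fresh random salt per account
        slow_store[account] = (salt, slow_hash(pw, salt))
    slow_result, derivations = dictionary_test_slow(slow_store, DICTIONARY)
    return fast_result, slow_result, derivations


if __name__ == "__main__":
    fast, slow, work = demo()
    print("unsalted SHA-256:", fast)
    print("salted PBKDF2:   ", slow, "after", work, "derivations")
```

Both tests recover the shared weak password and fail on the passphrase; the difference is cost. With unsalted SHA-256 the whole dictionary is hashed once and matched against every account in one pass, so adding accounts adds nothing to the work. With a per-account salt and a slow derivation the same six words cost twelve full derivations for three accounts, and that multiplication is what buys time for users whose passwords are merely decent rather than random.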

Long And Strong (And Memorable) Passwords

The best passwords are long and random, but very definitely not memorable – as an example, a typical random password might be Y2JkOGY3OTg0YzY1NGMyNTUxMmUzZDkyNDFhZTU2OWYgIC0K. Not the sort of password anyone would want to remember, although password stores such as LastPass allow the use of such passwords. Certainly worth investigating.

However, it still needs a master password, and there are other circumstances where passwords you have to remember are essential. In such cases memorable becomes a requirement, but we still need strong passwords.

For most of us, a memorable password is made up of dictionary words, yet we are often told that a word-based password (no matter how cleverly transformed it might be) is a weak password. It turns out to be correct for single word passwords, but multi-word passwords are still relatively strong. A lot weaker than truly random passwords of an equivalent length, but somewhat surprisingly a lot stronger than short truly random passwords.

The mathematics of this gets a bit hairy, so take it on trust – length is the most important factor in determining password strength with certain exceptions (a very long word isn’t strong no matter how long it is).

The XKCD Password strength comic

Stringing together a whole bunch of words may not seem the most sensible way to come up with a memorable password; in fact I’ve been using a five word password for many years, and at this point I can’t forget it! I would suggest though that the XKCD method can be strengthened a wee bit by adding a symbol between every word – pick a random symbol like “@”.

Now pick three to four “random” words, and string them together with your random symbol :-

${word 1}${symbol}${word 2}${symbol}${word 3}${symbol}${word 4}${symbol}

Becomes: four@blatter@pong@zoo@

One thing to watch out for – you should have at least one “unusual” word in the list of random words, and don’t have too many short words – the password trustno1 is a weak password!
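The template above, and the claim that a multi-word password beats a short random one while losing to a random one of the same length, can both be made concrete. The example below is added here and is not the post’s own code. It generates a passphrase exactly per the template using a CSPRNG, then puts numbers on the “hairy” mathematics: the entropy of n words drawn from a list of a given size with one randomly chosen separator symbol, against a uniformly random string over the 94 printable ASCII characters. The word list is a constructed eight-word stand-in so the code runs offline; the 7776-entry list size used in the comparison is the size of a Diceware list and an assumption on my part, not a figure from the post.

```python
import math
import secrets
import string

# Constructed toy wordlist so the example runs offline; a real list should have thousands
# of entries (a Diceware list has 7776) and include the 'unusual' words the post asks for.
WORDS = ["four", "blatter", "pong", "zoo", "lantern", "quartz", "marmot", "velvet"]
SYMBOLS = "@#%&*+-=!?"          # candidate separator symbols, one is picked at random
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def build_passphrase(words, symbol):
    """Apply the template: ${word 1}${symbol}${word 2}${symbol}...${word n}${symbol}."""
    return "".join(word + symbol for word in words)


def generate_passphrase(wordlist=WORDS, symbols=SYMBOLS, n_words=4):
    """Pick the separator once and each word independently, using a CSPRNG rather than
    a human's idea of 'random', so the strength estimate below actually applies."""
    symbol = secrets.choice(symbols)
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return build_passphrase(words, symbol)


def passphrase_bits(list_size, n_words, n_symbols):
    """Entropy of the template: n_words independent draws from list_size, plus the single
    symbol draw. The symbol repeats, so it contributes log2(n_symbols) once, not per gap."""
    return n_words * math.log2(list_size) + math.log2(n_symbols)


def random_password_bits(length, alphabet_size=len(PRINTABLE)):
    """Entropy of a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


def equivalent_random_length(bits, alphabet_size=len(PRINTABLE)):
    """Shortest uniformly random printable password at least as strong as `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))


def compare(list_size=7776, n_words=4, n_symbols=len(SYMBOLS), avg_word_len=6):
    """Return (passphrase bits, typical passphrase length, random bits at that same length,
    random length with equal strength) so the trade-off in the post can be read off."""
    bits = passphrase_bits(list_size, n_words, n_symbols)
    phrase_len = n_words * (avg_word_len + 1)   # each word followed by the symbol
    return bits, phrase_len, random_password_bits(phrase_len), equivalent_random_length(bits)


if __name__ == "__main__":
    print("generated:", generate_passphrase())
    bits, phrase_len, same_len_random_bits, eq_len = compare()
    print(f"4 words from 7776 + symbol: {bits:.1f} bits, about {phrase_len} chars")
    print(f"random string of {phrase_len} chars: {same_len_random_bits:.1f} bits")
    print(f"random string with equal strength: {eq_len} chars")
```

Four words from a 7776-word list plus one of ten symbols come to about 55 bits, which is roughly a 9-character random printable password; a random string as long as the passphrase itself (about 28 characters) would be over 180 bits. That is the post’s claim in numbers. The same function applied to the toy eight-word list gives only about 15 bits, which is the quantitative form of the warning about short, common words: the strength comes from how many words you could have picked, not from how many you did.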

Nov 18 2013

Today the news comes that Google and Microsoft have agreed to block child abuse images. Great!

Anyone reading (or watching) the news story could be forgiven for thinking that this will solve the problem of child abuse images on the Internet, but that won’t happen. What Microsoft and Google have done is a tiny increment on what they were already doing – instead of just excluding hosts given to them by the Internet Watch Foundation, they are also going to ‘clean up’ the search results for certain searches.

It isn’t blocking child abuse images. The search companies can’t do that; anyone who thinks so needs to go and learn a bit more about the Internet, and that includes the government. Who have of course come out of their rabbit hutch spitting lettuce leaves everywhere, saying that if this action by the search companies isn’t effective they’ll legislate.

Which is just about the clearest evidence so far that the government is completely clueless when it comes to technology; obviously Eton’s reputation is overstated when it comes to technology education.

People tend to think of child abuse images as being a little bit like anything else you browse to on the Internet – you just search for it, and up it pops. I haven’t tried, but I suspect what you would get is a large number of pages like this one – talking about child abuse images in some way, but no real images. Undoubtedly there are some really dumb child pornographers out there who stick up their filth on ordinary web servers, where they’ll quickly get indexed by the search engines and some law enforcement bods will come pounding on the door.

However the biggest area of child abuse image distribution is likely to be one of the variety of ‘stealth’ Internets … the ‘dark nets’, or ‘deep web’.

The latter are web sites that cannot be indexed by the search engines for various reasons – password protection, links have never been published, etc. These would be the choice of the not quite so dumb child pornographer.

The former are harder to find – they are roughly analogous to peer-to-peer file sharing networks such as Bittorrent which is widely used for sharing copyrighted material (films, music, etc.). But ‘friend to friend’ file sharing networks are private and not public; you need an invitation to join one. This is where the intelligent child pornographer lurks.

And all the hot air we’ve heard from the government so far is going to do pretty much bugger all about the really serious stuff. If you are a clueless politician reading this, get a clue and ask someone with half a brain cell about this stuff. And don’t invent half-arsed measures before asking someone with a clue about whether they’re likely to be effective or not.

Nov 17 2013

Today there has been a bit of a “discussion” on the age of consent thanks to a suggestion from Professor John Aston that we should perhaps consider lowering the age of consent to 15 in the light of just how many young people indulge in illegal acts. The government, in a classic demonstration of woolly thinking, has ruled this out.

But there’s no harm in having the discussion … and I’d be perfectly happy if the age of consent were raised to 18, or even 30!

The trouble with a simplistic age of consent barrier is that it criminalises consensual sexual activity between two teenagers; to the extent that they could find themselves on the sex offenders register. As adults we could brand the behaviour of such teenagers as irresponsible, and immature, but criminal? That seems a bit extreme.

Simply lowering the age of consent to puberty – when a child becomes an adult in physical terms – is also wrong as it leaves those teenagers open to exploitation by sexual predators.

What seems sensible is to adopt measures similar to Sweden’s where an age of consent is a fuzzier thing. Let us pick an age – such as 18 – as the age of consent, but where either participant is under that age of consent, then the act is only criminal where the other party is more than 2 years older.

One other thing that struck me about the discussion in the media today – there is a wide assumption that the only sexual predators hunting young people are men. Yet there are female abusers, and by casual assumptions we are making it harder for the victims of female abusers to come forward.