Blog

  • Remembering Steve Jobs

    Today was the day we learned that Steve Jobs died. This is of course massive news within the technology industry as Steve Jobs has been such an important player in the industry since the beginning of the personal computer revolution (long before the iPod and all the other iThingies). As with everyone who dies, my sympathy goes out to anyone who knew him.

    The reaction has been … interesting. Amongst the other compliments he has been called a great innovator, which to those who observe the industry closely seems a touch inaccurate. There are plenty of things that Steve Jobs was – he was a great businessman who not only built up Apple in the first place, but returned to rescue it from obscurity (and possibly saving it).

    He had the ability to take innovations and introduce them to the mass market – he could somehow lead his engineers into producing usable mass-market products. But without meaning to criticise he was not as much of an innovator as is sometimes made out to be.

    Looking through the history of the products he brought to the mass-market …

    Apple I & Apple II

    Neither of these were truly original. The Apple I was one of the first personal computers that were available fully assembled, but it was not the first. The basic concept of the personal computer released as a product can be traced to the IBM 5100 (1975) or the HP 9830 (1972). These may have been a lot more expensive but were probably more successful than the Apple I which only sold about 200.

    The Apple II was a good deal more successful – probably the closest to a dominant personal computer around before the original IBM PC took off, but was no more truly original. For instance amongst the hordes of similar personal computers around at the time, there was the quite close Commodore PET (which was admittedly somewhat less expandable).

    And the least said about the Apple III, the better!

    The Macintosh

    Most people assume that the Macintosh was the first computer with a graphical user interface, but it was not even the first from Apple themselves! They brought out the somewhat less successful (and very expensive) Lisa first. The first GUI computer was the Xerox Alto first built in 1973 – before Apple even existed! Admittedly this was never a commercial product, but Xerox did eventually launch a commercial workstation based on this early experiment – the Xerox Star, in 1981. That’s still 2 years before the Macintosh.

    The Macintosh did however bring the graphical user interface to a mass audience even if the first Macintosh computers were more than a little constrained by lack of memory (128Kbytes anyone?).

    The iPod

    After a few successful years with the Macintosh (and having ditched Steve Jobs in 1985), Apple started to go downhill. Until Steve Jobs returned, and helped to turn the company around with the launch of Macintoshes that were better designed in terms of styling. Although he was probably right to kill it off, he also did something interesting on his return – he killed the Newton product line which although it was not really recognised at the time, was actually Apple’s first slate computer (it was marketed as a PDA but with a much bigger screen than most PDAs).

    But the next big thing was the launch of  the music player that nearly everyone has tried at one time or another – the iPod. Again to disappoint the reflex Apple fans, this was not a massive innovation from Apple – there were portable digital music players launched before this. Such as the music player (with a somewhat limited capacity of 3.5 minutes!) envisaged by Kane Kramer way back in 1979 (and patented in the UK in 1981). Apple even hired him when they were facing patent litigation over the iPod.

    Altogether there were five different music players launched in the market before Apple took a hand. But of course Apple made it easy enough for the man in the street to use.

    The iPhone

    The iPhone was an interesting product – a “smartphone” (it might have been more accurate to call it a featurephone) that on the basis of pure feature comparison was weaker than the competition in every way – a less capable data network (no 3G), many missing hardware features that were present on other smartphones (GPS, proper bluetooth support, a slot for memory expansion, etc.). It couldn’t even load additional apps – Steve Jobs tried telling everyone that apps should be on the Internet and not installed on the phone!

    It did do two things better than the competition though – firstly the CPU was of reasonable strength to run a smartphone with. At least the pre-iPhone smartphones I used were positively anaemic in performance due to weak CPUs. Secondly, the iPhone made using a smartphone simple. And that was the real reason the iPhone took off – anyone could use it.

    The iPad

    And yet again Steve Jobs does it – take a product that was pretty much universally unpopular, or at most was popular only in certain vertical markets, and pushes it out to the mass market in a way that everyone can enjoy. Again very little in the way of innovation, but a great product (with some odd weaknesses until the iPad 2).

  • iPhone 4S: Yawn or What ?

    So it has been announced at last. The iPhone 4S, which is more or less an iPhone 4 with some fiddling – a faster processor, an improved antenna, and a software update that gives it a feature that Android has had for a while. That is voice control.

    Undoubtedly it will all be done in a very slick way – that is the Apple way, but is it enough ?

    Well it all depends on what you mean by “enough”. It will undoubtedly sell – both to the Apple fans who worship anything Apple produces whatever the merits, but will it sell enough to keep Apple’s current level of influence in the mobile smartphone sector ? After all, Steve Jobs has now left and everyone is wondering how the new Apple will maintain its leadership in the smartphone and slate market.

    Well the iPhone 4S is nice, but so is my iPhone 4. But it is hardly a major improvement – yes it’s faster; probably a lot faster. And the antenna improvement will please those who managed to tickle the antenna problem on the iPhone 4 (I could only do so by going through ridiculous contortions).

    It’s a perfectly reasonable mid-life facelift, but it’s a touch late for a mid-life facelift, although admittedly a bit early for a whole new phone. Oh! Sure Apple will claim that the internals are completely different, but it’s still an improved iPhone 4 rather than an iPhone 5. Although it’s unreasonable, Apple’s problem here is that the iPhone 4S looks a little boring and in a post-Jobs era, they need to convince people that they are still able to release exciting products. And this isn’t it.

    The big problem I see from my personal perspective is that there is no option for an iPhone with a big screen (and no I don’t mean an iPad!). If you look at the oodles of choice you can find in the Android phone market, you will find examples of premium smartphones with larger screens than the iPhone. Such as the Samsung Galaxy S II with a 4.3″ screen, and that is not even the largest smartphone screen you can find (although it may well be the best).

    Sure not everyone wants a large screen on their smartphone, but I do and Android gives me that choice. And plenty of other choices – 3D screens, physical keyboards, etc. And no being chained up in Apple’s walled garden!

    So yes, sorry Apple but it’s a bit of a yawn event. Try again with a proper iPhone 5 with a large (for a smartphone) screen.

  • Palestine Asks The UN To Recognise Their Statehood

    As expected the Palestinian authority has asked the UN to recognise them as a state.

    As expected the Israelis stood up to protest about the idea of giving statehood to the Palestinians and undoubtedly their tame lapdogs, the US government will veto the request.

    But would it do any harm if the UN recognised Palestine as a state ? And would it actually help make things a little better ? Quite possibly. Although it would not do much in itself, it sends a message to Israel that the world’s patience is limited and that it expects Israel to negotiate in good faith – which it appears unable to do at the moment.

    As an example, in his speech to the UN, the Israeli Prime Minister (Benjamin Netanyahu) kept going on about how Israel needed military security – to include the freedom to place Israeli forces inside Palestine, to demilitarise the Palestinian state, to keep control of the Palestinian air space.

    The way that he put it sounded almost reasonable – well he’s a politician, so he should be able to make almost any position sound reasonable. But would Israel accept their own demilitarisation ? Or Palestinian forces being free to wander around Israel ? Or Palestinian control of the Israeli airspace ?

    According to the number of casualties suffered by each side, Palestinians have far more to fear from Israeli forces than vice versa (although Israelis do have legitimate concerns) – according to the Wikipedia article on the conflict, there have been 7,978 Palestinian casualties since 1987 and 1,503 Israeli casualties. More than 5 times as many.

    Recognising the state of Palestine is not going to bring peace; neither is ignoring the Palestinian request. But recognising the right of Palestine to be recognised as a state will send a signal that the world recognises their right to exist as a state – in the same way that the world recognises the right of Israel to exist as a state.

  • Was Einstein Wrong? Neutrinos Break Universal Speed Limit!

    CERN announced today that they had published results indicating that they have discovered that neutrinos may travel at speeds a tiny fraction faster than the speed of light – breaking what you could call the Universe’s speed limit. At least according to Einstein’s theories.

    This has caused a certain amount of fuss amongst the media, and probably a lot of discussion around every water cooler where physicists gather. Of course the media has grandly announced that Einstein was wrong. Well, not really (and I should add that I’m no physicist).

    Firstly, this is more a “Hey! That’s weird” moment – nobody except the media is saying we should tear up Einstein’s theories as yet. CERN themselves have said what amounts to “Hey guys! Can you check this out, because it’s weird”. They want other scientists to check their results because it is so unexpected.

    Secondly even if this pans out, and CERN have found that something travels faster than light it doesn’t mean that Einstein was completely wrong. He came up with a theory that explained the Universe as understood for pretty much a hundred years. Just like the Newtonian universe that went before, the Einsteinian universe was correct (and may still be so) for the Universe as understood by scientists until this discovery.

    Bear in mind that the Newtonian universe is taught in schools today – not as a historical curiosity, but as a simplistic if somewhat flawed model of how the Universe works, suitable for children learning about the Universe.

  • Password Security & Cracking ‘Em

    This blog entry is of the form of some working notes to help me get to grips with this area of security. Would welcome corrections!

    There are two basic forms of password cracking :-

    1. Brute force cracking where every possible password combination is tried.
    2. Dictionary cracking where the password cracker uses a list of possible passwords to try … and optionally some algorithms for varying each word in the dictionary.
    I’m more interested in brute force cracking for now, so I’ll just say a few words about dictionary cracking …

    Password Hashes

    Some people are under the mistaken impression that it is possible to protect against password cracking by preventing multiple login attempts – try to log in more than 5 times in a minute, and the account is locked.

    People trying to break into systems know about this of course, so they rarely if ever try it (the exception is multiple attempts against equipment that does not perform account lockouts). What they do is obtain the stored password hash in some way – grabbing the /etc/shadow file from a Unix system, dumping Windows password hashes, etc. – and then work on it offline, where no lockout applies.

    Once you have a password hash, or a number of password hashes, it is possible to attempt to crack the passwords. Not by trying to reverse the hash – that should be impossible – but by running candidate passwords through the same hashing algorithm that was used to store the password in the first place and comparing the results.

    For instance if someone sets their password to “bad”, the password hash that gets stored in Active Directory or in a Unix system’s /etc/shadow file may look something like “bae60998ffe4923b131e3d6e4c19993e” (actually it won’t but we’ll gloss over that detail for now). The password cracker starts by hashing every possible 1 character password, moving on to all possible 2 character passwords, 3, etc.

    Eventually he or she finds one that matches that “hash” at which point they will have the account’s password.
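    The matching loop described above, as an added example that is not part of the original post: it assumes the hypothetical system stores an unsalted MD5 digest (the post’s example digest is not a real hash), uses a lowercase-only character set so the run is quick, and counts how many candidates were hashed before the stored hash was matched. The point for a defender is that once the hash has left the system, the account lockout on the login page plays no part; only the cost of each guess does.

```python
import hashlib
import itertools
import string

# Character set for the demonstration: lowercase letters only, so the run is
# quick. The post's 96-character set works the same way, just with a bigger space.
CHARSET = string.ascii_lowercase


def hash_password(password: str) -> str:
    """Hash a password the way the hypothetical system stores it: unsalted MD5."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def candidates(charset: str, max_length: int):
    """Yield every string over `charset`: all 1-character ones first, then 2, and so on."""
    for length in range(1, max_length + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo)


def keyspace(charset: str, max_length: int) -> int:
    """Number of candidates brute_force() will try at most."""
    n = len(charset)
    return sum(n ** length for length in range(1, max_length + 1))


def brute_force(target_hash: str, charset: str = CHARSET, max_length: int = 4):
    """Hash each candidate and compare it with the stolen hash.

    Returns (password, attempts) on a match, or (None, attempts) when the
    whole space up to max_length has been tried without one.
    """
    attempts = 0
    for candidate in candidates(charset, max_length):
        attempts += 1
        if hash_password(candidate) == target_hash:
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed "stolen" hash: what would have been pulled from a password store.
    stolen = hash_password("bad")
    password, attempts = brute_force(stolen)
    print(f"recovered {password!r} after {attempts} of {keyspace(CHARSET, 4)} candidates")
```

Swapping hash_password() for a salted, deliberately slow scheme (bcrypt, scrypt or Argon2, as real systems use) leaves the loop identical but makes each guess thousands of times more expensive, which is the only lever the defender has once the hashes are in someone else’s hands.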

    Dictionary Cracking

    Brute force password cracking has historically been thought of as too computationally intensive to try, so people resorted to restricting the number of passwords to search through by observing that most people use either simple words, or words made slightly more obscure through some method.

    For example, the following are some passwords picked from a list of frequently found passwords (but before getting smug about your password being nowhere near this simple, you may want to check first) :-

    • password
    • letmein
    • xxxxxxxx
    • qwerty
    • 123456

    In addition, people often take a simple word like “monday” and make it more complex by replacing certain letters with digits – l33t speak – so “monday” becomes “m0nday”. There is no point to this at all – it is one of the most common algorithms for supplementing a dictionary. Similarly adding digits to the end of a word, etc.

    Brute Force Cracking

    Brute force cracking is the process of going through every single password combination and trying each one in turn. This would seem to be a very slow process, but computers are becoming quicker and quicker. For example, with a GPU password cracker, my workstation can tackle around 380 million passwords a second … and it is not an especially quick GPU!

    As to how fast password cracking could be today, it is hard to say … some of the more interesting hardware out there doesn’t come with benchmarks, and there’s some guesswork involved. But it is probably safe to say that nothing quite comes up to the 100 billion password attempts a second mark … yet.

    It is relatively easy to calculate the number of possible passwords for any particular length … take the size of the character set used in the password, which can usually be assumed to be 96 (all ASCII without the control set) and raise to the power of the length of the password.

    Length   Passwords        Time (380M/s)     Time (100 billion/s)
    2        9216             <1s               <1s
    3        884736           <1s               <1s
    4        84934656         0.2s              <1s
    5        8153726976       23s               <1s
    6        782757789696     37m               8s
    7        7.5E13           59h               12m
    8        7.2E15           5725h             20h
    9        6.9E17           62 years          1916h
    10       6.6E19           6035 years        20 years
    11       6.4E21           577,845 years     2028 years
    12       6.1E23           55473145 years    193297 years


    There are several points to learn from this table :-

    1. The number of passwords grows very large very quickly. But not quickly enough to keep up with password crackers.
    2. Any password of less than 7 characters is trivial to crack … even with relatively modest hardware.
    3. Any password of less than 9 characters is trivial to crack if you have access to a large network of machines to work with.
    4. If you want to be safe for another decade or so (and policies can last quite a while), you will probably want to pick 12 characters as the minimum password length.
    5. These are the times to search the whole password space … it is not necessary to search through every single possible password to find the password you are looking for. That password might be found in 1/10 of the maximum time, or 3/4 of the maximum time. As long as the person generating the password has not been spectacularly dumb, it will still take a significant proportion of the total time to find the password.

    If you look at the different brute force password cracking software out there, it quickly becomes apparent that there are simplistic password crackers that attempt each password combination in turn, and there are more sophisticated password crackers that attempt to tackle the most likely password combinations first. They do this by looking at passwords consisting of words, parts of words, pronounceable sequences that could be words, etc.

    However good they are, all they do is increase the likelihood of obtaining the password in less than the maximum time. And possibly not by very much; let’s be generous and suppose that an intelligent brute force password cracker can produce the password on average after processing 25% of the possible passwords rather than 50% of the possible passwords. So for example for a 10 character password, an intelligent brute force password grabber could be expected to find the password after 1,500 years rather than 3,000 years (with a worst case scenario of 6,000 years in either case) … helpful, but not enough to make password cracking practical for 10 character passwords.
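    The arithmetic behind the table and the “25% rather than 50%” argument, as an added example that is not part of the original post: it takes the post’s 96-character set and its two rates (380 million and 100 billion guesses a second) as inputs, computes 96 raised to the length, and renders the result as seconds, minutes, hours or years in the style of the table. The post’s own rows come out slightly higher than these figures because of the author’s rounding; the shape is the same.

```python
CHARSET_SIZE = 96                   # printable ASCII without the control characters, as in the post
RATE_WORKSTATION = 380_000_000      # guesses per second: the post's GPU workstation figure
RATE_LARGE = 100_000_000_000        # guesses per second: the post's "not yet reached" mark
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, charset_size: int = CHARSET_SIZE) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_search(length: int, rate: float, fraction: float = 1.0,
                      charset_size: int = CHARSET_SIZE) -> float:
    """Time to hash `fraction` of the space at `rate` guesses per second.

    fraction=1.0 is the worst case (whole space), 0.5 the average for a
    cracker that tries candidates in order, 0.25 the post's generous guess
    for an intelligent cracker that tries likely candidates first.
    """
    return keyspace(length, charset_size) * fraction / rate


def human(seconds: float) -> str:
    """Render a duration the way the post's table does."""
    if seconds < 1:
        return "<1s"
    if seconds < 60:
        return f"{seconds:.0f}s"
    if seconds < 3600:
        return f"{seconds / 60:.0f}m"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:.0f}h"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def table(lengths=range(2, 13), rates=(RATE_WORKSTATION, RATE_LARGE)) -> list:
    """One row per length: (length, keyspace, rendered time at each rate...)."""
    return [(n, keyspace(n)) + tuple(human(seconds_to_search(n, r)) for r in rates)
            for n in lengths]


if __name__ == "__main__":
    print("Length\tPasswords\tTime (380M/s)\tTime (100 billion/s)")
    for row in table():
        print("\t".join(str(col) for col in row))
    # The post's 10-character case: whole space, average, and "intelligent" average.
    for fraction in (1.0, 0.5, 0.25):
        years = seconds_to_search(10, RATE_LARGE, fraction) / SECONDS_PER_YEAR
        print(f"10 chars at 100 billion/s, {fraction:.0%} of the space: {years:.1f} years")
```

Changing CHARSET_SIZE is the quickest way to see why a policy that forbids symbols hurts: dropping to 62 characters (letters and digits only) shrinks the 12-character space by a factor of over a hundred.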

    Poor Passwords

    Everyone is obsessed with telling everyone what makes a strong password, so there’s no need for me to do likewise. But here are my thoughts on what makes a weak password :-

    • A single word in any language, however it may have been deformed.
    • Common sequences of digits (e.g. “31415926”) or letters (“qwerty”) … they are effectively the same as words and appear in dictionaries of words to try for dictionary attacks.
    • A word where letters have been changed into digits is no stronger than the password with the letters would have been – the classic “monday” -> “m0nday”.
    • A word with simple digits or symbols appended.
    • Anything short; an otherwise strong password is weak if it is too short (less than 10 characters; preferably 12).
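    A check that applies the list above (and the l33t-speak and appended-digit manglings from the dictionary cracking section) from the defender’s side, as an added example that is not part of the original post: it undoes the common deformations first and only then asks whether what is left is a dictionary word or a common sequence. The word and sequence lists here are tiny constructed stand-ins; a real check would load the same wordlists the cracking tools ship with, which is an assumption about how it would be deployed.

```python
import re
import string

# Constructed stand-ins for a real wordlist and a list of common sequences.
DICTIONARY = {"password", "letmein", "monday", "dragon", "welcome", "secret"}
SEQUENCES = {"qwerty", "123456", "12345678", "31415926", "abcdef", "xxxxxxxx"}
MIN_LENGTH = 12  # the post's recommended minimum

# Undo the usual l33t substitutions: digits and symbols back to the letters they stand for.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                        "@": "a", "$": "s"})
# Digits and symbols tacked on to the end of a word ("monday2011!").
TRAILING_JUNK = re.compile(r"[0-9" + re.escape(string.punctuation) + r"]+$")

MESSAGES = {
    "short": f"shorter than {MIN_LENGTH} characters",
    "dictionary": "a single (possibly deformed) dictionary word",
    "sequence": "a common sequence of digits or letters",
    "repeat": "one character repeated",
}


def normalise(password: str) -> str:
    """Strip appended digits/symbols, then undo l33t spelling: 'M0nday2011!' -> 'monday'."""
    stripped = TRAILING_JUNK.sub("", password.lower())
    return stripped.translate(UNLEET)


def weaknesses(password: str) -> list:
    """Return the codes (keys of MESSAGES) of every weakness found; empty means none found."""
    found = []
    if len(password) < MIN_LENGTH:
        found.append("short")
    # Look the password up as typed, with the trailing junk removed, and fully normalised,
    # so "31415926" (all junk) is still recognised as a sequence.
    forms = {password.lower(), TRAILING_JUNK.sub("", password.lower()), normalise(password)}
    if forms & DICTIONARY:
        found.append("dictionary")
    if forms & SEQUENCES:
        found.append("sequence")
    if len(set(password)) == 1:
        found.append("repeat")
    return found


if __name__ == "__main__":
    for pw in ["m0nday", "P@ssw0rd2011!", "31415926", "xxxxxxxx", "correct horse battery staple"]:
        report = [MESSAGES[code] for code in weaknesses(pw)]
        print(f"{pw!r}: {report or 'no obvious weakness'}")
```

Note that “P@ssw0rd2011!” passes the length test and mixes all four character classes, yet is flagged, which is exactly the post’s point: the deformations add nothing, because the dictionary used for cracking already contains the rules that produce them.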

    In fact the list of what makes a password weak is so long that it’s always a good idea to test how strong your password is. Preferably with a hacking tool; and not with one of those web forms where they probably don’t test too well to avoid irritating potential customers.

    Passwords Suck!

    Ha! Yes you’re right … passwords are now a pretty poor way of demonstrating identity. However whilst there are many alternatives, none are universal so until someone comes up with a suitable replacement we are kind of stuck with them.