Jun 15 2012

Today somebody finally woke up and realised that the amount of time that pedestrians get to cross the road at a crossing is ludicrously short. They concentrate on the problem that the elderly have in crossing a road in the short time that the little man shows green.

But they are not the only ones who can have trouble. And it is not just about the trouble in crossing in time.

Why should pedestrians huddle at the edge of the road waiting until they get the chance to rush across the road tugging at their forelocks? Car drivers may protest that giving pedestrians more priority will slow them down, but come on – it isn’t as if you don’t get there quicker than pedestrians anyway. What is a few extra minutes?

Car drivers might argue that because they pay so much in motoring taxes that they deserve extra priority on the roads. Well, it’s an interesting argument, but is really totally irrelevant. Taxes of any kind are raised in all sorts of different ways and put into a common pool from which government spending is taken – both central government and local government. And the government decides how much will be spent on roads in competition with all the other demands on government funds.

And roads are not the only costs that motoring causes – there is also dealing with the health issues related to motoring such as accidents and respiratory issues.

Besides which, the way that local roads are funded – and all pedestrian crossings are on local roads – means that a relatively small proportion of the costs is made up of motoring taxes. No council funds come directly from motoring taxes; they come from council taxes instead. Which means that the pedestrian waiting to cross the road may actually be paying more towards the roads than you think.

Besides which it is not simply about the money, but about simple fairness and safety. In terms of safety, the lights need to be green not just long enough to allow slower pedestrians to cross the road, but also to allow pedestrians who are reasonably close to the crossing to cross the road. And even long enough at cross-roads to allow pedestrians to cross both roads – to do the equivalent of a left or right turn.


Jun 06 2012

If you have not already heard about it, and you have a LinkedIn account, you should be aware that a large number of password hashes have been found in the wild. This means it is possible that hackers have the ability to crack your password and break into your account.

Change any LinkedIn account passwords now.

But there are still just a few unanswered questions :-

Why were the password hashes unsalted?

Storing passwords in the clear is just about the most irresponsible thing a website operator can do, but storing passwords in hashed form without a so-called salt is also a clear indication that someone needs a slap and to be told to go the extra 10m. It has long been known (i.e. for decades) that using a simple unsalted password hash allows someone to find out what the original password was.

This is why the Unix system from the 1970s used a salt to make revealing passwords harder.

Technically a salt is a few extra bits of randomness combined with the password before it is hashed (and stored alongside the output) to make pre-computing tables of password hashes far more expensive. It also means that two users who chose the same password end up with different hashes.

So why weren’t LinkedIn salting their passwords? Couldn’t be bothered? Assumed that their systems were so secure that nobody could break in? Whatever the reason, it was not a good enough reason – allowing their site to be hacked is bad enough, but caring so little about the security of our data shows pure incompetence and arrogance.

Are We Sure These Password Hashes Belong To LinkedIn?

In a word: No. We assume they are, and there’s some evidence to support that assumption. Several bloggers (one) have posted indicating that they have checked and found that their own LinkedIn password hash can be found in the file.

So we can assume that these password hashes are from LinkedIn, and should change our password if we have an account. Perhaps this is wrong and this huge list of password hashes is just some prankster’s idea of a fun day, but this is one of those cases where you assume it is real to be safe.

But There Are No Usernames. Aren’t We Safe?

I’ve come across at least one comment indicating that because the usernames aren’t associated, there isn’t anything to worry about.

It is true that the information as released is not especially helpful – if you cracked all the password hashes you still wouldn’t know if my password was #32768, #65536, or any of the others. But you could still use that information with the help of a botnet army and enough time to let tools like Hydra do their work.

And we do not know that the person or group who obtained this information in the first place does not have access to further information. Even if all they had access to was a database table containing just the password hashes, they will almost certainly know the frequencies of every password.

So no, we’re not safe.

Only 6.5 million? I Thought LinkedIn Had 150 million Accounts?

Indeed! It does seem strange that there are only 6.5 million password hashes in the released file.

But those who have had a chance to poke around in the released file (including myself) have found that there are no duplicate hashes. That would be expected in a salted password hash file, but given how woeful most people are at picking good passwords you would expect a very large number of duplicates in 150 million unsalted password hashes. Whether you would get as few as 6.5 million unique password hashes seems a touch unlikely, but possible.

Of course it may be that the person or group who grabbed this password dump in the first place only managed a partial dump for some reason.
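To make the two points above concrete (why an unsalted hash reveals shared passwords and is cheap to pre-compute, and why a dump with no duplicate hashes is what you would expect from salted storage), here is an added example that is not from the original post or from LinkedIn. It builds a constructed five-user account list in which two pairs of users share a password, hashes it both ways, counts duplicate digests in each dump, and shows a small pre-computed lookup table recovering only the unsalted entries. The hash algorithm (SHA-256), the 16-byte salt and the `salt$digest` record layout are illustrative choices, not anything the post states about LinkedIn's system.

```python
import hashlib
import os
import secrets
from collections import Counter

# Constructed sample data: five users, two pairs of whom chose the same password.
SAMPLE_ACCOUNTS = {
    "alice": "linkedin1",
    "bob": "Password1",
    "carol": "linkedin1",
    "dave": "qwerty123",
    "erin": "Password1",
}


def unsalted_hash(password: str) -> str:
    """Plain hash of the password: identical passwords give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Hash salt||password and store the salt beside the digest as 'salthex$digest'.

    The record format is an assumption made for this example.
    """
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def make_salted_record(password: str) -> str:
    """Create a stored record with a fresh random 16-byte salt per password."""
    return salted_hash(password, os.urandom(16))


def verify_salted(password: str, record: str) -> bool:
    """Re-hash a login attempt with the stored salt and compare in constant time."""
    salt_hex, _ = record.split("$", 1)
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, record)


def build_unsalted_dump(accounts: dict) -> list:
    return [unsalted_hash(p) for p in accounts.values()]


def build_salted_dump(accounts: dict) -> list:
    return [make_salted_record(p) for p in accounts.values()]


def duplicate_count(hashes: list) -> int:
    """Number of distinct hash values that occur more than once in a dump.

    A large dump with a count of zero is the tell-tale of salted storage that the
    post describes; an unsalted dump of real users would show many repeats.
    """
    return sum(1 for n in Counter(hashes).values() if n > 1)


def precomputed_table(wordlist: list) -> dict:
    """Map of unsalted digest -> password, computed once for a wordlist."""
    return {unsalted_hash(w): w for w in wordlist}


def recover_from_table(dump: list, table: dict) -> list:
    """Look each dump entry up in the table; None where the table has no match.

    Salted records never match because the table would have to be rebuilt for
    every distinct salt, which is exactly the cost a salt is meant to impose.
    """
    return [table.get(h) for h in dump]


if __name__ == "__main__":
    unsalted = build_unsalted_dump(SAMPLE_ACCOUNTS)
    salted = build_salted_dump(SAMPLE_ACCOUNTS)
    print("duplicate digests, unsalted:", duplicate_count(unsalted))  # 2
    print("duplicate digests, salted:  ", duplicate_count(salted))    # 0
    table = precomputed_table(["linkedin1", "qwerty123"])
    print("table hits on unsalted dump:", recover_from_table(unsalted, table))
    print("table hits on salted dump:  ", recover_from_table(salted, table))
```

Running it shows two repeated digests in the unsalted dump and none in the salted one, and the two-word table recovers three of the five unsalted entries while matching nothing in the salted dump. The same duplicate count is the quick sanity check to run over any leaked hash file before guessing how it was stored.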

But If The Original Leak Isn’t Fixed, Isn’t Changing Our Password A Waste Of Time?

It is certainly true that if LinkedIn hasn’t fixed their original problem, or has not implemented some form of remedial action, then it is possible that an attacker could break in with exactly the same method as they did before, and steal the passwords again. Which means we will probably have to change our passwords again – once LinkedIn finally gets around to announcing this has all been fixed.

But not changing your password now is foolish in the extreme – you should assume that the attacker(s) have your account details now.

Jun 04 2012

You know those annoying ads you can see surrounding this posting? The ones that don’t go anywhere near paying for the costs of running this site?

I get to see them myself, and was somewhat surprised to find one today that had just a teensy little problem with it :-

Nine Mistakes You Should Avoid in 2011

Which was advertising a financial services company. Got to admit that whilst anyone can make a mistake, I would be very unlikely to let someone near my money who is likely to make this sort of mistake!

Jun 02 2012

Apparently the government has announced plans to stop charging council tax for those who live in so-called “granny annexes”. The opposition has quite rightly pointed out that this is an interesting position to take as there has long been a council tax exemption for those living in granny annexes who are over 65, or who are impaired in various other ways.

For those not familiar with granny annexes – and this may come as a surprise to many Tories, but not everyone is familiar with the concept – if you have a large enough house, it is possible to set aside part of it as a separate dwelling. Usually to give some member of the family some level of independent living – traditionally used for a live-in grandparent. Thus the term “granny annex”.

It may come as a bit of a surprise to many Tories, but most ordinary hard-working families live in homes where space is at a premium. Indeed having the spare space to create an annex could be a definition of “wealthy”. Or in other words, the Tories have come up with a nifty way of giving a tax cut to the wealthy whilst trying (and failing) to sound like they are helping ordinary people.

Or to put it another way, why are we giving council tax exemptions to grannies and disabled people? If someone over the age of 65 lives in their own flat they have to pay council tax, but if they live in an annex in their family’s home, they don’t. I’m not against the idea that those who are somewhat constrained in their income should get some sort of discount on their council tax, but getting a discount because you have rich relatives?