Sep 23 2011

CERN announced today that they had published results indicating that neutrinos may travel a tiny fraction faster than the speed of light – breaking what you could call the Universe’s speed limit, at least according to Einstein’s theories.

This has caused a certain amount of fuss amongst the media, and probably a lot of discussion around every water cooler where physicists gather. Of course the media has grandly announced that Einstein was wrong. Well, not really (and I should add that I’m no physicist).

Firstly, this is more a “Hey! That’s weird” moment – nobody except the media is saying we should tear up Einstein’s theories as yet. CERN themselves have said what amounts to “Hey guys! Can you check this out, because it’s weird”. They want other scientists to check their results because it is so unexpected.

Secondly, even if this pans out and CERN have found that something travels faster than light, it doesn’t mean that Einstein was completely wrong. He came up with a theory that explained the Universe as understood for pretty much a hundred years. Just like the Newtonian universe that went before, the Einsteinian universe was correct (and may still be so) for the Universe as understood by scientists until this discovery.

Bear in mind that the Newtonian universe is taught in schools today – not as a historical curiosity, but as a simplistic if somewhat flawed model of how the Universe works, suitable for children learning about the Universe.

Sep 18 2011

This blog entry takes the form of some working notes to help me get to grips with this area of security. I would welcome corrections!

There are two basic forms of password cracking :-

  1. Brute force cracking where every possible password combination is tried.
  2. Dictionary cracking where the password cracker uses a list of possible passwords to try … and optionally some algorithms for varying each word in the dictionary.

I’m more interested in brute force cracking for now, so I’ll just say a few words about dictionary cracking …

Password Hashes

Some people are under the mistaken impression that it is possible to protect against password cracking by preventing multiple login attempts – try to login more than 5 times in a minute, and the account is locked.

People trying to break into systems know about this of course, so they rarely if ever try it (the exception is multiple attempts against equipment that does not perform account lockouts). What they do is obtain the encrypted password in some way – grabbing the /etc/shadow file from a Unix system, dumping Windows password hashes, etc.

Once you have a password hash, or a number of password hashes, it is possible to attempt to crack the passwords. Not by trying to reverse the password encryption (that should be impossible), but by running candidate passwords through the same algorithm that encrypted the password in the first place and comparing the results.

For instance, if someone sets their password to “bad”, the password hash that gets stored in Active Directory or in a Unix system’s /etc/shadow file may look something like “bae60998ffe4923b131e3d6e4c19993e” (actually it won’t, but we’ll gloss over that detail for now). The password cracker starts by hashing every 1-character password, then moves on to all possible 2-character passwords, 3, and so on.

Eventually he or she finds one that produces a matching “hash”, at which point they have the account’s password.

Dictionary Cracking

Brute force password cracking has historically been thought of as too computationally intensive to try, so people resorted to restricting the number of passwords to search through by observing that most people use either simple words, or words made slightly more obscure through some method.

For example, the following are some passwords picked from a list of frequently found passwords (but before getting smug about your password being nowhere near as this simple, you may want to check first) :-

  • password
  • letmein
  • xxxxxxxx
  • qwerty
  • 123456

In addition, people often take a simple word like “monday” and make it more complex by replacing certain letters with digits – l33t speak – so “monday” becomes “m0nday”. There is no point to this at all: substituting digits for letters is one of the most common rules crackers use to extend a dictionary. The same goes for adding digits to the end of a word, and so on.

Brute Force Cracking

Brute force cracking is the process of going through every single password combination and trying each one in turn. This would seem to be a very slow process, but computers are becoming quicker and quicker. For example, with a GPU password cracker, my workstation can tackle around 380 million passwords a second … and it is not an especially quick GPU!

As to how fast password cracking could be today, it is hard to say … some of the more interesting hardware out there doesn’t come with benchmarks, and there’s some guesswork involved. But it is probably safe to say that nothing quite comes up to the 100 billion password attempts a second mark … yet.

It is relatively easy to calculate the number of possible passwords for any particular length … take the size of the character set used in the password, which can usually be assumed to be 96 (all ASCII without the control set), and raise it to the power of the length of the password.

Length   Passwords      Time (380M/s)    Time (100 billion/s)
2        9216           <1s              <1s
3        884736         <1s              <1s
4        84934656       0.2s             <1s
5        8153726976     23s              <1s
6        782757789696   37m              8s
7        7.5E13         59h              12m
8        7.2E15         5725h            20h
9        6.9E17         62 years         1916h
10       6.6E19         6035 years       20 years
11       6.4E21         577,845 years    2028 years
12       6.1E23         55473145 years   193297 years
There are several points to learn from this table :-

  1. The number of passwords grows very large very quickly. But not quickly enough to keep up with password crackers.
  2. Any password of less than 7 characters is trivial to crack … even with relatively modest hardware.
  3. Any password of less than 9 characters is trivial to crack if you have access to a large network of machines to work with.
  4. If you want to be safe for another decade or so (and policies can last quite a while), you will probably want to pick 12 characters as the minimum password length.
  5. These are the times to search the whole password space … it is not necessary to search through every single possible password to find the password you are looking for. That password might be found in 1/10 of the maximum time, or 3/4 of the maximum time. As long as the person generating the password has not been spectacularly dumb, it will still take a significant proportion of the total time to find the password.

If you look at the different brute force password cracking software out there, it quickly becomes apparent that there are simplistic password crackers that attempt each password combination in turn, and there are more sophisticated password crackers that attempt to tackle the most likely password combinations first. They do this by looking at passwords consisting of words, parts of words, pronounceable sequences that could be words, etc.

However good they are, all they do is increase the likelihood of obtaining the password in less than the maximum time. And possibly not by very much; let’s be generous and suppose that an intelligent brute force password cracker can produce the password on average after processing 25% of the possible passwords rather than 50% of the possible passwords. So, for example, for a 10 character password an intelligent brute force password cracker could be expected to find the password after 1,500 years rather than 3,000 years (with a worst case scenario of 6,000 years in either case) … helpful, but not enough to make password cracking practical for 10 character passwords.
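The keyspace and search-time arithmetic behind the table above, carried through in code. This is an added example, not code from the original post; it assumes the post’s figures of a 96-symbol character set and cracking rates of 380 million and 100 billion candidates per second, and uses a 365.25-day year (so its results differ slightly from the post’s rounded values).

```python
"""Keyspace and search-time estimates for brute force password cracking.
Added example (not from the original post). Assumes the post's figures:
a 96-symbol character set and two cracking rates, 380 million and
100 billion candidates per second."""

CHARSET_SIZE = 96  # printable ASCII without the control set, per the post
RATES = {"380M/s": 380_000_000, "100G/s": 100_000_000_000}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, charset_size: int = CHARSET_SIZE) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def seconds_to_search(length: int, rate: int, fraction: float = 1.0) -> float:
    """Seconds to test `fraction` of the keyspace at `rate` guesses/second.

    fraction=1.0 is the worst case (whole space), 0.5 the average for a
    naive cracker, 0.25 the post's generous figure for a "smart" one."""
    return keyspace(length) * fraction / rate


def human(seconds: float) -> str:
    """Render a duration the way the post's table does (s, m, h, years)."""
    if seconds < 1:
        return "<1s"
    if seconds < 60:
        return f"{seconds:.0f}s"
    if seconds < 3600:
        return f"{seconds / 60:.0f}m"
    if seconds < 3 * SECONDS_PER_YEAR:
        return f"{seconds / 3600:.0f}h"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def table(max_length: int = 12) -> list:
    """Rows of (length, keyspace, worst-case time at 380M/s, at 100G/s)."""
    rows = []
    for n in range(2, max_length + 1):
        rows.append((n, keyspace(n),
                     human(seconds_to_search(n, RATES["380M/s"])),
                     human(seconds_to_search(n, RATES["100G/s"]))))
    return rows


if __name__ == "__main__":
    print(f"{'len':>3} {'passwords':>26} {'380M/s':>16} {'100G/s':>16}")
    for n, space, t1, t2 in table():
        print(f"{n:>3} {space:>26,} {t1:>16} {t2:>16}")
    # The post's 10-character example: expected time is 50% of the space
    # for a naive search and 25% for an "intelligent" one.
    for frac in (0.5, 0.25):
        print(f"10 chars, {frac:.0%} of the space at 380M/s:",
              human(seconds_to_search(10, RATES["380M/s"], frac)))
```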

Poor Passwords

Everyone is obsessed with telling everyone what makes a strong password, so there’s no need for me to do likewise. But here are my thoughts on what makes a weak password :-

  • Contains a single word in any language however it may have been deformed.
  • Common sequences of digits (i.e. “31415926”) or letters (“qwerty”) … they are effectively the same as words and appear in dictionaries of words to try for dictionary attacks.
  • A password where letters have been changed into digits is no stronger than the password with the letters would have been – the classic “monday” -> “m0nday”.
  • Appending simple digits or symbols.
  • Anything short; an otherwise strong password is weak if it is too short (less than 10 characters; preferably 12).

In fact the list of what makes a password weak is so long that it’s always a good idea to test how strong your password is. Preferably with a real cracking tool, and not with one of those web forms where they probably don’t test too hard, to avoid irritating potential customers.
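The weak-password patterns listed above, turned into a simple checker. This is an added example, not code from the original post; it assumes a small constructed word list standing in for a real dictionary and uses the post’s own length thresholds (under 10 characters weak, 12 preferred).

```python
"""Checker for the weak-password patterns listed in the post.
Added example (not from the original post). The word list and
sequence list are constructed stand-ins for real dictionaries."""
import re

# Constructed stand-in for a real dictionary / common-password list.
WORDS = {"password", "letmein", "qwerty", "monday", "dragon", "welcome"}
# Common sequences the post says are "effectively the same as words".
SEQUENCES = {"123456", "12345678", "31415926", "qwerty", "asdfgh", "abcdef"}
# Reverse l33t map: undo the substitutions a cracker's mangling rules try.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_LEN, PREFERRED_LEN = 10, 12


def weaknesses(pw: str) -> list:
    """Return the weaknesses found; an empty list means none of the post's
    patterns matched, which is not the same thing as "strong"."""
    found = []
    lower = pw.lower()
    # 'monday123!' -> 'monday': appended digits/symbols are stripped first...
    stripped = re.sub(r"[\d\W_]+$", "", lower)
    # ...then l33t substitutions are undone: 'm0nd@y' -> 'monday'.
    core = stripped.translate(UNLEET)
    if core in WORDS:
        found.append("based on a single dictionary word")
        if stripped != core:
            found.append("l33t substitution adds no strength")
        if stripped != lower:
            found.append("appended digits/symbols add little strength")
    if any(seq in lower for seq in SEQUENCES):
        found.append("contains a common digit/keyboard sequence")
    if len(pw) < MIN_LEN:
        found.append(f"too short ({len(pw)} < {MIN_LEN}; prefer {PREFERRED_LEN})")
    elif len(pw) < PREFERRED_LEN:
        found.append(f"shorter than preferred {PREFERRED_LEN}")
    return found


if __name__ == "__main__":
    # Constructed samples: the post's examples plus a random-looking one.
    for candidate in ("password", "m0nday99", "abc123456xyz", "xK9#pL2mQ7vR"):
        report = weaknesses(candidate)
        print(f"{candidate!r}: {'; '.join(report) if report else 'no listed weakness'}")
```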

Passwords Suck!

Ha! Yes you’re right … passwords are now a pretty poor way of demonstrating identity. However whilst there are many alternatives, none are universal so until someone comes up with a suitable replacement we are kind of stuck with them.

Sep 09 2011

I was alerted to this by an article on The Register which points to the Godai Group‘s investigation into what happens when you register domains “close” to a reputable company and grab all the emails that happen to pop by. It is hardly a surprise to anyone who has run an email system, but you will get tons of email delivered because of email address typos. Specifically, Godai Group looked at a specific type of typo – accidentally leaving out a “.”. For example, one of the cases the Godai Group picked up on was mail intended for some-person@ca.ibm.com, where “someone” has registered caibm.com (no dot) … whether or not that person is sniffing those emails cannot be known, but they could.

Again, to those who have run email systems it is no surprise to learn that some of the emails contain “interesting” information not limited to :-

  • Trade secrets
  • Business invoices
  • Personal information about employees
  • Usernames and passwords!
  • Network diagrams.

What is not mentioned is that those Fortune 500 companies almost certainly have policies in place prohibiting acts such as sending passwords and other sensitive information by email. But of course there is a description for someone who reads all of the corporate policies – someone who isn’t doing their job!

There is an interesting list of mitigations in the Godai Group report, but it could be a lot more extensive :-

  • When sending out an email to an address where the left hand side would be a valid internal address, flag the destination in your logs. Use that information to build up a list of domains for which you should check for valid internal addresses and freeze (hold in the queue) any messages that match. As an example, if mike.meredith@ca.ibm.com were a valid address you might want to freeze any emails addressed to mike.meredith@caibm.com.
  • Use your email logs to build up a database of domains that you send email to. This will allow you to identify similar domains that may be practicing so-called “doppelganger domains” that you may want to take some action against. You may think you can guess what the domains would be, but there is a lot to be said for hard evidence.
  • Perform content filtering on outgoing email, and build up a set of rules to catch emails containing patterns that match certain kinds of emails you do not want leaving your organisation – to begin with a pattern matching “password [is] XXXXXX”. This could take considerable effort to build, and there will always be the chance of a false positive so you will want a sensible warning message when emails matching the relevant content filter get caught – “Please check that this email does not contain confidential information; please check the recipient address, and if necessary re-phrase the email”.
  • Encourage the use of end-to-end encryption such as PGP. Plain encryption is not sufficient – “walled garden” email systems such as GroupWise support encryption for internal emails, but this is about external (even if it isn’t intentionally so) email which is not encrypted with such corporate email systems. In fact systems such as GroupWise may be considered dangerous in this context – it comes with the word encryption on the tin, and even allows you to “take back” emails that you have sent that you regret. These facilities encourage dangerous practices.
  • Education, education, education. But this will not accomplish much – not only are the people who really need to be educated not listening, but these problems are mistakes – both in terms of accidentally sending emails to the wrong address, and in terms of emailing information that should probably not be sent via email.
  • Lastly, and perhaps for amusement value, you could try persuading senior managers that the danger of them sending inappropriate information accidentally out to third parties via email is so great that it justifies setting up a process by which all their email sent to external addresses is manually reviewed to ensure that it is not an accidental release of internal information. Good luck on that one!
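The first and third mitigations above (freezing mail to a dropped-dot doppelganger of one of your own domains when the local part is a valid internal address, and a content filter for “password is XXXXXX”) as working outbound-mail checks. This is an added example, not code from the Godai Group report or the original post; the organisation domains, internal users and messages are constructed, and the post’s ca.ibm.com / caibm.com pair is used only to illustrate the variant generator.

```python
"""Outbound-mail checks for "dropped dot" doppelganger domains.
Added example (not from the original post or the Godai Group report).
Domains, users and messages below are constructed."""
import re

# Constructed: the organisation's real mail domains, sub-domains included.
OUR_DOMAINS = {"example.com", "ca.example.com", "mail.eu.example.com"}
# Constructed: valid internal local-parts (left-hand side of the address).
INTERNAL_USERS = {"mike.meredith", "alice", "bob.smith"}
# The post's first content-filter rule, "password [is] XXXXXX": require an
# "is", ":" or "=" after the word to keep "password policy" from matching.
PASSWORD_RE = re.compile(r"\bpassword\s*(?:is|:|=)\s*\S{4,}", re.I)


def dropped_dot_variants(domain: str) -> set:
    """Domains formed by deleting one or more dots from the sub-domain part:
    ca.ibm.com -> {caibm.com}; a.b.c.com -> {ab.c.com, a.bc.com, abc.com}.
    The dot before the top-level domain is never dropped."""
    labels = domain.lower().split(".")
    droppable = len(labels) - 2          # dots that can be removed
    variants = set()
    for mask in range(1, 1 << max(droppable, 0)):
        parts = []
        for i, label in enumerate(labels):
            if 0 < i <= droppable and mask & (1 << (i - 1)):
                parts[-1] += label       # drop the dot before this label
            else:
                parts.append(label)
        variants.add(".".join(parts))
    return variants


WATCHLIST = {v for d in OUR_DOMAINS for v in dropped_dot_variants(d)}


def should_freeze(recipient: str) -> bool:
    """Hold a message whose recipient domain is a doppelganger of one of ours
    AND whose local-part is a valid internal address (the post's rule)."""
    local, _, domain = recipient.lower().rpartition("@")
    return domain in WATCHLIST and local in INTERNAL_USERS


def triage(recipient: str, body: str) -> str:
    """'freeze' for doppelganger recipients, 'warn' for password-like
    content (the post's warning text would be shown), else 'deliver'."""
    if should_freeze(recipient):
        return "freeze"
    if PASSWORD_RE.search(body):
        return "warn"
    return "deliver"


if __name__ == "__main__":
    # Constructed sample messages.
    messages = [
        ("mike.meredith@caexample.com", "Minutes attached."),
        ("partner@vendor.example.net", "The password is hunter2, as agreed."),
        ("partner@vendor.example.net", "See the password policy on the intranet."),
    ]
    for rcpt, body in messages:
        print(f"{triage(rcpt, body):8} {rcpt}")
```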

Sep 03 2011

Today (or perhaps yesterday) the news was out that the various western intelligence services – MI6, CIA, and the French Intelligence organisation – were all “doing business” with Gaddafi’s regime in Libya. My first reaction is to say: “And so they should”.

Intelligence services are funded for a reason, and that reason is to gather intelligence on various aspects of world affairs. And that includes doing business with repugnant regimes in order to gather intelligence on them, and to collect information they have that they are prepared to share. Given Gaddafi’s instability (look at his latest pronouncements which seem to indicate that he has lost touch with reality), and propensity to stir up trouble beyond the borders of Libya, the chief of any intelligence agency not doing business in Libya would be guilty of gross negligence and deserves the sack.

When you look into the details of what the intelligence agencies were up to, it becomes clear that the CIA at the very least was going a little too far in abducting suspects, dropping them off in Libya for torture, and popping by a little later for the answers to the questions they asked.

As in all things, if you sup with the Devil, you need to use a very long spoon and the CIA would appear to have become too close to the Libyan regime.

Sep 03 2011

I have blogged before about the death sentence (and possibly other entries too) but people are still being executed, so there is no reason why I should stop ranting about this. Hopefully this entry will be a little more fact-orientated than previous attempts.

Execution is one of those contentious issues, and in a country that has long banned the death sentence the whole debate starts up again when we discover people such as Harold Shipman and Fred West. It is difficult to argue against the death sentence when such creatures are in the news, but it has to be done.

If You Execute Criminals, You Also Kill The Innocent

Criminal justice systems are run by fallible people; no matter how hard we try, people will always make mistakes and some of those mistakes can cause disastrous consequences – and in the case where criminals are sentenced to death, it is not just possible, but really has happened that innocent people are killed by the government. Detailed statistics on this are practically impossible to locate – partially because we don’t know who has been executed for a crime they have not committed.

All we know is that some people have been executed because they were innocent, and some people were executed because they did not receive a fair trial. For instance, take the case of Sacco and Vanzetti, where two men were executed in 1927, but in 1977 the governor of Massachusetts admitted that they had received an unfair trial and that “any disgrace should be forever removed from their names.” This despite the possibility that Sacco was in fact guilty of the crime – ballistic tests on his gun in 1961 indicated it was used in the killings, although it had been interfered with enough that any prosecution based on those ballistic tests would be unfair.

So here we have a case where two men were executed – one who was innocent and received an unfair trial, and another who at worst received an unfair trial. And of course these two anarchists were involved in a particularly well publicised case – how many others executed have received no help in establishing their innocence?

Of course other people have tried coming up with useful statistics, and I will myself …

Out of a list of 33 “notable” executions in the UK since 1910, 6 were of people who had their convictions quashed posthumously. This gives a rate of 18% of executions being of innocent people! An alternative figure of 632 executions in the UK between 1900 and 1949 would reduce the false execution rate to 1%. Neither of these figures is satisfactory, although the second is probably closer to the mark – although it misses out the number of executions from 1950 onwards, the figure for the number of innocent people executed is probably also not complete.

But it does illustrate that of all executions, some include innocent victims – perhaps 1%. Or in other words, out of every 100 people executed, at least 1 person is innocent of the crime he or she is executed for.

Perhaps you might think that 1 out of every 100 people executed is a small price to pay, but consider how you would feel if that innocent person was someone you loved more than your own life? Your husband, your wife, your son, or your daughter. How would you feel then?

Every innocent victim of the hangman’s noose is someone’s loved one.

But We’ll Only Do It For The Really Bad

If you restrict executions to the really heinous crimes where you are really sure that the criminal is guilty, what happens?

Well firstly, it does not stop innocent people from being executed. Take the example of Timothy Evans, a man who was initially found guilty of murdering his own daughter (and he was suspected of killing his wife too); yet three years later it was discovered that his neighbour John Christie was a serial killer and eventually shown to have killed the daughter and wife. Timothy Evans was eventually pardoned in 1966. Of course it was a bit late for him as he had already been executed.

No matter how certain you are that someone is guilty of a crime, there is always the chance that they are not in fact guilty.

Secondly, it is a slippery slope – if you execute someone for committing a really nasty murder, it becomes easier to allow executions for “less serious” murders, and then so-called lesser crimes. As an example of this in action, see the Bloody Code article where the UK in little more than 100 years went from 50 crimes punishable by death, to 220 crimes punishable by death.

Life Imprisonment Is Cheaper

This is actually an argument in favour of abolishing the death sentence, but a despicable one.

It is true that in the US today, it is probably cheaper to imprison someone for life rather than sentence someone to death. This is because most death sentences go through an excruciating process involving many appeals to all parts of the criminal justice system. If us woolly liberals would just shut up about the death sentence, it would be possible to execute people very cheaply.

But we’re not going to shut up about it.

And looking at the money involved is contemptible – this discussion is about justice, mercy, and all sorts of ideals. If society cannot afford a just criminal justice system, it can no longer be called a society.

Cruel And Unusual Punishment

No matter the method a country chooses to execute a criminal, it amounts to cruel and unusual punishment – prohibited by the UN (article 4 of the Universal Declaration of Human Rights, although I’ve used the traditional English phrase rather than the wording of the UN). The reasons why the death sentence is inhuman are varied, but include :-

  1. Most people sentenced to death spend a long time on death row awaiting execution – an average of 14 years in 2009 (and the link contains other interesting information). The reasons for this are irrelevant. The effect on the prisoner amounts to psychological torture sufficient that many on death row have requested rapid execution to end their suffering – even prisoners who were eventually found innocent.
  2. We may have moved on from impaling, or other forms of execution that take the victim many days to die, but that does not mean the current methods are humane – even the “most humane” method of lethal injection has those who claim it causes unnecessary suffering in some cases.
  3. There is a degree of arbitrariness in how the death penalty is applied – a serial killer with 48 victims to his name can “get off” with life imprisonment whilst someone who has killed just one victim is executed. The more you dig into just how arbitrary the death sentence is, the more you should get concerned about it. Shouldn’t justice be even-handed?

Final Word

This may not be the final version of this blog – as things occur to me, as I get the incentive to write, and as facts crop up I will be adding to it. But for now it is enough.

This probably won’t convince anyone in favour of the death sentence to give up and start opposing it, but it might encourage those who are undecided to look a bit deeper and come down in favour of abolishing it.