A young boy went up to his father and said, “Dad, the teacher gave us an assignment to determine the difference between potentially and realistically. Can you help me?”

The father thought for a moment, then answered. “Go ask your mother if she would sleep with Brad Pitt for a million dollars. Then ask your sister if she would sleep with Brad Pitt for a million dollars, and then ask your brother if he’d sleep with Brad Pitt for a million dollars. Come back and tell me what you learn from that.”

So the boy went to his mother and asked, “Would you sleep with Brad Pitt for a million dollars?” The mother replied, “Of course I would! We could really use that money to fix up the house and send you kids to a great University!”

The boy then went to his sister and asked, “Would you sleep with Brad Pitt for a million dollars?” The girl replied, “Oh my God! I LOVE Brad Pitt I would sleep with him in a heartbeat, are you nuts?!?!?!”

The boy then went to his brother and asked, “Would you sleep with Brad Pitt for a million dollars?” “Of course,” the brother replied. “Do you know how much a million bucks would buy?”

The boy pondered the answers for a few days, then went back to his dad. His father asked him, “Did you find out the difference between potentially and realistically?”

The boy replied, “Yes… Potentially, you and I are sitting on three million dollars… But realistically… we’re living with two sluts and a gay guy.”

Original post on:

Potentially Vs. Realistically

via Dilbert.com Blog on 20/03/09
I call it the Rule of Twelve, and it states that if you know twelve concepts about a given topic you will look like an expert to people who only know two or three. If you learn more than twelve concepts about a topic, the value of each additional one drops off considerably.

Allow me to be the first to confess that twelve is not a magic and inviolable number. It just sounds better than The Rule of Several, Give or Take Two or Three, With Lots of Exceptions. So don't get hung up on the number twelve.

The power of this rule is that seemingly impenetrable topics are less intimidating if you know there are only a dozen concepts to learn. And often the details of a subject are unimportant if you know the big concepts. Let me give you an example.

As I've mentioned, my wife and I are in the process of building a house. One of our goals was to make it as energy efficient as practical, while still having the features we wanted. And that meant learning the twelve-or-so concepts of green building that would get us where we wanted to go. Those concepts aren't neatly listed anywhere, so you have to flail around until you scare them up. For example, I spent a huge amount of time trying to figure out the best type of insulation for the walls. I looked at everything from SIPS to hippy ideas about hay and compressed dirt, to blown-in cellulose, to standard batting. And it seemed no one could give me a definitive answer on what R-value was best for a home in my area. Big developers used whatever was cheapest and met code, because they didn't have to pay the utility bills after their homes were sold. And every individual home builder and owner seemed to have his own theory on insulation type.

Eventually we talked to some engineers who explained some of the twelve concepts to us, and that made the decision easy. It turns out that in my climate, no matter how you insulate the walls, it's the windows and roof that will determine (mostly) how much heat penetrates your house. There was never a need to learn about exotic wall insulation methods. We just had to make sure we knew the twelve concepts about windows, roofs, thermal mass, orientation to the sun, chimney effect, and a few other concepts more important than wall insulation.

If someone is explaining a subject to you by listing lots of facts and examples, without explaining any of the twelve concepts, you probably aren't learning anything useful.

via xkcd.com on 17/03/09
The same goes for the one where you're wrestling the Green Ranger in the swimming pool full of Crisco.  You guys all have that dream, right?  It's not just me.  Right?

via Daring Fireball by John Gruber on 17/02/09

Ian Betteridge reports that there is a new Android phone debuting at Mobile World Congress — the HTC Magic, a.k.a. the G2.

via Planet OpenID on 11/02/09

A technology works in theory if you have a piece of software and you can make it do what you want it to do for the purposes of demonstrating it and letting others try it out.

It works in practice if people who utterly don't care about your technology successfully use it because it makes life easier for them.

Plaxo and Google yesterday reported that they took 1000 random Google users who were interested in signing up at Plaxo, gave them a combination of OpenID, OAuth, and a user interface targeted to this particular situation, and measured how many users would actually manage to sign up via OpenID instead of username and password. No prior OpenID or other knowledge was required. It turns out that 92 percent of those random users managed to sign up at Plaxo.

Does your website manage to register 92 percent of the people who want to, with the supposedly simpler username and password? Didn't think so either.

That is very impressive. Congratulations to Joseph and Eric and their teams.

It clearly shows where the OpenID user experience needs to go. (Nothing particularly hard there, but a bit against conventional wisdom so far.)

Even more importantly, it proves in practice that the theoretical benefit of "easier sign-up for users" is actually real and can be measured, and beats the state of the art. If your competitor manages to sign up 92 percent of potential customers, and your site remains at, say, 50 percent — do you really think you can survive that for long?

via Violent Acres by fake.email.address.ha on 10/01/08

I went hiking today and on my way home, I decided to stop by a gas station and grab myself a bottle of diet pepsi. In the middle of the afternoon, during the week, is typically a very slow time for a gas station and today was no exception. When I walked in, the gas station attendant was apparently so aimless that she had time to get into a very involved conversation with the only other customer in the store.

The women were both very animatedly discussing marriage. The customer kept interrupting the attendant to insist that ‘she didn’t need to get married, she could be perfectly happy being alone for the rest of her life!’ in that way that people do when they’re trying to convince themselves more than they’re trying to convince you. Still, the attendant nodded enthusiastically in agreement.

After grabbing my diet, I stood behind them uncomfortably gnawing my bottom lip. A couple of times, I considered holding up my bottle and asking, “Hi! Do you mind if I just buy this and leave?” But, I refrained because I was raised to believe that interrupting is impolite.

Finally, the gas station attendant acknowledged me, although she had no interest in actually ringing up my purchase. Instead, she asked, “You’re not married, are you?”

“Well, yeah. I am,” I answered.

“You guys probably haven’t been together for long, though, right?”

“Well, um, almost 8 years now.”

Both the attendant and the customer crowed at me, awestruck, as if I just told them I was preparing to celebrate my 50th wedding anniversary or something. You know the institution of marriage is in trouble when anything over 2 years is considered impressive.

“Wow! People like you are a dying breed,” the customer said, “Not many people can get married nowadays and make it work!”

“Well,” I replied carefully, “A lot of people go into marriage with a lot of unrealistic expectations.”

“Ain’t that the truth!”

At that point, I plopped my diet pepsi on the counter, gave the attendant a very meaningful glance, and sighed in relief when she took the hint and rung me out. After all, I seriously have better things to do than discuss the ins and outs of my relationship in a goddamn gas station.

But the whole thing did get me thinking about the expectations people seem to have about marriage. From what I can gather, it seems as though people get married hoping for a fairytale. They envision a lifetime of being completely in sync with another person, where every situation is tackled zestfully and worked out with optimal results and no one ever feels the least bit lonely or taken for granted or unloved. Oftentimes, if you ask them, they’ll concede that people do change, but in their particular case, they are expecting to change together because they are best friends and soul mates and they intend to stay that way forever.

Two years later, when they’re filing for divorce, you’ll find them wondering where they went wrong. The easy answer is, there is no such thing as fairytales. A marriage is a series of peaks and valleys. Sometimes, you’ll be so in love with your partner that you can’t imagine life without them. Other times? Not so much. Hell, there will be moments in your marriage where you won’t even particularly like your spouse. People who say there’s no place for ambivalence in a marriage usually haven’t been married for very long.

Unfortunately, when plunged deep into the valley for the very first time, most couples panic and call the marriage counselor. If that doesn’t prove to be a quick fix, they find an attorney. After an expensive, bitter, hateful divorce, they go their separate ways destined to repeat the entire scenario with their next spouse.

No one ever tells them that the valleys are temporary. If they wait it out with good humor, they’ll likely peak again.

I don’t really know how men feel about the valleys in a marriage. However, I do know women tend to overreact intensely to any sign of dissatisfaction in the marital home. Women have an almost obsessive need to feel connected to their partner and even the slightest amount of distance instigates crying fits, martyrdom, temper tantrums, blame games and other overemotional displays of womanly angst. A man forgets one birthday or is less than enthused about a single outing and suddenly the love is gone and the relationship is dead. Unfortunately, jumping the gun or attempting to force a connection never helps. You can’t nag your way into a happy marriage.

I’m not a marriage expert. As I said earlier, I’ve only been married a shade under a decade myself. However, I’ve found that when my marriage hits a valley, a useful and effective thing to do is occupy my time somewhere else. I’ll take up a new hobby, get involved with another cause, or make a new friend. If I want to take up salsa dancing and my husband doesn’t, I don’t whine and cry that he never does anything I want to do or insist he doesn’t love me anymore. Instead, I’ll shrug my shoulders and go salsa dancing myself.

A long time ago, it occurred to me that we are two separate people who will likely grow and change over the years, but it’s not necessary for us to live the exact same lives. Sometimes, we’ve got to be willing to do our own thing. Our individual identities are our own and we’ve got to take some personal responsibility for our satisfaction in life instead of depending on each other to make us happy.

Besides, in doing our own thing, we often find more things to love about each other. No matter how long and tedious the valley may seem at the time, we always peak again.

via xkcd by xkcd on 14/01/08

Edit 2: Oh God Oh God 4chan has Robot9000. soup /r9k/. Have fun with the bot and do one last barrel roll for me.

Edit: As expected, with the huge flood of new traffic after this post went up, the channel is full of new folks coming in and playing with the bot. This is unavoidable and expected for these first few days, and ROBOT9000 is actually controlling the noise pretty well. Still, #xkcd-signal is a social channel — if you just want to play games with the moderator/concept, please use #moderator-sandbox. Thanks!

#xkcd has had about 250 chatters these days. Large communities suck. This problem is hard to solve, but we’ve come up with a fun attack on it — enforced originality (in a very narrow sense). My friend zigdon and I have put together an auto-moderation system in an experimental channel, #xkcd-signal, and it seems to work well, so we invite you all to take part.

When social communities grow past a certain point (Dunbar’s Number?), they start to suck. Be they sororities or IRC channels, there’s a point where they get big enough that nobody knows everybody anymore. The community becomes overwhelmed with noise from various small cliques and floods of obnoxious people and the signal-to-noise ratio eventually drops to near-zero — no signal, just noise. This has happened to every channel I’ve been on that started small and slowly got big.

There are a couple of standard ways to deal with this, and each one has problems. Here’s an outline of the major approaches (skip down if you just want to read about ROBOT9000):

  • Strict entry requirements: This is the secret club/sorority approach. You can vet every new person before they’re allowed to speak. This sucks. It reminds me of Feynman’s comment on resigning the National Academy of Sciences — he said that he saw no point in belonging to an organization that spent most of its time deciding who to let in. The problems are apparent during sorority rush week on college campuses. Not only is the question of who does the vetting (and how) difficult, but the drama reaches horrifying levels as bitter counter-cliques rise up and do battle.
  • Moderators: This is the approach IRC channels and forums usually take. You designate a few ‘good’ people who can deal with noise as it happens, by muting, kicking, banning, or editing content as need be. There are a couple problems here — the circle of moderators has to grow with the community. It eventually becomes fairly large, with complicated dynamics of its own, and the process of choosing moderators leads to sorority/NSF-esque drama and general obnoxiousness. I don’t like the elitism that inevitably develops, and prefer more egalitarian systems.
  • Running peer-moderation: When it’s possible, this is a good approach. It’s used to great effect on comment threads, with Slashdot pioneering the whole thing and sites like reddit stripping it down to an effective core. But it doesn’t work very well for live time-dependent things like IRC channels.
  • Splinter communities: This has happened on most IRC channels I’ve been on — small invite-only side channels sprout up with particular focuses. Often, the older core members of the community go off to create their own high-signal channel, which is generally kept quiet. But this is limited — it lacks the open mixing of the internet that often makes online communities work.

I was trying to decide what made a channel consistently enjoyable. A common factor in my favorite hangouts seemed to be a focus on original and unpredictable content on each line. It didn’t necessarily need to be useful, just interesting. I started trying to think of ways to encourage this.

And then I had an idea — what if you were only allowed to say sentences that had never been said before, ever? A bot with access to the full channel logs could kick you out when you repeated something that had already been said. There would be no “all your base are belong to us”, no “lol”, no “asl”, no “there are no girls on the internet”. No “I know rite”, no “hi everyone”, no “morning sucks.” Just thoughtful, full sentences.

There are a few obvious questions/objections, and I think each of them has been answered by experiment:

Q: Can’t you just tack a random set of letters on the end to ensure your line is unique (or misspell things, add in gibberish, etc)?

A: Of course. The moderator has plenty of holes if you’re acting in bad faith. But if you’re doing that, why are you in the channel at all? Folks who persist in doing this anyway earn (like any spammers) a prompt manual ban.

Q: Won’t it get harder and harder to chat as lines get “used up”?

A: You underestimate the number of possible sentences. We’ve been working off two years (2 million lines) of logs, and it’s not very hard at all — I expect the channel will be able to run for at least a decade before it becomes a problem, and probably long past that.

Q: What about common parts of conversation, like “yeah” and the like?

A: Surprisingly, it doesn’t seem to be a huge problem. In some cases, they can be done without entirely, and in others, you’re just forced to elaborate a little bit on what you’re agreeing with and why.

I talked it over with zigdon, a Perl guru, and he coded it up. We called the project ROBOT9000 (the most generic, unoriginal name for a bot that we could think of). Then we started a sister channel to #xkcd and put the bot in it. #xkcd-signal has been running for the last couple weeks (using the last two years of #xkcd logs) with about 60 reasonably active chatters, and it’s working beautifully — good, solid chat between relative strangers, with very little noise. (We’ll see how it handles the influx of people as we announce the experiment to the wider net.)

In zig’s implementation, the moderator bot mutes (-v) chatters for a period after every violation. The mute time starts at two seconds and quadruples with each subsequent violation, so you have five or six tries to get the hang of it. Your mute-time decays by half every six hours (we’re still tweaking the parameters). When looking for matches, the bot ignores punctuation, case, and nicks.
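As an added illustration (this is not zig's Perl bot and not code from the post), here is a Python sketch of the matching and muting rules described above: lines are normalised by dropping nicks, punctuation and case before being compared against everything already said, the mute starts at two seconds and quadruples with each violation, and the pending mute halves for every full six hours that pass without a violation. That decay schedule is my reading of "decays by half every six hours"; the real bot's parameters were still being tweaked. The log lines and nicks used are constructed for the demo.

```python
from __future__ import annotations

import re
import time
from dataclasses import dataclass, field

# Parameters as described in the post (seconds assumed as the unit).
BASE_MUTE = 2.0            # first violation mutes for two seconds
GROWTH = 4.0               # each further violation quadruples the mute
DECAY_PERIOD = 6 * 3600.0  # pending mute halves per six hours without a violation

_PUNCT = re.compile(r"[^\w\s]")


def normalize(line: str, nicks: set[str]) -> str:
    """Canonical form used for matching: nicks dropped, punctuation stripped,
    case folded, whitespace collapsed. Two lines with the same canonical form
    count as a repeat, so 'Hi, everyone' matches a logged 'hi everyone'."""
    words = []
    for token in line.split():
        bare = _PUNCT.sub("", token).casefold()
        if not bare or bare in nicks:      # skip punctuation-only tokens and nicks
            continue
        words.append(bare)
    return " ".join(words)


@dataclass
class Chatter:
    muted_until: float = 0.0
    next_mute: float = BASE_MUTE
    last_violation: float | None = None


@dataclass
class Robot9000:
    nicks: set[str]                                     # channel nicks, lower-case
    seen: set[str] = field(default_factory=set)         # every canonical line ever said
    chatters: dict[str, Chatter] = field(default_factory=dict)

    def load_logs(self, lines) -> int:
        """Seed the 'already said' set from historical logs; returns its size."""
        for line in lines:
            key = normalize(line, self.nicks)
            if key:
                self.seen.add(key)
        return len(self.seen)

    def handle(self, nick: str, line: str, now: float | None = None):
        """Process one message. Returns (accepted, seconds_muted). Accepted lines
        are recorded; a repeat (or a line with no content) earns a mute instead."""
        now = time.time() if now is None else now
        c = self.chatters.setdefault(nick, Chatter())
        if now < c.muted_until:                         # still serving a mute
            return False, c.muted_until - now
        key = normalize(line, self.nicks)
        if key and key not in self.seen:
            self.seen.add(key)
            return True, 0.0
        # Violation. Apply decay first: halve the pending mute for every full
        # six-hour period since the last violation, never below the base value.
        if c.last_violation is not None:
            periods = int((now - c.last_violation) // DECAY_PERIOD)
            c.next_mute = max(BASE_MUTE, c.next_mute / (2 ** periods))
        mute = c.next_mute
        c.muted_until = now + mute
        c.next_mute = mute * GROWTH
        c.last_violation = now
        return False, mute


if __name__ == "__main__":
    # Constructed log lines and nicks, not real #xkcd data.
    bot = Robot9000(nicks={"alice", "bob"})
    bot.load_logs(["hi everyone", "Bob: lol!!"])
    print(bot.handle("alice", "Hi, everyone", now=0.0))    # repeat -> (False, 2.0)
    print(bot.handle("alice", "LOL", now=3.0))              # repeat -> (False, 8.0)
    print(bot.handle("alice", "a sentence nobody has typed before", now=20.0))
```

The normalisation step is where the bad-faith holes the post admits to live: a trailing nonsense token changes the canonical form, so the bot, like the real one, leaves those cases to a human ban rather than trying to detect them.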

The big problem we ran into, actually, was meta-discussion overwhelming the channel. Every new person wanted to speculate about the rules and their effect, and every violation was followed by a long postmortem. At first, we had a scoreboard showing who was the best at talking without violation, but this quickly turned into a competition, destroying actual chat. When we took down the scoreboard and banished meta-discussion of the channel to #meta-discussion, everything worked out nicely. (And, of course, for discussion of the concept of #meta-discussion people had to go to #meta-meta-discussion, and for chat about how silly that whole idea was, we created #meta-meta-meta-discussion …)

You’re welcome to come hang out with us. The moderator bot is running in #xkcd-signal on Foonetic (irc.foonetic.net or irc.xkcd.com). But again, it’s a social channel; take discussion of the concept to #meta-discussion.

If you’d like to run this bot in your own channel, zig has published an initial version of the code here:

http://media.peeron.com/tmp/ROBOT9000.html (Perl bot, SQL skeleton)

via Coding Horror on 08/09/07

The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password "Fgpyyih804423" in 160 seconds. Most people would consider that password fairly secure. The Microsoft password strength checker rates it "strong". The Geekwisdom password strength meter rates it "mediocre".

Why is Ophcrack so fast? Because it uses Rainbow Tables. No, not the kind of rainbows I have as my desktop background.

A screenshot of my windows desktop. Oh Hello Kitty, I've fallen in love with you all over again.

Although those are beautiful, too.

To understand how rainbow tables work, you first have to understand how passwords are stored on computers, whether on your own desktop, or on a remote web server somewhere.

Passwords are never stored in plaintext. At least they shouldn't be, unless you're building the world's most insecure system using the world's most naïve programmers. Instead, passwords are stored as the output of a hash function. Hashes are one-way operations. Even if an attacker gained access to the hashed version of your password, it's not possible to reconstitute the password from the hash value alone.

But it is possible to attack the hashed value of your password using rainbow tables: enormous, pre-computed hash values for every possible combination of characters. An attacking PC could certainly calculate all these hashes on the fly, but taking advantage of a massive table of pre-computed hash values enables the attack to proceed several orders of magnitude faster-- assuming the attacking machine has enough RAM to store the entire table (or at least most of it) in memory. It's a classic time-memory tradeoff, exactly the sort of cheating shortcut you'd expect a black hat attacker to take.

How enormous are rainbow tables? The installation dialog for Ophcrack should give you an idea:

[Screenshot: rainbow hash table sizes from the Ophcrack installation dialog]

It takes a long time to generate these massive rainbow tables, but once they're out there, every attacking computer can leverage those tables to make their attacks on hashed passwords that much more potent.

The smallest rainbow table available is the basic alphanumeric one, and even it is 388 megabytes. That's the default table you get with the Ophcrack bootable ISO. Even that small-ish table is remarkably effective. I used it to attack some passwords I set up in a Windows XP virtual machine with the following results:

Password                              found?   seconds
Password1!                            no       700
Fgpyyih804423                         yes      159
Fgpyyih80442%                         no       700
saMejus9                              yes      140
thequickbrownfoxjumpsoverthelazydog   no       700

You wouldn't expect this rainbow table to work on the passwords with non-alphanumeric characters (%&^$# and the like) because the table doesn't contain those characters. You'll also note that passphrases, which I am a big fan of, are immune to this technique due to their length. But then again, this attack covered 99.9% of all possible 14 character alphanumeric passwords in 11 minutes, and that was with the smallest of the available rainbow tables. We could do better by using larger, more complete rainbow tables. The Ophcrack documentation describes the differences between the available rainbow tables it uses:

Alphanumeric 10k (388 MB): Contains the LanManager hashes of 99.9% of all alphanumerical passwords. These are passwords made of mixed case letters and numbers (about 80 billion hashes). Because the LanManager hash cuts passwords into two pieces of 7 characters, passwords of length 1 to 14 can be cracked with this table set. Since the LanManager hash is also not case sensitive, the 80 billion hashes in this table set correspond to 12 septillion (or 2^83) passwords.
Alphanumeric 5k (720 MB): Contains the LanManager hashes of 99.9% of all alphanumerical passwords. However, because the tables are twice as large, cracking is about four times faster if you have at least 1 GB of RAM.
Extended (7.5 GB): Contains the LanManager hashes of 96% of all passwords made of up to 14 mixed case letters, numbers and the following 33 special characters: !"#$%&'()*+,-./:;<=>?@[\]^_`{|} ~. There are about 7 trillion hashes in this table set covering 5 octillion (or 2^92) passwords.
NT (8.5 GB): You can use this table set to crack the NT hashes on machines where the LanManager hash has been disabled. The set contains 99.0% of the hashes of the passwords made of the following characters:
  • up to 6 mixed case letters, numbers and 33 special characters (same as above)
  • 7 mixed-case letters and numbers
  • 8 lower-case letters and numbers

There are 7 trillion hashes in this table, corresponding to 7 trillion passwords (the NT hash does not suffer from the weaknesses of the LanManager hash).

Note that all rainbow tables have specific lengths and character sets they work in. Passwords that are too long, or contain a character not in the table's character set, are completely immune to attack from that rainbow table.

Unfortunately, Windows servers are particularly vulnerable to rainbow table attack, due to unforgivably weak legacy Lan Manager hashes. I'm stunned that the legacy Lan Manager support "feature" is still enabled by default in Windows Server 2003. It's highly advisable that you disable Lan Manager hashes, particularly on Windows servers which happen to store domain credentials for every single user. It'd be an awful shame to inconvenience all your Windows 98 users, but I think the increase in security is worth it.

I read that Windows Server 2008 will finally kill off LM hashes when it's released next year. Windows Vista already removed support for these obsolete hashes on the desktop. Running OphCrack on my Vista box results in this dialog:

All LM hashes are empty. Please use NT hash tables to crack the remaining hashes.

I'd love to, but I can't find a reliable source for the 8.5 GB rainbow table of NT hashes that I need to proceed.

The Ophcrack tool isn't very flexible. It doesn't allow you to generate your own rainbow tables. For that, you'll need to use the Project Rainbow Crack tools, which can be used to attack almost any character set and any hashing algorithm. But beware. There's a reason rainbow table attacks have only emerged recently, as the price of 2 to 4 gigabytes of memory in a desktop machine has approached realistic levels. When I said massive, I meant it. Here are some generated rainbow table sizes for the more secure NT hash:

Character Set Length Table Size
ABCDEFGHIJKLMNOPQRSTUVWXYZ 14 0.6 GB
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 14 3 GB
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+= 14 24 GB
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ 14 64 GB

A rainbow table attack is usually overkill for a desktop machine. If hackers have physical access to the machine, security is irrelevant. That's rule number 3 in the 10 Immutable Laws of Computer Security. There are any number of tools that can reset passwords given physical access to the machine.

But when a remote hacker obtains a large list of hashed passwords from a server or database, we're in trouble. There's significant risk from a rainbow table attack. That's why you should never rely on hashes alone-- always add some salt to your hash so the resulting hash values are unique. Salting a hash sounds complicated (and vaguely delicious), but it's quite simple. You prefix a unique value to the password before hashing it:

hash = md5('deliciously-salty-' + password)

If you've salted your password hashes, an attacker can't use a rainbow table attack against you-- the hash results from "password" and "deliciously-salty-password" won't match. Unless your hacker somehow knows that all your hashes are "deliciously-salty-" ones. Even then, he or she would have to generate a custom rainbow table specifically for you.
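To make the time-memory tradeoff and the salting argument concrete, here is an added Python example (not Ophcrack's, RainbowCrack's or the post's own code) that builds a toy rainbow table over three-character lowercase-alphanumeric passwords with MD5 and a simple family of reduction functions, recovers a password from its hash through the table, and shows that the same lookup finds nothing once a salt is prefixed. The charset, chain length and chain count are assumptions chosen so the whole thing runs in about a second; a real table uses LM or NT hashes, 14-character spaces and gigabytes of chains.

```python
import hashlib
import random
import string

# Toy parameters (assumptions for this demo, not Ophcrack's): a password space
# small enough to build in about a second, with chains long enough to matter.
CHARSET = string.ascii_lowercase + string.digits
PW_LEN = 3                        # 36**3 = 46,656 possible passwords
SPACE = len(CHARSET) ** PW_LEN
CHAIN_LEN = 100                   # hashes per chain (the "t" in m*t)
N_CHAINS = 800                    # chains kept (the "m"); m*t is ~1.7x the space


def H(text: str) -> bytes:
    """The hash under attack. MD5 stands in for LM/NT here; the table stores
    only chain endpoints, never the 80,000 intermediate hashes it computed."""
    return hashlib.md5(text.encode()).digest()


def R(i: int, h: bytes) -> str:
    """i-th reduction function: maps a hash back to *some* password in the
    space. A different function per chain position is what makes the table
    'rainbow' rather than a plain Hellman table, and limits chain merges."""
    n = (int.from_bytes(h[:8], "big") + i) % SPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def build_table(seed: int = 1) -> dict:
    """Precompute chains; store only endpoint -> [start passwords]."""
    rng = random.Random(seed)
    table = {}
    for _ in range(N_CHAINS):
        start = "".join(rng.choice(CHARSET) for _ in range(PW_LEN))
        p = start
        for i in range(CHAIN_LEN):
            p = R(i, H(p))
        table.setdefault(p, []).append(start)
    return table


def lookup(table: dict, target: bytes):
    """Return a password whose hash is `target`, or None if the table does not
    cover it. Costs O(t^2) hashes instead of hashing the whole space."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        # Guess that target sits at position i of some chain; finish that chain.
        p = R(i, target)
        for j in range(i + 1, CHAIN_LEN):
            p = R(j, H(p))
        for start in table.get(p, ()):
            # Candidate chain: walk it from its start looking for the hash.
            q = start
            for k in range(CHAIN_LEN):
                h = H(q)
                if h == target:
                    return q
                q = R(k, h)
    return None


def coverage(table: dict) -> float:
    """Fraction of the password space that appears in some chain. Chains merge,
    so m*t > space still does not give 100% coverage (cf. the 99.9% figures)."""
    seen = set()
    for starts in table.values():
        for start in starts:
            p = start
            for i in range(CHAIN_LEN):
                seen.add(p)
                p = R(i, H(p))
    return len(seen) / SPACE


def salted_hash(salt: str, password: str) -> bytes:
    """The post's defence: prefix a value before hashing. The table above was
    built for 3-character inputs, so the salted input lies outside its space."""
    return H(salt + password)


if __name__ == "__main__":
    table = build_table()
    victim = next(iter(table.values()))[0]          # a password we know is covered
    print("coverage: %.0f%% of the space" % (100 * coverage(table)))
    print("unsalted:", lookup(table, H(victim)))    # recovered from the table
    print("salted:  ", lookup(table, salted_hash("deliciously-salty-", victim)))
```

Two things worth taking from the run: coverage stays well below 100% even though the chains compute more hashes than there are passwords, which is why the Ophcrack tables quote 99.9% rather than "all", and the salted lookup returns None not because MD5 got any stronger but because the precomputation was done for the wrong input space. A per-user salt forces a fresh table per user; it does nothing to slow a direct brute-force of a single hash, which is the part Thomas Ptacek's response linked below addresses.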

UPDATE: Please read Thomas Ptacek's excellent and informative response to this post. It goes into much more detail about the nuts and bolts of password hashing. Unlike me, Thomas is a real security expert.



photo by: ?
capped and submitted by: Ben