America, Fuck Yeah!

Published on December 12, 2009 in Uncategorized. 0 Comments

Another unfinished blog from January 27, 2008.


I watched some clip from an Australian TV show asking random American’s questions about different countries, political leaders etc. Basically it was to point out why the rest of the world thinks we’re stupid.

Here are a few questions for you:

Which country laid the foundation for the the internet?

Which country does the rest of the world send it’s best and brightest students to learn?

Who dominates up in this bitch?

Answer: Not Australia.

It took every major European economic power to combine to compete with US. And we’re still holding our own.

Don’t get me wrong, America has it’s share of stupid people. We have loads of stupid people. But despite that, America has made pretty much every major contribution for the past two centuries.

Think about it:

Flight – The Wright Brothers “discovered” human flight. Then Bill Boeing made the sky’s his bitch. Airbus is competing with Boeing, thanks to large EU subsidies. Still everyone in the flight industry knows, Boeing planes are more reliable and better built than Airbus.

Microsoft, dominates the computer. Apple is second. And Google owns the internet.

Cars – Okay, American cars suck. But only in america. Else where they’re far more reliable. Thats a wierd one.

Tools – American tools last a lifetime.

Electronics – They’re hard to comeby and they’re pricey, but american made electronics easily rival their japanese and german counterparts.

The Password: Internet’s Achiles Heel

Published on December 12, 2009 in Uncategorized. 1 Comment

This is another unpublished blog from March 31st, 2009. I’m publishing these not quite done blogs prior to my refresh.
—-
Today alone, I’ve read two different pages related to password word security for websites. One asked why some websites limit passwords up to 10 characters, and the other discussing some wacky scheme to come up with an easy to remember but hard to guess passwords.

Okay, let’s talk about passwords. They suck. Specifically, they suck at what they are tasked to do: protect your data. Why? Simply, it’s too damn hard to protect your password(s).

Passwords are vulnerable to many common attacks, and I’ll enumerate some of them.

Password’s can be attacked based on strength. A password strength is determined by mainly: it’s hard to guess. By guess, I don’t mean, pull out of thin air like a human does, but guess as a computer guesses, by trial-and-error over a known set of values.

The least most sophisticated, but still effective attack against password strength is a brute-force attack. That is, the computer (or groups of computers) try every combination of characters until it finds a match. This site has a pretty good table of password complexity to cracking time by brute force guessing.

There are a number of safeguards for this attack, that a surprising number of systems don’t employ:
1) Only allow a few failed attempts before locking an account
2) Require complex passwords

Another common attack is a dictionary attack. Again this is a brute force attack, a bunch of values are tried until success, using predetermined values. There are a number of websites that list the most common passwords, and for good reason, so many people still use them.

Again, limiting the number of attempts will prevent compromise, as well as enforcing a password complexity that does not allow dictionary words. You would be surprised to see the size of these dictionaries, including most foreign words, as well as common translations such as: score -> $c0r3 etc.

A simple way of storing passwords is to not store them at all (since passwords are as valuable as the data they protect it makes sense to avoid exposing them). Instead it’s to take them, convert them into something else (hopefully deterministically), then store that. As example: “god123″ -(x)-> 38ef28scF. Then during login, we can convert the value, and compare the result with what we stored, and if it matches then we have success. If an attacker is able to access our database that stores our hashes (again protect by a password!) they can use a rainbow table–basically a bunch of precomputed hashes, to reverse lookup our passwords.

To protect against this attack, it’s common to “salt” the hash. That is, add some extra known values to the end of the password, prior to hashing it to obtain a (hopefully) unique value. Example: “god123″ + “!#12#&” -(x)-> e4fced8021. Of course now this means the salt is now valuable must also be guarded.

Then there is the case of hashing. Not all hashing functions are made equal. For there to be an effective hash, it should have high collision resistance. Said another way: it should be rare (like astronomical odds) that two inputs produce the same output. If they do, that’s a collision, and if the hashing algorithm produces a lot of collisions, then my job to find matching passwords is reduced by that amount.

Yet another attack is the man in the middle attack:

I can put up a webpage that fools you into giving me your password, and then use that to login as you. Web browsers have protections in place to verify the authenticity of a website, but how many users are savvy enough to understand those little certificate errors?

Then there is the case of the people whom you give our password out to. I’ve worked on a number of systems that submit your password over the internet in plaintext (ie without encrypting it). How many people use the same passwords for multiple websites? It’s bad practice for sure, but I know I’m guilty of it!

Unfortunately, despite they’re many vulnerabilities (and I’ve only scratched the surface), passwords are still here to stay.

Interviews

Published on December 12, 2009 in Programming. 0 Comments Tags: , .

This was an unpublished draft from 9-23-2009. I’m going through and publishing my not-quite-ready-for-prime-time blogs prior to my refresh.

—-
Interviewing for Software jobs sucks.

You have to answer silly pseudo-technical questions that are designed to show the interviewer “think” but doesn’t really offer any real insight into their true capabilities.

To me, interviews should do three things:

1) Prove that your resume is not bullshit. Prove that you understand the fundamentals required for the job.
2) Show that you are capable of solving a business need of the company.
3) Prove that your personality is a good fit with the company.

You might be asked to write a program to reverse a string. So take the string “foobar” and turn it into “raboof.”

The problems with these types of questions is that they don’t represent real world problems. Reordering a string might be an issue if you’re programming in assembly or C, but in any other language, it’s unnecessary. What have you proven? That you can do simple high-school level programming tests? And if you give the sensible answer “Call String Reverse” you’ll get crapped on because the person doing the interview would rather prove how smart *they* are rather than judge your abilities. I remember one interview, I was asked “How do you convert a string into a number in C++?” So take “1234″ and convert that into the numerical value. I said “Easy. Use the standard stringstream class. It’s written by smart people (the language writers) and it’s safe.” Of course that wasn’t the “right” answer (it is, actually) because it was too easy.

How about figuring out if this person knows the fundamentals of being a good engineer?

Other interviewers will ask you silly brain teasers like why is Oct31 and Dec25 the same?

Again, pointless.

I’ve had the pleasure of interviewing candidates and I refuse to ask them these pointless questions. Instead I ask them questions that show that they have a basic understanding of engineering principals. Then, because I am a real developer, and I’m working on real problems, I typically will ask them a question related to what I’m working on.

I remember asking one candidate how would he ensure that database was kept in sync with an OpenLDAP Directory (which is what I was working on at the time). The candidate came up with a clever solution (clever because it was the same solution I had already come up with days earlier since I am zee bomb), and I knew this person would be capable. From time to time, if I’ve just learned some new nuance about something, I might ask them if they knew about it. If they did, bonus points, if not, no big deal.

I’ve heard that Google conducts their interviews as if they were a PhD oral examination. This ensure they’re hire the smartest of the smarts, yet they can’t make compelling products (a more cogent anti-google argument will be explained in a later blog).

MSFT is notorious for using the brain teaser approach to hiring software engineers. Instead of wanting to know how to reverse a linked list, perhaps knowing something about buffer overflows and why they’re bad might be something a bit more important.

Chicago (Pics)

Published on September 23, 2009 in Health and Photography. 1 Comment

A few weekends ago I was in Chicago for the Chicago Half Marathon. My performance was pretty abysmal–the only thing I could take comfort in was that I finished as at least 4000 runners did not. I’m not gonna make excuses for myself, and we all know losers always whine about doing their best. Anyway, pictures from around Chicago after the jump.

Continue reading ‘Chicago (Pics)’

The Ten Commandments of Barbecue

Published on June 8, 2009 in Food. 1 Comment Tags: .

Last night I was smoking meat (insert all the gay jokes you can) in preparation for a Barbecue, and the applewood smoke caused a vision. I was alone, atop a rocky mountain and I saw a burning shrub who spoke these words to me, and instructed me to pass them along.

  1. Charcoal is the one true method of BBQ. No other methods shall come before it.
  2. Never take the BBQ name in vain. Thou shalt only BBQ Pork. All other food may be grilled, but only Pork shall be designated BBQ.
  3. Honor thy host and hostess: thou shalt never attend a BBQ empty handed. Chips are acceptable as an offering unless thine host claims a potluck. To which offering chips becomes a sin.
  4. Thou shalt always provide corn bread for your guests.
  5. Thou shalt not ask guests to bring food to a BBQ unless you declare a potluck.
  6. Thou shalt never be more than 20 minutes late to a BBQ. In doing so, thy name shalt not be spoken of for 127 days.
  7. Thou shalt not steal. Thou shalt never ask for a ribplate to take home. Only a host may decide if those who could not attend a BBQ are worthy of a ribplate.
  8. Thou shalt never use the same utensils for cooked and uncooked food.
  9. Thou shalt not use store bought BBQ sauce.
  10. If thou is an Acolyte to the ways of the BBQ, food of the Chinese takeout persuasion is an acceptable form of backup.