0 readers, 38 topics

An Observation About Passphrases: Syntax vs Entropy

I suggested in the article to use passphrases instead of «traditional» passwords, for multiple reasons, including: sheer strength, memorability, and conforming to idiotic password creation policies without actually following detrimental recommendations of the policy authors.

This recommendation gives rise to a reasonable doubt: «what if syntactically correct phrases are as weak as dictionary words in comparison to a random string of symbols?''. Indeed, syntax itself should weaken a passphrase, as it provides some „predictability'' to the phrase. I want to address this problem, by comparing syntactically correct passphrases to random collections of words (which we all consider sufficiently strong… hopefully).
Read more →

Password Strength Explained

This is a scheme of how we define password strength in a strict scientific manner without bullshit and lyrics:

1. we clarify what is a guessing attack and set aside all other types of attacks;

2. we prove the theorem: any two guessing attacks differ ONLY by the ORDER in which they try candidate-passwords;

3. we demonstrate that password strength (in any practical sense) is a function of an attack;

4. the strength of a given password is the position of this password in the attacker's dictionary;

5. the defender's strategy is an approximation of the attack dictionary order;

6. an approximate order is equivalent to a specific set of orders (i.e. different attacks);

7. thus, the defender's password strength is an expected value for the password strength over the given set of attacks.

You can read the implementation of this scheme in my paper: "A Canonical Password Strength Measure". It gives us a feasible meaningful unambiguous measure that everyone can implement.

It is also worth noticing that Shannon's entropy is entirely irrelevant to the password strength problem. Entropy is based on the ASSUMPTION of possible outcomes. This set is well defined in the context of measuring a memory size, and not defined at all in the context of password creation/guessing.

In contrast to my work, the «password strength» discourse is extraordinarily rich on bullshit. Take a look at this masterpiece. This is a great example of how to write some 35K of text without answering the question, and even without understanding the subject. Let me quote the key paragraph:

Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.

This is one of the best non-answers I have ever seen, and a very succinct one too. No wonder it originates from the government officials! It obscures the matter it addresses in almost every word — «effectiveness», «resisting», «complexity», «unpredictability» — what are they? So, essentially the quoted paragraph reads:

Password strength is a function of something unknown to us.

It is time for us to do some trivial maths and terminate the «password strength» nonsense.

Your "A++++" Air Conditioner Wastes Half Of Its Labour

It doesn't mean the «energy efficiency» rating is wrongfully stated, the statement is true, regarding electrical efficiency of the device, yet the cold produced by the device is not delivered to your house as you might think. It is split unevenly between your house and the Earth's atmosphere, where less than 1/2 is delivered to you, all the rest surprisingly enough is dumped into the atmosphere, no matter how many «pluses» they print on the energy efficiency label.

Forget about «A++++» — let's do some elementary physics

This beautiful picture is not true. Well, technically it is not entirely untrue, in absolutely dry air this picture is true, for example in Atacama desert or on Mars, but chances are the atmosphere of your house contains plenty of water, which is not mentioned on the picture. When your air conditioner cools air down it cools ALL components, of which the significant part is water vapour. The water vapour concentration is limited by the air temperature, lower the temperature lower is the maximum possible water content. That creates the dew point phenomenon. If you drop the air temperature below a certain level water condenses out, and your air conditioner heat exchanger operates most certainly below the dew point, this is why water comes out from the device. ...And goes straight outdoors carrying the cold produced on your expense to the earth atmosphere. So that the correct scheme should look like this:

water separation

Please, stop chanting «A+++++»

Even if we assume 100% efficiency of the device, it simply DISPOSES OF a significant part of its END PRODUCT. Now, let's us estimate how much significant is it.

Let's assume you want to cool a room down to comfortable 24 C, in a hot day (37 c, with 68% humidity, which is a typical July day in my home town).

Thus the air initially contains 0.03 kg of water per m^3.
If we now generously assume that the air pump operates at 11 C then we only need to cool 1/2 of the room volume in order to reach 24 C. It means that the heat exchanger produces 100% humid air at 11 C, which contains 0.01 kg of water per m^3.

Thus, the heat exchanger dumps 0.02 kg of cool water per m^3 of air.
Vaporization heat of water is 2257 kJ/kg, therefore your air conditioner dumps 0.02*2257 = 45.14 kJ/m^3
Let's see how big is this number.

Specific Heat capacity of humid air in our context is about 1.034 kJ/kg/K (with insignificant variation for such a rough calculation) and the density is about 1.2 kg/m^3. Thus the «consumer value» (pardon my language) of the air conditioning is roughly: 1.034*(37-24)*1.2 = 16.13 kJ/m^3

While the actually produced work consists of cooling half of the given amount of air from 37 to 11 C plus condensing water, which amounts to: (1.034*(37-11)*1.2 + 45.14)/2 = 38.7 kJ/m^3

Finally the ratio is: 16.13 / 38.7 = 0.42 — i.e. roughly 58% of the cold produced by your air conditioner goes straight outdoors.

Of course, it is a very rough estimation, but it gives you the order of magnitude of the phenomenon. Although I tried to give a conservative estimation, feel free to directly measure your air conditioner water output in order to get the precise number — I bet it will be even worse than «60%» stated in the title.

This loss does only seem inevitable!

The sad part is that this energy is completely recyclable for no cost — all you need to do is to vaporize this water on the heat exchanger of the condenser unit — BUT NOBODY CARES.

Android's Security Policy Is: "All Or Nothing"

This is the essay about the biggest and the most successful infosec profanation campaign in the world. It undermines the very idea of security awareness in each and every aspect, and it does so very subtly too. Initially I wanted to tell you how this profanation works and why it would be successful at cleansing users' minds from any security related thoughts; today I have upgraded my test-bunny Android device and realized that my «prediction» is getting late — Android has entered the final stage of the campaign: after the applications succeeded at damaging users' security awareness, the core system itself openly stepped into the battle, to commit the final blow.
Read more →

The Flattr Experiment

I decided to join flattr.com — a very neat donation platform. Isn't it reasonable to donate some money to the authors you like? Would it motivate you to donate if it leads to the elimination of ads? At least we can run this simple experiment. You are reading me (I know you do), and you are taking for granted the complete absence of ads on this clean and concise website. Please, consider making a flattr donation of any size if any article amused you. If it works sufficiently well to keep me from starvation, then ads will never appear on ithipster.com

Flattr this

Each Security Hole Is Created By Someone Deliberately.

Naked Security reports another (not very special) piece of malware for Android. It is quite sophisticated and effective, it has fooled almost 200K users.

I want to talk about one particular detail, quote:

The apps were installed directly onto unwitting Android devices as the extension bypassed the operating system’s permissions process.

Once again my question is how is it even possible in a mentally sane world??? Who created this bypass and why? No questions asked to Android, everybody is throwing feces at «evil-evil-evil» developers of malware. I believe that the idea of infosec related media is to channel the users' wrath into a safe direction, away from those who made malware possible in the first place, and suppress real inconvenient questions to the «trusted» developers and «respected» vendors.

Within the next few days I will explain you all evils of the android quasi-security — today I am too angry.

There Is Enough Wasted Electricity To Power All Cars In USA

I was confronted with a serious argument against Tesla cars (or electrically powered automobiles in general). It reads thusly: «If you replace all cars with Teslas the power grid will not be able to sustain the resulting tremendous surge of energy consumption». To me it sounds like a legit matter for a quick investigation, so here we go.
Read more →

Utilizing Wasted Energy Of The Slag Dumps

Today I want to talk about ecology, in a very unorthodox manner, as I always do with any subject. There is one very necessary practice in the metallurgy all over the world: slag dumping. Of course, our cherished environmentalist buzz-makers know nothing about that, because steel and copper, just like coffee and croissants, grow on trees. And it is much better to keep them at their present state of ignorance, as long as we want a serious, intelligent, and productive discussion on the topic.

First of all, there is nothing wrong with the metallurgy in general and the slag in particular. However, there is some room for a significant improvement that benefits our «environment», unlike bullshit «carbon taxes» or «wind turbines». In order to understand the basics of the problem watch any of the «slag dump» videos on youtube, like this one www.youtube.com/watch?v=zKOENNXsSBQ This «molten lava» is slag, an inevitable byproduct of any metallurgical process. It has no use in the industry, it contains no precious components, and it has to be removed from furnaces, in order to keep them running.

The first thing that must strike you as you see the action is: «what a waste of energy!!!» Indeed, slag is hellishly hot, where «hot» means two important properties: abundant and high potential, which makes the energy easily CONVERTIBLE. But, hold on, this shit is solid under normal conditions. When you extract energy from molten slag it will solidify, incapacitating any conceivable heat exchanger.

Let's apply some IT reasoning here. While it is difficult to take energy away, how about taking an energy consumer in? Picture that, you have to heat something, so you mix it into hot slag. The output will very likely to be total garbage… Yes! GARBAGE! Put garbage in, melt it by the heat contained in the slag, and then shape it in building bricks, or fillers, or whatever you need to build artificial islands…

In the end you get a pretty normal solid waste processing plant running on free energy.

On The "Bottom-Up" Approach To Data Security

Once I stated the title I immediately realized that there are many distinct dimensions having their own «bottoms» and «ups». So I must specify. The «bottom» is a set of elementary data manipulation operations available to you as a programmer or a data security specialist (although it is often the same «you»). The «top» is a transitive closure of this set. The set of operations available for a user is rather close to the «top», and mapping them into the basic data handling operations constitutes the essence of the programmer's job. The «bottom-up» approach to data security is a job of defining all the necessary data access rules in terms of the basic data handling operations — you apply certain restrictions to various data elements and they affect the data system overall behavior, namely data accessibility in the high-level terms used by the end users. The most elaborated text-book example of this approach is SQL — it gives you very low-level security bricks to build a custom building without specifying explicitly this building emergent properties.
Read more →

A CERN Physicist Fails At Elementary Physics

Recently I had a conversation with a renowned CERN physicist Konstantin Toms. In this conversation, all of a sudden, he exposed himself failing to spot the difference between power and work. The conversation happened in a public place here: lj.rossia.org/users/ktoms/17248.html
it was performed in Russian, so I have to translate it for you, however, Dr. Toms is informed of this fact and is welcome to make his corrections if he has any.
Read more →