“Do You Deny That This Shit Be Bangin’?”

From Penny Arcade’s Tycho Brahe:

[A] District Attorney in Texas is on trial for building himself a sweet rig on the county dime. This machine in question sports “two hard drives, seven fans, high-end video and audio cards, a wireless Internet connection and cables that glow under ultraviolet light.” It’s a crime, yeah, but it’s an awesome crime. I make an exception for awesome crimes.

Hacked

Looks like spambots are starting to exploit a flaw in my aging version of WordPress to post links in my sidebar; guess it’s time to upgrade soon.

The Oddest of Oddities

This being Dr Seuss’s birthday, in addition to my daughter Joy’s, someone felt inspired to write an atheist’s tribute piece. Following is an excerpt.

In a place known as Whoville the folks got distraught
When Horton the elephant said what he thought.
“The oddest of oddities isn’t as odd
As people believing that there is a god.”

The Who Jews and Muslims and Hindus and Buddhists
The Who Vegetarians, Wiccans, and Nudists,
The Who Presbyterians, Baptists, New Agers:
All spread the sad news on their cell phones and pagers.

A Who Evangelical fell to his knees
And he said, “Oh no, Horton! I beg of you, please!
We always have liked you. We all think you’re swell,
And we can’t stand the thought that you’re headed to hell!”

On Passwords

So, I thought maybe I’d spend a little time discussing password authentication. Skip to the end if you just want to see good and bad ways to come up with passwords.

An early bit of computer-security reading that made an impact on me, back when I was learning the ropes as Ye Company Computer Fellow at The Adams Group, was Foiling the Cracker: A Survey of, and Improvements to, Password Security, by Daniel V. Klein. The paper is based on research from 1989; computing power had already grown dramatically by the time I got my hands on it, and now, nearly two decades later, its cautions and advice have aged remarkably well.

In conducting his research for this paper, Mr Klein collected roughly 15,000 hashed passwords (from actual user accounts) and attempted to recover the original passwords by guessing: hashing candidate after candidate and comparing the results against the stored values.

A password hash (the Unix world historically called it an “encrypted password”, though nothing is ever decrypted) is a fixed-size value computed from the user’s password by a one-way function, and stored so that the system can later verify that phe knows per password. When the user enters a password, the very same transformation is performed, and the result is compared to the stored value. If they match, the password is the same (well, to be more precise, two different passwords have only a one in millions-times-millions-times-millions-times… chance of producing the same hash). Traditional Unix crypt(3), the scheme Klein attacked, also mixes a small random “salt” into the computation and stores it alongside the hash, so two users with the same password get different hashes, and an attacker has to redo every guess separately for every account.

The advantage of doing it this way instead of just saving the passwords themselves, is that if someone were to recover the file which contained all the passwords, they suddenly have access to every account represented in the file; whereas if only the encrypted hash is stored, all they have is a bunch of useless mathematical values, represented as strings of garbage text. There is no way to take the hash, and transform it back into the original password (for this reason, they are often called “one-way hashes”). The only thing you can do with a hash is to compare it to other hashes you can generate (from guessing what the password might be), to see if you’ve found the user’s password. (This tends to be faster and safer, though, than just trying the passwords directly on the system with which you’re trying to authenticate, as many systems have built-in time delays, or don’t let you try more than a few passwords in a given amount of time, and log every attempt for later forensic analysis.)

That is what this post calls a “brute force” password attack (strictly speaking it is a dictionary attack; “brute force” more often means exhaustively trying every possible string of a given length, but the two terms get used interchangeably). You take a few tens of thousands of your favorite password candidates, run each of them through the hash algorithm, and see whether any of the results match the hashes you have. For every one that does, you note down the password it came from and the account it belongs to: you’ve just hacked it!

So Mr Klein got a large number of hashes and set a computer (or possibly more than one, I’m not sure) chugging through a dictionary he had assembled of a couple million candidate passwords (about 60,000 base words; the rest are permutations and transformations of those). In a week’s time, he had recovered more than one in five of the passwords (about 3000). He recovered 368 of them in just the first 15 minutes!

The very first thing tried against each password was roughly 130 variations on the account name and the owner’s real name. A user named “Micah J. Cowan”, with a username of mrdude, would get password attempts like mrdude, mrdude0, mrdude1, mrdude123, mjc, mjcmjc, mcowan, MCowan, hacim, micahc, MjccjM, MICAH-COWAN, (mrdude), CowanM, etc. This cheap first pass is what fetched him the 368 passwords in his first 15 minutes of processing. Ouch!

Other things that would be tried were dictionary words. And not just Merriam-Webster: a relatively exhaustive dictionary of a large number of words, including people’s names (real and fictional), place names, foreign-language words, words from the King James Bible, offensive words and phrases, etc, etc. Variations on all these words would also be checked, such as replacing letters with similar-looking digits (o -> 0, “ell” -> 1, z -> 2, etc), various capitalizations (“mIchael”, “miChael”, “MichAel”, etc), spelling them backwards, and so on.

Thought you were clever with your password of “fylgjas” (guardian creatures from Norse mythology)? Or the Chinese word for “hen-pecked husband”? Think again—he caught ’em.

In addition to the techniques Klein describes in his paper, modern, readily available password crackers also support things like exhaustive searches of all combinations of letters and numbers up through around six characters. Exhaustive searches of all combinations of all possible characters are also possible, but take a lot more time.

What’s more, with the power of large computer clusters and cracker “bot-nets”, given a little time, attackers can readily search exhaustively for passwords several characters longer than was previously practical. In fact, computer security expert Bruce Schneier has a more up-to-date description of password-cracking software designed to run across networks of computers, along with advice on which passwords are easily cracked and how to choose safe ones. These days, good cracking software typically recovers over half of the passwords given to it, rather than just the ~25% that Klein managed after a year’s worth of CPU time.
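To make the mechanics concrete, here is a small Python re-creation of the attack described above. It is an added example written for this post, not Klein’s code and not part of the original paper. It assumes a salted SHA-256 hash in place of the DES-based crypt(3) of Klein’s day (the attack logic is the same either way), and every account, salt and word-list entry in it is constructed sample data. The candidate generation follows the passes described above: permutations of the account and real name first, then mangled dictionary words (case variants, reversal, letter-to-digit substitution, digit suffixes), and finally a short true brute-force tail over letters and digits.

```python
"""Klein-style password guessing over a handful of constructed, salted hashes.
Added example for this post; not Klein's code. Assumptions: salted SHA-256
stands in for crypt(3), and all accounts, salts and words below are made up."""
import hashlib
import itertools
from typing import Dict, Iterable, Iterator, List, Tuple

Record = Tuple[str, str, str]  # (full name, salt, stored hash)
ALPHANUM = "abcdefghijklmnopqrstuvwxyz0123456789"
# Letter-to-digit substitutions of the kind described in the text (o->0, l->1, z->2 ...)
LEET = str.maketrans({"o": "0", "l": "1", "z": "2", "a": "4", "e": "3"})


def hash_password(salt: str, password: str) -> str:
    """One-way transform of salt+password; nothing here can be reversed."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def verify(salt: str, stored: str, candidate: str) -> bool:
    """Authentication check: recompute and compare, exactly as a login would."""
    return hash_password(salt, candidate) == stored


def mangle(word: str) -> Iterator[str]:
    """Klein-style transformations of one base word: case variants, reversal,
    leet-speak, doubling, digit/punctuation suffixes, single-letter capitals."""
    base = {word, word.lower(), word.upper(), word.capitalize(), word.swapcase()}
    base |= {w[::-1] for w in base}             # spelled backwards
    base |= {w.translate(LEET) for w in base}   # o->0, l->1, ...
    for w in base:
        yield w
        yield w + w
        for suffix in ("0", "1", "123", "!"):
            yield w + suffix
    low = word.lower()
    for i in range(len(low)):                   # "mIchael", "miChael", ...
        yield low[:i] + low[i].upper() + low[i + 1:]


def account_name_candidates(username: str, full_name: str) -> Iterator[str]:
    """Klein's first pass: permutations of the login name and the real name."""
    parts = full_name.lower().split()
    initials = "".join(p[0] for p in parts)
    seeds = {username, initials, parts[0], parts[-1], parts[0] + parts[-1],
             parts[0][0] + parts[-1], parts[-1] + parts[0][0]}
    seen = set()
    for seed in seeds:
        extra = ("(" + seed + ")", seed + "-" + seed)
        for cand in itertools.chain(mangle(seed), extra):
            if cand not in seen:
                seen.add(cand)
                yield cand


def dictionary_candidates(words: Iterable[str]) -> Iterator[str]:
    """Every word in the list, run through all the mangling rules."""
    seen = set()
    for word in words:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand


def exhaustive_candidates(max_len: int, alphabet: str = ALPHANUM) -> Iterator[str]:
    """True brute force: every string over the alphabet up to max_len."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            yield "".join(combo)


def crack(records: Dict[str, Record], wordlist: List[str], max_len: int = 3) -> Dict[str, str]:
    """Return {username: recovered password}. Each account has its own salt,
    so every candidate is re-hashed per account; that cost is what salting buys."""
    found: Dict[str, str] = {}
    for user, (full_name, salt, stored) in records.items():
        phases = (account_name_candidates(user, full_name),
                  dictionary_candidates(wordlist),
                  exhaustive_candidates(max_len))
        for phase in phases:
            hit = next((c for c in phase if verify(salt, stored, c)), None)
            if hit is not None:
                found[user] = hit
                break
    return found


def make_records() -> Tuple[Dict[str, Record], List[str]]:
    """Constructed sample accounts (not real users) plus a tiny word list."""
    plaintexts = {
        "mrdude": ("Micah J Cowan", "mrdude123"),        # login name plus digits
        "jsmith": ("Jane Smith", "Fylgjas"),             # obscure word, capitalised
        "bob":    ("Bob Jones", "p4ssw0rd"),             # dictionary word in leet-speak
        "alice":  ("Alice Liddell", "hooky$preheroic"),  # two unrelated words, punctuation
    }
    wordlist = ["password", "fylgjas", "dragon", "letmein"]
    records: Dict[str, Record] = {}
    for i, (user, (name, pw)) in enumerate(plaintexts.items()):
        salt = "s%02d" % i
        records[user] = (name, salt, hash_password(salt, pw))
    return records, wordlist


if __name__ == "__main__":
    recs, words = make_records()
    for user, pw in crack(recs, words).items():
        print(user + ": " + pw)
    # alice's hooky$preheroic survives every phase of this small attack
```

Run as-is it recovers the first three accounts in well under a second and never touches alice’s two-word password, which is exactly the gap between the passwords on the “avoid” list and the ones on the “recommended” list below. Note that the per-account salt forces the loop to re-hash every candidate for every user; without the salt, one hash per candidate could be compared against the whole file at once.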

So, to wrap up, passwords that everyone should be avoiding, for any system they care about, are:

  • Any password shorter than eight characters. Arbitrary strings of letters and numbers up to six or seven characters can be exhaustively searched given enough time and resources (32 CPU-years were adequate in the days of Klein’s article: that sounds like a lot until you run into someone with a 128-CPU cluster and a few months to spare). Throwing in some punctuation marks helps for shorter strings, but really you’re best off going for at least eight. And don’t forget: if seven characters is just within or just out of reach today, where will it be in a few years, given the exponential growth of computing power?
  • Single words or names, no matter what language they’re from, or how you modify them. Write ’em backwards, add some numbers at the end, use funky capitalization: it doesn’t matter. If they can exist in a list somewhere, a password cracker can guess it.
  • My God, man, don’t ever pick a password based on your name, your account information, your girlfriend’s name, etc. You’re better off avoiding your birthday or anniversary, too: these things can be exhaustively searched faster than you can blink.
  • Never use the same password for more than one site.

Practices that are recommended for choosing secure passwords include:

  • Building it from the initial letter of each word in a phrase: To be or not to be, that is the question becomes Tbontbtitq. This is improved by using digits in some spots, capitalizing an extra letter or two, and leaving in or adding punctuation: 2Br!2b,tit?. (note the substitution of the letter r for or, ! for not, and ? for question). This technique can easily produce random-looking passwords that are very hard to brute-force or guess. However, be careful not to choose an easily guessed phrase as the basis for your password; the phrase above was chosen only as an illustration. It is far too widely recognized to make a good basis for a password; I wouldn’t be at all surprised to discover that there are password dictionaries out there that already contain both Tbontbtitq and 2Br!2b,tit?., along with other variations. John 3:16 is another example of an atrociously poor choice to derive a password from. Best is to choose a phrase or sentence from a random spot in a relatively obscure book. For instance, flipping open my copy of Advanced Programming in the UNIX Environment, I find “Every process has six or more IDs associated with it.” That could be made into a decent password (though not any more, obviously, now that I’ve mentioned doing so).
  • Another good technique is to use two or three ordinary words together, especially if you use punctuation marks to separate them; e.g., hooky$preheroic. This makes for easily memorized but hard-to-guess, hard-to-brute-force passwords. As already mentioned, a single word, even with a large number of variations, makes for an easily cracked password; but each additional word multiplies the search space by the size of the dictionary, so multi-word passwords are dramatically harder to brute-force. That assumes you pick fairly random words: in particular, words that are random with respect to one another and to yourself. tootie and frootie, or guitar and music, make horrible words to pair. And if you know that I play piano and love Coca-Cola, even the three-word password coke-fiend-pianist may not be too much of a stretch for you. 😉

For Now

Criticizing Evolution

The following is reposted, with permission, from The Barefoot Bum; it makes some good points that I’d have liked to have made here at some time, except that he’s already done an excellent job of it, so why bother? It includes a list of several examples of both items that proponents of Intelligent Design believe that evolutionists believe or teach (but, in fact, don’t), such as radio-carbon dating; and items that they believe are true (but which, in fact, are false), such as the myth that evolution from one species into another hasn’t been observed. These are very widely spread myths in the creationist community, and it’s nice to debunk a few of the most common of them. Most of these items don’t have links or citations; however, you can find a wealth of information about them at TalkOrigins (which has a longer list, and citations to back up its claims). [Update: reworded the above to more accurately represent the list of creationist myths.]


I don’t understand why any individual amateur would choose to criticize evolution. Any amateur is hopelessly outnumbered, probably by a factor of 10,000 or 100,000 to 1. Scientists have been working on the various hypotheses and theories under the evolutionary paradigm for more than fifteen decades. Even if they were completely, egregiously wrong, the attempt to prove them wrong seems a Sisyphean task for any individual, much less an amateur. Of course it doesn’t help that organizations such as the Discovery Institute, Answers in Genesis and Harun Yahya have been so frequently caught in inexcusable sloppiness and outright lies. But amateurs do try to criticize evolution, so it’s worthwhile going over some basic points.

First, The Barefoot Bum is a philosophy blog, not a science blog. Although I’m scientifically literate, I’m not a professional scientist: I’m a professional engineer and an amateur philosopher. Professional scientists such as PZ Myers, Shalini and the denizens of the IIDB Evolution/Creation forum (and many others) have forgotten more biology than ten people like me will ever learn. If you want to discuss evolution here, I’m much more interested in discussing things like scientific epistemology, metaphysical naturalism, and the ethical implications of evolution. Still, I am scientifically literate, and I’m willing to discuss the science of evolution.

If you’re going to criticize what scientists say, it’s very important to criticize what scientists actually say, rather than what you want them to say. I understand that demolishing a straw man is easy and satisfying. But straw men are not only fallacious: evolution and its criticism have been around long enough that there is simply no excuse for misrepresenting the scientific position. Misrepresentation is justifiably characterized as a lie.

There’s also the pernicious practice of quote mining, taking a statement made by a scientist or philosopher out of context and thus changing its meaning to be critical of evolution. Any time an advocate of evolution seems to say something deeply critical of the endeavor, any reasonable person must be suspicious that something is amiss. Quote mining is lying.

I have better things to do with my time than correct lies about evolution. If you want to lie, do it on your own blog or in a more appropriate venue; I refuse to publish lies.

Here are some specifics:

Evolution is not a scientific theory about the origin of terrestrial life. The origin of terrestrial life is an interesting scientific field in itself (all the more interesting because the evidence is buried under billions of years of history), but it has nothing to do with evolution. Even if the first living thing were intentionally created by a space alien, a deity or the systems administrator of the computer we’re all inhabiting, evolutionary theory would not change at all.

No scientific theory in the field of evolution says that the characteristics of modern organisms arose by chance alone. All evolutionary theories discuss the interplay between chance changes to organisms and natural selection; natural selection is driven by physical law, the opposite of chance.

Yes, there have been instances of scientific fraud as well as honest mistakes. Science is an error-correcting endeavor, precisely because errors do arise. What “error” actually means and how errors are corrected is an interesting topic of philosophical inquiry, but Piltdown Man and Haeckel’s embryology are not by themselves probative of anything… except perhaps in the sense that scientists have actually discovered and corrected such errors.

Scientists have actually observed speciation.

Radiocarbon dating is accurate to only tens of thousands of years. Scientists employ other methods, including other types of radiometric dating, to establish ages on the order of mega- and giga-years. The validity of radiometric dating is established primarily by nuclear physics and quantum mechanics.

Charles Darwin was not baffled by the eye. His “bafflement” in The Origin of Species was a rhetorical device: he goes on to explain how the eye actually did evolve. This assertion is probably the most famous instance of quote mining. Nor did Darwin renounce evolution on his deathbed. This claim is an outright lie.

Regardless, science is not theology, and no scientist is an authority. Nothing in science is believed just because some scientist, however well-respected, has asserted it. Even Newton, Einstein, Darwin and Feynman had to show their work, and the idea stands or falls on its own merits, independent of the reputation of the person. Darwin himself made mistakes, and those mistakes have been discovered and corrected.

The attitude of scientists and scientific philosophy regarding the “supernatural” is not unique to evolution. I’m more than happy to discuss scientific philosophy, methodological and metaphysical naturalism, in as much (or more) detail as you wish, but philosophically, any argument concerning naturalism applies to all science, not just the sciences of biology, archeology, paleontology, genetics, ecology, etc. which adopt an evolutionary paradigm.

In general, I’m going to evaluate any criticism of evolution by first investigating what Talk.Origins has to say about it. I don’t demand that anyone accept Talk.Origins uncritically or at all, but you will save us both a lot of time if you examine their arguments before you comment, and address them within your comment.

And, lastly, the complaint that scientists and advocates of science tend to bury criticism in a flood of information is a non-starter. Rational people settle these sorts of arguments by evaluating the evidence. If there’s a ton of evidence against your position, boo hoo, too bad for you.

The Golden Compass… The Movie

Saw the movie with my daughter, Joy. She loved it, which is great for her. I positively hated it. As much as I found the book to be fairly blah, the movie is positively wretched. A cast loaded with stars could not even begin to save this nightmarishly ill-done movie. The film was quite grainy in parts, and felt like a jarringly disjointed collection of scenes—there was no flow to it at all. The acting was terrible, and since I have a lot of respect for some of the actors in it, I can only assume the directing (as well as the script) is to blame. This conclusion is all the easier to arrive at, as both originate from the same person (Chris Weitz). I have not seen his other movies (which include American Pie), and after seeing this one, I doubt I’ll be rushing to do so anytime very soon.

There were several parts that were rather poorly explained; at one important part, where the girl Lyra and her daemon (a physical manifestation of her soul) were to be severed, so little information was given as to what was going on, that I doubt I’d have even known what was taking place, if I hadn’t already read the book.

I was also disappointed to find that the few characters in the book that had some small portion of depth to them, were made entirely one-dimensional in this movie. Probably the particulars of this depth would have been difficult to make work for the film, but at any rate it removed much of what small charm the book had. For instance, in the book, an attempt is made to poison Lyra’s “uncle”, Lord Asriel, by the schoolmaster of the scholarly university where Lyra has been raised, and who is something of a father-like figure to Lyra, which causes her some conflicting feelings about him. Later, a hint of the weighty decisions that would conspire to influence him to do such a thing is revealed, and indeed he is somewhat vindicated in the end for having made the attempt. However, in the movie, the schoolmaster is an entirely benevolent character, who righteously refuses to stoop to any such treachery, and so the attempt is made instead by a high-ranking official of the Magisterium (the “church-like” religious order, whose malevolence and self-servingly intolerant views and behaviors are the reason why the trilogy has garnered so much negative publicity from certain religious groups).

I had read that the film’s producers had decided to tone down any anti-religious establishment sentiments from the book, caving in to pressure from religious groups. However, I was surprised to find that, rather than this being the case, if anything it was more direct in its opposition to the story’s “church” than the book ever was (see above, for example). Perhaps they actually increased the “antagonism” against religious views in response to the disproportionate outcry against it.

The script was absolutely lacking in imagination. Most of it flowed from the book… exactly, except that the better parts were removed. One spot which I loved in the book, but was disappointed to find in place and untouched in the movie, was the fight between two anthropomorphic bears. It was a scene which involved a bit of deception on the part of the hero, Iorek, who pretended that his arm was injured so that he could use it in a surprise attack, finishing his enemy, Ragnar, with a strong blow that knocks his lower jaw clean off, to dribble blood from the neck as he dies in agony. The deception is made all the more impactful by the reader’s knowledge that, under normal circumstances, a bear can never be deceived, and so the fact that Ragnar could have fallen prey to it was proof of his demented reason. The fact that the “injured” arm, isn’t really, is completely lost in the movie, and one gets the impression that he simply “managed” to strike a savage blow with an actually severely-injured arm; and since both the deception and its underlying revelation are completely lost, it should have been removed entirely.

As for the jarringly grisly sight of Ragnar sans lower jaw… it was an inappropriately violent one. Shocking, not so much owing to its own violence, as to the fact that there was no other violence in the movie that came even remotely near it. Such a jarring contrast shouldn’t “just appear”, to no purpose other than to follow what was in the book; it should be used to some effect. The only possible resulting effect of this scene would be parents wondering why this image has now been unceremoniously slapped into the minds of its younger, more impressionable viewers.

The conclusion? As much as the world might really be able to use a new tale to capture the imagination of young ones, filled not with veiled religious allegories, but with notions intended to promote freethought and question religious ideology, Pullman is certainly no C S Lewis, and the world will, in my opinion, need to continue to wait for such an arrival. And thank God he’s not (hee hee), as a more laudable literary basis for this supremely unremarkable movie could only have made it the more tragic.

Ironically, rather than make good on the “clear threat” to religion and godliness that churches across America seem to believe it poses, this movie is unlikely to do much other than strengthen the faith of their parishioners, by fulfilling their prayers that God would keep people out of the theaters and allow the movie to suffer an abysmally disappointing economic defeat.