(Moderators: read both links in write-up completely before attempting to mod this post.) Blow-by-blow:
The Sharp Zaurus SL-5500 combines state-of-the-art Sharp technology and Sharp innovation, mmmmm, pointy...
...to deliver a unique and compelling PDA solution a) it's the only one like it, b) you need it...
The Sharp Zaurus SL-5500 offers everything from mobile communications to mobile multimedia; All in a convenient portable form.
keyboard integration and dual expansion [slots] deliver one of the most versatile and flexible PDA solutions on the market today. Ooooh, versatile and flexible. Next to that and the mobile multimedia and the mobile communications that make it a unique and compelling PDA solution, my only question is,
What's it do?
(beyond the palm stuff, obviously) -- m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must. email me (click my user info for addy) if you're interested.
the other day was several years ago. not sure win2k was even out yet :) above notwithstanding, I did hear the same woes on #linux several days ago: "why does my suse still fsck so long", with a response of "hey, just be glad that it cks out at all: you don't want to ask me what the worst that can happen with an inopportune power outage is...found that out the hard way." -- m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must. email me (click my user info for addy) if you're interested.
So the other day this microsurf's telling me about how NTFS has journaling, started taunting me about my eight-minute fscking those sixty gig puppies, and I admit it kind of had me kind of almost maybe a bit uncomfortable, not envious mind you, just a bit, mostly it was just a little hot in the room is all. I excused myself, saying I had to google, and that I would be right back. Five minutes later, I had my response. (And implemented, too! Download today.)
Moral of this story? Turn off those [domain] tags in your preferences if you haven't yet! It totally ruins my train of thought:(
-- m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must. email me (click my user info for addy) if you're interested.
google cache: " Tree Closes for Mozilla 1.0 The tree just closed in preparation for Mozilla 1.0, and so far, it's looking promising. What does the tree close mean? This time around, as drivers have been in control of the tree for the entire milestone, the actual process won't change, but drivers approval will begin to get harder and harder to get for a checkin. As we approach 1.0, we'll keep you up to date on current status and other interesting news. " Incidentally, at the time Google cached that, it had zero comments. That was fast.
Anyway, I'm kind of disappointed. This is like the Year 2000. I always pictured some cool technological advance when we hit the y2k figure, but we didn't suddenly have anything special. In the same way, I always thought that when Mozilla finally hit 1.0, it would be this super-stable, killer app with special competition-eradicating I-Need-Thats that make any other alternative simply laughable. Instead, 1.0 is just a glorified 0.9.9.998. Oh well.
(On a side note, when did we all stop saying Un*x for Unix. I think 'taco was one of the first people I heard saying this...)
-- m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must. email me (click my user info for addy) if you're interested.
Before we go on, please note that the article talks about the "web", meaning html-like pages over http, as you can see from this sentence: "Web sites also face stiff competition from other online services". All the same, I think I like the kind of blatant misinterpretation of statistics that it uses to further its claim. Consider: a typical day, March 2000:
6 AM: Got up, had breakfast, brushed teeth, showered, shaved, got dressed etc.
7 AM: Signed on for 10 minutes to check email before work.
9-5: Worked.
6 PM: Got home, signed on for 170 minutes.
8:50 PM: Scarfed down some dinner in time to catch whatever's on at 9, watched TV till 10.
10 PM: Went to sleep.
a typical day, March 2001:
6:00 AM: Got up, had breakfast, brushed teeth, showered, shaved, got dressed etc.
7:00 AM: Signed on for 10 minutes to check email before work. (lousy spam).
9-5: Worked.
6 PM: Signed on for 170 minutes.
8:50: Scarfed down some dinner and signed back on in time to reach the people just signing on after work in California (three hours before my Eastern time zone.) Stayed on 70 minutes.
10:00 PM: Went to sleep.
Now let's do a little math. Average time per online session, March 2000? 90 minutes. Average time per online session, March 2001? 83.3 minutes. Amazing. Just by replacing an hour and ten minutes of TV with an hour and ten minutes online, you've just reduced your average online session by 7 minutes, while increasing your time online by 38%. In other words, according to a survey by the Pew Internet & American Life Project in Washington, people averaged 90 minutes per online session. A year later, when the same people were polled, that number had dropped to 83 minutes. Remember, there are three kinds of statistics: lies, damned lies, and the kind of wanton abuse of mathematics that makes you waste fifteen minutes bitching about it on slashdot. Live and learn. -- m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must. email me (click my user info for addy) if you're interested.
my papa always said,..."if you can't beat 'em, join 'em.":)
Ximian Connector is a unique client software extension that allows Linux and UNIX users of the Ximian Evolution groupware suite to manage personal information and collaborate with Windows-based co-workers using Microsoft Exchange 2000
Note: I know hardly any of you will read to the bottom of this post, so here's a copy of my sig: -- m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must. email me (click my user info for addy) if you're interested.
Now then. Let the games begin. ........ First of all, here's a bit of a rant. Let me disagree strongly with Darko Kirovski, the "cryptography [...] researcher at Microsoft" (article) who created the prototype, when he says:
"I don't think you can create a password that is easily memorizable that is 20 characters long," Kirovski said.
Now, I'm just an average slashdot user. I've never worked with anything that is worth so much as protecting my keyboard from being TEMPEST-ed as I type my password. I'm certainly no cryptography expert. But even *I* know that you can create easily memorizable passwords 20 characters long, and, in fact, far longer.
First of all, let me introduce you all to diceware. Diceware, slashdot. Slashdot, diceware. (How do you do, how do you do).
Now diceware here is run by a guy who knows about security. He's paranoid. He doesn't just "come up" with passwords while trying to avoid using any obvious components -- oh, no, he generates them completely randomly, and accepts whatever he comes up with as his password. So randomly does he generate his passwords, in fact, that he uses casino dice rather than trusting any kind of hardware.
But wait, it gets better.
How does diceware work? Basically, you use dice to choose a group of short English words that, since they're words (or can be treated as words by a human, such as the "word" ijk), are easy to remember.
More specifically, you roll a die five times, and put the five numbers together and find the corresponding word. (For example, if you roll 2, 6, 3, 1, 5, you search the list for 26315 and find that your word is "Frank").
The only caveat is that before using this list, you should manually (or with a program of your own design) check to make sure 1) that no numerical combination is missing and 2) that no word is associated with more than one combination.
In other words, you shouldn't trust the guy who made diceware, and you don't need to. It's just the principle of the thing -- a list of unique items on a one-to-one ratio with a range of numbers, each of the items of which is easier to remember than a mere number. (But, because there are equally many of them, will be equally "random".)
Now let's do a bit of analysis together of how secure this is.
Since five die rolls can have 7776 possible combinations (6^5), each "word" has an entropy of just over 12.924 bits. (2^12.924 ~ 7776, so that many bits are necessary to represent each combination five die rolls can create).
Now, one "character", if we take it to mean an integer with values 0 through 255 inclusive, has entropy of 8 bits.
Therefore, every two diceware words correspond to three completely random bytes.
Now let's rip apart Kirovski's statement that you can't remember 20 characters. Before we do, let's point out that no one needs 20 characters, since even if you take a "character" to mean just any of the 94 ASCII values that a user can easily type, we'll even exclude the tab and space, this comes to (6.5545888 bits of entropy per one-of-94-characters * 20 characters=) 131.0917 bits of entropy. That's more than 128 bit encryption needs for a secure key! And this includes only the following characters: ! blah " this # lameness $ filter % really & sucks ' don't ( you ) agree * of + course , you - do . / 0 1 2 3 4 5 6 7 8 9 : ; ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~
Obviously, if you include more in the definition of "character", then the amount of entropy in 20 characters becomes ridiculous.
But for now, let's assume that Kirovski really did mean 20 characters, as I have defined them, or 128 bits of entropy. Is this "easily memorizable"? Sure is, if you use diceware. For each word, we'll roll a die five times and get 12.92 bits of entropy. This means we need 10 words to get 128 bits. Here are my results:[4] 65566 35115 24266 14326 54314 63345 41616 12265 44346 56243 I look these up in the word list, and get: "56 junk elba bleat lard wacky sermon annex one swept" as my pass-phrase. Is this "easily memorizable"? Sure is:
"56k modems are worse junk than what Napoleon had at Elba -- a bleating piece of lard is faster down an incline if you've given it a push, for chrissakes!!" together with the picture of a goat bleating in terror as it rides a chunk of lard down a hill. Also picture the goat in a Napoleon posture (one hoof inside vest) so you remember elba.[5]
"Wacko tries being a minister: comes up with wacky sermon about how we need to annex canada. I for one think it should be swept under the rug. (the idea advanced by the sermon or canada?:) )" Picture: arm stretching borders of alaska over canda.
It took me less than thirty seconds to come up with vivid pictures for this, then another minute to associate these sentences and pictures with the actual words (bleat for bleating, swept for sweep or sweeping) and if I remind myself of it in a few minutes, then in a few days, then in a week or two, I'll have it known forever. Compare that with memorizing:[6]
JLEwx;+?o9bH`"|6r%Bo And you see why diceware is a good idea. The fact that someone who is a supposed expert in this doesn't know about it is in my opinion inexcusable. (Of course, he might know that twenty characters' worth of entropy can easily be made to be memorizable, but his statement does not reflect this.)
Incidentally, it takes me between six and seven seconds to type "56 junk elba bleat lard wacky sermon annex one swept" carefully enough that it's accurate without my checking it as it appears on the screen (I just closed my eyes and did this five times in thirty-one seconds.) And more than twice as long to type the random 20-character word, if I look at the characters as they appear, even though I use every one of those non-alphabetic characters frequently enough to be able to "semi-touchtype it" (might not hit it on the first try, but I know where it is and I don't look at the keyboard -- in fact, I couldn't now because I use a weird international one. [shrug] But semi-touchtyping doesn't help you when you see *'s instead of the characters...)
As for how much security the average person needs (we're not talking 128 bits here): well, if you consider an 8-character random combination of A-Z, a-z, and 0-9 that's 5.954196 bits of entropy per letter * 8 letters = 47.6335 bits of entropy, or less than four diceware words' worth. For example, 56 junk elba bleat. You don't even need spaces (although I find it easier to type with them) since no diceware word includes a space. Can you believe it, a simple thing like "56 junk elba bleat" being more secure than a completely random 8-letter mixed-case, alphanumeric word? Wow. Okay, I've run out of steam. That ends my diceware rant, and I'll address this whole nifty picture thing now. First let me offer these final notes, which didn't fit into my discussion above.
Note that the 7776 words diceware uses are all short. There are far more than that many common English words, but by including obscure shorter words and semi-words (like numbers), which are less common but equally memorable once you've thought about it / looked it up, the total typing is reduced. However, this leads to:
Be very sure to accept any words you're given. If you need to look up a word to know what it means, do so. By avoiding words you don't know (rolling again), you reduce entropy.
Don't change words. If I change "56" to "56k" above, and make that the word in my passphrase, it's not enough that I make sure 56k isn't already one on the list: I need to make sure that none of the other 7776 words are ones I might change to 56k if I roll them. In other words, just don't change words.
Okay. Rant ends here. ........ Back on topic: From the article: "The key -- images, which tend to make more of an impression on people than strings of text characters." This is true, but it is equally true that it is more difficult to uniquely identify a member of a given set of pictures than it is to identify a member of a given set of words. Picture the face of the last high school English teacher that taught you. Now, this is a fine part of a password, because you can choose it randomly from a large list of objects (people you know), and you will remember that it's your password. (Or rather, it and a few more like it). That is, if I told you that of the 2000 people you know, the following eight faces, in that order, are now your password, you will have very little difficulty remembering them and their order. However, how will you make a selection 8 times from one of 2000 people? Supposing you know their names also, you can alphabetically list four at a time, doing a double-binary search (for example, A-M at the top, M-Z at the bottom, and the right side is the upper half of each of these ranges and the left side is the lower half). You now need to make 5.482892 selections to select each of your 8 faces. That's 43 mouse clicks, each one followed by scanning four faces. Of course, this is based on knowing the names associated with each face, and it would be easier just to type those in. In which case we're back to diceware. If you don't know their names, however, just how will you select from 2000 faces? Well, maybe you can mimic the binary search with a selection from characteristic skin color, eye shape, etc. If you spend a few hours learning "human facial classification", I bet you can select just about any face you recall in eight or nine mouse clicks. However, I doubt most people would be too keen on learning to input a bunch of characteristic features.
(Even if the 2000 people aren't really people, but people from "Guess who?", who have either a large or small nose, either are wearing a hat or aren't, etc.[7]) The more specific method the article mentions, selecting a particular pixel range within a person's face, isn't something that people do on a daily basis (so much as memorizing and recognizing faces is), so I doubt most people could remember whether it's Mary's lower-right lip followed by where a dimple would be on her right cheek, then the middle of her left eyebrow, or the other way around. It's just not doable.
Okay, I need to go now. Enjoy the weekend, all. ~lts.
You can skip step (1) if you make a contract with yourself that if you ever roll a combination that for some reason isn't on the list, you will take the time to make up a word that is not on the list, and use that instead.
We'll note that hardly anyone uses the full ascii set, including control characters, in their passwords, but I suppose it's possible to use every character besides carriage return (and maybe even that), depending on the implementation.
There are only 96 keyable characters in the ASCII standard before all the international extensions and so forth, which include the tab and the space.
[4] If you want, you can follow along (and see that I didn't artificially select a particularly easy combination):
#include <iostream>
#include <cstdlib>
using namespace std;
int main(int argc, char* argv[]) {
    cout << "Unseeded demo. NON-SECURE!" << endl;
    // Roll loop reconstructed here (the post shows only the line above): ten groups of five rolls, each 1-6, from unseeded rand()
    for (int w = 0; w < 10; w++, cout << ' ')
        for (int r = 0; r < 5; r++) cout << char(rand() % 6 + '1');
    cout << endl;
}
(You can add indentation, I remove it because of the lameness filter.)
[5] Napoleon's last battleground, I guess. Famous palindrome: "able was I ere I saw elba".
[6] this example from unseeded (it goes inside the same main() as the program in [4], after the die rolls):
    for (int i = 0; i < 20; i++) cout << char(rand() % 94 + '!');
    cout << endl;
[7] On an aside, I figured out binary searching all on my own in playing Guess Who as a child. I figured out that the most efficient way of ending up with the opponent's person is, at each question, to pick a characteristic that only exactly half of my remaining choices had -- sometimes this involved making up questions like: "Okay, does your person EITHER have a hat OR a moustache (or both?). Yes or no?" (Actually, I soon realized that I could get an answer faster by saying "does your person have any of the following:", for that particular form of the question, but that doesn't apply to all boolean expressions I asked). -- m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.
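The diceware procedure from the post above (roll a die five times per word, look the roll string up in the list, and first check that no combination is missing and no word belongs to two combinations), together with its entropy arithmetic (bits per word, words needed for 128 bits, the 8-character alphanumeric comparison), as an added example that is not part of the original post and is not the Diceware project's own tooling. It assumes the list is a text file of "NNNNN<tab>word" lines, uses a constructed toy list in place of the real 7776-entry list, and uses the OS CSPRNG (Python's secrets) where the post uses casino dice.

```python
import math
import secrets
from itertools import product

SIDES = 6
ROLLS_PER_WORD = 5
LIST_SIZE = SIDES ** ROLLS_PER_WORD   # 7776 entries in the real list


def all_roll_keys(sides=SIDES, rolls=ROLLS_PER_WORD):
    """Every string of `rolls` die faces, '11111' .. '66666' for the defaults."""
    return {"".join(map(str, c)) for c in product(range(1, sides + 1), repeat=rolls)}


def parse_list(text):
    """Parse 'NNNNN<tab>word' lines (assumed format) into {key: word}.
    A key that appears twice is recorded so check_list can report it."""
    entries, duplicate_keys = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, word = line.split(None, 1)
        if key in entries:
            duplicate_keys.append(key)
        entries[key] = word
    return entries, duplicate_keys


def check_list(entries, duplicate_keys=(), sides=SIDES, rolls=ROLLS_PER_WORD):
    """The post's two caveats: (1) no roll combination may be missing,
    (2) no word may belong to more than one combination. Keys that are not
    valid rolls (a 0 or 7, wrong length) are reported as well."""
    expected = all_roll_keys(sides, rolls)
    keys = set(entries)
    first_key_for, repeated_words = {}, {}
    for key, word in entries.items():
        if word in first_key_for:
            repeated_words.setdefault(word, [first_key_for[word]]).append(key)
        else:
            first_key_for[word] = key
    return {
        "missing": sorted(expected - keys),
        "unknown": sorted(keys - expected),
        "repeated_words": repeated_words,
        "duplicate_keys": sorted(duplicate_keys),
    }


def list_is_sound(report):
    """True only when every finding in a check_list report is empty."""
    return not any(report.values())


def bits_per_symbol(alphabet_size):
    """Entropy of one uniformly random pick from `alphabet_size` choices."""
    return math.log2(alphabet_size)


def symbols_needed(target_bits, alphabet_size):
    """How many uniform picks from the alphabet reach `target_bits`."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def roll_key(sides=SIDES, rolls=ROLLS_PER_WORD):
    """Five die rolls as a lookup key. The post uses casino dice; the OS CSPRNG
    stands in for them here (assumption), not the unseeded rand() of the footnotes."""
    return "".join(str(secrets.randbelow(sides) + 1) for _ in range(rolls))


def lookup(entries, roll_keys):
    """Turn roll strings (as in the post's '65566 35115 ...') into the passphrase."""
    return " ".join(entries[k] for k in roll_keys)


def passphrase(entries, target_bits=128, sides=SIDES, rolls=ROLLS_PER_WORD):
    """Roll enough words for `target_bits`. Run check_list first: on a list
    with a missing combination a rolled key may not exist."""
    n = symbols_needed(target_bits, sides ** rolls)
    return lookup(entries, [roll_key(sides, rolls) for _ in range(n)])


def synthetic_list(sides=SIDES, rolls=ROLLS_PER_WORD):
    """Constructed stand-in for the real list: every key maps to the made-up word 'w<key>'."""
    return "\n".join(f"{k}\tw{k}" for k in sorted(all_roll_keys(sides, rolls)))


# Constructed two-roll list (36 entries) damaged in the two ways the post warns about:
# 'elba' is listed under two combinations, and the combination 66 is missing.
DAMAGED_LIST = (synthetic_list(rolls=2)
                .replace("11\tw11", "11\telba")
                .replace("12\tw12", "12\telba")
                .replace("\n66\tw66", ""))


def demo():
    """Report on the damaged toy list, then a 10-word phrase from a sound synthetic list."""
    entries, dups = parse_list(DAMAGED_LIST)
    report = check_list(entries, dups, rolls=2)
    good, _ = parse_list(synthetic_list())        # full 7776-entry synthetic list
    return report, passphrase(good)


if __name__ == "__main__":
    report, phrase = demo()
    print("damaged list:", report)
    print("bits per diceware word:", round(bits_per_symbol(LIST_SIZE), 3))
    print("words for 128 bits:", symbols_needed(LIST_SIZE and 128, LIST_SIZE))
    print("8 random alphanumerics, in diceware words:", symbols_needed(8 * bits_per_symbol(62), LIST_SIZE))
    print("10-word passphrase from the synthetic list:", phrase)
```

check_list reports the two list defects the post tells you to look for, plus keys that cannot be rolled at all; symbols_needed reproduces the post's figures (10 words for 128 bits, and 8 random mixed-case alphanumerics coming to under four words). The hypothetical "w<key>" words exist only so the toy list is complete; swap in the real list text and the same checks apply.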
I'm sorry, but the record referred to (see the article) is on...high-bandwidth, ultra long-distance transmission[s]. We're not talking last-mile here, we're talking a distance of 4000 kilometers (2500 miles), roughly the distance between Orlando, Fla., and San Diego (article). That's a little different, wouldn't you agree?
-- m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.
A quick run-down of what ORBZ is (i.e. was)
on ORBZ Shuts Down
Score: 5, Informative
ORBZ never came into as widespread use as it perhaps deserved, so a lot of slashdotters might be left wondering what exactly it is (was): The short story is that it is a replacement to the now-dead ORBS, which stood for "Open Relay Behaviour-modification System", and was basically a system of centrally "policing" open mail relays by occasionally testing them with scripts. Any system that failed the test eventually entered ORBS's "black list", which some mail admins used to bounce email with a path through them. Well, that project died, so ORBZ was born: the "Open Relay Blackhole Zones". Now, it too, is dead. And we can go back to blocking the whole of china, rather than just open relays on it. shrug.
-- m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.
(Moderators: read both links in write-up completely before attempting to mod this post.)
...to deliver a unique and compelling PDA solution
Blow-by-blow:
The Sharp Zaurus SL-5500 combines state-of-the-art Sharp technology and Sharp innovation,
mmmmm, pointy...
a) it's the only one like it, b) you need it...
The Sharp Zaurus SL-5500 offers everything from mobile communications to mobile multimedia;
All in a convenient portable form.
keyboard integration and dual expansion [slots] deliver one of the most versatile and flexible PDA solutions on the market today.
Ooooh, versatile and flexible. Next to that and the mobile multimedia and the mobile communications that make it a unique and compelling PDA solution, my only question is,
What's it do?
(beyond the palm stuff, obviously)
--
m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.
email me (click my user info for addy) if you're interested.
the other day was several years ago. not sure win2k was even out yet :)
above notwithstanding, I did hear the same woes on #linux several days ago: "why does my suse still fsck so long", with a response of "hey, just be glad that it cks out at all: you dont want to ask me what the worst that can happen with an inopportune power outage is...found that out the hard way."
--
m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.
email me (click my user info for addy) if you're interested.
Before I begin: click here if you're a "-1: off-topic" weilding stifler of discussions.
:(
[Note that this is read-only so far. Now say oooooh and back away from the moderate button.]
Now then, on to my story:
So the other day this microsurf's telling me about how NTFS has journaling, started taunting me about my eight-minute fscking those sixty gig puppies, and I admit it kind of had me kind of almost maybe a bit uncomfortable, not envious mind you, just a bit, mostly it was just a little hot in the room is all. I excused myself, saying I had to google, and that I would be right back. Five minutes later, I had my response. (And implemented, too! Download today.)
Moral of this story? Turn off those [domain] tags in your preferences if you haven't yet! It totally ruins my train of thought
--
m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.
email me (click my user info for addy) if you're interested.
google cache:
"
Tree Closes for Mozilla 1.0
The tree just closed in preparation for Mozilla 1.0, and so far, it's looking promising. What does the tree close mean? This time around, as drivers have been in control of the tree for the entire milestone, the actual process won't change, but drivers approval will begin to get harder and harder to get for a checkin. As we approach 1.0, we'll keep you up to date on current status and other interesting news.
"
Incidentally, at the time Google cached that, it had zero comments. That was fast.
Anyway, I'm kind of disappointed. This is like the Year 2000. I always pictured some cool technological advance when we hit the y2k figure, but we didn't suddenly have anything special. In the same way, I always thought that when Mozilla finally hit 1.0, it would be this super-stable, killer ap with special competition-eradicating I-Need-Thats that make any other alternative simply laughable. Instead, 1.0 is just a glorified 0.9.9.998
Oh well.
(On a side note, when did we all stop saying Un*x for Unix. I think 'taco was one of the first people I heard saying this...)
--
m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.
email me (click my user info for addy) if you're interested.
"Web sites also face stiff competition from other online services".
All the same, I think I like the kind of blatant misinterpretation of statistics that it uses to further its claim.
Consider:
a typical day, March 2000:
a typical day, March 2001:
Now let's do a little math. Average time per online session, March 2000? 90 minutes. Average time per online session, March 2001? 83.3 minutes.
Amazing. Just by replacing an hour and ten minutes of TV with an hour and ten minutes online, you've just reduced your average online session by 7 minutes, while increasing your time online by 38%.
In other words,
according to a survey by the Pew Internet & American Life Project in Washington, people averaged 90 minutes per online session. A year later, when the same people were polled, that number had dropped to 83 minutes.
Remember, there are three kinds of statistics: lies, damned lies, and the kind of wanton abuse of mathematics that makes you waste fifteen minutes bitching about it on slashdot.
Live and learn.
--
m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.
email me (click my user info for addy) if you're interested.
my papa always said, ..."if you can't beat 'em, join 'em." :)
Ximian Connector is a unique client software extension that allows Linux and UNIX users of the Ximian Evolution groupware suite to manage personal information and collaborate with Windows-based co-workers using Microsoft Exchange 2000
--
m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.
email me (click my user info for addy) if you're interested.
Now then. Let the games begin.
........
First of all, here's a bit of a rant. Let me disagree strongly with Darko Kirovski, the "cryptography [...] researcher at Microsoft" (article) who created the prototype, when he says:
Now, I'm just an average slashdot user. I've never worked with anything that is worth so much as protecting my keyboard from being TEMPEST-ed as I type my password. I'm certainly no cryptography expert.
But even *I* know that you can create easily memorizable passwords 20 characters long, and, in fact, far longer.
First of all, let me introduce you all to diceware. Diceware, slashdot. Slashdot, diceware. (How do you do, how do you do).
Now diceware here is run by a guy who knows about security. He's paranoid. He doesn't just "come up" with passwords while trying to avoid using any obvious components -- oh, no, he generates them completely randomly, and accepts whatever he comes up with as his password. So randomly does he generate his passwords, in fact, that he uses casino dice rather than trusting any kind of hardware.
But wait, it gets better.
How does diceware work? Basically, you use dice to choose a group of short English words that, since they're words (or can be treated as words by a human, such as the "word" ijk), are easy to remember.
More specifically, you roll a die five times, and put the five numbers together and find the corresponding word. (For example, if you roll 2, 6, 3, 1, 5, you search the list for 26315 and find that your word is "Frank").
The only caveat is that before using this list, you should manually (or with a program of your own design) check to make sure 1) that no numerical combination is missing and 2) that no word is associated with more than one combination.
In other words, you shouldn't trust the guy who made diceware, and you don't need to. It's just the principal of the thing -- a list of unique items on a one-to-one ratio with a range of numbers, each of the items of which is easier to remember than a mere number. (But, because there are equally many of them, will be equally "random".)
Now let's do a bit of analysis together of how secure this is.
Now let's rip apart Kirovski's statement that you can't remember 20 characters.
Before we do, let's point out that no one needs 20 characters, since even if you take a "character" to mean just any of the 94 ASCII values that a user can easily type, we'll even exclude the tab and space, this comes to (6.5545888 bits of entropy per one-of-94-characters * 20 characters=) 131.0917 bits of entropy. That's more than 128 bit encryption needs for a secure key! And this includes only the following characters:
! blah " this # lameness $ filter % really & sucks ' don't ( you ) agree * of + course , you - do . / 0 1 2 3 4 5 6 7 8 9 : ; ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~
Obviously, if you include more in the definition of "character", then the amount of entropy in 20 characters becomes ridiculous.
But for now, let's assume that Kirovski really did mean 20 characters, as I have defined them, or 128 bits of entropy. Is this "easily memorizable"? Sure is, if you use diceware.
For each word, we'll roll a die five times and get 12.92 bits of entropy. This means we need 10 words to get 128 bits.
Here are my results:[4]
65566 35115 24266 14326 54314 63345 41616 12265 44346 56243
I look these up in the word list, and get:
"56 junk elba bleat lard wacky sermon annex one swept"
as my pass-phrase. Is this "easily memorizable"?
Sure is:
Picture: arm stretching borders of alaska over canda.
It took me less than thirty seconds to come up with vivid pictures for this, then another minute to associate these sentences and pictures with the actual words (bleat for bleating, swept for sweep or sweeping) and if I remind myself of it in a few minutes, then in a few days, then in a week or two, I'll have it known forever. Compare that with memorizing:[6]
JLEwx;+?o9bH`"|6r%Bo
And you see why diceware is a good idea.
The fact that someone who is a supposed expert in this doesn't know about it is in my opinion inexcusable. (Of course, he might know that twenty characters' worth of entropy can easily be made to be memorizable, but his statement does not reflect this.)
Incidentally, it takes me between six and seven seconds to type "56 junk elba bleat lard wacky sermon annex one swept" carefully enough that it's accurate without my checking it as it appears on the screen (I just closed my eyes and did this five times in thirty-one seconds.) And more than twice as long to type the random 20-character word, if I look at the characters as they appear, even though I use every one of those non-alphabetic characters frequently enough to be able to "semi-touchtype it" (might not hit it on the first try, but I know where it is and I don't look at the keyboard -- in fact, I couldn't now because I use a weird international one. [shrug] But semi-touchtyping doesn't help you when you see *'s instead of the characters...)
As for how much security the average person needs (we're not talking 128 bits here):
well, if you consider an 8 character random combinations of A-Z, a-z, and 0-9 that's 5.954196 bits of entropy per letter * 8 letters = 47.6335 bits of entropy, or less than four diceware words' worth. For example,
56 junk elba bleat.
You don't even need spaces (although I find it easier to type with them) since no diceware word includes a space.
Can you believe it, a simple thing like "56 junk elba bleat" being more secure than a completely random 8-letter mixed-case, alphanumeric word? Wow.
Okay, I've run out of steam. That ends my diceware rant, and I'll address this whole nifty picture thing now.
First let me offer these final notes, which didn't fit into my discussion above.
Okay. Rant ends here.
........
Back on topic:
From the article: "The key -- images, which tend to make more of an impression on people than strings of text characters."
This is true, but it is equally true that it is more difficult to uniquely identify member of a given set of pictures than it is to identify a member of a given set of words.
Picture the face of the last high school English teacher that taught you. Now, this is a fine part of a password, because you can choose it randomly from a large list of objects (people you know), and you will remember that it's your password. (Or rather, it and a few more like it).
That is, if I told you that of the 2000 people you know, the following eight faces, in that order, are now your password, you will have very little difficulty remembering them and their order.
However, how will you make a selection 8 times from one of 2000 people? Supposing you know their names also, you can alphabetically list four at a time, doing a double-binary search (for example, A-M at the top, M-Z at the bottom, and the right side is the upper half of each of these ranges and the left side is the lower half).
You now need to make 5.482892 selections to select each of your 8 faces. That's 43 mouse clicks, each one followed by scanning four faces.
Of course, this is based on knowing the names associated with each face, and it would be easier just to type those in. In which case we're back to diceware.
If you don't know their names, however, just how will you select from 2000 faces? Well, maybe you can mimic the binary search with a selection from characteristic skin color, eye shape, etc. If you spend a few hours learning "human facial classification", I bet you can select just about any face you recall in eight or nine mouse clicks.
However, I doubt most people would be too keen on learning to input a bunch of characteristic features. (Even if the 2000 people aren't really people, but people from "Guess who?", who have either a large or small nose, either are wearing a hat or aren't, etc.[7])
The more specific method the article mentions, selecting a particular pixel range within a person's face, isn't something that people do on a daily basis (so much as memorizing and recognizing faces is), so I doubt most people could remember whether it's Mary's lower-right lip followed by where a dimple would be on her right cheek, then the middle of her left eyebrow, or the other way around. It's just not doable.
Okay, I need to go now. Enjoy the weekend, all.
~lts.
You can skip step (1) if you make a contract with yourself that if you ever roll a combination that for some reason isn't on the list, you will take the time to make a word that is not on the list, and use that instead.
We'll note that hardly anyone uses the full ASCII set, including control characters, in their passwords, but I suppose it's possible to use every character besides carriage return (and maybe even that), depending on the implementation.
There are only 96 keyable characters in the ASCII standard before all the international extensions and so forth, which include the tab and the space.
[4] If you want, you can follow along (and see that I didn't artificially select a particularly easy combination):
#include <iostream>
#include <cstdlib>
int main(int argc, char* argv[])
{
std::cout << "Unseeded demo. NON-SECURE!" << std::endl;
// 94 printable ASCII characters, '!' (33) through '~' (126); rand() is deliberately left unseeded
for (int i = 0; i < 20; i++) std::cout << char(rand() % 94 + '!');
std::cout << std::endl;
return 0;
}
(You can add indentation, I remove it because of the lameness filter.)
[5] Napoleon's last battleground, I guess. Famous palindrome: "able was I ere I saw elba".
[6] this example from unseeded:
for(int i = 0; i < 20; i++) cout << char(rand() % 94 + '!');
cout << endl;
[7] As an aside, I figured out binary searching all on my own in playing Guess Who as a child. I figured out that the most efficient way of ending up with the opponent's person is, at each question, to pick a characteristic that only exactly half of my remaining choices had -- sometimes this involved making up questions like: "Okay, does your person EITHER have a hat OR a moustache (or both?). Yes or no?"
(Actually, I soon realized that I could get an answer faster by saying "does your person have any of the following:", for that particular form of the question, but that doesn't apply to all boolean expressions I asked).
--
m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.
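Worked numbers for the comparisons in the comment above (four Diceware words against an 8-character random password, and eight faces picked from 2000 with four-way selections), as an added Python example that is not part of the original comment. The 7776-word list size is the standard Diceware list (6^5), and the 94-character range is the one the unseeded rand() demo in [4] draws from; both are assumptions stated here, not figures from the comment.

```python
import math

# Constructed parameters for the schemes discussed in the comment.
DICEWARE_LIST = 6 ** 5        # 7776 words: five dice rolls select one word (assumed standard list)
MIXED_ALNUM = 26 + 26 + 10    # mixed-case letters plus digits = 62
PRINTABLE_ASCII = 94          # '!' .. '~', the range rand() % 94 + '!' produces in [4]
FACES = 2000                  # "the 2000 people you know"


def bits(choices: int, picks: int) -> float:
    """Entropy in bits of `picks` independent, uniform choices from `choices` options."""
    return picks * math.log2(choices)


def passphrase_bits(words: int = 4) -> float:
    # "56 junk elba bleat" is four Diceware words.
    return bits(DICEWARE_LIST, words)


def random_password_bits(length: int = 8, alphabet: int = MIXED_ALNUM) -> float:
    # Default: the 8-character mixed-case alphanumeric password the comment compares against.
    return bits(alphabet, length)


def face_password_bits(faces: int = 8, pool: int = FACES) -> float:
    # Eight faces chosen in order from a pool of 2000 acquaintances.
    return bits(pool, faces)


def selections_per_face(pool: int = FACES, fanout: int = 4) -> float:
    # Number of fanout-way choices needed to single out one of `pool` items: log_fanout(pool).
    # With four faces shown per screen this is the 5.482892 the comment quotes.
    return math.log(pool) / math.log(fanout)


def total_selections(faces: int = 8, pool: int = FACES, fanout: int = 4) -> float:
    # Mouse clicks for the whole password; the comment rounds the 43.86 down to 43.
    return faces * selections_per_face(pool, fanout)


def words_for_bits(target_bits: float, list_size: int = DICEWARE_LIST) -> int:
    # Smallest number of Diceware words whose entropy reaches `target_bits`.
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(f"4 Diceware words:         {passphrase_bits():.2f} bits")
    print(f"8 mixed-case alnum chars: {random_password_bits():.2f} bits")
    print(f"8 faces from 2000:        {face_password_bits():.2f} bits")
    print(f"selections per face:      {selections_per_face():.6f}")
```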
I'm sorry, but the record referred to (see the article) is on ...high-bandwidth, ultra long-distance transmission[s].
We're not talking last-mile here, we're talking a distance of 4000 kilometers (2500 miles), roughly the distance between Orlando, Fla., and San Diego (article).
That's a little different, wouldn't you agree?
--
m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.
ORBZ never came into as widespread use as it perhaps deserved, so a lot of Slashdotters might be left wondering what exactly it is (was):
The short story is that it is a replacement for the now-dead ORBS, which stood for "Open Relay Behaviour-modification System", and was basically a system of centrally "policing" open mail relays by occasionally testing them with scripts. Any system that failed the test eventually entered ORBS's "black list", which some mail admins used to bounce email with a path through them. Well, that project died, so ORBZ was born: the "Open Relay Blackhole Zones".
Now it, too, is dead.
And we can go back to blocking the whole of China, rather than just open relays on it.
shrug.
--
m iso socially aware artistic geek pen-pal, m or f, in '1337 edu. jazz, poetry a must.