“NSA Prism: Why I’m boycotting US cloud tech – and you should too”

It is with great sadness that I have to agree with this article.

When I was growing up, we were taught that the US was the greatest nation on Earth. There was even some evidence that objectively supported it — the Manhattan Project (and the fact that we were so collectively horrified at the fates of Hiroshima and Nagasaki that we had never again used atomic weapons on that scale)… the race to the Moon in the sixties… the semiconductor revolution in Silicon Valley, which was just getting underway as I reached my teen years.

There was also evidence that all was not well in the Republic. The Watergate scandal, the Kennedy assassination, the Iran-Contra affair, and God only knows what else. This, of course, was all played down whenever someone had the temerity to mention any of it.

All through the nineties I lived and worked a stone’s throw from Washington DC. I read a number of articles from both of the local papers (conservative and liberal), and I saw politics play out in a way that few people outside that area ever see. And what I saw emerging was ever-more-ruthless politicians bent on gathering ever-more power to themselves. Even people elected with the best of intentions got sucked into the trap and corrupted.

Since the turn of the century, I’ve seen privacy abuses by everyone from the governments to small companies. Honesty and integrity? If it’s the US government (or at least some parties in other countries’ governments), you might as well label every reassurance they offer as a convenient lie. Ditto any publicly-held corporation — even if they’re telling you the truth now, they will change their tune the moment it’s more profitable to do so (because publicly-owned corporations are evil by definition). Privately-held companies and individuals might tell you the truth, and have the integrity to stick to it, but you have to be suspicious there too, unless they explicitly provide proof.

The law? George Bush Junior ignored it whenever it was inconvenient, and Barack Obama has picked up that idea and enthusiastically run with it. Both should have been impeached before the end of their first terms. In a long life of being disgusted by politicians, I have never been as disgusted as I am now.

I wish this week’s NSA “PRISM” leaks were as shocking as they are appalling, but to anyone who has paid the slightest attention in the last few years, the only shocking thing about them is that some brave individuals had the cojones to leak them. The rumors I’m hearing about the government wanting to prosecute the news organizations that dared to publicize the information only reinforce my opinion that the US is headed down the easy path toward totalitarianism.

If you’re a US citizen, I urge you to fight this political corruption — voting out any politician who dares to publicly endorse the PRISM system is a good start. If you’re not, read the article and consider boycotting any tech company with access to your data that is subject to US law, and be sure to tell them why. If major companies stop giving campaign contributions to politicians who trample people’s privacy, those politicians will sit up and take notice. They certainly won’t pay attention to anything else.

“A Really Good Article on How Easy it Is to Crack Passwords”

Has anyone mentioned recently that you should use really strong passwords — or how hard it is to come up with them?

I use truly random passwords, generated (and kept track of) by LastPass, for most sites; for the ones that need to be remembered, I’ve got a pretty good password-selection algorithm (which I can’t describe or I’d have to change it). Essentially none of my passwords can be guessed; they’d have to be attacked by brute force. The bad part is that the vast majority of people use passwords that are weak to password-guessing, and that’s not likely to change because those are the only passwords they can easily remember. Worse, they use the same password on multiple sites, so when one site is compromised, many of the others they use will also be.

Is there a better way? No one has come up with one yet, but there might be.

Most current thinking on this subject focuses on trying to slow down password guessing. That does very little, because you can’t make a password algorithm too slow or the site itself won’t be able to check it.

Two-factor authentication can be used against this sort of thing, but it has limited applications, because it slows down access to the site and costs more to implement. It will never be used for more than a few sites, at least as it’s currently designed — at most, maybe your bank, your social media account, and your company VPN access, since those are the ones that are presently the most valuable targets. For run-of-the-mill sites, it’s just too costly and too much of a hassle.

Here’s an alternate thought: what about using a two-website authentication system?

  • The first site takes the password you provide (which may be very weak, or shared between multiple sites — it doesn’t matter) and uses it to create a decryption key, with which it decrypts some data (which was randomly generated and encrypted with your password when you created your account).
  • The second site uses the decrypted random bytes from the first site as your actual password and lets you in.

The only way mass-password-guessing attacks can work is if an attacker can get ahold of the password file for a site. Then programs on his own system guess common passwords and see if they match the verification data for the password. With this setup, he would need the password files from both sites in order to attack either. Assuming the two sites are on different machines, and managed by different people, that should be exponentially more difficult than stealing the password file from only one.

If he only has the password file from the first site, there’s no way for him to know what random bytes the site came up with, or what password was used to encrypt them, because there’s no way to verify them without the second site’s data. He can guess passwords all day long, but with no way to verify them except by contacting the second site (which could be detected with trivial work), it does him no good.

If he only has the second site’s password file, the passwords themselves are completely random data — he has nothing to guess, because the guessable passwords are only related to the random data by entries in the first site’s password file.
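The split described above can be sketched as follows. This is an added example, not code from the original post; the class names, the XOR-with-PBKDF2 encryption, the iteration count and the sample passwords are all assumptions chosen for illustration. The encryption is deliberately unauthenticated: an integrity tag or padding check on the first site would give an attacker exactly the offline verifier the design is meant to withhold.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 10_000  # assumption: low so the demo runs fast; tune upward in practice


def pad(password: str, salt: bytes) -> bytes:
    """32-byte keystream derived from the (possibly weak) password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=32)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class FirstSite:
    """Stores salt + password-encrypted random bytes, and no password verifier."""

    def __init__(self):
        self.password_file = {}

    def enroll(self, user: str, password: str) -> bytes:
        salt, secret = os.urandom(16), os.urandom(32)
        self.password_file[user] = (salt, xor(secret, pad(password, salt)))
        return secret  # sent to the second site once, at account creation

    def decrypt(self, user: str, password: str) -> bytes:
        salt, blob = self.password_file[user]
        return xor(blob, pad(password, salt))  # any password "decrypts" to 32 bytes


class SecondSite:
    """Stores only a hash of the random bytes, which serve as the real password."""

    def __init__(self):
        self.password_file = {}

    def enroll(self, user: str, secret: bytes) -> None:
        self.password_file[user] = hashlib.sha256(secret).digest()

    def login(self, user: str, candidate: bytes) -> bool:
        return hmac.compare_digest(self.password_file[user], hashlib.sha256(candidate).digest())


def demo():
    first, second = FirstSite(), SecondSite()
    second.enroll("alice", first.enroll("alice", "letmein"))  # constructed weak password
    salt, blob = first.password_file["alice"]  # what a thief of site one's file holds
    guesses = {g: xor(blob, pad(g, salt)) for g in ("123456", "letmein", "qwerty")}
    # Offline, all three outputs look equally random; only the second site can tell.
    return {g: second.login("alice", out) for g, out in guesses.items()}
```

Because the second site stores a hash of 32 uniformly random bytes, its file alone gives a password-guessing program nothing to work with, and every guess against the first site's file has to be tested as a login attempt that the second site can see and rate-limit.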

Any two sites with similar levels of traffic could set up an agreement where they’d be each other’s second site.

There are some potentially major problems to overcome with this design. The most obvious:

  • If either site is down, then neither can serve their users.
  • If either crashes and has to be restored from a backup, the other site would have to restore the password file from the same time, or any user that changed passwords between those times would be locked out.
  • Changing passwords might be interesting, in the sense of the ancient Chinese curse “may you live in interesting times.”

On the other hand, the system would provide a defense-in-depth that would be hard to beat, and would allow users to continue using their current weak, shared passwords without the problems presently associated with them.

Will anyone try it? I doubt it. No one expects their site to be compromised (except security experts), and if it is, the consequences to the site’s owner are generally negligible so there’s nothing to drive people to overcome the problems mentioned above. Then again, you never know. Maybe government regulations will drive some people to try it, someday. Maybe some site will realize their vulnerability and start looking for ways to reduce it (and if so, I hope they read this page). Maybe the general public will just generally get more security-conscious over time, or start demanding that the sites they use provide this level of security.

In any case, it’s an interesting idea.

“Up With Grups: The Ascendant Breed of Grown-Ups Who Are Redefining Adulthood”

What are “grups,” you might ask? It’s from the original Star Trek:

“Grups” is a nerdy reference to an old Star Trek episode in which Kirk and crew land on a planet run entirely by kids, who call grown-ups “grups.” All the adults have been killed off by a terrible virus, which also slows the natural aging process, so the kids are trapped in a state of extended prepubescence. They will never grow up. And they are running the show.

It seems that “grups” are taking over Earth now too:

This is an obituary for the generation gap. It is a story about 40-year-old men and women who look, talk, act, and dress like people who are 22 years old. It’s not about a fad but about a phenomenon that looks to be permanent.

It seems that forty-somethings wearing jeans and sneakers, refusing to shave (and proud of it), listening to iPods, playing computer games, quitting office jobs to work for themselves — generally refusing to do what their parents referred to as “grow up” — are becoming common enough that we need words to describe them.

(I almost qualify as one. I always wear jeans and sneakers, have worn a full beard for decades, listen to an iPod while walking or mowing the lawn, play computer games several times a week, have made my living working for myself from a home office for the last twelve years, and proudly wear a t-shirt that says “growing old is inevitable, growing up is optional.” I’m not quite as “hip” as the article describes though… I usually get up early these days, and there’s a lot of modern music that I hear that I don’t care for, for instance.)

The article is well worth a read, no matter what your age or “grupness.”

“An Autistic Mind Opens Mine (Can It Open Yours?)”

In the two years since I discovered that my condition had a name, I’ve learned a lot about autism. This article, from the blog that originally drew my attention to it, has a very good summary of it — and indirectly points out that, despite the challenges that it creates, a little autism can be a very good thing:

Grandin’s soapbox last night was that people with autism fall all along the spectrum, and that the limitations people with autism face range from terrible handicaps to barely any. TI and NASA are full of people on the spectrum, she joked (but wasn’t kidding). And she pointed out that Steve Jobs had personal hygiene issues early on, just as she did.

If you have any interest in autism or the brain in general, the article is worth a read.

“NASA-backed fusion engine could cut Mars trip down to 30 days”

I didn’t realize that we had the technology needed for fusion engines yet!

A common theme on this blog is science advances that were anticipated or inspired by science fiction, and this one is no exception. This fusion engine sounds very much like the fictional Lyle Drive mentioned at the beginning of Robert Heinlein’s famous work Stranger in a Strange Land, published in 1961:

The first human expedition to Mars was selected on the theory that the greatest danger to man was man himself. At that time […], an interplanetary trip made by humans had to be made in free-fall orbits — from Terra to Mars, two hundred fifty-eight Terran days, the same for return, plus four hundred fifty-five days waiting at Mars while the planets crawled back into positions for the return orbit. […]

A quarter of an Earth century passed before Mars was again visited by humans. […] Federation Ship Champion […] made the crossing under Lyle Drive in nineteen days. […]

It would be proper homage to a great master of science fiction if this as-yet-unnamed interplanetary drive were called the “Lyle Drive.” NASA: hint, hint. 😉

“The healing hands of guru Dabbs”

I’ve mentioned a couple times before that machines just seem to like me. Apparently I’m not alone:

The one thing I do have in my favour is fairy dust: I have the innate ability to correct computer problems, especially software issues, by magic.

Allow me to explain. Have you read in the more fantastical papers about individuals who are incompatible with modern electronics? You know, when they go near a computer, TV set or even a washing machine, the device starts acting up? Well, I’m the opposite: when I go near a computer that a user says is not working properly, it mysteriously seems to sort itself out without me doing anything.

He writes tongue-in-cheek, but he may well be telling the truth about that.

More circumstantial evidence that there’s more to the universe than science presently admits… or perhaps that this can’t possibly be the real universe. 😉

“When Technology Overtakes Security”

Bruce Schneier, the well-known security expert (warning: that’s an extremely tongue-in-cheek encryption-geekery fan-site), has a new essay on his (real) site today, and it touches on a subject that I’ve talked about before: how at some point in the near future, technology will make it possible for single individuals or small groups to cause destruction on a massive scale.

As I said in that article, the only way you’ll be able to protect yourself at that point is by demanding that your government enforce a minimum level of mental health on its citizens… something that will produce a society that we would recognize, but would hardly believe possible today.

For those who have followed my own journey toward mental health with interest (I know there are at least a handful of you 😉 ), here’s an update.

My discovery of false beliefs has slowed to a trickle. In the last couple months I’ve only found two. One was related to self-esteem, and may well have been the original root of all my self-esteem issues. It was something so utterly ridiculous that I’d be embarrassed to describe it, and odd enough that I doubt anyone else would have it.

The other had nothing to do with self-esteem, but was making it difficult to do things that I wanted and needed to if they were at all repetitions of something I’d already done — and when you think about it, once you reach your twenty-fifth or thirtieth birthday (occasions I’ve long since passed), just about everything is repetitious in some way. I’m not certain that I’ve dealt with that one fully yet; I can’t trace it to specific memories like most of the others, I only know what must have happened, based on what I know about my parents and how I reacted to such things. We’ll see over the next few weeks whether that worked; there may be more to do on it.

Other than that, everything seems stable. I’m still far happier than I was before I started… not euphoric, but a deep happiness that persists regardless of my surface emotions. Nothing seems to keep me down for more than a day now (far better than a six-month major depressive episode, a black hole that I was sucked into on a regular basis for most of my first thirty years of life). I’ve even stopped taking antidepressants, which were the only things that kept me going before learning about false beliefs and how to eliminate them.

I’m able to do things that I would never have considered before. I’m still socially awkward, but I’m no longer anxious about it, and I’m sure I’ll be able to improve it when I get around to devoting some time to the problem.

Life still isn’t a bowl of cherries, but it’s improving rapidly. 🙂

“New nuke could POWER WORLD UNTIL 2083”

If this works as advertised, it could be the solution to all our power problems. I can’t see how or whether it could work (I don’t follow the bit that says “the fluid is then pumped into a graphite core to induce a reaction and generate heat,” given that the fuel is basically radioactive waste from conventional nuclear plants and isn’t supposed to have the kick to generate anything but waste heat), but if it does, we’ve got a winner.