A Personal Blog
Archive for July, 2004
Grrr @ PayPal
Jul 30th
Gah.
Just tried to make a payment for something using my PayPal credit card. PayPal declined the transaction. No biggie, it wasn’t an urgent purchase. So I login to my PayPal account and find that the money has already been debited, and has a status of “pending”.
So, I call PayPal up, sure that this can be straightened out. I mean, I’ve had a lot of really good experiences with PayPal support in the past. Never a negative one.
Yeah, I call them up and explain this to them. The response? “The transaction is being authorized. It will take 10 business days for this to clear.”
…
Yes, that’s right. The transaction will be declined. The funds are being “authorized” back to me. This will take 10 days. In the meantime, the online service (no, nothing like that :p) I’m buying can’t be bought because I don’t have enough cash in my account (shy by 30 bucks).
Gah!
System Administrator Appreciation Day
Jul 30th
Can’t believe I forgot to mention this! Today is SysAdmin appreciation day!
G’won, give your SA a huge, a mug and a free lunch! :-D
(for those who are wondering, yes, I observe the ‘secretary’, ‘boss’, etc days by doing this for my respective coworkers)
For a lark, here’s UserFriendly’s cartoon on the subject.
My ClipBlog
Jul 30th
Just highlighting a feature I’ve come to love at Bloglines: my ClipBlog. It’ll generally be a quick quote from what someone else has posted that has caught my eye. The byline should be description enough:
What I find interesting from business, tech, and whatever else hits my radar. Sometimes it’ll be messy, but then bugs on the windshield normally are.
There are already a few subscribers, but I thought I’d point it out since it’s something I use regularly (even when I’m not blogging).
Friday Time Waster
Jul 30th
Haven’t posted one of these in a while, but here’s a very cool time waster. My high score is 3500.
Don't Use a Password
Jul 30th
Here was me thinking there’d be nothing to blog about….
Just over two weeks ago, I wrote a completely idiotic blog post. Stupid in fact, about how to make simple, secure passwords.
Of course, one of my readers showed me my stupidity, and I thank him for it. He advocates passphrases.
Well, today an Incident Response Specialist (big head security dude) for Microsoft wrote a fantastic post outlining this in great detail.
In his first blog post evah (!!!) Robert Hensing (background available via Google) talks about passphrases in great detail.
Some really choice quotes?
Worse still, attackers (either automated or human) don’t even need to GUESS the password. There are hacking tools a-plenty that will let a miscreant sniff your network traffic to scoop out authentication material for the LM, NTLM and Kerberos protocols and then brute-force that material back into a working password. Sure you can protect the network with segmentation, encryption (IPSec etc.) and even 802.1x and I’m a big fan of all of these concepts, but really they just workaround an issue that you still need to address. The inherent vulnerability in your network which is – the password.
So here’s the deal – I don’t want you to use passwords, I want you to use pass-PHRASES. What is a pass-phrase you ask? Let’s take a look at some of my recent pass-phrases that I’ve used inside Microsoft for my ‘password’. “If we weren’t all crazy we would go insane“ (Jimmy Buffet rules) “Send the pain below!“ (I like Chevell too) “Mean people suck!“ (it’s true)
So why are these pass-phrases so great? 1. They meet all password complexity requirements due to the use of upper / lowercase letters and punctuation (you don’t HAVE to use numbers to meet password complexity requirements) 2. They are so freaking easy for me to remember it’s not even funny. For me, I find it MUCH easier to remember a sentence from a favorite song or a funny quote than to remember ‘xYaQxrz!’ (which b.t.w. is long enough and complex enough to meet our internal complexity requirements, but is weak enough to not survive any kind of brute-force password grinding attack with say LC5, let alone a lookup table attack). That password would not survive sustained attack with LC5 long enough to matter so in my mind it’s pointless to use a password like that. You may as well just leave your password blank. 3. I dare say that even with the most advanced hardware you are not going to guesss, crack, brute-force or pre-compute these passwords in the 70 days or so that they were around (remember you only need the password to survive attack long enough for you to change the password).
