Thursday, June 28, 2012

Yet another wacky security scheme

Passwords are easy to get wrong.  Trying to make people come up with "stronger" passwords just makes it worse.  Security questions just provide another avenue of attack, probably an easier one.  So, ladies and gentlemen, may I introduce to you: The security word.

"What is it?", you may later regret asking.

You give the site a "security word".  Later, they will ask you not for the whole word but for a few randomly selected letters from it, for example the second, fifth and eighth, and next time it might be the first, fifth and sixth (note to self -- lopado­temacho­selacho­galeo­kranio­leipsano­drim­hypo­trimmato­silphio­parao­melito­katakechy­meno­kichl­epi­kossypho­phatto­perister­alektryon­opte­kephallio­kigklo­peleio­lagoio­siraio­baphe­tragano­pterygon may not be the best choice for this exercise).

If you picked, say, security, and the system asks for the second, fifth and eighth letters, you would give 'e', 'r' and 'y'.  If someone's looking over your shoulder, how much information do they have?  Let's fire up the old UNIX shell and count the dictionary words with those letters in those positions:

$ grep '^.e..r..y.*' /usr/share/dict/words | wc -l
84

So there are 84 words in the dictionary on my system that have 'e', 'r' and 'y' in those positions, or about six bits of entropy (log2 84 is roughly 6.4).  Most of them are words like ventrohysteropexy and dextrogyratory that people are unlikely to pick, so the real number of plausible choices is much smaller.  The person who helped me set up the account in question recommended something "easy to remember".  Odds are it's "security".

If not, all an attacker has to do is guess the letters that the site asks for next time.  There's a good chance that at least one of them will be a position the attacker has already seen.  For the unknown positions there won't be many choices, because only the letters that appear there in the surviving dictionary words are worth trying, and every further challenge the attacker watches cuts that list down again.  Without looking at the list, I'd bet that 'q' isn't on it and that 'e', 't' and a few others cover most of the possibilities.  Even without having looked over your shoulder, an attacker would know just from the security word being English that certain letters are better to try in certain positions.
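The attack described above, written out as an added example (this is not code from the original post). It filters a word list by the letters seen over the shoulder, reports how many bits of entropy survive, and then ranks the possible answers to the next challenge. The word list is a small constructed stand-in for /usr/share/dict/words, and the ranking heuristic (try shorter, more memorable words first) is an assumption of mine rather than anything the post states.

```python
"""Model the shoulder-surfing attack on a 'security word' challenge.

Added example, not code from the original post. WORDS is a small constructed
stand-in for /usr/share/dict/words; the ranking heuristic (prefer shorter
words as "easier to remember") is an assumption, not something the post states.
"""
from collections import Counter
from math import log2


# Constructed sample dictionary. On a real system read /usr/share/dict/words.
WORDS = [
    "security", "severely", "demurely", "meagrely",
    "ventrohysteropexy", "dextrogyratory",
    "password", "secretary", "temporary", "necessary",
    "generally", "sentry", "monkey", "dragon",
]


def candidates(words, observed):
    """Words consistent with the letters seen at the given 1-based positions.

    observed maps position -> letter, e.g. {2: "e", 5: "r", 8: "y"}; this is
    the post's grep '^.e..r..y' expressed as a filter.
    """
    return [
        w for w in words
        if all(len(w) >= pos and w[pos - 1] == ch for pos, ch in observed.items())
    ]


def remaining_bits(cands):
    """Entropy left in the secret, in bits, given the surviving candidates."""
    return log2(len(cands)) if cands else 0.0


def letter_odds(cands, position):
    """How often each letter occurs at one position across the candidates."""
    return Counter(w[position - 1] for w in cands if len(w) >= position)


def ranked_answers(cands, positions):
    """Distinct answers to the next challenge, in the order an attacker tries them.

    Assumption: shorter words are more memorable, so their answers go first;
    ties are broken alphabetically. Duplicate answer tuples are collapsed.
    """
    answers = []
    for w in sorted(cands, key=lambda w: (len(w), w)):
        if len(w) < max(positions):
            continue
        ans = tuple(w[pos - 1] for pos in positions)
        if ans not in answers:
            answers.append(ans)
    return answers


def guesses_needed(cands, positions, secret):
    """1-based number of attempts until the true answer comes up, or None."""
    truth = tuple(secret[pos - 1] for pos in positions)
    order = ranked_answers(cands, positions)
    return order.index(truth) + 1 if truth in order else None


def run_attack(secret="security", seen=(2, 5, 8), next_challenge=(1, 5, 6)):
    """Shoulder-surf one challenge, then attack the next one."""
    observed = {pos: secret[pos - 1] for pos in seen}
    cands = candidates(WORDS, observed)
    blind = 26 ** len(next_challenge)  # guessing with no dictionary at all
    return {
        "candidates": cands,
        "bits_left": remaining_bits(cands),
        "odds_pos1": letter_odds(cands, next_challenge[0]).most_common(),
        "guesses": guesses_needed(cands, next_challenge, secret),
        "blind_guesses": blind,
    }


if __name__ == "__main__":
    result = run_attack()
    print(f"{len(result['candidates'])} candidates, "
          f"{result['bits_left']:.1f} bits left: {result['candidates']}")
    print("letter odds at position 1:", result["odds_pos1"])
    print(f"true answer reached in {result['guesses']} tries "
          f"instead of up to {result['blind_guesses']}")
```

With the constructed list, one observed challenge leaves six candidates (about 2.6 bits), and the follow-up challenge for positions 1, 5 and 6 is answered on the third try; position 5 is already known, and position 1 is 's' or 'd' in four of the six candidates. Against a real dictionary the numbers are larger but the shape is the same: the answer space is the set of distinct letter tuples among surviving words, not 26 to the power of the number of letters asked.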

So basically you have another hoop to jump through that adds minimal actual security and creates only the illusion of strength, while making the system harder to use.  Huzzah.

Wednesday, June 27, 2012

Where's the fire?

It's been a busy fire season in the Southwest, with hot, dry weather and an abundance of fuel.  While I'm generally skeptical about the world-changing potential of social media (ultimately, skeptical of the idea that a new technology is bound to have a great impact), that doesn't mean social media can't play a role.

One example is this fire map from esri (makers of geographic information systems (GIS) software).  Along with official data such as wind information from NOAA and fire perimeters from USGS, it includes layers for Flickr, Twitter, and YouTube activity.  The YouTube feature for some reason got stuck on the same video until I reloaded the page, at which point it worked fine.

The Twitter layer seems to be placed by the location of the person tweeting, not the location of the fire.  For example, someone in Fort Collins tweeting a Denver Post story about the Waldo Canyon fire over a hundred miles away is shown in Fort Collins, not where the fire is.  To be fair, it's a lot easier to locate the person tweeting than to figure out from the contents of the tweet that it's really about something somewhere else.

All in all, esri's map seems useful to me mostly for the official information.  The social layer is interesting, but by no means essential.  Searching for "Colorado fire" on Twitter search turns up many more tweets, at least as relevant as those from the map.  Likewise for a YouTube search.  Neither of these searches directly maps the location of the footage, but this doesn't seem like a great obstacle.  Wildfires are quickly given distinctive names ("High Park fire", "Waldo Canyon fire") and you can easily search on those.

And of course wildfires would quickly be given distinctive names.  People need to tell them apart.  If I live in Colorado Springs, I don't care much about the High Park fire, but I care a lot about the Waldo Canyon fire.  As a side effect, it's easy to search for information about a given fire without consulting a map.

And what does such a search find?  Among other things, quite a few links to, and videos from, local newspapers and TV stations.

In short, what does a social-media-enhanced map and search space look like?  A fair bit like one without social media, at least in the context of events with wide interest where there are well-developed traditional media sources.

But broadcasting was never really supposed to be the strong point of social media anyway.