Monthly Archives: September 2008

A Note About Security Questions

I saw a post at Schneier on Security this evening that I wanted to highlight.  In light of the Palin email hack incident, Bruce Schneier discusses the “extra security questions” that various websites will ask you to verify your identity in case you’ve lost your password.  You’ve seen these: the things like, “What was your first high school mascot?”  As Schneier points out, these are the opposite of increased security.  In fact, they can make you more vulnerable, because they are usually quite easy to figure out.

Let’s see… Colin grew up in Green Bay, WI.  Even counting the parochial schools and allowing that he might live as far away from Green Bay as, say, a radius of one county in any direction, that will leave us what, maybe a dozen school districts and perhaps two dozen high school mascots to try?  Hmm… what is harder to guess: an 8-12 character password of letters and numbers (36^8 + … + 36^12 = 4,784 million billion possibilities) to log in to my account, or a high school mascot (24 possibilities) to get the opportunity to pick the password to my account?  Even if I were from somewhere with a few more schools to pick from, say New York, the list is still, shall we say, “short” compared to the number of passwords an attacker does not have to guess.

Oh, and shucks… Looks like I just gave away the answer to “City you grew up in?”
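To put the comparison above in numbers, here is a small calculator added for this post (it is not from the original post or from Schneier’s). It computes the exact size of the 8-to-12-character, letters-and-digits password space the post estimates, the entropy in bits of each guessing space, and the average number of guesses an attacker needs for each; the 36-symbol alphabet and the 24-mascot estimate are taken from the post, and the `random_answer` helper (which generates the kind of password-strength “answer” suggested at the end of the post) is an assumption about how one would do that with a password manager.

```python
import math
import secrets
import string

# Added example, not code from the original post: quantify the gap between
# guessing a password and guessing a "security question" answer.


def keyspace_size(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct strings of length min_len..max_len over an alphabet.

    keyspace_size(36, 8, 12) is the post's 36^8 + ... + 36^12.
    """
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(num_possibilities: int) -> float:
    """Bits of entropy of a uniform choice among num_possibilities outcomes."""
    return math.log2(num_possibilities)


def expected_guesses(num_possibilities: int) -> float:
    """Average number of guesses needed when candidates are tried in any
    fixed order and the true answer is uniformly distributed."""
    return (num_possibilities + 1) / 2


def compare_spaces(password_space: int, question_space: int) -> dict:
    """Summarise how much easier the 'recovery' path is than the login path."""
    return {
        "password_bits": entropy_bits(password_space),
        "question_bits": entropy_bits(question_space),
        "password_guesses": expected_guesses(password_space),
        "question_guesses": expected_guesses(question_space),
        "ratio": password_space / question_space,
    }


def random_answer(length: int = 24) -> str:
    """Assumed helper: make a security-question 'answer' that is really a
    second password, drawn from a CSPRNG (what a password manager does)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # The post's two guessing spaces: a case-insensitive alphanumeric password
    # of 8-12 characters, versus roughly two dozen local high-school mascots.
    password_space = keyspace_size(36, 8, 12)
    mascot_space = 24
    summary = compare_spaces(password_space, mascot_space)
    print(f"password space: {password_space:,} ({summary['password_bits']:.1f} bits)")
    print(f"mascot space:   {mascot_space} ({summary['question_bits']:.1f} bits)")
    print(f"average guesses, password: {summary['password_guesses']:,.0f}")
    print(f"average guesses, mascot:   {summary['question_guesses']}")
    print(f"recovery path is {summary['ratio']:.2e} times easier to guess")
    print("a better 'mascot':", random_answer())
```

The point the numbers make is the post’s own: the recovery question is the weakest link, so an answer that is itself a random string stored alongside the password removes that shortcut without changing anything else about the account.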

Thinking about this reminded me of a related experience from a recent ordeal in opening a bank account.  Near the very end of the application, the bank pulled data from my credit report to “verify my online identity.”  Presumably, they were going to ask me questions that only I or someone with very intimate knowledge of my financial situation and history could know the answers to.  Well, two slight problems with that idea.

  • Problem the First: They had one of the answers wrong.  Believe me.  I took the test 7 times over several weeks, and surprisingly, I happen to know exactly what type (mobile, land line, pager, etc) of phone number the number I gave them was.  Their answer (whatever it was…) was wrong.  How do I know that I didn’t get one of the other questions wrong?  Well…
  • Problem the Second: They asked a question anyone could answer correctly:  “In what state was your social security number issued?”  This doesn’t seem so bad on first blush: after all, you’d need to know where I was born to know that.  Except for the slight problem that births are public record, so anyone who knew enough about me to forge a bank application but happened to lack my place of birth could readily guess and find out, and second: social security numbers are issued with the first three digits identifying the place they were issued in.  Oh, and the application just asked for that social security number, too… funny, that.

I’ll not claim to be the security wizard that Mr. Schneier is, but I do think it is a great idea to try to think things through, and hope I can encourage that for you as well.

For those security questions? I like answers like: “My high school mascot was a enT&)slelj3734lcnsf8a-1-&&+{”

You either trust yourself to remember your password, or you don’t.

Kernel Debugging Tip

I learned this the hard way yesterday. (Namely by running around the building borrowing parts from co-workers and trying various combinations until finally hitting on the solution…):

When kernel debugging (KD or WinDbg) over FireWire (IEEE 1394), it is essential to have a high-quality cable.  The cable should not be any longer than necessary, and should use heavier gauge wire than the cheap cables that come free with a FireWire card or camera.

Also, the speed of FireWire debugging >> the speed of serial debugging, so in spite of the strict requirements, it’s very much worth the effort!

Yellowstone Trip: Day 8: The Grand Tetons

So it’s been over a month now: I seriously need to finish up my narrative of Jared and my trip out west…

Day 8 was our last in Wyoming, but we made the most of it.  After waking up to our final “Super Start” breakfast at Jared’s dreaded West Yellowstone Super-8-without-a-pool, we piled all our possessions back in the Corolla and drove into Yellowstone for the last time.  Turning south at Madison Junction and again after Old Faithful, we stopped in for one last cascade, and then found ourselves crossing the Continental Divide at a quiet, peaceful little lake called Lake Isa.  In wetter seasons, this lake drains in both directions, and ultimately feeds into both the Pacific Ocean and the Gulf of Mexico!
[Photo: Firehole River Cascades] [Photo: A Duck Swimming the Continental Divide]

This way to the Gulf of Mexico:
[Photo: Isa Lake Drains That Way to the Missouri, Mississippi, and Gulf of Mexico]

And this (currently dry) way to the Pacific Ocean:
[Photo: Isa Lake Drains This Way (In Wetter Seasons) to the Snake River, Columbia River, and Pacific Ocean]

Shortly past the Continental Divide, we found ourselves headed out of the park and into a National Forest of some variety between Yellowstone and the Grand Tetons.  The park itself didn’t hold our attention too long, other than a brief stop at some fancy lodge to try (unsuccessfully) to find an official map, but the view of what was coming next certainly grabbed our eyes:
[Photo: Grand Tetons Ahead]

Arriving at the park with no map, we made a few pitstops through ranger stations and such before we finally got our bearings, and then just made our way lazily down through the park, stopping wherever the view was awesome enough 🙂  One great spot was on the shores of Jenny Lake, where we actually met a couple from UW-Madison who took a picture for us.  This was the same spot that I had seen a picture from my friend Ben Broerman earlier, which convinced me to make the trip to the Grand Tetons in the first place.  Pretty awesome view, plus they have a glacier!
[Photo: Jenny Lake and the Grand Tetons] [Photo: Jared and Colin at the Grand Tetons] [Photo: Teton Glacier]

We had lunch at an outdoor BBQ type place, with a grill and lots of picnic tables.  It was a nice change to just be sitting outside eating off a paper plate instead of in a restaurant.  Fit the location very well, though it would have sucked if it were raining…

After leaving the Grand Tetons through the southern entrance, Jared navigated me a scenic route (Wyoming Hwy 20) through the Wyoming countryside into Idaho, and over to I-15, which led us away to Montana in the north.  Once again, taking the scenic route over the main highway really paid off in terms of awesome scenery, and frankly, the bug count was only going up in either case anyway:
[Photo: Wyoming Highway 20] [Photo: We Have Bugs.] [Photo: Idaho]

Idaho was mostly sage… sage and sky and then there was a really cool rainstorm, which we could see coming for miles and miles.  And possibly the highlight of the trip for Jared: We stopped at a rest stop in Montana to get a hotel reservation and, well, use the restroom of course.  Except that Jared saw a portable toilet sitting out behind the main restroom, so he decided he had to use that instead.  Turns out it was the cleanest, best-smelling portable outhouse he’s ever used… ask him about it sometime.
[Photo: Nothing But Sage and Sky] [Photo: Now Approaching Storm] [Photo: The Best-Smelling Porta-Potty Jared Has Ever Stopped At]

And after the excitement of the outhouse, it was straight on to Missoula, MT, where we walked a mile or two to supper and back, and then hung out around the outdoor swimming pool with our beers.  Not sure whether that was kosher, but the college guy running the hotel for the night didn’t seem to have a problem with it, so there you go.  We even got to lock up on our way out.  Good show, Missoula.