“It is a riddle, wrapped in a mystery, inside an enigma…”

“Turducken?”

— Chef Churchill

Dicing with passwords


Last year I posted a reference to Arnold Reinhold’s Diceware page, and included a copy of my favorite passphrase generator, which attempts to generate pronounceable nonsense words.

I’ve always been a big fan of pronounceable nonsense, even in the days when passwords were limited to eight characters, but I think it’s particularly useful for long passphrases. My problem was that it can actually be pretty difficult to get a good nonsense phrase out of the original table. So I made my own.

Now, the instinctive reaction to someone creating their own security tool instead of using one created by an expert is (or ought to be) an anguished cry of “Noooooo, you fooooool!”. This is a special case, though, because the beauty of the Diceware scheme is that the contents of the table don’t actually matter, as long as each cell is unique. You could fill the first column with colors and the rest of the cells with the names of different superheroes, and the resulting passphrases would contain just as much entropy.

So here’s my new favorite method of generating passphrases. Roll three six-sided dice (one to choose a consonant, two more to choose the rest of the syllable), repeat at least ten times, and assemble into a phrase.

                       Die 3 (rest of the syllable)
  Die 1   Die 2      1     2     3     4     5     6
    B       1        a     ad    ag    al    an    az
    K       2        e     ed    eg    el    en    ez
    M       3        i     id    ig    il    in    iz
    P       4        o     od    og    ol    on    oz
    S       5        u     ud    ug    ul    un    uz
    T       6        ay    oy    ath   eth   ith   oth

Update: Sorry if I didn’t make it clear. Split the results up with spaces to create two- or three-syllable “words”.

Also, a word on the relative strength of passphrases. Each syllable contains ~7.75 bits of entropy (log2(6*6*6)), so ten syllables produces a 77.5-bit passphrase, which is likely good enough for data that isn’t kept under lock and key 24x7 (e.g. login password on a laptop). See Reinhold’s FAQ on passphrase length for details. Note that the dictionary-based Diceware system requires longer passphrases to get the same strength (5d6 per word versus 6d6 for nonsense syllables).
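The same dice scheme in Python, as an added example that is not the author’s code: die 1 picks the consonant, dice 2 and 3 pick the rest of the syllable, results are grouped into “words”, and the uniqueness property that the entropy argument depends on is checked. The `secrets` module stands in for physical dice; the function names are my own.

```python
import math
import secrets

# Table from the post: die 1 -> consonant, die 2 -> row, die 3 -> column.
CONSONANTS = "BKMPST"
ENDINGS = [
    ["a",  "ad", "ag",  "al",  "an",  "az"],
    ["e",  "ed", "eg",  "el",  "en",  "ez"],
    ["i",  "id", "ig",  "il",  "in",  "iz"],
    ["o",  "od", "og",  "ol",  "on",  "oz"],
    ["u",  "ud", "ug",  "ul",  "un",  "uz"],
    ["ay", "oy", "ath", "eth", "ith", "oth"],
]


def syllable(d1: int, d2: int, d3: int) -> str:
    """Map one roll of three dice (each 1..6) to a syllable, e.g. (1, 1, 1) -> 'ba'."""
    for d in (d1, d2, d3):
        if not 1 <= d <= 6:
            raise ValueError(f"die value out of range: {d}")
    return CONSONANTS[d1 - 1].lower() + ENDINGS[d2 - 1][d3 - 1]


def roll_die() -> int:
    # secrets (a CSPRNG), never random.randint, replaces the physical dice.
    return secrets.randbelow(6) + 1


def passphrase(syllables: int = 10, per_word: int = 3) -> str:
    """Roll 3d6 `syllables` times and split the result into words with spaces."""
    if syllables < 1 or per_word < 1:
        raise ValueError("need at least one syllable and one syllable per word")
    sylls = [syllable(roll_die(), roll_die(), roll_die()) for _ in range(syllables)]
    words = ["".join(sylls[i:i + per_word]) for i in range(0, syllables, per_word)]
    return " ".join(words)


def entropy_bits(syllables: int) -> float:
    """log2(6*6*6) bits per syllable; ten syllables give about 77.5 bits."""
    return syllables * math.log2(6 ** 3)


def all_syllables_unique() -> bool:
    """The strength claim needs every (d1, d2, d3) to yield a distinct syllable; verify it."""
    seen = {syllable(a, b, c) for a in range(1, 7) for b in range(1, 7) for c in range(1, 7)}
    return len(seen) == 6 ** 3


if __name__ == "__main__":
    print(passphrase(), f"({entropy_bits(10):.1f} bits)")
```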

Any questions?


How UN inspectors helped Iraqis:

Adnan Abdul Karim Enad’s relatives were shocked to see him clambering into a UN inspector’s jeep on January 25 clutching a notebook and screaming “Save me! Save me!” in Arabic. A UN inspector sat motionless in the front seat as Iraqi guards pulled the 29-year-old man out of the car and carried him away by his arms and legs.

How US troops helped Iraqis:

Amnesty International has learned that 'Adnan 'Abdul Karim Enad is safe and free. He and other detainees were said to have escaped from a prison in al-Ramadi, about 80 miles from Baghdad, after it was abandoned by prison guards in mid-April.

.Mac foolishness


So I decided to increase the iDisk storage on my .Mac account, mostly because I’m using the password-protected Public folder to share a largish database with some friends, and mounting DAV volumes is easy, convenient, and doesn’t involve bandwidth that I pay for. The fact that it autosyncs to every Mac I use is just a bonus, of course.

The problem? The confirmation screen for buying upgrades to your .Mac account includes your plaintext password. Sure, it’s a secure web form, but this is a receipt, and I print out receipts for online purchases. I suspect other people do as well.

This transaction did not involve changing a password, adding a sub-account with a new password, or anything similar, so why is my password being printed out? More significantly, why is .Mac storing plaintext passwords in the first place? This is an old security mistake, and anyone designing a service on top of Unix should know better.

Update: a few days later, they decided to bump disk storage for everyone and cut the price of bumping it further. Unfortunately, they also bounced a lot of email for a day with bogus “over quota” errors.

Update: well, that’s at least useful. The standard .Mac account now has a total of 250MB of storage, which can be divided up between email and iDisk however you like. My upgrade to 200MB of iDisk storage is now to a total of 1GB, divided evenly by default. I quickly cranked the email storage down to 50MB and put the rest into the iDisk. You still can’t safely sync it when you’re on a wireless network (your .Mac password is sent in the clear for non-SSL WebDAV), but it’s still a handy tool.

Oh, now this one’s just shameless


I hadn’t seen any good spam for a while, even when I indulged my curiosity and looked inside Mail.app’s Junk folder before wiping it clean. This one, however, stood out in the crowd.

Silly me, I didn’t even know the FDIC had an office in Beijing, much less that it was where they hosted their “ATM/Debit/Check Card Protection Program”.

It was, of course, sent to the email address that’s in my WHOIS records, which is not on file with any banking institution I do business with. Not that I’d have fallen for it anyway…


Oh, the humanity…


Today’s musical question is “How Berkeley Can You Be?”

In between the Commies, the America Last Coalition, the all-purpose wackos, and the people who think “bush” puns are actually funny, the true answer is revealed: Klingon cat-girls (no, I’m not going to host a copy of this picture here…). Says it all for me.

This company understands me…


The Evil That Is Sqyntz

Sqyntz are evil. Sqyntz are tasty. Sqyntz are addictive. And, fortunately, they’re low-calorie. Unfortunately, they’re also hard to find in stores. In the Bay Area, I’ve only seen them at Nob Hill and REI. And the way we go through them during gaming sessions, I buy an awful lot of overpriced little tins of the stuff.

So when I decided to write up a brief article in praise of the best darn sour candy on the market, I went to their web site to snag a picture of the tin. And I found an online store selling them by the six-pack, and they even had a flavor that I’ve never seen in stores. Cha-ching!

Update: they shipped promptly, but while I enjoy being able to stock up on Tropical Fruit Sqyntz at a discount, I am saddened to report that Orchard Blend Sqyntz aren’t nearly as good. They’re decent candy, but they’re just not irresistible.

Recent anime


Quick takes on stuff I’ve watched in the past week.

Kaleido Star, disc 4 — Damn, this show is so good that I’m afraid to say anything that might spoil it. Just don’t read the back-cover blurbs or liner notes, don’t watch the next-episode previews or the special features, and stay away from the episode list on ADV’s web site, because they love to spoil things for you. Worse, many of their spoilers are misleading or just plain wrong. I’ll be buying the rest of the series (eight more discs!). [update: ADV puts spoilers into their press releases, too! I was just looking at a list of release dates, and wham!]

R.O.D The TV, disc 2 — Things are building up nicely, and the paper is flying. Good work on developing the relationships between the characters. I’ll definitely buy the next disc.

Chrono Crusade, disc 1 — Good stuff. A sexy, heavily-armed teenage nun who fights demons in New York City during the Roaring Twenties, leaving a trail of destruction in her wake like a one-woman Dirty Pair. The most glaring flaw is some poorly-integrated 3D CGI, but they either got better at it quickly or I got used to it by the time I reached episode 4. I’ll definitely buy the next disc.

Galaxy Angel, disc 4 — Fluff. Fluffy McFluff, with a side order of Fluff. This show goes nowhere, and is proud to admit it. If you’re in the mood for old-school anime wackiness with modern production values and no pretense at continuity between episodes, Galaxy Angel is the show for you. There’s really not much difference between the four volumes, and no matter how much you learn about the characters, they don’t actually grow and change, so you can pretty much watch them in any order. I’ll buy the first disc of season two when it comes out, because I like fluff. And Mint is evil, in a good way.

Kiddy Grade, disc 6 — Eh. Not impressed.

Ikkitousen, disc 1 — I can’t describe just how much this show sucks. I’ve read the available manga volumes, as well as reviews of the fansubs, so I wasn’t expecting it to be good, but I thought it might at least be amusing, in a “she kicks high” combat-fan-service way. It’s not. It does manage to be about 70% less raunchy and 50% less poorly-plotted than the manga, but also at least 20% more sucky.

What really stood out for me is that it’s just sloppy, both in execution and translation. I expect Geneon to do a good job on their releases, but this back-cover blurb is actually representative of their care and attention to detail on this product:

Once again blood flows in the streets of Kanto. The eternal fate that has been handed down for over 1800 years is now being fought by ancient warriors who have been reincarnated into the students of the seven top schools. One such student, Hakufu Sonsaku, arrives on the scene and is rumored to be the legendary Shou Haou (The one who is said to be the one to defeat many in battle). But can this blonde airhead with the overly-endowed assets actually be the legendary Shou-Haou?

I originally figured it was just a case of putting the junior translator on box work (like the charming example in Hyper Police where the box-cover claimed a character “begins acting like a little child”, but in the actual episode he becomes a child), but no, the subtitles are just like it. And I have to say that the show doesn’t really deserve better. Anyone who thought that Agent Aika’s panty-flashing was obtrusive or that Mahoromatic was in some way misogynistic should stay far, far away from this turkey.

Actually, everyone should just stay away. This show makes Amazing Nurse Nanako look wholesome and well-written. I won’t be buying disc 2.

Next up: 7 of 7 disc 1 (fluff), 50 Years of Playmates (the Playboy box set), and something called Star Wars. I think it’s a comedy. Or maybe a tragedy, the way Lucas keeps pissing in his whiskey.

Next potential purchase: Gokusen disc 1.

“Obedience to the law is freedom”


In their continuing efforts to ban all forms of discrimination except anti-Americanism, the EU Commission has ruled that it’s illegal to reject potential roommates and tenants based on their gender, even if you’re, say, a battered women’s shelter.

It’s claimed the new ruling would also prevent insurance companies from offering lower rates to women, despite their longer lives and lower car-accident rates. ’Cause that’s sex-based discrimination, y’see, and any sort of discrimination is always wrong.

Coming soon, new laws prohibiting discrimination against ugly people who want to be cover models, fat people who want to be runway models, infants who want to drive backhoes, and grade-school dropouts who want to be doctors. Or at least EU commissioners.

It’s time for a movement to decriminalize “discrimination”. It is not inherently a dirty word, despite decades of negative associations. I discriminate dozens of times every day, and I’m damn proud of it. I discriminate against the restaurants that have given me food poisoning, against bad drivers when they suddenly realize they need to merge into my lane, against any store whose prices are too high or whose employees are rude, and, in my most shocking admission, I cheerfully discriminate against unattractive women when girl-watching or chatting up potential models.

I discriminate quite viciously when buying groceries. Not just by getting my steaks at Costco (the only place that cuts them nice and thick), my cocktail sausages at Dorothy McNett’s Place, or my bagels at the Safeway on Shoreline (where they don’t overbake them, and still have a decent selection at 11pm), but by spending most of my money at Nob Hill. Because they don’t use those stupid customer-tracking “savings” cards.

Okay, they also have the best-looking female employees, at least in my neighborhood. But I even discriminate against most of them when they offer to push my cart full of groceries out to my car. Only Danielle gets to do that…