security – Terminally Incoherent (http://www.terminally-incoherent.com/blog)

Two Factor Authentication
http://www.terminally-incoherent.com/blog/2014/04/21/two-factor-authentication/
Mon, 21 Apr 2014 14:01:50 +0000

Let’s talk about Heartbleed for a second, shall we? Perhaps not about the bug itself, but rather about its real-world ramifications. What does a small implementation mistake mean for an average citizen of the web? Well, probably the most important implication here is that all three of your favorite passwords are now compromised forever. They are all likely on a number of big lists, tied to your email address, real name and god only knows what else. These lists were and still probably are harvested from vulnerable servers, tucked away in some dark corner of the web and passed by reference via torrent files. Of course it is entirely possible that your emails and passwords were never harvested and saved for posterity, but are you willing to take that chance?

Heartbleed

If you don’t know what Heartbleed is, stop reading this right now and go change ALL your passwords. I’ll wait.

If I was a nefarious individual (or an employee of a clandestine American intelligence agency operating without any public oversight whatsoever) and I was in possession of a large number of username and password pairs harvested during the bountiful Heartbleed season, I’d continuously run them against various free email services and social networks. After all, why not? There are still many people out there who do not think Heartbleed was a big deal, or that they are somehow immune to it by virtue of not being very tech savvy. There also exist people who have changed their passwords, but will revert back to their old standbys once they judge enough time has passed. And all of these people will likely be owned. The sad truth is that any password you have used while Heartbleed was in effect is now forfeit forever. You can never, ever use it again. At least not unless you wish to keep that account under your control.

This is how it goes: if I know a password for one of your social networks, games or other bullshit accounts, chances are it is the same one you use for your primary email account. If I know the password for your primary email account, I literally own your life. I can reset any of your other passwords, I can look at your pay stubs, likely log in to your bank account, approve charges on your credit cards, cancel your utilities and etc. Just about everything you do online feeds back to your email, and uses email notifications to warn you about possible fraud, illicit access or misuse of your accounts. That email is protected by a single password and once I know it I can go in and proceed to lock you out of it. This is really bad.

In the real world, when we want to secure something and prevent other people from accessing it, we typically use a key. Assuming that your lock is of good quality and can’t be easily picked, the benefit of using a key as an authorization/access method is fairly obvious: it is a physical token that is easy to control. You usually only have one or two keys, and they can’t be easily replicated without physically taking them to a locksmith. So as long as you keep your key safe and don’t give it to anyone, your possessions are safe (or at least as safe as the integrity of the lock and safe will allow them to be).

Keys

These are physical tokens. They are non-trivial to replicate without physical access. When you lose one, you know almost instantly that it is gone.

We also use combination locks, but they are inherently less secure. Sometimes that’s exactly what you need. For example, if you want a friend to get your textbook from your locker in the hallway you can just tell them your combination. Unfortunately, everyone else within earshot will also know your combination at that point. This is partially mitigated by the fact that most combination locks let you change their code. Unfortunately, if you don’t know that someone might have overheard your combination, or even seen you enter it, you won’t be compelled to change it. This type of lock gives us the convenience of not having to carry around a key, and of easily granting others access, in exchange for a lessening of overall security. Instead of relying on a physical token that unlocks the door, you instead use a secret pass-code which can be overheard, guessed or even extracted from you via subterfuge. This is why combination locks are common on high school lockers or bicycle chains, but your car or your house will typically use a key-based lock.

Combination Lock

This is a password/secret based security device. The combination can be stolen without you ever knowing. If someone knows the combination they can share it indiscriminately at virtually zero cost.

At the dawn of the internet age, we did not really have an affordable and logistically sound way to model physical keys, so we settled for password based authentication. It is functional, but not a perfect solution, as evidenced by the fact that people get their accounts “hacked” all the time. The fact that passwords get compromised so often is a feature of their design. They rely on users doing something we humans were never really good at to begin with: retaining random codes in memory.

With the way our minds evolved, our memory is very referential. We rely on context cues for retrieval and management of our memories. We are good at remembering people, events and emotions and facts that tie into them. Unfortunately that does not help us with passwords, which to be secure must be completely random and devoid of context or emotional content. If your password is based around something or someone who is dear to you, then it will be both easy to remember and easy to guess. If you use words, you leave yourself vulnerable to a brute force dictionary attack. So not only do you need a password that is devoid of context and emotional investment, but one that is also unpronounceable and complete gibberish.

If you only needed to remember a single completely random string, this wouldn’t be that bad but we all have dozens of online accounts. Ideally, you should use a unique password for each of them. If you re-use the same password on all the services, then a tiny coding mistake on one of them can potentially leave all of your online accounts wide open. So in an ideal world you would have to remember 20-30 unique random, unpronounceable complex passwords. And all of them should be more than 30 characters long if you want to stay ahead of the curve and make them difficult to crack via rainbow tables. This sort of mnemonic feat is something beyond the capability of any modern man.

This is simply not what we are wired for. And so, most of us have three or four favorite passwords that we re-use all over the internet. The savvier netizens have some sort of stratification in which they use the strongest, most complex password for their primary email / bank account, and then a number of lesser passwords for various other services. Most people however don’t do this, but instead rely on a kind of chronological password system. They have their current password which they use for all the important stuff, their previous password they use on things they could not have been bothered to change and old passwords they no longer really use, save for a few ancient accounts, and maybe as a throw-away password here and there. This is why Heartbleed is so scary. Because of it, all these three or four passwords are now more or less public knowledge and you’d be a fool to use them ever again.

Passwords are broken by design. They simply do not work for what we’re trying to use them. They have been a good compromise up until now, but it is time to move on. If we want even an illusion of security online, we need to start using physical keys again.

When I took an infosec course in college, I remember a discussion we had about two factor authentication. It was a very good solution to the password problem. It works by combining a secret (something you know) with a physical token (something you have) and requiring both these elements to be used together at the same time. Knowing someone’s password is useless without also obtaining physical access to their token. Stealing someone’s token is useless without knowing their password. While it does not protect you from a MITM attack, use of a changing/rotating token can limit its scope from permanently compromising the account to merely a temporary breach. It is really a perfect solution… Except it was logistically impossible.

Back then the only reliable way of implementing this scheme was to issue a user a little electronic, battery operated, key-chain token, with a tiny LCD that would display rotating numbers. It was something you did when you were a big technology company with a big security budget to blow: like Microsoft, IBM or Oracle maybe. The expense of creating, issuing, mailing, replacing and managing such devices was so mind-boggling that most banks and credit card companies refused to even consider it. It wouldn’t even be an option for all the fledgling new free web services that were revolutionizing the way we did business online. It was a beautiful pipe dream: it would be amazing to have two factor auth on everything, too bad it will never, ever happen. And even if it would, how the hell would that even work? Would you even be able to strap 40+ RSA tokens to your car keys? Would men have to think about investing in man-purses or fanny packs to carry all those plastic tokens, cards and dongles? It wasn’t something that was affordable by the web companies or desired by their users.

RSA Token

RSA Tokens have always been and still are an industry standard. They’re good, but they are expensive to maintain, and users constantly lose them, forget them and generally hate to carry them around.

Fast forward to 2014 and we live in a completely different technological landscape. Most of the internet connected human beings who participate in e-commerce already own and always carry around perfect physical, internet-enabled tokens. Hell, they not just carry them – they treasure them. To many, these devices are cherished status symbols. I’m of course talking about cell phones.

A unique property of a cell phone that distinguishes it from other electronic devices is that it can receive phone calls and text messages. Unlike email, the SMS system is tied to a physical device. In most cases it is impossible to read your text messages without physical access to your phone, and any interruption of service (due to interception) is likely to be noticed. So if I build a website that challenges you to enter a randomly generated security code after you enter the correct password, and then I text that code to your phone… Well, we just implemented 2 factor authentication for free.

Flip Phone

Technically, this is a perfectly valid physical token for SMS based 2-Factor authentication. It’s pretty safe to assume that everyone who uses the internet regularly also owns a phone just like this, or better.

Actually, scratch that. It’s not free, because sending text messages costs money. Also, implementing a system that can send text messages merely to the few existing cellular networks (all of whom have price-fixing and non-competition agreements with each other but for some reason can’t make their networks work together) in the US is already a major pain in the ass. But still, it is a viable option. And one that has no barrier to entry and can be readily used by just about anyone who can operate a cell phone. Not even a smart phone, mind you, but even a basic flip phone. But if you don’t have the money or resources to implement an SMS-based solution, and you expect your users to be savvier smart phone owners, you can do it in software at little to no cost.

All you need is a phone app that implements the HMAC-based OTP Algorithm. Most modern phones (even the Blackberries) have enough processing power to run an app that can reliably generate a random security code every 30 seconds. The Google Authenticator app is only one example, and there are many others, and they are all cross-compatible. If the user doesn’t like or trust Google they can choose an equivalent solution from one of the dozen other vendors. Implementing the challenge response on the server side for the HMAC-based OTP is so trivial it can even be shipped as a one-click install WordPress plugin.

Google Authenticator

Google Authenticator on iOS. Contrary to popular belief this is not a Gmail Login app, but a full implementation of the HMAC-based OTP algorithm and it will work with any service (including LastPass).

In the age of both ubiquitous cell phone use and rampant identity theft, two factor authentication is now so trivial to implement it would almost be foolish not to. To wit, most prominent online services already use it: Facebook, Twitter, Google, Yahoo, Microsoft, Tumblr. You name it. Most of these offer the option of an SMS or software-based solution. All are disabled by default, but can be enabled at any time. And in the aftermath of Heartbleed it would be foolish not to use it.

A few months ago you could have made a compelling case why you might not need two factor authentication on your email, and I might have believed you. But then we’ve seen live proof that a simple coding slip-up can compromise half of the internet in the blink of an eye, and that point is no longer valid. You need two factor authentication on everything you can. That is the only way to give yourself at least a fleeting chance against the next bug of this magnitude. It is also the only way to prevent someone from extrapolating your next password based on your last seven previous ones, which, as we established, must be assumed to be public knowledge now.

You’d be astonished to see just how many online services already implement 2-Factor Auth. You’ll probably be doubly astonished that almost none of them are financial institutions or banks. So while you may not be able to make the place which holds your money more secure, you can make sure that at the very least your email (which is the gateway to your bank anyway) is. So I implore you to at least consider it.

Now, if you want to maximize your security, this is probably what you should do:

  • Sign up for a password manager such as LastPass or 1Password
  • Use the password manager to generate 30+ character long, completely random passwords for everything.
  • Secure the password manager with a 30+ character pass-phrase you can remember.
  • Enable 2-Factor Auth for your password manager (possible for LastPass at least)
  • Enable 2-Factor auth on all the services that support it, on the off chance that they get man-in-the-middled or in case your password manager is compromised.

This of course won’t make you 100% safe. Nothing ever really will. But it will ensure your identity is a little harder to steal. And that’s actually a good defense mechanism. Effort is anathema to a black hat. Hacking is a low effort, high profit kind of game, and it is much easier to move to the next guy who thinks he is invulnerable to Heartbleed than tackle someone who had enough foresight to click a button 3 times to enable 2 factor authentication.

Passwords are Inherently Insecure
http://www.terminally-incoherent.com/blog/2011/12/21/passwords-are-inherently-insecure/
Wed, 21 Dec 2011 15:27:47 +0000

Passwords are really bad from a security standpoint. They positively, absolutely suck. You know how I know that? Because I can actually remember a lot of people’s passwords that I never asked for. People just tell them to me while I help them with their computers. Or they write them on a sticky note and put it on the keyboard so I can log into their shit to fix it.

I don’t remember anyone’s birth dates, I can’t memorize my own phone number, but I can recall a bunch of stupid passwords (that I don’t care about) from the top of my head. Why do they get stuck in my memory? Because they are way too simple. The super-secret password of some random guy on the street is usually the name of their wife, girlfriend, mistress, son or pet hamster followed by the year of birth and/or purchase of said creature. Or their favorite sports team – you know, the one they always talk about.

The most common passwords out there are not love, sex, secret and god or whatever else The Plague (that poseur) came up with in that one movie. No, the most common passwords are jenny57, john81, riders66, hunter2 and of course password123. Short, sweet, easy to guess, easy to remember, vulnerable to a dictionary attack, helpless against rainbow tables.

That’s just how it is.

Why? Because people don’t give a fuck. Identity theft is some shit that happens to “other people” and not you, so why would you even bother? No one outside our industry cares about passwords or security of their online accounts. No one!

Sometimes I wonder if “normal” people think me a creep, seeing how I am super secretive about my passwords and accounts. I have passwords on everything, I always lock my machine when I leave my desk. My behavior is probably setting off red flags everywhere. Being security conscious is just not a “normal” thing.

A “normal” thing is this:

“My password is hunter2 – I use that for everything including my bank, har, har, har. Don’t tell anyone!”

I always balk when they do that. Why would you tell that shit to anyone? Why would you jeopardize every online account you own? Why would you risk some dude getting their hands on all your hard earned money. You can tell that stuff to your wife, but not to some guy you work with, or are distantly related to. I know I’m a handsome, trustworthy and honest looking guy. Ladies tell me this all the time (usually right before they announce they prefer to be “just friends” cause I’m cool like that). But that is no reason to trust me with that vital information.

I also like this gem:

“But what could anyone do with my Gmail password? Read my spam? Hardy, hur, har, ha! Am I right?”

Yep, totally right. They wouldn’t be able to do nothing. They surely wouldn’t abuse the “I’m dumb and I forgot my password again” feature of every website in existence to issue password reset requests, that would collect in your inbox and give them access to everything you have ever signed up for. Nope, that would never happen.

And it’s not like you use that very same username and password to log into your bank, is it? It’s not like your bank sends you emails with your bank account number and other useful info to that Gmail address, so that the bad guy would instantly know where to go to steal your money. No, that would be silly.

After all, you are not rich, important or interesting enough to warrant such attention. Identity theft only happens to those other people, but not you.

Ignorance, denial and stupidity do not change the fact that passwords are, and have always been, a really stupid idea. No one in their right mind will actually come up with a long secure password that would not be vulnerable to a rainbow table attack, because they are not going to remember it. It’s just not possible or practical. If you force them to create such a password, they will write it on a sticky note and glue it to their monitor so they don’t have to look for it 17 times a day. If they don’t care about the security of their own personal email account that everything else they have ties into, they surely won’t care about the account on your service.

Of course there are things that are more secure than pass-WORDS. Pass-PHRASES for example are infinitely better, easier to remember, more robust and less vulnerable to all known attacks. But that boat has sailed a long time ago when everyone on the internet collectively decided that pass phrases can go fuck themselves in a corner while wearing a bowler hat.

Original source: http://xkcd.com/936/

No one uses pass phrases. Let me rephrase that: there is no service out there, that I know of, that encourages its users to use a pass-PHRASE instead of a pass-WORD. Those services that even bother to force their users to employ more secure passwords usually do it by telling people how many upper and lower case letters they should have, how many numbers, and etc. So what do people do?

They use JeNnY57, JoHn85, HunTer2 or if you are really strict passWord1@#. Still easy to guess, still vulnerable to a dictionary attack capable of capitalizing letters, and still included in every single rainbow table ever made. And of course users get pissed, because they can’t remember the exact capitalization they used so they end up gluing this one to their monitor as well. Wouldn’t it be more secure if they could use something like this instead:

My friend HamsterFace doesn’t wear his parachute pants on Tuesdays.

How much better is that than HunTer2? It’s way much better, that’s how. Let me count the ways:

  • It’s goddamn long
  • It has capitalization
  • It has non-alphanumerics
  • It doesn’t have any numbers, but look how fucking long and complex that is anyway
  • It ought to be easy to remember unless HamsterFace will start wearing his stupid pants on Tuesdays

Now, tell me who will let you use an awesome pass phrase like that in their service?

No fucking one. That’s who. Be honest, that pass phrase wouldn’t work in your own service, would it? Cause you probably used VARCHAR(32) for the password field, didn’t you? Cause, you know – we might run out of fucking bytes or something when we get seven billion users and become the new Facebook or something, right? No? You used VARCHAR(64) then? Tough, it still won’t fit, cause that baby is 67 characters long.

Wait, stop. Rewind. Why are you not hashing and salting that entire thing? Why does it even matter how long the password is? It still will hash to a fixed byte value no? So why would you even care what the user types in?
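To make that point concrete, here is an added Python example (not code from the original post) of what a sane back end does with the 67-character passphrase from above: it runs it through a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library) and stores a fixed-width record, so the width of the database column is decided by the hash format and never by what the user typed. The record layout, the iteration count and the salt and digest sizes are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; raise the iteration count as hardware gets faster.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST_BYTES = 32

# The passphrase from the post (67 characters) next to the classic weak password.
PASSPHRASE = "My friend HamsterFace doesn't wear his parachute pants on Tuesdays."
WEAK = "hunter2"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.
    A fresh random salt per password means two users with the same password
    get different records, and precomputed (rainbow) tables are useless."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=DIGEST_BYTES)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time.
    Malformed or foreign records are rejected rather than raising."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != ALGO:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 rounds, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def record_width(iterations: int = ITERATIONS) -> int:
    """Column width every record produced with these parameters will have,
    regardless of how long the password was."""
    return len(ALGO) + 1 + len(str(iterations)) + 1 + SALT_BYTES * 2 + 1 + DIGEST_BYTES * 2


if __name__ == "__main__":
    for pw in (PASSPHRASE, WEAK):
        rec = hash_password(pw)
        print(f"{len(pw):3d} chars typed -> {len(rec)} chars stored: {rec[:40]}...")
    print("column width needed:", record_width())
```

Two things worth noticing: the 67-character phrase and “hunter2” produce records of exactly the same width, and the record carries its own algorithm name and iteration count, so you can raise the cost or switch algorithms later and re-hash users on their next login. One caveat if you pick a different function: bcrypt only looks at the first 72 bytes of the password, so a long passphrase is silently truncated there; PBKDF2, scrypt and Argon2 use the whole thing.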

Did you, per chance, decide to make the password a fixed-size character array to save memory instead of using a string like a reasonable and non-stupid person would? You know, in case your theoretical seven billion users all try to log in at the same time? Or is there some other contrived reason why you wouldn’t handle longer passwords? Was your hash function taking too long perhaps, so you decided to optimize it instead of not giving a fuck? I mean, users only log in every once in a while – if it takes a few seconds longer than the usual page reload, that’s perfectly fine. No one cares, as long as everything else is fast. But you optimized it anyway, didn’t you?

You know what? I won’t deny it – I did it too. Not recently, not all of this, but I have created really, really, really stupid log-in schemes in the past. I’m just as guilty as the rest of the internet. We are all stupid like that. Premature optimization is like premature ejaculation – you don’t think it will happen to you, but then it feels good in the moment, and it just does. Afterwards you get terribly embarrassed, and you don’t want to talk about it when someone calls you out on it.

It happens to everyone – especially when you are young and inexperienced. I’m of course talking about premature optimization, not that other thing – that never happened to me… And never will cause I’m awesome at “the sex”. Like level 85 in it so fuck you. The point is we shouldn’t optimize too early.

Ideally password fields ought to be unbound, and allow as much crap as the user is willing to type in. If they want to paste the entire text of The Great Gatsby in there, let them. Why not? Giving the password field a reasonable character minimum is responsible and praiseworthy. Putting an upper character limit on it is… Beyond stupid. Let me use an analogy to explain to you just how stupid it is. Otherwise you might not get it, and I will have to explain again and we don’t want that.

If you are an American, and you went to high school sometime this century you probably had a locker with a cheap combination padlock. You also probably had that friend who would “prime” his padlock with the correct combination, so that he wouldn’t have to enter it upon returning. He would go to class, smoke a cigarette in the bathroom, then prance over to his locker, pull on the lock and it would just open. He could have not bothered with the whole padlock thing at all, and just leave the damn thing unlocked – but you know, stupid is as stupid does.

And then that one time some asshole stole all the shit from his locker, and he was outraged and baffled how this could have happened. A genuine genius, that friend of yours. I bet you can’t wait to see him at the reunion.

If you are not an American, go watch any High School related movie and/or TV show that was made in the US and you will see what I mean. Those lockers in the hallways – you put your books and your jacket and your illegal drugs in there when you go to class and write BASIC programs on your Texas Instruments calculator while the teacher drones about some shit you actually know more about than him. That’s what everyone does in High School, right?

The friend is the guy who always walks up to the main character while he is putting shit into the locker, and talks about really stupid stuff. The one with the dumb face. You can’t miss him – he is in every movie.

Are we all on the same page now?

Yes?

Good. Let’s continue.

When you put an upper character limit on your password field, you are actively encouraging your users to be that friend. And if you have other arbitrary restrictions then you are even worse than that.

Guess who has the stupidest arbitrary character restriction on their passwords? Just make a wild guess.

Give up?

Banks.

Yep, the people who you trust with your money have the dumbest rules about what characters (and how many) you can use in a password that will protect your life savings from evil dudes from the internet. There was this great article out there aptly titled FUCK PASSWORDS where I found this here gem:

Fuck banks indeed!

Go read the entire thing – it’s funny, insightful and also humorous. As you can see, the author makes a clear case here: banks are pretty much the worst offenders when it comes to mind bogglingly stupid, arbitrary password restrictions. They should be the guys that insist that you use the strongest and most annoying passwords, but instead they force you to use short, and dumb ones.

Why? I don’t know. Perhaps their programmers suffer from that premature ejaculation optimization problem we talked about. Perhaps their back end is a legacy FORTRAN or COBOL system, and passwords longer than 10 characters just don’t fit on the punch cards. Perhaps their entire online thing was written by the 13 year old nephew of the CEO. Who the hell knows. There should not be any reason for these restrictions, and yet, here we are.

Compare this to Twitter which just cares that your password is longer than six characters. Any characters – mind you. Not just the nice ones. Not just plain ASCII with no spaces or symbols. Any fucking thing you want.

Compare it to Google or Blizzard who will let you use two factor authentication. You know what that means? That means that even if a bad guy guesses that your password is “hunter2” (you know, cause you told him at least twice) he still won’t be able to get in. He would also have to steal your phone / key fob, and guess your password at the same time. Which is way harder than breaking into your Chase account. They could break into your bank while sitting on their couch, eating Cheetos and calling people “fags” on Xbox live. To hack into your Gmail or WoW account they would actually have to:

  1. Get the fuck up
  2. Turn off Xbox
  3. Put pants on
  4. Wipe Cheetos stained paws on said pants
  5. Leave mom’s basement
  6. Locate your ass in this here physical realm
  7. Steal a physical thing from your fucking pocket without you knowing
  8. Then guess the password

Most of these guys don’t actually go through with any plan that requires them to do anything beyond step 5. I mean, if you actually have to go and interact with the dude you are trying to rob face to face, this thing becomes serious business. You might as well stay home and break into his bank instead.

I know this whole password bullshit seems like something that was made up by Terry Pratchett or Douglas Adams for the sole purpose of being satirical and silly. Sadly it is not. It is real life. In fact, these two guys are not nearly as funny as you think they are – they are just good observers of how really, really stupid we behave as a species.

I swear, sometimes I feel like the few of us here on the internet are the only fucking sane and coherent people left in this world. Everyone else is either too stupid to be a productive member of society, or just completely off their rocker. Then I remember it’s just observer’s bias, and that we are just as bad as the rest of them. We just excel at being stupid in slightly different ways than they do.

And yet the world keeps on turning.

How not to get infested: a short security guide
http://www.terminally-incoherent.com/blog/2011/03/07/how-not-to-get-infested-a-short-security-guide/
Mon, 07 Mar 2011 15:07:50 +0000

The internet is like a cheap, dirty, run down, disease ridden whore house in a bad part of town. You probably shouldn’t be going there in the first place, but if you go in unprotected you can bank on having a weird rash and a burning sensation when you pee the next day. So unless you fancy a lifelong romance with syphilis or perhaps an on and off turbulent romp with herpes, it is important to wrap it up and exercise caution. This is why I decided to put together this short guide that should help you protect your virtual e-penile appendage that you use to browse the web.

1. Prophylactics

You know how something always pops up in the bottom left corner of your computer telling you to update your Adobe this, or Java that, and you always click on the “go fuck off up a tree” button to make it go fuck off up a tree?

STOP FUCKING DOING THAT!

You see, most software being written these days is shit. Windows for example was always a Swiss cheese of exploitable security holes, each one the size of your mom (ie. huuuuge). Fortunately, in recent years Microsoft somehow managed to get a little of their shit together and instead of being unbelievably incompetent they just became believably incompetent instead, and as a result their products became marginally better security wise. You still can’t throw a rock at their operating system without hitting some security hole, but luckily most script kiddies out there are too dumb and lazy to bother finding one. So they move to the next best target.

Unfortunately, most software being written these days is shit, so they don’t even have to look that far. Pretty much everyone is running Adobe products, and Adobe still didn’t get the memo about not sucking at security. So script kiddies and malware writers (the lowest, least skilled breed of code monkeys in the world) exploit the living shit out of their products instead.

Instead of fucking with Microsoft security holes, they send you a malformed PDF document or Flash object which bugs out the corresponding Adobe plugin and runs arbitrary code on your machine. The good news is that we yell at Adobe all the time about shit like this, and they do fix most of it. The bad news is that since you never fucking update their products, you will get raped by random malware over, and over, and over again.

Update your Flash player, your Adobe Reader, your Java and any other internet facing plugin you might use regularly. In fact, whenever something asks you to upgrade to the latest version, do it. Better safe than sorry!

2. Protection

I know you are totally fucking busy all the time, and you don’t have time to deal with this computer stuff. I understand. Playing Angry Birds on your phone is hard work, and I wouldn’t want to keep you away from it. But do you really think that running a copy of McAfee or Norton that expired and stopped updating 3 years ago actually does anything?

Actually, scratch that. It definitely does something: it slows down your computer something fierce. But it is not really protecting you from anything. And when you try and run a virus scan with that long expired, compromised product in a feeble attempt to remove some nasty infection, it is not even funny. It’s pathetic.

Here is a sad truth: McAfee and Norton are no longer relevant security products. They are huge, and they have lots of money, but every half competent malware making simian can run circles around them. This is basically chapter 1 stuff in the malware writer’s playbook: “making a mockery out of McAfee and Norton in 10 easy steps”.

If you don’t want to pay for an anti-virus solution, Microsoft Security Essentials is surprisingly decent for something that is owned and maintained by Microsoft. Oh, and spend a fucking 20 bucks on a full version of Malwarebytes. It’s a good product, and definitely worth that one-time investment. Combined with Security Essentials it can give you fairly decent protection against threats designed to own McAfee and Symantec products on contact.

3. Worst Case Scenario

If all of the above fails (or if you chose to immediately ignore and forget all that I just said, like you always do), and you do get infected, please follow the instructions in my handy malware removal guide.

Better yet, sell your computer, buy a gorram iPad and fuck the hell off the PC platform, because I’m sick and tired of removing the same exact piece of malware from your machine every week. These nifty little hand-held devices are pretty hard to infect (though I’m sure you can figure out a way to do it – you seem to be a fucking expert at it) and require surprisingly little maintenance.

What is your stance on password sharing with significant others? (http://www.terminally-incoherent.com/blog/2011/01/31/what-is-your-stance-on-password-sharing-with-significant-others/, Mon, 31 Jan 2011 15:08:01 +0000)

I’m sort of continuing with my data privacy rant from Friday, but this time I want to bring it around and talk about another privacy aspect. This comes up every once in a while in conversations, and my opinion usually gets people irritated or angry for whatever reason. So let me ask you a question:

Do you share passwords for private systems/services with your significant others? By that I mean, does your spouse/companion/concubine/porcupine (or whatever) have access to your personal email / facebook account? A root level access to your personal laptop and all your files? Do you require that level of access from them?

Maybe this is how I was raised, but I would never, ever, ever even think of asking anyone for a password. I really think that no matter how close of a relationship you can have with another person, everyone needs to have a little bit of personal space and privacy. I would never open a snail-mail letter addressed to someone else, and by the same token I would never read someone’s email. In fact I get profoundly uncomfortable whenever someone tries to give me access to their email or to their computer.

In fact if I absolutely need to use someone’s computer I make a point of opening their browser in incognito/privacy mode. Why? Because I do not want to accidentally stumble upon their browsing history, I don’t want to see their bookmarks or interact with their open sessions. Most people never log out of their social networks or email, so sometimes when you are at their computer you can type in the URL of a given service trying to log in, and suddenly get full access to their account. I am aware of that and I try to be very careful to respect the other person’s privacy when using their machine. I would expect no less from anyone using my machine.

Unfortunately, a lot of people think this is weird. I don’t know why, but it is a very popular idea that personal privacy does not extend into the virtual spaces. They wouldn’t touch a dead-tree letter in a sealed envelope, they wouldn’t go digging in someone’s desk drawers, but email, facebook and browsing history are fair game. In fact, a lot of people will demand this level of access from their spouses or significant others.

The “if you don’t have anything to hide you won’t mind sharing passwords” argument is the chief weapon in the arsenal of the password sharers. I don’t think I have to convince anyone how stupid and contrived this notion is. It rides on a purely emotional undercurrent, and no amount of logical reasoning can actually undermine it. You can say that it is not about hiding but about personal privacy and trust, but this hardly ever works. You are at a disadvantage arguing for privacy because the more you defend your position, the more it looks like you actually have something to hide. So it turns from a privacy argument into an interrogation where you are the guilty party concealing some embarrassing secret. And the only way to prove your innocence is to capitulate and hand over the keys to the kingdom.

To me, this is about trust. The very act of asking for access to private correspondence and/or files indicates a severe lack of it. It seems invasive, clingy and almost obsessive. But I am continuously surprised how many people think nothing of it. They freely share their passwords because they feel they have nothing to hide, and expect the same in return. It baffles me. But maybe it is just my upbringing – I was taught to value the personal privacy of others. In my family everyone had their personal space, and going through someone’s desk drawers was almost unthinkable. You did not open other family members’ personal letters, you did not read their diaries, you did not go snooping in their personal belongings… I just extend this notion to the electronic realm. Because let’s face it – no one writes letters long hand anymore, no one keeps a dead tree diary and no one keeps hard copies of embarrassing shit. All that stuff has been digitized. So the personal courtesy and respect for privacy should surely cover your hard drive and your online accounts, don’t you think so?

What is your stance on this? Have you ever asked anyone for their passwords? Have you ever been asked? What did you do?

Apparent Security (http://www.terminally-incoherent.com/blog/2010/08/11/apparent-security/, Wed, 11 Aug 2010 14:44:16 +0000)

Physical security in a corporate environment is serious business. I spent most of my life working for small companies which didn’t really require top notch physical access constraints or security features. Last one to leave bolts the front door and turns off the light – that’s pretty much the extent of security I have witnessed at most small firms I had the pleasure to work with. But whenever I venture out into the big corporate world I am always impressed and intimidated by what they do to keep their company secrets and employees safe. Of course sometimes these impressive measures are just a facade.

Not so long ago I was visiting a certain large company and I really, really wanted to snap a picture of the number pads on their doors. Not because they were cool though. They were fairly standard actually. In fact, I was initially very impressed by how locked down the whole facility was. To get where I was going I had to pass through a security desk, a metal detector gate, and two key-code locked doors. Hell, even the restrooms in the building required you to punch in a code to get inside.

Then I got a closer look at the actual key pads next to each of the doors and noticed that some buttons were worn down more than others. In fact, it was the exact same 5 buttons on each door. I really wanted to take some pictures but I didn’t think it was appropriate, plus I thought that the security folks probably wouldn’t like some dude walking around taking pictures of their door locks. So here is a slightly exaggerated mock-up of what I have been seeing all over the building:

Do you see a pattern here?

The buttons 5-9, 0 and * were all shiny and new. All the other keys were faded out, scratched up and darkened from use. If the key-codes were rotated regularly, then the wear and tear ought to be evenly distributed across all the keys. A pattern like the one shown above could only be produced if the same code was used for a very long time without change.

Of course a wear pattern on a keypad does not necessarily give away a password. It simply helps us to narrow down our key space. The only thing we know for sure is that the code uses only 5 characters: 1-4 and #. We can also assume that it is likely to be 5 characters long, but that does not need to be the case. Any number of the worn out keys can repeat any number of times without significantly altering the wear pattern, potentially extending our password length. In either case, we do have a significant number of combinations that we would need to try to open this door.
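To put numbers on how much a wear pattern like this narrows the key space, and to give whoever owns the building a way to check whether code rotation is actually spreading the wear, here is an added Python example (my code, not anything from the original post). It assumes a 12-key pad (0-9, * and #) and the five worn keys described above; the code histories in it are constructed.

```python
"""Added example (not the post's code): what a keypad wear pattern gives away,
and an audit check that code rotation actually spreads the wear.

Assumptions: a 12-key pad (0-9, * and #); the worn keys are the five the post
describes (1, 2, 3, 4 and #); all code histories below are constructed.
"""
from collections import Counter
from math import factorial

ALL_KEYS = frozenset("0123456789*#")
WORN_KEYS = frozenset("1234#")   # 5-9, 0 and * were shiny and unused


def full_keyspace(alphabet, max_len):
    """Codes of length 1..max_len over the whole keypad, no wear information."""
    return sum(len(alphabet) ** n for n in range(1, max_len + 1))


def candidate_count(worn, max_len, each_key_once=False):
    """Codes consistent with the wear pattern.

    each_key_once=True: every worn key is pressed exactly once, so the code is
    len(worn) long and the candidates are the permutations of the worn keys.
    Otherwise worn keys may repeat (the post's looser assumption about length),
    giving every string of length 1..max_len over the worn keys only.
    """
    if each_key_once:
        return factorial(len(worn))
    return sum(len(worn) ** n for n in range(1, max_len + 1))


def reduction_factor(worn, alphabet, max_len):
    """How many times smaller the key space becomes once the wear is observed."""
    return full_keyspace(alphabet, max_len) / candidate_count(worn, max_len)


def wear_profile(codes):
    """Per-key press counts produced by a history of codes (what wears the pad)."""
    counts = Counter()
    for code in codes:
        counts.update(code)
    return counts


def untouched_keys(codes, alphabet=ALL_KEYS):
    """Keys a code history never presses: they stay shiny and mark the rest as used."""
    return set(alphabet) - set(wear_profile(codes))


def wear_is_even(codes, alphabet=ALL_KEYS, max_ratio=2.0):
    """True when every key has been pressed and the most-used key is pressed no
    more than max_ratio times as often as the least-used one, i.e. rotation has
    left no pattern to read off the pad."""
    profile = wear_profile(codes)
    if set(alphabet) - set(profile):
        return False
    return max(profile.values()) <= max_ratio * min(profile.values())


if __name__ == "__main__":
    print("never rotated:", candidate_count(WORN_KEYS, 5, each_key_once=True),
          "candidates if each worn key is pressed once,",
          candidate_count(WORN_KEYS, 5), "if keys may repeat, out of",
          full_keyspace(ALL_KEYS, 5), "with no wear information")
    never_rotated = ["1234#"]                                  # constructed
    rotated = ["12345", "67890", "*#246", "13579", "80*#0"]    # constructed
    print("untouched after one code:", sorted(untouched_keys(never_rotated)))
    print("even wear after rotation:", wear_is_even(rotated))
```

With the five worn keys the candidates drop from 271452 (any code up to 5 keys long on a 12-key pad) to 3905, or just 120 if each worn key is pressed once; the constructed rotated history passes the evenness check while the single code fails it.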

But… What combination would you try first?

Personally, I’d start with the infamous Space Balls combination:

Why? Well, why not. If you never change the combination on your key locks, then chances are that you are also using the simplest and easiest combo you can think of. In this case it would be 1, 2, 3, 4, #. That ladies and gentlemen was exactly the code used in the building I was visiting.

This would be a major security problem if any of these doors were facing the street or publicly accessible parts of the building. Fortunately they were not. To get to any of them you still had to go past the security desk in the main lobby and walk through a metal detector gate. Only employees and authorized guests would actually get this far – so these security systems were mostly a nuisance for the people that worked there every day. That’s likely why no one ever bothered changing the combination, or at the very least replacing the key pads.

What is the lesson here? I guess it’s that applying too many access controls to a system may actually decrease its overall security. If you make your employees change their password every week, then they will end up writing it down on a sticky note and put it on their monitor. If you force people to get through 3 pairs of security doors just so that they can reach the hallway and use a restroom, the key combos for these doors will likely use the Space Balls numbers. And if you make people carry the RSA authenticator fobs with them they will likely attach them to their laptops. Oh, and they will also tape their user names and passwords to the back so that whoever steals their laptop has all the authentication information in a neat little package. People can be quite ingenious when it comes to circumventing security measures.

But this sort of thing only happens when you let people get away with it. What you need is someone in your organization whose job it is to look for security issues like the one I described above, and fix them. Such a person must be able to inspire fear, and be able to deliver massive amounts of pain, fire and brimstone onto anyone stupid enough to tape their passwords to the monitor or attach their RSA fob to their laptop. And your local NOC dwelling BOFH is probably not the best candidate for this position because while he probably enjoys whipping lusers into shape, things like wear and tear on key locks might be out of his scope of influence. But I guess that’s just my opinion.

In the comments let’s talk about other examples of secure systems that are secure in name only. Have you ever encountered worn down key locks? How about swipe card doors that are permanently wedged open using a door stop?

How about biometrics? Have you ever worked at or visited a facility that foolishly decided to use biometric identification? If yes, tell me about the massive amounts of failure that had to come out of that experiment. Do they still use it, or did they revert to something more sane?

McAfee Auto Renewal (http://www.terminally-incoherent.com/blog/2009/07/09/mcafee-auto-renewal/, Thu, 09 Jul 2009 14:22:54 +0000)

I just retired one of the old computers in the house and remembered it was running McAfee and was subscribed to their auto-renewal program. Since I no longer had use for that McAfee license I decided to opt out of the auto-renewal while I still remembered about it. So I logged into their customer portal, clicked on the appropriate link and saw this:

McAfee Auto Renewal Page - Can't Disable This Feature

Um… So where is the opt out button? Oh, right – they don’t have one. Apparently you need to contact the customer support to disable it. Nice one McAfee! Well done!

I did as they said – I sent an email via their online form, and I got a confirmation in the mail the next day. Apparently they canceled the renewal service on both products on my account. The email said I can always log in and re-enable this feature.

I decided to double check it myself, but to my surprise the auto-renewal link was removed from the sidebar overnight. It’s now gone and I have no way of accessing this feature. I’m not sure what this means…

Is it possible that McAfee understood the error of their ways and removed the shady auto-renewal feature altogether? Or did they just hide the incriminating page so that their customers can’t easily check up on their status? Interesting…

Needless to say, I made a note in my calendar to remind me to watch my credit card statement next year to see if they really opted me out like they said or if they will charge me again.

Luke’s Definitive Guide for Removing Malware (http://www.terminally-incoherent.com/blog/2009/05/25/lukes-definitive-guite-for-removing-malware/, Mon, 25 May 2009 14:09:22 +0000)

I get a lot of requests from friends, family and friends of family for MS Windows support – most notably malware removal. You see, I’m a software developer and a Linux user and that somehow qualifies me for this type of work. Yes, the impeccable logic of a common luser never ceases to astound me.

Fortunately for these people I do have a good deal of experience with IT work. This post is my attempt to pass some of this arcane knowledge onto you. Despite popular belief, removing malware is not some special skill that needs to be trained or gained via experience. I hardly ever actually hunt down the infections and remove them by hand. 90% of the time, this stuff boils down to using the right set of tools, and applying a little bit of critical thinking to the task.

The Tools

Most of the nasty malware you will get infected with can be effectively removed with one of these tools:

  1. Malwarebytes Anti-Malware (shareware – free to scan, resident protection costs $$)
  2. Superantispyware.com (freeware)
  3. Combofix (specialist tool)

How did I pick these tools? I didn’t pick them at all. The vocal anti-malware community of the internets picked them. I didn’t look at any polls, benchmarks or critical reviews. I use these tools because I know they work. How do I know they work? Because I’ve seen it and because they are recommended in every single security related thread on the internet.

You see, there are dozens of message boards out there dedicated to helping people clean up their infected machines. Users go there and post their symptoms and the resident experts give them recommendations and guide them through removal steps. Do you know what is usually the first step they recommend?

You guessed it – install Malwarebytes, run a scan, post your log file in the reply. Repeat for superantispyware.com. Between the two of them, these applications can remove just about anything. Very few trojans or worms can withstand this tag team. If they do, you can usually go for broke and use ComboFix which is sort of a last resort measure.

Most of the time ComboFix will clean your computer of the nasty infection. Every once in a while however it will hose the OS while trying. It will forcefully delete infected system files other anti-malware tools are afraid to touch, with a blatant disregard for system stability. This makes it effective, but a bit of a loose cannon. That’s why it forces you to install the Recovery Console prior to actually performing an aggressive scan.

The Procedure

There is no magical procedure. You should simply follow your common sense. This is what I usually recommend doing:

  1. Boot into Safe Mode With Networking
  2. Get rid of Temp files (where malware likes to hide) using ATF-Cleaner or CCleaner
  3. Install and update Malwarebytes and run a scan
  4. Install and update Superantispyware.com and run a scan
  5. Repeat 1-2 times until you get a clean log on both
  6. If you can’t remove some infections, or you still see the symptoms, reboot into normal mode
  7. Run ComboFix
  8. If you still can’t remove the infection, find its name
  9. Fucking google it!

The last step is crucial – I can’t emphasize it enough. Unless you are extremely unlucky and you got hit by a brand new variant of the malware, someone already went through this crap. It is more likely than not that you will find a forum or blog post somewhere with detailed removal instructions. Or in worst case, you will find links to more specialized tools that may or may not work against the crapware you are facing.

That’s it. That’s how I get rid of 90% of the crap people get infected with.

It’s so easy, even a caveman could do it!

Academic Advising Facepalm (http://www.terminally-incoherent.com/blog/2008/11/04/academic-advising-facepalm/, Tue, 04 Nov 2008 16:25:54 +0000)

My lovely university never ceases to amaze me. Every semester without fail, they do something so monumentally stupid that I can’t help but go:

FACEPALM

This has been going on since my freshman year. So 4 years of college, 2.5 years of grad school, and it will now be close to 2 consecutive years of being an adjunct. And every semester they surprise me with a brand new level of organizational stupidity. It’s always a different branch, different school, or office that does this. But it’s always entertaining. This semester the WTF moment was delivered by the Office of Academic Advising. Before I show you their email, let me give you some background.

Academic Advising likes to track the progress of students on academic probation. In the past, half way through the semester they used to send all faculty little envelopes with paper forms to be filled out. You got a separate envelope for each course you were teaching, and inside you had a short questionnaire regarding the progress of the 2-3 students in that class who were on probation. Since I’m teaching a general requirement course that must be taken, I always had at least 3 of these forms to fill out for each class. They were really short, 1 page things that asked about the student’s grades, whether or not they turn in their work on time, whether or not they attend the class regularly, etc. It usually took me a few minutes to fill them out, put them in an inter-office envelope and drop them in the Computer Science Department’s outbox.

This semester the Office of Academic Advising decided to modernize the process and have instructors fill out the forms online. That’s a good thing, right? Wrong. Please read the email they sent me:

Dear Colleague,

Each year, The Center for Academic Advising & Adult Learning administers the Student Academic Monitoring Program (STAMP). As part of the STAMP program, academically at-risk students are identified and faculty members are asked to assess the student’s performance in class. Comments submitted by faculty are then used by advisors to determine appropriate intervention strategies and support services for students. In an effort to increase the efficiency of the program, STAMP will be administered entirely online this semester. The list of students in your course(s) who are included in the Student Academic Monitoring Program this semester will be available on NetStorage, the University’s secure drive. To access your list, follow the instructions listed at the bottom of this email.

Once you’ve accessed the list, go to [URL redacted to prevent stupidity] and complete a form for each student on your list. Submission of the form by faculty will automatically generate an email to the student. This email will include ONLY the quantitative information supplied by the faculty (eg. number of absences, approximate grade in the course, assignments submitted on time, etc.). Qualitative information submitted in the Comments section will be viewed only by advisors.

Your honest evaluation of these students at mid-semester plays a key role in our efforts to assist them and to ensure their retention at the University. Please submit the online STAMP forms no later than Monday, November 3rd.

Thank you in advance for your cooperation.

Sincerely,

Center for Academic Advising & Adult Learning

Instructions:

1. Go to NetStorage
2. In the username box, enter your NetId (eg. smithj)
3. In the password box, enter your password
4. Click OK
5. Click on DriveF@GROUPS
6. Open the CAAAL folder
7. Open the STAMP folder
8. Open the FACULTY folder 
9. Open the spreadsheet that corresponds to the first letter of your last name
10. Sort the spreadsheet by faculty_name (column A) to find your name. Your students will be listed in column C.

TLDR: we are lazy, and you should do all the work from now on.

So the Office of Academic Advising dumped their list of students on probation into a bunch of Excel worksheets, then put those worksheets on a network share.

[Image: academic_advising.png]

Our mission, should we choose to accept it, is to weed through these spreadsheets, locate the students who attend our classes, then go and fill out a generic blank online form for each of them:

[Image: academic_advising1.png]

Can you see the problems with this new scheme? Obviously it’s a pain in the ass to do. I’d much prefer to fill out my paper form and be done with it. But there are more jarring issues here.

For one, any faculty member, adjunct, graduate student teaching a class and God knows who else can go and download all these spreadsheets and get access to a list of students on academic probation and their student ID numbers. Upon merging and sorting all these files you can easily re-create class schedules for all these students. I don’t know about you, but to me this is way too much personal information being accessible to way too many people. I’m pretty sure this is a privacy violation, and there is probably a rule against doing precisely this sort of thing somewhere on the books.

The second issue is that, as far as I can tell, anyone can go and fill out that blank form. There doesn’t seem to be validation of any type, so I could fill out forms for students that are not in my class. In fact, I could fill out this form for students who are not on probation, or who don’t even exist.

Not to mention the fact that different people will put different things into the free-form input boxes labeled “Course Name” and “Course Number”. Why? Well, let me give you an example. One of the courses I teach can be identified as follows:

  • CMPT 109-36: Fluency in Technology

There is also a “call number” associated with this course, which is a unique numeric identifier students use when registering and then promptly forget. The question is, which part of the above is the course name and which one is the course number? Is the course number only CMPT 109, or do I need to specify the section number, CMPT 109-36? Also, how do I input this information into the box? I can think of several ways to do it:

  • CMPT109-36
  • CMPT 109-36
  • CMPT-109-36
  • CMPT-109 36
  • CMPT10936
  • CMPT 10936
  • CMPT 109 sec. 36

Etc. I think you can see the pattern here. All of the above are somewhat valid annotations and I have seen people use most of these variations on different occasions. This effectively means that sorting and aggregating on the Course Number column in the database will not produce any useful results. The data that they will get in this form will be absolute shit, and will have to be tabulated by hand just like the paper forms were. All they are really doing is eliminating the printing, mailing, hand sorting and scanning/data entry part of the process by offloading all the work onto the instructors. Not cool.
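The fix on the form side is to validate and canonicalise the identifier when it is typed, rather than storing whatever lands in the box. Here is an added Python example of such a normaliser (my code, not anything from the university’s form); it assumes a 2-4 letter department code, a 3-digit course number and an optional 1-2 digit section, which is the shape of CMPT 109-36 above, and rejects anything else.

```python
"""Added example (not the university's form code): validate and canonicalise
free-form "Course Number" input so the column can actually be aggregated.

Assumption: identifiers look like CMPT 109-36, i.e. a 2-4 letter department
code, a 3-digit course number and an optional 1-2 digit section. A run of
digits with no separator ("CMPT10936") is read as course + section on that
basis; anything that does not fit is rejected rather than stored as typed.
"""
import re

# Tolerates spaces, hyphens and an optional "sec"/"section" marker between parts.
_COURSE_RE = re.compile(
    r"""^\s*
        (?P<dept>[A-Za-z]{2,4})            # department code, e.g. CMPT
        [\s\-]*
        (?P<number>\d{3})                  # course number, e.g. 109
        (?:                                # optional section
            [\s\-]*(?:sec(?:tion)?\.?)?[\s\-]*
            (?P<section>\d{1,2})
        )?
        \s*$""",
    re.VERBOSE | re.IGNORECASE,
)


def parse_course(raw):
    """Split a free-form identifier into (dept, number, section-or-None).

    Raises ValueError for input that does not fit the assumed shape, which is
    what the web form should do instead of accepting arbitrary text.
    """
    m = _COURSE_RE.match(raw)
    if not m:
        raise ValueError(f"unrecognised course identifier: {raw!r}")
    section = m.group("section")
    return (m.group("dept").upper(), m.group("number"),
            section.zfill(2) if section is not None else None)


def canonical(raw):
    """One spelling per course/section so sorting and grouping work."""
    dept, number, section = parse_course(raw)
    return f"{dept} {number}" + (f"-{section}" if section else "")


def group_by_course(rows):
    """Count rows per canonical course, collecting the rejects separately."""
    counts, rejected = {}, []
    for raw in rows:
        try:
            key = canonical(raw)
        except ValueError:
            rejected.append(raw)
            continue
        counts[key] = counts.get(key, 0) + 1
    return counts, rejected


if __name__ == "__main__":
    # Constructed sample of what different instructors might type into the box.
    typed = ["CMPT109-36", "CMPT 109-36", "CMPT-109-36", "CMPT-109 36",
             "CMPT10936", "CMPT 10936", "CMPT 109 sec. 36", "cmpt 109",
             "Fluency in Technology"]
    print(group_by_course(typed))
```

All seven spellings from the list collapse to "CMPT 109-36", "cmpt 109" becomes "CMPT 109", and the course name typed into the number box is rejected instead of becoming one more unmatched row.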

I’m being told that this new method is a slight improvement though. Apparently, in the past these spreadsheets used to be emailed from one department to another without any encryption. So at least this time around they have them locked behind some sort of user authentication screen and you must access them via SSL. :P

Hacking in Hollywood (http://www.terminally-incoherent.com/blog/2008/09/30/hacking-in-hollywood/, Tue, 30 Sep 2008 15:28:27 +0000)

I said this before, and I’ll say it again – I can’t stand Hollywood movies about hackers or hacking. I just can’t deal with that shit. The classic Hackers is possibly the single notable exception to this rule. And that’s because this movie is actually a clever satire – it takes the popular culture image of a hacker, and the average Joe’s concept of what hacking is, turns it up to 11 and then adds a dash of realistic jargon, or real references here and there. It is a ruthless caricature poking fun at the hipster image of a hacker existing in the media and the so called “hacker culture” perpetuated by script kiddies who think they are 1337. I have no clue whether or not this satirical layer was added intentionally, or whether it simply emerged because later Hollywood productions tried to imitate it. In either case the sheer badness of the film caused an integer overflow and as a result it became good again. And I guess that’s all that matters.

Of course, if you manage to miss the joke completely you can still enjoy the movie as a campy, off-beat fun ride. Everyone wins. The end result is a cult classic loved by computer professionals and clueless people alike – often for very different reasons. Few others have ever accomplished anything similar. In most cases any attempt to portray “hacking” on the silver screen ends up in a massive load of epic fail. As an example I give you a scene from the movie Swordfish:

Can anyone explain to me what is going on in here? Cause to me it kinda looks like this guy is playing some sort of 3d puzzle game. He is typing on the keyboard like a madman, cursing, jumping around and etc… In the meantime his (obligatory) multiple screen rig is showing some funky animation depicting cubes of shimmering code falling into place, scrolling text and lots of blinking lights. It’s silly!

Most Hollywood movies depict hacking this way. Some sort of abstract, incomprehensible activity that apparently involves a lot of frantic typing without using a space bar. But it doesn’t need to be this way. Here is a hacking scene from The Matrix. Watch closely what shows up on Trinity’s monitor:

Did you catch it? You can clearly see the characteristic output of Nmap (a very popular port scanning tool), and then she exploits the very real, but also very old ssh vulnerability to take control of the remote system. This depiction was so realistic that the British Computer Society felt compelled to release a joint statement at the time, urging movie goers not to attempt to emulate it.

To a lay person both scenes would look equally incomprehensible and cryptic, right? In both cases we see characters type stuff on the keyboards, and see some scrolling commands and text output that is really not essential to the story. Hollywood producers usually assume that since an average person doesn’t know the first thing about hacking they might as well make the activity visually pleasing.

The thing is that people do know what hacking looks like. Anyone who uses their computer for more than browsing Myspace and chatting on AIM knows that what you see in the Swordfish scene (or the scenes from the Hackers movie for that matter) is totally fictitious. Unless you are a lumberjack and live in a log cabin in the middle of a forest with no electricity you probably know a programmer, sysadmin, or an IT guy of some sort. Or at the very least you may know that computer whiz kid from the neighborhood who fixes your laptop whenever you infect it with too much spyware.

There is a certain way computer interfaces look, and there is a certain flow to a typical computer operation. I think that most movie goers these days realize that “hacking” into a computer system involves activities such as running programs, typing in commands, and for example looking stuff up on the internet. Most people realize that this whole “typing really fast, to control some 3d animation on the screen” thing is incredibly silly. In fact I have seen it parodied, joked about and made fun of in mainstream media well outside the usual geek circles.

So why does Hollywood insist on insulting our intelligence this way? Why do they show us shiny animations, assuming that we wouldn’t understand what was going on in the first place? Some people will probably argue that showing “real hacking” would be irresponsible. I would naturally laugh, and explain the concept of full disclosure to these people. Think about this logically:

  1. No one says that Hollywood needs to show new, cutting edge zero day vulnerabilities
  2. Besides, a zero day vulnerability would be old news long before the official movie premiere
  3. Including an old vulnerability in a blockbuster movie would possibly make people nervous and force them to finally patch their systems – so it would be a benefit for everyone
  4. No one says you need to show a step by step tutorial – what Matrix did was perfect – they made up a script with a made up name, and then stated it is exploiting the ssh crc32 vulnerability

Showing just glimpses of real exploits, or inessential bits of code, is not irresponsible or dangerous. It is no more dangerous than showing your average episode of MythBusters on TV. After all, MythBusters uses real physics and chemistry principles to make things blow up like every week. You know – the stuff you could look up in your high school physics/chemistry book – they use that stuff. How is using basic, common knowledge computer science and computer security principles to do privilege elevation or remote exploits any different?

All I’m asking is this: if your movie revolves around hackers, hacking, security exploits or programming, please, please, please hire a technology consultant and for god’s sake listen to him. Ask him to write down a list of technical jargon terms the characters should know, and pointers on their usage. Have him write sample lines the characters could say while hacking/programming. Have him work with the post-production team to create appropriate visuals. That’s it! One guy, a few hours of work. Whatever you will need to pay this dude is probably insignificant compared to the amount of money you spend on the CGI, pyrotechnics and the stunt work.

Seriously, if you know nothing about computers why do you think you can write and/or direct a good movie about hackers and/or programmers? When you are making a movie about policemen, soldiers, firemen, lawyers or salesmen you probably bring in a specialist who explains to you and the actors how things are done in his profession, makes sure you use the appropriate lingo, and don’t make huge blunders. No one seems to be doing that for computer related stuff though. It seems that it is easier to just make stuff up instead.

Commentary on the Palin Email Thing (Wed, 24 Sep 2008)

I know that I promised not to talk about politics on this blog. You get some of that in the form of politically charged funnies at /dev/random and short bursts of venom on twitter. I don’t really want to become too verbose about my frustrations with certain presidential candidates here. So this won’t be about politics – this will be about security, or lack thereof. I will try to restrain myself from political comments and only make comments about human stupidity, which is a quality that is equally distributed amongst the democrats and republicans.

I initially wasn’t going to comment on this, but people keep asking me for my opinion and I figured I should put together something more eloquent than “Palin got pwnd by /b/. She should totally invest in a dog.” And preferably something that is not as politically charged.

Let’s start from the top. Once upon a time, Gov. Palin had a Yahoo email account. Note that I’m using the past tense here. She no longer has it, because a /b/tard heard about it and took it over in 5 minutes. How was this feat of extremely 1337 hacking on steroids performed? From the horse’s mouth:

rubico 09/17/08(Wed)12:57:22 No.85782652

Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story.

In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bullshit spamming.

after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

As you can see, there was no hacking done here. In fact, the very act of taking over Palin’s email required no computer knowledge, and no skill. Hell, it didn’t even require intelligence. All it required was the ability to type the word “palin” into the Google search box. Anyone in the world could have done this. It just happens that it was done by /b/ and for LULZ, but it could have been just as easily perpetrated by someone with a much more malicious agenda to either monitor, intercept or forge Gov. Palin’s work related messages.

The obvious point of failure here is of course the password recovery system. Almost all online services use one of these, because remembering strong passwords is difficult and using weak passwords is dangerous. It is an age old problem, and the solution is to force people to use strong passwords, and allow them to go through a recovery process involving easy to remember questions in case they forget. Most services won’t actually allow you to reset your password on the spot, but instead will send a temporary password or a confirmation message to the email you used to sign up for the service. So if someone tries to recover your Facebook password for example, and correctly guesses the name of your first dog and your zip code, they still won’t get access to the account. Instead you will get an email notifying you about the recovery attempt. Not the most secure solution, but it works.

Of course in the case of Yahoo mail this is apparently not the case, which sort of makes sense. Requiring someone to use an email address to sign up for another email account is a bit silly. As a result Yahoo apparently relies solely on the very insecure personal questions to verify your identity. These questions may often work for a private person. After all, how many people in the world know the zip code of your mom’s house, the name of your high school crush and the name of that pet goldfish you flushed down the toilet when you were 11? Even if you blab about yourself constantly, there is only a limited number of people who could potentially know these things – and these are the people who know you personally, and who you can track down and slap around if you find out they have tried to read your email. This changes when you become a public person and you have your own detailed Wikipedia entry that gets vandalized 5 times a day. The flaw that is inherent to the password recovery system becomes a gaping security hole.

The lessons here are twofold:

  1. Using a free email account when you are a public figure puts you at risk, even if it is purely for personal use. You really want to invest in something more robust. It’s fine if you want to keep your public email and your private email separate, but you should really look for a more professional solution. Perhaps something where you can confirm your identity by giving out the CC number associated with your account, and its security number. After all, that’s something a random /b/tard won’t be able to find on wikipedia.
  2. We need to carefully reexamine the way we use the password recovery mechanisms. It’s obvious that Yahoo’s solution is very vulnerable to a common sense, logic based attack. This is unacceptable, and needs to be fixed for Yahoo and all the other services which use a similar recovery method.

The problem with password recovery is a serious one, because there is really no easy way to make it more secure. Let’s remember that the only reason people use this feature is because they can’t remember their 6-8 character password. If you make the recovery questions too obscure or complex, people will forget them as well. This is why most free online services insist that you sign up with a valid email address where they can send you a password recovery confirmation. The only way to ensure that you are not giving away the password to a bad guy is to hand over the job of confirming your identity to someone else – your email provider. Of course if you are trying to be a primary email provider for people who already have, but don’t want (or don’t know how) to use their ISP provided emails, you don’t really have that option.

How do we resolve this? First off, don’t do what Yahoo did. When you are a free online service, always defer the job of confirming identity during password recovery to someone else. This way, when an account gets compromised it is not your fault. The easiest way of course is to require your user to sign up with a valid email account. But not necessarily – you can also become an OpenID consumer. Everyone and their mom is an OpenID provider these days, but no one ever wants to be a consumer. However, using OpenID logins is a perfect way to defer trust to another entity without asking the user for another email address.

This way security issues cluster around popular OpenID providers, some of which are paid services (e.g. LiveJournal) which can ask the user to verify their CC# upon password recovery. Better yet – if you are a public figure you can roll out your own OpenID provider solely responsible for authenticating you, and only you, on a bunch of online services. If you forget your password you simply visit or call up “Joe”, the guy who maintains your OpenID server, and ask him to reset it for you. If someone hacks your account, you can personally kick Joe’s ass, and then fire him.

Of course there are many issues with actually implementing OpenID in a way that works. If you trust the wrong OpenID provider, for example, you may find yourself overrun by spammers. Not an ideal solution, but a solution nevertheless. It does seem to work for Stack Overflow, for example.

If you don’t want to defer authentication to someone else, and you want to remain free, do something like Google did for Gmail registration – ask your users for a phone number and send them a text message with a security code when they try to recover a password. It is almost like a poor man’s two factor authentication. There are of course usability issues with this scheme as well – problems with SMS transport across networks, and other random stuff. I’m not saying everyone should do it – I’m just saying it is a more secure option than asking for the name of a person’s dog. At least in theory.
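The recovery flow the post keeps coming back to (never reset on the spot; hand a one-time confirmation to the channel the user registered, and tell the owner a reset was attempted) as an added Python sketch. This is example code written for this post, not code from the post or from Yahoo, Google or any OpenID provider. It assumes an in-memory user table, a `RecoveryService` class and an `outbox` list standing in for the mail or SMS gateway; the 15 minute token lifetime and the sample usernames and addresses are constructed values. Delivering the same token by SMS instead of email, as in the Gmail scheme above, is only a change of delivery target.

```python
import hashlib
import secrets
import time

# Lifetime of a recovery token. A short window limits the damage if the inbox
# holding the link is read later. (Assumed value, not from the post.)
TOKEN_TTL_SECONDS = 15 * 60


def _hash_token(token: str) -> str:
    """Tokens are stored only as SHA-256 digests, so a leaked table cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash for storage (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class RecoveryService:
    """Password recovery that defers identity confirmation to the registered address.

    `outbox` collects (address, message) pairs instead of sending anything, so the
    whole flow runs offline and can be inspected. `clock` is injectable for tests.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.addresses = {}   # username -> registered email (or phone for SMS)
        self.passwords = {}   # username -> (salt, PBKDF2 digest)
        self.pending = {}     # sha256(token) -> (username, expiry timestamp)
        self.outbox = []      # constructed stand-in for the mail/SMS gateway

    def register(self, username: str, address: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.addresses[username] = address
        self.passwords[username] = (salt, _hash_password(password, salt))

    def check_password(self, username: str, password: str) -> bool:
        entry = self.passwords.get(username)
        if entry is None:
            return False
        salt, digest = entry
        return secrets.compare_digest(_hash_password(password, salt), digest)

    def request_reset(self, username: str) -> None:
        """Mail a one-time token to the owner; never reset on the spot.

        Returns nothing whether or not the account exists, so the caller cannot
        use this endpoint to enumerate usernames.
        """
        address = self.addresses.get(username)
        if address is None:
            return
        token = secrets.token_urlsafe(32)
        self.pending[_hash_token(token)] = (username, self.clock() + TOKEN_TTL_SECONDS)
        self.outbox.append((address, f"Password reset requested. Token: {token}"))

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Consume the token and set the new password; False on unknown, used or expired."""
        # pop() makes the token single-use even if the checks below fail
        entry = self.pending.pop(_hash_token(token), None)
        if entry is None:
            return False
        username, expiry = entry
        if self.clock() > expiry:
            return False
        salt = secrets.token_bytes(16)
        self.passwords[username] = (salt, _hash_password(new_password, salt))
        # Notify the owner, so a reset they did not start is noticed quickly
        self.outbox.append((self.addresses[username], "Your password was changed."))
        return True


def token_from_message(message: str) -> str:
    """Pull the token back out of a constructed outbox message (test helper)."""
    return message.split("Token: ", 1)[1]
```

The two properties that matter are that nobody, including the server operator reading the `pending` table, can reset an account without the token that was delivered to the registered address, and that a token is good exactly once and only for a short time.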

At the very least, we should revisit the questions and answers the recovery process is using. Obviously things like DOB, zip code and spouse name are very easy for a potential attacker to find out. Perhaps a different kind of question would be in order. Perhaps something along the lines of:

You’re in the desert, you see a tortoise lying on its back, struggling, and you’re not helping. Why is that?

Only don’t use a known quote, because 80% of people who watched/read Blade Runner will invariably answer this one with “what is a tortoise?” and that’s not exactly what you want. Simply ask a personal question, and assume that the answer for a given question doesn’t change. Perhaps something along the lines of:

“You are walking in the park, alone. It is cloudy day but it is not raining. You smell wet leaves. What are you thinking about?”

Again not perfect, but it may trigger some rather personal memories, or incite a trivial response along the lines of “better get home before the rain”. We would probably have to test this type of question on a group of users, and then have them try to recover their passwords 6 months later and see if they are able to use the same responses. Also it would be interesting to see if this sort of emotionally charged question prompts similar answers from many people. I have a hunch that the above question would end up with many responses along the lines of “I think of her/him”, but again – it would take some testing. The assumption is that these questions would be harder to defeat by looking them up, but since we are all emotionally wired in a similar way they may be easy to guess by intuition alone.

Those are my 3 ideas. Feel free to suggest your solutions to the password recovery issue in the comments. Maybe there is a better way to do this.

Is it Gov. Palin’s fault that she got pwnd? Yes and no. Yes, because she should have known better than to use Yahoo. No, because this would not have happened if it wasn’t for the inelegant kludge that is the “password recovery question” mechanism employed by Yahoo. She is not the only person who had their account compromised this way – it’s just that the contents of most people’s Yahoo inboxes are not a matter of national security and thus we don’t hear about it on the news.

The interesting thing is what will happen to the kid who did this. What’s his name? David, was it? Yes, it was David. Will he get a slap on the wrist, or will he be made an example of? Will he spend some quality time in a federal prison, or will he get off with a fine, some community service and a nasty smear on his daddy’s reputation? Or will he dodge all punishment by a small margin due to insufficient evidence?

What do you think?
