
greg hughes - dot net

Security, IT and anything else that matters... to me, that is



Thursday, October 14, 2004 1:56:49 PM (Pacific Daylight Time, UTC-07:00) ( IT Security | Tech )

Jesper M. Johansson, Ph.D., ISSAP, CISSP is a Security Program Manager at Microsoft. The second part of his three-part article on the use of passwords vs. passphrases was recently published.

The Great Debates: Pass Phrases vs. Passwords

  • Part One - covers the fundamentals of passwords and pass phrases, how they are stored, and so on
  • Part Two - discusses the relative strength of each type of password, and uses some mathematical approaches for illustration
  • Part Three - offers some conclusions and guidance on how to choose passwords and configure a password policy

In this installment, he looks at three arguments for the use of pass-phrases:

  • Claim 1: Users Can Remember Pass Phrases
  • Claim 2: Longer is Stronger
  • Claim 3: Pass Phrases Can Have More Randomness

This is a great read, worth the time for anyone who works in the security field or in IT operations and security. I am looking forward to the third installment, as well. Jesper has a powerful way of cutting to the heart of the arguments and coming out the other end of the conversation with good facts in tow.
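Claims 2 and 3 come down to keyspace arithmetic, so here is an added worked example (my own code, not from Jesper's article) that compares the bits of a uniformly random character password against a uniformly random word-list pass phrase, and shows the caveat behind Claim 3: a phrase picked from a small set of familiar sentences is only as strong as that set, however long it is. The alphabet sizes, word-list sizes and guess rate are assumptions chosen for illustration.

```python
import math

# Constructed policy parameters (assumptions for illustration, not figures
# from the article): character-set sizes for passwords, list sizes for phrases.
PRINTABLE_ASCII = 95      # every printable US-ASCII character
ALPHABET_64 = 64          # a 64-symbol alphabet: exactly 6 bits per character
DICEWARE_WORDS = 7776     # 6**5 words, the size of a Diceware-style list
SMALL_WORDLIST = 2048     # 2**11 words: exactly 11 bits per word


def keyspace_bits(symbols: int, length: int) -> float:
    """Entropy in bits of a secret made of `length` independent, uniformly
    random picks from `symbols` equally likely choices (characters or words)."""
    if symbols < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return length * math.log2(symbols)


def chars_to_match(target_bits: float, symbols: int) -> int:
    """Shortest random character password over `symbols` whose keyspace
    is at least `target_bits` (Claim 2: how much longer is 'longer')."""
    return math.ceil(target_bits / math.log2(symbols))


def chosen_from_bits(candidates: int) -> float:
    """Claim 3 caveat: a phrase the user picks from `candidates` well-known
    sentences has log2(candidates) bits, no matter how many characters it has."""
    return math.log2(candidates)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an offline guessing attack to try the whole keyspace."""
    return 2 ** bits / guesses_per_second


def compare(password_len: int, password_symbols: int,
            phrase_words: int, wordlist_size: int) -> dict:
    """Side-by-side keyspace of one password policy and one pass phrase policy."""
    pw_bits = keyspace_bits(password_symbols, password_len)
    pp_bits = keyspace_bits(wordlist_size, phrase_words)
    return {
        "password_bits": pw_bits,
        "passphrase_bits": pp_bits,
        "password_chars_to_match_phrase": chars_to_match(pp_bits, password_symbols),
    }


if __name__ == "__main__":
    # 8 random printable characters vs. 6 random words from a 2048-word list
    result = compare(8, PRINTABLE_ASCII, 6, SMALL_WORDLIST)
    for key, value in result.items():
        print(f"{key}: {value:.2f}" if isinstance(value, float) else f"{key}: {value}")
    # the same 6-word phrase, but chosen from 10,000 familiar quotations
    print(f"quotation phrase: {chosen_from_bits(10_000):.2f} bits")
    # assumed 2**30 guesses per second for an offline attack on 48-bit keys
    print(f"48-bit keyspace exhausted in {seconds_to_exhaust(48, 2 ** 30):.0f} s")
```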


Thursday, October 14, 2004 1:40:44 PM (Pacific Daylight Time, UTC-07:00) ( Tech )

Every now and then a company comes along that Just Gets It™.

Google is one of those companies. I have been playing with the new Google Desktop Search beta application, which is a locally-installed program that indexes content on your local computer and allows you to search it, in-line with other Google searches.

It might take a minute to realize the utility of this. Bear with me. Then use it and see for yourself. This is (as Scott would say) pure sex.

Once you install Google Desktop, any Google search can then include your local desktop/machine search in-line, as shown above. You can also do a desktop-only search, and you can choose to disable the ability to show Desktop Search results on Google Web Search result pages. Google states that your personal search results and data are kept private from Google.

What can you index on your desktop machine? Google Desktop is able to index the following items so that you can search for them:

  • Outlook email
  • Outlook Express email
  • AOL IM 
  • Word
  • Excel
  • PowerPoint
  • Text and other Web history
  • Secure pages (HTTPS) in web history

Find out more on the Google Desktop “About” page, or see more screenshots here. Also available are the Getting Started Guide and a page dedicated to privacy questions and concerns.

I've been using it for a couple of hours, and already I can tell that this is not something I will be giving up any time soon. I am adding this to my little box of tricks.

Want to try? Jump over to http://desktop.google.com and install the small app, and you'll be on your way. If you have thoughts or comments after trying it, feel free to share them here, and be sure to let Google know.


Wednesday, October 13, 2004 10:45:47 PM (Pacific Daylight Time, UTC-07:00) ( Geek Out | Tech )

There's an interactive guide online that will quickly and easily help you determine what needs to be done to upgrade your TiVo. Add a hard drive or two, replace your original drive with a bigger one, whatever.

This is a lot better than what I had when I took my 20-hour Series One TiVo and did my hack, ending up with two 120GB drives in it. It works great and records things for me every day (and will likely never run out of space). I had to piece together software and instructions, and walk my way between the lines in certain areas. Anymore it's much easier, so just go here for help.

Once you choose your TiVo model, hard drive options and a few other items needed to provide accurate instructions, the interactive guide provides you a clean, usable, well-written set of directions and links to required software specific to your needs as well as other resources like picture guides.

The site: http://tivo.upgrade-instructions.com/step1.php

(from hackaday.com)


Wednesday, October 13, 2004 8:09:25 PM (Pacific Daylight Time, UTC-07:00) ( )

I'm sitting here now with a pain in my lower back, the result of a discogram procedure performed today on three lower back discs. No pictures this time, but if you want to know what the procedure is there's info and a picture here.

I was prepped for this one by my doc to be ready for a very painful experience. A discogram is a procedure where he runs needles into the disc that is known/suspected to be the problem, as well as two others above it, one of which looks a little iffy but not as bad as the primary suspect disc, and another that looks normal and healthy. He then fills each up with fluid and a small amount of blocking agent "dye" that can be photographed on a CT scan after the procedure is completed.

Thing is, if you have a herniated disc and you pump fluid into it to blow it up/inflate it, that means the fluid will likely push the herniated portion harder into the problem area. That hurts, a lot of the time, and that's what they want. That is how they verify the pain, and if they choose to do surgery, they know exactly where the problem lies.

They can also look at the CT scan images and see where the dye flowed, which gives them an even better idea what they're up against and what kind of surgery - if any - is the best bet for the injury.

So anyhow, today was my day. I live about an hour or a little less northwest of Portland. The doctor who specializes in my back problem that I was referred to by my local doctor is in Salem, which is about an hour south of Portland. So, my friend Broc showed up at my place last night, made my guest bedroom useful, and got up early with me and drove me to Salem. He ate McDonald's and got coffee while I listened to him heckle me with tales of morning caffeine and food. I would not be able to eat or drink anything until after the procedure, and I was starving. And another thing - for me to not have coffee by 8am is unheard of.

The nurse was great this time - a little local anesthetic and the IV was right in (not like the last time at a different place...) and all I had to do was wait.

They got me into the room and on the table, and prepped my back. I heard the doctor come in.

And then the next thing I know, I was in the recovery area.

That's it. I have no freakin' clue what happened in the operating room, except that they did what they needed to do and I was not knocked out. But I swear to God, other than a vague recollection of a short painful stabbing experience with nothing solid to attach it to, I don't remember anything at all - it's like I jumped ahead an hour or so and that time never existed. I've never experienced that. Very strange.

Man - I hope I didn't say anything mean, stupid or embarrassing! :P

At any rate - we'll wait a couple weeks, let my back return to normal (I am a little more than just uncomfortable right now), I'm taking a trip, and when I get back it will be time to meet with the doc, once he has had time to review the results and consult with his partners, and see what if anything he can do to help.

Verdict: Expected severe pain, missed the whole damn thing in my memory, sore now but completely manageable - just a side effect of increasing the pressure and an expected consequence. The people were better than just good - they were thorough and terrific to me during the prep and after, and I have to assume they didn't tattoo me anywhere I can't see or something while I was "out of it." Doctor Olson and crew get an A+ in my book.


Tuesday, October 12, 2004 1:07:34 PM (Pacific Daylight Time, UTC-07:00) ( Tech | Windows Media Technology )

Windows XP Media Center Edition launched this morning, with support for high-def TV, multiple tuners, and lots of other cool stuff.

There is some confusion over licensing, and over earlier claims that it would be sold at retail. I think OEMs will have better access, but I'm not so sure about being able to purchase a copy all on its own...


Monday, October 11, 2004 11:09:53 PM (Pacific Daylight Time, UTC-07:00) ( Mt. St. Helens )

Heat scans are now showing greatly increased temperatures at the surface in the volcano crater and earthquakes are occurring at about one every five minutes. Scientists are saying this shows magma is much closer to the surface, and gas measurements also support this.

When I woke up this morning and was getting ready for work, I looked out the front window, from which I can see the mountain, and saw a column of steam lifting out of the crater. This was the first time I have been home at a time when clouds were cleared and something was happening.

I shot a couple of pictures, and will try to get around to transferring them from the camera to the computer and uploading soon.


Monday, October 11, 2004 9:34:29 PM (Pacific Daylight Time, UTC-07:00) ( AudioBlogging | Tech )

Click on over to hear what Eric has to say with regard to a sneak peek of KSSX, his Internet radio station call letters. As he describes, RSS is likely going to be the final link in making distribution of multimedia content in an automated fashion a realistic (meaning relatively seamless) experience and possibility.

"The radio station YOU design?"

Whoa... Gonna be cool.


Monday, October 11, 2004 12:02:12 AM (Pacific Daylight Time, UTC-07:00) ( Random Stuff | Things that Suck )

I picked up a copy of a documentary film on DVD today from Best Buy called FahrenHYPE 9/11, which is a response film that was made to take a critical, factual look at the Michael Moore film, Fahrenheit 9/11.

If you watched the original Michael Moore movie and cared at all about it (whether you liked it or hated it, doesn't matter), you owe it to yourself and everyone else to watch this documentary. You'll see people from the Moore movie talking about how they were misrepresented in the original film. Much of what Moore presented in Fahrenheit 9/11 is examined, critically reviewed and corrected in this film.

Seriously - there are two sides to every story, and Moore's story was such an exaggeration and misrepresentation of many facts, the FahrenHYPE 9/11 DVD should be mandatory viewing. It is inexpensive - only about $11 at Best Buy, and you can order it from Overstock.com as well.

You don't necessarily have to be a Bush supporter to accept that Michael Moore flat out lied and twisted events to meet the requirements of his agenda. This is in no way an attempt on my part to change your mind with regard to a voting decision - that's all yours.

It's the best $11 I've spent in quite some time.

One more time: regardless of your opinion of the Moore film and its content, be sure to see FahrenHYPE 9/11 - Once you see it, I think you'll understand why I'm so adamant.

Anyone who wants to borrow my copy, let me know.

And now, back to your regularly scheduled programming...


Sunday, October 10, 2004 10:12:30 AM (Pacific Daylight Time, UTC-07:00) ( Mt. St. Helens )

The volcano's seismic activity built back up again after dropping off a few days ago, and finally released more steam at about 7am today.

The advisory is still at Level 2 and earthquakes are not as frequent as they were before. A second dome, or “blister,” has been pushing up next to the one formed in the crater in the 1980s. The old dome was formed between 1980 and 1986. The new dome has formed over the past couple of weeks, and is already bigger than the one formed in the 80s.


Saturday, October 09, 2004 9:08:20 PM (Pacific Daylight Time, UTC-07:00) ( AudioBlogging | Random Stuff | Tech )

Jared Hudgins is a scary-smart dude I met at GnomeDex, as is Brandon Watts (another person I had the good fortune of meeting there). They could always be found together, which makes sense since they both traveled across the country from Georgia or some place around Atlanta. Both of these guys write for Lockergnome (and do a great job of it). Both are way younger and way smarter than me, and my purpose in writing this entry (yes, I do have a reason) is to call out two things:

  • First, that Jared just posted his first audioblog - so go listen to it. Oh, the world is changing so fast...
  • Second, I'm going to go out on a limb and predict that both Brandon (who has already authored his own programming language) and Jared are going to be people you'll hear about in a big way sometime in the future (and no, I don't mean in an 11 o'clock news kind of way). Dream big, make it happen. If you happen to be reading this in 15 or 20 years, please remind me and we'll see if I was right.

Saturday, October 09, 2004 8:34:51 PM (Pacific Daylight Time, UTC-07:00) ( Tech )

I missed this when it was originally released, but Microsoft recently kicked out a new PowerToy for Windows XP that lets you fine-tune the ClearType settings in Windows. It puts an applet in your control panel, so you don't have to find the obscure setting in the display properties dialog mess. It also lets you set the ClearType settings across all machine accounts and provides much finer control over the ClearType settings.

If you've never turned on ClearType, you really don't know what you're missing. It's unfortunate that most Windows XP users don't have it turned on and have not experienced the benefits.

Whether you have a CRT, flat-panel, or notebook monitor, ClearType can greatly improve the way Windows displays text on the screen, and can make using a computer easier on your eyes.


Why use ClearType?

Just look at the screen clips below (made with another PowerToy for the Tablet PC - the Snipping Tool).

Which would you rather read on your screen? With or without ClearType?

[Screen clips: "Without ClearType" and "With ClearType" (images not reproduced here)]

You can click here to go to the XP PowerToys page, and look for the link to download the "ClearType Tuner PowerToy."


Saturday, October 09, 2004 7:27:58 PM (Pacific Daylight Time, UTC-07:00) ( IT Security | Tech )

The new SANS 2004 Top 20 list of critical Internet security vulnerabilities is out. It's actually two top-10 lists, one for Windows and one for UNIX:

Top Vulnerabilities to Windows Systems

  • W1 Web Servers & Services
  • W2 Workstation Service
  • W3 Windows Remote Access Services
  • W4 Microsoft SQL Server (MSSQL)
  • W5 Windows Authentication
  • W6 Web Browsers
  • W7 File-Sharing Applications
  • W8 LSAS Exposures
  • W9 Mail Client
  • W10 Instant Messaging
Top Vulnerabilities to UNIX Systems

  • U1 BIND Domain Name System
  • U2 Web Server
  • U3 Authentication
  • U4 Version Control Systems
  • U5 Mail Transport Service
  • U6 Simple Network Management Protocol (SNMP)
  • U7 Open Secure Sockets Layer (SSL)
  • U8 Misconfiguration of Enterprise Services NIS/NFS
  • U9 Databases
  • U10 Kernel

Saturday, October 09, 2004 5:46:21 PM (Pacific Daylight Time, UTC-07:00) ( AudioBlogging | Random Stuff | Tech )

Click the play button to listen:

Prologue: After speaking with several respected people in the field about the term PodCasting in preparation for writing this article, I have changed my stance slightly from where I started and from what I wrote below. I decided to place this change-of-heart statement up top, with a quick explanation, but not to alter what my original post looked like, since my change of heart is primarily one of acceptance. So, while I accept current naming conventions and what-not, I still believe what I say below is relevant.

In the words of one respected colleague from the industry:

"... It's certainly a sexy term, and although technically inaccurate (see, --casting implies sending from-- we aren't broadcasting from an iPod), the media seems to love it, people associate '-pod' with the success of the iPod, and that's a good thing. It's good because now bigger radio folks are doing it. We the people are doing it. This whole thing has stickiness, and got that stickiness in record time. I say, let's just revel in it. It can't hurt."

- Eric Rice

Ok, I can do that. Fair enough, and good advice.

- greg


[How exactly do you describe the process of hanging up a call with someone when you're not actually talking on a traditional telephone anymore? Hmm...] I just got off the Internet with Chris Pirillo. He and I were engaged in an instant messaging session, which branched off to email, and which we then took over to Skype. Chris then used the Skype audio and some kind of hacked-together recording device to create an interview MP3 that he will, undoubtedly, edit (I sure hope he edits it, heh...) and post to his web site at some point in the near future. Personal internet broadcasting hard at work.

We talked about something we both think is great and interesting, but about which we share a similar gripe:

The term "PodCasting" - I know it is catchy and sticky and has already taken off, so I wouldn't expect any kind of change to happen, but regardless, it's just the wrong name to use. Why? Because this new wave of technology use is not actually about iPods (it works with pretty much any MP3 player), yet it sounds like it is all about iPods. It's not about the playback device (again, any MP3 player), it's about the communication medium and the content being distributed. It's about the convergence of several smaller pieces of cool technology, and the interest of a relatively small but rapidly growing group of people whose influence has the potential to create something very, very big. But to say the iPod is the platform is to limit the market and the potential of what's happening -- in my opinion.

Now, please understand -- I don't have any kind of problem or dislike toward Apple's iPods, or the technology, or the idea that people are enabled to communicate to an Internet audience their own opinions, ideas, news, music or what-have-you. In fact I think all those things are great. It's the name that kills me. If you like iPods, that's fine (I think they're great, too), but to call the iPod the platform in this context is just plain-old-flat-out confusing and wrong.

When Chris and I started our conversation this morning, I sent him an email with an admittedly hot-under-the-collar tone complaining about this supposed "revolution" (I don't see it quite that way) and the "podcast" name that's been attached to this "phenomenon" (another over-stated term I think - let's see what happens before we actually attach names like that).

Then we decided, well heck - let's talk about it by creating a personal internet broadcast (yes, you're right, I am intentionally not using that term) of our own.

You see, we love the technology. We love the medium. We love the gadgetry of it all and the idea of enabling people to communicate and express themselves in new ways - and to make it easier for people to do on both ends.

Both of us even plan to create content and use the technology ourselves.

It's just that damn name.


Friday, October 08, 2004 4:28:03 PM (Pacific Daylight Time, UTC-07:00) ( SharePoint | Tech )

If you have users who need to learn how to do things in SharePoint Portal Server 2003, you'll want to check out the new SPS 2003 Training Kit. The users can either see how to perform tasks, or they can do the steps themselves, while being guided through the processes.

"This training kit has been specifically designed to ensure that SharePoint Portal Server users can effectively use the capabilities of the product to better share information, collaborate with others and find relevant information and resources within their organization. The training has been developed keeping in mind the unique need of the beginners and advanced users with easy to understand content that can be accessed either as a self paced study guide or as a quick reference guide. Learn how to perform everyday tasks like collaborating on documents, setting up efficient meetings and searching for relevant information and resources."

Download Link:
http://www.microsoft.com/sharepoint/downloads/components/detail.asp?a=631


Friday, October 08, 2004 3:45:40 PM (Pacific Daylight Time, UTC-07:00) ( Geek Out | Humor )

Chris apparently really needs something to do - but it's good for us when he's having a slow day - this is freakin' hilarious...