Monday, June 27, 2005

I got a wild hair a week or two ago and picked up a Steel Battalion game and uber-controller on eBay.

Oh. My. God.

Wow...

This game - and its incredible game controller setup (detail here, image at right) - is pretty darned cool.

At lineofcontact.net, they essentially say that Steel Battalion and Steel Battalion: Line of Contact are both "daunting games to be a novice at, even for very experienced gamers." That's an understatement. 

Line of Contact is the XBOX Live multiplayer sequel to the original single-player game: "The level of complexity entailed in the game is on a par with PC based massively multiplayer role playing games, but with a challenging controller interface, live voice-based communication and a stiff penalty for inattentiveness (eject or lose your pilot)."

It's an awesome simulator game, where you "pilot" a futuristic vertical tank (VT - basically like in Mechwarrior) and the controller has (get this) something like 40 freakin' buttons, and they all actually work! Mastering this game will be nearly impossible. So sweet!

I hooked it all up this evening, and immediately failed to make the thing drive very well, so I focused instead on shooting the heck out of stuff. And since I did not eject in time, my player got completely wiped out. Yep - you have to eject if your VT gets shot up bad enough, in order to keep your player alive and available for the next round. Talk about simulators, heheh...

If you've never seen this game, especially if you like simulators, you should check it out any chance you get. Heck - Call me and drop by (if you happen to be in the Middle of Nowhere anytime soon), I'll let you play this one.

It's a great addition to my pile of Microsoft XBOX stuff.



Tech | Random Stuff | Geek Out
Monday, June 27, 2005 8:20:19 PM (Pacific Standard Time, UTC-08:00)
 Saturday, June 25, 2005

Uh oh – GoogleFight is something I’d already forgotten about, somehow… http://www.googlefight.com

Someone make it stop. Three of us here are running battles to see who wins, Greg Hughes or Brandon Watts? Matt Hartley or Brandon Watts? (by the way, Matt’s blog here and Brandon’s blog here) Hmmm…

More fights:

Heh…



Geek Out | Humor | Random Stuff
Saturday, June 25, 2005 3:04:56 PM (Pacific Standard Time, UTC-08:00)

What is WeatherBug? As a piece of software, it puts the weather on your desktop. It’s live, updating every two seconds. NOAA doesn’t do this – they update every 15 minutes at best. As a company and a bunch of people, here is how they describe themselves:

“WeatherBug is the ultimate geek-ified company. We are about creating cool and fun technology, teaching children, and saving lives.”

RSS weather feeds accessible by ZIP code will be available in July – that will be cool. They will also be shipping WeatherBug for the Mac.

Controversy – because what would a good conference be without it? Lots of discussion here at Gnomedex about the presentation in which this company is being highlighted. About how WeatherBug used to have spy/adware, but that was a long time ago, and now it doesn’t – Seriously. It doesn’t. Also, the fact that I am writing about their product at all (actually I am mostly interested in the 2–second differentiator) is exactly what some people are complaining about here, because Steve Rubel (according to some of the crowd) used this presentation as a vehicle to do PR for one of his clients. So what. Decent example of PR, short time to fill, interesting info.

Whatever. Heh. I still like the every-two-second data update thing. That’s sweet.



GnomeDex | RSS Stuff | Tech
Saturday, June 25, 2005 2:05:43 PM (Pacific Standard Time, UTC-08:00)

If you live around Portland, Oregon or somewhere kinda-sorta nearby so you can get here, and if you're interested in coding, put the PDX Code Camp event on your calendar. It's free, but you need to register so they can plan for you to be there.

What is Code Camp?

Code Camp is a new type of community event where developers talk with—and learn from—fellow developers. All are welcome to attend and speak. Code Camps have been wildly successful, and we’re going to bring that success to Portland.

An original Code Camp organizer, Thom Robbins, wrote a six-point manifesto: Code Camps are (1) by and for the developer community; (2) always free; (3) community developed material; (4) no fluff – only code; (5) community ownership; and (6) never occur during working hours.

What can I expect at the Portland Code Camp?

Two full days of talking about code with fellow developers, on the scenic Reed College campus. Sessions will range from informal “chalk talks” to presentations. There will be a mix of presenters, some experienced folks, for some it may be their first opportunity to speak in public. And we are expecting to see people from throughout the Pacific Northwest region.

To create a little structure, we’ve proposed a variety of one- and two-day tracks including Hobbyists, Mobile and Tablet PC, Architecture and Patterns, Databases, Web Development, Client Development, Games Development, Tools, Methodology, XML and Web, and “Alternative Lifestyles” (Ruby on Rails, Python, Squeak, etc.)

Watch this site for more details and schedule as we firm things up.



Geek Out | Tech
Saturday, June 25, 2005 1:18:14 PM (Pacific Standard Time, UTC-08:00)

Microsoft's released a new build of their Microsoft Antispyware beta software. Several improvements are included. The expiration date for the beta software is also extended through the end of the year. Download here.

From the MS web site description:

In this second beta refresh (Build 1.0.614), we’ve made other enhancements to the detection and removal capabilities, including improved Winsock LSP removal capabilities and support for long descriptions of categorized software. In addition, we have also extended the Windows AntiSpyware beta expiration date to December 31, 2005.

Existing users of the beta (Builds 1.0.501 and 1.0.509) will receive a software update that extends the expiration date and includes the enhancements to the detection and removal capabilities. The second beta refresh is also available for download through this site.



IT Security | Tech
Saturday, June 25, 2005 12:53:38 PM (Pacific Standard Time, UTC-08:00)

Microsoft’s announcement yesterday about support for RSS built into Longhorn has been followed up with the posting of the actual specification.

Overview

The Simple List Extensions are designed as extensions to existing feed formats to make exposing ordered lists of items easier and more accessible to users.

The term “list,” as used in this document describes an ordered collection of items with similar properties. For example, a photo album may be described as a “list of photos.”

And it’s licensed under a Creative Commons Attribution-ShareAlike License, which is cool.



GnomeDex | RSS Stuff | Tech
Saturday, June 25, 2005 11:06:34 AM (Pacific Standard Time, UTC-08:00)

Phillip Torrone (often known simply as “pt”) is a geek’s geek. He’s been showing various hacks and stuff between presentations here at the Gnomedex conference.

This guy could do a conference on his own if he wanted to. He’s funny, likable and has lots of fun ideas. I like the hands-on kind of things, the practical stuff. Not that all of it’s actually practical or anything, but even if it’s just goofing around, it’s nifty.

He’s done a few 15–minute demos showing all the stuff you can do with a hacked Playstation Portable. He showed how you can modify an eBook reader with new firmware to break the bad DRM they put on it back in the day, so it can be a usable device today. He even has an old-skoool analog phone (with a mechanical bell and all) that has GSM phone guts built in, and there’s more to come.

But hey – you don’t have to be here to see this cool stuff. You can see pt’s stuff in/on Make: magazine (an O’Reilly thing), and there’s a Make:blog site, as well. I am subscribed to both. Highly recommended. If pt is publishing, it’s cool and fun. You should go there.

Check it out: [Magazine (subscribe) | Podcast | Blog]



Geek Out | GnomeDex | Tech
Saturday, June 25, 2005 10:44:14 AM (Pacific Standard Time, UTC-08:00)
 Friday, June 24, 2005
Dean Hachamovitch of Microsoft is presenting here right now. They are showing Internet Explorer 7 for the first time in public.

Longhorn <3 RSS. They are betting big on RSS. Throughout Windows, RSS is there. For end users as well as developers. They've done some extensions.

Syndication is powerful and amazing, Dean says. Microsoft has figured that out. Nowadays RSS feeds are everywhere. Microsoft is working to get on the train.

First "Browse," then "Search." Now, "Subscribe."

On Build 5087 of Longhorn, first IE7 public view. If there's a feed on a page, IE7 lets you click an orange button to preview the feed, and then you can parse through it for content using search.

One button is used to either bookmark a page or subscribe to a feed - depends on the context of what you're viewing.

Search RSS results in MSN search. Nice.

By the way, this build of IE7 is nice and clean. Not too shiny. But IE7 is a bit of an aside in this presentation - it's all about the RSS extensions.

Common feed lists: Sync your aggregator's feed list with the system list.

Platform: Goal is to take care of a lot of the complexity in the platform to simplify it for both the developer and the end user.

RSS extended - calendars. For each event, create an item and enclose an iCalendar item (.ics file). Subscribe and you've got a calendar set up in Outlook that you can view side-by-side. The idea here is to provide a common feed list at the platform level, making every application aware of it and capable of consuming it. Apps can understand and deal with RSS feeds. ICS files are understood universally by calendaring apps - it's not just for Outlook.

Another example: Photoblogs. Provide the platform plumbing to allow consumption of the content - title, text, image enclosure. They made a screen saver slide show using this, which captions each image in a rotation. The platform handles things like handling the network traffic, parsing and subscribing.

Lists: Microsoft's approach to lists is one where I have different types of lists where the list type has class-a meaning. Extensions to RSS allow a publisher to define a feed specifically as a list, and to describe the data in that feed.

Example: Wish list at an online store. Amazon wish lists with RSS feeds. I want to subscribe to it. If I do that, and the list changes (like the list owner removes items, re-orders them, etc), RSS today can't handle that. The new extension (one tag) allows the needed functionality.

Using namespace extensions you can add metadata (like EXIF, book info, etc). But how do you know what to do with that new data once you have it?

If a content publisher declares certain item types appear in a list, I should be able to filter and sort on certain data. Simple controls allow the web service to define how the data is experienced. This is a little hard to understand, until you realize all the content manipulation is all on the client, and you can munge the list any way you want as a developer.

I think it's obvious how this will work into, say, SharePoint. That will be cool.

And the Simple List Extensions specification, which extends RSS 2.0, will be open and licensed under a Creative Commons license. Anyone can use it anywhere. Nice.

http://blogs.msdn.com/ie/ for more, and today at noon the spec will be available to view.

Code will be in developers' hands at PDC 2005.


Friday, June 24, 2005 10:23:13 AM (Pacific Standard Time, UTC-08:00)
 Thursday, June 23, 2005

I have a dog that's such a spaz he can't even remember how to play fetch. I have a cat that apparently thinks she's a dog. She plays fetch incessantly with this stupid play mouse. I throw it, she runs, she gets it, she brings it back, drops it in front of me, and stares at me til I throw it again. She gets all upset if I don't.

Wash. Rinse. Repeat. It never stops.

What a weirdo.



Random Stuff
Thursday, June 23, 2005 6:39:50 AM (Pacific Standard Time, UTC-08:00)
 Tuesday, June 21, 2005

I don't actually know Lee, but hey - he's going to Gnomedex, lives in Seattle, and he's throwing a party at his place on Thursday afternoon before it starts. He invited the entire Intarweb, so he must be cool. Just doing my part in viral marketing. 

Should be interesting. Eric seems to think so, too. Heh...



GnomeDex
Tuesday, June 21, 2005 9:43:39 PM (Pacific Standard Time, UTC-08:00)

I'll be heading up to Seattle on Thursday (one of my favorite cities and a quick 2.5 hour drive from my place) where I'll be catching up with all sorts of friends and people I have not seen for some time at Gnomedex 5.0, a confluence of geeks from around the world.

Email me if you'll be there and want to meet/catch up - greg@greghughes.net - or call me on my cell - 503-970-1753. I'm arriving Thursday afternoon at around 4 or so.

It's going to be quite a get-together this year - the schedule looks like the makings of a great show, and I hear there are some as-yet unannounced things that should gain some attention.

I'll be blogging some of the fun stuff that happens there. With so many interesting and cool people from so many interesting and cool places/companies, I'll have to fill this weblog up just to be able to remember it all when it's over with.

Interesting Gnomedex link of the day: Podcasting ROBOT to be released at Gnomedex

Heh. Cool if real, funny even if not.



Geek Out | GnomeDex | Random Stuff
Tuesday, June 21, 2005 8:57:35 PM (Pacific Standard Time, UTC-08:00)

MSN Local is live, and it's interesting: http://search.msn.com/local

The MapPoint visuals are pretty much what you'd expect, and the satellite imagery, at least in the area where I live, is not as good as Google Maps (not even close). Looking forward to more from Virtual Earth later this year.

In other news, a comparison of Technorati, Google and Yahoo! Search. (via Jeremy Zawodny)



Tech
Tuesday, June 21, 2005 6:33:00 AM (Pacific Standard Time, UTC-08:00)
 Sunday, June 19, 2005

My friend and coworker Scott Hanselman has updated his Ultimate Developer and Power User Tools List for 2005. All techies and geeks (especially developers) should check it out:

http://www.hanselman.com/blog/ScottHanselmans2005UltimateDeveloperAndPowerUsersToolList.aspx

Scott's list is close to famous, and for good reason. He's quite the ultimate power user. I sometimes stand over his shoulder to watch him work (he tells me he's twice as productive when I watch, is that weird or what? Heh...), and so I get to see him use all these tools in terrific ways now and then.

Head on over and see what I mean.

One of these days I am going to publish my list of IT and security tools. It is a completely different list, but still interesting and useful.

Hmmm... Anyone know of a good blog posting tool for the Blackberry that would interface MT/Blogger APIs using the GPRS connection? That would definitely make my list. Emailing this entry from a 737 (on the ground, so don't start with me) is cool, but a richer interface would be nice.



Tech
Sunday, June 19, 2005 8:44:53 PM (Pacific Standard Time, UTC-08:00)

I'm in the Bay Area, flew down here yesterday to surprise my dad for Fathers Day. Yes, it worked - he was suspicious I think, but he was surprised.

I've had calls today from a number of my "other" kids, and that's truly made my day. I'm lucky to have all these great people in my life. I'm not worthy. But I'm grateful.

Oh, and here are some links for dads and their kids, for your amusement and entertainment. Dads, use these to amaze your kids - they'll make you a "cool" dad, for sure.



Personal Stories | Random Stuff
Sunday, June 19, 2005 4:07:07 PM (Pacific Standard Time, UTC-08:00)

Gnomedex starts this Thursday evening in Seattle, and it promises to be a great time. Chris and Ponzi are wearing themselves thin getting ready. Lots of cool stuff planned.

Big announcements and a confluence of super-smart people. Gonna be a good one. Definitely not a snorer...

Be there and be square, as they say.



GnomeDex | Random Stuff | Tech
Sunday, June 19, 2005 10:22:37 AM (Pacific Standard Time, UTC-08:00)
 Saturday, June 18, 2005

Darn it all! I'm wishing I was in Ohio this weekend. Why? Because this weekend is the Duct Tape Festival and it's taking place in Avon, Ohio.

Everything duct tape. I mean, what could be better than that???

Check it out at http://www.ducttapefestival.com



Geek Out | Random Stuff
Saturday, June 18, 2005 6:14:29 PM (Pacific Standard Time, UTC-08:00)
 Friday, June 17, 2005

Berry 411 is a cool Charityware app you run on your Blackberry handheld. I've been using it for a short time, and it's already super-useful.

Berry 411 installs an icon on your start page that gives you quick access to yellow pages, white pages, Google, movie times, weather, encyclopedia, and Froogle results.

You can dial any phone number directly from the display or add it to your phone book. The results are formatted to fit the Blackberry screen.

Skip the web browser and clunking around entering addresses to find information - this is a power tool for anyone with a Blackberry. Not sure how I missed this one over the past few months, but sure am glad I found it.

Phillip Bogle (blog), the author of Berry 411, has some other useful apps available for download, too. I'll need to see if Scott knows about AddToPath. And BerryBloglines is cool.

What you can do with Berry 411:

To find something, type what you are looking for and click the trackwheel. You can select from the following types of searches:

  • Yellow Pages let you find local businesses by name or category.
  • White pages searches residential listings.
  • Google searches Google, with results conveniently formatted for the Blackberry.
  • Encyclopedia searches reference information at mobile answers.com.
  • Movies displays local movie times. Enter the name
  • Weather displays the local weather forecast.
  • Shopping displays Froogle shopping results. Eventually I will add online reviews and local shopping results where available.


Mobile | Tech
Friday, June 17, 2005 12:46:45 PM (Pacific Standard Time, UTC-08:00)
 Wednesday, June 15, 2005

My coworker Jeff (gotblog?) sent me an email this morning pointing out that Microsoft has released its WinXP add-in that lets you view and work with RAW images right in the OS as a natively viewable format.

"The Microsoft RAW Image Thumbnailer and Viewer is a free "PowerToy" for Microsoft Windows XP that provides the ability to view, organize, and print photos captured in RAW image formats from supported digital cameras."

Download here (47.7MB file)

And don't miss this related whitepaper if you're interested in working with RAW photos in Windows:

Whitepaper: Viewing and Organizing RAW Images in Windows XP



Tech
Wednesday, June 15, 2005 6:47:25 AM (Pacific Standard Time, UTC-08:00)
 Sunday, June 12, 2005

You've seen it before, over and over and over again: PowerPoint presentations that contain practically every word pouring out of the presenter's mouth, slides that digitally drone on and on and on and...

PowerPoint, when used well, can be a useful, powerful (hmmm) and productive tool. But more often than not, it's a bane of our existence, putting us to sleep with completely forgettable blocks of useless text and gratuitous effects.

I have seen PowerPoint used as that proverbial, metaphorical screwdriver, where the proper tool would instead be a hammer. I've seen attempts at web-site designs done in PowerPoint (by the way - that still doesn't work people). I've seen it used over and over - by a wide variety of people trying desperately (and with good intentions, I am sure) to create something outside their area of expertise - using it to do things for which it simply was never intended.

But even when PowerPoint is used for what it was meant for - creating slides for presentations - it can be painful to see how people use it. It's a software tool and requires some level of technical understanding to be sure, but technical expertise in using the program is not the most important part of the job.

PowerPoint has become a crutch, and more often than not it's damaging the patient. It's the loaded gun in the hands of the untrained shooter. It's the '79 Cadillac being driven by the nine-year-old who learned by watching mommy.

Kathy Sierra gets this. She understands, and she wrote about it to try (I assume) to make a difference in how it's used in the world. If you use PowerPoint, regardless of your expertise or years of experience, you should read her post and take it to heart.

I've also been reading Cliff Atkinson's new book, "Beyond Bullet Points," and it's a great book for learning how to put together effective presentations "that inform, motivate and inspire." Recommended.

PowerPoint's a great program, to be sure. But it's only a good tool when put in the hands of someone who knows how and when to apply it. Kathy's post should be mandatory training. We license drivers... Maybe we should come up with a test and a license for PowerPoint users?



Random Stuff | Tech | Things that Suck
Sunday, June 12, 2005 12:51:24 PM (Pacific Standard Time, UTC-08:00)


Marshall Brain, creator of How Stuff Works and other successful ventures, presented to a group of college students recently on the topic "How to Make a Million Dollars." He received a number of requests to provide the presentation afterward, so he published the slides and typed up the presentation online.

And it's quite good. He distills the options down to the stuff that matters, and as usual his style helps to carry the message. Click the image to get his presentation.

[via Jeremy Zawodny]



Sunday, June 12, 2005 5:55:29 AM (Pacific Standard Time, UTC-08:00)
 Saturday, June 11, 2005

More and more as time goes on I am asked about how to securely configure and use computing systems, whether they be Internet sites, online financial services, wireless networks, home and business computers, physical homes and businesses, or what have you. Since my role in that area has not changed too much, I have to assume the uptick in questions comes as a result of a desire by people to get more secure, which is a good thing.

Someone named Jim wrote me the other day and asked about my philosophy on passwords. I get this specific question often enough, I thought I would write about it here:

Hi Greg,
I posted a question on the PCWorld forum and your name came up regarding my question.  My issue was regarding passwords.  I am a Realtor and our main access to the MLS is starting to require password changes monthly.  This is not that difficult but along with all the other passwords I have to use each day it is getting to be a bit of a headache and I think it's time that I get my act together once and for all and get passwords under control.  I asked for opinions on software and also philosophy.  I'd like to hear your opinion.  Thanks and I'm looking forward to reading your response.

Preamble

My name is Greg, and I am an IT and security professional. It's been more than six months since I last created a traditional password. They say it's a disease, and so I am here to share my experience, strength and hope so that you, too, might recover from the ravages of insecure computing and inadequate safeguarding of information.

Or something like that. Ok, now let's get serious. I'll share what I do as well as one computer program that I have found can help.

Philosophy

My password philosophy varies based on the system in question, to be perfectly honest. I use passphrases as much as possible, meaning passwords in the form of natural sentences or phrases including things like spaces, normal capitalization and punctuation. That makes them easy to remember, yet tends to keep them complex enough to meet stringent security requirements.

As a general rule, passwords or passphrases should be at least 8 characters in length, preferably longer (I tend to go with 13 or more characters, and you're going to see how easy that can be in a minute). They should also always include at least three of the following four characteristics:

  • Upper-case alpha characters (A-Z)
  • Lower-case alpha characters (a-z)
  • Numeric characters (0-9)
  • Punctuation or other special characters (!@#$%&(*?>< etc.)

In addition, the rotation period for expiring passwords in a secure environment should be no less than every 60 days, and preferably less. Using too frequent of a rotation tends to result in self-defeating problems with the whole process: People who have to change their passwords every 15 or 30 days, for example, have a tendency to write them down and stick them in their wallets, or to use less-than-secure passwords. That's bad.

Another common problem is passwords expiring at inopportune times. I expire passwords in intervals of 7 days. Why? Simple - If you set passwords to expire say every 42 days, someone whose password expires on a Monday will always expire on a Monday, which avoids the problems of expirations falling on weekends or other difficulty days.

I think you'll find that most experts will agree with the above recommendations.

Maintaining passwords and passphrases securely - helpful software

Switching gears to management and storage of multiple passwords for various systems, one simple rule that should be obvious is often set aside, but should always be followed: Do not use the same password in multiple places or systems unless the system is built to support doing so for you. Great, you think... How am I supposed to manage that many passwords, especially if I am always moving around and use more than one computer, or if I use a laptop? Well there are several tools and methodologies that can help.

RoboForm is a software passkey management program that's grown up quite a bit over the past few years. It not only secures and stores passwords, it even fills out logon forms for you. Last year they created and started testing a version that installs on a USB key called RoboForm Portable, or Pass2Go. It's surprisingly not well-known, but it works pretty well. Your passwords are secured on a USB key with Triple-DES encryption. So for most all purposes (maybe not national security secrets, but hey you know what I mean) it's quite secure, and you can install it right on the USB key/drive and run it from there (you can even put the portable version of Firefox on there if you want and tie them together). Using the USB drive to run the RoboForm Portable program means nothing has to be installed on the client computer. If you lose it, it's encrypted and locked with your master password. Note, too, that there are RoboForm add-ons not just for USB keys, but also for Palm and Windows Mobile devices. So you get to choose, and all of them beat the proverbial Post-It note for security and convenience.

But none of that matters if you can't solve the real problem

But the real problem with passwords is that people forget them all the time, so they do things like use the same password everywhere, or they write them down somewhere and don't secure them, not to mention the fact they can't remember them. You end up with either an insecure system or a help desk that's dying just trying to unlock accounts and administratively change passwords. That's no good.

The fact of the matter is that the simplest way to remember passwords is to use ones that you can naturally relate to. Just as important, they need to be complex and secret enough to be sufficiently secure. This can be done. For example, I have a cat named Cleo. So, I might think about using passwords and passphrases like:

Cle0IsMyKat!
Cleo is my Cat!
cleoizmykittykat
Cleo get off the freaking furniture darnit!

You get the idea. Now, since these passwords and passphrases are often set to expire frequently and I don't want to forget them, I always try to think seasonally - incorporating things that are happening in my life at the time. When creating a new passphrase, I don't ask myself "What can I type that I will remember in ten minutes?" Instead, I think "What's happening in my life between now and the end of next month?" For example, if I had to create or change a passphrase or password right now, I might do something like:

Fireworks on July 4th are so cool...
Woah dude like check out the freakin fireworks dude!
FireworksOnJuly4thAreSoCool...
Woahdudethosefirew0rkzaresokool*
Pow bang boom! Oh wow did you see that?

Of course, I won't actually use anything like those, now that I have posted them here (hey trust me - people have done much stupider things). But by making a passphrase meaningful during its lifetime, I can remember it quite easily (Well, usually anyhow - it can take a little getting used to). By the time the next password-change rotation comes around, I'll just think of something else I can remind myself of for the next 30 or 45 days.

You're probably starting to get the idea of how passphrases work from the examples, and it's also probably becoming clear that I am a proponent of them. They're easy to remember and - this is important - easier to type than munged up words where you replace letters with numbers and convert everything to hacker-speak. They are also quite long and more complex. And more complex means more difficult to guess or randomly replicate, which means more secure. And on top of that, you can actually remember and accurately type it. Not a bad deal, really.

There's no perfect answer - some unthinking person with no concern for security will throw in a wrench

Note that not all systems where you can create passwords will let you use spaces in the password field, and some will even limit how many characters you can use.** So, sometimes you have to adjust the way you create your passwords and passphrases to work within arbitrary limits set by arbitrary (non-security-oriented) decision makers.

** Note to security departments everywhere: Get more involved in the app and interface design phases. Just because a DBA somewhere says my online banking password needs to be truncated at 8 characters to save disk drive space doesn't mean they're right. Security reviews need to happen at design time, and then as a part of every step along the way.
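The rules in this post (at least 8 characters, three of the four character classes, expiry intervals in multiples of 7 days, and back ends that truncate at 8 characters) can be checked mechanically. The Python below is an added example, not code from the original post; the function names and the choice to count a space as a "special" character are assumptions, and the sample phrases are the ones quoted above.

```python
import string
from datetime import date, timedelta

MIN_LENGTH = 8        # the post's floor; it prefers 13 or more characters
REQUIRED_CLASSES = 3  # "at least three of the following four characteristics"


def character_classes(secret):
    """Return which of the post's four character classes appear in secret."""
    classes = set()
    for ch in secret:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            # Assumption: a space counts as an "other special character".
            classes.add("special")
    return classes


def check_policy(secret, max_stored_length=None):
    """Check secret against the length rule and the three-of-four rule.

    max_stored_length models a back end that silently keeps only the first
    N characters, so the rules are applied to what is actually stored.
    """
    stored = secret if max_stored_length is None else secret[:max_stored_length]
    classes = character_classes(stored)
    problems = []
    if len(stored) < MIN_LENGTH:
        problems.append(f"only {len(stored)} characters")
    if len(classes) < REQUIRED_CLASSES:
        problems.append(f"only {len(classes)} character class(es)")
    return {"stored": stored, "classes": sorted(classes),
            "ok": not problems, "problems": problems}


def failing(secrets, max_stored_length=None):
    """Return the secrets that do not satisfy the policy as stored."""
    return [s for s in secrets
            if not check_policy(s, max_stored_length)["ok"]]


def truncation_collisions(secrets, max_stored_length):
    """Group secrets that become the same stored value after truncation."""
    groups = {}
    for secret in secrets:
        groups.setdefault(secret[:max_stored_length], []).append(secret)
    return {stored: members for stored, members in groups.items()
            if len(members) > 1}


def weekend_expiries(first_expiry, interval_days, rotations):
    """Return the expiry dates that land on a Saturday or Sunday."""
    dates = [first_expiry + timedelta(days=interval_days * i)
             for i in range(rotations)]
    return [d for d in dates if d.weekday() >= 5]


# Sample phrases quoted from the post (already public, so never reuse them).
SAMPLES = [
    "Cle0IsMyKat!",
    "Cleo is my Cat!",
    "cleoizmykittykat",
    "Cleo get off the freaking furniture darnit!",
    "Fireworks on July 4th are so cool...",
    "Woah dude like check out the freakin fireworks dude!",
    "FireworksOnJuly4thAreSoCool...",
    "Woahdudethosefirew0rkzaresokool*",
    "Pow bang boom! Oh wow did you see that?",
]

if __name__ == "__main__":
    print("Fail as typed:", failing(SAMPLES))
    print("Fail when stored as 8 chars:", failing(SAMPLES, 8))
    print("Identical after truncation:", truncation_collisions(SAMPLES, 8))
    monday = date(2005, 6, 13)  # a Monday
    print("42-day weekend expiries:", weekend_expiries(monday, 42, 4))
    print("45-day weekend expiries:", weekend_expiries(monday, 45, 4))
```

A long all-lowercase phrase fails the three-of-four rule as written, and truncation to 8 characters turns two different fireworks phrases into the same stored value that no longer meets the rule.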

By the way, to go off on a bit of a tangent - Jim's original question illustrates exactly why a well-secured and well-designed unified authentication system can be so valuable, where it makes sense. For consumers, that means something akin to Passport or one of the unified authentication systems out there. In a business computing environment it more often means using something like a Windows domain or Novell directory to have a single set of credentials that you can protect, but which will allow you to access multiple systems. To provide additional security, you don't necessarily want to break an authentication system up and require multiple passwords, because then you're defeating the whole purpose of the unified system. Instead, you might start adding additional factors of authentication to those specific systems where you need extra authentication or authorization protection (RSA SecurID is one great example of how to add another strong factor of strong authentication in an environment where security is very closely managed).

But Dr. Johansson's the one who's really got it covered...

For more information in the philosophy department, I'd point you at Jesper M. Johansson's work on passwords vs. passphrases:

The Great Debate: Pass Phrases vs. Passwords

  • Part One - covers the fundamentals of passwords and pass phrases, how they are stored, and so on
  • Part Two - discusses the relative strength of each type of password, and uses some mathematical approaches for illustration
  • Part Three - offers some conclusions and guidance on how to choose passwords and configure a password policy

I've rambled a bit, but I hope that helps. I have a lot more to write on the subject of authentication security, but that will have to wait for another time.



Add/Read: Comments [0]
IT Security | Safe Computing | Tech
Saturday, June 11, 2005 9:56:24 AM (Pacific Standard Time, UTC-08:00)
#  
 Friday, June 10, 2005

A new beta version of Technorati - the web-based service that "brings you what’s happening on the web right now" - is available at http://beta.technorati.com/, and it looks darn nice. I like the new look and user interface (the search "options" feature is great for new users), and it seems to work quite well. You can learn what's new on the Technorati beta weblog.

Support for tags, more search options, personalization and watchlists are some of the new functionality in the beta version.

Technorati is currently tracking 11.1 million sites and 1.1 billion links. That's a lot. Tons of information to be had, and now it's easier than ever to do.



Add/Read: Comments [0]
Blogging
Friday, June 10, 2005 4:43:25 PM (Pacific Standard Time, UTC-08:00)
#  

An email list I am subscribed to had a quick thread that pointed to a conversation about FeedDemon and the fact that a user didn't want to use IE as the default embedded browser inside of FeedDemon. That's fine, but the problem is that someone suggested he actually abandon his favorite RSS reader (meaning FeedDemon) and try another one.

The recommendation was (in my opinion) premature. Why? Because FeedDemon can in fact use the Mozilla engine as its embedded web browser, and you can find out how here.

And by the way - if there's something you wish was in FeedDemon for the future, Nick listens. Go to the FeedDemon forums and just ask.



Add/Read: Comments [0]
RSS Stuff | Tech
Friday, June 10, 2005 1:19:15 PM (Pacific Standard Time, UTC-08:00)
#  

There is an interesting post describing the exploitation of a weakness in MD5 via collisions, with a reproducible real-world example. The authors computationally found the collisions and were able to reliably and predictably produce two completely different PostScript documents with the identical MD5 checksum. Their use-case story revolves around maliciously capturing a digital signature and using it for something other than what it was intended for. In the story, the MD5 checksum is relied upon to validate the authenticity of a document. The researchers wanted to show how this flaw could possibly be used in the real world.

"Recently, the world of cryptographic hash functions has turned into a mess. A lot of researchers announced algorithms ("attacks") to find collisions for common hash functions such as MD5 and SHA-1 (see [B+, WFLY, WY, WYY-a, WYY-b]). For cryptographers, these results are exciting - but many so-called "practitioners" turned them down as "practically irrelevant". The point is that while it is possible to find colliding messages M and M', these messages appear to be more or less random - or rather, contain a random string of some fixed length (e.g., 1024 bit in the case of MD5). If you cannot exercise control over colliding messages, these collisions are theoretically interesting but harmless, right? In the past few weeks, we have met quite a few people who thought so.

"With this page, we want to demonstrate how badly wrong this kind of reasoning is! We hope to provide convincing evidence even for people without much technical or cryptographical background."

Once again, security by obscurity defeated. Interesting read and might make you think. If anyone has comments on their test or process, I'd be interested to hear.
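Why a collision matters for signatures, as an added example (not code from the original post or from the researchers): the signature covers only the digest, so a second document with the same digest verifies under the same signature. The 24-bit truncated MD5, the HMAC standing in for a digital signature, the key and the memo texts are all constructed assumptions chosen so the search finishes instantly; this does not reproduce the researchers' full-MD5 collision method.

```python
import hashlib
import hmac
from itertools import count

KEY = b"constructed-demo-key"  # constructed; stands in for the signer's private key


def weak_digest(data: bytes) -> bytes:
    """Toy hash: MD5 cut to 24 bits, so collisions are cheap to find."""
    return hashlib.md5(data).digest()[:3]


def strong_digest(data: bytes) -> bytes:
    """Full SHA-256, for which no practical collision search is known."""
    return hashlib.sha256(data).digest()


def sign(data: bytes, digest_fn) -> bytes:
    """Hash-then-sign: the tag covers only the digest, never the document bytes."""
    return hmac.new(KEY, digest_fn(data), hashlib.sha256).digest()


def verify(data: bytes, tag: bytes, digest_fn) -> bool:
    return hmac.compare_digest(sign(data, digest_fn), tag)


def colliding_pair(text_a: bytes, text_b: bytes, digest_fn, table_size: int = 1 << 13):
    """Append an ignorable trailer to each text until two variants share a digest."""
    seen = {}
    for i in range(table_size):
        doc = text_a + b"\n% pad " + str(i).encode()
        seen[digest_fn(doc)] = doc
    for j in count():
        doc = text_b + b"\n% pad " + str(j).encode()
        if digest_fn(doc) in seen:
            return seen[digest_fn(doc)], doc


def demo() -> dict:
    # Constructed sample documents with clearly different meanings.
    doc_a, doc_b = colliding_pair(b"Memo: meeting moved to Tuesday",
                                  b"Memo: meeting moved to Friday", weak_digest)
    weak_tag = sign(doc_a, weak_digest)      # the signer only ever saw doc_a
    strong_tag = sign(doc_a, strong_digest)
    return {
        "documents_differ": doc_a != doc_b,
        "weak_digests_equal": weak_digest(doc_a) == weak_digest(doc_b),
        "weak_tag_accepts_doc_b": verify(doc_b, weak_tag, weak_digest),
        "strong_tag_accepts_doc_a": verify(doc_a, strong_tag, strong_digest),
        "strong_tag_accepts_doc_b": verify(doc_b, strong_tag, strong_digest),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The tag issued for the first memo is accepted for the second one under the weak digest and rejected under SHA-256, which is the practical reason to move verification off a hash with known collisions.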



Add/Read: Comments [0]
IT Security | Tech
Friday, June 10, 2005 5:51:03 AM (Pacific Standard Time, UTC-08:00)
#  
 Thursday, June 09, 2005

For those with a tastefully colorful sense of humor, here's some tech news. It looks like a new MP3 player in the shape of a toy bear has been released...

Bear01

Controls are located on the little blue arms and on its head, but(t) what's the best thing about it? To sync with your PC, you just hook up to its USB rectum:

Bear02

Nice. Classic. Sure makes ya wonder, though. What were they thinking? Heh.

(via the Raw Feed)



Add/Read: Comments [1]
Humor | Random Stuff | Tech
Thursday, June 09, 2005 10:39:45 PM (Pacific Standard Time, UTC-08:00)
#  
 Tuesday, June 07, 2005

Microsoft has released their Windows Server Update Services (WSUS) product, which is a replacement for Software Update Services (SUS). The server solution acts as an in-house patch management and deployment solution for your networked Windows machines and core applications.

What's New in Windows Server Update Services:

  • More updates for Microsoft products, in more categories (Windows XP Professional, Windows 2000, Windows Server 2003, Microsoft Office XP, Office 2003, Microsoft SQL Server 2000, Microsoft SQL Server 2000 Desktop Engine [MSDE] 2000, and Microsoft Exchange Server 2003, with additional product support over time) 
  • Ability to automatically download updates from Microsoft Update by product and type
  • More language support for customers worldwide
  • Maximized bandwidth efficiency through Background Intelligent Transfer Service (BITS) 2.0 (BITS 2.0 is not installed by Update Services and is available on Microsoft Update)
  • Ability to target updates to specific computers and computer groups
  • Ability to verify that updates are suitable for each computer before installation—a feature that runs automatically for critical and security updates
  • Flexible deployment options
  • Reporting capabilities
  • Flexible database options
  • Data migration and import/export capabilities
  • Extensibility through the application programming interface (API)

This new release is ten-fold better than the old SUS product, and if you are responsible for deploying patches reliably and verifiably across your company, this is something you must at least try. It will save time, improve your controls, and generally help you sleep at night.

Oh - and it's free to download. Just install it on a Windows 2000 SP4 or Windows 2003 server - your existing CALs cover it.



Add/Read: Comments [0]
IT Security | Tech
Tuesday, June 07, 2005 3:20:54 PM (Pacific Standard Time, UTC-08:00)
#  

Too bad there's not a Windows Mobile device that truly rivals Blackberry's form-factor for durability and real-world practical power use (yet, that is) (in my humble opinion, that is), but I can continue to hold out hope for better PocketPC's now.

Why? Because the Windows Mobile OS (2005 version) will soon be getting a messaging security and feature pack update that will enable "push" technology for instant delivery of all your Exchange 2003 info (email, contacts, calendar, etc) to your Windows Mobile 2005 powered device. Exchange 2003 SP2 will enable the functionality on the server side.

So half my concerns about the PocketPC/SmartPhone editions of Windows Mobile will be alleviated - namely the always there, immediate delivery story.

Funny thing... I was having coffee with a Microsoft friend just the other day. He asked me why I was still using a Blackberry (common question from my Microsoft acquaintances), and I didn't have to say much. My first argument was the lack of real-time push.sync (which we both knew was coming on with the next Exchange update and the Mobile update). He agreed with me in one respect, though: RIM got the form-factor figured out when they built these Blackberry things - nailed it right on the head. RIM's keyboard rocks, plain and simple.

Good going for the Windows Mobile team. Lord knows that whole Blackberry Connect thing has never really panned out (it's supposedly Blackberry software that runs on the Windows Mobile OS, but it's really not materialized anywhere to speak of).

But about those devices running Windows Mobile... They need to be improved to really make them work and hold up. My idea? Simple. Microsoft doesn't make the hardware (they keep reminding us of this, and it's become more of an excuse than a reason over the past couple years, guys), but they do have some control and impact in that area. Microsoft should exercise some release management and licensing control over the hardware manufacturers - Perhaps they should specify some quality and usability requirements and license the OS first to those manufacturers that actually produce a better product that meets some stringent requirements for usability, reliability, durability, performance and battery efficiency.

Important message to all companies looking to do handheld QWERTY keyboards: You might want to consider where you're going to spend your "innovating" funds. You might be best served to simply pay RIM however much they ask to use their keyboard. Like, as in their actual keyboard, not some knock-off, lumpy chiclet version like on several of the Windows Mobile powered devices I have used in the past, or the river-rockish Treo keyboard (yuck). Just buy the technology from RIM - Theirs ain't broke, nothing to fix or improve.

At any rate, looks like the possibilities continue to change and grow, and Microsoft's made a good move here. Glad to see it's coming to pass.



Add/Read: Comments [0]
Mobile | Tech
Tuesday, June 07, 2005 5:52:28 AM (Pacific Standard Time, UTC-08:00)
#  

I was super busy all day yesterday, so I didn't get to update about the Tablet PC stuff that was announced by IBM. The news is everywhere, so I am just providing a few detail items that matter...

First of all - A link to the IBM/Lenovo PC Institute's webcast from Monday (which is available til the end of June). They spend a lot of time talking up TabletPC's in general (Tablet PC's for beginners), discuss what they saw in the Tablet PC market that people really wanted, and show off their new X41 model.

Too bad it's 1024x768 though. That's going to have to change at some point. But I can live with that, my Acer Tablet that I've been using for some time now is 1024x768... I like the resolution of the Toshiba (yes I have used that one as well), but not the screen image quality. We can still dream.

And finally, here are the two models that were given actual online catalog prices and remain listed on the IBM/Lenovo SKU list that I mentioned last week. And hey, what happened to the others that were on there, and where's the $1899 model everyone's quoting press releases on?

X41 TABLET PENT M LV 758 (1.5) 12 WAXGA 256 40GB BG XPT 8C
LENOVO 18662GU
$2,199.00
 
X41 TABLET PENT M LV 758 (1.5) 12 WAXGA 512 40GB BG XPT 8C
LENOVO 18666GU
$2,399.00



Add/Read: Comments [0]
Tablet PC | Tech
Tuesday, June 07, 2005 5:39:36 AM (Pacific Standard Time, UTC-08:00)
#  
 Sunday, June 05, 2005

Ok, time for a random pet-peeve post. I don't do these often, but I figure maybe I can change the whole world if I post this, so here goes:

People, listen up. If you learn only one grammatical/spelling/language rule this year, please make it this one... It will improve your sales figures, professional development, ability to earn promotions and recognition at work, and your general status in the community. Seriously.

Loose is a four-letter word.

Now, allow me to explain...

  • Loose = loos = adj/adv, meaning not tight, fastened, restrained, rigid, bound, etc.
  • Lose = looz = verb, meaning to fail in, or to fail to retain possession (opposite of win or find)

I can't even begin to tell you the number of emails, blog entries, letters, and even printed and online professional news articles (who's copy-editing these days anyhow?) I've read where members of the Hooked-on-Phonics generation (dat's Huhked-ahn-Fonikz fer yoo membrz) use the incorrect word in a variety of sentences.

Examples of improper use of "loose" in a sentence:

  • "Joe is such a looser. I can't believe that guy."
  • "If you don't try hard enough, you'll loose the game."

Examples of correct use of "loose" in a sentence:

  • "He's got a screw loose in his head."
  • "Your seatbelt is looser than mine."

I could also easily list a variety of colorful uses of both words in the same sentence - but I won't. Use your imagination and post a comment if you feel so inclined.

How have you seen these words (or others) completely butchered? Any funny examples?



Add/Read: Comments [4]
Random Stuff | Things that Suck
Sunday, June 05, 2005 2:59:44 PM (Pacific Standard Time, UTC-08:00)
#  

It became obvious last week that the IBM Tablet PC was most definitely real. Now it appears IBM/Lenovo will hold a webcast to introduce their X41 Tablet PC to the world, probably on Monday (possibly Tuesday since the URL includes 07June in the address?).

Lenovo/PC Institute: Complimentary Tablet Webcast
06 Jun
IBM Business Partners
Customers

Description: Be sure to tell your Business Partners and customers about this complimentary Webcast on the one-of-a-kind features of the new ThinkPad X41 Tablet!

This Webcast will feature:

  • A demonstration of ThinkPad X41 Tablet
  • The new Lenovo CEO and VP of Marketing explaining Tablet's importance in the marketplace
  • Microsoft, Dendrite and Siebel discussing Tablet OS and ISV strategy
  • Customers, including MIT and Harvard Medical School, as well as IBM’s Healthcare and Life Sciences GM, discussing Tablet's use in the public sector

Replay available through June 30, 2005.



Add/Read: Comments [0]
Tablet PC | Tech
Sunday, June 05, 2005 1:23:47 PM (Pacific Standard Time, UTC-08:00)
#  
 Saturday, June 04, 2005

eWeek says Microsoft will release a security roll-up for Windows 2000 this week. The roll-up package replaces Windows 2000 SP5, which was recently scrapped. You'll need to have SP4 already installed to apply the rollup. It will be available via Windows Update, SUS, et al.

It's scary how time flies... Windows 2000 is five years old now - wow... Speaking of which, mainstream support for Windows 2000 ends on June 30th, when the OS goes into "extended support" mode (which means you pay for support pretty much no matter what).

Information from Microsoft's web site to answer questions people have asked in email and elsewhere:

Windows 2000 Server and Windows 2000 Advanced Server support dates:

  • Mainstream Support ends June 30, 2005
  • Extended Support ends June 30, 2010

Mainstream support includes:

  • Incident support (no-charge incident support, paid incident support, support charged on an hourly basis, support for warranty claims)
  • Security update support
  • The ability to request non-security hotfixes

Extended support includes:

  • Paid support
  • Security update support at no additional cost
  • Non-security related hotfix support requires a separate Extended Hotfix Support contract to be purchased. Per-fix fees also apply.
  • Microsoft will not accept requests for warranty support, design changes, or new features during the Extended support phase.
  • Extended support is not available for Consumer, Hardware, Multimedia, and Business Solutions.

Complete Windows lifecycle dates are listed here. Other products also listed here.

Not running on Windows Server 2003 yet? Make the move now and you'll be glad you did - if you haven't tried it, you seriously don't know what you're missing. Not to mention the fact that most every substantial future network security enhancement from Microsoft will rely on the back-end of Windows Server 2003.

And for those still on NT4 - Your version expired long ago, and its replacement is entering the old folks' home. Time to get with the program and secure your little world.



Add/Read: Comments [1]
IT Security | Tech
Saturday, June 04, 2005 9:48:19 AM (Pacific Standard Time, UTC-08:00)
#  
 Friday, June 03, 2005

I use BlogJet to post nearly all my weblog entries - it's a great client-side application that connects to pretty much every blog package you can think of. So, you can write your blog posts locally, include and resize images, format to your heart's content, etc., and then post to your weblog software when you're ready. You can also edit your blog posts. I'm writing this post in BlogJet now - so this would be a BlogJet post about BlogJet.

It'll also record audio, check spelling, and insert "what's playing" info. It creates context menu items that allow you to "BlogJet This" and adds a web browser action button.

Anyhow, BlogJet is cool and awesome. You can get the v6.1 Beta 1 version here.

For complete BlogJet info, go to http://blogjet.com/

 



Add/Read: Comments [2]
Blogging | Tech
Friday, June 03, 2005 10:17:48 PM (Pacific Standard Time, UTC-08:00)
#  

Blogging is reaching new heights. While Scoble's blogging from the seat of an airliner with WiFi on a trip to Europe on his way to a geek dinner (sounds like fun), a group of 20 police officers and companion climbers are slowly but steadily audioblogging their way to the rugged summits of Denali in Alaska (20,320 feet) and Humphreys Peak in Arizona (12,634 feet).

Using a satellite phone in Alaska and mobile phones in Arizona, the officers are calling in to a special phone number at audioblog.com, which immediately posts their voice recordings to the Climbers' Weblog at copsontop.com.

Both teams will strive this weekend to summit the mountains as a memorial to honor the lives, service and sacrifices of police officers Eric White and Jason Wolfe, both of the Phoenix, Arizona Police Department. Officers White and Wolfe were killed in the line of duty on August 28, 2004, while searching for a suspect who had just shot another man in the chest.

The officers are members and representatives of Cops on Top, a non-profit organization of police officers and others who execute memorial expeditions to remember peace officers killed in the line of duty. The audioblogging technology enables the teams to document their progress in real time, and to reach the families and friends of those fallen officers who are honored on each expedition.



Add/Read: Comments [0]
AudioBlogging | Blogging | Helping Others | Tech
Friday, June 03, 2005 8:25:11 PM (Pacific Standard Time, UTC-08:00)
#  

From The Raw Feed - Apparently they've finally found a way to completely eliminate the Blue Screen of Death in Windows Longhorn:

Make it red.

Red

Now, why didn't someone think of that earlier?



Add/Read: Comments [1]
Humor | Random Stuff | Tech
Friday, June 03, 2005 3:58:40 PM (Pacific Standard Time, UTC-08:00)
#  
 Wednesday, June 01, 2005

Microsoft just announced that Office 12 files will all be XML-based.

XML: It's not just for InfoPath anymore... From Microsoft Watch:

The new Word, Excel and PowerPoint formats will be designated as .docx, .xlsx and .pptx , respectively. Microsoft is referring to the family of new formats as "Microsoft Office Open XML Formats."

Microsoft is committing to publish the forthcoming XML formats and make them available under the same royalty-free license under which the current Office 2003 file formats are. Licensees will be able to integrate these formats into their servers, applications and business processes "without financial consideration to Microsoft," according to the Redmond software vendor.

Awesome - this is big news, and while some will undoubtedly scoff, this is a great move in a good direction. Integration, integration, integration - EXCELLENT!



Add/Read: Comments [1]
Office 2003 | Tech
Wednesday, June 01, 2005 8:34:05 PM (Pacific Standard Time, UTC-08:00)
#