Monday, June 27, 2005

I got a wild hair a week or two ago and picked up a Steel Battalion game and uber-controller on eBay.

Oh. My. God.

Wow...

This game - and its incredible game controller setup (detail here, image at right) - is pretty darned cool.

At lineofcontact.net, they essentially say that Steel Battalion and Steel Battalion: Line of Contact are both "daunting games to be a novice at, even for very experienced gamers." That's an understatement. 

Line of Contact is the XBOX Live multiplayer sequel to the original single-player game: "The level of complexity entailed in the game is on a par with PC based massively multiplayer role playing games, but with a challenging controller interface, live voice-based communication and a stiff penalty for inattentiveness (eject or lose your pilot)."

It's an awesome simulator game, where you "pilot" a futuristic vertical tank (VT - basically like in Mechwarrior) and the controller has (get this) something like 40 freakin' buttons, and they all actually work! Mastering this game will be nearly impossible. So sweet!

I hooked it all up this evening, and immediately failed to make the thing drive very well, so I focused instead on shooting the heck out of stuff. And since I did not eject in time, my player got completely wiped out. Yep - you have to eject if your VT gets shot up bad enough, in order to keep your player alive and available for the next round. Talk about simulators, heheh...

If you've never seen this game, especially if you like simulators, you should check it out any chance you get. Heck - Call me and drop by (if you happen to be in the Middle of Nowhere anytime soon), I'll let you play this one.

It's a great addition to my pile of Microsoft XBOX stuff.



Tech | Random Stuff | Geek Out
Monday, June 27, 2005 9:20:19 PM (Pacific Daylight Time, UTC-07:00)
 Saturday, June 25, 2005

Uh oh – GoogleFight is something I’d already forgotten about, somehow… http://www.googlefight.com

Someone make it stop. Three of us here are running battles to see who wins: Greg Hughes or Brandon Watts? Matt Hartley or Brandon Watts? (By the way, Matt’s blog is here and Brandon’s blog is here.) Hmmm…

More fights:

Heh…



Geek Out | Humor | Random Stuff
Saturday, June 25, 2005 4:04:56 PM (Pacific Daylight Time, UTC-07:00)

What is WeatherBug? As a piece of software, it puts the weather on your desktop. It’s live, updating every two seconds. NOAA doesn’t do this – they update every 15 minutes at best. As a company and a bunch of people, here is how they describe themselves:

“WeatherBug is the ultimate geek-ified company. We are about creating cool and fun technology, teaching children, and saving lives.”

RSS weather feeds accessible by ZIP code will be available in July – that will be cool. They will also be shipping WeatherBug for the Mac.

Controversy – because what would a good conference be without it? Lots of discussion here at Gnomedex about the presentation in which this company is being highlighted. About how WeatherBug used to have spy/adware, but that was a long time ago, and now it doesn’t – Seriously. It doesn’t. Also, the fact that I am writing about their product at all (actually I am mostly interested in the 2–second differentiator) is exactly what some people are complaining about here, because Steve Rubel (according to some of the crowd) used this presentation as a vehicle to do PR for one of his clients. So what. Decent example of PR, short time to fill, interesting info.

Whatever. Heh. I still like the every-two-second data update thing. That’s sweet.



GnomeDex | RSS Stuff | Tech
Saturday, June 25, 2005 3:05:43 PM (Pacific Daylight Time, UTC-07:00)

If you live around Portland, Oregon or somewhere kinda-sorta nearby so you can get here, and if you're interested in coding, put the PDX Code Camp event on your calendar. It's free, but you need to register so they can plan for you to be there.

What is Code Camp?

Code Camp is a new type of community event where developers talk with—and learn from—fellow developers. All are welcome to attend and speak. Code Camps have been wildly successful, and we’re going to bring that success to Portland.

An original Code Camp organizer, Thom Robbins, wrote a six-point manifesto: Code Camps are (1) by and for the developer community; (2) always free; (3) community developed material; (4) no fluff – only code; (5) community ownership; and (6) never occur during working hours.

What can I expect at the Portland Code Camp?

Two full days of talking about code with fellow developers, on the scenic Reed College campus. Sessions will range from informal “chalk talks” to presentations. There will be a mix of presenters, some experienced folks, for some it may be their first opportunity to speak in public. And we are expecting to see people from throughout the Pacific Northwest region.

To create a little structure, we’ve proposed a variety of one- and two-day tracks including Hobbyists, Mobile and Tablet PC, Architecture and Patterns, Databases, Web Development, Client Development, Games Development, Tools, Methodology, XML and Web, and “Alternative Lifestyles” (Ruby on Rails, Python, Squeak, etc.)

Watch this site for more details and schedule as we firm things up.



Geek Out | Tech
Saturday, June 25, 2005 2:18:14 PM (Pacific Daylight Time, UTC-07:00)

Microsoft's released a new build of their Microsoft Antispyware beta software. Several improvements are included. The expiration date for the beta software is also extended through the end of the year. Download here.

From the MS web site description:

In this second beta refresh (Build 1.0.614), we’ve made other enhancements to the detection and removal capabilities, including improved Winsock LSP removal capabilities and support for long descriptions of categorized software. In addition, we have also extended the Windows AntiSpyware beta expiration date to December 31, 2005.

Existing users of the beta (Builds 1.0.501 and 1.0.509) will receive a software update that extends the expiration date and includes the enhancements to the detection and removal capabilities. The second beta refresh is also available for download through this site.



IT Security | Tech
Saturday, June 25, 2005 1:53:38 PM (Pacific Daylight Time, UTC-07:00)

Microsoft’s announcement yesterday about support for RSS built into Longhorn has been followed up with the posting of the actual specification.

Overview

The Simple List Extensions are designed as extensions to existing feed formats to make exposing ordered lists of items easier and more accessible to users.

The term “list,” as used in this document describes an ordered collection of items with similar properties. For example, a photo album may be described as a “list of photos.”

And it’s licensed under a Creative Commons Attribution-ShareAlike License, which is cool.



GnomeDex | RSS Stuff | Tech
Saturday, June 25, 2005 12:06:34 PM (Pacific Daylight Time, UTC-07:00)

Phillip Torrone (often known simply as “pt”) is a geek’s geek. He’s been showing various hacks and stuff between presentations here at the Gnomedex conference.

This guy could do a conference on his own if he wanted to. He’s funny, likable and has lots of fun ideas. I like the hands-on kind of things, the practical stuff. Not that all of it’s actually practical or anything, but even if it’s just goofing around, it’s nifty.

He’s done a few 15-minute demos showing all the stuff you can do with a hacked Playstation Portable. He showed how you can modify an eBook reader with new firmware to break the bad DRM they put on it back in the day, so it can be a usable device today. He even has an old-skool analog phone (with a mechanical bell and all) that has GSM phone guts built in, and there’s more to come.

But hey – you don’t have to be here to see this cool stuff. You can see pt’s stuff in/on Make: magazine (an O’Reilly thing), and there’s a Make:blog site, as well. I am subscribed to both. Highly recommended. If pt is publishing, it’s cool and fun. You should go there.

Check it out: [Magazine (subscribe) | Podcast | Blog]



Geek Out | GnomeDex | Tech
Saturday, June 25, 2005 11:44:14 AM (Pacific Daylight Time, UTC-07:00)
 Friday, June 24, 2005
Dean Hachamovitch of Microsoft is presenting here right now. They are showing Internet Explorer 7 for the first time in public.

Longhorn <3 RSS. They are betting big on RSS. Throughout Windows, RSS is there. For end users as well as developers. They've done some extensions.

Syndication is powerful and amazing, Dean says. Microsoft has figured that out. Nowadays RSS feeds are everywhere. Microsoft is working to get on the train.

First "Browse," then "Search." Now, "Subscribe."

On Build 5087 of Longhorn, first IE7 public view. If there's a feed on a page, IE7 lets you click an orange button to preview the feed, and then you can parse through it for content using search.

One button is used to either bookmark a page or subscribe to a feed - it depends on the context of what you're viewing.

Search RSS results in MSN search. Nice.

By the way, this build of IE7 is nice and clean. Not too shiny. But IE7 is a bit of an aside in this presentation - it's all about the RSS extensions.

Common feed lists: Sync your aggregator's feed list with the system list.

Platform: Goal is to take care of a lot of the complexity in the platform to simplify it for both the developer and the end user.

RSS extended - calendars. For each event, create an item and enclose an iCalendar item (.ics file). Subscribe and you've got a calendar set up in Outlook that you can view side-by-side. The idea here is to provide a common feed list at the platform level, and to make every application aware of it and capable of consuming it. Apps can understand and deal with RSS feeds. ICS files are understood universally by calendaring apps - it's not just for Outlook.

Another example: Photoblogs. Provide the platform plumbing to allow consumption of the content - title, text, image enclosure. They made a screen saver slide show using this, which captions each image in a rotation. The platform handles things like the network traffic, parsing and subscribing.

Lists: Microsoft's approach to lists is one where there are different types of lists, and the list type itself carries meaning. Extensions to RSS allow a publisher to define a feed specifically as a list, and to describe the data in that feed.

Example: Wish list at an online store. Amazon wish lists with RSS feeds. I want to subscribe to it. If I do that, and the list changes (like the list owner removes items, re-orders them, etc.), RSS today can't handle that. The new extension (one tag) allows the needed functionality.

Using namespace extensions you can add metadata (like EXIF, book info, etc). But how do you know what to do with that new data once you have it?

If a content publisher declares that certain item types appear in a list, I should be able to filter and sort on certain data. Simple controls allow the web service to define how the data is experienced. This is a little hard to understand, until you realize that all the content manipulation is on the client, and you can munge the list any way you want as a developer.

I think it's obvious how this will work into, say, SharePoint. That will be cool.

And the Simple List Extensions specification, which extends RSS 2.0, will be open and licensed under a Creative Commons license. Anyone can use it anywhere. Nice.

http://blogs.msdn.com/ie/ for more, and today at noon the spec will be available to view.

Code will be in developers' hands at PDC 2005.


Friday, June 24, 2005 11:23:13 AM (Pacific Daylight Time, UTC-07:00)
 Thursday, June 23, 2005

I have a dog that's such a spaz he can't even remember how to play fetch. I have a cat that apparently thinks she's a dog. She plays fetch incessantly with this stupid play mouse. I throw it, she runs, she gets it, she brings it back, drops it in front of me, and stares at me 'til I throw it again. She gets all upset if I don't.

Wash. Rinse. Repeat. It never stops.

What a weirdo.



Random Stuff
Thursday, June 23, 2005 7:39:50 AM (Pacific Daylight Time, UTC-07:00)
 Tuesday, June 21, 2005

I don't actually know Lee, but hey - he's going to Gnomedex, lives in Seattle, and he's throwing a party at his place on Thursday afternoon before it starts. He invited the entire Intarweb, so he must be cool. Just doing my part in viral marketing. 

Should be interesting. Eric seems to think so, too. Heh...



GnomeDex
Tuesday, June 21, 2005 10:43:39 PM (Pacific Daylight Time, UTC-07:00)

I'll be heading up to Seattle on Thursday (one of my favorite cities and a quick 2.5 hour drive from my place) where I'll be catching up with all sorts of friends and people I have not seen for some time at Gnomedex 5.0, a confluence of geeks from around the world.

Email me if you'll be there and want to meet/catch up - greg@greghughes.net - or call me on my cell - 503-970-1753. I'm arriving Thursday afternoon at around 4 or so.

It's going to be quite a get-together this year - the schedule looks like the makings of a great show, and I hear there are some as-yet unannounced things that should gain some attention.

I'll be blogging some of the fun stuff that happens there. With so many interesting and cool people from so many interesting and cool places/companies, I'll have to fill this weblog up just to be able to remember it all when it's over with.

Interesting Gnomedex link of the day: Podcasting ROBOT to be released at Gnomedex

Heh. Cool if real, funny even if not.



Geek Out | GnomeDex | Random Stuff
Tuesday, June 21, 2005 9:57:35 PM (Pacific Daylight Time, UTC-07:00)

MSN Local is live, and it's interesting: http://search.msn.com/local

The MapPoint visuals are pretty much what you'd expect, and the satellite imagery, at least in the area where I live, is not as good as Google Maps (not even close). Looking forward to more from Virtual Earth later this year.

In other news, a comparison of Technorati, Google and Yahoo! Search. (via Jeremy Zawodny)



Tech
Tuesday, June 21, 2005 7:33:00 AM (Pacific Daylight Time, UTC-07:00)
 Sunday, June 19, 2005

My friend and coworker Scott Hanselman has updated his Ultimate Developer and Power User Tools List for 2005. All techies and geeks (especially developers) should check it out:

http://www.hanselman.com/blog/ScottHanselmans2005UltimateDeveloperAndPowerUsersToolList.aspx

Scott's list is close to famous, and for good reason. He's quite the ultimate power user. I sometimes stand over his shoulder to watch him work (he tells me he's twice as productive when I watch, is that weird or what? Heh...), and so I get to see him use all these tools in terrific ways now and then.

Head on over and see what I mean.

One of these days I am going to publish my list of IT and security tools. It is a completely different list, but still interesting and useful.

Hmmm... Anyone know of a good blog posting tool for the Blackberry that would interface with the MT/Blogger APIs using the GPRS connection? That would definitely make my list. Emailing this entry from a 737 (on the ground, so don't start with me) is cool, but a richer interface would be nice.



Tech
Sunday, June 19, 2005 9:44:53 PM (Pacific Daylight Time, UTC-07:00)

I'm in the Bay Area, flew down here yesterday to surprise my dad for Father's Day. Yes, it worked - he was suspicious I think, but he was surprised.

I've had calls today from a number of my "other" kids, and that's truly made my day. I'm lucky to have all these great people in my life. I'm not worthy. But I'm grateful.

Oh, and here are some links for dads and their kids, for your amusement and entertainment. Dads, use these to amaze your kids - they'll make you a "cool" dad, for sure.



Personal Stories | Random Stuff
Sunday, June 19, 2005 5:07:07 PM (Pacific Daylight Time, UTC-07:00)

Gnomedex starts this Thursday evening in Seattle, and it promises to be a great time. Chris and Ponzi are wearing themselves thin getting ready. Lots of cool stuff planned.

Big announcements and a confluence of super-smart people. Gonna be a good one. Definitely not a snorer...

Be there and be square, as they say.



GnomeDex | Random Stuff | Tech
Sunday, June 19, 2005 11:22:37 AM (Pacific Daylight Time, UTC-07:00)
 Saturday, June 18, 2005

Darn it all! I'm wishing I was in Ohio this weekend. Why? Because this weekend is the Duct Tape Festival and it's taking place in Avon, Ohio.

Everything duct tape. I mean, what could be better than that???

Check it out at http://www.ducttapefestival.com



Geek Out | Random Stuff
Saturday, June 18, 2005 7:14:29 PM (Pacific Daylight Time, UTC-07:00)
 Friday, June 17, 2005

Berry 411 is a cool Charityware app you run on your Blackberry handheld. I've been using it for a short time, and it's already super-useful.

Berry 411 installs an icon on your start page that gives you quick access to yellow pages, white pages, Google, movie times, weather, encyclopedia, and Froogle results.

You can dial any phone number directly from the display or add it to your phone book. The results are formatted to fit the Blackberry screen.

Skip the web browser and clunking around entering addresses to find information - this is a power tool for anyone with a Blackberry. Not sure how I missed this one over the past few months, but sure am glad I found it.

Phillip Bogle (blog), the author of Berry 411, has some other useful apps available for download, too. I'll need to see if Scott knows about AddToPath. And BerryBloglines is cool.

What you can do with Berry 411:

To find something, type what you are looking for and click the trackwheel. You can select from the following types of searches:

  • Yellow Pages let you find local businesses by name or category.
  • White pages searches residential listings.
  • Google searches Google, with results conveniently formatted for the Blackberry.
  • Encyclopedia searches reference information at mobile answers.com.
  • Movies displays local movie times. Enter the name
  • Weather displays the local weather forecast.
  • Shopping displays Froogle shopping results. Eventually I will add online reviews and local shopping results where available.


Mobile | Tech
Friday, June 17, 2005 1:46:45 PM (Pacific Daylight Time, UTC-07:00)
 Wednesday, June 15, 2005

My coworker Jeff (gotblog?) sent me an email this morning pointing out that Microsoft has released its WinXP add-in that lets you view and work with RAW images right in the OS as a natively viewable format.

"The Microsoft RAW Image Thumbnailer and Viewer is a free "PowerToy" for Microsoft Windows XP that provides the ability to view, organize, and print photos captured in RAW image formats from supported digital cameras."

Download here (47.7MB file)

And don't miss this related whitepaper if you're interested in working with RAW photos in Windows:

Whitepaper: Viewing and Organizing RAW Images in Windows XP



Tech
Wednesday, June 15, 2005 7:47:25 AM (Pacific Daylight Time, UTC-07:00)
 Sunday, June 12, 2005

You've seen it before, over and over and over again: PowerPoint presentations that contain practically every word pouring out of the presenter's mouth, slides that digitally drone on and on and on and...

PowerPoint, when used well, can be a useful, powerful (hmmm) and productive tool. But more often than not, it's a bane of our existence, putting us to sleep with completely forgettable blocks of useless text and gratuitous effects.

I have seen PowerPoint used as that proverbial, metaphorical screwdriver, where the proper tool would instead be a hammer. I've seen attempts at web-site designs done in PowerPoint (by the way - that still doesn't work, people). I've seen it used over and over - by a wide variety of people trying desperately (and with good intentions, I am sure) to create something outside their area of expertise - using it to do things for which it simply was never intended.

But even when PowerPoint is used for what it was meant for - creating slides for presentations - it can be painful to see how people use it. It's a software tool and requires some level of technical understanding, to be sure, but technical expertise in using the program is not the most important part of the job.

PowerPoint has become a crutch, and more often than not it's damaging the patient. It's the loaded gun in the hands of the untrained shooter. It's the '79 Cadillac being driven by the nine-year-old who learned by watching mommy.

Kathy Sierra gets this. She understands, and she wrote about it to try (I assume) to make a difference in how it's used in the world. If you use PowerPoint, regardless of your expertise or years of experience, you should read her post and take it to heart.

I've also been reading Cliff Atkinson's new book, "Beyond Bullet Points," and it's a great book for learning how to put together effective presentations "that inform, motivate and inspire." Recommended.

PowerPoint's a great program, to be sure. But it's only a good tool when put in the hands of someone who knows how and when to apply it. Kathy's post should be mandatory training. We license drivers... Maybe we should come up with a test and a license for PowerPoint users?



Random Stuff | Tech | Things that Suck
Sunday, June 12, 2005 1:51:24 PM (Pacific Daylight Time, UTC-07:00)


Marshall Brain, creator of How Stuff Works and other successful ventures, presented to a group of college students recently on the topic "How to Make a Million Dollars." He received a number of requests to provide the presentation afterward, so he published the slides and typed up the presentation online.

And it's quite good. He distills the options down to the stuff that matters, and as usual his style helps to carry the message. Click the image to get his presentation.

[via Jeremy Zawodny]



Sunday, June 12, 2005 6:55:29 AM (Pacific Daylight Time, UTC-07:00)
 Saturday, June 11, 2005

More and more as time goes on I am asked about how to securely configure and use computing systems, whether they be Internet sites, online financial services, wireless networks, home and business computers, physical homes and businesses, or what have you. Since my role in that area has not changed too much, I have to assume the uptick in questions comes as a result of a desire by people to get more secure, which is a good thing.

Someone named Jim wrote me the other day and asked about my philosophy on passwords. I get this specific question often enough, I thought I would write about it here:

Hi Greg,
I posted a question on the PCWorld forum and your name came up regarding my question. My issue was regarding passwords. I am a Realtor and our main access to the MLS is starting to require password changes monthly. This is not that difficult but along with all the other passwords I have to use each day it is getting to be a bit of a headache and I think it's time that I get my act together once and for all and get passwords under control. I asked for opinions on software and also philosophy. I'd like to hear your opinion. Thanks and I'm looking forward to reading your response.

Preamble

My name is Greg, and I am an IT and security professional. It's been more than six months since I last created a traditional password. They say it's a disease, and so I am here to share my experience, strength and hope so that you, too, might recover from the ravages of insecure computing and inadequate safeguarding of information.

Or something like that. Ok, now let's get serious. I'll share what I do as well as one computer program that I have found can help.

Philosophy

My password philosophy varies based on the system in question, to be perfectly honest. I use passphrases as much as possible, meaning passwords in the form of natural sentences or phrases including things like spaces, normal capitalization and punctuation. That makes them easy to remember, yet tends to keep them complex enough to meet stringent security requirements.

As a general rule, passwords or passphrases should be at least 8 characters in length, preferably longer (I tend to go with 13 or more characters, and you're going to see how easy that can be in a minute). They should also always include at least three of the following four characteristics:

  • Upper-case alpha characters (A-Z)
  • Lower-case alpha characters (a-z)
  • Numeric characters (0-9)
  • Punctuation or other special characters (!@#$%&(*?>< etc.)

In addition, the rotation period for expiring passwords in a secure environment should be no longer than 60 days, and preferably shorter. Rotating too frequently, however, tends to make the whole process self-defeating: people who have to change their passwords every 15 or 30 days, for example, have a tendency to write them down and stick them in their wallets, or to use less-than-secure passwords. That's bad.

Another common problem is passwords expiring at inopportune times. I set password expiration in multiples of 7 days. Why? Simple - if you set passwords to expire every 42 days, say, someone whose password expires on a Monday will always have it expire on a Monday, which avoids expirations falling on weekends or other difficult days.

I think you'll find that most experts will agree with the above recommendations.
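The rules above, worked through as an added example (this is not code from the post): a small Python policy checker that applies the 8-character minimum and the three-of-four-character-class rule, models a system that truncates at 8 characters and rejects spaces, and shows why an expiry interval that is a multiple of 7 days always lands on the same weekday. The Policy class, the function names and the sample change date are assumptions of this example.

```python
"""Password-policy checks following the rules in the post above.

Added example, not code from the original post. The numbers (8-character
minimum, 3 of 4 character classes, expiry in multiples of 7 days) come from
the text; Policy, the function names and EXAMPLE_CHANGE_DATE are assumptions
of this example.
"""
from __future__ import annotations

import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample: a Monday (the post is dated Saturday, June 11, 2005).
EXAMPLE_CHANGE_DATE = date(2005, 6, 13)


@dataclass(frozen=True)
class Policy:
    """A site's password rules. min_length and classes_required follow the
    post; max_length and allow_spaces model the arbitrary limits some systems
    impose (max_length=None means no maximum)."""
    min_length: int = 8
    classes_required: int = 3
    max_length: Optional[int] = None
    allow_spaces: bool = True


def character_classes(secret: str) -> set[str]:
    """Return which of the four character classes appear in the secret.
    Spaces are allowed in passphrases but count toward no class."""
    found = set()
    for ch in secret:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        elif not ch.isspace():
            found.add("special")  # punctuation or any other symbol
    return found


def check_secret(secret: str, policy: Policy = Policy()) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(secret) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.max_length is not None and len(secret) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if not policy.allow_spaces and any(ch.isspace() for ch in secret):
        problems.append("contains spaces, which this system rejects")
    classes = character_classes(secret)
    if len(classes) < policy.classes_required:
        problems.append(f"uses {len(classes)} of 4 character classes; "
                        f"{policy.classes_required} required")
    return problems


def expiry_schedule(set_on: date, interval_days: int, rotations: int) -> list[date]:
    """Dates on which a password set on set_on expires, one per rotation."""
    return [set_on + timedelta(days=interval_days * n)
            for n in range(1, rotations + 1)]


def expires_on_same_weekday(set_on: date, interval_days: int,
                            rotations: int = 6) -> bool:
    """True when every expiry falls on the same weekday as the original
    change. This holds exactly when interval_days is a multiple of 7."""
    return all(d.weekday() == set_on.weekday()
               for d in expiry_schedule(set_on, interval_days, rotations))


def main() -> None:
    # The post's own cat-themed candidates, checked against the default rules.
    for candidate in ("Cle0IsMyKat!", "Cleo is my Cat!", "cleoizmykittykat",
                      "Cleo get off the freaking furniture darnit!"):
        print(f"{candidate!r}: {check_secret(candidate) or 'ok'}")
    # A system that truncates at 8 characters and rejects spaces (the
    # arbitrary limits the post complains about) rejects a good passphrase.
    limited = Policy(max_length=8, allow_spaces=False)
    print("limited site:", check_secret("Cleo is my Cat!", limited))
    # Rotation intervals: 42 days keeps the weekday fixed, 30 days does not.
    for days in (42, 30):
        print(f"{days}-day interval keeps weekday:",
              expires_on_same_weekday(EXAMPLE_CHANGE_DATE, days))


if __name__ == "__main__":
    main()
```

Note that the all-lowercase candidate from the post fails the three-class rule as written, which is exactly the kind of result a checker like this is meant to surface before a user is locked into a weak choice.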

Maintaining passwords and passphrases securely - helpful software

Switching gears to management and storage of multiple passwords for various systems, one simple rule that should be obvious is often set aside, but should always be followed: Do not use the same password in multiple places or systems unless the system is built to support doing so for you. Great, you think... How am I supposed to manage that many passwords, especially if I am always moving around and use more than one computer, or if I use a laptop? Well, there are several tools and methodologies that can help.

RoboForm is a software passkey management program that's grown up quite a bit over the past few years. It not only secures and stores passwords, it even fills out logon forms for you. Last year they created and started testing a version that installs on a USB key called RoboForm Portable, or Pass2Go. It's surprisingly not well-known, but it works pretty well. Your passwords are secured on a USB key with Triple-DES encryption. So for almost all purposes (maybe not national security secrets, but hey, you know what I mean) it's quite secure, and you can install it right on the USB key/drive and run it from there (you can even put the portable version of Firefox on there if you want and tie them together). Using the USB drive to run the RoboForm Portable program means nothing has to be installed on the client computer. If you lose it, it's encrypted and locked with your master password. Note, too, that there are RoboForm add-ons not just for USB keys, but also for Palm and Windows Mobile devices. So you get to choose, and all of them beat the proverbial Post-It note for security and convenience.

But none of that matters if you can't solve the real problem

But the real problem with passwords is that people forget them all the time, so they do things like use the same password everywhere, or they write them down somewhere and don't secure them, not to mention the fact they can't remember them. You end up with either an insecure system or a help desk that's dying just trying to unlock accounts and administratively change passwords. That's no good.

The fact of the matter is that the simplest way to remember passwords is to use ones that you can naturally relate to. Just as important, they need to be complex and secret enough to be sufficiently secure. This can be done. For example, I have a cat named Cleo. So, I might think about using passwords and passphrases like:

Cle0IsMyKat!
Cleo is my Cat!
cleoizmykittykat
Cleo get off the freaking furniture darnit!

You get the idea. Now, since these passwords and passphrases are often set to expire frequently and I don't want to forget them, I always try to think seasonally - incorporating things that are happening in my life at the time. When creating a new passphrase, I don't ask myself "What can I type that I will remember in ten minutes?" Instead, I think "What's happening in my life between now and the end of next month?" For example, if I had to create or change a passphrase or password right now, I might do something like:

Fireworks on July 4th are so cool...
Woah dude like check out the freakin fireworks dude!
FireworksOnJuly4thAreSoCool...
Woahdudethosefirew0rkzaresokool*
Pow bang boom! Oh wow did you see that?

Of course, I won't actually use anything like those, now that I have posted them here (hey, trust me - people have done much stupider things). But by making a passphrase meaningful during its lifetime, I can remember it quite easily (well, usually anyhow - it can take a little getting used to). By the time the next password-change rotation comes around, I'll just think of something else I can remind myself of for the next 30 or 45 days.

You're probably starting to get the idea of how passphrases work from the examples, and it's also probably becoming clear that I am a proponent of them. They're easy to remember and - this is important - easier to type than munged up words where you replace letters with numbers and convert everything to hacker-speak. They are also quite long and more complex. And more complex means more difficult to guess or randomly replicate, which means more secure. And on top of that, you can actually remember and accurately type it. Not a bad deal, really.

There's no perfect answer - some unthinking person with no concern for security will throw in a wrench

Note that not all systems where you can create passwords will let you use spaces in the password field, and some will even limit how many characters you can use.** So, sometimes you have to adjust the way you create your passwords and passphrases to work within arbitrary limits set by arbitrary (non-security-oriented) decision makers.

** Note to security departments everywhere: Get more involved in the app and interface design phases. Just because a DBA somewhere says my online banking password needs to be truncated at 8 characters to save disk drive space doesn't mean they're right. Security reviews need to happen at design time, and then as a part of every step along the way.

By the way, to go off on a bit of a tangent - Jim's original question illustrates exactly why a well-secured and well-designed unified authentication system can be so valuable, where it makes sense. For consumers, that means something akin to Passport or one of the other unified authentication systems out there. In a business computing environment it more often means using something like a Windows domain or Novell directory to have a single set of credentials that you can protect, but which will allow you to access multiple systems. To provide additional security, you don't necessarily want to break an authentication system up and require multiple passwords, because then you're defeating the whole purpose of the unified system. Instead, you might start adding additional factors of authentication to those specific systems where you need extra authentication or authorization protection (RSA SecurID is one great example of how to add another strong factor of authentication in an environment where security is very closely managed).

But Dr. Johansson's the one who's really got it covered...

For more information in the philosophy department, I'd point you at Jesper M. Johansson's work on passwords vs. passphrases:

The Great Debate: Pass Phrases vs. Passwords

  • Part One - covers the fundamentals of passwords and pass phrases, how they are stored, and so on
  • Part Two - discusses the relative strength of each type of password, and uses some mathematical approaches for illustration
  • Part Three - offers some conclusions and guidance on how to choose passwords and configure a password policy

I've rambled a bit, but I hope that helps. I have a lot more to write on the subject of authentication security, but that will have to wait for another time.



Add/Read: Comments [0]
IT Security | Safe Computing | Tech
Saturday, June 11, 2005 10:56:24 AM (Pacific Daylight Time, UTC-07:00)
#  
 Friday, June 10, 2005

A new beta version of Technorati - the web-based service that "brings you what’s happening on the web right now" - is available at http://beta.technorati.com/, and it looks darn nice. I like the new look and user interface (the search "options" feature is great for new users), and it seems to work quite well. You can learn what's new on the Technorati beta weblog.

Support for tags, more search options, personalization and watchlists are some of the new functionality in the beta version.

Technorati is currently tracking 11.1 million sites and 1.1 billion links. That's a lot. Tons of information to be had, and now it's easier than ever to get at it.

Blogging
Friday, June 10, 2005 5:43:25 PM (Pacific Daylight Time, UTC-07:00)

An email list I am subscribed to had a quick thread that pointed to a conversation about FeedDemon and the fact that a user didn't want to use IE as the default embedded browser inside of FeedDemon. That's fine, but the problem is that someone suggested he actually abandon his favorite RSS reader (meaning FeedDemon) and try another one.

The recommendation was (in my opinion) premature. Why? Because FeedDemon can in fact use the Mozilla engine as its embedded web browser, and you can find out how here.

And by the way - if there's something you wish was in FeedDemon for the future, Nick listens. Go to the FeedDemon forums and just ask.

RSS Stuff | Tech
Friday, June 10, 2005 2:19:15 PM (Pacific Daylight Time, UTC-07:00)

There is an interesting post describing the exploit of a weakness in MD5 via collisions, with a reproducible real-world example. The authors computationally found the collisions and were able to reliably and predictably produce two completely different postscript documents with the identical MD5 checksum. Their use-case story revolves around maliciously capturing a digital signature and using it for something other than it was intended. In the story, the MD5 checksum is relied upon to validate the authenticity of a document. The researchers wanted to show how this flaw could possibly be used in the real world.

"Recently, the world of cryptographic hash functions has turned into a mess. A lot of researchers announced algorithms ("attacks") to find collisions for common hash functions such as MD5 and SHA-1 (see [B+, WFLY, WY, WYY-a, WYY-b]). For cryptographers, these results are exciting - but many so-called "practitioners" turned them down as "practically irrelevant". The point is that while it is possible to find colliding messages M and M', these messages appear to be more or less random - or rather, contain a random string of some fixed length (e.g., 1024 bit in the case of MD5). If you cannot exercise control over colliding messages, these collisions are theoretically interesting but harmless, right? In the past few weeks, we have met quite a few people who thought so.

"With this page, we want to demonstrate how badly wrong this kind of reasoning is! We hope to provide convincing evidence even for people without much technical or cryptographical background."

Once again, security by obscurity defeated. Interesting read and might make you think. If anyone has comments on their test or process, I'd be interested to hear them.
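To make the construction the researchers describe concrete, here is an added example (mine, not their code, and deliberately not MD5): a constructed 32-bit Merkle-Damgård toy hash in which a birthday search finds two blocks that leave the same chaining state, a toy document format that displays different text depending on which block it carries, and a "signature" over the digest that therefore validates both files. The function and format names are assumptions for this example; SHA-256 over the two files still tells them apart, which is the mitigation.

```python
import hashlib, hmac

BLOCK = 16  # constructed toy: 16-byte chunks, 32-bit chaining state
HEADER = b"%!TOYDOC-v1".ljust(BLOCK, b"\0")  # constructed document header

def toy_compress(state: int, chunk: bytes) -> int:
    # toy Merkle-Damgard compression function with a 32-bit state (model only)
    h = hashlib.md5(state.to_bytes(4, "big") + chunk).digest()
    return int.from_bytes(h[:4], "big")

def toy_hash(msg: bytes) -> int:
    # equal states after one chunk stay equal for any identical suffix (as in MD5)
    state = 0
    for i in range(0, len(msg), BLOCK):
        state = toy_compress(state, msg[i:i + BLOCK].ljust(BLOCK, b"\0"))
    return state

def find_collision_blocks(prefix: bytes):
    # birthday search for b1 != b2 with equal chaining state after prefix
    st0, seen, i = toy_hash(prefix), {}, 0
    while True:
        b = i.to_bytes(BLOCK, "big")
        s = toy_compress(st0, b)
        if s in seen:
            return seen[s], b
        seen[s] = b
        i += 1

def build_docs(b1: bytes, b2: bytes, text_a: str, text_b: str):
    # the PostScript trick: the shared suffix embeds b1 and both texts, and
    # the viewer shows text_a only when the variable block equals b1
    suffix = b1 + text_a.encode().ljust(32, b"\0") + text_b.encode().ljust(32, b"\0")
    return HEADER + b1 + suffix, HEADER + b2 + suffix

def render(doc: bytes) -> str:
    block, expected = doc[16:32], doc[32:48]
    text = doc[48:80] if block == expected else doc[80:112]
    return text.rstrip(b"\0").decode()

def sign_hash(key: bytes, doc: bytes) -> str:
    # stand-in for "sign the digest": HMAC over toy_hash(doc), not a real signature
    return hmac.new(key, toy_hash(doc).to_bytes(4, "big"), "sha256").hexdigest()

def demo(key: bytes = b"constructed-key"):
    b1, b2 = find_collision_blocks(HEADER)
    shown, hidden = build_docs(b1, b2, "Pay 10 EUR", "Pay 10000 EUR")
    sig = sign_hash(key, shown)  # the signer only ever saw the benign rendering
    transfers = hmac.compare_digest(sign_hash(key, hidden), sig)
    same_sha = hashlib.sha256(shown).digest() == hashlib.sha256(hidden).digest()
    return render(shown), render(hidden), transfers, same_sha
```

The signature computed over the benign file verifies the other one because both carry the same digest; a verifier that also compares a collision-resistant digest of the whole file would catch the substitution.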
