Tuesday, August 23, 2011

Spies Like Us makes Austin Powers cheaper?

I just noticed that the Austin Powers collection has some odd pricing on Amazon. The Blu-Ray edition of the Austin Powers series is $20.49 right now. The regular DVD version is $10.99. However, the collection of the first three Austin Powers movies plus Spies Like Us (no, I have no idea why) is $9.99. So the studio will effectively pay you $1 if you're buying the Austin Powers movies to also watch Spies Like Us. Interesting...

Saturday, August 13, 2011

Passwords and XKCD

I feel as if I'm walking into a trap. Randall Munroe is sort of a folk hero among geeks, and when I saw his recent comic about password strength, I was, at first, thrilled. Here's someone who knows how to communicate to the masses exactly what they need to know: they choose poor passwords, and could just as easily (or easier) choose strong passwords that they could remember.

I understand where he's coming from, and he's right on some level, but let me explain to you what the layman heard:

If your password is a space-separated list of four English words, no one will ever be able to crack it!

Sadly, there's even solid proof that that's the case. Here's the first example I've seen of a "password" generator based on his approach: XKCD Password Generator.

All I can say is /facepalm.

OK, so those of you who might not get what's going on, here, this is what he's saying:

When you try to make a very strong password, your first inclination is often to try to maximize the complexity of the password from a human perspective. This works very well if you're willing to memorize, say, 13 completely random characters from all over your keyboard. However, most people can't reasonably memorize such a password.

So what most people do is try to come up with something that's difficult to "read" but follows an easy-to-remember pattern. As Randall correctly points out, this is a losing game, and often results in passwords which are relatively easy to guess using simple attacks.

However, his approach is to choose your password from a list of about 17,592,186,044,416 (that is, 2^44) possible passwords made up of four English words. That's a pretty strong password compared to a lot of the kinds of passwords people typically use, but if you're comparing it to the gold standard (randomly selected characters from all of the 95 characters you can type on the typical U.S. keyboard), then you would only need about a 7-character password to make up the same number of possible passwords. 7-character passwords became relatively trivial to crack when I was still new in this industry, and now even 10-character passwords are looking shaky, just in terms of what it takes to crack the perfect password.
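To make the comparison above concrete, here is a small worked example (added here; it is not code from the original post or from XKCD). It assumes, as the comic does, that the four words are drawn uniformly from a 2,048-word list (2048^4 = 2^44 = 17,592,186,044,416), that the "gold standard" alphabet is the 95 printable U.S. keyboard characters, and, for the time estimate, a hypothetical guess rate that you should replace with whatever your own threat model says. The key point it demonstrates is that an attacker who knows the scheme searches wordlist_size^words guesses, no matter how many characters the resulting passphrase happens to contain.

```python
"""Compare the search space of a four-common-word passphrase with that of
a random string over the 95 printable ASCII characters.

Added example, not from the original post. Assumptions (labelled):
  - the four-word scheme draws uniformly from a 2,048-word list
  - the character scheme draws uniformly from 95 printable characters
  - GUESSES_PER_SECOND is a hypothetical rate, not a measurement
"""
import math
import secrets

PRINTABLE_ASCII = 95          # space through tilde on a U.S. keyboard
XKCD_WORDLIST_SIZE = 2048     # assumed: 11 bits per word, as in the comic
GUESSES_PER_SECOND = 1_000_000_000  # hypothetical attacker rate, adjust to taste


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates an attacker must consider when the scheme
    (alphabet and length) is known and every position is chosen uniformly."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniform choice of `length` symbols from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def equivalent_length(space: int, alphabet_size: int) -> int:
    """Smallest length of a uniform random string over `alphabet_size`
    whose search space is at least `space` (integer loop, no float rounding)."""
    length, total = 0, 1
    while total < space:
        total *= alphabet_size
        length += 1
    return length


def worst_case_seconds(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole space at `rate` guesses per second."""
    return space / rate


def compare(word_count: int = 4,
            wordlist_size: int = XKCD_WORDLIST_SIZE,
            charset: int = PRINTABLE_ASCII) -> dict:
    """Summarise the passphrase scheme against random printable characters."""
    space = search_space(wordlist_size, word_count)
    return {
        "passphrase_space": space,
        "passphrase_bits": entropy_bits(wordlist_size, word_count),
        "equivalent_random_chars": equivalent_length(space, charset),
        "exhaustive_search_hours": worst_case_seconds(space) / 3600,
    }


# Constructed toy word list (the real scheme would use ~2,048 words).
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "apple", "river", "candle",
    "window", "garden", "pillow", "rocket", "silver", "thunder", "violet",
    "walnut", "yellow",
]


def generate_passphrase(wordlist: list, count: int = 4) -> str:
    """Generate a passphrase with a CSPRNG (secrets), never random.choice.
    With this 16-word toy list the space is only 16**4 = 65,536 guesses,
    which is exactly the point: the list size, not the string length,
    sets the strength."""
    return " ".join(secrets.choice(wordlist) for _ in range(count))


if __name__ == "__main__":
    summary = compare()
    print(f"four words from {XKCD_WORDLIST_SIZE}: {summary['passphrase_space']:,} "
          f"candidates, {summary['passphrase_bits']:.1f} bits")
    print(f"same space as {summary['equivalent_random_chars']} random printable chars "
          f"({entropy_bits(PRINTABLE_ASCII, summary['equivalent_random_chars']):.1f} bits)")
    print(f"exhausted in about {summary['exhaustive_search_hours']:.1f} hours "
          f"at {GUESSES_PER_SECOND:,} guesses/s (hypothetical rate)")
    toy = generate_passphrase(SAMPLE_WORDLIST)
    print(f"toy passphrase: {toy!r} ({len(toy)} characters, "
          f"but only {entropy_bits(len(SAMPLE_WORDLIST), 4):.0f} bits)")
```

Running it shows the 2^44 passphrase space matching 7 random printable characters (95^7 is the first power of 95 above 2^44), and that the long toy passphrase carries far fewer bits than its character count suggests, which is the reason the post argues for mixing in something the attacker's word list does not contain.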

So, is Randall right? Well, yes, sort of. However, the best approach would be to combine all of the best strategies for passwords that are easy to remember, not allowing your attacker to know what kinds of passwords to try. Throw in one really odd word to your four. Change up a common saying. Make your password something that's fun to type. Take a simple phrase and censor it out by replacing a word or two with asterisks in a way that makes it sound funny. Combine the first name of a character with part of a quote they're famous for. Draw some ASCII art.

All of these are individually fairly weak strategies, but when you're creative about every password, it's nearly impossible to use any one scheme's weaknesses against you. If you are a target, specifically, this is a strong defense. If a large number of users are being targeted, then there's a larger problem you have to solve, and more attention to detail may be required to solve the problem.

Here are some examples of pass-phrases that you might use. Think of your own clever ways to twist up the keys on your keyboard and be unpredictable. There are still many useful ways to attack your passwords, but it's going to be much harder than if you choose a simple four-common-word password.

  • "David had a little ham..."
  • "d00dz, it's full of stars!"
  • "CaPsLoCkWoNtHeLpYoU"
  • "10qpalzm -- qwerty"
  • "dayO dayayayO, dayl1te come"
  • "<-- I'm with them -->"
  • "Are doomed to repeat it who fail to learn from history those"
  • "[(@)(@)(@)(@)(@)(@)(@)]"
  • "I'm mad as **** and I'm not going to **** it any more!"
  • "Q-36 Explosive Space Modulator Marvin"
  • "Just one uncommon lexeme"
  • "!!1 thousand X yes!!"
  • "._-*-_.o0O*!"
  • "Star Wars of the Roses vs. Kramer"
  • "Sufficiently large values of +/-n"
  • ">->O XKCD O<-<"

Monday, August 8, 2011

The Tea Party Recession

So, phrases like "there is a lot of forced liquidation" and "it's only one rating agency; if others follow that would be a bigger problem," (from The Wall Street Journal) are making me grind my teeth today. This is not because the economy is breaking in a fundamental way that we have not seen in my lifetime, but because, and I say this with a fondness for conservatism as an ideal, this entire fiasco is a politically manufactured event that resulted from, as Sen. McConnell put it, placing the number one priority on making sure Obama is a one-term President. I'm not saying the Republicans wanted to trigger a depression, which we might be on track for, now; but I am saying that you don't set a political goal as priority number one as the country slowly extracts itself from a recession.

Let me also be clear that I wasn't entirely against the idea of using the debt ceiling as a wedge. We've known for over a decade now that we needed to control certain elements of our spending that were out of control, and instead of controlling that spending we increased it over the last 10 years and instituted a series of deep revenue cuts which magnified the problem. Then, when recession hit, we spent our way out of it, further rubbing salt in the wound. We needed a political wedge, but when a reasonable plan, or at least an excellent start to one was worked up by Boehner and Obama, that should have been where we planted the flag. Yes, we still needed more work, but it was the first time I'd heard someone admit that we needed "both parties taking on their sacred cows." That quote is from Obama's address to the nation. Boehner was, at one point, willing to discuss such a radical plan, not because it was good politics for either party, but because it was good governing and the kind of compromise that benefits the nation.

The Tea Party, however, forced his hand. A compromise could be seen as Obama "winning," and first-term Tea Party Republicans would almost certainly be in jeopardy in their first re-election bids. They would never sign on to such a deal.

Revenues were a sore point because many had signed oaths that they would not raise taxes, and even closing tax loopholes was seen as a violation of that pledge, regardless of the fact that massive tax cuts constituted a de facto increase in spending which it was impossible to account for without pillaging critical services.

Now, we have S&P saying that Washington's unwillingness to address revenue shortfalls was central to their downgrading U.S. debt. I've addressed, previously, why such a move was disastrous and why it was critical that we avoid it. Yet, here we are. The Tea Party and revenue oaths brought us here, and there's no contingency plan. In a decade or two, we'll recover from this. We might see very hard times until then, but we'll recover. Americans are resilient in the face of adversity, but I just wish we hadn't been forced into that adversity in the first place.

I'm a moderate who really lives on the Democratic side only by virtue of a handful of social issues. And yet, here I am: forced to view the current batch of Republicans as, quite literally, the enemies of the value of my currency. I would really like them to think about that, but I doubt it's going to happen.

There's a pattern to the Obama Presidency. Health care legislation was an omen. Obama compromised deeply out of the gate, scuttling the plan for a single-payer system on-par with Canada or the U.K., where health care costs are around half of what we spend in the U.S., per capita, for far less coverage. Instead, he proposed an extremely conservative, market-driven, insurance-based approach where existing insurance companies would control most of the system (for an excellent, point-by-point rundown of the health care legislation, see PBS's breakdown, which I've discussed previously in early 2010). So, what did conservatives, knowing that health care is actively bankrupting the U.S., do in response? They pledged to repeal this icon of socialism (!), with no alternative plan for the future of health care in the U.S., which would return us to a state where we would be the only wealthy nation that didn't have a comprehensive approach to health care.

The pattern is that Obama tries to compromise, but the goal of his opposition isn't legislative. Whatever line he draws in the sand, no matter how deep into conservative territory it is, that is the battle line, and Republicans are not allowed to cross it, even if they would have done so before Obama got there. That's not governing. That's not even effective politics. It's just mindless antagonism.

As a result, there's only one thing to call the resulting recession (or depression or whatever this becomes): The Tea Party Recession. This is the outcome that the Tea Party fought for. This is the tearing down of the status quo that they desired. It might well achieve the goal of Obama being a one-term President. We might end up with President Romney (essentially the architect of the health care plan we ended up with) as a result. But ultimately, this economic result must be the sign that they carry alongside their other political slogans. They need to own this result because they fought for it.

As a side note, we're not going to solve this problem until we reform voting in the U.S. Plurality voting (where everyone gets to vote for one option and the largest number of votes for any one option wins) is broken. It's been demonstrated mathematically and in practice that it forces a two-party system. If we want to get away from polarizing politics, we need strong parties that represent the spectrum of views held throughout America. We need to dump our polarizing voting system and institute something like an approval voting system (where everyone votes for every option they like, and the largest number of votes for any one option wins). There are other options to be sure (from Instant Runoff Voting to much more esoteric systems), but which option we choose isn't the concern. Changing the voting system is not a solution, but it's the right first step. If we did that, the Tea Party would be a vocal fringe that the Republicans wouldn't be saddled with. There would actually be a Socialist Party on the left, and compromising with centrist Democrats wouldn't be seen as a slippery slope toward the far-left, because there's a political buffer there.

The next step, of course, is to change the way we seat members of Congress, but a more party-representation model is probably not going to be helpful until we first address voting.

So... can we start working on this? Can we move the ball forward now that the current system has been proven poisonous?

Monday, August 1, 2011

The Android App experiment has failed

My experiment was this: spend 3-4 months doing Android App development, and see if I could make enough profit to justify continuing down this road of freelance development, professionally. The answer is no. The hard fact of the matter is that in 1 month of active use of my first free app, it has made back 1/25th of the money that I sunk into advertising it. Also, in a little under a week, with $50 sunk into advertising, my first for-pay app has 3 installs at $1 each.

While I'm sure that I could continue to put out apps and would eventually see more revenue than this, it is increasingly unlikely that I will see revenue on which I could make a living wage.

Failure is part of life, and I've learned a new programming language and a fairly complex platform in the process, so I don't feel the last 3 months have been a waste, but now is the time to go back to work and start making some money again. I'll leave my apps out there and submit bug fixes from time to time. Who knows. Maybe at some point, there will be a surge of interest...

Budget Control Act 2011: A quick read (part 1)

Here's some points that come immediately to mind on reading the text of the compromise bill that's being pushed to end the debt ceiling fiasco (for which I seriously hope there is a price to be paid for everyone in Congress who decided that political points were important enough to hold a gun to the economy over):

  • SEC. 251. ENFORCING DISCRETIONARY SPENDING LIMITS. / (a) ENFORCEMENT / (1) SEQUESTRATION: This appears to be a cut-and-paste from an existing law.
  • (3) MILITARY PERSONNEL: If I'm reading this right, the idea is that, should the president use existing authority to exceed set spending levels to pay military personnel, there's an automatic debit against all other segments of government. An interesting idea. In practice, I'm not sure how it will work.
  • Then there's a lot of implementation detail including who reports the numbers to whom.
  • (A) EMERGENCY APPROPRIATIONS; OVERSEAS CONTINGENCY OPERATIONS / GLOBAL WAR ON TERRORISM: This section seems to exempt budgetary items that Congress and the President agree on labeling as being for military contingencies and the "War on Terror". Which, in practice, probably means the military budget is off the table. That probably renders much of this legislation fairly toothless for anything but reducing entitlements.
  • CONTINUING DISABILITY REVIEWS AND REDETERMINATIONS: It looks as if this section sets hard-caps on how much Social Security expenditures can grow by, effectively applying a tourniquet to the failure of the Social Security Trust Fund (funny story, that trust fund was already spent by forcing it to buy U.S. Bonds, so had we refused to raise the debt ceiling, and had to choose whose bonds to pay off... Social Security would have been one of the parties hoping they wouldn't get defaulted on). The hard-caps on Social Security growth are 623 million in FY 2012, 751 million in 2013, 924 million in 2014, 1.1 trillion in 2015, 1.2 trillion in 2016, 1.3 trillion in 2017, and 1.3 trillion ongoing each year through 2021. There's a similarly large amount that's specified as a cap on fraud and abuse control expenditures.
  • (D) DISASTER FUNDING - This section sets some guidelines on what disaster relief is, how to measure what a reasonable amount of money to spend on it is, and exempts that amount from automatic adjustments.
  • This bill says that it replaces and repeals "Section 275 of the Balanced Budget and Emergency Deficit Control Act of 1985."
  • Also that, "Sections 252(d)(1), 254(c), 254(f)(3), and 254(i) of the Balanced Budget and Emergency Deficit Control Act of 1985 shall not apply to the Congressional Budget Office." That might be a formality of replacing that law, but more reading would be necessary to determine that.
  • (d) EMERGENCIES IN THE HOUSE OF REPRESENTATIVES: Interestingly, this section locks in a definition of expenditure increases which includes revenue reduction (e.g. tax cuts). This is a good thing, as it's impossible to control costs without including a measure of what the available funds are and how they are constrained at the same time.
  • (e) ENFORCEMENT OF DISCRETIONARY SPENDING CAPS: This section basically says, "you have to comply with these rules, or your bill can't even be debated."
  • SEC. 106. SENATE BUDGET ENFORCEMENT: If I'm reading this right, the Senate Committee on the Budget needs to submit a balanced budget. So, perhaps (and I'm not 100% on this), the preceding sections deal with the laws that set out exceptional conditions under which the budget can be modified, and this section sets out the requirement that you have to start balanced?
  • TITLE II—VOTE ON THE BALANCED BUDGET AMENDMENT: This section just says that there needs to be a vote in the November-December timeframe on a balanced budget amendment. The only thing that scares the daylights out of me, here, is that the "joint resolution" is essentially rammed through as a matter of procedure. What does this mean? It means that no matter what the House and Senate pass titled, "Joint resolution proposing balanced budget amendment to the Constitution of the United States," a joint resolution has to be formed. In theory this is a normal part of lawmaking where the House and Senate versions are merged, but this section strips out some of the controls over how broad and sweeping that reconciliation can be, and how much control anyone has over what goes into that "compromise." In theory, nothing new can get tucked into it, but in reality, there are no real controls here, and we're talking about our Constitution! The states still need to ratify whatever mess comes out of Congress, but there's no chance to edit the Amendment after this stage.

OK, that's it for now. I'll try to digest the rest late tonight or tomorrow.