Why your favorite web site’s password strength meter is full of hooey

What happens when you talk three password crackers into doing their worst to a leaked database of 16,000 passwords and then talk to them about it?

You learn a lot, and we can learn a lot from their experience as well. “qeadzcwrsfxv1331” isn’t a good password. Neither is “Philippians4:13.” Neither is “correcthorsebatterystaple.” Neither is “Qbesancon321” or “Qbe$@ncon321.” Password guessing has too much intelligence built into it now.

And not only that, by continuing to use the password “popcorn,” you make it easier for those guys to guess other passwords too.

What keeps a good security guy from turning to the dark side

I’m reading the excellent Blackhatonomics right now. And one thing I read in it reminded me of a question that someone asked me last year. I was probably the third or fourth guy with an advanced security certification he’d met, and he asked me one day what it is that keeps us from turning criminal.

I said, “Well, for one thing, good guys have much longer careers.”

I didn’t cite a specific example, but Blackhatonomics cited the case of Albert Gonzalez, the infamous hacker convicted of breaking into TJX, Dave & Buster’s, and others. His crime spree, which ended when he was captured in 2008, netted him $2.98 million.

He was convicted in 2010, and had to give back what was left of his fortune, and now is serving 20 years in a minimum-security prison.

I like my approach better.

Another month, another go-to LED bulb

LED lighting seems to change constantly. I read about Cree’s LED bulbs a good 12-18 months ago and they sounded too good to be true. In a way, they were, because you couldn’t buy them anywhere. The wait is finally over: they’re available, though only at Home Depot. I tried out their 800-lumen (60W equivalent), 2700K, 9.5W bulb, which currently costs about $13. It’s a good bulb that lives up to the hype.

Remembering Private McAdow

I had numerous ancestors who fought in the U.S. Civil War. On my mom’s side, one of my direct ancestors was a Union spy during the war. He was captured three times. We joke sometimes that he was better at escaping from Confederate prisons than he was at being a spy. He survived the war and lived a long life.

On my dad’s side, Dr. Isaac Proctor Farquhar put medical school on hold and became Private Isaac Proctor Farquhar, like many of his brothers did. The elder Farquhar brothers who were already doctors became officers in the Union army, while the younger Farquhar brothers became infantry. All survived, came home to their families and resumed their productive medical careers.

James Washington McAdow did not.

Replace a microwave over the range

It’s not hard to replace a microwave over the range.

When I bought this house 10 ½ years ago, it had an undercabinet microwave in the kitchen. I don’t know if the previous owners told me how old it was or not. It was an Ewave, which is a brand Magic Chef uses when they don’t want to put the Magic Chef brand on it. So it was a budget manufacturer’s lowest-tier microwave. It was a little temperamental but mostly worked, so I can’t complain about it all that much.

But it got worse over the last couple of months. The right keypresses registered about half the time when you used the keypad. We decided to replace it just as soon as we could. Finances have been tight this year, but fortunately we got a sale right around the time we were able to afford to get one. We picked up a low-end Whirlpool microwave on special for $50 below retail, which essentially meant we got a Whirlpool for the price of a Magic Chef. It’s bigger than our Magic Chef was, and gets better reviews than the current Magic Chef appliances. I recommend basic appliances from reputable makers. Microwaves are no different, but I’d rather buy a new one on sale than a used microwave.

Installation is the hardest part, but it’s easier than it first appears.

Use Audacity to sneak an extra podcast in each week

If you don’t mind your podcasts sounding like chipmunks, you can shave 10-15 minutes off their length by loading the MP3 into Audacity before sneakernetting it to your car. Simply download and install Audacity, install LAME for MP3 support, then, when you download your podcast, load it into Audacity, select the “Effect” menu and choose “Change Speed,” then enter 20% and click “OK.” You may need to experiment a bit. Then save the file to your MP3 player or USB media and you’ll have it for when you’re on the go.

The benefit, of course, is that if you can keep up with it, those 60-minute podcasts drop down to more like 45-50 minutes, so in theory, if you listen to five of them per week, you can get a sixth one in.

Farewell to a St. Louis Christmas tradition

I saw something sad in the papers this week: Macy’s is closing its downtown St. Louis store, the former flagship Famous-Barr (or Famous and Barr, if you’re old enough) store.

And that means this past Christmas was the last Christmas for the American Flyer storefront Christmas layout.

Deconstructing my conversation with “Computer Maintenance Department”

My tell-all about my encounter with “Computer Maintenance Department” was a little heavy on the jargon yesterday. It occurs to me that explaining what some of the terminology means, and the problem with their reasoning, may be helpful. I’ve also heard a few questions through various channels, and I think those are worth answering.

This “Computer Maintenance Department” sure doesn’t know much about computer maintenance

“Peggy” from “Computer Maintenance Department” (1-645-781-2458 on my caller ID) called again. Lots of people are aware of these phone calls. They call, make vague claims about receiving a report that your computer is running slow and giving you errors, and are very careful not to say who they are or who they work for. Usually I just do whatever I can to get them off the phone.

But after having lunch with some other computer security professionals last week, a couple of them talked me into finding out how these guys operate. So I fired up a PC that turned out to have a real, legitimate issue. After resolving that issue myself, I turned the caller loose on my semi-functional PC so I could see what these scammers actually do. He had me connect to Teamviewer.com and run their remote access software. I followed his instructions, watched him connect, then slyly unplugged my network cable.

When my network connection dropped, “Peggy” quickly transferred me to a “senior technician” who used the name “Roy.”

How to help the tornado-struck community of Moore, Okla.

I’ll put what I was going to write about this morning on hold for a few days. I was writing about something that disappoints me, but it’s nothing compared to a mile-wide tornado hitting the town you live in, which is what happened to the 55,000 residents of Moore, Oklahoma, yesterday.

Now, aside from a year or so in Ohio as a toddler, I’ve spent my entire life in Tornado Alley. There are seven states that get more tornadoes than Missouri, but only seven. Oklahoma gets more than any state other than Texas. I know the drill, and even my three-year-old knows it. When the sirens blare, everyone goes to the basement, and I turn on one of the weather channels to see what’s going on. I even have a battery-operated TV that I can use if the power goes out. It happens several times a year, and we’re used to it.

What we’re not used to is the bad stuff happening. That happens every year too, somewhere, but you never really get used to that. Read more