Password pain

ChannelInsider bemoaned bad password policies and practices late last week.

It’s a problem. Security (unfortunately) is my specialty, so I know it’s a problem. But it’s going to get worse before it gets better. There was an old User Friendly cartoon where a helpdesk operator spitefully changed an annoying user’s password to something like !Qoh&32;[ or something like that. Unfortunately, we’ve gotten to the point where the industry-standard password policy requires users to have passwords like that–only twice as long.

Let me tell you about one of my clients. Their policy is especially draconian. The passwords have to be at least 15 characters long and have two uppercase, two lowercase, two numbers, two special characters, and two umlauts (OK, no umlauts required), but then they add some other restrictions on top of that. These restrictions make the passwords considerably harder to remember, but they also significantly reduce the number of possible passwords (which is why I won’t disclose the restrictions–and no, I won’t disclose the name of the client either). So the end result is that the passwords look really secure, but really aren’t any more secure than the 8-character passwords they were using a few years ago that had fewer restrictions.
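To put a number on that “look secure but aren’t” observation, here is an added Python example (mine, not the client’s policy and not code from the original post) that counts exactly how many passwords a length-plus-composition rule permits, so the cost of each added rule can be measured instead of guessed. The character-class sizes are the usual printable-ASCII counts, and only the stated “two of each” rule is modelled; the client’s undisclosed extra restrictions are not.

```python
import math
from functools import lru_cache

# Character classes of a US keyboard; sizes are the usual printable-ASCII
# counts (33 specials includes space), an assumption for the example, not
# anything the client's policy states.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}


def count_passwords(length, class_sizes, minimums):
    """Count strings of exactly `length` characters over the given classes
    that contain at least minimums[c] characters of each class c.

    Dynamic programme over positions. The state records, per class, how many
    characters of that class have been placed so far, capped at that class's
    minimum: once the minimum is met, further characters of the class change
    nothing, so the state space stays tiny (3**4 = 81 states for "two each").
    """
    names = list(class_sizes)
    sizes = [class_sizes[n] for n in names]
    mins = [minimums.get(n, 0) for n in names]

    @lru_cache(maxsize=None)
    def rec(pos, state):
        if pos == length:
            return 1 if all(s >= m for s, m in zip(state, mins)) else 0
        total = 0
        for i, size in enumerate(sizes):
            nxt = list(state)
            nxt[i] = min(state[i] + 1, mins[i])
            total += size * rec(pos + 1, tuple(nxt))
        return total

    return rec(0, tuple(0 for _ in names))


def bits(n):
    """Keyspace size as bits of entropy for a uniformly chosen password."""
    return math.log2(n) if n > 0 else float("-inf")


def compare_policies():
    """Keyspace of the 15-char 'two of each class' rule versus unconstrained
    15-char and 8-char passwords drawn from the same 95-character alphabet."""
    alphabet = sum(CLASSES.values())
    any_15 = alphabet ** 15
    two_each_15 = count_passwords(15, CLASSES, {name: 2 for name in CLASSES})
    any_8 = alphabet ** 8
    return {
        "any_8": any_8,
        "any_15": any_15,
        "two_each_15": two_each_15,
        # share of the 15-char keyspace the composition rule throws away
        "removed_fraction": 1 - two_each_15 / any_15,
        "two_each_15_bits": bits(two_each_15),
    }


if __name__ == "__main__":
    for key, value in compare_policies().items():
        shown = f"{value:.4g}" if isinstance(value, float) else f"{value:,}"
        print(f"{key:>18}: {shown}")
```

Pass a different `minimums` dictionary (or a shorter `length`) to `count_passwords` to see how much each additional rule, on its own, shrinks the keyspace.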

There are several unfortunate results to this situation. One is that it takes several days to come up with a decent password. As a result, passwords get passed around. “Does anyone have a password that works right now?” is a common question I hear. Yes, passwords get passed around. Or, slightly less worrisome, they become collaborative works. Someone hands over a slip of paper with something cryptic like 1977-22@MINal.296 written on it and wants to know why the password policy rejects it. If the first person can’t figure it out, someone else looks at it.

Personally, I think if that password had more umlauts, it would probably get through the policy. But that’s just me.

And then the password age keeps getting ratcheted down. It takes almost 30 days to memorize these stupid things. But by then, the passwords expire and the whole cycle starts over again.

Ultimately the solution is going to be ever longer and ever more complex passwords with ever-shorter lifespans. Maybe 32 characters long, with four upper, four lower, four numbers, four special characters, and four foreign language characters (stuff you have to type by hitting ALT and a four-digit keycode on the numeric keypad). I hesitate to say this, because someone’s going to think that’s a great idea and adopt it. So maybe I should patent the idea to prevent that from happening.

And the result will be ever greater resentment, more password sharing, more passwords on sticky notes attached to keyboards and monitors, and even greater willingness to exchange a password for a piece of chocolate.

Loosen the restrictions a bit, cut users a bit of slack, educate them on the importance of good passwords, and the result can only be greater security. Until then, things are only going to get worse, on all fronts.

It’s too bad Secure Channel didn’t think of all that.

Something to try when ERD Commander’s Locksmith doesn’t work

So maybe you’re like me and you’re administering a system that fell off its Windows domain, and the system was built by your predecessor’s predecessor, the local administrator account was renamed, and nobody has any clue what the account name or password is.

And you try ERD Commander because it worked in the past, but not this time… Usually the Locksmith works. But in this case, it didn’t, and of course everyone wanted the server back online an hour ago. We tried everything else we could think of for about three days, including downloading some things that I was sure would get me a visit from a security officer. Nothing worked. At least when I got the visit from the security officer, he just wanted to know why there were repeated attempts to log in with certain accounts.

“I was trying to hack into my own server and it seems I’m not a very good hacker,” I said. Duh.

So I found myself standing at the server with another sysadmin, having used my last idea. “I don’t suppose you have any ideas?” I asked. “I figured if you did, you would have said so by now, but…”

He shook his head.

Finally, I had one last idea. I asked him what he set the password to when he used ERD Commander.

“Password,” he said. “To make it easy to remember.”

Aha! A light went off. This system was hardened to require stronger passwords than just an 8-character alphabetic password. I had a hunch that was what was keeping us from being able to log in using our hacked account.

So we booted off the ERD Commander CD yet again, connected to the Windows installation, located what we were pretty sure was the renamed local administrator account, and I reset it to the standard mixed-case special character password we use for the local admin accounts.

We held our breath, rebooted, and tried to log in.

Success. Finally.

So if ERD Commander isn’t working for you, try using a stronger password to satisfy your local system policy.

And just in case you’re wondering why a computer falls off a domain, computers have usernames and passwords just like users do. Occasionally the passwords get reset. If for some reason the domain controller thinks a member computer’s password is one thing, and the member computer thinks it’s something else, you end up with a computer that says it’s on the domain, but can’t authenticate against it. The solution is to log in with a local administrator account, then either run NETDOM.EXE from the Windows Support Tools, or remove the computer from the domain and add it back in. You can just put the computer in a workgroup, ignore the dialog box that says you have to reboot, then add it to the domain, and then reboot.

A first look at Mozilla Firefox 0.9

I upgraded to Mozilla Firefox 0.9 today. My initial impression is pretty good, with one caveat.

If you’re running an earlier version and haven’t upgraded already, make a backup of your profile first. I upgraded from version 0.8 without uninstalling version 0.8 first, and lost my saved passwords and bookmarks. What I lost isn’t anything I can’t type in again or find again but it was annoying.

But that’s pretty much where the problems end. This new version feels faster than the old one did. It also seems a bit more stable, but a few hours of messing around isn’t enough of a test to declare something stable or not. I’m also not about to assume that any other living human being’s browser habits resemble mine.

I did notice that memory usage has a tendency to go back down as I close tabs. That’s an improvement–that didn’t always happen with older versions.

The ultimate test is going to be leaving it open for about a week of heavy use. Older versions tended to not like when I did that–memory usage would balloon and over time the speed would degrade. We’ll see how this version handles that torture test.

Since I had to go back and re-customize it, I can tell you the tweaks I make to the browser. Maybe you’ll like some of them too.

First, I type about:config into the address bar to bring up all the hidden options.

I set network.http.pipelining to true, and network.http.pipelining.maxrequests to 100. This speeds up page rendering, at the cost of occasionally mangling a page. (This happens most frequently when I visit Slashdot, ironically.) Reloading usually clears it up. The problem happens infrequently enough that I live with it–I like the speed.

I set image.animation_mode to “none”, since I find animated GIFs distracting. Try browsing with image animation turned off and I’ll bet you’ll wonder how you ever lived without it. You can also set the string to “once” if you like animation. That way you can still see the animation but it doesn’t continue to loop while you’re trying to read.

I set browser.popups.showPopupBlocker to false. I don’t care to know when Firefox has blocked a popup–these days it’s pretty safe to assume that every site up there sent you a barrage of popups.

I set browser.blink_allowed to false. Few people use the dreaded blink tag anymore, especially since it was a proprietary Netscape tag that few others implemented. It doesn’t hurt anything to disable it just in case someone used it somewhere.

Since you can never have too much screen real estate, I customize the toolbars as well. If you go to View, Toolbars, Customize, you can drag the icons and menu items you use wherever you want. Drag things you don’t use down to the bottom. For example, if you never use the Go and Help menus, drag them down to get rid of them. I drag the address bar up to the top, next to the Help menu. Since I don’t use anything else on the navigation and bookmarks toolbars (I use keyboard shortcuts), I turn those off, which opens up lots more screen real estate. If there are some icons you use, you can drag them up to the menu bar and turn off those toolbars to save some space. It’s cheaper than a bigger monitor and takes up less space on your desk.

And as much as we tend to live in our web browsers these days, it’s almost as good as having a bigger monitor, isn’t it?

Introducing the Silicon Underground Portal

Tonight, as I was preparing for my upcoming mission trip (read: doing laundry and waiting around on it), I started messing with a piece of software called bk2site.
Like most cool software, it’s included with Debian. RPMs and tarballs are available if your distro of choice lacks it. Its purpose is to take your Netscape/Mozilla/Galeon bookmarks file and a few RSS feeds of your choice and make a site out of it, much like the Yahoo! of many years ago before its size got out of hand.

How I set up Greymatter for Weblogging

First things first: I’m sure everyone’s asking how much hardware you need. I’m using a Pentium-120 with 64 megs of RAM, and it’s plenty fast most of the time. It takes a little while to regenerate all the templates, but other than that it’s mostly sitting idle. Any Pentium-class machine should be plenty. I’d be hesitant about using a 486 because the templates will take an awfully long time to rebuild. Remember, Greymatter’s written in Perl, and Perl’s an interpreted language. Interpreters are slow for the same reason emulators are slow–the translation is real-time.
But Greymatter offers advantages. You can control your destiny. You have total control over your site–it’s running on your Linux box. And you’re free from FrontPage’s tyranny. Did I hear cheers? Most importantly for me, I set the clock. I can set the clock ahead a couple of hours, make my post at 10 p.m., and it’ll be dated the next day. That can only mean… The return of the infamous Farquhar Time Machine. I can start sleeping in again! Or go to work earlier… Hey, I can start sleeping in again!

Anyway, I had the Pentium-120 already configured with Mandrake 7.2, but I discovered Mandrake 7.2 in high security mode doesn’t seem to allow Web traffic from the outside world. So I installed Mandrake 7.2 again in low-security mode. I used a server installation. The only things I really cared about were Apache and Perl, but I didn’t feel like de-selecting everything. Both will be in there by default. I think Perl’s part of the Development group during installation. I’m not sure what group Apache is in. I don’t recommend running XFree86 on your server. Those memory resources are better used for server purposes. Oh, and one last thing: Don’t use DHCP. Give your Web server a local, static IP address.

Once I was up and running, Apache wasn’t running by default, so I dinked around with a cp /etc/rc.d/init.d/httpd /etc/rc.d/rc3.d/S45httpd so that Apache would start on boot. Then I started Apache by executing /etc/rc.d/rc3.d/S45httpd start. Of course there are plenty of other ways to accomplish the same thing. It was close to midnight and I just wanted the thing open to the world at that point.

Then I pointed my Web browser at the server’s address, and my embryonic Weblog came up.

It won’t happen that way for you, because I already had Greymatter installed and configured before I did all that. In other words, I did things bass-ackwards. You should do it differently. Get Apache working right first. It’s less frustrating that way.

With Apache installed and running, point a Web browser at it. You should see some kind of Apache welcome screen–it’ll vary based on your Linux distro, but it’ll basically be some kind of show-off screen. You see it? Great. You don’t? Get Apache working. How? I dunno. Make sure it’s running, first of all. Type the command pidof httpd. You should get a couple of numbers. Maybe a lot of numbers. If all you get is a blank line, then Apache’s not running. If it’s running but not responding, you’ve probably got a problem with the configuration file. The default configuration file for Apache, unlike the default configuration of a lot of programs, does work reasonably well. The defaults will certainly do for a Weblog. Start with the default config, get it working, then get fancy later.

Working? Great. Open up port 80 on your DSL router and point it to your server’s address. Don’t expose any other ports. This improves security immensely. Now go to www.grc.com and run Shields Up!, then Probe My Ports. Port 80 should be open. If it’s not, either your Linux box is too secure (I wish I could offer some advice there but I don’t know much about un-securing a Linux box) or your router’s not forwarding the port right.

By default, in Mandrake at least, Apache puts its HTML files in /var/www. So, first, clear out /var/www/html. Next, I put all of the Greymatter files in /var/www/cgi-bin. Then I created directories named Archives in both /var/www/cgi-bin and in /var/www/html. The documentation is pretty good about what files need permissions of 755 and what needs 777 (yuck!) and what needs more restrictive settings, like 644 or 666.

As an aside, the archives directory being chmodded to 777 makes me nervous. That means that if I install Greymatter to a server that shares space with someone else, the entire world can see that directory. They can’t manipulate anything inside there as long as the files inside have more restrictive permissions, but I always cringe every time I see anything with 777 permissions. I knew people in college who’d just chmod everything to 777 because then it meant everything just worked all the time. Unfortunately, anyone who had telnet access to the machine could then go into that directory and change anything. I’m not as concerned about that, since I don’t share this PC with anyone. But 777 still doesn’t give me warm fuzzies. Unix ain’t Christianity. In Unix, 666 is ok (but 644 is much better), and 777 is a hacker’s delight, and therefore, pure evil.

After you chmod all your files, assuming your server is at 192.168.1.2, go to http://192.168.1.2/cgi-bin/gm.cgi. Greymatter should pop up. Go to the configuration screen and run down the line:

Local log: /var/www/html
Local entries: /var/www/html/archives
Local CGI: /var/www/cgi-bin
Website log path: /
Website entries path: /archives
Website CGI path: /cgi-bin

Set the other stuff the way you want it. Now hit Save Configuration. Now, immediately run Diagnostics and Repair. This will ensure that all files are where they need to be and permissions set correctly. If it can’t find something, do what you have to to satisfy it.

Now you’re ready to start editing templates and adding entries. You’ll need to exercise your HTML skills for that, or rip off someone’s templates. I didn’t look too hard, but I’m sure there are people out there offering Greymatter templates. If you have to, use an HTML generator to draw what you want, then take the code and put it in the template. I know HTML, so I coded mine by hand. That’s why they’re still sparse. The basic layout is there; I need to flesh it out. And I haven’t entered every template yet myself.

Now, for backups and stats… Backups are easy. I use the command tar -c /var/www >/home/dave/backup.tar. It only takes a second. You can compress the tar file and throw it on a floppy with the mcopy command. Or if Samba’s also configured and running, backup to a network-accessible directory and pull the file over to another machine.

For stats, I use LiveWebStats, but I don’t like it. Any Apache log analyzer will work.

There’s one other issue with Greymatter. It sends passwords plaintext, and thus, they’ll show up in your logs. So don’t make your stats public, at least not your referrers. If you’ll have remote editors, you need to consider that vulnerability–an editor’s password can potentially be intercepted.
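Since the request line and the referrer field are where those plaintext credentials surface, here is an added Python example (mine, not Greymatter’s code and not from the original post) that scans Apache combined-format log lines for credential-looking query parameters in either field, reports them, and produces a redacted copy fit for a stats run. The log lines, hosts and the `authuser`/`authpass` names are constructed, and the `pass|pwd|password` name pattern is an assumption, not Greymatter’s real field names.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Apache "combined" format:
# host ident user [time] "method url proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Query-parameter names treated as credentials. Assumed for the example;
# the page does not give Greymatter's actual field names.
SENSITIVE = re.compile(r"pass|pwd|password", re.IGNORECASE)

# Constructed sample log: a login submitted via GET, a later page view whose
# referrer still carries the credentials, and an innocent request.
SAMPLE_LOG = [
    '192.168.1.5 - - [12/Jun/2004:22:14:03 -0500] '
    '"GET /cgi-bin/gm.cgi?authuser=dave&authpass=s3cret HTTP/1.1" 200 5123 '
    '"-" "Mozilla/5.0"',
    '192.168.1.5 - - [12/Jun/2004:22:14:09 -0500] '
    '"GET /archives/00000012.htm HTTP/1.1" 200 2210 '
    '"http://192.168.1.2/cgi-bin/gm.cgi?authuser=dave&authpass=s3cret" '
    '"Mozilla/5.0"',
    '10.0.0.7 - - [12/Jun/2004:22:15:00 -0500] '
    '"GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def redact_url(url):
    """Return (redacted_url, leaked_names). Values of sensitive query
    parameters are replaced with REDACTED; everything else is kept."""
    parts = urlsplit(url)
    if not parts.query:
        return url, []
    leaked, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SENSITIVE.search(name) and value:
            leaked.append(name)
            cleaned.append((name, "REDACTED"))
        else:
            cleaned.append((name, value))
    return parts._replace(query=urlencode(cleaned)).geturl(), leaked


def scan_log(lines):
    """Return (findings, redacted_lines). Each finding is
    (line_number, field, leaked_parameter_names) for field in url/referer."""
    findings, redacted = [], []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m is None:  # unparseable line: keep as-is, nothing to report
            redacted.append(line)
            continue
        new_line = line
        # Rewrite the referer first so the earlier url offsets stay valid.
        for field in ("referer", "url"):
            fixed, leaked = redact_url(m.group(field))
            if leaked:
                findings.append((n, field, leaked))
                new_line = new_line[:m.start(field)] + fixed + new_line[m.end(field):]
        redacted.append(new_line)
    findings.sort(key=lambda f: (f[0], f[1]))
    return findings, redacted


if __name__ == "__main__":
    found, clean = scan_log(SAMPLE_LOG)
    for n, field, names in found:
        print(f"line {n}: credential parameter(s) {names} in {field}")
    print("\n".join(clean))
```

Feed the redacted lines, not the raw log, to whatever stats tool you publish from; the findings list doubles as a check for how often the login form was submitted over GET at all.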

Setting up Greymatter is a lot of work, but it’s a one-shot deal. You make your design, then it’s content-driven. Change your design, and it applies to the whole site. Nice. And when you publish, you only publish your new stuff.

But overall, I like Greymatter an awful lot.

Tiny assembly language Windows utilities

Tiny utilities. While I was debating whether to go buy a copy of Extreme Power Tools, I thought I remembered seeing a couple of programs similar to what they offer. So I went hunting and found other stuff, of course.

People tend to get annoyed if you just link to their files, so I linked to the pages that contain links to the files. Some of these pages get pretty heavy, so use your browser’s search function if you have trouble locating the file. Also, there are a few files on one of these pages that can be misused, such as buffer exploits and a program to reveal hidden passwords in dialog boxes. Whether they were intended to be misused, or to demonstrate insecurity, I’m not sure. That said, there are some other utilities on these pages that didn’t seem too useful to me, but they may be useful to you. I don’t want to throw out the baby with the bathwater, so here are a couple of dozen free utilities, linked using proper netiquette.

The listed file sizes are the size of the executable, not the download. The downloads are larger because they include additional files, usually source code.

Files from http://titiasm.cjb.net :

Memory Info. Want to know how much memory your system is using? Here ya go. This is faster than running Norton SysInfo or Microsoft System Monitor. 5.5K.

EdPad. Assembly language Notepad clone. Unfortunately it lacks search/replace. See TheGun for a closer NotePad replacement. 16K.

Resolver. A tiny utility to match Website URLs to IP addresses, and vice-versa. 4.5K.

Files from http://spiff.tripnet.se/~iczelion/source.html :

MP3play. A minimalist MP3 player. Also capable of playing WAV, MID, RMI, AIF, AU, and SND files. Supports playlists. Hint: Right-click in the program window to access its features. 10K.

Also includes miniMP3, a 3.5K player that just plays a single file you specify.

WordEdit. An RTF word processor/help file editor in assembler. Aside from being able to read Word 6 documents, it would make a fabulous WordPad replacement. Includes multiple-level undo and redo, font and color support. Major features missing from a full-blown word processor: spelling/grammar and print preview. Delete the included file splash.dll to eliminate the splash screen and long boot delay. 112K.

FileMan. A graphical two-pane file manager, like Norton Commander. 87K.

Clipboard. Intended mostly as a demo program, but it’s useful beyond its original design. Intended use: Put it in your Sendto folder and you can send file paths to the clipboard from a right-click on the file. Nice. But additionally, having a large object on the clipboard can slow down your system. Some programs ask when you exit if you want to clear it. Others don’t. This program pastes the command-line parameter you feed it to the clipboard, so a shortcut to this program that passes a single-character argument effectively clears your clipboard. Neat, huh? 2.5K.

EWCalc. A scientific calculator. Additionally, it’ll do decimal/hex/octal/binary conversion. 30.5K.

PlayCD. A simple CD player. 7.5K.

QuickBar. A lean replacement for the MS Office toolbar. 20K.

HTTP Downloader. Feed it a URL, and it downloads a file through HTTP, like Unix wget. 20.5K.

TheGun. A slightly enhanced replacement for Notepad. Edits large files, includes Ctrl-A hotkey for select all, and includes search/replace. Source not included. 6K.

QuickEdit. A more full-featured editor, includes HTML-to-text conversion and strips carriage returns. Download includes TheGun and a quick-and-dirty textfile viewer. Source not included. 27K.

Files from http://www.rbthomas.freeserve.co.uk/:

Screen savers. I hate screen savers, as everyone knows. Normally I use blank screen. This package includes a 6.5K 32-bit assembly language replacement for blank screen. (Microsoft’s blanker is 16-bit!) The others in the package prove that even when written in assembly, graphics-heavy screen savers eat up far too much CPU time.

RWave. Records and plays back WAV files. A suitable replacement for Sound Recorder. 5.5K.

Timer. This program isn’t a substitute for a common utility, but it’s useful for me. I’ve never gotten around to getting a timer for my kitchen. Now I can let my computer do the job. If your apartment’s as small as mine, or if you have a computer in your kitchen (why? Never mind. I don’t want to know.) yours can too. 31.5K.

More for less, but who wants it? And David Huff reports the P4 prices will plummet today. I thought I mentioned that, but maybe not. The 1.7 GHz model will launch at the insane price of $350 (Intel had planned to launch it at $700 or so). Margins? We don’t need no stinkin’ margins! Intel’s definitely running scared.

Enough of that. Time to take a hint from Frank. What else is there in life? I realized one night last week that I hadn’t gone record shopping in a long time, so I hit the local used shop. The pickings were a bit more sparse than usual, but I’d written down a couple of longshots to look for and I found them, along with a couple of surprises. First I found Starfish, by The Church, which features the track “Under the Milky Way,” a mainstay of ’80s radio and compilations. That’s probably the standout track, but for a band usually considered a one-hit wonder, it’s a really good album.

The other big surprise was Look Sharp!, which was Joe Jackson’s 1979 debut. I was surprised to find it’s mostly a guitar-bass-drum album. Jackson’s a piano player–and a darn good one. Jackson’s piano appears, but he’s rarely playing the lead instrument. The tracks that everyone remembers (“Is She Really Going Out With Him?” and the title track) are definitely the best parts of this album, but it was a strong effort. I can see where his following came from. But it was weird hearing him do what amounts to punk rock with a dose of literacy.

The first longshot was an album I’ve been looking for used for years: Doolittle by The Pixies. The Pixies are very much an acquired taste, but I acquired it. How to describe them? Dark, usually. Weird, always. This was generally regarded as their best album.

And the last longshot was Oyster by Heather Nova. Who? Yeah, I know. I once saw her mentioned in the same context as Aimee Mann and Dot Allison, so I kept an eye out. I think the comparison to those two is a bit shallow. Yes, the three of them are all blonde, female, and write their own songs, and both Nova and Allison play guitar (so does Mann, but she’s mostly a bass player). I recognized “Walk This World” as a song that got a fair bit of airtime on alternative radio about five years ago. Like Allison, her lyrics can get a bit suggestive sometimes, though there are plenty of people who get more so. Compared to Madonna, they’re both tame. But comparing them to an MTV-manufactured pop star is heresy, so I’ll stop now. The variety of styles Nova dabbles in on the album surprised me. Some tracks are dreamy and atmospheric reminiscent of Allison’s band One Dove, but right in the middle of the album is some pure hard rock in the form of a song called “Maybe an Angel.” Somehow that song avoids being over the top like a lot of hard rock does, and it’s far and away the best song on the album. And I’ve thought about those Allison-Mann-Nova comparisons. She’s dreamy and atmospheric like Allison, and often introspective like Mann, so maybe that’s the basis. At any rate, I’ll be keeping an eye on her, and not just because she has a really cool name.