You are viewing cinnicat

One thought sparks another that meets another spark that resembles another that continues one that seemed to go nowhere and so on and so on.

It all makes sense from far enough away.
May. 11th, 2011 @ 05:43 pm Still alive
Current Location: Washington, DC
Current Mood: complacent
Since I've posted here, I've had surgery to fix an ulcer on the bottom of my foot by removal of a foot bone and existed for a year with mainly Facebook updates.

I have also had a grand time exploring PHP programming with a forum I took over for my gaming group at I'm the type who when I find something that annoys me, I build to make it easier for myself. This typically makes it easier for the others who use the forum as well. :)

I did a lot of work in Washington DC for the Army last time I posted last year. I am currently doing a lot of work for the State Department in DC.

So yes, still here, still around.
Apr. 14th, 2010 @ 09:34 am How IT Security helps the hackers
Current Location: Arlington, VA
Current Mood: contemplative
Today, the latest research was reported, and it says what lots of us have known for a while: the required password changes don't help security. As the report likened it, the practice assumes that the thief who makes a copy of your house key will wait a few months before trying the lock. Right... we all know the delay for password usage is a day, at most, sometimes seconds if you fall for a phishing scam.

Yes, I can hear the cry now, that it limits the usefulness of stolen passwords to a timeframe. Surely that's a separate question, I must ask. A stolen password is usually changed by the hacker to allow time for whatever activities and review of the stolen data, without interference by the original owner. The hacker can easily keep changing the password themselves to comply with the automation if the proper owner doesn't report the problem. Again, a nonsensical practice with little benefit in reality.

The report does a rough estimate that the American population using computers with such policies earn some average of $16 billion/minute. It goes further to note that security measures assume that users have no value on time spent, else there would be some showing that over 16 billion is saved annually for just one minute of time spent changing and resetting passwords...which there isn't.

Ok, I'll go further now: password requirements. The practice of passwords following certain required formats, such as at least one upper case, one number, six characters, etc. actually *helps* hackers when these rules are known...and most of them are easily available or can be assumed. Obvious? Picture a program designed to crack your password (which follows your company's requirements of at least one lower, one upper, one special, one number and six characters minimum). Will the program need to bother to check 'aaaaaa'? No, of course not, if the hacker knows that your company doesn't allow such 'easily' guessed passwords! This eliminates all combinations of at least six all-lower-case combinations, perhaps 14% of the possible combinations by some quick calculations. Factor in other six-character combinations that don't satisfy your company's rules...and the brute-force method isn't looking too hard to do at all. Heck, eliminating words in the dictionary only helps the cracker program once it knows that requirement, more items it can dismiss out-of-hand. You can't use 'mYPass', why should the hacker spend time trying it?

Now, of course, these requirements were meant to get users to have a broad range of values, so that each character of your password could be one of (26 lower, 26 upper, 32 special, 10 digit) = 94 characters, which makes it hard to 'guess', assuredly. Most users, when given a free choice, put in simple and easy to remember values without regard to outside security. The rules are there to force such users to create broad values. But these same rules also limit that range, which is a security vulnerability. It also allows typical human nature to create a value that satisfies the minimum necessary of the rules: one digit, one upper-case letter, exactly six or eight characters, etc. This also makes a hacker's task easier, the percentage of people who go above and beyond is very low. And exceptions? The hacker can rest assured the company's Security IT will guarantee the rules specified, ensuring only a fraction of the total available combinations need be checked. In a company full of 8-character passwords with digits and special characters, the person with 'mywork' as a password is probably the safest from automated attacks against that company.

My suggestion? These 'requirements' limit all users to the same standards. I would randomly assign some variant of the rules to each user. This user needs to use 6 characters, one digit. That user needs eight, but 3 digits, one upper-case. This other user needs 6 again, but two upper-case, no minimum of digits. This would be randomly assigned to the user and persist for that user, the actual restrictions only easily known to IT Security and the user him/herself.

With that, the hacker doesn't know any range to limit their cracker programs, which penalizes them with searching the entire tree of passwords rather than the one branch current Security IT points out for them.

This makes sense? Currently, I think so. :) At least, it removes the implicit crutch many cracker programs can use these days. So yay!
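
Added example (not part of the original post): a small calculator that sizes the six-character keyspace under the post's 94-character alphabet, comparing the all-lowercase set, the single company-wide rule, and a pool of per-user rule variants. The `VARIANTS` list and all function names are constructed for this illustration.

```python
from itertools import product
from math import factorial

# Character classes as counted in the post: 26 lower, 26 upper, 10 digit, 32 special.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}
# The post's company rule: at least one character from every class.
COMPANY = {"lower": 1, "upper": 1, "digit": 1, "special": 1}
# Constructed per-user variants (assumption), loosely following the post's suggestion.
VARIANTS = [{"digit": 1}, {"digit": 3, "upper": 1}, {"upper": 2}]

def compositions(length):
    """Yield every (lower, upper, digit, special) count tuple that sums to length."""
    for counts in product(range(length + 1), repeat=len(CLASSES)):
        if sum(counts) == length:
            yield counts

def strings_with(counts):
    """Number of strings having exactly these per-class character counts."""
    arrangements = factorial(sum(counts))   # ways to place the classes by position
    choices = 1                             # ways to pick the actual characters
    for k, size in zip(counts, CLASSES.values()):
        arrangements //= factorial(k)
        choices *= size ** k
    return arrangements * choices

def satisfies(counts, policy):
    """A policy maps class name -> minimum count; absent classes have no minimum."""
    return all(k >= policy.get(name, 0) for k, name in zip(counts, CLASSES))

def candidates(length, policies):
    """Strings of this length accepted by at least one of the given policies."""
    return sum(strings_with(c) for c in compositions(length)
               if any(satisfies(c, p) for p in policies))

def report(length=6):
    """Keyspace sizes someone must cover under each assumption about the rules."""
    return {
        "total": sum(CLASSES.values()) ** length,
        "all_lowercase": CLASSES["lower"] ** length,
        "company_rule": candidates(length, [COMPANY]),
        "any_variant": candidates(length, VARIANTS),
    }

if __name__ == "__main__":
    result = report()
    for name, n in result.items():
        print(f"{name:14} {n:>16,} {n / result['total']:8.3%}")
```

The `company_rule` row is what remains when one published rule applies to everyone; the `any_variant` row is what remains when only the pool of possible rules is known, not which one a given user was assigned.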
Mar. 17th, 2010 @ 10:03 pm Tampering in Forum's Domain
Current Location: Alexandria, VA
Current Mood: pleased
I recently took over hosting the website for the LARPs I am in, starting really from scratch and learning as I go. It has been educational, with starting and copying in both a phpBB forum and a MediaWiki database. Even with GoDaddy's hosting center making it easy to do the initial install (and it still took me three tries with the automatic configuration :( ), I explored a little bit to see what actually makes this software run.

Wow. I think I understand it.

To celebrate, and because my fellow players started comparing cute avatars of our fantasy characters, I built a small mod for the forum to display the avatars and allow the players to update them. Took a little time and I started with something a bit similar to get the feel of it all...but it worked.

Ok, first flush of confidence! I added to it, allowing folks to indicate a basic status in the gallery of avatars. One player asked me later to worry why my avatar was grayed out. I had used the same background color for both missing and deceased characters as appropriate for the game. That's me if you go to that link, the Delphinan.

So what do I do next? I wasn't planning anything until I started using multiple accounts on the forum, and discovering how long it took to check one account, log out, log in on the other account, go back to the first, etc. How did the players with three or more accounts/characters do it? There was even an older thread in the forums I inherited discussing some sort of switch capability, though it seemed a hairy problem.

I started hacking...putting a note on the boards that I was the cause of the strange messages others were seeing. At the end of a few hours, I had it. Each member could now specify what other accounts could jump to their account without logout/login steps...then the display would provide a link to each of the character accounts you could jump into. I liked the new ease of use I had built-in, what before took quite a few seconds and several trips now became simple.

Now the yay. One of the players was very very pleased and said something that made my day today:

Renatasia Tygart (5:34:51 PM): I'm very extraordinarily happy with the hack you did.
Renatsia Tygart (5:34:57 PM): It's making my life a lot easier.

Thank you!
Feb. 26th, 2010 @ 04:55 pm When the Cat's Away...
Current Mood: annoyed
Well, drat it all, I can't go! My flight is at 6am that morning! :(

For those who want to see the Pixies (with Alexander):

Sunday February 28, 2010 — 8:00pm
The Hub Collective
1819 23rd Street
Sacramento, CA 95816
$6-$15 suggested donation
Don't miss the accompanying bake sale!
Jan. 2nd, 2010 @ 08:11 pm Look up!
Current Location: Somewhere...up!
Current Mood: good
Happy New Year (and Happy Mew Purr if you enjoy the pun)!

Flying home from Minnesota now, and I mean that literally. This airline provides (non-free, but available) wi-fi for in-flight internet access. And this is the proof.

We'll be landing in less than an hour, then need to get luggage, find the car, pay for two weeks economy parking, maybe some dinner, then home to rejoin the cats we left behind. There is much looking forward to feline snits and then purrrs. Thanks satyrlovesong and her progeny for looking after them!

Also, I am happy to see the temperature at home is a comfortable and livable positive number. Today's forecast for Minneapolis was a high in the negatives.....yikes!

Planning on games day tomorrow, after crashing a bit. Fortunately, I don't leave for work until Tuesday this week so I don't need an early night Sunday. Huzzah!

Yes, I've fallen into stream-of-consciousness writing the last few posts. Bad habit, but easy on the brain unfortunately.
Dec. 27th, 2009 @ 02:04 am The Spirit Incarnated
Current Location: Apple Valley, MN
Current Mood: satisfied
So, decided to see Avatar today. :)

The plan was to go see some of lady_cinnicat's friends here in Minnesota, then catch the 3:45pm IMAX 3D show. Unfortunately, we didn't take our leave until 3:30pm. Being the intelligent sort, we decide to not rush and just get the 7:00pm show, and hey, we can stop by the theater and get tickets now. Good thing we did, we discovered that 3:45pm had been sold out since the morning, 7:00pm was just sold out and 10:15 was selling quickly. We snarfed up the 10:15pm show.

There followed a period of quiet and happy shopping for games, mp3 players and dinner with the in-laws.

Then 3 hours of 'Wow'. Avatar is good. Yes, predictable, but the graphics and realization of the alien world is simply high-sugar eye candy. We almost forgave the theater for showing the pre-show ads along with the first five minutes of the movie. :) For the prices we charge, we want ad-free! :) There was applause when the extra video feed finally cut out.

Sadly, lady_cinnicat got the better show. Remember that 3D part? My left eye couldn't get enough detail to get that effect with the theater glasses. Fortunately, my right eye could at least get the 2D effect with the glasses. I thought at first without the glasses I would go, but the 3D imagery means that everything on-screen shows in several overlapping images to be interpreted by the two eyes through the eyewear. That's confusing to watch, so I happily retreated to monocle-vision.

Avatar is good. 3 hours, but good. And as a fan of anthropomorphics and transformation stories, it is good fare I can recommend.
Dec. 17th, 2009 @ 11:21 pm Long time to home
Current Location: Sacramento, CA
Current Mood: cranky
Got to the Kearney, Nebraska airport at 12:30pm Central time. Got off the plane in Sacramento at 10:30pm Pacific time. Yes, that's 12 hours.

Waiting for lady_cinnicat to arrive. She just called, getting onto the freeway. She'll probably want dinner. Don't want to think about 8am appointment and everything else tomorrow.

*sigh* I get annoyed at coworkers for continually kidnapping me for long dinners, when we carpool? What part of 'I want to go to the hotel, I have things to do' says that it is okay to go to a restaurant? The only time I got to go back early on this assignment was when I was visibly ill. Last night I finally got up and walked to the hotel nearby, grabbing my computer out of the car at 10:00pm while they continued to plan a late-night geocaching. This is how clueless they are: one asked after I gave back the keys after getting my bag out of the car if I wanted to go check out the cache outside the restaurant. Gah.....

Yah, the work schedule is getting to me today.
Dec. 12th, 2009 @ 10:40 pm Dickens 2009
Current Location: Davis, CA
Current Mood: chipper
Dickens or Dinner?

Yay, Dickens Faire!

Had a good time with everyone else who went (kit1508 and others), got some bangers, did some shopping (including a wand with belt holster as I start looking at next halloween far far too early). I also decided to upgrade my black bowtie to something more dickens-y. And the good shopkeeper helped me pick out a vest, chavet (?) and pin to replace the plain black look. I think it looks pretty good, and so did others.

Met up with Hilary while I was out there, good to see her again and glad she is doing better now. Will have to keep in touch more often.

I liked the gambling palace there, and was doing well. I gave a friend four chips to play and he let it ride a few times, curious about it. I got back quite an amount and cashed it in for a small prize or three.

Sadly, we got there too late to get seating at the tea room, which goes to show how important it is to get there early. We did get tickets to the tasteful, saucy, and innuendo-filled French Postcards show. Always a treat, and funny too.

About the only distasteful part was all the rain! We had to wait in line about 20 minutes in the rain to get tickets for which I fortunately had a couple umbrellas in the car as our late arrival also meant we parked in the back of the main parking lot. I understood other groups of friends arriving after us had to park behind the building and hike around in the dismal weather. The rain also made the trip home a bit nervous, but got there safe and sound.
Dec. 2nd, 2009 @ 05:05 pm Middle of it all
Current Location: Sidney, NE
Current Mood: lazy
Current Music: "Dryad's Promise" - Tricky Pixie
And this month, Sidney in the great state of Nebraska! Well, at least I'm not flying here for work. No, I get to fly to Denver, then car pool to Nebraska. Oh joy. At least we get to leave mid-day on Thursday for the 2.5 hour drive back to Denver. If I can get out of driving, nice time to read or use the Playstation Portable, yes? Well, I do get time afterwards, my available flights are in the evening so there's a 4 hour wait at least. Mega-surf time. I think I'll try the United Red Carpet Club, someplace to crash maybe.

Or massage. My shoulder has been feeling better and moving better, but I still get stiff and tense, and Denver Airport has a mini-spa...

It's been three weeks working here. They managed to get me remote VPN access yesterday. The badge to get into the building and the wireless access to use my laptop will take a little longer, evidently.

Managed to get out of jury duty until mid-January. Something about starting a new assignment in Nebraska the start of the following week.... :)

Thanksgiving was good, no one can starve when five sisters (my mother and my aunts) conspire to each cook dinner and bring it to one house. Yeah, leftover turkey is in the lasagna.

Getting to be time to get my cataract looked at in my other eye. This work assignment meant I had to give up ('postpone') my Christmas vacation and that means I will have two extra weeks at some point. Might be a good time to get my foot also taken care of. *sigh* Though lounging does sound *really* tempting. I am upset that this postponement happened, and will not be happy if raises are again 'postponed'. I did really well last year and not seeing much of a link to good performance. Perhaps I should look at something else, but what pays enough locally that can handle me (and vice-versa)?

Games go well, been having folks over on Sundays, and doing LARPs and boardgames on Fridays. I need to start ramping up my plots from being mostly solitaire and figure an angle to get more folks involved *before* the big 'stop the consequences-laden action' push at the end. There usually is one, on the assumption that affecting people is bad. :)

The cats are fine. George and Shadow are demanding more attention from me, while Sammy continues to worship lady_cinnicat. We're taking the whole kaboodle in for the vet this the same time. Oy vey...

lady_cinnicat still has good and not-so-good days with her arthritis, but enjoys her addiction to World of Warcraft. She is disappointed that I will be working when we fly to Minnesota this Christmas (at least I got to work remotely in this deal), but is excited about seeing snow for the holidays. We'll be bringing Dominion, a card game that we surprisingly got her father to play and that he liked.

Time to start holiday shopping. If I have them, get those wishlists updated. :)

And lucky me, I just got a $5 lottery scratcher to yield $50. Cool.
Nov. 1st, 2009 @ 02:13 am Happy Halloween!
Current Location: Davis, CA
Current Mood: accomplished
For your viewing pleasure, the Corporate Pirate:

I did manage to sign a credit card receipt with an 'X' of the knife today.  :)  Arrrr!  And a Happy Halloween ye have had too!