Linkbait II

In this second round of Linkbait, I’ve got a bunch of political or economic articles to kick things off.

This eerily reminds me of Shadowrun – not in a good way:

“The new texts reveal that TPP negotiators are considering a dispute resolution process that would grant transnational corporations special authority to challenge countries’ laws, regulations and court decisions in international tribunals that circumvent domestic judicial systems.”

In other words, corporations would get the ability to bypass national courts. It’s not at all surprising that this trade agreement is negotiated behind closed doors, where 100% transparency would be in order.

Speaking of making laws, here’s a nice German example where more transparency would also help the matter. Also I like the cynical formulation here:

“The associations of newspaper and magazine publishers, BDZV and VDZ, issued only a meagre joint statement that reads as if their spokespeople had been forced at gunpoint to formulate it, and had handed over access to the press distribution list only in exchange for several subjunctives.”

Found in an article about the German “Leistungsschutzrecht”.

The Melting North

Back to more global discussions: Don’t you also agree that the melting Arctic is an awesome opportunity? No? Well, that’s what Shell thinks. And they’ve set up a big-ass campaign to convince others. With headlines like this:

For hundreds of years, explorers have battled the Arctic.
Today, we’re finally winning.

One activist group figured they could do something about that, and produced this fake PR fail video. It’s pretty well done, but still a fake, as this making-of also shows.

Those PR and counter-PR campaigns are rather useless if you actually want to get to know what’s going on in the Arctic. More by chance I found a special about that exact topic in The Economist (read it on the plane to SF). The full special can be read online, starting with “The Melting North”. There are seven more articles in that series – the links are somewhat hidden in a popup menu above the main header (look for “Special report: The Arctic”).

Keep in mind that The Economist, let’s say, isn’t sceptical of capitalism. In this case I think that’s actually a healthy perspective, as you’d want to understand the perspective of companies like Shell.

Closing Videos

If you’ve come this far, you’ve earned something to kick back and watch. To start, someone explains how to use an abacus. It’s in German though. In particular the division, close to the end, is really interesting:

Watch Dogs Gameplay Trailer

And one more video, a gameplay trailer for “Watch Dogs”. This is pretty much the most impressive video game trailer I’ve seen in a long time. And not just because it shows actual gameplay (instead of pointless prerendered scenes). The game seems to be an open world game with plenty of gameplay options, in a setting that looks a bit like a mixture of Neuromancer (aka pure Cyberpunk, not the Shadowrun fantasy mashup) and Daniel Suarez’ Daemon/Freedom duology (which I can’t recommend enough). Especially the last scene, where other agents are “activated” to help the main character, seems to be heavily inspired by the Darknet.

Talk Checklist

There’s a new page on this site, the Talk Checklist. It’s just that: A checklist to go through when preparing a talk for meetups or conferences. It also includes a few bullets that could help with creating the outline for the talk and the actual execution.

As the page itself also says: This is a checklist I started in 2011 to use whenever I prepare a talk, and to update after I learn something new. If you have ideas for further improvements, let me know. Just keep in mind that it should be kept as a checklist; details must live elsewhere.

I’ve published that now to contribute something to weareallaweso.me. As a meetup co-organizer I’m generally looking for speakers, and that site has plenty of information that hopefully encourages more people to get involved at meetups and conferences.

Linkbait I

While I like Facebook for its private groups feature, the public sharing sucks. Unless I send something to a friend directly, it’s likely that they don’t see it or don’t bother looking at it, if the title isn’t extremely linkbaity. So, to stop complaining, I’ll try and post good stuff here, maybe with a monthly iteration.

Longer reading

To start, cracked.com on 6 Ridiculous Lies You Believe About the Founding of America. Yeah, they know how to do linkbaity titles, but it’s also an entertaining and somewhat informative read. As Marcus points out in a comment below, the article is very questionable in various aspects (read his comment), but most of all is in essence stolen from Howard Zinn’s “A People’s History of the United States”. So go read that instead.

An in-depth explanation of how SSDs work on arstechnica.com. It’s pretty long, so read at least the introduction, where the author compares the introduction of 3D-accelerated graphics cards to SSDs.

The Video Section

Somehow I ended up with a bunch of videos to share. Here they are in order of length.

Reverse-engineering Prodigy’s “Smack My Bitch Up”, then making a Making Of in Ableton out of that – really impressive stuff on two levels at once.

No embed in this case, but very much worth watching (about 13 minutes): Hans Rosling talking about Religion and Babies, along with a few interesting related conclusions. If you’ve never heard of Hans Rosling before, you should also watch his previous TED talk.

A comparison of the first Mega Man game and Mega Man X (19 minutes), with a lot of focus on how especially Mega Man X does a great job of teaching you the game in the first intro stage, without ever telling you what to do or what button to press.

Full concert of Metallica playing at Rock am Ring, more than two hours and a great set.

Security Trolls

Here’s how I imagine a security troll works: Google for “md5” or “sha1”. Look for blog posts that discuss those hashing algorithms in some security context, like storing passwords or checking file integrity. Then post a comment that’s barely more than this: “md5 is insecure!”, replacing “md5” accordingly. Make sure to never add anything useful, like details, context or alternatives.

Pretty simple, isn’t it? So what’s wrong with just saying that “md5 is insecure”? Isn’t it true? Hasn’t md5 failed in all kinds of ways?

Sure, but does that matter? If you need a hashing algorithm to secure your root SSL certificates, yeah, don’t use md5, use a better algorithm like SHA-256 where it’s not as easy to produce hash collisions. If you store passwords (which you shouldn’t), use a really slow algorithm to hash the password, along with a salt, like BCrypt (more below) – Jeff also recommends this (at the end of his post).

But if all you need is a simple checksum to verify that the files you got from your FTP server aren’t corrupted by network traffic, and speed is really important, then md5 might be the right choice, as it’s really, really fast. Which is exactly the reason why it sucks for passwords, because you can brute force a 7 character password on a modern GPU in a few minutes.

If you’ve read this far, you hopefully don’t think that I’m anything near an authority on these questions. Yet in my experience, finding someone who really knows about this stuff and getting him to share his knowledge in a useful way is really tough. Here’s an example of that.

How To Throttle Login Attempts

Back in 2009, I posted a question on Stack Overflow about throttling login attempts. The question came up after reading another one of Jeff’s posts, which didn’t really provide any answers about properly implementing the throttling. What I was looking for, which may not have been made clear by the question, was an algorithm which would do this properly: Do you filter by user session? By IP address? A mix? A fixed increment, or an exponential one?

Basically, my assumption was: Someone must’ve implemented this before and figured out a good approach. One that holds up in a security audit. I’m fine with reimplementing the actual solution, but I really don’t want to reinvent the wheel in this security-sensitive context. Screwing it up might mean that regular users get pissed off because they get kicked out of the system for a typo in their password while logging in. And with a product that is just getting started, putting security over user experience is a pretty bad deal. I’m fine with jumping through a few hoops to get into my online banking account, but logging into this random site should really be as simple as possible, as far as username/password logins go anyway.

Since I posted it, the question has got more than 3,000 views. So I’m certainly not the only one interested. Too bad there’s still no satisfying answer…
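To make the design questions above concrete (per user or per IP, fixed or exponential increment), here is an added example of one possible throttling policy. It is not the answer from the Stack Overflow question nor code from the post: it tracks failures under two keys, the account name and the source address, allows a few free attempts, then doubles the required wait after every further failure up to a cap, and clears the account counter (but not the address counter) on a successful login. The constants, the two-key policy and the sample addresses are assumptions constructed for this illustration.

```python
import time

# Constructed policy for this example; tune to your own user base.
FREE_ATTEMPTS = 3        # failures tolerated before any delay kicks in
BASE_DELAY = 2.0         # seconds to wait after the first throttled failure
MAX_DELAY = 15 * 60      # never require more than 15 minutes
RESET_AFTER = 60 * 60    # forget a counter after an hour without failures


class LoginThrottle:
    """Exponential back-off on failed logins, keyed by account and by IP."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for deterministic tests
        self.failures = {}          # key -> (failure_count, last_failure_time)

    def _delay_for(self, count):
        # 0 during the free allowance, then 2s, 4s, 8s, ... capped at MAX_DELAY
        if count <= FREE_ATTEMPTS:
            return 0.0
        return min(BASE_DELAY * 2 ** (count - FREE_ATTEMPTS - 1), MAX_DELAY)

    def _state(self, key):
        count, last = self.failures.get(key, (0, 0.0))
        if count and self.clock() - last > RESET_AFTER:
            count, last = 0, 0.0    # stale counter: start over
        return count, last

    def retry_after(self, username, ip):
        """Seconds the caller must still wait; 0.0 means the attempt may proceed.
        The stricter of the per-user and per-IP counters wins."""
        now = self.clock()
        wait = 0.0
        for key in (("user", username), ("ip", ip)):
            count, last = self._state(key)
            wait = max(wait, last + self._delay_for(count) - now)
        return max(wait, 0.0)

    def record_failure(self, username, ip):
        now = self.clock()
        for key in (("user", username), ("ip", ip)):
            count, _ = self._state(key)
            self.failures[key] = (count + 1, now)

    def record_success(self, username, ip):
        # A correct login clears the account counter only; the IP counter stays,
        # so one guessed password does not unlock a source that is spraying.
        self.failures.pop(("user", username), None)


def simulate():
    """Six back-to-back failures for one account, one second apart, with a fake
    clock. Returns the wait each attempt would have been told to observe."""
    clock = [1000.0]
    throttle = LoginThrottle(clock=lambda: clock[0])
    waits = []
    for _ in range(6):
        waits.append(throttle.retry_after("alice", "203.0.113.7"))  # constructed IP
        throttle.record_failure("alice", "203.0.113.7")
        clock[0] += 1.0
    return waits


if __name__ == "__main__":
    print(simulate())  # [0.0, 0.0, 0.0, 0.0, 1.0, 3.0]
```

The free allowance is what keeps a user who fat-fingers their password once or twice from being locked out, which is the user-experience concern raised above; the cap keeps an attacker who deliberately fails logins from locking a legitimate user out indefinitely.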

Advanced Trolling with BCrypt

I’ve mentioned BCrypt before: It’s a hash function specifically designed for passwords, and you’ll find it recommended in various places. The unfortunate aspect: The Wikipedia page on the topic is pretty thin, only providing an overview, the algorithm and implementation links, but nothing about the usage context or its limitations. In other words, if you see someone like Jeff recommending BCrypt, then try to research more about it, you almost feel like you’re getting trolled again. Why is this one function supposed to be any better than other hash functions? Why does the Java implementation include a salt generator, where the salt is stored inside the resulting hash? Are there more security issues in that implementation, like the pre-0.3 character encoding one? Without the knowledge of a cryptographer, how can we evaluate if this function is any better than md5? Here’s hoping for fewer security trolls, for more useful security evangelism, like OWASP is providing (even though their Password Storage Cheat Sheet mentions BCrypt only on the side).
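Two of the questions above, why a slow salted hash is better than plain md5 for passwords (raised in the Security Trolls section) and why the salt is stored inside the resulting hash, can be shown with a small added example. This is not code from the post or from any BCrypt implementation: the standard library’s PBKDF2-HMAC-SHA256 stands in for BCrypt, and the `$algorithm$iterations$salt$digest` string layout is a constructed format that copies BCrypt’s idea of carrying the work factor and salt inside the stored value, so that verification and a later “is this hash strong enough” check need nothing but the stored string.

```python
import base64
import hashlib
import hmac
import os

# Constructed format for this example; not BCrypt's real "$2a$" encoding.
ALGORITHM = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 200_000   # work factor: raise it as hardware gets faster


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a self-describing string: algorithm, work factor, salt and digest.
    A fresh random salt per password means equal passwords yield different hashes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(("", ALGORITHM, str(iterations), _b64(salt), _b64(digest)))


def verify_password(password, stored):
    """Recompute the digest with the salt and iteration count taken from the
    stored string itself, then compare in constant time."""
    try:
        _, algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:           # malformed string, bad base64 or iteration count
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, iterations=DEFAULT_ITERATIONS):
    """True when the stored value was produced with a weaker work factor than
    wanted today. Because the work factor is embedded, this needs no password;
    the rehash itself happens at the user's next successful login."""
    parts = stored.split("$")
    return len(parts) != 5 or parts[1] != ALGORITHM or int(parts[2]) < iterations


def unsalted_md5(password):
    """The contrast case: fast, and identical for every user with the same password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    stored = hash_password("correct horse")
    print(stored)
    print(verify_password("correct horse", stored), verify_password("wrong", stored))
```

Beyond the page’s specific case, the example also shows the practical reason for the embedded work factor: an existing user database can be migrated to a stronger setting gradually, one login at a time, without anyone knowing the plaintext passwords.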

For a little bit of further reading, including a misleading comment about md5 and salting, here’s an old chat log about the same topic. Or read an XKCD comic on passwords.