Security Trolls

Here’s how I imagine a security troll works: Google for “md5” or “sha1”. Look for blog posts that discuss those hashing algorithms in some security context, like storing passwords or checking file integrity. Then post a comment that’s barely more than this: “md5 is insecure!”, replacing “md5” accordingly. Make sure to never add anything useful, like details, context or alternatives.

Pretty simple, isn’t it? So what’s wrong with just saying that “md5 is insecure”? Isn’t it true? Hasn’t md5 failed in all kinds of ways?

Sure, but does that matter? If you need a hashing algorithm to secure your root SSL certificates, yeah, don’t use md5; use a better algorithm like SHA-256, where it’s not as easy to produce hash collisions. If you store passwords (which you shouldn’t), use a really slow algorithm to hash the password, along with a salt, like BCrypt (more below) – Jeff also recommends this (at the end of his post).

But if all you need is a simple checksum to verify that the files you got from your FTP server aren’t corrupted by network traffic, and speed is really important, then md5 might be the right choice, as it’s really, really fast. That speed is exactly why it sucks for passwords: a 7-character password can be brute-forced on a modern GPU in a few minutes.

If you’ve read this far, you hopefully don’t think that I’m anything near an authority on these questions. Yet in my experience, finding someone who really knows about this stuff and getting him to share his knowledge in a useful way is really tough. Here’s an example of that.

How To Throttle Login Attempts

Back in 2009, I posted a question on Stack Overflow about throttling login attempts. The question came up after reading another one of Jeff’s posts, which didn’t really provide any answers about properly implementing the throttling. What I was looking for, which may not have been made clear by the question, was an algorithm which would do this properly: Do you filter by user session? By IP address? A mix? A fixed increment, or an exponential one?

Basically, my assumption was: Someone must’ve implemented this before and figured out a good approach. One that holds up in a security audit. I’m fine with reimplementing the actual solution, but I really don’t want to reinvent the wheel in this security-sensitive context. Screwing it up might mean that regular users get pissed off because they get kicked out of the system for a typo in their password while logging in. And with a product that is just getting started, putting security over user experience is a pretty bad deal. I’m fine with jumping through a few hoops to get into my online banking account, but logging into this random site should really be as simple as possible, as far as username/password logins go anyway.

Since I posted it, the question has got more than 3,000 views. So I’m certainly not the only one interested. Too bad there’s still no satisfying answer…
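As an added example that is not from the original post, from Jeff’s post or from any Stack Overflow answer, here is one way to answer the questions above in Python: exponential back-off tracked both per account and per client IP, with a few free attempts so a single typo doesn’t punish a regular user, and a window after which old failures are forgotten. The delays, the window and the sample addresses are constructed values for the illustration, not numbers from any audit or standard.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class _FailureRecord:
    failures: int = 0          # failures seen for this key since the last reset
    last_failure: float = 0.0  # timestamp (seconds) of the most recent one


class LoginThrottle:
    """Exponential back-off on failed logins, tracked per account and per client IP.

    The first `free_attempts` failures on a key cost nothing, so a user who
    mistypes a password once is not punished. Each failure beyond that doubles
    the wait before the next attempt on that key, starting at `base_delay` and
    capped at `max_delay`. A key's record is forgotten after `window` seconds
    without a failure. Callers check retry_after() before verifying credentials
    and report the outcome with record_failure() / record_success().
    """

    def __init__(self, base_delay: float = 1.0, max_delay: float = 300.0,
                 window: float = 900.0, free_attempts: int = 3) -> None:
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.window = window
        self.free_attempts = free_attempts
        self._records: Dict[Tuple[str, str], _FailureRecord] = {}

    @staticmethod
    def _keys(username: str, ip: str) -> Tuple[Tuple[str, str], Tuple[str, str]]:
        # Two independent keys: one for the account, one for the source address.
        return ("user", username), ("ip", ip)

    def _wait_for(self, key: Tuple[str, str], now: float) -> float:
        rec = self._records.get(key)
        if rec is None:
            return 0.0
        if now - rec.last_failure > self.window:
            # Quiet long enough: forget the history for this key.
            del self._records[key]
            return 0.0
        punished = rec.failures - self.free_attempts
        if punished <= 0:
            return 0.0
        wait = min(self.base_delay * (2 ** (punished - 1)), self.max_delay)
        return max(0.0, rec.last_failure + wait - now)

    def retry_after(self, username: str, ip: str, now: Optional[float] = None) -> float:
        """Seconds to wait before this login may be attempted (0 = go ahead).
        The stricter of the account back-off and the IP back-off applies."""
        now = time.time() if now is None else now
        return max(self._wait_for(key, now) for key in self._keys(username, ip))

    def record_failure(self, username: str, ip: str, now: Optional[float] = None) -> None:
        """Count a failed attempt against both the account and the IP."""
        now = time.time() if now is None else now
        for key in self._keys(username, ip):
            rec = self._records.setdefault(key, _FailureRecord())
            rec.failures += 1
            rec.last_failure = now

    def record_success(self, username: str) -> None:
        """Reset the account's counter after a correct login. The IP counter is
        deliberately left alone: one valid login must not wipe the history of
        an address that is also hammering other accounts."""
        self._records.pop(("user", username), None)


if __name__ == "__main__":
    throttle = LoginThrottle(base_delay=1, max_delay=60, window=900, free_attempts=3)
    ip = "198.51.100.7"  # constructed sample address
    for t in range(6):   # six wrong passwords, one per second
        print(f"t={t}s: wait {throttle.retry_after('alice', ip, now=t):.0f}s before trying")
        throttle.record_failure("alice", ip, now=t)
```

The `now` parameter exists so the policy can be exercised deterministically; in a real login handler leave it out and the wall clock is used. Keying on the account as well as the IP is what stops a distributed guessing run against one user, while the per-IP key stops one address from walking through many accounts.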

Advanced Trolling with BCrypt

I’ve mentioned BCrypt before: It’s a hash function specifically designed for passwords, and you’ll find it recommended in various places. The unfortunate aspect: The Wikipedia page on the topic is pretty thin, only providing an overview, the algorithm and implementation links, but nothing about the usage context or its limitations. In other words, if you see someone like Jeff recommending BCrypt, then try to research more about it, you almost feel like you’re getting trolled again. Why is this one function supposed to be any better than other hash functions? Why does the Java implementation include a salt generator, where the salt is stored inside the resulting hash? Are there more security issues in that implementation, like the pre-0.3 character encoding one? Without the knowledge of a cryptographer, how can we evaluate if this function is any better than md5? Here’s hoping for fewer security trolls and more useful security evangelism, like OWASP is providing (even though their Password Storage Cheat Sheet mentions BCrypt only on the side).
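An added example, not code from this post, from Jeff’s post or from any BCrypt implementation, to illustrate the two uses discussed earlier (a fast checksum for corruption vs. a slow salted hash for passwords) and the question of why the salt lives inside the stored hash. BCrypt itself is not in the Python standard library, so the slow, salted password hash below uses hashlib.pbkdf2_hmac as a stand-in (an assumption for this example); what it shares with BCrypt is the layout: one self-describing string that carries algorithm, cost, salt and digest, so verification needs nothing but that string. The iteration count is a constructed sample value.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 200_000   # constructed sample cost; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return one self-describing string: $algorithm$iterations$salt$digest.

    The salt is generated here and stored inside the result, so nothing but this
    string has to be kept per user. That is the reason a BCrypt library ships a
    salt generator and keeps the salt inside its hash: the verifier must be able
    to recompute with exactly the same salt and cost."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["", ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def _parse(stored: str) -> Optional[Tuple[int, bytes, bytes]]:
    """Split a stored string into (iterations, salt, digest); None if malformed."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != ALGORITHM:
        return None
    try:
        return int(parts[2]), base64.b64decode(parts[3]), base64.b64decode(parts[4])
    except ValueError:  # bad integer or bad base64 (binascii.Error is a ValueError)
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and cost taken from the stored string and compare
    in constant time, so response timing does not leak how many bytes matched."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, digest = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the stored hash used a lower cost than the current setting. Because
    the cost travels with the hash, old entries can be upgraded at the next login."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < iterations


def md5_checksum(data: bytes) -> str:
    """Plain md5: fast and unsalted, which is fine for spotting accidental
    corruption of a download and exactly wrong for passwords, where the same
    input always giving the same output is what makes precomputation cheap."""
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("same password, second hash differs:",
          hash_password("correct horse battery staple") != stored)
    print("verify right password:", verify_password("correct horse battery staple", stored))
    print("verify wrong password:", verify_password("Tr0ub4dor&3", stored))
    print("md5 of a downloaded file body:", md5_checksum(b"constructed file contents"))
```

Two hashes of the same password differ because each gets its own salt, which is the property an unsalted md5 lacks; the checksum function is kept next to it to make the contrast visible. The `needs_rehash` helper shows the second benefit of the self-describing format: the cost can be raised later without invalidating existing accounts.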

For a little bit of further reading, including a misleading comment about md5 and salting, here’s an old chat log about the same topic. Or read an XKCD comic on passwords.

Gamers: Like rats in a trap

This is the second guest post on this blog, this time by my friend Marcus Kästner.

Naive me. I thought that DRM was dead – but then, I’m a music consumer mostly. They’ve tried their best, these major labels, and people like me showed them the finger. In the process of this battle, music distribution widened and independent platforms, in some cases the artists themselves, started offering their music. This battle for liberation is far from over, considering the titans like iTunes are still around. But in one thing, we’ve won: the music that we buy is to a satisfactory level “ours”, meaning, we can listen to it where we want, on the platform that we choose and we can sell CDs, DVDs, and LPs to others. Considering this background, I’m asking myself: Why did DRM prevail in other media? Why is it even dominating the gaming industry in particular?

Give me steam!

The key factor to the answer is Valve’s Steam. Valve came out in the middle of the 90s and produced one of the major titles of video game history: Half-Life, still surviving to this day through the Counter-Strike mod. With Half-Life came a unique key that players had to enter before they could play, but even though the keys had to be correct to play on the internet, offline players could just copy the game and use a key generator to play it. Also, keys were not personalized, you could trade them, sell them or use as many as you like.

Even though I do think that Valve made quite a fortune with Half-Life, it obviously wasn’t enough for them: “Damn you, second hand market!”, they thought and with the release of Half-Life 2 came Steam, quoting Wikipedia: “a digital distribution, digital rights management, multiplayer and communications platform”, basically securing that the customer-game relation became 1:1, meaning by online registration the customer gains the “right” to play a game, but once activated not the right to resell it. Again quoting from Wikipedia, Steam has become awfully successful in that:

As of January 2012, there are 1504 games available through Steam, and 40 million active user accounts. The concurrent users peak was 5 million on January 2, 2012. Although Valve never releases sales figures, Stardock, former owner of competing platform Impulse, estimated in 2009 that Steam had a 70% share of the digital distribution market for video games.

First encounter

I don’t play a lot of games anymore. I was, back then, when the market was a bit more liberal, but first the lack of contemporary technology and then disinterest led me away from the hype of the new games and the race for ever more polygons. I’m fine with that. I sometimes have a quick read of game magazines when I’m at my friends’ homes and I see the same games I played 10 or 12 years ago, just mildly looking better (or so their designers think). I only stumbled upon Steam when I got a promotional copy of Mount & Blade: Fire and Sword and had to activate it on Steam.

I was seriously appalled. Here I had a game, fully functional and now I had to install another program, make an online account on this dubious platform? I had to discuss this, but my friends who had used it since Half-Life 2 and were by now (by all means) familiar with the system, couldn’t see my point. Was I fighting windmills? Or were they just indifferent to the real threat of DRM?

The broad response

There is a lot of criticism on Valve’s platform. Yet, this criticism, as far as I see it, stays completely inherent. Along my stroll around the internet, I found complaints about features, prices and the difficulty of age restrictions, but no strong criticism of the system itself. A lot of current discussions revolve around whether EA’s Origin or Steam should be used and so on, but the question they should ask is: What can we do so that we don’t have to use any of these?

The DRM platforms are taking more and more control over games and gamers and everyone is just opening their purses, allowing companies to control their personal data and sell, or rather: lease a product to them that they can’t handle the way they want. I kept questioning, wanting to understand how and why this happened. How come these people stood for the “freedom of information” on the internet and at the same time were avid users of Steam?

Lured into the cage

Needless to say, these platforms work very efficiently – and this is what most users would say if confronted by the question: Why do you use them? I cannot deny it and won’t! And I don’t need to. If efficiency was the key factor in determining the quality of a system, I wonder why we prefer democracy over dictatorship, the latter being much more efficient in ways of decision-making and control. But where are the ethics, the justice, the freedom?

The users of Steam gave it away for “one click” that buys the product, for automatic updates and savegames in a cloud; generally: for the bits of cheese that lay in the cage; and while eating it, the trap spun. Now mother Steam is there to feed them. And coming back to the lack of appropriate criticism: I think many Steam users wished every game was available there, that they could stay in the cage for as long as they liked. Does that sound horrifying? Wake up! Time to leave the cage!

Why using Steam? Oh, because you think you have to!

There still are some games you can get via conservative (meaning: good ol’) ways of distribution or via direct distribution – take Minecraft for example (I hope it’ll stay like that). Or go out and find some classics in a store. I often wonder about the cheap prices for used games. A few weeks ago I bought Civilization II for 1€ (about $1) – hours and hours of entertainment for the price of a Snickers bar! You even get a load of great games for free these days. Ever tried abandonia.com? Or buy games on GOG.com. I love their motto: “Forget activations or malicious DRM – every game on GOG.com is 100% DRM-free. You buy it. You own it” – hell, yes!

For too long, the gaming community has stayed silent. The gamers let themselves be trapped like rats in a corporate cage. The protests against the music industry have shown what strength lies in the defiance of the individual against the mighty industry. So, hands up! Who’s with me?

Update, 13th of June 2013

We‘re one year into the future and – alas – nothing much seems to have changed. Quite the contrary, with the release of the next generation consoles and especially the new Xbox (called “One”, since in their opinion you’ll only be needing that one console for any form of entertainment, which is creepy enough), we’re on our way to the next step of company control over customers. I hate to see that, it leaves me bitter and cynical. How desperate and needy are we to receive our share of redundant entertainment that we give up on our basic rights, our freedom?

Just a few days ago, a certain Edward Snowden blew the whistle to reveal a broad espionage program the NSA runs to read through our online communication. The shocking revelation rightfully outraged internet users all around the globe and yet, I wonder how many of these people will buy the new Xbox and simply won’t care about their personal data and information being collected, analyzed, and used for commercial purposes or worse. German Wikipedia states that the new Xbox must be connected to the internet at least once in intervals of 24 hours and if you don’t manage to achieve that, you lose all your games library. That’s the stuff you guys have been waiting for, I know. A console that bullies you – and you’re even paying for it.

Just use the alternatives, goddammit!

“Stop playing games, then”, I hear people say, but I’ve played a lot of games during the past year and it was thanks to comments like Enes’ below that I felt motivated to use the platform “Good Old Games” a lot for buying games online. Their service is great: You get installers that function perfectly and even with old DOS games, plus bonus material such as original handbooks, sheets, and maps as PDFs, and the occasional soundtrack. It’s so comfortable and yet without any restrictions and certainly no DRM. I’ve downloaded and played jewels such as Fallout 2, Master of Orion 2, and the phenomenal Gabriel Knight series which I somehow missed back in the days. And all of these for a price of 5 to 10 Dollars per game – excellent!

I hope GOG will continue to thrive and attract more and more companies to their platform. Just the fact that it’s growing shows, that companies can trust their customers. I could install my games on any other machine, even share them with friends, but whenever we talk about games on GOG, everyone just buys them themselves. Already, you can buy some new games there, though most of them are indie productions, which is great too, but I’d like to see some of the big ones there (I’d sure like to play Bethesda’s Skyrim at some point, to be honest, but I can live without it).

I don’t want to advertize for them and I’m surely not bought: As of yet, I haven’t seen a similarly appealing approach on the internet, so I’ll continue recommending GOG to others. Please use the comments below if you know of any alternatives. After all, the lack of competition seems to have been one of the main reasons for DRM to spread out in the first place.

Epilogue

I encountered a lot of incomprehension after writing the first part of this text and those people will probably be estranged by this following rant, as well. I’m not an expert in technology and this was a purely emotional approach. I know I made some people who read this uncomfortable, but to make a difference, you sometimes have to be uncomfortable. If you’re using Steam, you may as well do so and I won’t judge you. I was provoking you, because I thought you deserved better.

Meanwhile, the cage grows bigger, and it doesn’t matter what metal its bars are made of – it might even be a gilded cage, comfy and snug – it still is a cage. You might be sitting in there, thinking, “Ah, heck, I could still leave if I wanted to. Look, it’s just a cage with an open door”, but one day, the door might be shut, locked, and the key thrown away. And all of that for some polygons. Seriously, you might want to read a book instead. And don’t you get me started on ebook readers…

The author is a German historian and web developer, blogging on juhublog.de (German language), heizi.musicnerds.org, and barbariana.com (both English language).


Facebook and Google Plus Pages

While I’d still like to see RSS make a big comeback, rather few people use it today, compared to subscribing to feeds via Facebook or Google Plus. To accommodate that, I’ve created pages on both platforms that will get updated along with entries on this blog.

Consider subscribing to one of those if you want to know when there’s new content available here. Of course the RSS feed still works, too.

Motional desktop and the last tweak

This is a guest post by my friend Tobi, on how to create a fancy custom animated desktop wallpaper. —Jörn

Ever wondered if it is possible to create an animated background for Windows 7, since ActiveDesktop has been removed? The answer is: YES, IT IS.

Let’s start with the last tweak and then put the results on the desktop. By the last tweak I mean adding pictures with alpha channels to your movie. All you need for that is Avisynth, a “tool for video post-production”. You can edit your movie and play it with a media player without having any temporary files.


Here is a short sample of what I have done to place a transparent picture as overlay in a movie located at the given x / y coordinates – from beginning till end:

# The movie to decorate; the frame rate is passed explicitly.
wmv = DirectShowSource("Test.wmv", fps=24.665)
# The picture to paste on top of the movie.
png = ImageSource("Test.png")
# The same picture read as RGB32 with its alpha channel turned into a
# greyscale clip, used as the overlay mask. (The original script read "Test"
# without an extension here; it is assumed to mean the same Test.png.)
pnga = ImageReader("Test.png", pixel_type="RGB32").ShowAlpha(pixel_type="RGB32")
# Paste png onto every frame at the given x / y position, masked by its alpha.
# Positional arguments (base clip, overlay clip) come before the named ones.
Overlay(wmv, png, x=545, y=-20, mask=pnga)

All file paths are relative to the location of this .avs script.

After this you have to convert and store the video with Free Video Converter by simply dragging the avs file into the videos space of this application.

Now it is time to put the video on your Windows 7 desktop. There are six simple steps to provide this functionality to Windows 7:

  • Download (DreamScene)
  • Copy the DreamScene.dll to %systemroot%\System32
  • Copy the DreamScene.mui to %systemroot%\System32\de-DE
  • Copy the DreamScene.mui to C:\Windows\System32\en-US
  • Execute the Dscene.reg
  • Restart Windows

That’s it.

If you want to have some nice precreated movie desktops check out dreamscene.org.