Writer's Diary

What's it like to be a fiction writer? Read on. (Writer's Diary Archives)

Monday, January 25, 2010

More Computers for writers: hacking 99

Sigh

Reading another book where a writer has used the already egregiously wrong stereotypes about computers to show a character who is supposedly a computer expert. In this case, a (airquotes)hacker(airquotes).

First off, hacking is in some ways ridiculously easy and in other ways quite complex. I can't even begin a 101 level discussion. From what I've seen most writers would be lucky to reach the remedial level. What they are right now is woefully ignorant. It's every computer user's right to be ignorant about their computer. I happen to believe that users have every right to expect their computers to simply freaking work without putting their security at risk. That is, alas, not reality.

But if you're writing a story that includes computers, please. TV and movies are simply not a resource you can rely on.

So here's some horrifically high level facts about hacking. Consider these jumping off points for your research. I am leaving out massive amounts of information. LOTS!

If you're going to write a book about a hacker, then please subscribe to 2600. As mentioned in a previous post, it's quite possible you can't get to that website at work, even though it's not dangerous to your computer. 2600 will quickly educate you on the mentality of people who do this sort of thing for good, evil or neutral. Every word of the magazine is a clue and reference material. EVERY FREAKING WORD!

Hacking is not what you think. It's not the stereotype you read in the newspapers, see on TV or hear about anywhere else in mainstream media. Seriously.

Criminal hackers are a different matter as nowadays it's often organized crime, but 2600 will educate you about that too.

It's not enough to know there's such a thing as a firewall and that there are ways to get around one (or perhaps more accurately, through one).

How do the bad guys Do Bad Stuff?

It's not magic. There are programs written specifically to exploit known vulnerabilities. Some of them have good purposes (penetration testing for example) but, like anything, such programs can be used for evil. And some were written specifically to do bad things.

It is possible to write your own.

The key point is the bad person is not just jumping on the internet and looking at web pages and then stuff just happens. They are firing up programs that look for open ports and then sending commands to those ports that will accomplish evil things.

If a website was put together without considering security, then there WILL be commands from a web browser that can get you into a server. That, by the way, is typically the goal. The bad person wants to get from the computer serving up the webpage to the server that has the database, or to the domain controller or some other internal server.

SQL Injection, for example, involves tacking on certain commands to the end of a browser URL that will open up the database. From there, on a server that was not set up with thought to security, you could get to many other servers internal to a company.
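To make the SQL Injection point concrete, here is an added example that is not from the post: the same customer lookup written the careless way and the safe way, run against a throwaway in-memory SQLite database filled with constructed rows. The table, column names and sample values are all invented for the demonstration.

```python
# Added example (not from the post): one lookup written two ways, run against
# a throwaway in-memory SQLite database with constructed rows.
import sqlite3


def make_db():
    """Build a tiny constructed customers table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "4242"), (2, "bob", "1111"), (3, "carol", "9876")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Pastes the value from the URL straight into the SQL text, so whatever the
    visitor typed becomes part of the command the database runs."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Sends the statement and the value separately; the value can only ever be
    compared against the name column, never interpreted as SQL."""
    sql = "SELECT name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    normal = "bob"
    hostile = "x' OR '1'='1"  # the kind of text tacked onto the end of a URL
    print(lookup_vulnerable(conn, normal))      # [('bob', '1111')]
    print(lookup_vulnerable(conn, hostile))     # every row comes back
    print(lookup_parameterized(conn, hostile))  # [] because nobody has that literal name
```

The fix is not cleverer string checking; it is never letting user input become part of the command in the first place, which is what the parameterized form does.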

Also, please remember that it's unlikely that a hacker will be using a Windows computer to do evil. It's fairly certain he or she will be using one of the flavors of Unix/Linux. The reason is beyond the scope of this post, but I think we could stop at, it's a matter of pride. It's possible. Of course.

An accomplished hacker, one whom you hope to portray as evil and/or heroic, is going to have a customized set of tools and scripts, some of which he/she has likely written on his/her own.

Such a person could sit at a random computer and accomplish evil things. But if they're using telnet or the command prompt, that person would have to be VERY GOOD INDEED, because they will have had to memorize a great many arcane commands. Or they could plug in their flash drive containing their toolset.

An evil person could sit around looking for websites vulnerable to SQL Injection, for example. But there are easier ways to find the low hanging fruit.

What they're not doing is jumping onto the World Wide Web and bypassing firewalls [waving of hands in magical incantation].

Understanding Firewalls

I am flying at a high level here, OK? There are also many many other ways to do evil than what I describe here. This is incredibly basic.

The Internet depends on a series of protocols -- rules that have been agreed upon regarding how one computer communicates with another computer. There are many different protocols. Here are 4 common ones:

FTP
HTTP
SHTTP
SSH

You should recognize the second protocol: http

If you don't, look up at the top of your browser. If you're reading this directly from my website, you should see http://www.carolynjewel.com etc. You could substitute ftp.carolynjewel.com (and I suppose you could try to guess the login and password set for ftp services at carolynjewel.com). If you did that, you would not see my lovely website, because websites are written for the rules of the http protocol. ftp does not understand the rules for http. To do anything you would need to know the commands for ftp, or be using an ftp shell program that will send those commands for you, once you've guessed the login and password for my ftp site.

The Well Known Ports

Each protocol has been assigned its own port number. There are a set of agreed upon port numbers for each of a series of internet protocols. They are cleverly called The Well Known Ports. You can see the list here: IANA List of Well Known Ports

Side Note: The port numbers tend to be assigned in pairs of ports called TCP and UDP. If you care, traffic sent over the TCP port gets a return acknowledgment. I sent this. Yup, I got it. Traffic sent over UDP is not acknowledged. I sent this.

The http protocol has been assigned the Well Known Port of 80.
FTP is 20
Microsoft SQL Server is port 1433

Your email is almost certainly being sent over port 25 (Simple Mail Transfer Protocol or SMTP).

Really Simple Example

So there you are at your computer. Your computer could send traffic over any and all of the ports using any of the agreed upon protocols. If you want, you can think of the ports as doors that reside on your computer. Corresponding doors exist on any other internet connected computer.

But certain doors (ports) may be locked on your end, from the inside (you can't get out that door) or from the outside (others cannot get into your door.) It's also true that on any other computer, certain ports may or may not be open from the inside or outside.

You are on the World Wide Web, looking at www.carolynjewel.com. That's because your computer sent an http request to carolynjewel.com over port 80 that said, please show me the page at carolynjewel.com

carolynjewel.com responds to your http request by displaying my home page to you over port 80 on your computer.

Now, suppose you have a firewall. A firewall is designed to stop traffic from going out and/or coming in. For your firewall, you have to decide which doors are open to outgoing and incoming traffic.

Side Note: What if you don't have a firewall? Then anything can go out and ANYTHING can get in. If you don't have a firewall installed, you should be worried.

If you don't have SQL Server installed on your computer, when someone comes to your computer from elsewhere on the internet and wants inside via port 1433, nothing will happen. But what if you do? Anyone from the outside can talk to your SQL Server. Uh oh.

Now, suppose your firewall blocks all OUTGOING traffic on port 80. Will you be able to see anything on the World Wide Web?

No, you will not.

Your request to see carolynjewel.com will never get to the server that hosts my website.

Now suppose your firewall blocks all INCOMING traffic on port 80. Will you be able to see anything on the World Wide Web?

No, you will not.

Your request to see carolynjewel.com will reach my server and my server will say, you betcha. Here's the page. The page will be sent to your computer over port 80 but port 80 on your computer will be CLOSED so you can't see it.

If incoming and outgoing traffic is blocked over port 80, then the WWW is dead to you.

So practically speaking, nobody blocks port 80 because then you can't see any lovely webpages. And what would be the point of that?

Suppose, though, that you had an internet connected computer whose only job was to receive and serve up FTP related commands. In that case, you might set up a firewall to block port 80. Unlikely, but possible.

But there are all these other ports that can provide a way into an internet connected computer. Hackers know this. The information is COMMONLY known. It has to be otherwise the internet wouldn't work as designed.

You need a firewall to keep out the folks who scan for open ports. There are some high value, if you will, ports that will have juicy stuff on the other end. Since each port is allotted to a defined protocol, what you do when you find one that's open depends on what port it is.

You can, if you like, think of the protocols as different languages. If I only understand French, it does no good to speak to me in Chinese. I will never understand.

So, suppose I am port 1433 (SQL Server). If you send traffic to port 1433 that is designed for FTP (port 20) nothing happens. But if you send traffic to port 1433 and you speak SQL Server to it .... ooh la la. You will get an answer. If you are a good person, then hey. But what if you are bad? What if you are looking for the information in the SQL Server database on the other end of that open port 1433? That is not so good.

One of the things hackers do is scan for open known ports. When they find one, they will execute an attack known to work against whatever is at the other end of that port. (It's more complicated than this, OK? There are things you can do to protect against that. etc.)
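The "doors" picture above can be turned into a small model you can poke at. This is an added example, not code from the post: a toy firewall with separate locked-from-the-inside (outgoing) and locked-from-the-outside (incoming) port lists, a walk through the four port 80 scenarios, and a check of which listening services an outsider can actually reach. Port numbers are the ones the post lists; the firewall classes and function names are invented for the demonstration, and the model deliberately follows the post's simplification that the web page comes back in on port 80.

```python
# Added example (not from the post): a toy model of the post's "doors" picture
# of ports and firewalls, using the port numbers the post lists.
from dataclasses import dataclass, field

WELL_KNOWN_PORTS = {"ftp": 20, "smtp": 25, "http": 80, "mssql": 1433}


@dataclass
class Firewall:
    """Which doors are locked from the inside (outgoing) and from the outside
    (incoming). Two empty sets is the 'no firewall' case: everything passes."""
    blocked_outgoing: set = field(default_factory=set)
    blocked_incoming: set = field(default_factory=set)

    def allows_outgoing(self, port: int) -> bool:
        return port not in self.blocked_outgoing

    def allows_incoming(self, port: int) -> bool:
        return port not in self.blocked_incoming


def fetch_web_page(your_fw: Firewall, server_fw: Firewall) -> str:
    """Walk the post's scenario: your request leaves on port 80, the server
    accepts it on port 80 and (in the post's simplified model) the page
    comes back to you on port 80."""
    port = WELL_KNOWN_PORTS["http"]
    if not your_fw.allows_outgoing(port):
        return "blocked: your request never leaves your computer"
    if not server_fw.allows_incoming(port):
        return "blocked: the server's port 80 is closed to the outside"
    if not your_fw.allows_incoming(port):
        return "blocked: the page was sent, but your port 80 is closed"
    return "page displayed"


def exposed_services(listening_ports: set, fw: Firewall) -> list:
    """A port is only 'juicy' when something is listening there AND the
    firewall lets outsiders in. An open door with nothing behind it does nothing."""
    return sorted(p for p in listening_ports if fw.allows_incoming(p))


if __name__ == "__main__":
    web_server = Firewall()  # the server hosting the site: port 80 open
    print(fetch_web_page(Firewall(), web_server))                       # page displayed
    print(fetch_web_page(Firewall(blocked_outgoing={80}), web_server))  # never leaves
    print(fetch_web_page(Firewall(blocked_incoming={80}), web_server))  # your port 80 closed
    # Your PC with SQL Server installed and no firewall: 1433 is reachable by anyone.
    print(exposed_services({80, 1433}, Firewall()))                              # [80, 1433]
    # Same PC with the 1433 door locked from the outside.
    print(exposed_services({80, 1433}, Firewall(blocked_incoming={1433})))       # [80]
```

One caveat for anyone who wants the real-world version: modern firewalls are stateful, meaning they recognise the reply to a connection you started and let it back in automatically, so in practice only the outgoing rule decides whether you can browse. The incoming rules are what stand between an outside scanner and a service that happens to be listening, which is the case `exposed_services` illustrates.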

I think if I keep going, brains will asplode.

posted by Carolyn @ 1/25/2010 06:04:00 PM Permalink

Friday, January 15, 2010

More Computers For Writers

I'm reading a really great book right now -- not a romance by the way -- with a major plot point that involves computers.

Someone is blackmailing people with surreptitious photos of them engaging with prostitutes. The photog has a digital SLR camera and emails the photos to his partner in crime (PIC). He then deletes the photos from his computer. The computers described, by the way, are all running a Windows Operating System (OS), that's pretty clear.

The hero is in possession of the PIC's computer but is questioning the photog at his house in full sight of the photog's computer and camera. I'm not sure because the scene is actually unclear, but I believe the hero removes the memory chip from the SLR and hands it to someone else while he reviews the photos in the camera's memory.

Stop
I have big issues with the camera thing, since my experience is that a professional quality SLR takes such HUGE file-size photos that you can't store anything on the camera itself. But while my Nikon D80 is a high end SLR, I'm not familiar with the kind of SLR pros use, so maybe this is right. I doubt it, but whatever.

The photos the hero hopes to find are not on the SLR (and I'm thinking, doh! They're on the memory card you took out), and then the photog explains how he deletes the photos from the computer and emails the best ones to his PIC.

I am now thinking, cool! This is going to be easy. Make the guy login to his email program and check his email sent items folder.

But no. They push aside that computer, go get the PIC's computer and find where the PIC saved off the emailed photos because the photog says, hey, I bet my PIC never renamed my photos. After which the author describes a file naming convention that contains characters that are illegal in a Windows OS.

Full Stop
What the F? Number one, most people are clueless about their computers. There is nothing wrong with that other than the pain that inevitably arises from owning a computer with an OS that is actively hostile to people who just want the damn thing to work.

So, people, if this guy has deleted the photos, they are surely in the trash file. The hero is supposed to be someone clueful and any fool should have thought of that.

But not to even think of looking in the guy's email program? Come on. The stupid photos are there. There was no freaking need to fetch the recipient's computer.

Sigh

As an author, if you write a story in which someone is supposedly being all tricky and geeky about computers, please please please check with a REAL geek.

Please note, I am flying at a high level once again. There are nuances and details I'm skipping. This is informational only -- if you're looking for facts for your writing, please dig deeper and consult multiple sources.

In a Windows OS, you cannot name a file any darn thing you want. There are certain characters (most of them are punctuation) you are not permitted to use. You can use multiple periods, though. If you try to use one of the forbidden characters, the computer will return an error to the effect that you can't name your file in that manner.
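For anyone who wants to check a file name in a manuscript rather than take my word for it, here is an added example, not from the post: a small checker for the Windows naming rules. It goes a bit beyond the paragraph above, since besides the forbidden punctuation it also flags the reserved device names (CON, PRN, COM1 and so on) and a trailing space or period, all of which Windows rejects as well. The function names are invented for the demonstration.

```python
# Added example (not from the post): a checker for the Windows file-naming rules.
# The forbidden characters and reserved device names are the ones Windows
# documents; nothing here is specific to the book being discussed.

FORBIDDEN_CHARS = set('<>:"/\\|?*')  # punctuation Windows will not accept in a name
RESERVED_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def windows_filename_problems(name: str) -> list:
    """Return the reasons Windows would reject this name (empty list means it is fine)."""
    problems = []
    if not name:
        return ["empty name"]
    bad = sorted(c for c in set(name) if c in FORBIDDEN_CHARS)
    if bad:
        problems.append("forbidden characters: " + "".join(bad))
    if any(ord(c) < 32 for c in name):
        problems.append("control characters")
    if name.endswith(" ") or name.endswith("."):
        problems.append("trailing space or period")
    # Device names are reserved even with an extension: CON.txt is still CON.
    stem = name.split(".")[0].upper()
    if stem in RESERVED_NAMES:
        problems.append("reserved device name: " + stem)
    return problems


def is_valid_windows_filename(name: str) -> bool:
    return not windows_filename_problems(name)


if __name__ == "__main__":
    # Constructed names: multiple periods are fine, a colon or a device name is not.
    for candidate in ["IMG.2010.01.15.final.jpg", "who:what.jpg", "CON.jpg", "photo.jpg "]:
        print(repr(candidate), windows_filename_problems(candidate) or "ok")
```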

On any computer it is REMARKABLY hard to delete all traces of a file. The trash file is the blindingly obvious place to look, but there are other places to look as well as known methods for recovering deleted drives. Now, this story does not (yet) involve a computer forensics specialist so I'm not griping that the hero doesn't know this.

But here's some interesting things:

To well and truly wipe a hard drive, you have to degauss it. Three times. There's a military spec program that will do this. It will wipe a hard drive, rewriting ALL the bits and bytes three times. Even then I bet there's a way to get around that. For more info, you can google: degaussing a hard drive

When Windows deletes a file, it's not really deleting it. Let me say that again: Windows doesn't actually delete a file when you tell it to delete a file. All it does is overwrite the first character of the file name with a 0. Presto, to the OS, it's deleted, but on your hard drive, it's still there. And unless the OS happens to write another file to the exact same location it will stay there.

In case you think encrypting your computer is enough, all I can say is in the face of a skilled and determined geek, au contraire mon frere. But it's still the best thing you can do to protect your data.

As a side, side note to that, encrypting your hard drive is only as secure as your password. If you tape it to your computer or nearby or use a weak password you might as well not have bothered.

Turning off your computer is also no guarantee that everything in volatile memory is gone. It's not. You can recover that, too. And if you get to a computer quickly enough (the time is longer than you think) you can reconstruct what was going on before it was turned off. Google: computer forensics volatile memory

A really fun and interesting resource is 2600. I subscribe because there's all kinds of crazy-cool stuff in it. If you're at work, don't be surprised if you can't get to the site. Some companies block it. (I am laughing at that - because any good computer person will get there anyway -- Not that I ever looked at 2600 when I worked for an employer who blocked the site -- in a half assed way. Really.)

Passwords

Here's some password thoughts for you. Since I am a Database Administrator (DBA) I can tell you from personal experience that the MOST UNBELIEVABLY common passwords are:

password
12345
54321
password123
[Your name]
[curse words]
[keystrokes in the horizontal or vertical order of appearance on a standard keyboard]

Any DBA can tell you it's astonishing the bad passwords people pick. And disappointingly nasty. Some people are just crude.

An experienced computer person probably has a 40% chance of flat out guessing your password. Because they'll run through the unbelievably common passwords. If that person knows a few things about you (your spouse, your birthday, your kids names or pets) bump that to 60%. Heck, if they're just sitting at your desk, they'll probably pick up enough to make some darn good guesses.

But what if your password isn't unbelievably obvious? Check this out: How Long Will your Password last? A few examples: If you chose a password of numbers only: a 2 digit password will be cracked instantly.

Oh, you say, who picks a password that lame? You'd be surprised.

Let's say you pick a 9 digit numeric password. On a crappy desktop, your password will be cracked in 28 hours. If you're the government using a great computer, it's instantaneous.

Letters are a little better, right? A five letter password (in the same case -- all upper or all lower) will be cracked in 20 minutes on a crappy desktop machine. If you double the length to 10, then it's 447 years. Unless you're the government in which case it's 39.5 hours. At 20 characters, even the government will need 631 billion years. Excluding words in the dictionary, of course, since those will be cracked in the first round . . . So, is YOUR password that long AND not in the dictionary?

Check out that link once you've checked out the footnotes so you understand the chart (easy!!!). I hope you will go change your banking password.

Possibly NSFW because of the curse words: Top 500 Worst passwords I rest my case. There's a lot of people who are picking passwords they'll remember (understandable) instead of a password that's not so lame it can be cracked instantly.

Of course, it's possible to just install some malware and get passwords sent to you.

Alas.

But true.

I won't keep going even though I could.

posted by Carolyn @ 1/15/2010 06:21:00 PM Permalink

Tuesday, December 15, 2009

Geek Alert! Info for Authors

I'm reading this really good book in which the heroine is all computer geeky, which is fun. The author, at one point, has her heroine visiting a facility described as cutting edge, technology-wise, including computers. The author then casually mentions that the employee workspace (not IT employees) has computers and servers sitting around.

Ka-Thunk!

That's the sound of Carolyn falling (briefly) out of this otherwise extremely excellent book. I forgive the author because the rest is so good.

So I'm going to explain, at a very high level, about servers so you won't make that mistake. If you need specifics, Google around for more targeted info. I have left out details so as not to be hopelessly confusing. Or befriend someone in your IT department.

Employee workspace with computers? You betcha. Gotta have that.

Employee workspace with servers sitting around? No. Sorry. In a corporate environment there would NEVER be a server anywhere but in the server room. (See slight exception below).

What's a server room you ask? Oh, what's a server? Well, it's a computer. Doh.

Hmm. Maybe an analogy will help. This applies to medium to large companies, OK? Companies with an IT budget of more than $200,000K a year -- or way way more.

Your desktop computer is a Toyota Corolla. A server is a Lamborghini.

A basic Windows PC costs <$1,000.

A basic server costs about $30,000 (if your needs are limited; otherwise, $100,000 wouldn't be unusual).

A server room is a climate-controlled room dedicated to housing servers.

The server room should have controlled physical access so that only authorized people can get inside. Why? Because you don't want your data or equipment walking out the door or worse.

Climate-controlled means it's freaking cold in there. You need a coat if you're going to be in there for very long.

Why? Because servers generate a lot of heat, and hot servers shut down and your business ceases to function. Server rooms tend to be noisy. Often the AC is quite loud. The network guys will get paged if the server room temp gets too high (68 might be a warning level. 75 is reason to panic. At 80, meltdown is imminent if not already happening.)

A lot of companies house certain servers in colocation facilities. These COLO facilities rent out server racks and provide some tech support, the climate control and the physical access control etc. You bring your own servers and put them in the racks yourself. Corporate IT personnel remotely administer the servers from wherever.

But many companies have at least some subset of servers on-site.

Servers do NOT have monitors. There might be a desk(s) in the server room with monitors and keyboards so you access the servers from there. Or, there might be a monitor/keyboard tray in the server rack that pulls out so you can pull up the monitor and access the servers in that rack.

This picture shows what looks to be a fairly modest sized server room. Over on the left there, toward the bottom, those 3 beige things are older servers. Note that they are labeled. The vertical thingees (there are 4 in each of the 3) to the right side of the beige servers are the hard drives. They come out -- if one is broken, for example -- and you can put a new drive in. To the bottom right, you can see two narrow black box thingees. They are also servers, but different ones. There's another beige server underneath the two black ones.

Here's an example of why you need physical access control (and also of how it can fail anyway). Someone at a company once removed a server drive, replaced it with another drive and walked away with a copy of the corporate data. The multiple drives (depending) contain redundant data -- they all have the same data. That way if one drive fails, your data is still up and running.

There are all different looks to servers and server rooms. Things can look all mismatched like this picture, or homogeneous. It depends on your budget, who you decided to buy from and what your needs are.

Server racks usually look like very tall cabinets. They usually have doors. You open the doors and see a stack of servers with blinking lights. They should also be labeled so you know which one is which in case you have to access the physical box (to add drives, memory or even (ack!) restart the box.)

The BACK of a server rack has ethernet cables that run from the network cards (most servers will have more than one network card) to a router or switch and usually from the router or switch to a patch panel. (Flying at a high level here!)

Those cables can look like a spaghetti nightmare (in which case someone should be fired). Or they can be neat and orderly and tied down.

Here's a flickr grouping of various server room photos if you're curious about the variety.

But you can see that a server looks NOTHING like your desktop computer. You *could* configure a desktop computer as a server -- but that's not what you'd typically see in a corporate environment. Except in the room where IT personnel sit. Then you'd see workstations configured as servers for testing and development but, pray God, not production end-user equipment. Geeks like me play with those.

So, no high-falutin' cutting edge company will have servers sitting around in an area open to non-IT personnel. Really. They generate heat and need to be kept cold. They wouldn't sit flat on a desk. They're made to be inserted into a rack. Would *you* want to be the one who accidentally knocks the $100,000 server off the table? Or watch it fall off the table during an earthquake? I don't think so.

So, that's it.

posted by Carolyn @ 12/15/2009 05:33:00 PM Permalink

Saturday, October 17, 2009

Drive by Post

Deadline panic is in full force.

Ack!!!!

That is all.

Oh, and when I bought MacFang (because I suspected my Dell laptop was nearly End Of Life) I gave the Dell to my son. Today, the Dell's hard drive failed.

Well, ok, that's bad for him because he was using it a lot. But when he went to turn on his desktop, nothing. Apparently, the video card has failed. On his desktop, that's built into the motherboard. Sigh.

He has a paper due end of the month so I'll be buying him a new laptop. If I have the cash. I need to call my accountant Monday to find out how much estimated tax I have to send to Uncle Sam.

posted by Carolyn @ 10/17/2009 09:33:00 PM Permalink
