Password Strength

There is a lot of out-of-date advice on choosing an appropriate password strength. Many rely on an old password strength meter tool called zxcvbn. The general advice is still sound: choose items randomly, pass phrases are easier to remember, etc. But how complex should your password be? This all hinges on how many hashes a password cracking GPU can do per second. See here for hashcat run on an NVIDIA RTX 4090. I’m seeing 8G hash/sec for PBKDF2-SHA256 (1 iteration). This card costs $1700 today. For context, peak Bitcoin hashrate is 300 quintillion (3e20) hash/sec, which comes at enormous costs in specialized hardware and energy.

For someone to generate 1 trillion hashes/sec, they would need 125 cards costing a reasonable $212K. A 13 character password or 6 Diceware words would take 350M years to crack. Ok, so 1 quadrillion hashes would cost $212M and 350K years to crack. The entire Bitcoin network at peak capacity would need 1 year to crack this password. But add 1 word to your passphrase (or 2 chars to password) and it takes 9000 years (or 4000 years for password).

So what’s a good minimum password strength? If hashing power doubles every year, then it would be 1000x faster in 10 years. Assume a hacker goes from 1Th/s to 1 quadrillion. Then a 4 word Diceware pass phrase or a 9 char password can be cracked in a month. That’s merely 53 bits of entropy. You can add another word or character if you still feel nervous, or get a security key. I think once an attacker determines you’ve used a good enough password they will move on to other targets.

Password Managers

The discussion about the security breach at LastPass shows that most people don’t really understand cryptography. In a well-designed system, your encrypted password database (aka vault) is absolutely secure. You could send your vault directly to hackers around the world just to taunt them. You could leave your vault in an open S3 bucket or a public cloud drive. It really is impossible to break a vault.

Of course, you need a good password. My password is 100 bits of entropy (which means 2^100 possibilities). For a master password, a passphrase is easier to remember and quite strong. There are many online generators, or you can use Diceware or EFF word lists with some dice. If you want to get fancy, you can randomly change a few characters to add 10bits of security per edit. In the case of 1Password, they add a “secret key” to your password to add 128bits, making even a terrible password ludicrously secure. But how many bits is enough? The chart at the bottom here shows the cost to crack passwords. A 67 bit password costs $100B, 84 bits is $16 quadrillion!

Once you have a good password, everything else becomes security theater. Key stretching is a way to slow down password crackers by adding some bits for free: 100k iterations adds 16bits, 1M adds 19bits. Nice, but unnecessary for a good password. Some complained that LastPass’s iterations was too low, but they are really complaining about a mere ~3 bits. This must run in reasonable time on the slowest browser using supported algorithms, i.e. PBKDF2. That’s why none use Argon2.

The primary weakness in all software, including password managers, is if an attacker modifies the client-side apps. For example, last week PyTorch accidentally included a malicious package that uploads a computer’s passwords and other info. An attack at any point in the software development and deployment cycle could compromise the entire vault. AFAIK there are bandaids for parts of the process (reproducible builds, restricted sandbox, open source+audits) but nothing is fool-proof.

Here’s how to build a relatively secure password manager. Use Signal (or Telegram, Whatsapp, etc) as a secure, distributed append-only database transaction log. Lock down client-side apps so they only have access to Signal and nothing else. Create a group chat for all your devices. The apps can check the log for any updates to the database. It can send out encrypted updates to other devices. Sharing with other people is as easy as creating a group chat with them. All communication security has now been pushed to the messenger app. If someone hacks Signal they’ll get a stream of encrypted messages.

You can’t prove the client-side app is secure, but you can limit the damage it does. App sandboxes on iOS and Android are good (so far). If malicious code gets in there, it has no means of communicating outside of the chat groups you’ve setup. It might try to create a new share group with the attacker, but this can be mitigated by forcing users to go to Signal to create new groups. Terrible UX, but the extra work forces people to check.

All the rage against LastPass is missing the point. Every service could be hacked. The point of security is you don’t care if a service gets hacked. If someone has a weak password, nothing can help them. It would be nice to warn people, but we all know most people don’t care. I can’t even get my family to improve their passwords. The only real criticism is LastPass revealed too much in the database, like URLs and stuff. That’s enough for me to switch to another product. But I expect all password managers to get hacked and I don’t care.

ELI5: Capability-based systems

This post on capabilities says there isn’t a “good, basic introduction to capabilities”, then proceeds to write 13,000 words of incomprehensible gibberish. Having spent some time reading about capabilities I can say this is actually the least bad explanation I’ve yet seen. This community could write a 100 page manual for a toaster that would confuse a physicist.

Continue reading

Replace your iPhone battery

If your old iPhone feels slow and sluggish, it might be because the battery is too old. Replacing it will improve the performance of your iPhone instantly.

A post on Reddit said that iOS will purposely slow down a phone when the battery shows substantial wear. I have a 3 year old iPhone 6+. I measured the battery condition using coconutBattery from my Mac. The battery was down to 75% of design capacity after ~750 cycles. I then ran Geekbench for iOS. The benchmarks were about 1000 for single-core performance, and 1800 for multi-core. They should be 1460/2459 respectively. Finally, I installed CPU DasherX on my phone. Down towards the bottom it reports the CPU frequency. It said 839MHz for my phone, but it should be 1400 MHz.

I went to a local place to replace the battery for $50. Now all my numbers are as they should be. The phone works perfectly well. I almost bought a new phone because this one had turned sluggish. I just saved myself $800 for a phone I didn’t need.

Blockchain for Dummies

Japan is a country that does nearly everything well, including handling luggage for trips. Traveling from New York City to Kyoto, I handed my bags over to the curbside skycap at the airport and strolled inside. By the time I checked-in to my hotel in Kyoto, the following entities had custody of my luggage: JFK airport, American Airlines, Narita airport, Yamato delivery, Japan Railway, a delivery truck, and my hotel. After a long trip my bags were waiting for me in my room.

Imagine a distant future where most cities in the world are capable of this miraculous feat. How might I check the status of my luggage? There is no central entity that can collect all this information from every airline, airport, hotel and delivery service in the world. We need a decentralized method for collecting information about luggage that does not depend on any central server.

If my luggage is damaged, who will pay for repairs? Assume the last company to have my bag is responsible, unless they can produce a picture proving the bag was already damaged when they took custody. Now every company will take a picture of my bag when they get it and when they hand it off to the next company in the chain. This picture can be attached to the status messages collected for my bag. But an unscrupulous company may try to change the picture in the status message, or change someone else’s picture to blame them for the damage. We need a secure system that prevents anyone from tampering with the data.

How will I choose the right delivery company to get my luggage to my hotel? There may be many companies that serve different areas of a city, handle different types of bags, and have different delivery schedules. I want my luggage delivered by 10pm to a ryokan on the outskirts of Kyoto for less than $10. The delivery companies should have software that dynamically bids for each bag based on the latest exchange rate between dollars and yen. I don’t care who delivers it, but I do want proof that someone has my bag. We need a smarter system that allows companies to write custom software for this data collection network.

Necessity is the mother of invention. For reasons I don’t fully understand, some people have long wanted a form of digital currency that is not controlled by governments nor corporations. No one could build such a system until a mysterious genius published a paper describing Bitcoin, the first digital currency. Today (May 2017) the total value of all Bitcoins is $25 billion! Since it’s inception in 2009 no one has been able to steal from the Bitcoin network, demonstrating the incredible security of this novel system. In 2013 Ethereum was proposed as a programmable network using Bitcoin’s core ideas. More importantly, the underlying technologies in Ethereum and Bitcoin, specifically blockchains and smart contracts, can be used to implement a luggage delivery network.

In the near term, blockchains and smart contracts are useful when there is already a decentralized network of companies who want to exchange information. This means there is no trusted central company or government that can gather all the data for the network. Currently these companies share their data in an ad-hoc way that error-prone and inefficient. This includes networks such as supply chains, health care records, financial products, housing, diamonds, and many more. Each of these is a billion to trillion dollar market vertical.

In the medium term, there are many companies and government agencies currently serving as a trusted central authority that could be replaced by blockchain and smart contract technologies. Blockchains are particularly useful in countries with corrupt or ineffective governments. Birth, marriage, and death certificates. Licenses to practice medicine, real estate, and massage therapy. Patents, land and car titles, and approvals for drugs.  In the private market, the roles currently played by Visa (credit cards), the DTCC (financial product ownership), and Experian (credit reporting) could be replaced by blockchains. Energy companies can be supplanted with rooftop solar/wind generation and a blockchain to coordinate energy distribution. These agencies and companies are a drag on profits and progress because they are a bottleneck in their respective networks.

In the long term, many different blockchains (e.g. health, finance, government) can be combined to create new services across networks. It’s difficult to imagine the possibilities, but people have come up with some wild ideas. For example, decentralized companies with just-in-time labor. Decentralized and fully automated venture capital funds (see the DAO). The craziest idea I can think of is a self-driving car that bids $20 to have the traffic lights turn green on its route to get to the airport on time. Although by then it’s likely we’ll have flying cars or jetpacks instead.

Some form of blockchain and smart contract technologies can replace many of today’s centralized systems. These are very early days in the technology. It’s really only existed for 8 years. These technologies still need to be improved in every dimension: performance, security, privacy, expressiveness, flexibility. I remember the “Internet” in the early 1980s. No one then could have imagined what we have today, nor the trillion dollar economy built on it. The only constant is the crazy people on Usenet are now on Reddit. Someday they’ll have flamewars on a blockchain.

Surface Pro 4 Review

As my family’s tech support guy, I purchased and configured some computers for family members. I bought a Surface Pro 4 (i5, 8GB, 256GB) with a keyboard on sale for $1000. I’ve had a chance to use it for nearly a month. My overall impression is that the Surface Pro 4 falls short of good in most dimensions. I’m writing this review using the Surface.

Software

Windows 10 support for the Surface is painfully bad. The constant glitches make it frustrating to use. Just now the touchpad wouldn’t recognize a tap so I could fix a spelling error. And then the taskbar wouldn’t pop up when the pointer goes to the bottom of the screen. It frequently doesn’t recognize the keyboard when attached. I have to randomly touch things hoping it will connect. Sometimes the computer wakes up and freezes. It sometimes gets confused when switching between tablet and computer mode. I’ve had Windows Hello go into a cycle of locking the screen, turn off the screen, come back on and recognize my face, then go back to my desktop. Over and over! The touchpad forgets my settings when I log in, but remembers when I just open the Settings app. It does not “Just Work” like an iPad. Windows 10 is a usability nightmare.

The battery drains quickly. I haven’t timed it, but it definitely lasts far less than both a MacBook and my 2013 MacBook Pro. Occasionally Windows 10 will tell me that Edge uses less battery than Chrome, but Edge is unbelievably slow. I’ve been using this Surface for a month, so all the indexing and scanning it might do on a new machine is long finished. Microsoft really needs to focus on energy consumption.

The Surface Pen is utterly useless. Drawing on a screen is a niche task. For most users the only place you might use it is with OneNote. Microsoft, in their infinite wisdom, provides 2 versions of OneNote with different feature sets. You write your notes, but only OneNote 2016 can convert handwriting. You can draw diagrams, but only OneNote app can convert shapes. Even there it’s stupid. It converts squares and circles into nice shapes, but it doesn’t do anything with lines. They also support converting math equations. It took me a dozen tries to get “3 X 3” recognized. Surely it would be easier to type for all these use cases.

Finally, touch support is terrible. (Just now I took off the keyboard and the screen froze. I had to sleep and wake up to get it going again.) The onscreen keyboard isn’t as smart as iOS. I turned on spell checking, add a period on double space, etc. The on screen keyboard isn’t doing any of that in Chrome nor Edge. It sometimes does the right thing when I search in Windows. Just typing this paragraph in Chrome using the on screen keyboard has been frustrating. When I position the cursor near the bottom of the text, the keyboard pops up and hides the text I’m editing. Just now the keyboard goes up and down as I type for no damn reason. I have to tap the text again and again to get the keyboard. The whole thing is just terrible.

Hardware

The Surface feels like a premium product. No plastic, very solid build, good construction. It is comparable in quality to a Macbook Pro. The screen is excellent. The speakers sound good to me. The cameras seem quite good. Certainly the front-facing camera looks much better than my Macbook Pro. WiFi has been working great so far. I like the magnetic power plug, and magnetic holder for the pen. Thus far the fans haven’t come on, so it’s very quiet. Finally, the weight is really nice for a laptop.

On the other hand, the combination of a tablet and a laptop means both suffer. The tablet is just too big and heavy to use as comfortably as my iPad (1.7 vs 1 lbs). As a laptop, the kickstand is awkward to extend, and it is definitely not stable on a lap. The keyboard actually has nice key travel and feel, but it is wobbly and bouncy when typing. The touchpad is tragic compared to a Mac. Seriously, how can the combined efforts of the PC industry not create an acceptable touchpad? Finally, the Surface gets warm even as I’m typing in this review. That’s not good for a tablet.

Conclusion

When everything works, the Surface Pro is not bad. When things don’t work, I’ll toss it aside and use any Apple product instead. As a reasonably competent programmer, it took me a long time to resolve some quirks. There are still several I haven’t fixed. When I post issues to the Microsoft forums, the bots there invariably suggest I reboot, and then reinstall the OS.

I don’t believe it’s in Microsoft’s DNA to actually do anything well. Everyone knows that Microsoft ships half-baked broken crap in version 1. Then they spend years fixing some old issues and adding new broken features. If you must have a Windows device and you have low expectations, then I suppose the Surface Pro is no worse than any other PC hybrid. Nevertheless, I’m considering returning this computer and demanding my relative buy a conventional Windows 10 laptop. I think the tablet/laptop support is totally broken in Windows 10. I’m hoping a simple laptop won’t have so many bugs. I’ll reconsider when the Surface Pro hits version 10.

Macbook Review

I purchased a 12″ MacBook to setup for a relative. I got the low end 2016 model (m3, 8GB, 256GB) on sale for $1050. They will be using the laptop for light computing tasks: browsing, email, some office work. No video processing, maybe some photo editing. TL;DR: The MacBook is surprisingly good

The quality of the hardware is as good as we expect from Apple. They deserve to earn a premium for the high-end parts and the solid construction. The screen is excellent. The sound is pretty good. The touchpad is absolutely terrific. It really feels like it’s moving! The MacBook is very lightweight and feels good in my hands. I don’t mind that there’s only 1 USB-C port, but 2 would be better. Battery life has been awesome. The computer never gets warm doing light tasks. It’s basically a very fast iPad in a laptop form factor.

And then there’s the keyboard. Apple has a history of being the first to remove essential features from computers. This time it’s key travel. When I tried the MacBook at the Apple store last year, I really hated the keyboard. After using it for a month, I can now say I don’t hate it. It’s tolerable, but not great. The key travel is 0.5 mm. Compare that to the excellent keyboard on a Thinkpad Carbon X1 at 1.86 mm travel. The new 2016 MacBook Pro keyboard uses the same design but increases travel slightly to 0.55 mm.

I really like everything about the MacBook except the key travel. Compared to the Surface Pro 4 with i5 processor, the MacBook feels more responsive and faster. I haven’t run any developer stuff on it, but for regular tasks the m3 chip is surprisingly good. I’d really like to try the MacBook with an i7.Fortunately, Asus copied Apple with the Asus Zenbook 3. The Asus supports a more powerful i7 processor, 16GB RAM and the key travel is 0.8 mm. The only downside is the screen is 1080p. I haven’t seen this in a store yet, but the specs look great.

If you can learn to like the keyboard, the MacBook is a great laptop for everyone except those needing high-performance.

 

Notes on Backups

My normal routine for data storage and backups has been ad-hoc and stupid. I use Windows File History and CrashPlan for Mac to backup computers to a home desktop. Other important data is stored on various cloud services. Unfortunately my 8 year old machine is starting to fail, so it’s time to solve this issue.

Continue reading

Write Fewer Tests in Python

Sqlite has 1000X more code for testing than in actual source code! That’s phenomenal, but it’s common for companies to have 5X-10X more testing code. This seems like an area that programming languages and development tools should tackle. That is, think of ways to reduce the huge amount of extra code written for testing.

As an experiment, I wrote a simple Skiplist in Python 3.5 in a stream-of-consciousness burst of sloppy coding. I used pylint to catch many obvious mistakes. It’s about as good as any decent IDE. After some back and forth I had code that could be loaded into the interpreter.

I next used hypothesis to write tests using the unittest library. This tool is a Python implementation of QuickCheck, a brilliant library for automated property based testing. Consider the following code to test insertion into a skiplist:

@given(nums=lists(integers()))
def test_insert_integers(self, nums):
    sorted_nums = sorted(nums)
    self.assertEqual(0, len(self.skip))

    for i in nums:
        self.skip.insert(i)

    for i in sorted_nums:
        self.assertIn(i, self.skip)
    for i in self.skip:
        self.assertIn(i, sorted_nums)

    self.assertEqual(len(nums), len(self.skip))

The given decorator tells hypothesis to generate random lists of integers to feed into this function. The function inserts all elements into the skiplist and asserts some properties. hypothesis was able to find lots of interesting bugs in my code by printing a small example that caused the error. Unfortunately, hypothesis doesn’t play well with unittest because this single test method actually runs lots of tests. So it doesn’t run setUp and tearDown correctly. But that’s easy to get around for now.

The next step was to use Python 3.5 type annotations and mypy to do static type checking. You can either write unittests to check all this, or let the tools handle it for you. The type annotations are a bit verbose, and the syntax for adding type declarations for fields is atrocious. Nevertheless, it works really well and caught a few corner cases in untested code. There is a problem, though. I can’t find a way to add constraints on generic types. In my code, I want to say the generic type T must support the __lt__ operator. Right now it seems to work somehow.

Finally, I used PyContracts to write design-by-contract style code. It allows one to write additional constraints on your code. For example, in choosing how many levels a skiplist has, I added a constraint to the constructor @contract(max_level='>0') which verifies the input. I didn’t see many opportunities to add contracts to my code because it’s supposed to allow nearly anything, like a list. While contracts in .NET are fantastic, PyContracts are good enough. Though it needs to play better with 3.5’s typing syntax.

Despite all this I found a bug that could only be discovered by a code review. Searching through a skiplist is supposed to be O(lg n). However, I had failed to begin each level’s search where the previous level left off. So my search was correct, but O(n). How could a test discover bugs that give correct results? It’s really a performance issue that would only be revealed for large N.

Overall using types, contracts and hypothesis seems to catch quite a few errors. The only minor issue is it would be nice if all these things cooperated better. For example, if I state the type of a function parameter then both the contracts and hypothesis should use this information. if I add a contract, then hypothesis should use that to craft random input more efficiently. What techniques could I add next to better test my code?

I Lost My Wallet in El Segundo

Actually I lost my wallet in Venice, CA, but no one wrote a song about that. So what do you do if you lose your wallet while traveling? I had no government ID, no credit/debit cards and no cash. Nothing. Luckily I was traveling with a friend, but if I were alone I’d be screwed. Credit cards were sent to me in 2 days. They would not send debit cards to me, only to my home address.

To get through the TSA without ID it helps to have anything that confirms your identity. I had my new credit cards. FYI: I had a copy of my passport, but they didn’t want copies of anything. Tell the TSA agent you have no ID. They will call a supervisor over. It took a while for the guy to show up, so go to the airport early. You put your name/address on a document. Then they call some other office, give them your info and they ask some questions. I was asked for the last 4-digits of my home phone. Then my previous address (I didn’t remember the zip code). They asked for the name of a close relative. I offered my dad’s name. Then they asked for his birthday. I don’t remember anyone’s birthday; however, it happened to be my dad’s birthday and my phone alert had gone off that morning. I only remember his age because he hit a milestone the previous year. So some quick math and I had his birthdate right. I went through security and then had more checking. They did a quick pat down, the bomb residue test on me and my luggage. They didn’t search anything. Although I look like a terrorist, the whole thing was fine.

In the future, I need to pack some backup. I should leave a debit card in my luggage so I can get cash and buy things. For some reason the TSA guy asked for that, so it might be a more legit form of identity. If you look at the list of valid ID, I only have a passport but I don’t carry it for domestic travel. It might be worth getting a Global Entry card as a backup ID. Alternatively, maybe the state will give me another non-driving ID even if I already have a driver’s license. I can just leave that in my luggage.