Explainer

Every piece of information the government or military processes has a classification level assigned to it.

Currently, the federal government lists four levels of clearances that are associated with classification levels.

The other level is “No Clearance”.

Information that is classified as “Confidential” could cause damage to national security if disclosed. Note the weasel word “could”. The definition will often add “without authorization”.

This is the “lowest” classification. There are really two other levels below this.

There is For Official Use Only (FOUO) which is sometimes called Sensitive Unclassified.

This is information that anybody working at a government site might be exposed to. It may not carry any markings. So if you were to see a list of SSN, you don’t have to be told that those are Sensitive Unclassified or FOUO.

This is the same in the health care industry or data processing industry. By this, I mean that there are laws in place that protect people from sharing my personal information. My doctor can’t share my health information. I can’t share your name or email information, if I collect it via a credit card payment.

This doesn’t mean that people aren’t stupid. At one government installation I used to work at, they had a recycling program for paper. You could take used printer paper home to use for projects and stuff. Think of using it in the bottom of a bird cage.

The head of the installation put an end to it when he picked up something at a local shop, wrapped in used paper. The paper was from the installation and had SSN plus wages printed on it.

By the time I got to the installation, we had industrial shredders. Every piece of paper that would have gone in the garbage was fed through the shredders.

What does this mean in terms of the DOGE team? If they are properly employed and tasked to do the work they are doing, they have all the clearances they need to see FOUO and Sensitive, Unclassified material. They don’t need a clearance to see and work with that data.

As soon as we move to information that is classified, certain things become true. First, it is supposed to be marked.

This is one of the issues with the Hilary emails. She had information on her private server that had no markings, which came from classified sources. Those classified sources were marked.

In addition, she was informed that the source of that information was classified, and the information was classified, regardless of markings.

In other words, if I observe a weapons test and I see something that I know is or will be classified, I must treat it as classified. Even if it is not “marked”.

So information is classified. It is classified by level. Just because you have a clearance, it doesn’t mean that you have access to the information.

You must also have a need to know.

I, personally, got racked over the coals by one Army Officer and then got to watch our security officer rake him over the coals. The difference being that the Army Officer could have had lots worse happen to him.

He was in an area that implied he had a clearance. I knew he had a clearance. I even knew what level he had. It was higher than mine, at the time. He asked to see some classified information and I refused.

For this, I was raked over the coals by this officer. I told him that I had to have confirmation from my security officer that he had a need to know.

He stormed out, came back with my security officer. He explained. The security dude asked if the officer had it right. I said “yep.” The security dude then ripped the officer a new one.

The army officer had to have a need to know. He did. But I don’t get to make that determination. Only authorized people can do that. One such authorized person was my security officer.

Above Confidential is Secret, above that is Top Secret, and above that is Top Secret, Sensitive Compartmented Information.

To be granted any clearance, you need to be vetted. That requires you to fill out several invasive forms. These are then used to start a background check. How through these background checks are depends on the level of clearance being requested.

Your clearance doesn’t belong to you. It belongs to the entity that wants you to have a clearance. That entity must have a clearance. The entity requests that you be granted a clearance. Your entity then gets the paperwork from you which is then handed over to the investigators.

When you are granted your clearance, your entity will be informed. Your entity will have a security officer at the least and may have an entire office dedicated to handling clearances.

My entity was Cray Research. Once their security office was informed I had received my clearance, they informed the security office where I was employed. At that point, I had a clearance. And nobody would have given me a bit of classified information.

The people I worked directly with were told I had a clearance by their security office. The people I worked indirectly with I told. They then verified with their security office.

When I left that government installation, my clearance still existed. It was “owned” by Cray Research. My clearance didn’t mean anything because I wasn’t at a government installation.

When I went to different government locations, where I had a need to know, my security people sent the proper security magic to the locations where I was going. This allowed me to see what I had a need to see.

When I left Cray Research, my clearance still existed. Cray Research no longer owned it. Somebody in the government had control over it.

When I joined a different company, they put in a request for my clearance, and it was granted because it already existed.

Ok. Done with me.

What this means is that the people that DOGE is using could have had clearances because of other projects they had worked. When they started working for DOGE, their clearances were either transferred to DOGE or their entity informed DOGE of what clearances they had.

So this nice young man of 20 or so wants to inspect a computer system at CFPB. The administration says, “Hell no, you don’t have the clearances to see our systems because you might see our data.”

The young man calls his security office and has them transmit the clearances to CFPB security. “Call your security office, they will verify that I have the clearances to access the systems and the data.”

The administrator, having lost the first battle, says, “You don’t have a need to know.”

The young man presents the orders he has been given him by the boss of CFPB and that is satisfied, after verification.

That’s how clearances work.

Now, the current NPC talking point is that this young man is unelected, reports to Elon, and as such will access data he shouldn’t and then use it or leak it.

When you hear this, you should translate it to: “Are you saying the FBI and other agencies can’t do a background check? That this young man with clearances shouldn’t have them? What agency or person are you accusing of granting a clearance to somebody that can’t be trusted?”

Yeah, I’ve about had it with Democratic(NPC) talking points.

This is the section of the 14th Amendment which says that the children of former slaves and former slaves are citizens of the United States.

This needed to be done because before the slaves being freed, they were not citizens. The defeated southern states were investigating how to disenfranchise former slaves.

It was ratified on July 9, 1868.

Text and this Nation’s historical tradition of regulation

When evaluating a modern regulation, when the Constitutions plain text covers an individual’s conduct, the Constitution presumptively protects that conduct.

In this case, “Is the child of an illegal alien born in the United States a United States citizen?”

The plain text of the Constitution clearly covers the individual’s conduct, becoming or acting as a US Citizen.

Since the plain text covers the conduct, the government must demonstrate that the regulation is consistent with this Nation’s historical tradition of regulation.

What is the regulation?

This is fairly simple. You are a US Citizen if your mother or father is a US Citizen. You are a US Citizen if your mother or father is a lawful permanent resident when you are born.

Being whelped on US grounds does not make you a citizen.

Is this interpretation consistent with giving former slaves citizenship?

Yes. Former slaves were naturalized (I Believe). So they were citizens.

Their children were born to citizens or lawful permanent residents.

What does “and subject to the jurisdiction thereof” mean?

We know what it meant in 1898. In March of that year, the Supreme Court issued their opinion in —United States V. Wong Kim Ark, 169 U.S. 649 (1898). This is barely 30 years from the ratification of the Amendment.

Wong Kim Ark was the child of Chinese parents. Those parents were NOT naturalized and were subjects of the Emperor of China.

When Wong Kim was 17 years old, he took a trip to China. He returned with no issues. He claimed to be a US Citizen.

In 1894, four years later, he took another trip to China. This time, when he returned, he was not allowed to disembark. Instead, he was detained.

The District Court for the Northern District of California found that Wong Kim Ark was a US citizen by virtue of his birth and had him released. The government appealed to the Supreme Court.

This is preciously the question the new EO brings forth.

That’s old time speak for “plain text” and “historical tradition of regulation”.

So a child must be born not only within the country, but within the “ligeance” of the country. If they are born of an occupying entity, then they are citizens of the occupying entity, not the country within which they are born.

When everything is said, the Supreme Court in 1898 found that if you were born of parents that were here legally, you were an American citizen.

Is that the end?

Not really, the issues are that of an invading force, or people that are here illegally. Do they have the same birth right as a child born of people here legally?

There is a strong argument to be made that illegal aliens do not gift their whelp with American citizenship merely by pushing them out while on US soil.

It is clear that if they were members of an invading army, their children would not be American citizens.

Standing

Mr. Wong Kim Ark was a person who claimed to be a US Citizen by birth. When the state refused him entrance to the United States, he was able to file a case arguing that he was a citizen and should be granted internee.

The state argued against him.

This means that Wong Kim had standing. The case was about him.

Now consider the current situation. Jose sneaks across the border with his wife Maria. Maria got knocked up by somebody, either north or south of the border, it doesn’t matter.

Maria and Jose show up at the hospital emergency room, where they are given “free” health care because they have no intention of paying for it.

Maria whelps Jose Jr.

Jose and Maria are handed a birth certificate for Junior. They are told they are the proud parents of an American Citizen.

You’re in the next bed and you hear that another illegal has their anchor baby.

You file suit claiming that the Fourteenth Amendment doesn’t grant citizenship to foreign invaders.

The case is dismissed. You have no standing.

This is correct.

Who has standing?

The child, the parents, and the state.

If the state isn’t challenging the granting of citizenship and the parents are not, and the child isn’t, then there is no suit.

What does the EO change?

The EO says that if you are not here legally, whelping a child here doesn’t grant that child citizenship.

If Jose wants Junior to be a citizen, he needs to file suit. The state can now argue against birthright for invaders.

If Jose loses, he better stop. If he appeals, then the circuit court will hear the case. And the state will again argue invaders don’t get to make citizens.

If the loser of that case appeals again, it will be before the Supreme Court.

At which point we will have our second opinion on birthright citizenship being granted by the 14th. It might not turn out the way that the left thinks it should.

First, Mark Smith is a lawyer. I am not. Much of the “inside baseball” I’ve learned from listening to Mark and others like him on YouTube.

His analysis of many cases is spot on. Many times his analysis guides mine. I enjoy listening to him. To put it differently, I enjoy him attempting to “make [me] the smartest person in the room.”

One of his early videos was describing how the Roberts court handles grants of cert.

As he explains it, once a case gets to the point where it will be considered for cert, it will be distributed for conference. This means that it will be discussed by the Justices at a particular conference. Those conferences normally happen on Friday.

The court will then issue their “Orders” on the following Monday. Well, that is the day it is normally published.

The orders list consists of mostly of one or two lines, case such and such petition for something is denied. There are long lists of denied, a shorter list of granted.

In addition to the short statements from the Court as a whole, there will sometimes be statements by the Justices regarding denial of cert in a case. These can be considered dissenting opinions.

If a case has been conferenced, there are three options for the case going forward. The case can be denied cert. The case can be granted cert. The case can be relisted.

If a case is relisted. Which means to be distributed for conference the next week. That will not be in the orders. It will show up in the case docket later in the day.

If a case is not listed in the orders, after it has been conferenced, it can mean one of two things (IANAL), it can mean that the case is relisted, and we’ll read it in the docket later in the day, OR it means that cert was granted but one or more Justices needs time to write a statement.

As I said, the orders are normally given on the Monday following the conference.

Occasionally, there will be a misc. orders issued on the Friday of the conference. These are grants of cert.

Why is this important in tea-leaf reading?

The Supreme Court has a term that runs from the first of October to the end of June the next year.

In general, the Court will issue opinions in the same term as they hear oral arguments on the case.

Oral arguments must take place before the close of the term, while leaving the Justices enough time to write their opinion. Consider that the Heller opinion was nearly 157 pages in length, 60 lines per page, 10 words per line.

That makes the Heller opinion around 90,000 words in length. It was written by multiple justices, but still, that is two Novels.

It is 90 long Chris articles. Ally, our writer, will write 3700 words a day when creating the first draft. She will spend a month writing a 50,000 plus word book. Then she starts editing.

This means that if they expect it to be a long opinion, they need to have 45 or more days to write it. That 45 is an S.W.A.G by me.

This puts a fairly hard deadline for oral arguments.

From the time a case is granted certiorari, the clock is running. The petitioners have 45 days to file their brief. The respondents have 30 days to file their brief. The Petitioners have 15 days to file their reply. A total of 90 days.

To give the justices 45 days to ponder and write, oral arguments must happen on or before May 16, 2025.

Putting a more concrete number on this, it took 118 days from oral arguments in McDonald to the date the Court issued their opinion.

This implies my guess of 45 days might be a bit short. Bruen was heard in November and the opinion was issued on June 23rd.

Regardless, if we are going to have an opinion this term, we are running out of time. To hit the May 16th deadline, the Court must grant cert before February 15th.

120 days was this last Thursday, January 16th.

Wolf?

Mark explained to us that we wanted three cases conferenced on the 10th of January. This happened. Good for Mark.

He explained that we would like to see cert granted January 13th, but we should expect the cases to be relisted.

He posted a video on the 10th or 11th telling us that a miscellaneous order had granted cert in three cases on the 10th. This was bad news for the Second Amendment. These cases were being given a jump start on getting things done before it was too late for this term.

On Monday afternoon, two cases were relisted. The case that was in an interlocutory state was denied cert. There was another Second Amendment case that dealing with taxes on firearms that was also denied cert.

This was precisely what Mark had predicted.

On the 17th, our two Second Amendment cases were conferenced for the second time. In the evening, a miscellaneous order granting cert in four cases was issued.

Mark posted another video telling us this was bad news for our Second Amendment cases.

I’m sticking with Mark V1. So far, the situation is progressing as he predicted. This matches my predictions (IANAL).

I refuse to panic or even worry over the weekend. Monday morning, I will read the orders. I expect to see nothing regarding Snope and Ocean State Tactical. Later in the evening, I will check the docket for those two cases, and I expect to find them relisted.

This is on track. We are doing well.

January 27th is the day we need to be paying attention to. That will be the day orders are issued for the conference held on the 24th. If the cases are relisted for a fourth time, I’ll be nervous.

Just remember, it isn’t over until the fat lady sings.

Ally came to me the other day upset about the TikTok case. One of her issues was that the AP was reporting that they couldn’t report more because it was “sealed”.

I found this to be unusual and went to the source to find out what is going on. What I found was somewhat different.

Ally pointed out that what I sent her, the docket, wasn’t something she understood.

This is a non lawyer’s take on reading dockets.

What is “The Docket”?

The docket is a record of a case. It contains the identifying information about the case as well as providing information on what court, panel, or judges will be hearing the case. It is relatively brief.

The biggest part is the “Proceedings and Orders”.

The Header

The header identifies the case.  In addition, it helps track the case back in history as it moved through different courts.

The title is the parties to the suit. The short title would be TikTok v. Garland. The date the case was docketed with the Supreme Court was December 18, 2024. The case comes from the D.C. Circuit Court. In the circuit court it had a case number of 24-1113.

The first entry tells an interesting story. The first is that this case was submitted to the emergency docket, sometimes called the shadow docket.

When a case is placed on the emergency docket, it is assigned to one justice. Each justice is assigned a set of lower courts that they “supervise.” In this case, the D.C. Circuit Court is supervised by Chief Justice John Roberts.

The party petitioners are TikTok and ByteDance. They have “filed a motion” which is legal speak for “asked for something.” What they have asked for is an injunction against the enforcement of <q>Pub. L. No. 118-50, div. H (2024)</q>. This is the “Protecting Americans from Foreign Adversary Controlled Applications.”

In other words, they want the courts to stop the banning of TikTok.

To pull the information about motion, I read the “Main Document”. On the website, this is a link to the PDF of the document.

Because this case was put on the Emergency Docket, they are not asking the court to decide on the merits of the case, instead they are asking for an injunction until the Supreme Court has made their final decision regarding the ban.

Entry two says that they have also requested that the court hear the case, on its merits.

The next three entries are briefs by different groups of people called “Friends of the Court”, or “amicus curiae”. These are not parties of the case but instead are people who want to stick their two-cents in.

These briefs must be filed by a lawyer who is a member of the Supreme Court bar. In some situations, the people filing amicus briefs must get permission first.

What is a brief?

Simply put, it is a written argument. The person or group that files the brief feels that they have something important to say that might change the Court’s mind.

These briefs are all going to be arguing that the Supreme Court do something.

The respondents will often not argue at this point. To argue that the Court not hear the case is to make the case more important. Since the Court prefers to take cases that are important in the broad scheme of things, arguing that the Court not hear a case is arguing for the case to be heard.

On December 18th, the application, as 24A587 on the emergency docket, was referred to the Court.

This is the Court’s normal Wednesday conference.

The Justice discuss the cases which have been referred to them and decide as a group what they are going to do.

There is a deadline of January 19th for them to issue an order or opinion.

Things Happen

The petition is granted on the 18th. This means that the case went from not existing within the Supreme Court’s system to being granted cert in 2 days.

This is what “Emergency Docket” means. It has to happen now.

Now this particular case is on an expedited track. The Justices have given a word limit on the briefs. We will see later that there are “Certificate of Word Count” attached to many filings, stating they are within the limits set by the Court.

The time is also shortened. All the primary briefs are to be filed by December 27th. This is only 9 days after the granting of cert.

The court also says when oral arguments are happening.

The court also consolidated two cases. This is why we went from 24A587 to 24-656. The two original dockets were 24A587 and 24A656.

While the court said that oral arguments were on the 10th of January in their order. The official order is “SET FOR ARGUMENT at 10 a.m., Friday, January 10, 2025.”

Things Start Moving

We start to see the Amicus briefs start to arrive. They have until 1700 the 27th to get their briefs in.

We can tell that the people interested in this case have already prepared their briefs and are submitting them within a few days.

Our first entry is an order from the clerk of the court. They are telling the filer that they didn’t do it right. The submitted their brief with a word count, but the proof of service was incomplete.

The clerk will not accept the brief until the deficiencies are resolved.

Many Briefings and Orders

Outside the amici briefs, we have a “request”, which is Supreme Court speak for “order”, to the circuit court for a complete record. There is an “appendix” which is the compendium of all the briefs filed in the lower court(s?).

While the cases are combined, both petitioners request to argue separately. It will happen on the same day, one after another.

When reading these entries, the notation “(Distributed)” means that the filing has been given to the justices.

Many briefs are filed. The justices met and on the 31st granted the petitioners motion to argue separately.

All the replies were submitted on time.

One of the amici managed to mess things up so badly that they didn’t get their homework in on time. They asked the Court for an exception, the Court said, “no”.

Interesting Entry

This is the record of the cases before the D.C. Circuit Court. The records came in to parts. One part is open to the public, they other is sealed.

Sealed information can include things like financial details, personal identifying information (think SSN), or the identity of undercover or human sources. It can also include methods that the state doesn’t want public.

The Supreme Court can decide to unseal those records, but it isn’t going to happen. There is no need.

The Oral Arguments

The quick way to find out what happened on the 10th is to read the transcript.

If you want to spend 2 hours listening, you can listen to the oral arguments

What’s going to happen?

On the 17th, the Court has its next conference. They will discuss the cases referred to them, the cases distributed to them seeking cert, and cases where oral arguments have been heard.

They will come to a conclusion.

Once they decide, they need to write the opinion. If any justices are dissenting, they have to write their dissent.

Justices can write concurrences as well. This is when the justice agree with the opinion, but not the reasoning of the majority opinion.

Once all the opinions are finished, the opinion of the court will be released.

If the justices know that it will take longer to write the opinions than they have, they can issue an injunction. The injunction will put everything on pause until the Court can issue their opinion.

Where to From Here?

The path from here is working backwards. Given the circuit court and the docket number for that court, you can look up the docket on the Circuit Court’s website.

Of course, this doesn’t always work. To answer this, we use Court Listener to look up the case at the circuit court. The link I’ve given takes you to this case.

Within the circuit court docket, we find the same type of docket. Part of what we will find is a reference to the district court case.

All the oral arguments at the circuit level are available on the web. It can be difficult to find. Court Listener is your friend there as well.

Go have some fun reading documents.

David Snope, et al., Petitioners

There are places where I feel sorry for The People. People in California seem to have gotten what they wanted. The people of Illinois, not so much.

The lower court of the State recently issued an order in favor of The People, but not of the Second Amendment.

This was a win. The people of Cook County no longer have to pay a tax on guns and ammo. Well, that is what the state supreme court said, and the lower court, but not Cook County. They are continuing to collect taxes.

So how is this a win?

It is a win because the plaintiffs, the good guys from Guns Save Life, got what they wanted. The courts have ruled that the county may not legally collect the tax. For perspective, they filed their lawsuit in 2015, the case was closed on January 10th, 2025.

The state was actually arguing that the supreme court of Illinois had ordered the case dismissed because it was “moot”, while the county is still collecting taxes.

Why is that?

Because the case was filed as both an unfair tax and a Second Amendment challenge. The “unfair” was a challenge under the Illinois “uniformity act”.

Well, the lower court decided that it was absolutely ok to tax guns and ammo. I don’t think the judge ever read —United States V. Wong Kim Ark, 169 U.S. 649 (1898) where the Supreme Court found that taxing ink used by a newspaper was a violation of the First Amendment.

The lower court also found that the taxes were uniform enough.

This was appealed. On appeals, the intermediate court agreed with the lower court. This was appealed to the Illinois supreme court.

There, the tables turned in favor of the good guys.

But not in the way you might think.

The court waved their hand at the Second Amendment challenge, likely because they had read the above cited case. They said, “We don’t need to consider the Second Amendment issue because this tax doesn’t withstand the uniformity challenge.”

The supreme court then continued with instructions on how the state (Cook County) could change their low to make it safe under the uniformity clause.

The court issued an order to the lower court “for entry of summary judgement in favor of the plaintiffs.”

This should have been a done deal, in thirty minutes. Instead, the lower court sat on the damn case for four more years. This gave the state time to modify the tax law and to claim the issue was moot.

Finally, the lower court did as instructed and entered summary judgement in favor of the plaintiffs, the good guys.

The court addressed the Second Amendment challenge as such: the supreme court didn’t bother to hear anything about the Second Amendment, it is moot in this situation.

Thus, The People won, but in winning did not get a Second Amendment win.

Oh, Cook County is refusing to stop collecting the tax.
LAWLESS: Despite court rulings striking down their Gun & Ammo Tax, Cook County says they’ll continue collections

John of www.GunsSaveLife.com was kind enough to post a link back to us and to quote The Game is On! SCOTUS update

He expressed a bit of skepticism.

John is skeptical because nobody knows what is going to happen in Supreme Court conferences.
It is all “reading the tea leaves”.

The black box which is Supreme Court conferences has visible inputs. Status of the case, briefings on the case, circuit split, time after the last Supreme Court opinion on the subject and a few others.

For output, we have “Denied”, “Denied with statement”, “Granted”, “relisted” and “rescheduled”.

Why the justices decide on which output is a guess. Some people are good at those guesses. Mark Smith has a good record. I don’t have a record to stand on. We know historically that “rescheduling” happens when the justices want to see multiple cases at the same time. We know that under Roberts, cases that are relisted are almost always granted cert. and those that are not have some procedural issue with them, not merits issues.

Cases that are denied Cert generally have nothing said about them. Think of it as spending 30 minutes trying to convince your parents to do something, and at the end of that they say “no”. That’s how most denial of cert goes. Nobody cares when cert is granted. It is going to happen.

When one or more justices feels strongly that cert should have been granted, they will write a statement to go along with the order list. Occasionally, a justice will write a statement explaining to the petitioner why cert was denied so that they can address the issue.

We saw several statements from Justice Thomas on why they were not granting cert on Second Amendment challenges that were in an interlocutory state.

My wife read my article on passwords and “got it”. Which is nice. I was attempting to explain how password crackers use rule sets to modify input dictionaries to create more guesses from a single word list.

I decided to see how much things have advanced. To say I was shocked would be an understatement.

In 2013, the game “Battlefield” was hacked and the entire password database was captured.

This is not the major security threat you might instantly leap to, but it is bad.

Stealing Passwords

I worked in the Systems Group at my University. We were tasked with all software maintenance, installations, upgrades, and in house improvements to the operating system.

The systems group had taken the original manufacturer’s operating system and extended it to the point where it was no longer the same operating system. Having done this, we gave back all the code we had written to the manufacturer, who incorporated what they liked into their next release.

We had developed a long term backup plan. This plan was three tiered. We took daily backups of the entire file system. This was a rolling tape backup. There were 30 days of daily backups performed before the first tape was overwritten.

We also performed weekly backups. There were 52 weeks of weekly backups. So a total of 82 backup sets.

In addition to this, we did end of term backups. These were done just after the term ended. These tapes were kept.

What this meant was that if your file were to live for at least 24 hours, you would be able to recover to any particular day in the past 5 weeks of your file.

If your file were to exist over a weekend, you could recover that file to how it was on the weekend it was dumped for the past year. And if your file were to exist over the term break, it would exist for the lifetime of the storage. 9 track tapes now being dead, I’m not sure what the University did to preserve those old tapes.

In addition to these backups, we took a separate backup of the “password” file once a day. There were 30+ days of password file backups.

That is the setup. The actual story:

We used to give tours of the machine room. The operators enjoyed bragging about the quality of our backup system.

One of these tours, a little monster took one of the password backup tapes and put it in his backpack. He walked out of the machine room with that tape. Nobody noticed the missing tape for the next 30 days.

Said monster took that tape over to the engineering department, where they had their own 9 track tape drives. He read in the file.

He was presented with 10s of thousands of clear text passwords.

This had financial implications because we sold computer time.

We changed our policy to always encrypt the password file before it was written to tape. I have no idea if that encryption standard was any better than Sunday comic page ciphers.

No more Plain Text Passwords

The number of times somebody in a movie has gotten the idiot to give them somebody else’s password is astronomical. The truth is that most passwords are stored in an “encrypted” format. We don’t have access to your password.

We can reset your password, but we can’t tell you what it is because that isn’t recorded.

At the university, they were still storing passwords in plain text. They only encrypted the password when it was written to tape.

Modern systems store that password in an encrypted format. The old method was what is called “descrypt”.

The first two characters of the encrypted password is the “salt” and the rest is the DES hash of the password. This is NOT the same as encrypting your password with a secret and then being able to decrypt it with that same secret. Instead, we use your password to encrypt a given, known, piece of text. The encrypted result is what is stored.

When you provide your password, we encrypt the same text string with your password. If the resulting text matches what we have stored, you have proven you know the password.

Here are a couple of hashed passwords: SD2PFyBHY1oUY, q5M9nJsU/JSwI, sTd5NrAIMrisU, 8MbLuguRAeo92, $1$OcbNKu2y$l9faj.aCWodfonXiSlgnV0, $1$hh765lOJ$lrZ4jkCtUkG3qPBuFJQ/2., $5$2W0fdlfY.a/iXErF$xbzHcX8CfPc89vJkxsiC/BjDmqxI20Yk.Vj9OLL/6e2, and $5$HxfQ9B30d8GdmyPo$J6FWaeGKSez2cLbw3cktvaYgPvsTFaXdMzYp4yDcQjD.

These are all hashes of the same password, “hello world!”

Slow Them Down

Storing passwords in plain text is stupid. But computers are faster than you think. Thus, we want to slow down the speed at which computers can make guesses.

We do this by using a salt.

Consider the situation where you had 74,577,451,608 guesses you wanted to try. If you were to create the hash for each of those guesses, it might take you a bit of time. In the end, you would have them all. Now it is only seconds to look up the hash in a database/file and get the plaintext password used to generate that hash.

To fight this, we use the salt. The salt modifies the hashing process such that for any given password, there are many possible hashes to represent that password.

As shown above, even when using the same “hashing algorithm” we got many results.

This is to slow the guessing of passwords down.

And the results

In 2013, the game “battlefield” was cracked. They escaped with around a 1/4 million password hashes. These are not clear text, you can’t just type them into an account and get in, they are still “protected”.

I used a starting source of 184,000 known passwords. To this, I added an American and a British word list. I didn’t bother to get name lists for a total of 282,000 unique test words.

In the simplest case, with no salt applied, that is 184,000 * 282,000 different combinations to test.

In 2 minutes and 50 seconds, on my medium GPU and medium CPU, we tested 74,577,451,608 different passwords against 282,546 password hashes.

We were able to guess 7.30% of the passwords, or, 30943 passwords.

That is more than enough to make money.

And you can see how bad they can be.

What we are talking about is “authentication.” Authentication is the method of confirming that you are who you say you are.

There are three methods to determine authentication:

1. Something only you know
2. Something only you have
3. Something unique about you

In the old days, when people carried checkbooks with them and wrote checks for things, you would be asked to prove your identity before you could use a check. Proving your identity was a process where a person would first authenticate your identification card, and then they would verify that the identification card matched you.

A state issued identification card will have different aspects about it that should make identifying fakes easier for the trained person. In the those olden days, they would often have your Driver’s License number be a SoundEx of your last name. SoundEx was a simple encoding method that could be generated from a name.

If the SoundEx didn’t match the DL number, it was a fake.

For the most part, people trusted DLs. They were relatively difficult to fake, and it was often easy to spot fakes.

This is an example of something you have, your DL, and something unique about you. Your picture and description.

Computer Authentication

Computers authenticate you with the use of two pieces of information, the first is your “name”. The second is your password.

Your name can be an email address or a username. While the pair, username and password, are required, only the password is a secret. Or should be a secret.

In a perfect world, this would be good enough. In this imperfect world, see Password Security/Password Managers

We will assume that your password is strong and will not be cracked in this century.

What we want to protect against is people stealing your username and password. Be that by phishing or by tricking you, or by lifting your keyboard to read your password on a PostIt note.

We need to improve our overall security posture by adding something besides “something only you know” to the equation.

Biometrics

This is just a fancy word for something unique about you. What you look like. What you sound like. What the patterns of ridges on your fingers look like. What the blood vessels in your eye look like. These are things that are unique about you.

The super fancy eye scanner in NCIS is a myth. While it might actually work in practice, it will be expensive and is only part of the equation.

Fingerprint scanners are a joke. Facial recognition has more downsides than positives. And don’t have a sore throat if you are using vocal recognition.

Most low-cost fingerprint scanners don’t do a good job. They scan something they think is a fingerprint on a finger. That scan is processed and turned into a series of identified markers. That is turned into some sort of “value”. That value is what is actually compared and authenticates.

To reduce false negatives, these scanners often do a poor job of discriminating. They are also fairly weak at detecting live vs. Memorex.

Finally, if you have a fingerprint scanner or some other sort of biometric authenticator, bad actors can forcibly use your body to unlock your stuff.

It is far too common of an occurrence to have customs or law enforcement hold your finger to your phone’s scanner to unlock your phone. Don’t use biometrics to secure your devices. Oh, currently the courts find this to be legal and not a violation of your civil rights.

This takes use too:

Security Devices

A security device is a device that only you have that can communicate with other devices to help authenticate you.

Notice it is a helper, it is not the be all, end all.

The most common security device in use today is a mobile or cell phone.

The assumption is that you are the person holding your phone and that your phone can only be unlocked by you. This means that they can send you a text message, and you will have to unlock your phone to get the code they sent.

Except… Often the code is visible even when the phone is locked. The phone might be unlocked for other reasons. Or somebody cloned your phone and is getting the same SMS messages that you are.

In addition to that, some people have their devices configured to read messages to them. Or worse, they have configured their phones to read messages on command.

My favorite example of this was when I was working on a female friend’s car. She had a new boy and they were texting hot and heavy. Every time she received a new message, her phone would announce “To hear the message say “read message”.

At one point her phone announced, and I spoke up, “read message”.

She ran when her phone started to read the message out loud. It was just as spicy as I expected.

While the phone is very convent, it isn’t very secure.

Still, phones can be used as an authenticator.

This is a magic pseudo random number generator. The authenticator reads a seed from the remote device and attaches it to a particular site or device.

The two can generate the same pseudo random number at any point in time, based on the shared seed.

The site requests you provide the code from the authenticator. You unlock your phone, run the authenticator, find the correct device, copy the code from your phone to your computer to log in.

It is a fairly cheap and easy method and requires very little extra.

A number of my clients use this type of authenticator, and WordPress/WordFence does as well. It is an acceptable option if your phone is kept locked.

Better still, turn on extra security. The authenticator I use allows me to set a PIN for the application. Without the PIN, something only I know, the authenticator will not run.

Security Tokens

These supply a different form of security. They are designed to prove to a remote system, or local, that you have something that is unique.

A key.

One type of security token generates is a physical rendition of the phone authenticator. The one that I used required me to enter a PIN. It did not matter what PIN you entered, it generated numbers. If you entered the numbers from a correct PIN, you were logged in. If you entered the numbers from an incorrect PIN, the system would alert administrators or security, depending on how it was configured.

In other words, the system administrators and security personal could set them up to provide “panic” or “distress” codes.

Mine didn’t have that feature. If I put the wrong code in I couldn’t log in. Guess I wasn’t that important in the grand scheme of things.

Which takes me to my favorite authentication key, the YubiKey.

This is a small device, about the size of a thumb drive, but much thinner.

They have USB-A or USB-C connectors and some have NFC capabilities. They are small enough and light enough that I carry one of them attached to my key ring, along with a magic USB drive that contains a working version of Linux.

When properly configured, when a website needs a 2FA action, it will request that you insert the device. A small LED flashes, you touch the LED and the flashing stops. Some magic happens, and the website confirms that you have the right device.

If you have the NFC version, you can just tap the key to the back of your phone to accomplish the same thing as plugging it into a device.

In general, you should have two of them. Just in case you lose one.

Conclusion

Two-Factor Authentication adds a significant improvement to your security stance. They can almost completely stop phishing attacks.

Even if you are tricked into providing your credentials to a phishing website, when they attempt to use those credentials, they do not have the second factor to complete the authentication process.

Using your phone as your security device isn’t as strong as an authenticator. Using an authenticator application on your phone, is.

Combine these with a good password manager and you have a strong, secure system.

Until you find that the bad guys just ignore all that authentication stuff and took your computers.

Password Security

There are four ways of cracking a password.

1. Guess the password
2. Brute Force the password
3. Go around the password authentication
4. Trick the password from the owner

If your password is easy to guess, then it is a weak password. Examples of weak passwords are: password, 1234, YOUR_NAME, BIRTHDAYS. Many things use a four digit PIN. When guessing them, the best place to start is the set of numbers between 1950 and 2005, followed by 1930-1949, and 2006-2024. Years of importance to you.

Brute force is when you try all possible passwords. Back in the days of the TRS-80, there was a password on some part of the operating system. I wrote a simple brute force cracker for it.

Once it was running, my host and I got ready to go to dinner. Before we got out the door, the program stopped.

I assumed the program failed. Turned out that the password was so weak, three or four characters long, that it only took a few minutes to try all the passwords to that point.

Going around a password is sometimes easier than it should be. People don’t bother to log out. When I was visiting my father, I sat down at his computer. It was unlocked. I was able to “be” him if I had wished. I didn’t have to bother with a password.

There is an entire industry devoted to tricking people into handing over their passwords. It is so bad that it has its name, “phishing”.

And anybody can get caught in the net. I was caught just once. My wife’s school was phished, hard. The entire school got an email that looked legitimate from an administrator for the district. Her account then automatically sent it to me because I was in her address book.

I opened because it was from my wife. It had a good subject line. It looked legit.

It didn’t do anything to me because I run Linux, but it caused a great deal of damage to the school district.

Besides phishing, there is looking for the passwords that people have written down.

Again, using my father, the password for my mother’s computer was written on a PostIt note stuck to the inside of her laptop.

There is no need to guess, force or phish when the password is just given to you.

The Balancing Act

It is rather oxymoronic that the harder it is to remember a password, the harder it is to crack the password. If your password is “happyfaces” it might be easy to remember, but it is also easy to guess.

On the other hand, “wynt>Otchib5” is difficult to remember and difficult to guess. The password generator I used gave that to me as “wynt-GREATER_THAN-Otch-ib-FIVE” as how I might pronounce it and remember it. Still, it isn’t going to work

When passwords get too difficult to remember, people need to write them down. You would be amazed at the number of personal, and business, computers which have a file named “passwords”. People write them down.

The other thing that happens is that people remember one “good” password, then use it over and over again. If they ever lose that password, they lose access to everything, or the bad hat gets access to everything.

Many people think they will be tricky and use character substitution. Instead of “password” they write, “p@55w0rd”, and think they are clever. They aren’t.

There is a scene in Schindler’s List where they have just cleared the ghetto. Now they are searching for hidden Jews. The German’s come in, and they know where to look. They are experts at finding people. They’ve done this before. They know all the hiding places.

If you think you have found something clever that will make your password “unguessable”, you are mistaken.

Long Passwords Are Better(?)

Let’s assume that you are going to use a password that can’t be guessed easily. This leaves the brute force method.

This is a matter of mathematics. The larger the symbol set, the better. Longer passwords are better.

Consider a four digit pin, there are 10,000 possible PINs. As a password, that sucks.

But if we increase the symbol set to digits and letters, we get a slightly better result: 36^4 = 1,679,616. Still not strong.

But let’s say you go all out and have a symbol set of all ASCII printable tokens. There are 128 ASCII tokens, of which 94 are printable. This gives us 81,450,625 different passwords. Which still sucks, but it is getting better.

Now, let’s just make the password longer, call it 8 characters, at that point our results would be: 6,634,204,312,890,625. This is a strong password. Unfortunately, it is likely to be nearly impossible to remember.

My default is 12 characters.

Creating Strong Passwords You Can Remember

When we go back to that original statement, “The larger the symbol set, the better.” What if I told you that there is a symbol set of approximately 100,000 symbols, that you already know?

That symbol set is the set of all common English words.

What we would like to see is a number near 6 Quadrillion. With a symbol set of 100,000 words, 3 words give you 1 Quadrillion and four words give you 118,495,929,354,657,605,136.

This doesn’t consider word separators or case. Here is one such random password, “farm particularly wild refer”. If you modify the spaces to be different characters, or capitalize some letters, even if it only the first letter, you get even better results.

So what’s the problem? The issue is that it doesn’t look like a strong password. Many password checkers will see that long password and reject it because it doesn’t have special characters.

For me, a programmer, I can put together a simple program, take the string above, feed it into sha256sum to get 256 bits of pseudo noise. Extracting the printable characters, I get “dLuxo8x’H54MBd”

Now I have a good password I can remember, which can be used to generate a password which the rest of the world will accept as strong.

Password Managers

Password managers are supposed to fix much of this. They exist to store your passwords in a “secure” form, which you can then extract when needed. In addition, they will generate strong passwords for you to use.

I, personally, use four password managers and have used a fifth.

The first, most people are aware of, is the password manager built into your browser. I use Firefox and Chrome, so those are two password managers. My Linux system has another password manager built in. Finally, I use “Keeper” and have used “Last Pass”.

I love Keeper, I pay for the version I use, but there might be a free version. For me, it is worth it. One of the reasons it is worth it to me, is that with the paid version I can share access to password folders or individual passwords.

I never liked “LastPass” but I can’t say why. I do know they were cracked within the last few years. Because of their security model, when they were cracked, the bad guys extracted all the passwords.

Keeper stores all passwords encrypted. Only you have the decryption key. Thus, if they were to lose everything, they would not expose your passwords.

The browser managers are there because I was using them before Keeper. I’m slowly phasing them out.

I’m also looking into a self-hosted version of a password manager. I have not decided on which one, if any, I will try.

Chicken and Egg

The problem with all password managers is that there is a single point of failure. That is the password to access your password manager.

Which takes us back to “Long passwords work better”. Generate a random four – word password, I used xkcd Password Generator but you can just open a physical dictionary and randomly select four words.

Memorize those four words. Then you can use that as your master password.

Make the move to a good password manager. Use one that distrusts the government.

Two Factor Authentication

I need to look at my articles to see if one already exists, if it doesn’t, I’ll write something up.

In general, people are idiots. In groups, they have a combined IQ of less than 70 and the common sense of a three year old.

Daniel Penny is a US Marine who stepped up and protected the people on the subway. He held a homeless, violent, man until the man could be arrested.

He was then interrogated for hours without a lawyer because the police interrogating him established a relationship, by being an ex-marine.

It is often said that there is no such thing as an ex-marine or a former marine. You are a marine for life. There are exceptions, the cop who interrogated Daniel Penny is an ex-marine.

Having charged and arrested this hero, they are now trying to screw him over, yet again.

Prosecutors have wide latitude in what they charge. One of the standard tricks is to bring multiple charges for the same crime, over charging at least one.

Humans like to think they are being fair and reasonable. One of the oldest and most famous instances of this is when a man was taken before a Roman Governor to be “sentenced” for claiming to be a king above Caesar.

The Governor refused to kill the man, instead sentencing him to be whipped. Even though I’ve found nothing wrong with him, he still had the man flogged. When the mob insisted he be put to death, the Governor replied, I told you — he’s not guilty! I find no reason to condemn him..

The complete tale can be found in John 19:1-25.

In other words, to appease people, an innocent man was flogged.

Prosecutors overcharge in expectations that the jury will often find the accused not guilty of the most serious charge, but to appease the prosecutor, will find the accused guilty of the lesser charge.

They can go home, secure in the knowledge that they didn’t sentence a man to 20-life but only 5 to 10. (made up numbers).

Not really internalizing that 5 to 10 is still too much for an innocent person.

The Jury deadlocked. Some members of the jury found that Daniel was not guilty of second-degree manslaughter, some insisting that he was. When they reported a deadlock, the judge charged them to work harder.

The prosecutor then did Daniel a dirty. He requested that the second-degree manslaughter charge be dismissed.

Why is this dirty pool?

If the Judge accepts the motion to dismiss the second-degree manslaughter charge, then the deadlock goes away. If the deadlock goes away, then the jury will have to deliberate over the second charge of criminally negligent homicide.

Human nature will make it easier for the jury to return a guilty verdict on the lessor charge.

The judge should have declared a mistrial. Instead, he accepted the motion to dismiss. He released the jury until Monday.

On Monday, they will start deliberation on the second charge.

I hope that they deadlock on the second charge as well.