• Password Security

    There are four ways of cracking a password.

    1. Guess the password
    2. Brute Force the password
    3. Go around the password authentication
    4. Trick the password from the owner

    If your password is easy to guess, then it is a weak password. Examples of weak passwords are: password, 1234, YOUR_NAME, BIRTHDAYS. Many things use a four digit PIN. When guessing them, the best place to start is the set of numbers between 1950 and 2005, followed by 1930-1949, and 2006-2024. Years of importance to you.

    Brute force is when you try all possible passwords. Back in the days of the TRS-80, there was a password on some part of the operating system. I wrote a simple brute force cracker for it.

    Once it was running, my host and I got ready to go to dinner. Before we got out the door, the program stopped.

    I assumed the program failed. Turned out that the password was so weak, three or four characters long, that it only took a few minutes to try all the passwords to that point.

    Going around a password is sometimes easier than it should be. People don’t bother to log out. When I was visiting my father, I sat down at his computer. It was unlocked. I was able to “be” him if I had wished. I didn’t have to bother with a password.

    There is an entire industry devoted to tricking people into handing over their passwords. It is so bad that it has its name, “phishing”.

    And anybody can get caught in the net. I was caught just once. My wife’s school was phished, hard. The entire school got an email that looked legitimate from an administrator for the district. Her account then automatically sent it to me because I was in her address book.

    I opened because it was from my wife. It had a good subject line. It looked legit.

    It didn’t do anything to me because I run Linux, but it caused a great deal of damage to the school district.

    Besides phishing, there is looking for the passwords that people have written down.

    Again, using my father, the password for my mother’s computer was written on a PostIt note stuck to the inside of her laptop.

    There is no need to guess, force or phish when the password is just given to you.

    The Balancing Act

    It is rather oxymoronic that the harder it is to remember a password, the harder it is to crack the password. If your password is “happyfaces” it might be easy to remember, but it is also easy to guess.

    On the other hand, “wynt>Otchib5” is difficult to remember and difficult to guess. The password generator I used gave that to me as “wynt-GREATER_THAN-Otch-ib-FIVE” as how I might pronounce it and remember it. Still, it isn’t going to work

    When passwords get too difficult to remember, people need to write them down. You would be amazed at the number of personal, and business, computers which have a file named “passwords”. People write them down.

    The other thing that happens is that people remember one “good” password, then use it over and over again. If they ever lose that password, they lose access to everything, or the bad hat gets access to everything.

    Many people think they will be tricky and use character substitution. Instead of “password” they write, “p@55w0rd”, and think they are clever. They aren’t.

    There is a scene in Schindler’s List where they have just cleared the ghetto. Now they are searching for hidden Jews. The German’s come in, and they know where to look. They are experts at finding people. They’ve done this before. They know all the hiding places.

    If you think you have found something clever that will make your password “unguessable”, you are mistaken.

    Long Passwords Are Better(?)

    Let’s assume that you are going to use a password that can’t be guessed easily. This leaves the brute force method.

    This is a matter of mathematics. The larger the symbol set, the better. Longer passwords are better.

    Consider a four digit pin, there are 10,000 possible PINs. As a password, that sucks.

    But if we increase the symbol set to digits and letters, we get a slightly better result: 36^4 = 1,679,616. Still not strong.

    But let’s say you go all out and have a symbol set of all ASCII printable tokens. There are 128 ASCII tokens, of which 94 are printable. This gives us 81,450,625 different passwords. Which still sucks, but it is getting better.

    Now, let’s just make the password longer, call it 8 characters, at that point our results would be: 6,634,204,312,890,625. This is a strong password. Unfortunately, it is likely to be nearly impossible to remember.

    My default is 12 characters.

    Creating Strong Passwords You Can Remember

    When we go back to that original statement, “The larger the symbol set, the better.” What if I told you that there is a symbol set of approximately 100,000 symbols, that you already know?

    That symbol set is the set of all common English words.

    What we would like to see is a number near 6 Quadrillion. With a symbol set of 100,000 words, 3 words give you 1 Quadrillion and four words give you 118,495,929,354,657,605,136.

    This doesn’t consider word separators or case. Here is one such random password, “farm particularly wild refer”. If you modify the spaces to be different characters, or capitalize some letters, even if it only the first letter, you get even better results.

    So what’s the problem? The issue is that it doesn’t look like a strong password. Many password checkers will see that long password and reject it because it doesn’t have special characters.

    For me, a programmer, I can put together a simple program, take the string above, feed it into sha256sum to get 256 bits of pseudo noise. Extracting the printable characters, I get “dLuxo8x’H54MBd”

    Now I have a good password I can remember, which can be used to generate a password which the rest of the world will accept as strong.

    Password Managers

    Password managers are supposed to fix much of this. They exist to store your passwords in a “secure” form, which you can then extract when needed. In addition, they will generate strong passwords for you to use.

    I, personally, use four password managers and have used a fifth.

    The first, most people are aware of, is the password manager built into your browser. I use Firefox and Chrome, so those are two password managers. My Linux system has another password manager built in. Finally, I use “Keeper” and have used “Last Pass”.

    I love Keeper, I pay for the version I use, but there might be a free version. For me, it is worth it. One of the reasons it is worth it to me, is that with the paid version I can share access to password folders or individual passwords.

    I never liked “LastPass” but I can’t say why. I do know they were cracked within the last few years. Because of their security model, when they were cracked, the bad guys extracted all the passwords.

    Keeper stores all passwords encrypted. Only you have the decryption key. Thus, if they were to lose everything, they would not expose your passwords.

    The browser managers are there because I was using them before Keeper. I’m slowly phasing them out.

    I’m also looking into a self-hosted version of a password manager. I have not decided on which one, if any, I will try.

    Chicken and Egg

    The problem with all password managers is that there is a single point of failure. That is the password to access your password manager.

    Which takes us back to “Long passwords work better”. Generate a random four – word password, I used xkcd Password Generator but you can just open a physical dictionary and randomly select four words.

    Memorize those four words. Then you can use that as your master password.

    Make the move to a good password manager. Use one that distrusts the government.

    Two Factor Authentication

    I need to look at my articles to see if one already exists, if it doesn’t, I’ll write something up.

            

  • In honor of the Georgia peanut farmer

            

  • May his time in Hell be tempered by the good he did after he was no longer in office.

    In my opinion, this man started the decline of respect for the United States. His policies were so bad that we still have not recovered from them.

    The Middle East is a cesspool of tribes. All of which hate each other, except maybe the Jewish people.

    Middle Eastern tribes respect only one thing, power. If you have power, you are respected. If you do not have power, you are less than the dirt beneath their sandals.

    The Peanut farmer let the US embassy in Iran be taken multiple times by “students”.

    He was so afraid of “offending” the Iranians, that he ordered the Guards at the US Embassy to be disarmed. AFTER they were over run.

    When the “students” took over and took hostages, he sat with his thumb up his arse playing footsy with Mrs. Peanut Farmer for 100s of days.

    I know, personally, that there were troops in the air within hours of the hostages being taken. I know, personally, that there was a plan to retake the embassy within a few hours of it being taken.

    That weakness led to the fall of Iran. Which turned it into the terrorist state of Iran.

    The World Trade Center bombings? Jimmy’s fault.

    The bombing of the U.S.S. Cole? Jimmy’s fault.

    9/11? Jimmy’s fault.

    The slight tinge of regret I have is for his Wife. I don’t think she is in Hell with him.

            

  • I love my bagels. I love everything about them. You could use homemade bagels for this, but if you want to buy them, that makes it SO EASY. This is very much a throw-together meal that could be made the evening before then just heated up in the morning if you’re feeding a crowd. And if you can’t find everything bagels, use plain, and pick up a bottle of “everything bagel” seasoning and just sprinkle it throughout!

    Ingredients:

    • 4 everything bagels, chopped
    • 1-1/2 cups shredded cheese
    • 1-1/2 cups halved cherry tomatoes
    • 8 oz block cream cheese, cut into 1/2″ cubes
    • 1/2 red onion, thinly sliced
    • 10 large eggs
    • 2-1/2 cups milk
    • 2 green onions, sliced, plus more for garnish
    • salt to taste
    • freshly ground black pepper
    • a pinch of cayenne
    • 1 tsp poppy seeds
    • 1 tsp dried minced onion
    • 1 tsp sesame seeds
    • 1 tsp dried garlic
    • 1 tsp coarse salt

    Preheat your oven to 350°F and grease (or no-stick spray) a 9×13″ baking pan. Distribute half of the bagel pieces int he pan, and top them with half of the cheese, tomatoes, cream cheese, and red onion. Repeat to make another layer.

    In a bowl, whisk together your eggs, milk, and green onions. Season with the salt, pepper, and cayenne. Pour the egg mixture over the bagels, making sure to coat each bagel piece. Sprinkle the top of the casserole with the poppy seeds, minced onion, sesame seeds, garlic, and coarse salt. Cover the pan with aluminum foil and bake for 45 minutes.

    Remove the foil, and continue to bake until the bagels are golden and the eggs are cooked through. This may take up to 25 minutes more. Allow it to cool for 15 to 30 minutes.

    Garnish with green onions before serving.

    Notes:

    You can add spinach to this if you like! Sprinkle it through with the tomatoes and onions. Any kind of cheese will work. You should cater to your intended audience. This can be made dairy free by using a dairy free milk substitute like oat milk or Silk, and by using a non-dairy vegan cheese. It can’t really be made vegan, however, because the egg is the binder for the casserole.

    If you want to make this ahead, bake it for the first 45 minutes, then set it somewhere to cool, and refrigerate overnight. In the morning, bake it for the final 15 to 25 minutes, so it’s warm throughout and everything looks delicious.

    Some people prefer more eggs and some prefer less. The casserole should have enough egg incorporated to allow the bagel bits to “stick together.” If you like more egg and want it to be more solid, feel free to add as many eggs as you think you need to get it there. Be aware that it may change the baking time. Be prepared to add an extra 15 or so minutes to make sure the egg is cooked through before taking the foil off.

            
  • An example — from an NYU professor:

    “{DJT’s holding a rally in Waco} sends a clear message…Waco has been a pilgrimage site for White power and militia movements… He is paying homage to this tradition and doubling down on his profile as leader of an extremist cult (MAGA).

    The stagecraft and rituals seen at this rally also continue the Fascist past. In both Italy and Germany, Fascism evolved out of paramilitary environments, with a cult leader who orchestrated violence. Once in power, Fascists used propaganda to change the public’s perception of violence, associating it with patriotism and national defense against internal and external enemies. Rallies were crucial to that end.”

    Another dog whistle that only leftists can hear.

    This was in reply to a moron who claimed that this was just par for the course because “…he tried to have a rally on Juneteenth in Tulsa.”

    The original post:

    So let me get this straight. When liberals go to college, they’re called indoctrination centers and woke campuses. But if you’re from a foreign country and come to school here, Donald Trump wants to automatically hook you up with a green card. Even if it’s a 2 year junior college, so that you stay here.

    But if colleges are making everyone woke marxist communists. Why would Trump keep them here?

    🤔… it’s almost as if republicans been lying to you to keep you stupid and keep themselves in power.

    Cause I’ll tell you what. Republican leaders, they send their kids to school.

    I don’t even want to go looking for what the accusation actually is. They have a clip of Trump saying something, but I don’t trust anything posted until I can examine it in context.

            

  • Resiliency is a goal. I’m not sure if we ever actually reach it.

    In my configuration, I’ve decided that the loss of a single node should be tolerated. This means that any hardware failure that takes a node of line is considered to be within the redundancy tolerance of the data center.

    This means that while every node has at least two network interfaces, I am not going to require separate PSUs with dual NIC’s, each with two 10Gbit interfaces. Instead, each node has two 10Gbit interfaces and a management port at 1 to 2.5 gigabits RJ45 copper.

    Each node is connected to two switches. Each switch has a separate fiber, run via a separate path, back to a primary router. Those primary routers are cross connected with two fibers, via two different paths.

    Each of the primary routers has a fiber link to each of the egress points. I.e., two paths in/out of the DC.

    The NAS is a distributed system where we can lose any room and not lose access to any data. We can lose any fiber, and it will have NO effect on the NAS. We can lose any switch and not have it affect the NAS.

    We can lose any one router and not impact the NAS.

    So far, so good.

    Each compute node (hypervisor and/or swarm member) is connected to the NAS for shared disk storage. Each compute node is part of the “work” OVN network. This means that the compute nodes are isolated from the physical network design.

    Our load balancer runs as a virtual machine with two interfaces, one is an interface on the physical network. The other is on the OVN work network.

    This means that the VM can migrate to any of the hypervisors with no network disruption. Tested and verified. The hypervisor are monitored, if the load balancer becomes unavailable, they automaticity reboot the load balancer on another hypervisor.

    So what’s the issue?

    That damn Load Balancer can’t find the workers if one specific node goes down. The LB is still there. It is still responding. It just stops giving answers.

    I am so frustrated.

    So I’m going to throw some hardware at it.

    We’ll pick up a pair of routers running pfSense. pfSense will be augmented with FRR and HAProxy to provide load balancing.

    Maybe, just maybe, that will stabilize this issue.

    This is a problem I will be able to resolve, once I can spend time running diagnostics without having clients down.

            

  • In upgrading from copper to fiber, I’ve been exploring the different options and learning as I go. Some learning curves have been steep, others have been “relearning” what I already knew.

    One of the biggest things I needed to learn is that there are “switches” that are actually “routers”. That was mind-bending.

    The other is that the network dudes talk about VLAN and Tagged VLAN. They are different things. In the environments I’ve been working in, there are only tagged VLANs which are called “VLAN”. Same name, different meaning.

    The starting place when moving from copper to fiber is to understand what a Small Form-Factor Pluggable is. This is the magic that makes it all happen. This is standardized into SFP and SFP+. The SFP standard only supports 1G and lower speeds.

    The SFP+ supports higher speed modules. 10G, 25G, 40G and 100G are all standards I’ve seen.

    I’m only working with 10G modules, at this time.

    They have modules that are RJ45 copper that will run at slower speeds or up to 10G. The only issue is that they draw more power and run hot. Can’t touch them when running hot.

    The fix for this is to purchase a switch or router that has RJ45 Ethernet ports and at least one SFP+ port.

    I found a small, six port, switch. This comes with 4 RJ45 ports, rated at 2.5G each, and 2 SFP+ ports rated at 10G each. Cool.

    This allows me to daisy-chain them if I wanted.

    In reality, it meant that I had one host connected at 10G while the others were at 2.5G.

    I also found a L2/L3 “switch” that looks much like the switch above.

    Having done the upgrades, I started looking into upgrading the router between the outside world and the DMZ. The routers I’ve been getting to not support any crypto, so they don’t have good VPN capability, something I want.

    So I went looking. Looking for a “motherboard with SFP”. Something interesting popped. A mini ITX motherboard with 4 SFP+ ports and 4 RJ45 ports along with HDMI, VGA and the standard USB ports. It also provided space for two M.2 SSD modules, 2 DDR4 slots and two 6GByte SATA ports.

    It might not be the fastest computer on the block, but it looks like a good starting point.

    This leads me to other motherboards of the same ilk. And what I found was a bunch of these motherboards. And the port layouts all look the same. The specifications all look the same.

    What we have is a “standard” motherboard which is put in a “standard” case along with a wall wart, HDMI cable and a mounting bracket. The branding stays the same.

    I have an L2 switch that I’m going to take apart in a bit. It has a limit of 1550 byte packets, making it useless for my new network. I wonder if I will find an M.2 module in that box or something else that allows me to change the software.

    Meanwhile, that motherboard is on my wish list. I’ll load pfSense on it along with FRR and replace my current router. Giving me a considerable boost in capabilities and letting me dispense with the VyOS configuration language. Which I really don’t like.

            

  • This is the prime time to test your preparations. Christmas is over, but people are not settled. It’s not “usual” scheduling because kids are off school, and you may be off work. So… Go turn off your power at the main breaker.

    Why? The answer is that preparation only works if you’re actually… prepared. You cannot KNOW that you’re prepared until you test your preparations. That’s where turning off the power comes in.

    In my house, the first thing to happen if the power goes out is to locate light sources. Immediately, that might mean the flashlight on my phone, but only briefly. I want to keep the power up on the phone in case I need it as a phone. I find the flashlights, candles, oil lamps, and I get at least one lamp lit. This means I have fire, which means the world gets that much easier. With one tiny bit of fire on hand, I can start numerous others.

    When the kids were little, the next item at hand would be child wrangling. If it was daytime, the kids would be sat down near the wood stove with books appropriate to their age, or a game to play that wasn’t electronic, and told to stay out of the way. If they got in the way, they got to do “fun things” like shovel and gather wood and other stuff they hated. When they were little (under 10), it was easier to keep them busy and out from underfoot.

    As they got older, the kids were expected to do many of the “power outage” tasks on their own. It was their job to locate flashlights and solar lamps and make sure they worked. One was set to starting the fire, if it wasn’t already. The other went around and turned off all the light switches and other power hogs, so that we wouldn’t overload the circuit when power came back on. If the power was going to be out for more than 24 hours, items in the fridge were moved to our inside but unheated porch (it gets cold, but rarely below freezing) to keep them fresh. Frozen items went into the outdoor freezers, which would stay frozen for a very long time.

    After a few practice runs, we had it down to an art form. Everyone did their jobs, and within a half hour, the entire house was ready for there to be no power for however long was necessary. We had blankets over windows to hold in heat, pulled out sleeping bags so that they were ready for night, if we wanted to sleep in our beds, had easy to prepare foods on hand in case we were tired from shoveling or whatever. Everything just worked.

    The house went without power for anywhere from several hours to a few days on a number of occasions. We’ve always been fine. The wood stove sits over the water pipes in the basement, so the residual heat keeps them from freezing. We always have access to water, even if we have to go tromping to get it. We know how to make sure water is potable, too. By nightfall, we usually had everything in place, and we were all cuddled up by the wood stove, reading or talking or playing cards.

    It’s not difficult, but it is complex. There are a lot of moving parts to get figured out, and until you put them all to the test, you don’t KNOW how it’s going to work. It’s much better to do some test runs long before you actually require all this stuff to be working. Make your family a well oiled machine before the emergency happens, and the emergency won’t be catastrophic.

            

  • SCOTUS

    We currently have one case scheduled for the January 10th conference. The other two cases have not been rescheduled yet. I do not know what we will see in the court filings before the 10th.

    What does it mean to be conferenced?

    When a party petitions the Supreme Court for a Writ of Certiorari, they are requesting that their case be heard by the court. If the petition is submitted through the standard channels, it is processed in the “standard” way.

    If the request is submitted through the emergency docket, sometimes called the shadow docket, then a single Supreme Court Justice will evaluate the submission. They can then refer it to the court as a whole, or they can deny the request, or they can request more filings.

    Regardless, emergency or regular, cases that are referred to the court will be examined. This happens in stages.

    The first stage is the parties filing briefs on why the Court should grant cert or why they should deny cert. The parties can decline to file briefs, but they should file formal documents saying they are not filing.

    When all the briefs have been filed, the case is “Fully briefed.”

    Once the case is fully briefed, it is distributed for conference. This means that the briefs are provided to the justices for examination. The justices have their law clerks do law clerk things and provide reports. All of this is generally kept out of the public light. Nobody knows what the justices ask of their clerks, but former clerks have reported doing such things, in general terms.

    After the case is distributed, it is scheduled for a conference. The conference happens on a Friday. During the conference, only the Justices are present. No clerks, no witnesses, no experts, just the justices.

    They discuss the cases that were scheduled for conference. They can also discuss whatever else they want. They decide, not you, not I, not anybody else.

    They can also talk to each other before the conference and make decisions outside the conference.

    The conference is the formal event.

    If the Justices want, they can reschedule a case, before they discuss the case in conference. This is what happened to Snope and Ocean State Tactical.

    After the conference, the court will issue their orders. These orders will be “grant”, “deny”, or “relist”. If a petition is denied, it is over. If the petition is relisted, it means that the Justices will be discussing the petition again, in a future conference. If a petition is granted, then it is going down.

    A case that has been relisted can be relisted for any reason. Some known reasons include having time to write a statement to attach to a denial of cert, sometimes it is because they need additional information. One of the common reasons in the Robert’s court is a “suitability” phase.

    John Roberts likes to have a case relisted after the Justices have decided, internally, to grant cert. This is to give the law clerks time to thoroughly investigate the case to make sure there are no hidden issues or things that might moot the case.

    We now have three Second Amendment cases that have been distributed for conference. One of which is currently scheduled for conference on the 10th.

    Infrastructure

    We have completed most of the network upgrade. There is still a server that requires a network interface upgrade. There is still a rack that requires a switch upgrade. Not to bad.

    We need to finish running the redundant fiber network for backup purposes. Once we finish running the redundant fiber, we will upgrade the primary router and make sure everything understands multipath routing.

    All the cluster entities have been placed on virtual networks. This means that they no longer need to worry about multipath nor the physical layout of the networks. A complete separation of tasks.

    It turned out that I was having issues with my nodes having their clocks drift/skew relative to each other. This has been fixed, which leads me to want a Stratum-1 NTP server, again.

    The last time around, I used a handheld GPS unit as my clock source. It worked wonderfully. This time I’m looking at something in an IoT idea.

    I am currently researching NTP servers via Wi-Fi. If that gives good results, I might just do a Raspberry Pi Pico W and put the darn thing outside in a waterproof enclosure. I’m still investigating. I’m also attempting to avoid soldering as somebody broke my Weller soldering station.

    Christmas

    Ho Ho Ho, Merry Christmas!

    We hope you had a joyous Christmas.

    Happy New Year!

    And we wish you a happy new year! My your fortune be bright.

    Question of the week?

    Having had time to learn about what happened in western North Caroline after the hurricane, what changes in your prepping model have you made?

            

  • Christmas is past for another year. It was better than expected.

    Watching movies with the family was good. My wife insists on “A Christmas Story”, as it is her favorite. I picked “Red One” on a recommendation from Scott Adams on X. The final movie was “A Christmas Story Christmas”.

    This last hit a bit hard.

    Regardless, friends came through, and we were able to give back to our friends.

    My wife’s best friend’s husband passed earlier this month. We had her over for Christmas Eve dinner (tacos) and Christmas Dinner (Turkey with fixings).

    Our tradition is to go around the table and each person gives thanks for something that happened that day. Sometimes it leads to discussions, sometimes it is just a little thing, “Thank you for a dinner, I really like.”

    The goal is to stop perseverating on the bad that is happening around you, the things that are getting you down, and to acknowledge, to search for, the good that you have.

    My friend from the NVL called on Christmas Eve. That was a good talk. The only bobble was when he let his distrust of Elon slip out. We have agreed not to talk politics. We are still friends.

    My best friend died in November 2000. I don’t think I ever recovered from that day. He was not only my friend, he was my mentor.

    He was the first person I met that could program better than I could. He was a better man than I, by far.

    I found myself competing with him in programming to be better. He never competed with me. He just won. After a while, it stopped being a competition and became a lifelong friendship.

    Through Mike, I met Max. Max called me on Christmas Eve. Talking to him made me feel better. Friends can do that.

    So on this day, after you have finished with what’s under the tree, had the first of a week’s worth of leftovers, take a moment to reach out to a friend and let them know what they mean to you.