Loyal readers (those of you left) are no doubt aware that the Lair went on an involuntary hiatus of six weeks or so after being hacked. It would actually seem that this happened at least twice. On February 5, the page that appeared if you went to the Lair was a “ha, ha, you’ve been PWN-ed” sort of page, and the WP account was inaccessible because the password had been changed. This was a bit of geekly bravado, and it sort of reminded Keyser of this scene from Jurassic Park (embedding disabled at the request, no doubt, of some assholes at 20th Century Fox). That is, all they were doing was letting you know what they’d done, to show they were smarter than you.
But stuck at the bottom of the Lair’s pages (if you looked at the “source code”) was some crap put there for the benefit of search engines. That is, somebody else had planted words and links there that were invisible to a regular viewer but would be found by “web crawlers,” to make whatever they were pushing look more popular than it was. Basically, these were cuckoo eggs (in the avian sense of the word, not the derived computer game meaning): the host site unknowingly did the work of feeding the spammer’s search ranking. The whole point of that exercise is not to be found out, so the hackers who stuck their page over Keyser’s ruined the other hackers’ game, and incidentally exposed an earlier compromise that had been sitting there quietly.
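This kind of hidden search-engine spam is easy to miss by eye and easy to find by machine. Below is an added example (not code from the original post, and not anything Keyser ran) that scans a page’s source for links and text inside containers hidden by the usual CSS tricks: `display:none`, `visibility:hidden`, zero font size, or content pushed thousands of pixels off screen. The sample page and the spam URLs in it are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# CSS tricks commonly used to hide injected spam from human visitors while
# leaving it in the page source for search-engine crawlers to index.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:px|pt|em)?\s*(?:;|$)"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


class HiddenLinkFinder(HTMLParser):
    """Collects links and text that sit inside a hidden container."""

    def __init__(self):
        super().__init__()
        self._open = []          # (tag, opened_a_hidden_region) per open tag
        self._hidden_depth = 0   # > 0 while inside at least one hidden element
        self.hidden_links = []
        self.hidden_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hides = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        self._open.append((tag, hides))
        if hides:
            self._hidden_depth += 1
        if tag == "a" and self._hidden_depth and a.get("href"):
            self.hidden_links.append(a["href"])

    def handle_endtag(self, tag):
        # Unwind to the matching open tag; tolerates unclosed void tags like <br>.
        while self._open:
            t, hides = self._open.pop()
            if hides:
                self._hidden_depth -= 1
            if t == tag:
                break

    def handle_data(self, data):
        text = data.strip()
        if self._hidden_depth and text:
            self.hidden_text.append(text)


def find_hidden_spam(html):
    """Return the links and text a human visitor would not see."""
    parser = HiddenLinkFinder()
    parser.feed(html)
    parser.close()
    return {"links": parser.hidden_links, "text": " ".join(parser.hidden_text)}


# Constructed sample page: one legitimate link, then two injected spam blocks.
SAMPLE_PAGE = """<html><body>
<h1>Keyser's Lair</h1>
<p>Welcome back. <a href="https://example.org/about">About</a></p>
<div style="position:absolute; left:-9999px; top:-9999px">
  <a href="http://example.com/buy-cheap-pills">cheap pills</a>
  <a href="http://example.com/casino">online casino</a>
</div>
<div style="display:none">payday loans <a href="http://example.net/loans">here</a></div>
</body></html>"""

if __name__ == "__main__":
    found = find_hidden_spam(SAMPLE_PAGE)
    for url in found["links"]:
        print("hidden link:", url)
    print("hidden text:", found["text"])
```

Run it against the saved source of each page (or the theme’s `footer.php`) rather than the rendered page; the whole point of the injection is that the browser never shows it.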
So, how did these guys get into the Lair? I have to say, I don’t know. It could be that they exploited a weakness in one of the plugins (like the little maps that used to show you where readers came from), which need access to the site to do their job, and so hand that same access to anyone who finds a hole in them. Or conceivably, the hackers somehow figured out the password.
Which leads us to the topic of this page. Because of this recent unpleasantness, Keyser’s been forced to change the PW not just for WordPress but for a whole bunch of other sites. They say you’re supposed to change passwords every few months, but who the hell can remember them all if they’re at all strong? At Igloo U., we use some computing technology to put internet stuff up on the board, and a few years ago Keyser typed his password into the user ID field, and it was plastered up on a screen in front of 90 students. I noticed the mistake quickly and got rid of the screen, but the damage was done: a password that ninety people have seen has to be treated as burned. I had to replace the old PW, which I’d used for years and could easily remember, with something new. God Almighty, was the Igloo U. server persnickety about what it would accept! It took a long time to come up with something that I could actually remember and that was at the same time weird enough for the server’s liking.
Basically, you need to mix upper- and lowercase characters, throw in numbers and the odd symbol that isn’t a letter or a number, mix them up, *and* not use a word that’s readily recognizable (including some pretty obscure historical figures, believe you me; the word lists these checkers use are bigger than you’d think, and the usual letter-for-number substitutions don’t fool them). Doing that and coming up with something memorable is easier said than done. Computers can randomly come up with gibberish, and that’s okay for them since computers basically understand nothing, but not so okay for a person trying to remember it. A lot of sites, when you type in a new password, have a meter that tells you how “strong” it is. What such a meter mostly measures is the size of the search space, which grows with length and with the variety of characters used, so what it rewards is precisely what is hardest for a person to hold in his head: there’s an inverse relationship between strength, as the meter sees it, and human memorability.
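To make the trade-off concrete, here is an added example (not the post’s own code, and not Keyser’s template) that implements the complexity rules just described the way a persnickety server would, computes the search-space estimate a typical strength meter reports, and, going a step beyond the post, compares that with a passphrase of several random dictionary words, which is easier to remember for the same number of bits. The word list, the leet-substitution table and the sample passwords are constructed for the demonstration; a real checker would use a large dictionary plus known-breached passwords.

```python
import math
import re
import secrets

# Constructed stand-in for the dictionary a server checks against.
COMMON_WORDS = {"password", "letmein", "dragon", "welcome", "keyser", "enigma",
                "bletchley", "igloo", "rosebud"}

# Letter-for-symbol swaps that crackers and good checkers undo before the
# dictionary lookup (simplified table; "1" is read as "i" here).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw):
    """Lowercase, undo leet substitutions, keep only letters."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def charset_size(pw):
    """Size of the alphabet the password visibly draws from."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33          # printable ASCII symbols
    return size


def meter_bits(pw):
    """What a typical strength meter reports: log2(charset ** length).
    An upper bound: it assumes every character was chosen at random."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def rule_failures(pw, min_len=12):
    """The complexity rules from the post, as a server would apply them."""
    failures = []
    if len(pw) < min_len:
        failures.append("too short")
    for pattern, name in ((r"[a-z]", "no lowercase"), (r"[A-Z]", "no uppercase"),
                          (r"[0-9]", "no digit"), (r"[^A-Za-z0-9]", "no symbol")):
        if not re.search(pattern, pw):
            failures.append(name)
    if normalize(pw) in COMMON_WORDS:
        failures.append("dictionary word")
    return failures


def passphrase_bits(n_words, list_size):
    """Entropy of n words drawn uniformly at random from a list of list_size."""
    return n_words * math.log2(list_size)


def make_passphrase(wordlist, n_words=4):
    """Random passphrase; uses secrets rather than random so it is unpredictable."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Tr0ub4dor&3", "xK9#vLq2$mRp"):
        print(f"{candidate:14} {meter_bits(candidate):5.1f} bits  "
              f"failures: {rule_failures(candidate) or 'none'}")
    # Four words from a 7776-word (diceware-sized) list: about 51.7 bits,
    # roughly what eight fully random printable characters give (8*log2(95)).
    print(f"4 random words / 7776: {passphrase_bits(4, 7776):.1f} bits")
    print("example passphrase:", make_passphrase(sorted(COMMON_WORDS)))
```

The last two lines are the point: the meter would score eight random characters and four random words about the same, but only one of the two is something a person can carry around in his head. The passphrase figure holds only if the words are picked at random, not chosen because they "make sense" to you.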
Keyser’s come up with something of a template for coming up with such things. It’s kind of a way of mixing and matching these elements that “makes sense” to me but shouldn’t to anybody else. Sadly, no details can be given, as that would obviate the whole purpose of the exercise. (The catch with any such template is that if one password built from it leaks, whoever has it may be able to work out the pattern behind the rest, which, as we’ll see, is much the mistake the Germans made with their rotor settings.)
This brings to mind some ruminations on the so-called “Enigma” code used by the Germans, to their detriment, in the Second World War. Long story short, they built a very fancy typewriter with rotors that scrambled the connections in an electrical circuit running from the typed key to a panel of lamps, where some seemingly unrelated letter lit up. Each time you typed a letter, the first rotor turned one position, and when it reached a certain point, a notch on it made the next rotor turn a step, and so on (the basic Enigma machine had three rotors, but eventually the U-boat version had four). At the far end the current hit a reflector and came back through the rotors by a different path before reaching the lamp, which made the whole thing reciprocal: with the rotors in the same starting position, the same machine that encrypted a message also decrypted it. So in order to decrypt a message, you had to know the positions at which the rotors were initially set, or you’d get gibberish out; but if you did have the rotors set right, all you had to do was type in the encrypted message and the lamps would spell out the original.
Theoretically, this system should have been impossible to crack. Unfortunately, theory and reality are different. In the first place, a disaffected German insider sold documentation on the machine and its key settings to the French during the 1930s, who passed it on to the Poles, so somebody had a good idea of how the system worked (the Poles shared what they had worked out with the British and French just before the war broke out). The system also had a major flaw in it, a direct consequence of the reflector: a given letter could never encrypt to itself. That mattered a great deal when interpreting the seeming gibberish of intercepted Enigma messages, because if you suspected a message contained some known phrase, any alignment where a letter of the phrase lined up with the same letter in the ciphertext could be thrown out at once.
But the Germans did all sorts of stupid things that made it a lot easier to decipher messages. Sometimes they would regularly repeat verbatim, in code, messages (like weather reports) that were also sent in other, less secure modes. This meant that the British could often guess what a message was likely to say (a “crib”), use that guess to break into the day’s settings, and then use the settings to decipher messages whose content was not guessable.
Also (and here’s the point) certain radio operators were known to set the rotors in a way that was by no means random (the settings were indicated by letters). Sometimes they’d keep using the same settings, or they’d use settings that spelled words or initials, or they’d advance the previous day’s settings by a fixed number of letters, so that once you knew one day’s settings you could guess the next day’s. A search that should have had to cover every possible starting position could then be narrowed to a handful of likely ones.
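The mechanism described over the last few paragraphs is small enough to simulate, and doing so shows all three points at once: the machine is its own inverse, no letter ever encrypts to itself, and a crib plus a small enough space of starting positions is a solved problem. The following is an added example written for this page, not code from the original post; it uses the published wirings of Enigma I rotors I, II and III and reflector B, and for brevity assumes ring settings of AAA and no plugboard (the real machines had both, which multiplied the key space without changing the flaws shown here). The crib search assumes the rotor order is known and the crib sits at the start of the message; the message “WETTERBERICHT” and the start position “KEY” are constructed for the demonstration.

```python
import itertools
from string import ascii_uppercase as ALPHABET

# Published wirings of Enigma I rotors I-III and reflector B.  The notch is
# the window letter at which a rotor carries the rotor to its left.
ROTORS = {
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


class Enigma:
    """Three-rotor Enigma I with reflector B, ring settings 'AAA', no plugboard."""

    def __init__(self, order=("I", "II", "III"), positions="AAA"):
        self.wiring = [ROTORS[r][0] for r in order]            # left, middle, right
        self.notch = [ALPHABET.index(ROTORS[r][1]) for r in order]
        self.pos = [ALPHABET.index(p) for p in positions.upper()]

    def _step(self):
        # Rotors move before the circuit closes.  The middle rotor steps when
        # the right one sits on its notch, and also when it sits on its own
        # notch (the "double step"), which then carries the left rotor too.
        if self.pos[1] == self.notch[1]:
            self.pos[0] = (self.pos[0] + 1) % 26
            self.pos[1] = (self.pos[1] + 1) % 26
        elif self.pos[2] == self.notch[2]:
            self.pos[1] = (self.pos[1] + 1) % 26
        self.pos[2] = (self.pos[2] + 1) % 26

    def _rotor(self, idx, c, forward):
        # Contact c enters a rotor that has been turned by self.pos[idx] steps.
        shift = self.pos[idx]
        k = (c + shift) % 26
        if forward:
            out = ALPHABET.index(self.wiring[idx][k])
        else:
            out = self.wiring[idx].index(ALPHABET[k])
        return (out - shift) % 26

    def _press(self, letter):
        self._step()
        c = ALPHABET.index(letter)
        for idx in (2, 1, 0):                       # right -> middle -> left
            c = self._rotor(idx, c, True)
        c = ALPHABET.index(REFLECTOR_B[c])          # reflector turns the path back
        for idx in (0, 1, 2):                       # left -> middle -> right
            c = self._rotor(idx, c, False)
        return ALPHABET[c]

    def encrypt(self, text):
        """Encrypt or decrypt: with the same start position the machine is its own inverse."""
        return "".join(self._press(ch) for ch in text.upper() if ch in ALPHABET)


def never_self_encrypts(positions="AAA"):
    """The reflector flaw: from this start, no letter comes out as itself."""
    return all(Enigma(positions=positions).encrypt(ch) != ch for ch in ALPHABET)


def possible_crib_offsets(ciphertext, crib):
    """Alignments of a suspected plaintext that the no-self-encryption rule allows."""
    return [i for i in range(len(ciphertext) - len(crib) + 1)
            if all(ciphertext[i + j] != crib[j] for j in range(len(crib)))]


def crib_positions(ciphertext, crib, order=("I", "II", "III")):
    """Brute-force the 26**3 start positions that turn the message head into the crib."""
    head = ciphertext[:len(crib)]
    return ["".join(p) for p in itertools.product(ALPHABET, repeat=3)
            if Enigma(order, "".join(p)).encrypt(head) == crib]


if __name__ == "__main__":
    print(Enigma().encrypt("AAAAA"))                     # classic check value: BDZGO
    print(Enigma().encrypt("BDZGO"))                     # and back again: AAAAA
    print("self-encryption impossible:", never_self_encrypts("AAA"))
    ct = Enigma(positions="KEY").encrypt("WETTERBERICHT")  # constructed weather report
    print("ciphertext:", ct)
    print("alignments the crib could sit at:", possible_crib_offsets(ct, "WETTERBERICHT"))
    print("start positions that fit the crib:", crib_positions(ct, "WETTERBERICHT"))
```

Seventeen thousand-odd starting positions fall to a few seconds of brute force here; the operators who reused yesterday’s setting, or spelled a word with it, reduced even that to a handful of guesses. The real key space also included the choice and order of rotors, ring settings and the plugboard, which is why the British needed machines rather than a loop like this one, but the shape of the attack is the same.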
Now, the Germans weren’t entirely idiots, just smug, self-satisfied idiots. The machines were used in several branches of the German military, and the most complicated version was used to communicate with U-boats on patrol. There were various signs that the Allies knew what the U-boats were up to, so on a few occasions the Germans investigated the possibility that the code was compromised. And every time they came to the conclusion that the code was unbroken, because it couldn’t be broken.
This is what’s known in the trade as a priori (or deductive) reasoning, which starts from a premise and derives logical conclusions from it. For instance, the Christian theological argument that “God is all powerful and all good, so the reason why there’s evil in a world entirely controlled by an entirely good being is [insert unconvincing and illogical attempt to reconcile two incompatible premises].” Deductive reasoning invariably ends in tears. The only sound method of reasoning is inductive, which leads from evidence to conclusion. (Confusingly, the word “deduce” as it’s used in normal speech refers to “inductive” reasoning, and technical “deduction” is the opposite of “induction”! When Sherlock speaks of “deducing” some conclusion, he always means on the basis of the facts, and so is using “inductive” reasoning.)
To get back to the benighted Germans, they simply thought to themselves, “The Enigma machine can generate a bazillion random outcomes, so nobody could find the solution to a given message without working at it for years and years, by which time the information would be grossly out of date; so if there’s a leak, it must be the result of espionage.” In the first place, the results weren’t entirely random, since the machine gave away one thing about every letter (that it wasn’t the letter typed). And in any event, if you knew what you were up against and the encoder cooperated with you by doing bone-headed things like not picking the settings randomly and retransmitting otherwise known messages on a regular basis, then the number of permutations reaching into the bazillions turned into a number that was still large but manageable. The mistake was to reason from the size of the key space to the security of the system, when what actually matters is how much of that space an attacker with good cribs and predictable operators really has to search.
Hence, a lot of sunken U-boats.
So, you might be asking yourselves, what does this have to do with Keyser’s hackers? Well, just this: with all the computer accounts a person might have to use on the Interwebz etc. these days, and the incompatible needs to keep them a) memorable to the user and b) not easily find-out-able by hackers, life can be difficult.
God help Keyser if the place he has these things written down gets lost!
Posted March 27, 2011 by Keyser Söze under Computer Repair, Keyser, Keyser is an Idiot, Keyser's Personal Hell, Miracles of Modern Science, Nazi Germany, Theological Disputes

March 27th, 2011 at 3:12 pm
A similar point in the March 26 NY Times about the Japanese nuclear industry and their method of ensuring the plants were safe from tsunamis. Basically did historical research and concluded that there had not been a recorded earthquake near or big enough to overtop the reactor, that there couldn’t be…
March 27th, 2011 at 4:00 pm
Well, that’s a valid form of reasoning from a theoretical point of view. Provided that the database is big enough, which presumably it wasn’t.
FWIW, the meltdown of the mortgage-based securities was likewise based on the calculation that the historical default rate on mortgages was 5%. What no one took into consideration was the possibility that the circumstances of the new market for securitized mortgages was such that it provided strong incentives for banks to give mortgages to people who wouldn’t have been given them by previous standards. Which rendered the historical percentage of defaults irrelevant.
March 27th, 2011 at 6:05 pm
Yes. Recently read a great book “the big short” by Michael Lewis on that very topic!
March 29th, 2011 at 2:52 pm
Keyser, I would like to know what your source of information about Enigma is. It just so happens that I have some interest in this contraption, and its story is surrounded by a mist of urban myths. Feel free to reply by email.