Ah! Hello there Big Brother!

Before surveillance fatigue kicks in and you hit the close button on your browser, remember that the NSA are probably right now examining all the open internet connections on your router because you loaded this Youtube video of a man talking at a security conference.

Yeah, you’re welcome.


Speedy password cracking

Earlier today Jeff Atwood tweeted:

you should *really* be scared if your passwords are all lowercase. 12 chars in 75 days on my box..

He was referring to his post on speed hashing where a video card GPU is used to calculate the hash of any given text. Compared to a computer CPU it does it much faster.

all 6 character password MD5s: 47 seconds
all 7 character password MD5s: 1 hour, 14 minutes
all 8 character password MD5s: ~465 days
all 9 character password MD5s: fuggedaboudit

It’s honestly scary and really time for everyone to use pass phrases. They’re not perfect either, but they’re better because they’re longer and easier to remember. Some of my passwords are not phrases yet; this pass phrase generator (or this one) should help make it easier to change those.

* obligatory xkcd cartoon.
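To see why length beats character-set tricks, here is a small estimator (added example, not code from Jeff's post or this blog). It derives the hash rate implied by the tweet (12 lowercase characters in 75 days) and applies that same rate to the table's 7-printable-character case and to an assumed 5-word pass phrase drawn from a 7776-word diceware-style list; the 95-character printable set and the 7776-word list size are assumptions, not figures from the post.

```python
from math import log2

SECONDS_PER_DAY = 86_400

# Alphabet sizes for the usual character classes (assumed ASCII sets).
LOWERCASE = 26
PRINTABLE = 95          # printable ASCII, space included (assumption)
DICEWARE_WORDS = 7776   # size of a diceware-style word list (assumption)


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must try for a fixed-length secret."""
    return alphabet_size ** length


def entropy_bits(candidates: int) -> float:
    """Search space expressed in bits, so sizes can be compared at a glance."""
    return log2(candidates)


def implied_rate(alphabet_size: int, length: int, seconds: float) -> float:
    """Hashes per second implied by 'this whole keyspace fell in this long'."""
    return keyspace(alphabet_size, length) / seconds


def time_to_exhaust(candidates: int, rate: float) -> float:
    """Worst-case seconds to try every candidate at the given hash rate."""
    return candidates / rate


def compare(rate: float) -> dict:
    """Worst-case days, at one hash rate, for the cases the post argues about."""
    cases = {
        "12 lowercase chars": keyspace(LOWERCASE, 12),
        "7 printable chars": keyspace(PRINTABLE, 7),
        "5 diceware words": keyspace(DICEWARE_WORDS, 5),
    }
    return {name: time_to_exhaust(n, rate) / SECONDS_PER_DAY
            for name, n in cases.items()}


if __name__ == "__main__":
    # Rate implied by the tweet: 12 lowercase characters in 75 days.
    rate = implied_rate(LOWERCASE, 12, 75 * SECONDS_PER_DAY)
    print(f"implied rate: {rate:.3g} MD5/s")
    for name, days in compare(rate).items():
        bits = entropy_bits(keyspace(LOWERCASE, 12)) if "lowercase" in name else 0
        print(f"{name:>20}: {days:12.1f} days")
```

The 7-printable-character case lands at roughly 80 minutes, matching the table's 1 hour 14 minutes, while the 5-word phrase at the same rate runs to tens of thousands of days.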


WordPress Upgrade Notifications by Email

This weekend will go down in history. It’s the first time I’ve been seriously sick in well over 5 years. A bug infected my son on Wednesday, but he got over it quickly enough. Then the same bug hit my wife and I on Sunday morning and we’re just getting over it now.

Odd that a worm attacks software I work on and I get very sick at the same time. Unfortunately I couldn’t run an exploit scanner and remove the bug but my body’s defenses took care of the bugs eventually.

All this leads me to a handy little plugin called Upgrade Notification by Email written by Konrad Karpieszuk. Install it on your blogs and it will check once a day if a new version of WordPress is out. When that happens it will email the admin with a message saying the blog must be upgraded.

It’s odd that the plugin does its own remote check instead of relying on the built-in version checker, but it’s only one request a day.

What I’d like to see next is a direct link to the upgrade page on the blog.

Far more challenging would be a plugin to auto upgrade a blog. In case a theme or plugin breaks things the plugin should probably deactivate all plugins and change the theme back to the default theme. Once the upgrade is complete, all plugins should be reactivated and the theme too. The admin has to be emailed before and after the upgrade.

It’s easy to say what it should do, but doing it is another thing altogether. The reactivation process has to be sandboxed in case of failure so the plugin doesn’t die. The plugins page already does this so at least there’s example code to work from. Anyone up for coding it?


PHP Optimization and Security tips and rant

Andrew van der Stock’s criticism of PHP’s security model. What security? Global request arrays go some way to making applications safer but there are obscure functions and settings which can trip up developers. (via)
PHP Optimization Tricks from Ilia Alshanetsky has one gem I didn’t know about – the ctype extension. It’s somewhat limited, but it would be faster and less resource intensive than a regular expression for doing simple checks.

While I’m blogging development stuff, here’s mention of a vector drawing library in Javascript!
Yes, newer browsers have SVG support but this will work in older browsers and newer. Cute.


Web Application Security Reviews

John Lim lists some of the requirements for an “enterprise” financial application. I’ve never gone to the lengths John has to pass such an audit but I can imagine it wasn’t easy!


$2 trillion fine for Microsoft security snafu?

Doubtful it’ll happen...

Microsoft’s latest security lapse with its Passport information service could trigger a $2.2 trillion fine on the company courtesy of the US government.

Microsoft on Thursday admitted that a flaw in the password reset tool of its Passport service could compromise the information stored on all 200 million users. It scampered to post a fix and is looking into potential exploits, but the damage to Microsoft may already have been done.