Galactic GPS and Calendar

Date: 2014-02-25

Tags: space gps calendar time

I’m a layman when it comes to astronomy, and would greatly appreciate feedback from anyone “in the know”. These are just some things going through my head earlier.

I grabbed a pulsar database earlier today because I was bored.

If a ship could see a handful of pulsars, with a minimum of 3, the angles between the ship and each pulsar should be fairly unique for any given place in space (within sensor limits).

Looking at some of the periods (/psrcat -db_file psrcat.db -c "P0" | tail -n +4 | head -n -1 | awk '{print int($2 * 1000)}' | sort -n | uniq), I was thinking that the least common multiple of many pulsar periods could be a handful of millennia at the least. This may prove to be useful as a long-term (by human standards) calendar.

Why you shouldn't trust people with your data, and how to prevent it

Date: 2014-02-15

Tags: srp crypto security authentication payment bitcoin chipnpin otp

Database breaches have become a common occurrence.

Sometimes, as with health care data, there is little alternative but to let your doctor have access to your records. Many times, though, including for passwords and payment information, there are better ways; we just need to use them. The first part of this post is aimed at users and the second at developers.

Users

Authentication

Since, for the time being, sending your password to the server is the only option in many cases, the best you can do is use a password manager to create a unique password for each site. The password manager uses your master password to encrypt all the other username and password combinations you create. Applications like KeePass run on Windows, iOS, Android, Mac, and other OSs, and to synchronize your (encrypted) password database you can use Google Drive, Dropbox, or move the file around by hand. (N.B. your password database is only as good as the master password protecting it. See the bottom of this section for suggestions on strong passwords.)

Another option is to turn on two-factor authentication, which means you need two things to log into a service: one you know (your password) and one you have (your phone). The second factor (the one you have) could be a one-time-password app (Google Authenticator is available on iOS and Android) or an SMS message, depending on how the service handles it; the app is preferable where offered, since an SMS can be intercepted or redirected to a replacement SIM.

However, both of these require that you have your phone or password database with you. If that’s not an option for you, then the traditional rules for good passwords are a good recourse:


Credit: XKCD

  • NEVER, EVER, EVER give your password to anyone. This includes writing it down and putting it somewhere other than a safe (e.g. DO NOT put it on a post-it note on your monitor or under your keyboard).
  • A password should be hard to guess, but easy to remember. Hard to guess means it shouldn’t be your name, username, email address, spouse’s name, or any single dictionary word (or a leetspeak translation of one).
  • A different password for each site is recommended (because if one site leaks your password, every other site you reused it on is vulnerable too).

With longer passwords, like Correct Horse Battery Staple you may run into sites that don’t allow very long passwords. My suggestion then is to do your best and send the site a nasty email.

Here is some advice from CERN and CMU. While I disagree with CMU’s advice to shorten the password by taking the first letter of each word in a sentence, the rest of the site is useful, and that advice is very useful for sites that don’t allow long passwords.

Depending on your trust in the service providing authentication and on the permissions required by the service you’re logging into, OpenID or OAuth (e.g. the “Log in with Google”, “Log in with Twitter”, or “Log in with Yahoo” buttons provided by sites) can be a good option. For instance, I just used GitHub to sign into a forum because the forum only required read-only access to my email address on GitHub, something I felt comfortable providing.

If a site offers Persona, a protocol designed by Mozilla (the creators of Firefox and Thunderbird), that is also a good option, because it doesn’t require you to trust the site you’re logging into not to abuse the service: the site receives only a signed assertion of your email address, not access to an account.

Credit Cards

There have been a couple of large credit card breaches lately, namely the Target breach last December. One way to protect yourself against these types of security failures when shopping online is to create virtual credit card numbers (VCCNs). A VCCN is a credit card number associated with your account that:

  • Only exists as a number (you don’t get a card, hence being virtual)
  • Can be canceled/deleted easily
  • Can have limits set (e.g. only valid until some date, or only $X can be charged to it)
  • Has no relationship to your real credit card number

These properties make them very useful for one-time payments (set the VCCN to expire in a week) or when a retailer saves your credit card number (Amazon, Target, &c): make it valid for a few years or until deleted, and a breach of the retailer exposes a number that is not associated with your real card. Citi supports this (log into your credit card account and search for “Virtual” on the page; it’s in the left-hand column towards the bottom). I can’t find it for Chase, American Express, or PayPal. Bank of America has ShopSafe, which is a VCCN.

There are other companies that do this in a pre-paid manner (e.g. EntroPay) but I haven’t used their services and cannot vouch for them.

A technology common in Europe is Chip-and-PIN, which requires a PIN in addition to the card, creating a two-factor system for payment cards. This is more useful for preventing in-person attacks against a card (e.g. cloning, where a person makes a copy of the data on the magnetic stripe and puts it on another card), since the chip authenticates each transaction cryptographically and cannot be copied the way the stripe can.

Developers

Passwords

If possible, use systems in which the server never sees the password at all (SRP or TLS-SRP, where the server stores only a verifier derived from it) or which don’t use a password (client certificates). This saves you from even having to worry about storing passwords correctly, because you never have the passwords to begin with.
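An SRP-6a exchange in Python, added here as an example of the “the server never has the password” approach; it is not code from this post or from any SRP library. The group is the 1024-bit one from RFC 5054 (with SHA-256 as the hash, and a primality self-check so the constant is verified rather than trusted); the usernames, passwords and record layout are constructed for the demo.

```python
import hashlib
import secrets

# 1024-bit group from RFC 5054 Appendix A (generator 2). Small enough to keep
# the demo fast; a real deployment should use the 2048-bit group or larger.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")

def private_x(username: str, password: str, salt: bytes) -> int:
    # x = H(salt | H(username ":" password)); computed on the client only.
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

k = H(pad(N), pad(g))  # SRP-6a multiplier parameter

def register(username: str, password: str) -> dict:
    """Enrolment: the server receives only the salt and the verifier g^x mod N.
    A leaked verifier still has to be attacked guess-by-guess (one modular
    exponentiation per candidate password) rather than read directly."""
    salt = secrets.token_bytes(16)
    return {"username": username, "salt": salt,
            "verifier": pow(g, private_x(username, password, salt), N)}

class Server:
    def __init__(self, record: dict):
        self.record = record

    def start(self, A: int) -> tuple:
        if A % N == 0:  # reject degenerate public values (RFC 5054 s2.5.4)
            raise ValueError("invalid client public value A")
        self.A, self.b = A, secrets.randbelow(N)
        self.B = (k * self.record["verifier"] + pow(g, self.b, N)) % N
        return self.record["salt"], self.B

    def session_key(self) -> int:
        u = H(pad(self.A), pad(self.B))
        S = pow(self.A * pow(self.record["verifier"], u, N), self.b, N)
        return H(pad(S))

class Client:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password
        self.a = secrets.randbelow(N)
        self.A = pow(g, self.a, N)

    def session_key(self, salt: bytes, B: int) -> int:
        if B % N == 0:
            raise ValueError("invalid server public value B")
        u = H(pad(self.A), pad(B))
        x = private_x(self.username, self.password, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        return H(pad(S))

def run_login(record: dict, username: str, password: str) -> tuple:
    """Both halves of one login; returns (client_key, server_key). The
    password only ever enters private_x() on the client side."""
    client, server = Client(username, password), Server(record)
    salt, B = server.start(client.A)
    return client.session_key(salt, B), server.session_key()

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, used to confirm N and (N-1)/2 are prime before use."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
```

Both keys agree only when the client knows the password, and the two sides then prove possession of the key to each other before anything else is sent. A server-side breach leaks salts and verifiers; an attacker can still run an offline dictionary attack against each verifier, so users still need decent passwords, but there is nothing to read off directly. TLS-SRP folds the same exchange into the TLS handshake so the application only sees an authenticated channel.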

If you can’t change how authentication is being done, please use a key derivation function like PBKDF2, bcrypt, or better yet scrypt, with a random per-user salt and large memory and time cost parameters. Also, NEVER EVER EVER store a plaintext or encrypted (which means decryptable) password; a plain unsalted hash is not enough either, since it can be attacked with precomputed tables.
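The storage format and checks the paragraph above asks for, as an added Python example using the standard library’s hashlib.scrypt (Python 3.6+ built against OpenSSL 1.1); this is not the post’s code. The cost parameters, the record layout and the test password are choices made for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# Work factors. n=2**14, r=8 costs 16 MiB of RAM per hash, which is what makes
# GPU/ASIC cracking expensive; raise n as hardware improves (and pass maxmem=
# to hashlib.scrypt once the cost exceeds OpenSSL's 32 MiB default ceiling).
PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def _derive(password: str, salt: bytes, n: int, r: int, p: int, dklen: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=dklen)


def hash_password(password: str, params: dict = PARAMS) -> str:
    """Returns a self-describing record: algorithm, parameters, salt and
    derived key, so each can be checked and upgraded independently."""
    salt = secrets.token_bytes(16)                  # fresh per user, never reused
    dk = _derive(password, salt, params["n"], params["r"], params["p"], 32)
    fields = ["scrypt", str(params["n"]), str(params["r"]), str(params["p"]),
              base64.b64encode(salt).decode(), base64.b64encode(dk).decode()]
    return "$".join(fields)


def verify_password(password: str, stored: str) -> bool:
    algo, n, r, p, salt_b64, dk_b64 = stored.split("$")
    if algo != "scrypt":
        return False
    expected = base64.b64decode(dk_b64)
    actual = _derive(password, base64.b64decode(salt_b64),
                     int(n), int(r), int(p), len(expected))
    return hmac.compare_digest(actual, expected)    # constant-time comparison


def needs_rehash(stored: str, params: dict = PARAMS) -> bool:
    """True when the record was made with weaker parameters than we use now;
    call it after a successful login and re-hash with the password just verified."""
    algo, n, r, p, *_ = stored.split("$")
    if algo != "scrypt":
        return True
    return int(n) < params["n"] or int(r) < params["r"] or int(p) < params["p"]
```

Carrying the parameters in the record is what lets you raise the cost later without a forced password reset: old records keep verifying, and needs_rehash() tells the login path to replace them.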

If possible, using services such as OpenID and OAuth (Google, Yahoo, Twitter, GitHub, &c) also means you don’t have to deal with passwords.

Mozilla Persona is also a great option, as your users don’t have to trust you not to abuse the access you’re giving them (because they’re not really giving you any access).

Credit Cards

Never store credit card numbers. If you must identify whether you’ve seen a card before, store a keyed hash (an HMAC under a key kept outside the database) rather than a plain hash: a card number has so little unknown content (a known issuer prefix, a Luhn check digit, and the last four digits printed on every receipt) that a plain hash can be brute-forced.

Most payment providers offer a service that stores the customer’s credit card information and gives you an opaque ID in return. Auth.net’s Customer Information Manager and CyberSource’s Payment Tokenization Service are two examples; just ask your gateway or processor about it! If you’re not storing the information, you don’t have to worry about securing it!
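Why “store hashes” needs the keyed variant, as an added Python example (not from the post). The input is the well-known Visa test number 4111 1111 1111 1111, constructed for the demo; the attacker is assumed to know the six-digit issuer prefix and the last four digits, which is the situation after a breach that includes receipts or masked numbers.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def luhn_ok(pan: str) -> bool:
    """Luhn check digit, which every real card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def naive_fingerprint(pan: str) -> str:
    """What 'just store a hash' usually means: unsalted, unkeyed SHA-256."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_fingerprint(pan: str, key: bytes) -> str:
    """HMAC under a secret key held outside the database (HSM/KMS). The same
    card still maps to the same value, so duplicates are detectable, but a
    thief of the table alone cannot run the search below."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(fingerprint: str, bin6: str, last4: str) -> Optional[str]:
    """Attacker's side. The issuer prefix is public and the last four digits
    are on receipts, so only six middle digits are unknown: 10^6 candidates
    (10^5 if Luhn is applied first), hashed in about a second."""
    target = bytes.fromhex(fingerprint)
    for middle in range(10 ** 6):
        candidate = f"{bin6}{middle:06d}{last4}"
        if hashlib.sha256(candidate.encode()).digest() == target:
            return candidate
    return None


if __name__ == "__main__":
    pan = "4111111111111111"                       # Visa test number (constructed input)
    print("recovered:", recover_pan(naive_fingerprint(pan), "411111", "1111"))
    print("keyed:", recover_pan(keyed_fingerprint(pan, secrets.token_bytes(32)), "411111", "1111"))
```

The keyed version only helps while the key stays out of the same breach as the table; if both leak, the same search works again. That is the argument for letting the processor’s tokenization service hold the number and keeping only its opaque ID.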

Fighting Back

Date: 2014-02-12

Tags: nsa encryption security

Many groups have designated today The Day We Fight Back Against Mass Surveillance. In addition to contacting your legislators and letting them know that you are not OK with how the NSA has handled itself, there are many things you can do that can keep you safe and make it (potentially) more difficult for you to be spied on. I say potentially, because in the end, if the person you’re having a conversation or sharing data with leaks it, it’s leaked. That said, here are some ways that the average person can start the process of protecting themselves:

  • Using Free/Open Source Software such as the LibreOffice office suite, the Firefox web browser, and the Thunderbird mail client. Being open source means that many people continually keep an eye on what the software does and are legally able to go public if there are any questionable changes; the same is not always true of closed-source software.
  • When using Firefox, there are a handful of extensions I highly recommend using daily. HTTPS Everywhere will attempt to use encrypted connections between you and any site you visit without you having to do anything. NoScript will disable scripts on web pages, along with other dangerous actions. NoScript can sometimes cause web pages to not work 100% properly, but it’s fairly simple to remedy; here is a video that can help with any problems you may encounter.
  • Using GnuPG and Enigmail for Thunderbird allows you to easily encrypt and/or sign messages and files. Shoot me an email if you need any help, or visit the nice people in ##crypto on the Freenode IRC network.
  • Using the Tor anonymity network allows you to browse the web anonymously. They’ve really done a stand-up job, and it is no longer difficult to get up and running. The Browser Bundle is basically a modified Firefox browser with some additional auto-configuration software to connect to the network and disable many things that could give away your identity. Contrary to popular belief, Tor and anonymity in general are not a bad thing and, like phones and the internet, have many good qualities. There are many ways to get help if you have trouble getting Tor to work, one of the most useful being the OFTC IRC channel #tor.
  • Apps such as TextSecure that will encrypt your messages to other TextSecure users (get your friends involved!)

Some of this may seem scary at first, but just remember this: none of the above will leave you in a place where you can’t get help or where you’ve hurt your computer. Feel free to play around! The more we use technology to our benefit, the harder it is for us to be tracked and spied on.

Also, this is just a jumping off point. There are many other projects out there that can help to keep you secure and anonymous online. Some, like Bitcoin require a lot of coöperation from many other people. Some, like Mumble require a little setup, but afterwards are very simple to use. Find your local geek or email me if you have any questions or are curious about other projects out there. (Note: I’m not an end-all-be-all resource, but I can be a jumping off point.)

The important thing is to start thinking about your anonymity and privacy. My wife noticed that an app she got to track her walks for her own use was also posting them to Facebook. She disabled that feature right away because she didn’t want people to know where she was all the time. (She did decide to allow the app to post to a work-out tracking site that doesn’t make that information public, but it was a choice she made, and she understands who she is trusting with this information.) Now she makes sure she understands what an app does with her data before using it.

Simply thinking about what you’re giving who is probably the biggest and most important step a non-techy can make.

Shuffling Cards

Date: 2014-02-12

Tags: cards shuffling algorithms combinatorics

While reading When Random Isn’t Random Enough: Lessons from an Online Poker Exploit I remembered what’s called Mental poker. One of the problems with this type of poker is making sure your counterpart isn’t cheating by rigging or peeking at the deck when they shuffle it. The algorithms described in the link would allow a distributed, P2P card game: without a trusted third party, you could be sure the deck was shuffled according to a known algorithm.
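The flaw the linked article describes, reproduced as an added Python example (not the article’s or this post’s code): the deck was shuffled by a PRNG seeded with the milliseconds since midnight on the server, so an attacker who knows the server clock to within a few seconds and sees five cards can replay candidate seeds until the dealt cards match. The five-second window, the seed value and the card labels are assumptions for the demo; a shuffle driven by the operating system’s CSPRNG is shown for contrast.

```python
import random
import secrets
from typing import List, Optional

DECK = [rank + suit for suit in "SHDC" for rank in "A23456789TJQK"]


def weak_shuffle(ms_since_midnight: int) -> List[str]:
    """The flawed design: a deterministic PRNG seeded with the server's time
    of day, so at most 86,400,000 distinct decks can ever be dealt."""
    rng = random.Random(ms_since_midnight)
    deck = DECK[:]
    rng.shuffle(deck)       # Fisher-Yates itself is fine; the seed is the weakness
    return deck


def strong_shuffle() -> List[str]:
    """Fix: take every swap index from the OS CSPRNG; there is no seed to guess."""
    deck = DECK[:]
    secrets.SystemRandom().shuffle(deck)
    return deck


def recover_deck(seen: List[str], clock_ms: int, tolerance_ms: int) -> Optional[List[str]]:
    """Attacker's side: knowing the first cards off the deck (own hand plus
    the flop) and the server clock to within tolerance_ms, replay each
    candidate seed until one reproduces what was dealt; the match reveals
    every remaining card, including the other players' hands."""
    for seed in range(clock_ms - tolerance_ms, clock_ms + tolerance_ms + 1):
        deck = weak_shuffle(seed)
        if deck[:len(seen)] == seen:
            return deck
    return None


if __name__ == "__main__":
    true_seed = 41_000_000                    # constructed: about 11:23 server time
    dealt = weak_shuffle(true_seed)
    guess = recover_deck(dealt[:5], true_seed + 2_000, 5_000)   # clock off by 2 s
    print("full deck recovered:", guess == dealt)
```

Five known cards identify one of the roughly ten thousand seeds in the window with overwhelming probability, which is why narrowing the clock (the attacker simply syncs to the server) was enough; no flaw in the shuffle algorithm itself is needed for this attack.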

Another interesting thing is that there are so many types of physical shuffles and shuffling algorithms, and so much research has gone into analyzing such a seemingly basic action of any card game. Similar to knots, being common doesn’t equate to being simple or well understood.

Science

Date: 2014-02-08

Tags: science

Since the Bill Nye–Ken Ham debate, I’ve been following the subject on Twitter. What’s come to my attention is that many people don’t understand what science is. It doesn’t help that certain terms are thrown around by people not realizing they are confusing if you don’t understand the multiple contexts they can be used in.

To start, “science” is being used to refer to methods, collections of knowledge, and theories; as such I won’t use the term in this article. So, let’s define some terms:

  • Observation or Evidence — Something that can be seen and measured now (e.g. wavelengths, pressure, temperature, and locations)
  • Theory — A proposed model of how something works
  • Predictions — Expected observations if a theory is true
  • Support — When evidence agrees with a theory, it is said to support it (NB a theory can never be proven, only supported)
  • Disprove — When evidence disagrees with a theory, it is said to disprove it (NB a theory can be disproven, meaning it is not universally true)
  • Scientific Method — The process by which a theory is proposed and tested by observations for support

Ken Ham claims that “historical” science isn’t the same as “observational” science because we weren’t there to witness the past. What Mr. Ham fails to realize, though, is that a theory only discusses the past in terms of how the present is. It’s meaningless to say “We didn’t see it so we don’t know”, because the scientific method only deals with observations, which by definition are something from the present. As such, scientists are not describing the past through fanciful story, but in terms of “if that happened, then we should see this” or “We see this; one explanation (which also fits other observations) is _____”.

—————————-

Take for example the idea that a large asteroid hit the Earth:

Theory — An asteroid large enough to substantially alter the Earth’s climate for a long period of time struck the Earth, resulting in a mass-extinction event.

Evidence

  • Iridium anomaly — Iridium is very rare in the Earth’s crust, except for a very thin layer at the Cretaceous–Paleogene boundary.
  • Chicxulub crater, Yucatán Peninsula, Mexico — a large crater (180 km in diameter and 20 km deep) dated to the end of the Cretaceous and large enough to cause major climate change.
  • Decline in biodiversity at the Cretaceous–Paleogene boundary — The fossil record shows a large loss in the types of creatures found after the Cretaceous. While absence of evidence is not evidence of absence, the sheer size of the decline seen statistically points to something happening. Alternate explanations for the loss, or a reason the loss of fossils wasn’t a loss in diversity, are welcome, but so far there haven’t been any.

Possible counter-evidence (and reasons for rejecting it)

  • Volcanoes deposited the iridium layer — No sustained volcanic eruption has led to world-wide sedimentation and minor climate change for more than a few hundred years (Mt. Rinjani). It was not large enough to cause a mass extinction or a large deposition of iridium. So, while possible, there is no evidence to support it.

In the absence of any other reason to explain the evidence, the theory of an asteroid impact is considered supported and not disproven. Note! This doesn’t make it true or fact. Note! This doesn’t rule out other explanations. This just means that it’s the best that we have right now.

————————————

Now, Ham dismisses radiometric dating because the rates of decay may have been different “back then”. While possible, we have no observations or reasons to support that theory. Additionally, radiometric dating techniques agree reasonably well with other techniques, such as sedimentation rates, which rely on different physical processes. In the absence of evidence, we cannot support Ham’s theory and continue to work with the theory that is supported by the evidence we have today.

NB Ham mentions some basalt rock and a tree. I’ve been unable to find any non-creationist source that even mentions this. Before a claim of “it’s being hidden” is made, I would like you to consider that such a claim, when substantiated, would make someone’s career and solidify their place in history texts.

Also, Ham constantly references the Bible, and by proxy God, as the reason for and proof of his theories. God is not testable. Science can neither support nor disprove God; God is outside of what science can discuss. That doesn’t make God unreal or anything else; it simply means we cannot observe and test God, which I don’t think a Christian (or any religious person) should be terribly opposed to.

“Science” is not a cult or a religion in opposition to religion. “Science” is the application of the scientific method and the collection of observations and previous applications. “Science” is capable of changing and admitting it’s wrong when presented with evidence; it’s a way of understanding the physical world around us. Religion is a way of understanding the spiritual world and our relationship with God. Science and religion have very little to do with each other until someone begins calling one the other.

I bet you’d get upset if I called a chess match a game of soccer.