A blog doesn't need a clever name
Cyberethics, Crypto, Community, Freedom, Privacy, Property, Philosophy, MP3, Online Ed, Copyright, Iran, other current topics and fun stuff
Last updated: 3/1/05; 6:05:02 AM


 

Saturday, February 12, 2005

February 12, 2005. Katie Lucas: “Step 1: write about running really fast. Step 2: Go and draw a plan of the racetrack. Step 3: go and buy really tight lycra shorts. Step 4: run really, really, really fast. Step 5: cross line first.” [Joel on Software]
6:57:52 PM

Morphing Faces: Hidden Persuaders.

Jeremy Bailenson and Shanto Iyengar at Stanford University have made a startling and potentially frightening discovery about the power of graphical manipulation to persuade people. The abstract quoted here, furnished to me by Professor Bailenson, is from a broad study that has not been written up for publication. A smaller, pilot version, conducted with Stanford students, not a national sample, is in press at the journal of political psychology (PDF).

The authors are interested in reactions, so please post comments here.

[Smart Mobs]

(Bad url fixed, I think.)

Weird line of research, i.e., I'm not sure what it indicates. But I also haven't read the whole thing yet or thought about it much. More, maybe, later.


8:57:03 AM

The Curse of the Secret Question.

It's happened to all of us: We sign up for some online account, choose a difficult-to-remember and hard-to-guess password, and are then presented with a "secret question" to answer. Twenty years ago, there was just one secret question: "What's your mother's maiden name?" Today, there are more: "What street did you grow up on?" "What's the name of your first pet?" "What's your favorite color?" And so on.

The point of all these questions is the same: a backup password. If you forget your password, the secret question can verify your identity so you can choose another password or have the site e-mail your current password to you. It's a great idea from a customer service perspective -- a user is less likely to forget his first pet's name than some random password -- but terrible for security. The answer to the secret question is much easier to guess than a good password, and the information is much more public. (I'll bet the name of my family's first pet is in some database somewhere.) And even worse, everybody seems to use the same series of secret questions.

The result is the normal security protocol (passwords) falls back to a much less secure protocol (secret questions). And the security of the entire system suffers.

What can one do? My usual technique is to type a completely random answer -- I madly slap at my keyboard for a few seconds -- and then forget about it. This ensures that some attacker can't bypass my password and try to guess the answer to my secret question, but is pretty unpleasant if I forget my password. The one time this happened to me, I had to call the company to get my password and question reset. (Honestly, I don't remember how I authenticated myself to the customer service rep at the other end of the phone line.)

Which is maybe what should have happened in the first place. I like to think that if I forget my password, it should be really hard to gain access to my account. I want it to be so hard that an attacker can't possibly do it. I know this is a customer service issue, but it's a security issue too. And if the password is controlling access to something important -- like my bank account -- then the bypass mechanism should be harder, not easier.

Passwords have reached the end of their useful life. Today, they only work for low-security applications. The secret question is just one manifestation of that fact.

This essay originally appeared on Computerworld.

[Schneier on Security]
8:55:00 AM
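
The fallback argument in the essay above, worked through as an added example (not code from the essay or from this blog): an account is only as strong as its weakest way in, so a guessable recovery answer caps the value of a good password. The answer frequencies are constructed for illustration and all function names are hypothetical.

```python
import math
import secrets

# Constructed sample: share of users giving each answer to "favorite color".
# These frequencies are invented for illustration, not measured data.
COLOR_ANSWERS = {"blue": 0.35, "red": 0.20, "green": 0.15, "purple": 0.10,
                 "black": 0.08, "pink": 0.07, "other": 0.05}

def uniform_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a secret drawn uniformly at random."""
    return length * math.log2(alphabet_size)

def min_entropy_bits(dist: dict) -> float:
    """Bits of protection when the likeliest answer is guessed first."""
    return -math.log2(max(dist.values()))

def guesses_for_success(dist: dict, target: float) -> int:
    """Guesses, most likely first, until cumulative probability >= target."""
    total = 0.0
    for n, p in enumerate(sorted(dist.values(), reverse=True), start=1):
        total += p
        if total >= target - 1e-12:
            return n
    return len(dist)

def effective_bits(paths: dict) -> tuple:
    """The account is as strong as its weakest path: return (path, bits)."""
    name = min(paths, key=paths.get)
    return name, paths[name]

def random_answer(nbytes: int = 16) -> str:
    """Unguessable recovery answer; keep it in a password manager."""
    return secrets.token_urlsafe(nbytes)

def demo() -> tuple:
    paths = {
        "password": uniform_bits(62, 12),  # 12 random alphanumerics
        "secret question": min_entropy_bits(COLOR_ANSWERS),
    }
    weak = effective_bits(paths)
    # Replace the honest answer with random_answer(16): 16 bytes = 128 bits.
    paths["secret question"] = 8 * 16
    strong = effective_bits(paths)
    return weak, strong

if __name__ == "__main__":
    print(demo(), guesses_for_success(COLOR_ANSWERS, 0.5))
```

With a random answer the recovery path stops being the weak link, at the cost the essay describes: a forgotten password then means a call to customer service.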

Sidebar.

I’m dreadful at keeping my blogroll up to date. I don’t really use blogrolls, so I don’t pay that much attention to mine. What I do pay attention to are sidebars with links to fun things happening on the web. I first saw the idea on caoine, and I’ve finally got around to shamelessly copying it. I might from time to time borrow some of the links from there as well. Such as, for example, my new favourite blog of all time - 1000 bars. It’s the story of a man trying to drink in 1000 different bars in 2005. The whole thing reminds me of a time when (at least in fiction) there was nothing at all unusual about a character stopping for a quick drink at 10:30 and adding thoughts about the bar to his interior monologue. Highly recommended.

[Thoughts Arguments and Rants]
8:52:55 AM

Stress. Stanford University neurologist (and part-time "baboonologist") Dr. Robert Sapolsky takes us through what happens on our insides when we stand in the wrong line at the supermarket and offers a few coping strategies: gnawing on wood, beating the crap out of somebody, and having friends. [WNYC New York Public Radio]
8:51:13 AM

Police: Newborn was never tossed out of car. On CNN [NewsIsFree: Popular Items]
8:45:14 AM



© Copyright 2005 Bruce Umbaugh.