Poor passwords

I work in computer security. The following were recently shared in one of the threat intel channels I follow.

Rather lame, but it’s what Hyatt Hotel prohibits as passwords in their network: https://www.hyattconnect.com/files/passwordpolicy/dictionary.txt

This is claimed to be the largest collection of actual passwords ever assembled.

The download link on the web page given by the link above is very scary (if you can even find it). I downloaded the .gz file, decompressed it, and packaged it up as a .zip file here: http://www.joehuffman.org/misc/RockYou2021.zip

Quote of the day—Edd Gent

How do old cells in adult humans give rise to the youthful cells found in infants? New research suggests they reset to their lowest biological age in early embryonic development, with potential ramifications for longevity science.

For a long time, it was assumed that germline cells—those that form eggs and sperm and pass a parent’s genetic information on to their children—were essentially ageless. But how this could be was never clear and more recent research had shown that germline cells do accumulate the signs of aging.

This led to the conclusion that there must be some kind of rejuvenation event that allows the offspring’s cells to start with a clean slate. But when and how this occurs was a mystery.

Now a team from Harvard has shown that the age of mouse embryo cells resets about a week into development, representing the “ground zero” of aging. The finding not only provides insight into the fundamental dynamics of aging, but also suggests we might mimic the process in adult cells to rejuvenate aging tissues.

Edd Gent
June 28, 2021
Harvard Scientists Pinpoint ‘Ground Zero’ of Aging in Mouse Embryo Study
[I had often wondered about this. If old age is caused, primarily, by the shortening of telomeres, then how do embryos get normal length telomeres from non-infant parents? I figured that someone must know, it’s such an obvious question. And the obvious follow up question of, “Can we replicate this restoration of telomeres in an organism?” Must have an answer similar to, “No, it only happens during the union of a single sperm and egg.”

That these were unanswered questions has incredible consequences now that answers are being discovered.—Joe]

Quote of the day—Lee Reiners

Crypto enthusiasts call me a Luddite, statist, technophobe or worse. Asset bubbles are maintained by a common narrative, and anyone who dares question it must be attacked. But a growing chorus is pointing out the emperor has no clothes.

Lee Reiners
May 25, 2021
Ban Cryptocurrency to Fight Ransomware
[I’m certainly no fan of cryptocurrency. I might even concede that banning it would put a serious dent in ransomware. But I am very reluctant to advocate a ban on it. Doesn’t the First Amendment protect it?

When I first heard of Bitcoin I was rather enthused about it until I discovered it wasn’t completely anonymous. Anonymous financial transactions are a critical component of a free society. Anonymous financial transactions with anyone in the world who has access to a computer would solve a lot of freedom issues. To the best of my knowledge all anonymous financial transactions still, and will in the foreseeable future, require a physical exchange.

Hence, I am inclined to agree with Reiners:

It isn’t obvious that cryptocurrency provides any benefit at all beyond the chance to make a quick buck. I have been studying the crypto market since its inception, and I have yet to identify a single task or process that crypto makes easier, better, cheaper or faster. Don’t take my word for it. Ask any friend why he owns cryptocurrency, and the answer will invariably be “to make money.” In other words, speculation.

With all the above in mind what I would like to see is the natural death via a loss of faith in Bitcoin and cryptocurrencies in general such that it can’t be used for criminal acts.—Joe]

Quote of the day—Francisco

Write that down and pin it to the corkboard in your office.
It will turn out to be one of the greatest understatements you will have ever made.

Not that quantum computing will not produce many absolutely amazing positive results, it will, but the view of them will be obscured by all the smoking craters QC causes.

May 25, 2021
Comment to Quantum computing as a threat to Bitcoin
[I’m currently of the opinion the positive results will be on par with the smoking craters. But I’m not knowledgable enough on the subject to claim any expertise.

We live in interesting times.—Joe]

Quantum computing as a threat to Bitcoin

Another threat to Bitcoin. Quantum computing:

Quantum computers and the Bitcoin blockchain

An analysis of the impact quantum computers might have on the Bitcoin blockchain

Regarding the threat from a quantum computer, the public key is directly obtainable from the address. Since all transactions in Bitcoin are public, anyone can obtain the public key from any p2pk address. A quantum computer running Shor’s algorithm could then be used to derive the private key from this address. This would allow an adversary who has a quantum computer to spend the coins that the address had.

Google Aims for Commercial-Grade Quantum Computer by 2029.

A friend who was lured out of early retirement after multiple successful startups claims he has held a million (IIRC) qubit chip in his hand. He told me about this in January of 2020 when he was seeking funding to take it commercial. The last time I talked to him about this COVID had halted his funding quest.

Whether it is Google, IBM, Microsoft, other big names, or any number of startups who want a piece of the pie quantum computing is going shake up a lot of things. Bitcoin, at least as we know it, will probably be an early casualty but it will be far from the only one.

Quote of the day—Signal

Signal doesn’t have access to your messages; your chat list; your groups; your contacts; your stickers; your profile name or avatar; or even the GIFs you search for. As a result, our response to the subpoena will look familiar. It’s the same set of “Account and Subscriber Information” that we provided in 2016: Unix timestamps for when each account was created and the date that each account last connected to the Signal service.

That’s it.

April 27, 2021
Grand jury subpoena for Signal user data, Central District of California
[Good to know.

See also here.—Joe]

I like the analyst number

Last year my boss made it a requirement that everyone on our team must take the SANS FOR578: Cyber Threat Intelligence class, complete it, and take the certification exam by the end of 2021.

It was paid for by our employer and we were supposed to take the class online during company time. The class is about $8,000 and requires at least 40 hours.

I completed it last month, passed the exam on the 15th of this month, and received the certificate of completion today:


It wasn’t easy, but it wasn’t deadly hard either.

The “Analyst number” they assigned me was a special touch but entirely a coincidence.

Existential threat to Bitcoin

I don’t trust the stability of Bitcoin. I trust it even less than fiat U.S. dollars. I see mining bitcoin as wasting electricity to produce… well, what does “mining” actually turn those gigawatt hours into? Isn’t it simply faith in it’s value by some subset of the worlds population? What if people start losing their faith? Doesn’t the value of Bitcoin decrease exponentially with this loss of faith? Once some sufficiently large number of people lose faith isn’t there a high likelihood of an avalanche of people losing faith? Isn’t it likely Bitcoin will go down in the history books as another Tulip bulb or Mississippi bubble?

There is also the risk of one or more countries declaring it illegal and reducing it’s trading value to near zero in that country.

It turns out there are far more subtle yet greater or equal threats to it’s value: Bitcoin’s Greatest Feature Is Also Its Existential Threat: The cryptocurrency depends on the integrity of the blockchain. But China’s censors, the FBI, or powerful corporations could fragment it into oblivion.

Quote of the day—Rolf Nelson

This tendency of AI to speak “racist” or “problematic” things is nearly 100%. As someone who has thought about AI, and written about it, I find this humorous. It is almost as if none of these people being offended consider the possibility that the AI is correct.

Rolf Nelson
March 21. 2021
Racist AI
[It is relatively, for certain values of “relatively”, easy to create software which responds rationally to data. The response of people to that same data is almost certainly not going to be rationally without exceedingly careful processing of that data. People just don’t work that way. Hence, when the AI responds contrary to the expectations of the humans the humans are surprised.

It is irrational to expect people to be rational.—Joe]

How to make your own primers

I received a link to Homemade Primer Course via email from Rolf. I put a copy on my server as well.

This is the description of the document and author:

This document describes how to make homemade ammunition primers. Approaches to make corrosive and noncorrosive primers are covered.

W. Marshall Thompson PhD

Revision Date: June 28, 2019

I found it fascinating reading. It starts with how primers work and the history of primers, then tells how to make primers that are extremely simple and safe to make but are somewhat less reliable and powerful than commercial grade primers, and concludes with how to make commercial grade primers and even “green” (lead free) state of the art primers. It’s amazing!

Thank you Rolf.

Quote of the day—Alexey Bobrick

We went in a different direction than NASA and others and our research has shown there are actually several other classes of warp drives in general relativity. In particular, we have formulated new classes of warp drive solutions that do not require negative energy and, thus, become physical.

Alexey Bobrick
March 4, 2021
Engineers Have Proposed The First Model For a Physically Possible Warp Drive
[I wish Eric Engstrom were still alive.

Chromium Communications Corporation was incorporated on January 1, 2000 by G. Eric Engstrom. The next day, yes, a Sunday, I went to work for Eric as his first employee at the brand new company.

A couple weeks earlier I had told him I was looking for a new job and he lite up and engaged his famous “Engstrom Reality Distortion Field.” His sales pitch included his plans for the future with his company and the money we would make. He outlined he would be the first man on Mars, and exploring the planets would be so awesome that we would need to wait around for warp drive so we could explore other solar systems. To do that we would need to be able to extend our expected lifetimes essentially forever because there was so much out there to see and do. And he had plans on how to make that a reality too.

As was usual, the enthusiastic belief in the story Eric wove rapidly faded once I escaped the range of the distortion field. But that doesn’t mean I don’t still feel the yearning for some of those things to be true.

Eric is dead but maybe his dream of a warp drive will become a reality for someone he knew and influenced.—Joe]

Solar energy from space

When I was an undergraduate in electrical engineering at the University of Idaho I wrote a paper reviewing the use of microwaves to beam energy from space to the surface of earth. In 1973 Peter Glaser, vice president of Arthur D. Little, Inc was granted a patent for certain aspects of this concept.

I was quite enthralled by the concept. The critics claimed things like:

  • Bird will be cooked by the microwave beams mid flight.
  • Planes which accidently get in the path of the microwave beam will drop out of the sky.
  • The losses will be so great that on earth you wouldn’t be able to power anything bigger than a toaster.

Most of the critics were, to electrical engineers, laughable wrong.

In regards to cooking the birds the frequency of the microwaves would different from your microwave oven. A frequency that was not absorbed by rain and water vapor would be chosen to decrease transmission losses.

The energy density of the microwave beam would be little different than a microwave communications tower. The beam width was quite large and hence large amounts of energy could be transmitted without frying the electronics of anything blocking a small portion of the beam.

There are few things more well known that how to calculate the power loss of electromagnetic radiation in free space. You could power small cities from a single satellite.

There was one problem which did not have a good response. That was the cost to get the materials into orbit and to assemble it in space. If I recall correctly, Little’s study claimed the cost to orbit needed to get down to $30/pound for it to match earth based systems. Again, IIRC, the price at the time was well over $100/pound.

When the Space Shuttle went operation I thought perhaps the costs would be low enough that the concept would be practical. Nope.

It turns out that people are working on the concept again:

Scientists working for the Pentagon have successfully tested a solar panel the size of a pizza box in space, designed as a prototype for a future system to send electricity from space back to any point on Earth.

The panel — known as a Photovoltaic Radiofrequency Antenna Module (PRAM) — was first launched in May 2020, attached to the Pentagon’s X-37B unmanned drone, to harness light from the sun to convert to electricity. The drone is looping Earth every 90 minutes.

An important difference from Little’s plan is that these satellites would be be in low orbit rather than in geosynchronous orbit. This allows a handoff from one satellite to another when a satellite goes into the earth’s shadow.

It’s clean power. And more importantly, in contrast to earth based solar power, it’s 24/7/365.

I wish them luck.

Quote of the day—Selmer Bringsjord et al.

We propose to build directly upon our longstanding, prior r&d in AI/machine ethics in order to attempt to make real the bluesky idea of AI that can thwart mass shootings, by bringing to bear its ethical reasoning. The r&d in question is overtly and avowedly logicist in form, and since we are hardly the only ones who have established a firm foundation in the attempt to imbue AI’s with their own ethical sensibility, the pursuit of our proposal by those in different methodological camps should, we believe, be considered as well. We seek herein to make our vision at least somewhat concrete by anchoring our exposition to two simulations, one in which the AI saves the lives of innocents by locking out a malevolent human’s gun, and a second in which this malevolent agent is allowed by the AI to be neutralized by law enforcement. Along the way, some objections are anticipated, and rebutted.

Selmer Bringsjord
Naveen Sundar Govindarajulu
Michael Giancola
February 5, 2021
AI Can Stop Mass Shootings, and More
[See also this glowing review of the paper.

“…some objections are anticipated, and rebutted.” Uhhh… No.

Here are the objections they anticipated, paraphrasing:

  1. Why not legally correct AIs instead of ethically correct?
  2. What about “outlaw’ manufactures that make firearms without the AI?
  3. What about hackers bypassing the AI?

Their responses, paraphrasing in some cases:

  1. “There is no hard-and-fast breakage between legal obligations/prohibitions and moral ones; the underlying logic is seamless across the two spheres. Hence, any and all of our formalisms and technology can be used directly in a ‘law-only’ manner.”
  2. Even if the perpetrator(s) had “illegal firearms” in transit other AIs in a sensor rich environment “would have any number of actions available to it by which a violent future can be avoided in favor of life.”
  3. “This is an objection that we have long anticipated in our work devoted to installing ethical controls in such things as robots, and we see no reason why our approach there, which is to bring machine ethics down to an immutable hardware level cannot be pursued for weapons as well.”

The first objection and rebuttal doesn’t really require any response. It just doesn’t matter to me. Sure, whatever.

They dismiss the second objection with a presumption of unknowable knowledge. People smuggle massive quantities of drugs in vehicles even though the vehicles are searched by any number of sensors, dogs, and dedicated humans. What makes them think a single firearm can be possibly be detected by semi-passive or even active sensors?

More fundamentally they are avoiding the objection and providing their critics with the response of “If there are any other number of actions available” without an AI controlling access to the firearm then you don’t need the AI in the gun to begin with.

The third objection puts on full display their ignorance of firearms and perhaps mechanical devices in general. To demonstrate the absurdity of their claim imagine someone saying they were going to put an ethical AI, at an “immutable hardware level”, on a knife so it could not be used to harm innocent life.

Such people should, and would be, laughed off the stage into obscurity. It should also happen to those who seriously suggest it is possible to do this for firearms.—Joe]

Quote of the day—Sam Levy

[Privately assembled firearms are] a way for prohibited persons to access firearms they could not buy legally by passing a background check, a way to stymie law enforcement investigations for those who want to use those guns to commit crimes because they are untraceable.

Sam Levy
Everytown for Gun Safety
Baltimore police report a 400% increase in untraceable ‘ghost guns,’ mirroring a state trend
[Levy thinks the so called “Ghost Guns” are a problem for their side? Wow. That’s only going to get worse as the 3-D printed guns start approaching the quality of existing mass produced guns.

And then, I have my popcorn and easy-chair ready for when Levy and gang hear SCOTUS has handed down a ruling that could blast a hole in registration, including the “soft registration” via 4473’s, and other infringements for years. If you remember, there have been lower court rulings saying, according to U.S. law and ATF regulations, the AR-15 lower and perhaps as many of 90% of the firearms in the U.S. aren’t legally firearms.—Joe]

AR15.com update

If you are regular visitor to ARFCOM you probably already know this. But I got some email from someone a little behind the times so I thought I would update everyone here on the story with the GoDaddy deplatforming of AR15.com. Originally I thought GoDaddy was the hosting provider (as they are for this blog) for AR15.com. Hence when I looked up their current, and functional, IP address and found it belonged to Amazon I was concerned they hadn’t take as big a leap as necessary to escape the purge.

I was wrong. GoDaddy was only the domain registrar. It’s a lot easier and cheaper to get your domain registered than it is to change your hosting provider. They quickly changed their domain registrar (to Epik, the same as Gab) and were up and going again quickly.

It is claimed they have backup plans for other possible issues such as losing their hosting provider.

ARFCOM NEWS has all the details:

Quote of the day—Michal Kosinsk

Ubiquitous facial recognition technology can expose individuals’ political orientation, as faces of liberals and conservatives consistently differ. A facial recognition algorithm was applied to naturalistic images of 1,085,795 individuals to predict their political orientation by comparing their similarity to faces of liberal and conservative others. Political orientation was correctly classified in 72% of liberal–conservative face pairs, remarkably better than chance (50%), human accuracy (55%), or one afforded by a 100-item personality questionnaire (66%).

Michal Kosinsk
January 11, 2021
Facial recognition technology can expose political orientation from naturalistic facial images
[Via Stanford Scientist Can Tell If You’re A Liberal Just By Looking At Your Face

I have often thought I could tell the difference between gun people and anti-gun people just by looking pictures of them. Self defense instructor Greg Hamilton believes, and teaches, something similar.

The research paper cited above is saying that such a thing is possible.

Now just imagine what big tech/government could do with this technology.

We live in interesting times.—Joe]

East Germany had to assign real people

Via email from Chet (who worked with me at Microsoft on the location services for Windows Phone 7):

It is Big Tech that knows more about you than your spouse and that if they so choose could make your life miserable. As I discussed many times when we were working on location, carrying a device is like having a private detective assigned to you. Fitbit is just another source.

In East Germany they at least had to assign real people. Now, everyone can be tracked and monitored in real time without lifting a finger.

We have invented the tech that will enslave us.

This was in response to an announcement that Fitbit is now officially a part of Google.

He has a point.

But there is another point to be made as well. Intelligence sources, which your phone is, can be manipulated to your own advantage.

If your cell phone location is proof you were at some location then doesn’t your phone not being at some location prove (or at least represent evidence) you weren’t there?

Quote of the day—Kevin Maxwell

In my legal opinion the Rare Breed Triggers FRT is a perfectly legal, semi-automatic, drop-in trigger. And my opinion is further supported by the opinions of whom I believe to be two of the most significant subject matter experts in the industry.

Rare Breed Triggers FRT – Full Video from RARE BREED TRIGGERS on Vimeo.

Kevin Maxwell
December 2, 2020
[As Greg said in a private post on Facebook:

pretty genius, I doubt it will last long on the market.

If you’re into this type of fun then get them while they last!

FRT is an acronym standing for “Forced Reset Trigger”. And that tells you all you need to know to have your giggle box kicked over.

We live in interesting times.—Joe]