atomic_fungus (atomic_fungus) wrote,

#5725: IOTTMCO, that is, the bleeding obious

"IOTTMCO" is old-time hacker speak. It's shorthand for "Intuitively Obvious To The Most Casual Observer". Yes, it has that '70s flavor to it because that's how old it is, and the acronym is of course overly complex, having far too many letters to flow off the tongue. (Feature, not bug, to the '70s hacker subculture.)

"Bleeding obvious" is, on the other hand, much easier to say, and also gentler on the ear. I suppose it depends on whether you're speaking or typing, but I'd rather type "bleeding obvious" than IOTTMCO as well, so it doesn't really matter all that much.

But that's the theme for today's post: people stating, or avoiding, the bleeding obvious.

* * *

Borepatch advises us not to use biometric data as a password. Here's the thing: because your biometric data must be stored somewhere, to compare against, hackers can obtain it and use it.

Now, here's the thing I don't get.

Here's how UNIX handles passwords: when you create a password, that password is processed through something called a "trap-door algorithm", which basically takes a pig (your password) and makes sausage out of it (a password hash). (Incidentally, that's why they call it a hash in the first place.) Unlike making sausage, you can unscramble the hash into the password...if you have a really powerful computer and a couple of centuries of compute time. (WTF, you could extract DNA from the uncooked sausage and clone the pig, too.)

The point is, the computer never stores the plain-text password; it stores the hash. When you enter your password to log in, the computer takes that password and runs it through the trap-door algorithm, and compares the result to the hash stored in its password file. No match, no access.

A hacker might be able to extract the password file from the system, but he gets a list of names and their associated hashes rather than passwords. If you type the hash in at the password prompt, the computer rejects it as incorrect (of course) because the hash isn't the password, but a mathematically-scrambled version of the password. The hash of the hash won't match the hash of the password.

It is possible to undo the hash--the program has been part of UNIX forever--but no one bothers. It's easier to compare the hash of the password to hashes of arbitrary passwords. This is why computer security people tell you not to use real words as passwords, but require combinations of letters and numbers as well. It's trivial to feed a dictionary into a computer program to hash the words and compare them to password hashes if you already have the password hashes. Any match gets you into the system at the user level, which is usually all you need if you want to steal information from the database.

I explain all this as a long-winded preamble to what seems like a relatively simple point: why isn't all this stuff being stored as a hash? Why is it being stored unencrypted? The trap-door algorithm is not compute-intensive--UNIX was developed in the 1970s--and neither is it a secret. The biometric data should be stored as a hash, and the computer should compare any password input against the stored hash rather than anything stored unencrypted, so if I put my finger on the scanner, my biometric data exists unencrypted in that computer only long enough for the computer to hash it and compare that hash to the stored one.

The credit card information pretty much has to be stored clear, as it's transmitted to the issuer, but everything else could be hashed, and that would make stealing personal information a lot harder.

Naturally this does not prevent hackers from capturing the unencrypted fingerprint data as it's being scanned, and then hashing it and comparing that hash against the database to find the other information. But it makes it harder to steal the information.

Seems bleeding obvious to me: hash everything you can. Then again, security is usually an afterthought.

* * *

The problem is that Oculus Rift costs too damned much. That's why the world "refuses" to adopt VR; the hardware is $600 on top of the fairly robust computer required to run the damned thing. I don't think you can get into a VR system for under $1,500, not if you want a frame rate faster than "flipbook" and a screen resolution higher than "bank sign".

* * *

The oil is still not being used. I don't understand how oil prices can be where they are given that nothing has changed in the oil market. We still have an oversupply of the stuff. No one's stopped producing; at most there's been a limit set on increasing production. Yet gas hovers around $2.45 a gallon in the Fungal Vale.

No one seems to be noticing that it's simply being moved from place to place, and not being used.

* * *

Comey leaked classified information to the media. Considering that he just came off a year where he was investigating a prominent public figure for her complicity in poor security of classified information, he ought to have known that he was breaking the law.


The Comey confidant who actually gave the info to the press says the memos were "not marked classified". If I sit at my desk and write out classified information I saw while working for the government, and I don't mark it as such, but give it to a friend of mine, well, guess what? I'm still guilty of leaking classified information to uncleared personnel.

Commentor RAT005 gets it right:
We've been through this with [Hillary]. The exact marking on a piece of paper or document is not what defines "Classified". Classified is content that the "authorized" person is trained to know is Classified. I'm a nobody. If I find a piece of paper that isn't marked Classified, I'm not responsible for realizing the content is Classified. If Comey or [Hillary] are passing info around they are responsible for knowing what is likely classified. If either idiot puts the most Classified info on a piece of paper and hands it out on the street corner to everyone, they aren't off the hook because they didn't mark Classified at the top.
This is why the confidant's statement is nonsense. Unless he himself has a security clearance, and even then he should be able to recognize classified information and realize he must not leak it to the press.

I doubt he has a security clearance.


* * *

For many, many years, I heard about how much better Roman cement was than Portland cement. The solution always seemed obvious to me: analyze a sample. Someone did.

The basic recipe is volcanic ash (in the place of sand), calcium oxide, seawater to start the chemistry going, and rocks for volume and strength. Left immersed in seawater, the concrete's chemical reactions continue and make the stuff stronger as time goes by.

They're saying that Roman concrete requires less CO2 emissions to make. Considering that the main ingredient is still calcium oxide--and the best way to make calcium oxide is to heat limestone in a furnace--I don't think that's 100% correct.

* * *

Heavy industry used to be heavy industry. Today, no one would expect a car manufacturer to have an aerospace division, much less make a heavy-lift rocket booster. I don't know if that's good or bad, but looking at that ad makes me feel as if we've lost something important.

* * *

James Woods nails it here. The statistics on how often the transgendered (charitably using their term) commit suicide, and how prevalent drug and alcohol abuse are among that very tiny demographic, convince me that by humoring your son's nonsense you are doing him the biggest possible disservice.

* * *

There are no spoilers in this review of Spider-Man: Homecoming. Czar of Muscovy wrote it; that should be obvious.

* * *

Today it's cloudy and kind of muggy outside. It's not hot, but it's not cool. Last night, with cooler air outside than now and all windows open and fans running, it got to 83° in the computer room before I gave up and turned the AC on. By bedtime the dew point had risen to 69° and it was sticky, so I did the right thing.

Well, it's almost mid-July. What do you expect?

  • Post a new comment


    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.