Tuesday, June 26, 2012

Apple iPad vs Samsung Galaxy Tab - Which is best for government?

DISCLAIMER. I own both the new iPad with the retina display and a Galaxy Tab. I find the iPad a wonderful tool for video and photo editing; however, having said that... let's get on to the article.

This is going to be a very short post, as this is a very simple argument. I recently noticed the ANC were purchasing many iPads for government use. I don't generally have a problem with tablet technology, and I really do believe that it can help government officials do their job better, but I do think it's worth noting that when it comes to government and political use, the Galaxy Tab smokes the iPad for one simple reason: iTunes.

Let me give you a scenario. You are a political official. You need to visit a rural school and give a presentation. When you arrive at the school, the headmaster hands you a multimedia presentation on a USB drive.

There is almost no way (without hacking the iPad) to simply copy documents and presentations onto it. Loading files onto an iPad normally requires either iTunes or iCloud, both of which you will find difficult to locate in rural South Africa. Retina displays and photo editing applications are only useful to people in the media industry.

If you want to copy something onto the Galaxy Tab on the fly, or share documents or media, then the Galaxy Tab absolutely smokes the iPad. It is easy to go to almost any device running almost any operating system and copy whatever files you need.

Tablets do not come cheap, so if government and political parties are going to be using them, then they need to buy smartly. They need functionality over "shiny beads". Until Apple sorts out its devices' reliance on iTunes, they will always come second to the Galaxy Tab.

EDIT: Other options to consider. The Galaxy Tab accepts an adaptor with HDMI out, which is perfect for giving presentations. The Galaxy Tab also has an adaptor that lets you read flash disks on the fly. It wins hands down in usability and features.

Monday, June 11, 2012

Password entropy, or how to choose a strong password

For a long time now, system administrators have been trying to teach their users how to pick strong passwords, and for the most part people appear to be listening. However, system administrators have been teaching users the old, and now wrong, way of picking a strong password. We asked people to choose passwords that were hard for humans to guess, but which ended up being easy for computers to figure out.

These days, very few systems keep their passwords in plaintext. So even when their databases get hacked, the passwords at least have a minimal form of protection and have to be brute-forced.

When attackers brute-force your password, they try every possible combination of characters until one produces the stored value.

A good example of this is the recent LinkedIn hack, where hackers were able to obtain all the MD5 hashes (the stored, hashed form of the passwords) in the LinkedIn database.

What does this mean exactly?

Well, say I join a website and I choose a password like: Bubblz!248. Because sites get hacked so easily these days, the person who builds the site will lightly protect your password with an MD5 hash, so that all the hacker can see is a hashed form of the password, which looks like this:

MD5 hash: 57c366fbaee03d11b6a241de52037463

However, there is a weakness with this approach. If the hacker already knows that 57c366fbaee03d11b6a241de52037463 = Bubblz!248, then he can trivially recover your password by lookup.

If he does not yet know what the original password is, he will try all possible combinations of letters, numbers and other characters until one hashes to the same value as your password.
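The two situations just described, lookup of an already-known hash and the hardened alternative a site should use instead, as an added example written for this post (not the author's code, and not what LinkedIn ran). The candidate passwords in the table are constructed for the example; the MD5 of Bubblz!248 is recomputed by the code rather than taken from the page. The salted PBKDF2 storage at the bottom is the defender's answer: a per-user random salt means no precomputed table applies, and a deliberately slow key derivation makes each brute-force guess expensive.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# --- The weak scheme the post describes: an unsalted, fast hash per user ---

def md5_hex(password: str) -> str:
    """Unsalted MD5, hex encoded, as a site storing passwords 'lightly protected' would."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def build_lookup_table(candidates) -> dict:
    """Precompute hash -> password once. Because the hash has no salt, the same
    table works against every leaked database, which is the weakness in the post."""
    return {md5_hex(p): p for p in candidates}

def recover_from_table(stored_hash: str, table: dict) -> Optional[str]:
    """Instant recovery if the stored hash is already in the table, else None."""
    return table.get(stored_hash)

# --- The hardened scheme: per-user salt + slow key derivation (PBKDF2-HMAC-SHA256) ---

ITERATIONS = 100_000  # assumption for the example; real deployments tune this upward

def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn per user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_pbkdf2(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    # Constructed candidate list standing in for a real cracking dictionary.
    table = build_lookup_table(["password", "letmein", "qwerty123", "Bubblz!248"])
    leaked = md5_hex("Bubblz!248")          # what an attacker would pull from the database
    print("unsalted MD5 of the post's sample password:", leaked)
    print("recovered by table lookup:", recover_from_table(leaked, table))

    # Same password stored twice with the hardened scheme yields different digests,
    # so a table built for one user says nothing about another.
    salt_a, digest_a = store_pbkdf2("Bubblz!248")
    salt_b, digest_b = store_pbkdf2("Bubblz!248")
    print("salted digests differ:", digest_a != digest_b)
    print("correct password verifies:", verify_pbkdf2("Bubblz!248", salt_a, digest_a))
```

The lookup succeeds only because the hash is unsalted and the password happens to be in the candidate list; with the salted scheme, the attacker has to redo the slow derivation per user and per guess, which is exactly the cost the post's long-password advice is meant to multiply.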

This is where the old way of teaching people to choose passwords is no longer sufficient. In the past we asked people to choose passwords that were not easily guessable. Then we asked users to choose passwords with special characters, capitalization and other random characters inserted into them (and users would often forget those passwords). Now we need to ask people to choose long passwords. Special characters are only partly relevant now; long passwords are currently the best way to stay safe.

I'll give you an example and explain why. Let's say your name is Bobby. You want to make a password that you will easily remember and that will be hard to crack.

Bobby, listening to the advice of his system administrator, decides to make a complex password that is not guessable, so he creates the password:


Now, in the old days that would be a pretty impressive password. It uses special characters and numbers, and even has upper- and lower-case characters in it. It is not easily guessable by a long shot... but it is pretty easy to crack.

According to GRC's Haystack, it would take a super array of computers a week to crack that password (assuming one hundred trillion guesses per second). On top of that, Bobby now has to remember a very complex password that he can easily mistype.

So what is a better way of choosing a password? As I said earlier: choose a long password, and the best way I have found to do this is to make a simple sentence that you can easily remember. Let's go back to our user Bobby and get him to choose a new password; this time he chooses a simple sentence like:


I can guarantee you that the sentence password listed above is going to be easier for Bobby to remember. He likes his dog and only has to remember the sentence, "bobby likes to take his dog for a walk".

So how much better is the new password and its entropy? According to GRC's Haystack, it would take a super array of computers 9.30 million trillion centuries (assuming one hundred trillion guesses per second) to crack that password!
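To make the "a week" versus "centuries" comparison concrete, here is an added example, written for this post rather than taken from it or from GRC, that reproduces a Haystack-style search-space calculation: the alphabet grows with each character class present in the password, the exhaustive search covers every string of length 1 up to the password's length, and the time estimate divides by the post's assumed one hundred trillion (1e14) guesses per second. The 33-symbol class (ASCII punctuation plus space) and the exact class boundaries are assumptions of this model, so the figures are illustrative rather than Haystack's own output; the sentence password used is the one from the post.

```python
import math
import string

# Character classes in the Haystack-style model. The alphabet size is the sum of the
# sizes of every class that appears at least once in the password. (Assumed model.)
_CLASSES = [
    ("lowercase", set(string.ascii_lowercase), 26),
    ("uppercase", set(string.ascii_uppercase), 26),
    ("digits", set(string.digits), 10),
    ("symbols", set(string.punctuation + " "), 33),  # 32 punctuation marks + space
]

GUESSES_PER_SECOND = 1e14  # the post's "one hundred trillion guesses per second"

def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must cover for this password."""
    return sum(n for _name, chars, n in _CLASSES if any(c in chars for c in password))

def search_space(password: str) -> int:
    """Every candidate of length 1..len(password) over the alphabet (exact integer)."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))

def entropy_bits(password: str) -> float:
    """log2 of the search space: the number of bits an attacker must effectively guess."""
    return math.log2(search_space(password))

def time_to_crack_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the search space at the given guess rate."""
    return search_space(password) / rate

def human_time(seconds: float) -> str:
    """Express a duration in the largest unit that fits, e.g. '7.00 days'."""
    year = 365.25 * 86400
    units = [("centuries", 100 * year), ("years", year), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.2e} seconds"

def report(password: str) -> dict:
    """Summary row for one password; returned rather than only printed so it can be checked."""
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "bits": round(entropy_bits(password), 1),
        "time": human_time(time_to_crack_seconds(password)),
    }

if __name__ == "__main__":
    # Constructed comparison: the post's "complex" style password versus its sentence.
    for pw in ["Bubblz!248", "bobby likes to take his dog for a walk", "correcthorse"]:
        r = report(pw)
        print(f"{pw!r:42} len={r['length']:2} alphabet={r['alphabet']:2} "
              f"bits={r['bits']:6} time={r['time']}")
```

Under this model the 10-character mixed-class password comes out at about 66 bits and roughly seven days at 1e14 guesses per second, which is the "a week" the post quotes, while the 38-character sentence, despite using only lower-case letters and spaces, is over 200 bits: length dominates, which is the post's point. Note that the model is a worst-case exhaustive search; a sentence built from common words is still weaker than this figure suggests against a dictionary attack, which is why the DON'T about single dictionary words below still applies.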

So to conclude, I would like to leave you with a couple of DOs and DON'Ts.

DO: Choose a sentence for your password.
DON'T: Choose a single dictionary word (even one in another language) as your password, ever.
DO: Use different passwords for different sites. Sites get hacked all the time, so you need to assume that at some point hackers will have a hashed form of your password.
DON'T: Choose a password with fewer than 20 characters.

Think you have a good password? Be sure to check its entropy at GRC's Haystack: https://www.grc.com/haystack.htm