I don’t follow golf, but even so I get all sorts of breathless “Tiger was in the middle of the pack!” articles before I can click through to actual sports. Tiger is in the middle of the pack. It’s not news anymore. Move on.

An MD5 Hash is a big number that is generated by doing crazy math on the original information. It has two good qualities – when you start with the same text you always get the same result, and it’s pretty much impossible to tell what the text was from the number.

A lot of places store the hash of your password, rather than the password itself. When you type in your password, it’s hashed, and the resulting number is sent over the wire. If the number matches the one in their database then you’re in.

But there is one way to crack the hash I hadn’t considered: keep a database of known strings and the resulting hash. It had never occurred to me to try to keep a table so huge, but with access to this information you could pretty easily crack passwords that lots of people use.

In my search for a hashing service, I came across one such Web site. Also on that site: a service to generate a hash for you. The message: “Hey! We keep a database of hashes to render them useless! You want us to calculate a hash for you?”

Um… No thanks?

At this point, I have to advise, stay away from Web-based hash generators. I know you were about to go and use one.

She may be the sweetest-tempered dog I’ve ever met, happy to see anyone. She didn’t bark at repair men and delivery guys today, even though she’s starting to get the feel of her new territory.

The first thing we did when we got home was give her a bath; she’s been living outside for the last few weeks. She put up with the water and shampoo stoically, but we missed a few spots.

People over in Facebookland have been asking for pictures, so here for your delight are a few snaps. (You can click to see them larger.)

We had bought a package of rawhide bones for her; after she showed no interest in a tennis ball we gave her one of those. She walked around with it for a while, relaxed in the shade with it firmly between her teeth, but never chewed it. After a while, she found a corner of the yard and buried it. In the second photo she’s pushing more dirt on top of the burial site. Of course I’ve heard about dogs burying bones, but I’ve never seen it before.

As you can see our new doormat could stand to shed a few pounds. Her hip stiffens up and stairs are particularly difficult for her. We’ll be putting he on a diet.

I thought about this today as I finished my third episode this week concerning Internet security. I could become a blogger focused on that very important issue. After a while folks would start to look for me, to accept me as an authority, for better or for worse. That would be kind of cool.

Instead, I thought, “I have to break up all these techno-geek articles with something more fun.” I pushed publication of two of the security episodes into the future. (Whether the intervening episodes are actually fun is another story.) I now realize that it’s not merely that MR&HBI is poorly aligned for success, I’m actively working to keep it that way.

You don’t have to thank me, it’s what I do.

Some time ago I downloaded Edgar Rice Burroughs’ A Princess of Mars through Project Gutenberg. Recently I downloaded it again into my eReader and this time I actually read it. Not long after I began to read I was sucked into the improbability vortex.

The first coincidence was external: I realized that the main character was named John Carter and there’s a special-effecta-palooza stomping its way into cinemas with that title. I was reading the material from which the movie was adapted. I knew the cinematic beast was based on stories of this ilk, but here I was holding the exact one.

The coincidences didn’t stop, but from then on they were within the story. John Carter is the luckiest SOB I’ve read about in a long time.

“But Jer,” you say, “it’s an adventure story. It’s pulp. Some slack is due.”

Yep indeed, the words I put into your mouth are dead on. Some slack is due. Carter is a lucky SOB all right, but it is his skill and derring-do that make the most of that good fortune. On Earth Carter is a pretty impressive specimen; in the lower gravity of Mars he kicks some pretty phenomenal ass.

It is not just physical prowess that sets him apart, however. While living in a society of heartless warriors, his horses (um… thoats) are far more faithful, because he uses the carrot as well as the stick. When the pragmatic Green Martians see that sometimes a gentle hand gets results, subtle societal changes begin.

As promised in the title, there’s a Princess, the undisputed Most Beautiful Woman on the Planet, and of course she’s captured by (what a coincidence!) Carter’s Green Martian sort-of-captors. You might not be surprised to hear that Carter and the Princess hit it off pretty well, despite some problems caused by culture clash.

Let’s reflect for a moment on some of the things Burroughs did well. There are two intelligent races on Mars, competing for dwindling resources. Death by old age is exceedingly rare, especially among the Green Martians. They spend a lot of time killing each other. I had no trouble at all getting the feel of this race, of the strengths and weaknesses of the society, and how their long history had shaped them. (By a remarkable coincidence, the two Green Martians closet to Carter were throwbacks to a gentler age. By an even larger coincidence the two were related.)

For all the Princess was Unimaginably Beautiful and in need of frequent rescue, she held her own. She did have an affliction I will call diminishing adjectivitis – almost every adjective applied to her minimized her, emphasizing her slightness, her delicacy. Yet she made the decision to sacrifice herself to save her people. That the Manly Men of the story managed to free her and save her people (and unite traditional foes, realigning politics on Mars from “Red vs. Green” to “Cool vs. Asshole”) does not take away from her sacrifice. Were the story written these days, more might have been made of her self-sacrifice, but let’s face it. This story was written for the same demographic that would be sneaking looks at their fathers’ Playboys a few decades hence.

Then there was The Coincidence That Went Too Far. I felt the strain when Carter ran into an old pal in enemy territory. Credulity snapped when Carter’s airship crashed right next to his old Green Chum in the heat of a savage battle, just in time to save the guy and get leverage to assemble an army to go save the princess.

A nation is slaughtered, but their king was a jerk, so that’s OK. Don’t go starting wars if you’re not ready to pay the price. This came out during The Great War.

So, in the shambles of the One Coincidence to Rule Them All, the story winds to a close on a wistful note. It’s a tight read, easy-breezy (though the language is filled with pomp), and it keeps on moving. I wonder, if the math of publishing had been different and Burroughs felt comfortable pushing to 300 pages, if he would have needed those coincidences to get the players into position. I also wonder if the story would have been any better without the Hand of Fate smacking things around so blatantly. After all, this way we get to the next action scene that much faster.

It’s kind of funny – In the end, four-armed men who own guns accurate for miles fighting with swords on the moss-covered beds of the ancient oceans of Mars didn’t bother me at all (well… not much). It was a chance meeting in a city square that pushed me to the breaking point.

I haven’t even alluded to the Greatest Coincidence Of Them All. The Great Mambo Coincidence that makes mere luck rock back on its heels and suck its thumb. A coincidence so stupendous that it can only save all life on an entire planet. It’s actually not that bothersome here since it’s not central to the action. It does put Carter back on Earth, though.

You know what, though? I’m pretty sure John Carter goes back to Mars. Maybe his kid has hatched (best not to think too hard about biology here). I’m equally confident that I’ll read more of these stories. I expect to roll my eyes at some mind-abusing good fortune on the part of our protagonist. But I’ll still have fun, and in the end, that’s what it’s all about.

Note: if you use the above link to buy this book (or a Kindle, or a new car), I get a kickback. I chose to link to this version for the awesome cover, but you should know that if you have an electronic reading device, you can download the novel for free.

A friend of mine recently put up a post that reminded me of another way hackers can get into your accounts (including primary email), one that I’ve been meaning to mention. You know those security questions they ask you, so they can confirm your identity? Those questions aren’t very secure. Questions like, “Where did you go to elementary school?” Pretty easy to find out stuff like that these days.

Say I want to hack into a celebrity’s yahoo account. I just need to answer a few questions, most of which are probably answered in imdb. Then I’m in. There’s a GQ article linked in my friend’s post that illustrates just how easy this all is.

The problem is, lots of places force you to set up these questions – making it mandatory that you provide a huge hole in your own security. A lot of people call these “insecurity questions”.

Security questions can work, but only if you choose to answer them incorrectly. Where did I go to school? A fish. What was the name of my first pet? 4e$RE*Plaster. Of course, in the rare event that I actually need to be able to answer the questions, there’s no way I’m going to remember what I said the first time.

While pondering that I had a thought for a method of answering these questions, one that removes any worry about remembering much of anything. Let a machine do the work. Imagine if you could select the question with your cursor, push a button, and paste your own personal complete gibberish into the answer field. Then, whenever confronted with the same question, you can generate the same gibberish. No remembering and no chance of anyone ever guessing your answers.

This would actually be pretty easy to do. It might even just take GnuPG and a bit of scripting. All it has to do is take the selected text, add a little secret extra bit that you set, then put the MD5 hash onto your pasteboard. It would be better as a browser plugin, so it was ready and waiting whenever you needed it. A little gizmo like that could go a long way toward tightening up one of the biggest security holes in the interwebs.

I’d build it except for two things: I just don’t have time right now, and a major technology company would end up owning it.

While we wait for someone to step up and build that little beauty, take a moment and reset your “insecurity questions” to something no one can guess. Perhaps for each question that asks for a name, you have one ridiculous answer (that you never tell anyone) and for locations you have another, and so forth. It’s not as good as a different answer for every site (who knows how securely each place stores them?) but it’s a hell of a lot safer than the truth.

The way Bank of Money proves their identity is by passing to you a special encrypted file that says who they are. But how do you know that certificate file is genuine? Because someone else made the file and they can verify that it’s legit. That “someone else” is a Certificate Authority, and your browser is trained to trust a handful of these companies implicitly. You might have heard of VeriSign, for instance. Bank of Money can go to VeriSign, provide information (and money), and after VeriSign carefully screens the application to make sure it’s really coming from Bank of Money, issues them a certificate.

When you connect to Bank of Money, your browser goes, “oh, hey, VeriSign says this certificate is the real thing,” and you’re good to go.

Unless, of course, the Certificate Authority is controlled by an evil government. Or if a CA gets hacked. Or if a CA is just sloppy. And the crazy thing? If any one of the Certificate Authorities trusted by your browser is compromised, you can’t trust any connection, no matter where the original legitimate certificate came from.

And, well, that has happened. The two cases I know about seem to have been aimed at Iranian dissidents, but it is no exaggeration to say that all of e-commerce depends on the integrity of the Certificate Authorities. That integrity has proven to be shaky lately. Each CA is a separate point of catastrophic failure for e-commerce.

And the pain goes both ways. Let’s say for a moment that Bank of Money got their certificate from DigiNotar. DigiNotar got hacked, wasn’t forthcoming, and lost their ‘automatic trust’ status in most browsers (which is a reason to accept all those annoying browser updates – they might be quietly blacklisting known fraudulent certificates). Even though Bank of Money did nothing wrong, now none of their customers can make a secure connection. The browsers don’t trust their DigiNotar certificate anymore. For good reason. They lose, you lose, I lose.

Is there an alternative to Certificate Authorities? Practically speaking, probably not. But there is another way to establish the legitimacy of Bank of Money’s certificate. If someone you know personally and trust says that BofM’s certificate is valid, then you can choose to trust it, too. Once you decide it’s legit, and confirm it for yourself, you can put your own stamp on it, and then people who trust you can feel confident as well. It’s not about some central authority, it’s about people you know and trust.

If some bogus entity tries to jump in with their own certificate, it won’t have the endorsement of you or your pals on it. You won’t be fooled, and neither will anyone else.

This model is called the Web of Trust. A certificate is only as good as the collection of endorsements it has built up. Bogus certificates (theoretically) have a much more difficult time taking hold. If I was an Iranian dissident, for example, I’d be very, very conservative about which certificates I accepted and endorsed. There’s a pretty good chance that people died as a result of DigiNotar being hacked. The major browsers accepted the false certificates without blinking, and the government read everything the dissidents said.

Bank of Money would love an alternate system that didn’t cost them a lot of money, and protected them from blacklisting because someone else messed up. The problem, if you’re an institution like that, is getting started. You can’t just wait for your certificate to gain acceptance organically before your Web portal becomes useful. To get going quickly you need one powerful, trusted person to vouch for your certificate, someone everyone else will believe. That’s what a Certificate Authority is, and they’re built into your browser, so that you have to go out of your way not to believe them.

Yet, if the Web of Trust were well-developed, new certificates would spread very quickly. If we all had three or four people we trusted, and a bunch more we sort-of trusted (so that if several of them said a certificate was legit, we’d be OK with it), then BofM’s certificate would percolate through the WoT pretty quickly.

But what if none of your trusted people used Bank of Money, so never endorsed its certificate? You can extend your search for endorsement further, and decide for yourself how comfortable you are. This is where a centralized Certificate Authority can come in — you can choose to accept their endorsement if your personal Web of Trust doesn’t cover that certificate. It’s entirely up to you. Not like now.

And, sure, at first people would get fooled. There will be people who endorse certificates lazily. There will be fake people created just to endorse certificates. Iranian dissidents will not be fooled, however. When something inevitably goes wrong, the sloppy people will no longer be trusted, and will learn not to trust people they don’t know. Speaking personally, I already know who my trusted folk would be — I have friends who would take responsibility for their endorsements very seriously, both out of pride and a sense of social responsibility. Shit, I can think of five without even breaking a sweat, and that’s plenty. You know a couple of people like that, too. Ask yourself: Would you rather trust them or a big company in it for the money and subject to political fiat?

This might be the definition of ‘neighbor’ for the information age.

So, people of planet Earth, we have a chicken-and-egg problem. Bank of Money isn’t going to depend on a Web of Trust that doesn’t exist yet. Most of their customers aren’t going to bother building the WoT, because none of the institutions they interact with use it. I talk about the Web of Trust, but I haven’t done much about it myself. We need a catalyst. I just hope it’s not the collapse of the Certificate Authority system, and the disruption that would cause.

I’ll talk more about how we can all work together to build the Web of Trust in a later episode. The takeaway today: We need it. Prepare to do something about it. It won’t be as simple as it ought — something I plan to bring up at work.

You see, there’s a camera lens I’ve been looking at for a long time. Sometimes I’ll even look in on eBay to see if one is going for less than usual. Last week, I found one at a good starting price. No one had bid. It was a few hours before the auction ended, but for stuff like that all the action happens in the closing seconds. Still, I set an alarm for a couple of minutes before the auction ended. If I wasn’t busy doing something else, I’d look back in and watch the action.

No one had bid. Time was winding down and no one at all had bid on the lens. It was more than I could afford, more than I had any business spending. The seconds ticked down in red digits. An appeal to my sweetie followed, hoping for reason but dreading reason far more. My finger was on the button, ready to pounce.

I bid. I won. I have a new lens. It’s awesome.

A little camera geekery: photography is filled with numbers, and this lens has one eye-popper: f/1.2. The smaller the number, the ‘faster’ the lens – the more light it gathers in a given period of time. 1.2 is a very small number, meaning this lens can open way up and take in a lot of light. That in turn means it works very well in low-light situations. That can be really handy when it’s not practical to lug lights to where the action is. There’s another side effect of this gaping aperture, and that is that the depth of focus can be very, very shallow.

Depth of Focus is a little tough to explain because we don’t experience it with our eyes – they are constantly refocusing on whatever we’re interested in at the moment. But the concept is really simple. When things are too close to the lens, they go out of focus. Too far, out of focus. Then there’s a middle range where the picture is sharp. With some lenses that middle range is so huge that pretty much everything is in focus, unless it’s really close. That’s a good quality on an instamatic with fixed focus. The lens trades off in other ways to get that effect, but for taking pictures at the beach it works pretty well.

My new lens is at the other end of the spectrum. Consider these two pictures I took while sitting a few feet back from my desk (you can click to see them larger):

my mug, focused on the front of the rim

my mug, focused on the back of the rim

Even from a few feet away, the depth of focus is maybe three inches. Those candles are about four inches behind the mug.

Why would anyone want a lens with such a restriction? Holy carp, it can be pretty tricky to get the focus just right when there’s so little room for error. You could seriously get one of your subject’s eyes in perfect focus, but not the other.

But look how the mug is not lost in the clutter of my desk. Those are pictures of my mug, and nothing else gets in the way. I have pictures of rock stacks on rocky backgrounds, and headstones in a cluttered graveyard that could really have benefitted from this technique. When things are similar color or texture as the background, focus can make all the difference.

My sweetie was laughing at me as I drifted around our apartment, which is currently in a state upheaval for our move, taking pictures of this and that. I wanted something sparkly. I found it in the living room, where this teddy bear also lurked.

My first portrait subject with my new 85mm lens.

Why did I want sparklies? It’s a good way to show the bokeh, or the characteristic of the way the lens blurs the image. My new lens is carefully built to provide smooth, circular bokeh. This is a function of the way the aperture control works – the dots are actually projections of the iris mechanism inside the lens. Often they are hexagonal or another geometric, unnatural shape. It’s most obvious for the sparkles, but it affects the rest of the shot more subtly as well.

I’m sure that somewhere in my great heap o’ pictures I have some that demonstrate other bokeh, but I’m not sure where. I could go digging, but tonight is about the new lens.

The new, awesome lens.

In an interesting (to me) turnabout, I just blocked several million Chinese IP addresses from accessing my site, due to a Chinese deluge of spam. Even spam that’s blocked by my filters costs me server performance and bandwidth, so when things get bad I just prevent spam sources from reaching my server at all (thanks, CloutFlare!). Lately that’s been China.

I’m now erecting a wall to keep China out, when once I joked about them keeping me out.