NCW

Foreshortened

Close-up views of Nicholas Wilson

About


I am a software programmer working at RealVNC with many interests including singing, and am a Christian. Many of my friends remember me as a Part III mathematician at Peterhouse. Find out more or contact me!

What price of Indian independence? Greenpeace under the spotlight (from Brave New Climate)

I found this a particularly provocative article, with some hefty questions to answer. I’d say this is broadly heading in the right direction.

Back-to-basics attack on Hermes authentication

I have determined that while the UCS is well-behaved and imposes a correct 3s delay on all login attempts (including via the web interface), it does not prevent a client from opening multiple connections. It is possible to check passwords in batches of ten, and get the average delay to under a quarter of a second per password. This extra order of magnitude allows a dictionary attack to be run on the 10,000 most common words in well under an hour. Furthermore, I have done this from a remote server in the USA in the interests of experimentation and found no throttling or shaping in effect. Without having really pushed the limit of what is possible using more careful pipelining, I was able to easily achieve a rate of over 100,000 passwords checked per day. I only ran for a few hours, so hopefully over a longer time someone at the UCS would notice the traffic. This seems to me grossly above what should be considered an acceptable quantity of information to give to a cracker, given that roughly one third of user passwords, according to surveys, satisfy the requirement for a digit by appending “1” to the password.

I recommend that the UCS implement a staggered timeout, as on many other services, so that each login attempt raises the delay, up to a maximum of several minutes. This is sufficient to render remote dictionary attacks useless, although the necessary state might mean a bit of writing. reCAPTCHAs after several failed logins would also work, but aren’t necessarily any easier or better even though they are familiar.

Multiple connections may also be opened to Raven and via SSH to guess Raven and PWF passwords. SSH does not implement incremental increases to delay, and I do not know what the recommended protection there should be. It is harder to open multiple connections, and I haven’t stressed the connection out. It might be that the speed-up isn’t quite enough to make the passwords at risk. [SSH in fact has an option to limit unauthenticated connections which should be set pretty low. It’s at least 2, and I daren’t find out just how high by trial and error, so I’ve left it at that.]
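As an added example (my own illustration, not code from the post or anything the UCS runs): a per-account throttle in Python that implements the staggered timeout recommended above and also caps the number of attempts in flight, which is what closes the batch-of-ten loophole. The 5-minute ceiling, the per-account keying and the simulated hour of wrong guesses on a fake clock are assumptions for the demonstration.

```python
import time
from collections import defaultdict

BASE_DELAY = 3.0    # the fixed per-attempt delay the post says is already imposed
MAX_DELAY = 300.0   # "up to a maximum of several minutes": assumed 5 minutes here
HOUR = 3600.0

class LoginThrottle:
    """Per-account login throttle. With escalate=True each failure doubles the
    wait; with max_inflight set, parallel connections cannot skip the wait."""
    def __init__(self, escalate=True, max_inflight=1, clock=time.monotonic):
        self.escalate, self.max_inflight, self.clock = escalate, max_inflight, clock
        self.failures = defaultdict(int)      # consecutive failures per account
        self.not_before = defaultdict(float)  # earliest time of the next attempt
        self.inflight = defaultdict(int)      # attempts currently being checked

    def begin(self, account):
        """Admit or refuse an attempt; a refusal is answered without a check."""
        if self.max_inflight is not None and self.inflight[account] >= self.max_inflight:
            return False                      # a parallel connection gets no free check
        if self.clock() < self.not_before[account]:
            return False                      # still inside the current wait
        self.inflight[account] += 1
        return True

    def end(self, account, success):
        """Record the outcome of an admitted attempt and schedule the next wait."""
        self.inflight[account] -= 1
        if success:
            self.failures[account] = 0
            return
        delay = BASE_DELAY * 2 ** self.failures[account] if self.escalate else BASE_DELAY
        self.not_before[account] = self.clock() + min(delay, MAX_DELAY)
        self.failures[account] += 1

def guesses_per_hour(throttle, parallel, account="victim"):
    """Constructed workload: `parallel` connections guess one account for an hour,
    every guess wrong, polling every BASE_DELAY seconds on a simulated clock.
    Fixed 3s with unlimited connections admits 12000 guesses; escalation admits 18."""
    clock = [0.0]
    throttle.clock = lambda: clock[0]
    total = 0
    while clock[0] < HOUR:
        admitted = [throttle.begin(account) for _ in range(parallel)]  # all ask at once
        for ok in admitted:                   # every admitted guess is wrong
            if ok:
                throttle.end(account, success=False)
        total += sum(admitted)
        clock[0] += BASE_DELAY
    return total
```

Compare `guesses_per_hour(LoginThrottle(escalate=False, max_inflight=None), 10)` with `guesses_per_hour(LoginThrottle(), 10)` to see the fixed-delay policy against the staggered one.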

I felt slightly guilty while running the script, and hope that this early disclosure is enough to convince the UCS, should they track me down, that I am “white hat”, rather than genuinely trying to get passwords.

Update: I sent an email to the UCS, who reprimanded me but let me off. Think of this as a bit of a hasty mistake and chalk it up to experience. Contrition all round for causing an incident.

Dramatic last set of Nadal–Isner on radio. Great companion to reworking and compressing of talk on “endurance, patience, and joy” for tonight; saw all of those just now.

Just written a half-hour sermon for ten-min preaching class tonight. Oops.

Word association game: Col. 3

I did a PM BT on Col. 3 last Thursday, and we got the same again at yesterday’s MMPM (very different BT, same passage). Here’s a bit of word association for you, by looking for patterns in the verses from which phrases were quoted or used in people’s prayers. The link with Phil. 4 was especially clear to people, coming up several times, and given the Centrals and CGs it was unsurprising that Phil. 1 and 2 were each quoted too, and in fact the connection I made on Thursday to Rom. 12 was also obvious to two other people at the MMPM. I made the single tie-in to John’s writings (taking the last verse of 1 John as a summary of his discipleship theme), and I seem to remember Catherine quoting Hebrews.

Having taken an OT scholar for a wife during their doctoral studies at Harvard, the theologian Billings lives and writes for the marriage of dogmatics and biblical studies. Secular biblical scholars may find this proposal for a Trinitarian-shaped hermeneutic a narrow imposition of theological categories on exegesis. But Billings makes a compelling plea to Christian interpreters to remember who they are as disciples.
Charles Telfer commenting on J. Todd Billings

(Source: tgcreviews.com)

You know you’re pure when…

…you write little dots above your variable letters to remind you that they are in fact metavariables because they vary only in the language of discourse, not the language of the universe of discourse, and furthermore, you find yourself wondering by what accident these metavariables came to be commonly known as variables.

Reverse: a very touching and clever clip

As I lay in the early sun,

Stretched in the grass, I thought upon

My true love, my dear love,

Who has my heart for ever,

Who is my happiness when we meet,

My sorrow when we sever.

She is all fire when I do burn,

Gentle when I moody turn,

Brave when I am sad and heavy

And all laughter when I am merry.

And so I lay and dreamed and dreamed and dreamed,

And so the day wheeled on,

While all the birds with thoughts like mine

Were singing to the sun.

Edward Shanks

You know, UCCF is a bit like West Ham, which is in the sad position of being relegated. They have played a key rôle in training up so many great players like Bobby Moore and Frank Lampard, and you see just like UCCF are now sending them all out, with many more stars sure to move on into the world in months to come. They saw what Rahab saw: that switching allegiance to the side which gave victory was the right move, and went out into the world to proclaim it. … We too can switch our allegiance to Yahweh.
Dave Gobbett, point two and illustration

Two things I hate, three I abhor: my rattling lock; leather shoes on SPD pedals; and my chains fell off, my heart went free.

Superfeedr: Who Implemented PubSubHubbub

I’ve been missing out on this service! Just zipping off a few dozen lines of PHP to roll my own Tumblr app to sync my micro-blog and Faceblog. You’ll like it when it’s done, hopefully very soon before bed-time.

CU Show Choir was AMAZING

They were so energetic! Fugue on Prince Ali from Aladdin! Fugue! Huge amount of fun and very well put together.

1) Copy some CSS and look pretty 2) … 3) Lots of visitors!

I copied some styling over to this site from the other one and made some new links. They look good, and unless you were observant and watching the address bar, you’d hardly know that you were crossing between two isolated sites. That was a worthwhile little break, and makes me thoroughly happy with Tumblr.

The Inter-not-very

I’m sick of the strange piecemeal glue between various webservices. There just aren’t enough good standards, and they aren’t implemented well enough. It seems that everything I do has to be hard work. I could make a living doing beautiful blogs for people, it’s such annoying work. It’s not that I spend a lot of time on it, it’s just that it takes so much more time than it feels like it ought.

There’s no unified content publishing system around; I want all the big services to throw away their proprietary APIs and use AtomPub, OStatus, OpenID, and so on. Just to repost my content around half a dozen sites, I need to use as many services to do the dirty work for me.

Tumblr for example has a beautiful, well-designed API, but it’s unique to them, so Goodreads doesn’t support it (their API is messy and horrible by the way, but I switched to them because LibraryThing is even worse—I never could get my latest books to show up on my homepage consistently; they have disgusting terms of service; and it turns out now that I have to pay). Goodreads, in any case, is a nice provider of data to mash up, but I had to resort to writing my own shim just to cross-post my latest reviews to the tumbleblog nicely. I hate doing that; it’s capitulation, but I always end up writing everything on my sites from scratch because existing systems are too flaky or closed. What a nuisance. One day, we’ll get the web right.