Thursday, February 21, 2013

Fidelity.com – Password Fail...

You'd think a financial institution that managed billions of dollars of its customers' money would pay especially good attention to online security.

You would be wrong, at least in the case of Fidelity.com.

My ex-employer set up Fidelity accounts for employees to handle things like stock options, employee stock purchase plans (ESPP), 401(k) plans, etc.  It's a nice benefit.  But I ran into something there that is a great example of a really bad password implementation.

When you create a password at Fidelity.com, the site will tell you that it must meet these criteria:
  • Use 6 to 12 letters and/or numbers
  • Do not use one entire piece of personally identifiable information such as your Social Security number, telephone number, or date of birth. Instead, alter or disguise it (e.g., Jane212Smith)
  • Do not use more than 5 instances of a single number or letter, or easily recognized sequences (e.g., 12345 or 11111)
  • Do not use symbols, punctuation marks, or spaces (e.g., #,@, /, *, -.)
This is already much weaker than one would expect of such an institution.  The first and last rules are enforced.  The second rule clearly cannot be automatically enforced.  I'm not sure if the third rule is enforced, though it could be.

These rules make it sound as though there are 62 possible characters (a-z, A-Z, and 0-9) for each password character position.  With a 6 to 12 character password allowable, there would be 62^6 + 62^7 + ... 62^12 possible passwords, which works out to about 3.3 x 10^21 (or smaller if the third rule is enforced).  That's a big number, but it could be much larger, if only Fidelity.com would eliminate the last rule.

However, I discovered today that the situation is actually far worse than it looks.  Fidelity.com asks for your password if you call them – they have you enter it via the touch-tone keypad on your phone.  That means, for example, that if your password's first character is "5", "j", "J", "k", "K", "l", or "L", you press the "5" key.  That means that Fidelity.com's passwords are really composed of nothing but the digits 0-9.

I have verified this.  My actual Fidelity.com password is comprised of both letters and numbers.  I converted all the letters to the touch-tone keypad equivalent digit, and entered my password as all numbers – and it worked just fine.

That means that the number of possible passwords is much smaller than even Fidelity.com's inadequate password criteria would suggest: 10^6 + 10^7 + .. + 10^12, which works out to about 1.1 x 10^11.  For the math-challenged amongst my readers, that's over 10 billion times weaker.

Epic fail, Fidelity.com.  Epic fail.  Shame should be upon your countenance...

Whose Side Are You On?

Evan Todd is a survivor of the Columbine massacre, and he objects to Obama's gun control initiatives.  In an open letter to Obama, he asks: “Whose side are you on?” Here's the letter in its entirety:
Mr. President,

As a student who was shot and wounded during the Columbine massacre, I have a few thoughts on the current gun debate. In regards to your gun control initiatives:

Universal Background Checks

First, a universal background check will have many devastating effects. It will arguably have the opposite impact of what you propose. If adopted, criminals will know that they can not pass a background check legally, so they will resort to other avenues. With the conditions being set by this initiative, it will create a large black market for weapons and will support more criminal activity and funnel additional money into the hands of thugs, criminals, and people who will do harm to American citizens.

Second, universal background checks will create a huge bureaucracy that will cost an enormous amount of tax payers dollars and will straddle us with more debt. We cannot afford it now, let alone create another function of government that will have a huge monthly bill attached to it.

Third, is a universal background check system possible without universal gun registration? If so, please define it for us. Universal registration can easily be used for universal confiscation. I am not at all implying that you, sir, would try such a measure, but we do need to think about our actions through the lens of time.

It is not impossible to think that a tyrant, to the likes of Mao, Castro, Che, Hitler, Stalin, Mussolini, and others, could possibly rise to power in America. It could be five, ten, twenty, or one hundred years from now — but future generations have the natural right to protect themselves from tyrannical government just as much as we currently do. It is safe to assume that this liberty that our forefathers secured has been a thorn in the side of would-be tyrants ever since the Second Amendment was adopted.

Ban on Military-Style Assault Weapons

The evidence is very clear pertaining to the inadequacies of the assault weapons ban. It had little to no effect when it was in place from 1994 until 2004. It was during this time that I personally witnessed two fellow students murder twelve of my classmates and one teacher. The assault weapons ban did not deter these two murderers, nor did the other thirty-something laws that they broke.

Gun ownership is at an all time high. And although tragedies like Columbine and Newtown are exploited by ideologues and special-interest lobbying groups, crime is at an all time low. The people have spoken. Gun store shelves have been emptied. Gun shows are breaking attendance records. Gun manufacturers are sold out and back ordered. Shortages on ammo and firearms are countrywide. The American people have spoken and are telling you that our Second Amendment shall not be infringed.

10-Round Limit for Magazines

Virginia Tech was the site of the deadliest school shooting in U.S. history. Seung-Hui Cho used two of the smallest caliber hand guns manufactured and a handful of ten round magazines. There are no substantial facts that prove that limited magazines would make any difference at all.
Second, this is just another law that endangers law-abiding citizens. I’ve heard you ask, “why does someone need 30 bullets to kill a deer?”

Let me ask you this: Why would you prefer criminals to have the ability to out-gun law-abiding citizens? Under this policy, criminals will still have their 30-round magazines, but the average American will not. Whose side are you on?

Lastly, when did they government get into the business of regulating “needs?” This is yet another example of government overreaching and straying from its intended purpose.

Selling to Criminals

Mr. President, these are your words: “And finally, Congress needs to help, rather than hinder, law enforcement as it does its job. We should get tougher on people who buy guns with the express purpose of turning around and selling them to criminals. And we should severely punish anybody who helps them do this.”

Why don’t we start with Eric Holder and thoroughly investigate the Fast and Furious program?

Furthermore, the vast majority of these mass murderers bought their weapons legally and jumped through all the hoops — because they were determined to murder. Adding more hoops and red tape will not stop these types of people. It doesn’t now — so what makes you think it will in the future? Criminals who cannot buy guns legally just resort to the black market.

Criminals and murderers will always find a way.

Critical Examination

Mr. President, in theory, your initiatives and proposals sound warm and fuzzy — but in reality they are far from what we need. Your initiatives seem to punish law-abiding American citizens and enable the murderers, thugs, and other lowlifes who wish to do harm to others.

Let me be clear: These ideas are the worst possible initiatives if you seriously care about saving lives and also upholding your oath of office. There is no dictate, law, or regulation that will stop bad things from happening — and you know that. Yet you continue to push the rhetoric. Why?

You said, “If we can save just one person it is worth it.” Well here are a few ideas that will save more that one individual:

First, forget all of your current initiatives and 23 purposed executive orders. They will do nothing more than impede law-abiding citizens and breach the intent of the Constitution. Each initiative steals freedom, grants more power to an already-overreaching government, and empowers and enables criminals to run amok.

Second, press Congress to repeal the “Gun Free Zone Act.” Don’t allow America’s teachers and students to be endangered one-day more. These parents and teachers have the natural right to defend themselves and not be looked at as criminals. There is no reason teachers must disarm themselves to perform their jobs. There is also no reason a parent or volunteer should be disarmed when they cross the school line.

This is your chance to correct history and restore liberty. This simple act of restoring freedom will deter would-be murderers and for those who try, they will be met with resistance.

Mr. President, do the right thing, restore freedom, and save lives. Show the American people that you stand with them and not with thugs and criminals.

Respectfully,

Severely Concerned Citizen, Evan M. Todd

The End Times Are Nigh, Part 99,232...

In a single story, we get several pieces of evidence:
  • Today's college students apparently need instruction on ... masturbation.
  • Allegheny College (a liberal arts school in Meadville, Pennsylvania) is stepping up to solve the problem.
  • The course is being conducted in the college's chapel.
You just can't make this stuff up...

Corruption, California-Style...

Via CoyoteBlog, this post from SLO Leaks:
Like me, [Steve Blank] is in the high tech industry. Like me, he has started several high tech companies....

After Steve sold his last startup company he applied for a permit to build a house in the California Coastal Zone in 2000. And, just like me, Steve’s land use permit was appealed to the California Coastal Commission. The reason for the appeal was “sensitive habitat” issues. (I don’t have any sensitive habitat issues because my proposed house is in the middle of a field of non-native weeds.)

Unlike me, Steve’s appeal to the Coastal Commission went pretty smoothly. He had his hearing in only 8 months – start to finish. It has taken me a year and a half, after waiting a year and a half for SLO County to issue the permit in the first place. And there were no onerous “Special Conditions” imposed on Steve by either San Mateo County or the Coastal Commission.

Here is the list of “Special Conditions” that the Coastal staff wants to impose on me.

Superficially Steve’s house and my house are similar. I have a main house and a barn on 37 acres, Steve has a main house, two barns, and a farm labor house. But Steve’s house is 15,780 sq. ft., with a swimming pool, and a 2,500 sq. ft. barn, and another 3,040 sq. ft. barn 31 ft. high, and a 1240 sq. ft. farm labor house all on 261 acres. So Steve’s house is around 3 times larger than my proposed house (and much taller). Steve also got to have a fence and there was no requirement for public access. And Steve was able to build his house to look anyway he wanted. No “rural agricultural theme” architecture for Steve, that’s for sure. Steve can also plant in his yard pretty much any damn thing he wants.

Steve is pretty proud of his house. A picture of his house is the banner to his web page, which ishere. You can see the front gate of his house here. And this is an overhead view.

Steve Blank is one of the current California Coastal Commissioners.
This is the sort of thing one expects in a third-world country, or Russia, or Chicago.  Not here.

Internet Jukebox...

Via my mom, this delightful site.  Debbie and I spent a happy hour just listening to the songs we remember from our teenage years, and with some amusement to many of the earlier songs that we'd never heard before...

A Reader's Suggestion...

Larry E. suggests this as a way to celebrate this blog's sixth anniversary:


Now what do you suppose he's trying to tell me?

We Broke the Tomato...

Now they tell us!  Actually, anyone who's tasted a tomato more than thirty years or so ago has long known that tomatoes are “broken” – they used to taste wonderful, now they taste like unflavored polystyrene foam.

But with the scientists' official recognition of the tomato being “broken”, they're going to work on fixing it.

Faster, please.  I would dearly love to be able to buy a tasty tomato in the grocery store!

A Rain of Spiders...

For real, in Brazil.  I know quite a few people who would find this phenomenon...less than pleasant.

Candid Animal Photos...

Recent technological advances have made it entirely practical to put up “trap cameras” – automatic cameras that take pictures when they sense an animal is in range.  These digital cameras can be in very remote areas, and store the photos – sometimes for months – before the scientists collect them.  Scientists have been deluged with far more photographs than they've ever had before, leading to all sorts of research opportunities.  Some of them get turned into animated GIFs, like the one at right.  Here are many more...

Oops, Part 3942...

Seems the scientific consensus isn't quite as previously advertised:
Don’t look now, but maybe a scientific consensus exists concerning global warming after all. Only 36 percent of geoscientists and engineers believe that humans are creating a global warming crisis, according to a survey reported in the peer-reviewed Organization Studies. By contrast, a strong majority of the 1,077 respondents believe that nature is the primary cause of recent global warming and/or that future global warming will not be a very serious problem.
That's from an article in Forbes, which by and large has been credulous about anthropogenic global warming.  Read the whole thing...

Abraham Lincoln...

Lincoln is perhaps our most quotable President, and I thought I had read most of the interesting ones.  But here's a site with a lot of Lincoln quotes I had not seen before, such as this gem:
We all declare for liberty; but in using the same word we do not all mean the same thing. With some the word liberty may mean for each man to do as he pleases with himself, and the product of his labor; while with others, the same word may mean for some men to do as they please with other men, and the product of other men’s labor. Here are two, not only different, but incompatible things, called by the same name – liberty. And it follows that each of the things is, by the respective parties, called by two different and incompatible names – liberty and tyranny.

The Crazy Jeep Dealer...

Our ancient LandCruiser (a '93 with almost 300,000 miles on it) has reached the point where we're afraid to take it on a “serious” four-wheeling expedition.  Our mechanic tells us the engine or transmission could conk out at any moment.  So we're looking around for a new four-wheeling vehicle.

One of the models we decided to look at was the Grand Cherokee Trailhawk, which we'd read some good things about.  Only one dealer in San Diego County had any in stock, a dealer in Poway.  So we went up there to see them. 

The sales guy (a very nice young man named Dwight) really couldn't answer any of my questions about it.  Mainly this was because neither he nor anyone else there knows anything at all about four-wheeling :)  We're not their normal sort of customer.  So I told them, jokingly, that they could answer all my questions if they'd just let me take one of their inventory out four-wheeling on a local road.  I never imagined they'd say “sure” – but they did!

So off we went in a brand-new Trailhawk, with permission to take it off-road.  We went up through Julian (which had about a foot of snow) and down to Banner, then onto the Oriflamme Canyon Road.  We know that road well, and after the rains the day before, it was good and muddy.  We gave that vehicle a very good test :)  When we brought it back to the dealer, it was still all in one piece, but it was no longer clean and shiny :)

We really liked the Trailhawk, and we sat down to talk with the dealer about buying one.  But right away we were stymied.  We insisted on ordering the vehicle configured exactly the way we wanted it – and they insisted on selling us one out of inventory (another dealer's inventory, not theirs).  The one they wanted to sell us wasn't an exact match to what we wanted, so we said “no”, we want to order the right.  Then they told us that the 2013 Trailhawks could no longer be ordered, and that there would be no 2014 Trailhawks.  So we just said “no thanks”, and now we're back to square one on our search.

But we still can scarcely believe that the dealer was crazy enough to let us take their brand-new vehicle out four-wheeling!

That Had to Hurt...

Update: The New York Times reverses itself, in a vindication for Tesla motors.  Kudos to Elon Musk for standing up to the bully!

Original post: John Broder is a New York Times reporter who recently penned a scathing review of a Tesla electric car.  Elon Musk, founder and chairman of Tesla Motors, knew that Broder was lying in his review – because Tesla carefully logged everything Broder did during his test drive.  What Broder actually did, and the results he actually got, don't match the data recorded.  He's lying.

And Elon Musk wants you to know every last detail.

Assuming this is not an elaborate hoax on Tesla's part (and that seems quite unlikely), it's good to see someone stand up to the lamestream media bullies.  I'm unsurprised to discover that the NYT is ok with fabricating a story to make it more sensational – but I suspect a lot of people will be surprised...