
A Terabyte of RAM - Why not?

September 8th, 2008

Filed under: Computers — Kai @ 10:02 am

Just a few thoughts I’d like to share with you.

None of us, unless we’re running supercomputers or one heck of a cluster, is there yet anyway. But as RAM continues to drop in price, I can see the day coming.
Come the day we get a terabyte of RAM in our systems, we’ll find a need for it. After all, recall that great prophet Bill Gates who swore 640K of memory would be all we’d need. Real-time high-definition video editing anyone?

That day, by the way, isn’t as far away as you might think. Violin Scalable Memory will be happy to sell you a terabyte-capable memory device to attach to your server. Granted, it would cost you a few - well, more than a few - hundred thousand dollars. Still, you can see it coming.

But while I can dream up applications that could use a terabyte of RAM, that leaves aside the wee technical problem of how you access that much memory. Daniel Phillips, a Linux developer, has an idea: the ramback virtual device.

In short, Phillips is using several cache coherency concepts to make using huge amounts of RAM as a virtual drive a practical approach to speeding up I/O-intensive workloads. For example, with enough RAM you could run, say, an Oracle database on Oracle or Red Hat Linux at real-time speeds.

Of course, Phillips’ idea isn’t the same as coming up with an API for applications to address multiple gigabytes of RAM, but still, it is a very useful idea. Indeed, with its potential for vastly increasing database interactions, I can see it being a commercial success and driving the demand for huge memory.

This in turn will bring RAM prices down to normal user prices.

So, what will you do with your first laptop with a terabyte of RAM? You don’t need to worry about it yet. Well, not quite yet, anyway.

Conclusions on PWN to OWN contest

March 31st, 2008

Filed under: Computers, Linux, Windows — Kai @ 9:43 am

The PWN to OWN challenge is over and the winners were awarded a good deal of money and the laptop they cracked.

At 12:38pm local time, the team of Charlie Miller, Jake Honoroff, and Mark Daniel from Independent Security Evaluators have successfully compromised the Apple MacBook Air, winning the laptop and $10,000 from TippingPoint’s Zero Day Initiative. According to sources at the conference, Miller used an exploit against the Safari browser that ships standard with Mac OS X.

A security researcher on Friday exploited a critical bug in Adobe’s Flash Player to hack a notebook running Windows Vista Ultimate, the second machine to fall in this year’s “PWN To OWN” challenge.

The only unclaimed laptop by the contest’s end was a Sony Vaio running Ubuntu Linux.

What does this tell us? I think it’s not as easy as it looks…

I’m pretty sure that Vista being cracked and not Ubuntu had something to do with luck; it could also have been the other way round. Since the MacBook Air was cracked through a bug in the Safari browser, we can assume that using a browser with an uncommon update system, like Safari has, is not recommended. When Safari 3.1 is not detected on a user’s machine, the updating software, by default, automatically selects the browser for installation.

The bug in Flash Player, which was accountable for Vista’s downfall, was also present in the Linux version. It kind of depended on chance.

An interesting, but also alarming, development is that operating systems are becoming more and more secure, which will shift the attention of malware coders to the individual software installed on the target’s machine.
It’s alarming because it reduces the advantage Linux or Mac users used to have, because in earlier times most viruses and exploits used bugs in Windows. Not just because Windows has sufficient bugs, but also because of the widespread usage of Microsoft’s OS.

Hopefully, in future, dangerous exploits won’t be a threat to all operating systems just because an affected product is in use on every operating system.

Choosing a Good Password

March 26th, 2008

Filed under: Computers, Security — Kai @ 1:37 pm

Your password is like a key to your account; you need to safeguard it. Anyone who has your password can get into your account and your files. Anyone who can guess your password has it. Anyone who has your password can pose as you.

There are a few basic parameters of a strong password you should take notice of.

Don’t use passwords that match any of the following:

  • Words in any dictionary.
  • Your user name.
  • Your real name.
  • Your spouse’s name.
  • Anyone’s name (crackers don’t necessarily know that your aunt’s middle name is Agnes, but it’s easy enough to get a list of 100,000 names and try each one).
  • Any word in any “cracking dictionary.” There are lists of words that crackers use to try to crack passwords: passwords that a lot of people use. Some of these lists include:

    Abbreviations, Asteroids, Biology, Cartoons, Character Patterns, Machine names, famous names, female names, Bible, male names, Movies, Myths-legends, Number Patterns, Short Phrases, Places, Science Fiction, Shakespeare, Songs, Sports, Surnames

  • Any of the above, with a single character before or after it (“8dinner”, “happy1”).
  • Any of the above, capitalized (“cat” –> “Cat”).
  • Any of the above, reversed (“cat” –> “tac”), doubled (“cat” –> “catcat”) or mirrored (“cat” –> “cattac”).
  • We used to tell people that taking a word and substituting some characters (a 0 (zero) for an o, or a 1 for an l) made a good password. This is no longer the case. New crackers have the capability to crack things like this, in certain situations.
  • Words like “foobar”, “xyzzy” and “qwerty” are still just plain words. They are also popular passwords, and the crack programs look for them. Avoid them.

Basically it’s recommended to have a password that

  • …is at least six characters long. This should be long enough to discourage a brute-force attack.
  • …is a mix of lower- and upper-case characters, numbers, and punctuation marks.
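As an added illustration (not part of the original post), here is a small Python checker that applies the rules above: it matches a candidate against a constructed stand-in for the cracking dictionary, including the single-character, capitalized, reversed, doubled, mirrored and digit-substituted forms, and checks the six-character and character-mix recommendations. The word list, the names and the helper names are assumptions made for this example.

```python
import string

# Constructed stand-in for the "cracking dictionary" lists the post names;
# real lists run to hundreds of thousands of words and names.
CRACK_DICT = {"cat", "dinner", "happy", "agnes", "foobar", "xyzzy", "qwerty"}

# Undo the digit/symbol-for-letter substitutions the post says no longer help.
UNLEET = str.maketrans("013457@$", "oleastas")

def dictionary_forms(pw):
    """Yield every word a cracker's list would be matched against: the
    password itself, minus one leading or trailing character, de-leeted,
    lower-cased, reversed, and the half of a doubled or mirrored word."""
    bases = {pw}
    if len(pw) > 1:
        bases |= {pw[1:], pw[:-1]}            # "8dinner", "happy1"
    bases |= {b.translate(UNLEET) for b in bases}
    for b in bases:
        low = b.lower()                        # "Cat" -> "cat"
        yield low
        yield low[::-1]                        # "tac" -> "cat"
        half, rest = low[: len(low) // 2], low[len(low) // 2 :]
        if half and rest in (half, half[::-1]):  # "catcat", "cattac"
            yield half

def weak_reasons(pw, names=()):
    """Return the rules from the post that pw violates; an empty list passes.
    names: the user name, real name and other names treated as dictionary."""
    reasons = []
    if len(pw) < 6:
        reasons.append("shorter than six characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw))
    if not all(classes):
        reasons.append("not a mix of lower, upper, digits and punctuation")
    banned = CRACK_DICT | {n.lower() for n in names}
    hits = sorted(set(dictionary_forms(pw)) & banned)
    if hits:
        reasons.append("derived from a dictionary word or name: " + ", ".join(hits))
    return reasons
```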

A good trick for remembering a strong password is to use an uncommon phrase and take the first, second or last letter of each word. “You can’t always get what you want” would yield “ycagwyw”.

The best passwords are those which are totally random to anyone except you. It is difficult to tell you how to come up with these, but you should be able to do it.

Generate a random password:

Automatic password generation tools available in Debian are, for example:

  • APG (Automated Password Generator)
  • pwgen generates random, meaningless but pronounceable passwords.
  • Trigraph Password Generator generates pronounceable passwords.

My favorite tool is pwgen. It generates random, meaningless passwords but uses letter and number combinations that can be pronounced and memorized. Simply typing “pwgen” and hitting Enter will shoot back a screen full of passwords to choose from, helping to prevent shoulder-surfing sneaks, but you can easily hone down and customize the results with a few command-line switches.

A strong password is sufficiently long, random, or otherwise producible only by the user who chose it, such that successfully guessing it will require more time than the password cracker is willing to use guessing it. The length of time deemed to be too long will vary with the attacker, the attacker’s resources, the ease with which a password can be tried, and the value of the password to the attacker.

You can test your new password with Password Checker. Password Checker is a non-recording feature on this website that helps determine your password’s strength as you type.

What to do against an attacker trying to crack your password using rainbow tables?

A rainbow table is a pre-computed table that greatly speeds up a search for a password with a given hash value. It is specific to one hash function, and usually restricted to passwords of a certain length and sometimes character set, e.g. alphanumeric passwords of up to 8 characters hashed by MD5.

  • Use passwords longer than those covered by commonly available tables.
  • Use characters not covered by commonly available tables.
  • Use a salt, which gives every installation or password a more or less unique hash function.
  • The salt is important because you often hear about community boards that have been cracked and all user passwords stored in the database are stolen.

    For an example of how to use MD5 hashes with a salt, consider this (in PHP):

    <?php

    // Fixed per-installation salt appended before hashing, so an MD5 table
    // precomputed for unsalted passwords does not match this site.
    function encryptPassword($password) {
       $salt = 's+(_a*';
       // Note: this is a one-way hash, not encryption, despite the name.
       return md5($password.$salt);
    }
    ?>
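To show what the salt buys, here is an added Python example (not the post’s PHP) comparing an unsalted MD5, the fixed per-installation salt from the snippet above, and a random per-user salt; the function names are my own. It keeps MD5 throughout so that only the salt’s effect differs; in practice a deliberately slow password hash would be used in place of plain MD5.

```python
import hashlib
import secrets

# Added example: three ways of storing a password hash, all on MD5 so that
# only the effect of the salt differs between them.

def unsalted(password: str) -> str:
    # Same input gives the same digest on every site: exactly what a
    # precomputed (rainbow) table is built to look up.
    return hashlib.md5(password.encode()).hexdigest()

SITE_SALT = "s+(_a*"   # the fixed per-installation salt from the PHP snippet

def site_salted(password: str) -> str:
    # A generic MD5 table no longer matches this site, but two users with the
    # same password still end up with the same stored hash.
    return hashlib.md5((password + SITE_SALT).encode()).hexdigest()

def user_salted(password: str, salt: str = "") -> str:
    # A fresh random salt per account, stored alongside the digest as
    # "salt$digest": identical passwords no longer share a hash, so a table
    # would have to be rebuilt for every single account.
    salt = salt or secrets.token_hex(8)
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"

def verify_user_salted(password: str, stored: str) -> bool:
    # Re-derive with the stored salt and compare in constant time.
    salt = stored.split("$", 1)[0]
    return secrets.compare_digest(user_salted(password, salt), stored)

def collides(scheme, password: str = "secret") -> bool:
    """True if two accounts choosing the same password get the same stored value."""
    return scheme(password) == scheme(password)
```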

Do not type passwords on computers that you do not control unless you are pretty sure about their security, such as those in Internet cafés, computer labs, shared systems, kiosk systems, conferences, and airport lounges.

Don’t use one and the same password for different purposes. A big mistake is to register in a community with an email address and set the same password for the community login as for the email account. Avoiding this should be self-evident; nevertheless I’m sure many people don’t even think about it.

Last but not least, the first and most important rule, always to keep in mind, is NEVER to give your password to anyone. You can have the strongest password ever, and it is useless if anyone else knows it.

What to do if your password is stolen?

Imagine the undesirable case that someone has stolen your password. After changing it, be sure to monitor all the information you protect with your passwords, such as your monthly financial statements, credit reports, online shopping accounts, and so on.

VMware Converter

January 16th, 2008

Filed under: Computers — Kai @ 10:17 am

Today I found a nice tool published by Sun© that can be used for converting almost everything into a VMware-readable format.
You can simply convert from Microsoft Virtual PC or Microsoft Virtual Server.

In my opinion the best thing about it is that you can create a VMware-readable file (e.g. for VMware Server or Player) out of a backup of a physical computer (as far as I know only Windows is supported).

The VMware Converter is available both as a starter version and as a business solution. The former can be downloaded for free here.

Problems in the year 2038

January 1st, 2008

Filed under: Computers — Kai @ 7:12 pm

When writing a pretty & small countdown script for New Year’s Eve I noticed that we’ll be in trouble on January 19th in the year 2038. While handling Unix timestamps (seconds since 1/1/1970) I figured out that the signed 32-bit integer that is used for time_t is not big enough to hold 2147472000.

Most operating systems for 64-bit architectures already use 64-bit integers for their time_t, but this doesn’t solve the problem at all, because it may happen that a program treats a 64-bit timestamp from the OS as a 32-bit value. The consequence would be that just the lower 32 bits are read. On 1/19/2038 this would cause a jump back into the year 1901. (The lower 32 bits of 1/19/2038, read as a signed value, are -2^31 = December 13th, 1901.)
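An added Python example (not from the original post) that reproduces the truncation described above: a 64-bit Unix timestamp read through a signed 32-bit view, with the resulting dates computed in UTC. The helper names are my own.

```python
from datetime import datetime, timedelta, timezone

# Added example: what a 32-bit reader sees when handed a 64-bit Unix timestamp.

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def as_int32(ts: int) -> int:
    """Keep only the lower 32 bits of ts and interpret them as a signed
    integer, which is what happens when a 64-bit time_t is stored into a
    32-bit variable."""
    low = ts & 0xFFFFFFFF
    return low - (1 << 32) if low & 0x80000000 else low

def to_utc(ts: int) -> datetime:
    # Plain timedelta arithmetic works for negative and far-future values on
    # every platform, unlike datetime.fromtimestamp on some systems.
    return EPOCH + timedelta(seconds=ts)

def to_timestamp(when: datetime) -> int:
    return int((when - EPOCH).total_seconds())

def seen_by_32bit_reader(when: datetime) -> datetime:
    """Date a program using a signed 32-bit time_t shows for the real date."""
    return to_utc(as_int32(to_timestamp(when)))

# The last second a signed 32-bit time_t can represent: 2**31 - 1.
LAST_GOOD = to_utc(2**31 - 1)          # 2038-01-19 03:14:07 UTC

if __name__ == "__main__":
    for real in (to_utc(1199145600), LAST_GOOD, LAST_GOOD + timedelta(seconds=1)):
        print(real.isoformat(), "->", seen_by_32bit_reader(real).isoformat())
```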

The move to 64-bit architectures is already underway and will probably be completed before 2038, but what about embedded 32-bit systems? Will it really be necessary to re-compile some software to make it work with a (signed) 64-bit timestamp?

What about all the databases, e.g. of banks or insurance companies, which are full of timestamps? Lots of questions - I’m excited… :D

Powered by WordPress, Content and Design by Kai Bellmann