Forgotten Password Link Continued - Paris Hilton

IT Chapters No Comments »

Now my blog will get some traffic - Look at the title of this post!

Anyway, back on the 12th of this month I wrote about the dangers of the "Forgotten Password" link that most sites have.

And what happens? Paris Hilton’s T-Mobile account gets broken into because the standard T-Mobile “Forgotten Password” secret question is “What is your pet’s name?”. And finding out Paris Hilton’s pet’s name is easy: she once offered a $5,000 reward when it went missing.

O’Reilly is mentioning this here. There is even a screenshot of the inbox available here. Well done T-Mobile!

VLog Anyone?

Life in London No Comments »

Lee Wilkins has set up a great hosting service for anyone wanting to start a video log. For $5 a month or $50 a year you get hosting and unlimited bandwidth for your vlog, with (yourname).vlogs.it as your hostname.

Sign me Up!

My Birthday Cake

Life in London No Comments »

I recently turned 23 and Sarah taped us gathered around the cake like campers drawn to Kumbaya and a guitar. Enjoy the video.

XP Reinstall

IT Chapters No Comments »

Did the annual XP reinstall procedure last night on my laptop. How many reboots? I lost count sometime early this morning. It's still not finished. Enough said.

Clicking on the Forgotten Password Link - The Weakest Link

IT Chapters No Comments »

I have been thinking about this problem for a while now and I thought I would write (type?) down my thoughts.

If you have ever registered with a site and forgotten your password, you will know that most, if not all, sites have a “Forgotten Password” link to reset your password. I find this the most insecure way of allowing users back into their account. Most sites ask you for the answer to a question that is easy to remember, for example the infamous “What is your mother’s maiden name?”. How is this in any way secure? How many people know, or can find out, my mother’s maiden name? Or something even simpler, like my first school or my pet’s name? The answer is not a secret: it is public or semi-public information that is easy to research, and it is shared across every site that asks the same question.

Passwords are outdated and are only useful in the simplest of cases. New methods need to be brought into the mainstream as soon as possible. RSA keys, digital certificates, anything is better than standard passwords.

Remember, security is only as strong as the weakest link. Having a 20 character password consisting of numbers, upper and lower case letters and symbols is meaningless if the site will hand the account over to anyone who can answer a simple question, because the reset path becomes the real password and it is a much weaker one.

UPDATE:

It's happened! The forgotten password link was the problem. Read here!

Can I Please Send This?

Link of the Day No Comments »

Following on from my Rejection Letter post, here is a great follow-up. Clicky

Shorewall and MRTG

IT Chapters 2 Comments »

I use Shorewall for protecting my company’s network and to control traffic. It is the greatest firewall to use and really simple to configure and maintain.

One of its great functions is the Accounting feature. With Accounting you can create rules to count certain traffic. Fully customizable, it allows any type of rule to count traffic. Now this is great but combined with a graphing tool it becomes indispensable. Using MRTG as the graphing tool enables you to quickly and easily see what is happening on your firewall. A script to integrate MRTG and shorewall is available here.

However, the script does not take into account rules that see only small amounts of traffic, such as NTP or SSH. Any counter under 1 KB (a bare number with no K suffix) is treated as if it were already in KB and multiplied by 1024, so a trickle of NTP traffic graphs as a flood. I fixed the script to handle these rules and the end result is available for download. I have not been able to contact the developer of the original script, so until I do the original will continue to have the bug.
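The fixed script is only available from the download above, so here is an added example (not the original script or its fix) of the parsing the post describes. It reads the abbreviated counters that `iptables -L <chain> -v -n` prints (bare bytes, or `K`/`M`/`G`/`T`), scales only when a suffix is present, and models the original flaw beside it. The 1024 multiplier follows the post; the two sample snapshots of an NTP rule and an SSH rule are constructed, with column layout as iptables prints it.

```python
import re

COUNTER_RE = re.compile(r"^(\d+)([KMGT]?)$")
SUFFIX_POWER = {"": 0, "K": 1, "M": 2, "G": 3, "T": 4}


def parse_counter(text: str, unit: int = 1024) -> int:
    """Convert an abbreviated counter ('512', '12K', '3M') to bytes.
    A bare number has no suffix and is returned unscaled."""
    m = COUNTER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised counter: {text!r}")
    value, suffix = int(m.group(1)), m.group(2)
    return value * unit ** SUFFIX_POWER[suffix]


def buggy_parse_counter(text: str, unit: int = 1024) -> int:
    """Model of the flaw the post describes (not the original script):
    a bare number is assumed to be kilobytes and scaled anyway."""
    m = COUNTER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised counter: {text!r}")
    value, suffix = int(m.group(1)), m.group(2) or "K"
    return value * unit ** SUFFIX_POWER[suffix]


def rule_bytes(iptables_line: str) -> int:
    """Byte counter from one `iptables -L <chain> -v -n` rule line
    (columns: pkts bytes target prot opt in out source destination ...)."""
    fields = iptables_line.split()
    return parse_counter(fields[1])


def rate(prev_bytes: int, cur_bytes: int, interval_s: float):
    """Bytes per second between two samples; None if the chain's counters
    were zeroed in between (e.g. a firewall restart), which MRTG must skip."""
    delta = cur_bytes - prev_bytes
    return None if delta < 0 else delta / interval_s


# Constructed snapshots of an accounting chain taken five minutes apart.
SAMPLE_T0 = [
    "  120   960  ACCEPT  udp  --  *  *  0.0.0.0/0  0.0.0.0/0  udp dpt:123",
    " 3400  410K  ACCEPT  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:22",
]
SAMPLE_T1 = [
    "  125  1000  ACCEPT  udp  --  *  *  0.0.0.0/0  0.0.0.0/0  udp dpt:123",
    " 3610  431K  ACCEPT  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:22",
]


def sample_rates(interval_s: float = 300.0):
    """Per-rule rates (NTP, SSH) over the constructed interval."""
    return [rate(rule_bytes(a), rule_bytes(b), interval_s)
            for a, b in zip(SAMPLE_T0, SAMPLE_T1)]


if __name__ == "__main__":
    print("960 bytes parsed correctly:", parse_counter("960"))
    print("960 bytes under the old bug:", buggy_parse_counter("960"))
    print("rates (bytes/s):", sample_rates())
```

Abbreviated counters are rounded by iptables before your script ever sees them, so if you control the collection command prefer `iptables -L <chain> -v -n -x`, which prints exact byte counts and removes the suffix problem altogether.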