handslive: (aikido)
Like many others on the shreds of my friends list (it's been dwindling steadily for some time), I will be moving to Dreamwidth.  Same handle, same basic lack of activity.   But I'll be over there.
handslive: (coding)
Today's work related reading and assessment included starting some compare and contrast review of NIST's Guidelines for Media Sanitization and the Canadian Communication Security Establishment's document on Clearing and Declassifying Electronic Storage Devices.  I've only just got started on this, but one key point seems to be that NIST is satisfied with a single overwrite with any value (0s, 1s, random patterns, whatever) and CSE wants an overwrite with some value (e.g., 0), an overwrite with its inverse (e.g., 1), and then an overwrite with a preset value (e.g. 0xDEAD 0xBEEF) for verification purposes.  A three pass overwrite more or less conforms to most guidance you'll find online although they don't usually do exactly what CSE is asking for there.  Recovering anything from a drive that's had a full overwrite of all writeable sectors usually requires special equipment  (from specialized software and hardware all the way up to electron microscopes in a lab).  NIST feels you should just plan on destroying the drive if electron microscopes are something that'll be used against you.  So does CSE, but they think you should do a 3 pass overwrite first before shoving the drive into an industrial shredder (which, btw, needs to break the drive down into parts no bigger than 10mm2 if it's had top secret data on it at some point -- a bit more than half the size of a dime) and then mix the pieces with pieces of drives that weren't as sensitive.  No question, this is your super villain scenario right here, except the US and the UK are potential super villains.
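The CSE-style sequence described above (zeros, the inverse, then a preset pattern that is read back to verify), as an added example that is not from the post or from either guideline; it runs against a scratch file with constructed contents, and the 0xDEADBEEF preset is just the post's illustrative value.

```python
import os
import tempfile

# Added example: the three-pass overwrite with read-back verification.
# On real media the passes would be issued against the block device; on
# flash or SSD with wear levelling an overwrite does not reach every cell,
# which is one reason both guidelines fall back to destruction at the top
# sensitivity level.

ZERO = 0x00
ONES = 0xFF                      # bitwise inverse of the first pass
PRESET = b"\xDE\xAD\xBE\xEF"     # known pattern left in place for verification
CHUNK = 1 << 20                  # 1 MiB write/read size (a multiple of 4)


def _overwrite_pass(fh, size, pattern):
    """Write `pattern` repeatedly until `size` bytes are covered, then fsync."""
    fh.seek(0)
    block = pattern * (CHUNK // len(pattern))
    remaining = size
    while remaining > 0:
        n = min(remaining, len(block))
        fh.write(block[:n])
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())


def verify_pattern(fh, size, pattern):
    """Read the whole file back; True only if every byte matches `pattern`."""
    fh.seek(0)
    expected = pattern * (CHUNK // len(pattern))
    offset = 0
    while offset < size:
        data = fh.read(CHUNK)
        if not data or data != expected[:len(data)]:
            return False
        offset += len(data)
    return offset == size


def sanitize_three_pass(path, preset=PRESET):
    """Zeros, then the inverse, then the preset; returns the verification result."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        _overwrite_pass(fh, size, bytes([ZERO]))
        _overwrite_pass(fh, size, bytes([ONES]))
        _overwrite_pass(fh, size, preset)
        return verify_pattern(fh, size, preset)


def demo():
    """Constructed sample: a scratch file of made-up sensitive text.

    Returns (verified, first 8 bytes after sanitizing, verified after tampering)
    so the negative branch of the verification is exercised too."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"constructed secret data " * 1000)   # 24,000 bytes
    try:
        ok = sanitize_three_pass(path)
        with open(path, "r+b") as fh:
            head = fh.read(8)
            fh.seek(12345)
            fh.write(b"\x00")                          # simulate a sector that did not take
            size = os.path.getsize(path)
            tampered_ok = verify_pattern(fh, size, PRESET)
        return ok, head, tampered_ok
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```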
handslive: (aikido)
Anyone who knows me may not be surprised to hear that I wear my heart on my sleeve.

While [livejournal.com profile] purplejavatroll has been working some extra time, I've been spending far too much time watching silly auditions on YouTube.  I think The Voice, * Has Talent, X Factor or whatever is actually lowering my IQ.  But I do like listening to people sing, so I guess.
handslive: (coding)
From Storm by Michael Longley. I googled until I found a line I liked.

I spent a fair bit of my morning looking at a threat-risk assessment one my co-workers wrote using a new template one of our new team members is developing. Or, really, I read through it quickly and then critiqued the template. I reached out to the guy working on the template and we had a really good conversation. I got a compliment on the feedback I provided, but it's entirely possible that I'm the first person to provide focused, technical feedback on the structure and purpose of the document. We've had so many new people added to the team recently, I'm feeling a bit lost sometimes.

And I learned today that our brand new director (in the job less than a year) is leaving the company before the end of the month. That makes three directors we've lost in less than a year. It's an unsettled time. I'll have worked for this director for nearly a year with no feedback on my performance. Well, until I get his written remarks as part of my formal evaluation after he's gone.

They've decided to stop searching for a replacement manager for my area. We're going to be merged with another group (under the same area) and one of those folks will be made manager officially. Not sure how he'll do as manager. I've dealt with him as a peer, but not as my superior. I think I pay a little too much attention to that, but why change now?

This current wind may blow for another 2 months at least, and I wonder what things will be like then.
handslive: (writing)
Someone thanked me today for giving him a forum where "I can just bitch.  I feel so much better.  I know you probably feel like shit, but I feel better.  So, thank you."  I think his tongue was firmly in his cheek.  He knew I didn't feel like shit, for example.  This was somewhat later in a meeting where I'd felt obliged to remind someone that I was not acting manager of the team.

And I'm not.  I'm a single point of contact from the director maybe, but I'm not "managing".   Very fiddly point, really.  You might say I'm pseudovising.

And that kinda feels like my day.  I swear I did other work.  But mostly pseudovising and a little tiny bit of fixing a mistake I made 2 years ago that has only just come to light.  (It's about firewall rules, but I don't think I should get into that.)

Tonight's activities:  whisky tasting
handslive: (aikido)
I keep meaning to write something and post it.  Well, here I am with about 20 minutes before I leave to go to aikido, hurrying to just post something.  Anything.

I'm failing to understand processes at work, lately.  Today, I had someone cold call me because she saw my name in a RACI matrix related to a new project.  On that basis, she believed I knew about the project, but it turns out I only knew who had put my name there, not about the project.  It was a good match for my skills and interests at work, so fair enough.  Normally, someone asks me before assigning me something.  This is the second time, though.

In December, I was told I was preparing a "security framework" (no, I don't know what they meant by that exactly either, but I'm better prepared to guess than you are) for a project here before the end of January.  I met with several panicked groups of people who all claimed to be waiting for this framework, all of whom had different notions about what such a divine scripture could deliver to them.  Well, one of those groups has come forward now to let me know they've changed their minds.  They have an as-is process for onboarding new staff to their application and, while they can see a need for the framework down the road, they don't need it for some time.  The other groups are not forthcoming about their scope for this "framework", but I'm hopeful that their dates aren't as aggressive.

I think the most interesting thing about that was the number of people I encountered who believed I was already working on a document for them, even though we'd never spoken to each other before.  Expressing abject ignorance during the round table introductions at a meeting is not conducive to real discussion, I've discovered.

I was told last year that there was a critical requirement for us to update the standards and guidelines my department publishes.  I agreed and produced a proposed approach with short, medium, and long term objectives, which I shared with my manager around April or May, I think.  That manager left during a re-org and I sent the exact same proposal to the chair of a task force looking into process improvements.  He left for a different part of the company and I sent it to one of the managers under my director, who was expressing interest in the status of the task force's work.  I don't know what she did with it, but with 3 weeks to go in December she started issuing demands that the whole catalogue of material be reviewed and updated before the 31st, which was flat out impossible (and I was taking the last 2 weeks off).  Also, not on my list of short, medium, or long term objectives.  I made small changes to a handful of things.  Apparently, so did some others since she happily reported last week that over 80% of the material had been updated.  I suppose that felt like success, in some measure.

The new year feels like an open space or maybe a blank sheet of paper.  Possibility, challenge, and some disappointment that this is all I brought with me from last year.  (It isn't all I brought with me, but the disappointment is there just the same.)

Canon

Dec. 14th, 2015 06:00 pm
handslive: (rash)
I have been watching season 3 of Hannibal on Netflix. I have to say I love the writing, the acting, and the cinematography, which has been simply stunning for what's really just TV. But I've developed a weird theory while watching this.

What would happen if you set out to produce a TV series that attempted to follow set canon for the story of Hannibal Lecter (up to a point) for the express purpose of making the ending of Thomas Harris' book Hannibal understandable? What would that story look like?

I've gone and read the Wikipedia page on the TV show. I follow the other two pieces of logic pretty well:  "What would David Lynch do?" and "the love story of Will Graham and Hannibal Lecter". But that other idea is compelling to me just now.  I'm 13 episodes in.
handslive: (writing)
I told [livejournal.com profile] buhrger that I needed a reason to post to help break the inertia, and it's taken me a week to even start drafting a response. So, that's working.

<memetext>If you comment "Meme Me" and weren't the person who memed me, I will pick six of your userpics that you can then write about, thus maintaining meme balance in the LJ-verse. Feel free to propagate or not, ask people to ask you for six userpics, as you like.</memetext>

All userpics are pictures of my "own" hands. I use "own" because one of my userpics is actually a picture of a game avatar's hands, but since that wasn't one of the six asked for, we won't talk about it. :-)

[aikido] This pic is carefully cropped from a picture taken during an aikido-l seminar. That mailing list is stale if not actually defunct now. I usually use it for anything martial arts related, especially aikido.

[writing] This pic is me typing (randomly). I usually use this for topics where I'm either engaged in "blogging" rather than "journaling" or where I'm talking about writing, usually fiction or poetry or some other dull topic or (particularly egregious) posting samples of said materials. Not doing nearly enough of this outside of work these days and I don't like to talk about what I'm writing at work. Sorry.

[coding] This pic is also me typing, but in front of an IDE (Integrated Development Environment) and a Unix terminal window. I used to use this for posting about writing code, application development thoughts, and occasionally work items that touched on this area. I haven't done any real code development in about 10 years, so this userpic is very stale now.

[hiking] This pic is me reaching for my backpack (while wearing bicycling gloves). I do still go hiking (not as regularly, but still), so it may not be as out of date as [coding]. :-)

[playing2] This pic is me playing the piano. I usually use this one for any music related posting, especially as it relates to performance. I haven't posted much lately, much less much about playing, but this could conceivably be used sooner than [writing] would be. So much for creative outlets.

[rash] I think this pic was used specifically for the magnificently dramatic fall off of my bike in 2007 where I actually knocked myself out for a second and had a mild concussion. In practice, I'd use this one for any injury (especially foolish injury) related posting. Might mean I should have posted things that would use it, but haven't.

Could there be more pictures of my hands doing things than this? Maybe a smartphone hand or a driving hand or bicycling hand? Yeah, maybe. Something to think about anyway.
handslive: (writing)
Obtained from Mr. Ellis who pointed to this page.  I have no idea on what basis the average is six, so I'd ignore that were I you.   Possibly that would only be a sign that a person was not yet 30 or something.  And, hmm, I guess ignore some of the repetition (Chronicles of Narnia contains The Lion, the Witch, and the Wardrobe).  I suppose one could also imagine that the blank line in the middle is significant in some way...

Three books on this list are not crossed out because I started but did not finish them:  The Bible, A Tale of Two Cities, and Ulysses.

Cross out what you’ve already read. Six is the average.

Pride and Prejudice - Jane Austen
Lord of the Rings - JRR Tolkien
Jane Eyre - Charlotte Bronte
Harry Potter series - JK Rowling
To Kill a Mockingbird - Harper Lee
The Bible - Council of Nicea
Wuthering Heights - Emily Bronte
Nineteen Eighty Four - George Orwell
His Dark Materials - Philip Pullman
Great Expectations - Charles Dickens
Little Women - Louisa M Alcott
Tess of the D’Urbervilles - Thomas Hardy
Catch 22 - Joseph Heller
Rebecca - Daphne Du Maurier
The Hobbit - JRR Tolkien
Birdsong - Sebastian Faulk
Catcher in the Rye - JD Salinger
The Time Traveller’s Wife - Audrey Niffenegger
Middlemarch - George Eliot
Gone With The Wind - Margaret Mitchell
The Great Gatsby - F Scott Fitzgerald
Bleak House - Charles Dickens
War and Peace - Leo Tolstoy
The Hitch Hiker’s Guide to the Galaxy - Douglas Adams
Brideshead Revisited - Evelyn Waugh
Crime and Punishment - Fyodor Dostoyevsky
Grapes of Wrath - John Steinbeck
Alice in Wonderland - Lewis Carroll
The Wind in the Willows - Kenneth Grahame
Anna Karenina - Leo Tolstoy
David Copperfield - Charles Dickens
Chronicles of Narnia - CS Lewis
Emma - Jane Austen
Persuasion - Jane Austen
The Lion, The Witch and The Wardrobe - CS Lewis
The Kite Runner - Khaled Hosseini
Captain Corelli’s Mandolin - Louis De Bernieres
Memoirs of a Geisha - Arthur Golden
Winnie the Pooh - AA Milne
Animal Farm - George Orwell
The Da Vinci Code - Dan Brown
One Hundred Years of Solitude - Gabriel Garcia Marquez
A Prayer for Owen Meaney - John Irving
The Woman in White - Wilkie Collins
Anne of Green Gables - LM Montgomery
Far From The Madding Crowd - Thomas Hardy
The Handmaid’s Tale - Margaret Atwood
Lord of the Flies - William Golding
Atonement - Ian McEwan
Life of Pi - Yann Martel
Dune - Frank Herbert
Cold Comfort Farm - Stella Gibbons
Sense and Sensibility - Jane Austen
A Suitable Boy - Vikram Seth
The Shadow of the Wind - Carlos Ruiz Zafon
A Tale Of Two Cities - Charles Dickens
Brave New World - Aldous Huxley
The Curious Incident of the Dog in the Night-time - Mark Haddon
Love In The Time Of Cholera - Gabriel Garcia Marquez
Of Mice and Men - John Steinbeck
Lolita - Vladimir Nabokov
The Secret History - Donna Tartt
The Lovely Bones - Alice Sebold
Count of Monte Cristo - Alexandre Dumas
On The Road - Jack Kerouac
Jude the Obscure - Thomas Hardy
Bridget Jones’s Diary - Helen Fielding
Midnight’s Children - Salman Rushdie
Moby Dick - Herman Melville
Oliver Twist - Charles Dickens
Dracula - Bram Stoker
The Secret Garden - Frances Hodgson Burnett
Notes From A Small Island - Bill Bryson
Ulysses - James Joyce
The Bell Jar - Sylvia Plath
Swallows and Amazons - Arthur Ransome
Germinal - Emile Zola
Vanity Fair - William Makepeace Thackeray
Possession - AS Byatt
A Christmas Carol - Charles Dickens
Cloud Atlas - David Mitchell
The Color Purple - Alice Walker
The Remains of the Day - Kazuo Ishiguro
Madame Bovary - Gustave Flaubert
A Fine Balance - Rohinton Mistry
Charlotte’s Web - EB White
The Five People You Meet In Heaven - Mitch Albom
Adventures of Sherlock Holmes - Sir Arthur Conan Doyle
The Faraway Tree Collection - Enid Blyton
Heart of Darkness - Joseph Conrad
The Little Prince - Antoine De Saint-Exupery
The Wasp Factory - Iain Banks
Watership Down - Richard Adams
A Confederacy of Dunces - John Kennedy Toole
A Town Like Alice - Nevil Shute
The Three Musketeers - Alexandre Dumas
Hamlet - William Shakespeare
Charlie and the Chocolate Factory - Roald Dahl
Frankenstein - Mary Shelley
The Canterbury Tales - Geoffrey Chaucer
Paradise Lost - John Milton
The Adventures of Huckleberry Finn - Mark Twain
White Fang - Jack London
The Portrait of Dorian Gray - Oscar Wilde
Queen of the Damned - Anne Rice
Strange Case of Dr. Jekyll and Mr. Hyde - Robert Louis Stevenson
The Call of the Wild - Jack London
The Importance of Being Earnest - Oscar Wilde

The Wonderful Wizard of Oz — L. Frank Baum
Don Quixote — Miguel De Cervantes
Where the Wild Things Are — Maurice Sendak
The Cat in the Hat — Dr Seuss
The Giver — Lois Lowry
Inkheart — Cornelia Funke
Divine Comedy — Dante Alighieri
Macbeth — William Shakespeare
Romeo and Juliet — William Shakespeare
The Child Called ‘It’ — Dave Pelzer
The Hunger Games — Suzanne Collins
The Diary of a Young Girl — Anne Frank
Night — Elie Wiesel
Les Misérables — Victor Hugo
The Odyssey — Homer
The Scarlet Letter — Nathaniel Hawthorne
The Brothers Karamasov — Fyodor Dostoyevsky
Eragon — Christopher Paolini

handslive: (writing)

From London, we went to Bath and stayed there in a lovely B&B.  Reasonable walking distance from downtown Bath, lovely rooms, nice people running it.  [livejournal.com profile] purplejavatroll and I wandered around a bit our first night there.  We came to Bath on our first trip to the UK, I think, so it'd been quite a while.  We spent more time in Bath on this trip, too.  I took probably 45 photos, and the 10 I've put in the set are all that are worth keeping.  Bath served as our base of operations for visiting various places around the Cotswolds.

I was impressed with the Roman Baths museum.  When we went the first time, several sections that are now open were mostly still being dug up and researched.  They had some walkways set up for the tourists to keep us away from the actual work.  Now, it's amazing inside and there was a lot of really great info.

Also, the water in the Roman Baths?  I've had worse pump water in rural Alberta, but it was still pretty horrid stuff.

handslive: (writing)


I got back from vacation almost two weeks ago, and here I am only now getting around to posting photos and writing something up. In my defense, I got back and we had an aikido seminar the next weekend. And I've also got around 2,000 pictures to go through (I'm about half way, I think -- there's a lot of junk).

The World Con was fun. I still feel like an outsider, but then, it was only my second one. I'm a panel junkie, but I bet part of that is coming to each panel ready to discuss or hear discussion. They're new to me, not a continuation from somewhere else, so it doesn't feel like a repetition.  [livejournal.com profile] purplecthulhu and [livejournal.com profile] purpletigron introduced [livejournal.com profile] purplejavatroll and me around some places.  I certainly never lacked for people to talk to or things to do.  The two panels I sat on were enjoyable, so that was an interesting new experience, too.  Not too different from work, except with an audience actually.

[livejournal.com profile] purplejavatroll's mom stayed in London during the con, too, but spent her time going on tours, nearly getting lost, and I think generally enjoying herself.

I've got some photos up on Flickr from in and around Bath, but I'll post something about that when I've got more material from the places we went to see posted.

One of my co-workers mentioned Blurb when I was talking to him about how many pictures I took.  I've made a photo book there using photos from our Berg Lake trip last year.  If it looks ok, I think I'll do something similar with some of these vacation shots and print copies for a few family members.
handslive: (writing)
I posted in January of last year after an almost 2 year hiatus of not really posting anything at all.  I sort of thought I'd have things to say or try to say things whether I had them or not.  That didn't work out.  In fact, I posted a grand total of 3 times.  In my head, I've worked on two or three posts I might put up in the new year and, even as I type this, I don't know which one you'll get here.  Maybe all of them.  Well, let's suppose I gave you teasers and gave myself a chance to see what I might do.

Post number one was going to be a self-indulgent narrative of what I was doing for 2 years (or 3 years, or actually potentially 4 years) that meant I wasn't posting anything here other than the occasional house post while we were building.  I'm worried about the self-indulgent part of it.  In my head it consistently comes out more cynical and just generally down about work than I think is really the case.  And it would be about work.

Post number two was going to be about a short fanfic bit I've been working on for longer than I care to think about in the Shadow Unit universe.  It might even include excerpts.  I have possibly around half or two-thirds of it drafted.  It's at a point where some technical specifics for the next portion need to be researched, and I need to redraft some internal narration to crank the level of disturbed up.  Or it might be about music.  Yeah, that makes sense, right?  Well, truthfully, this was going to be a "creative" post to help me focus on actually finishing something, anything really.  I might tear apart an old piece of poetry, too, and highlight all the places I don't really like but have previously been too lazy to do anything about.

Post number three was going to be about a story idea I had over the weekend.  Whenever I flip on the tv, now that I have cable again, if there's a show that involves federal agencies like the FBI or CIA or DHS, then everyone's very serious and, if you take out the plot elements, there's a lot of dystopian action involving government agents violating laws, privacy, and procedure without any consequences.  All very serious shows, with some waffling about whether these are good things or bad things, but almost never any consequences for the technical steps that advance the action.  This clearly calls for a British or Russian style comedy about a group of co-workers at NSA who bumble through bureaucratic crises while dealing with clueless officials (of varying stripes of good and bad and paranoid), inter-departmental, knife-edged politics, and absurdity.

"We can all plague and punish one another. Teaze him -- laugh at him." -- Elizabeth Bennet, Pride and Prejudice by Jane Austen.

Happy new year.
handslive: (hiking)
[Photo set thumbnails: Marmot, Kinney Lake, Berg Lake Trail, Water fall, White Falls, Robson River, Valley of a Thousand Falls, Top of White Falls, Falls of the Pool, Emperor Falls, Mist Glacier]

Berg Lake Trail 2013, a set on Flickr.

I'm late posting this here, given that I posted it to FB shortly after I got the pictures up.

It's been about 7 years since we did any backpacking. That's about the time I fell off my bike on the way to work and messed up my shoulder for a while. And life in general interfered with getting back out on the trail.

I'm pretty pleased that, although we took it easier (2 days to get into Berg instead of trying to do it in 1), we were still able to get out there. Of the three times we've gone into Snowbird Pass now, this was easily the best I've felt coming back from that hike. Hurrah for reasonable fitness and better boots.

I took about 430 pictures all told, which is a real testament to cheap storage. This photo set is 160 of what I felt were probably the best of those. Enjoy!

handslive: (aikido)
Yeah, like I ever post here, or, in fact, anywhere.  Hi.

I joked to my former boss today that sometime last year the top of my head came off and now the weather gets in.  In response, I suppose I should say, to a question of how I was doing.  I worked for him for a few years, and was walking around looking a tad poleaxed today, so there was no point lying about it.  He was also mostly responsible for laying down a half-day meeting in the middle of my week with three days notice making me quadruple booked in at least one spot and prompting cries of "where are you?!" in my IM window a couple of times.  I had spent my morning shovelling coal like mad to make my day productive and was staring down the prospect of missing lunch.  I mean, oh sure, the meeting invite had said lunch would be provided, but since he'd gone downstairs to buy a sandwich and the woman joining us was eating a salad of her own devising, I couldn't help feeling left out.  (Yes, I went downstairs and bought lunch.  I'm not a complete idiot.  My status bar only reads 90% or something.)

Today prompted me to think that meeting invites at work have inertia, which you can calculate by assigning a mass to the participants.  Higher mass based on status or number of participants means the meeting will be harder to move.  It's not a perfect metaphor, but it was working for me since one of the "where are you?!" folks seemed to think I should move things to accommodate him.  Not a VP?  Aw, too bad.  Your meeting has 8 participants?  Gee, mine has 19.  There are additional factors in play, but I don't know how to solve for them.  Like that one guy with almost no open spots or availability.  He's not a VP and he's only one of the 19, but this 30 minute slot is the only opening he has for the next 6 weeks and goddamn but you will not succeed if he doesn't make that 30 minute slot.  He now has an equivalent mass to a CEO.  Or someone with a C in their title anyway.

So, yeah.  Hi.

Do you know, I sometimes forget a little that I'm left handed?  I'm not as left handed as my sisters, which is to say they're left handed like many of you are right handed.  If I handed you a tool and told you to use it in your left hand, you'd be basically brainlocked and ready to give up.  Don't lie.  I've seen you.  I'm not that left handed.  I do a lot of things right handed because a lot of things are set up in this world to be done right handed.  Because you just don't think about it, do you?  Why would you?  But every now and then.  There are small screws inside my computer case that I am basically incapable of removing or putting back in with my right hand.  I'll drop them, cross thread them, ricochet them around the enclosed space.  No issue if I'm using my left hand, though.  I bumped into another example on the weekend.  I was cutting up pills for my cat (she can't hold her metoclopramide or her cyproheptadine, so I have to cut them up into quarters -- what, she's like 5 pounds).   I have a little pill cutter and it's great for cutting things in half.  Cutting a 5mg dose into 4 is trickier.  Or maybe it's just my OCD insisting that I get them roughly even in size.  Anyway, this is a teethgrindingly awful task if I'm placing the half pills in the cutter with my right hand.  It's only frustrating if I'm doing it with my left.  I've probably cut 100+ pills into quarters and I only realized I was using the wrong hand on the most recent bottle of 20.  I blame scissors.  And a fair number of building doors.  And hockey sticks.  And baseball bats.  And my desk in school.  Er, hmm.

Well.  What was that, then.
handslive: (Default)
There are a few things outstanding, naturally. But it's in our grubby little hands now along with the associated debt. Next up: moving, I suppose.

Won't keep me from giving a huge sigh of relief.

Posted via Journaler.
handslive: (Default)
Someone at work pointed to this yesterday (and I see Slashdot has a post).  If I point back here to my earlier post (TL;DR -- PIN selection is important if you're worried about the cops copying all your emails off your iPhone), one of the things I said was that for most people the 4 digit PIN would be fine, especially if you're backing up regularly and you've set the data wipe option (kicks in after 10 failures).  Well, make sure it isn't one of the 10 most popular PINs from that first link there: 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212, or 1998.
handslive: (Default)
Funky.  It looks like my choice of LJ style has gone bye-bye or at least been seriously de-tuned.  Well, something new to spend time and energy on later.
handslive: (Default)
Fireplace with hearth, a photo by HandsLive on Flickr.

I've uploaded a very small number of photos this time, but truthfully we're nearly there. We have a meeting on Monday to review final touches and discuss delivery. We should be moved in before the end of June, somewhat anyway.

handslive: (Default)
I've been following this at work a bit and Bruce Schneier recently linked to it on his blog.  This post is mostly my own notes about how the passcode on my phone protects some of my data and how well it does that.  But I've tried to write it up so it's reasonably consumable.

ElcomSoft has a suite of tools for performing forensic analysis on devices running iOS 4 and they've recently revealed some improvements, especially in the area of key recovery. Some encrypted files on the device, like email messages, require that they have the user's passcode. ElcomSoft has some technical details on how the encryption works, but a brief overview is probably helpful here.

The iOS device has some encryption keys stored internally that are not written off the device, even for syncing or backups. There are keys derived from the unique device key embedded in the hardware. There is a key derived from the user's passcode and the unique device key. There are escrow keys derived from escrow pairing records and the unique device key. These are used for device syncing with trusted computers so that the user's passcode isn't needed every time files are accessed via iTunes. Finally, there are erasable keys kept in common storage. These are part of the keychain that stores application secrets like account details, usernames, and passwords. Developers can control whether these are stored with backups or only kept on the device when developing their apps.

Using the escrow keys and the unique device keys, it's possible to obtain access to some files without knowing the passcode. However, full access still requires the passcode in order to decrypt everything.

Their approach allows brute-forcing the passcode, but they access this via some direct interface, bypassing the API that would trigger a device wipe. This also means the delays inserted by the front panel don't apply and the only limitation is the speed of the device. They claim to be able to break a 4 digit passcode in 40 minutes maximum, 20 minutes on average. That's 250 tries a minute. Just over 4 tries a second. Some anecdotal evidence from users of the passcode breaking tool suggests that, at least for non-law enforcement versions of the product, they will stop processing after some period of time, but this is obviously a configurable setting in the code if nowhere else. For the rest of this discussion, I'll assume they can keep guessing as long as their software, the device, and the universe itself keep functioning.

If you stick to a 4 character code, but make it lower case alphanumeric (36 characters), then there are 1,679,616 possibilities. Maximum time to crack this is 6,718 minutes (or just over 4.5 days). The average time to crack would be just over 2 days.

If you choose a 4 character code, lower case alphanumeric with symbols (no mixed case due to usability), then complexity is based on which punctuation this adds to the set. On the iPhone, this is -/:;()$&@".,?!' if you don't go to the next screen of keys. That's 15 additional symbols, not the full 32 you'd get with a US keyboard. This is a total of 51 possible characters or a keyspace of 6,765,201. Maximum time to crack this is 27,060 minutes (or almost 19 days, less than 3 weeks). That means over a week on average. A nice increase over 2 days, but not enough to feel comfortable with.

Let's suppose you're completely paranoid. The iPhone supports 35 punctuation marks (or mine does). Our total character set is now 97. If we use an 8 character passcode, our keyspace is 7,837,433,594,376,961. We can crack this in 31,349,734,377,508 minutes or 59,645,613 years. About 30 million years on average. That's more like it. But I'd be happy with a middle ground.

I'm assuming this attack gets better as iPhone hardware gets faster -- the limiting factor is how many attempts it will let you make. So suppose I'd like it to take them at least a year on current hardware. There are 525,600 minutes in a 365-day year. This is 131,400,000 guesses:
  • a 9 digit code (10x stronger than we need),
  • a 6 character alphanumeric, lower case code (20x stronger than we need),
  • a 5 character alphanumeric, lower case code with limited punctuation (i.e. our 51 character set above -- about 3x stronger than we need), or
  • a 5 character code using the full set (about 80x stronger than we need).
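The keyspace and time-to-exhaust arithmetic from the last few paragraphs, as an added example (not from the post or from ElcomSoft) that also generalizes it: the guess rate is a parameter so the same sums can be re-run for faster hardware, and the minimum length for any target budget is searched rather than guessed. The 250 guesses/minute rate, the 10/36/51/97 character-set sizes and the one-year target are the post's own figures; the set labels are constructed.

```python
# Added example: passcode keyspace vs. offline guessing budget.
GUESSES_PER_MINUTE = 250          # the post's observed rate on then-current hardware
MINUTES_PER_YEAR = 525_600        # 365-day year

# Character sets as the post counts them (labels are constructed).
CHARSETS = {
    "digits": 10,
    "lower-case alphanumeric": 36,
    "lower-case alphanumeric + first-screen punctuation": 51,
    "full set (mixed case, digits, 35 punctuation marks)": 97,
}


def keyspace(charset_size, length):
    """Number of distinct passcodes of exactly `length` characters."""
    return charset_size ** length


def crack_minutes(charset_size, length, rate=GUESSES_PER_MINUTE):
    """Return (maximum, average) minutes to exhaust the keyspace at `rate`.

    Average is half the maximum, as in the post."""
    worst = keyspace(charset_size, length) / rate
    return worst, worst / 2


def min_length_for(charset_size, target_minutes, rate=GUESSES_PER_MINUTE):
    """Smallest length whose full keyspace takes at least `target_minutes` at `rate`."""
    needed = target_minutes * rate
    length = 1
    while keyspace(charset_size, length) < needed:
        length += 1
    return length


def margin(charset_size, length, target_minutes, rate=GUESSES_PER_MINUTE):
    """How many times larger the keyspace is than the guessing budget."""
    return keyspace(charset_size, length) / (target_minutes * rate)


def report(target_minutes=MINUTES_PER_YEAR, rate=GUESSES_PER_MINUTE):
    """(label, minimum length, safety margin) for every character set."""
    rows = []
    for name, size in CHARSETS.items():
        n = min_length_for(size, target_minutes, rate)
        rows.append((name, n, margin(size, n, target_minutes, rate)))
    return rows


if __name__ == "__main__":
    # Reproduce the post's worked cases, then the one-year table.
    for size, n in ((36, 4), (51, 4), (97, 8)):
        worst, avg = crack_minutes(size, n)
        print(f"{size}^{n}: max {worst / 1440:.1f} days, avg {avg / 1440:.1f} days")
    for name, n, m in report():
        print(f"{name}: {n} characters ({m:.1f}x over a one-year budget)")
    # Same question on hardware ten times faster.
    for name, n, m in report(rate=GUESSES_PER_MINUTE * 10):
        print(f"[10x faster] {name}: {n} characters ({m:.1f}x)")
```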

Most of my reason for going to this level of detail isn't that I'm looking to defeat law enforcement efforts to scan my phone. Rather, my assumption is that ElcomSoft's approach is dependent on design flaws and vulnerabilities in iOS's current device protection. This means I expect that people who are not law enforcement will be able to exploit the same flaws and vulnerabilities.

Today, this would only be the result of a targeted attack. The techniques require detailed inside knowledge of the iOS architecture and at least physical possession of the device. If I forget my phone somewhere or it gets stolen, I'm probably not at any risk of someone using these techniques. Frankly, if you have the device set to wipe after 10 tries, a 4 digit passcode is more than enough (just don't pick sequential or repeating digits, like 1234 or 1111).

In another year or two years, though, ElcomSoft's tools may have been stolen, leaked, or duplicated. When that happens, the risk goes up that someone taking my phone may know how to get the data out or may know someone who does.  I think there's still some question whether the device itself is more valuable than the data on it, but some basic protection (a 5 character code isn't that bad) seems cheap to me.
handslive: (Default)
In the alt-text for this XKCD, Randall suggests that following the first content related link (i.e. not in italics and not in parentheses) on any Wikipedia post will lead you inevitably to philosophy.  Naturally, I had to try this, but it doesn't seem to work for me.  Once you hit mathematics, the links lead the reader in a circle that comes back to mathematics.  Many pages lead to this topic, so this seems like a fundamental flaw in his proposed logic or a lack of understanding of his rules on my part.  Or, he's satisfied that he's ended up in "philosophy" once he reaches "property (philosophy)".  If I skip loops by moving on to the second link in an affected post, then, yes, I do seem to end up at philosophy in the half dozen pages I tried.  Sometimes by very convoluted paths.

This was an easy bit of thumb-twiddling during a meeting where I only had to listen to folks on the phone.
Page generated Sep. 26th, 2017 04:20 pm
Powered by Dreamwidth Studios