http://www.stuff.co.nz/stuff/0,2106,3833700a11275,00.html

A third of people write down their passwords? OH NO, EVERYBODY PANIC!

*sigh*

This is why restrictive password policies are dumb. Anyone who has done 5 minutes of formal UNIX study will tell you that.

The best security measure is three-way: Something you are (username), something you have (cryptocard, smartcard, token, biometrics) and something you know (rarely changed secure password), that way it doesnt matter if they’ve written down their password* because while joe hacker might have socially engineered his way into the office and found the post-it note, and he might have guessed through observation the username structure, without the “something you have” he’s still up a creek…

Consider the three-legged stool – any two legs together and you’ve got an essentially useless stool. Sure it’ll work if you balance yourself, but it’s not quite right… Get all three legs and you’ve got yourself a fully fledged stool, my friend.

*Writing down your passwords is not a bad thing. If you have a secure password that you write down using a simple offset algorithm or a simple insert algorithm, laminate it and put it in your wallet – just in case you forget it, and have it change every 6 months or so, I can tell you it’s a lot more secure than a monthly change where you simply change your password from March06 to April06, or if you’ve got a slightly more lax password policy: March01 to March02 to March03 iterively forever

I’ve read about a guy who worked for a company who required a password change every 10 days and it had to be 32 chars long and had a list of other nonsensical requirements. Restrictive password policies are dumb and decrease security!

Even better are password phrases…

Oh this tickles me so, for anyone who has worked for more than a few weeks in an office, you’ll understand and identify with this dilbertonian piece of brilliance.

We all know that Google can do no evil, and they’re really beginning to push that lately with their energy efficiency plans. While Google is big enough to do whatever the hell they want for their own advantage, instead they’re sharing back to the wider IT community on some of their plans, namely energy efficiency. They’re proposing a more efficient Power Supply design (pdf) which, if adopted as a standard, could save the world billions in wasted electricity.

And now, they’ve announced that they’re going to suppliment their electricity supply with Solar energy at their HQ, some 1.6 Megawatts of it.

I don’t know if they’re just going for straight electricity production, but Solar has obvious other uses too – namely Hot Water Heating and Lighting (click on the second link).

While I realise that our current solar technology cannot use all of the energy that the Sun provides us, augmenting what we can get into existing systems is simple common sense – it’s healthier, free (as in TCO=COA/COH+Install) and reduces the impetus to keep throwing more and more generation at the problem of increasing energy demands. I’ve always maintained that the brute force method, while entertaining for bored engineers, is just not quite right.

The government has put together a preliminary package that will improve things, but it’s not quite enough. It’s a little too vague. What I’d like to see is:

*subsidisation for energy efficient appliances
*subsidisation for augmenting solar technologies
*State homes, schools, hospitals, other state buildings all brought in line with the new building codes
*All existing South Island homes insulated

Keep your silly tax cuts which only benefit the country short term, invest in the country’s health and efficiency and the long term benefits will easily manifest. Just look at Google.

Just noticed today the body behaviour of various people on public transport.

People who pay cash are treated like mere commoners, indifference is their unknown blessing.

The one-off tripper or public transport newbie with their one-trip ticket are treated with a particular level of disdain, like most people hold their nose up when walking past a homeless bum

The multi-trip ticket holder is given a glimmer of respect, and they tend to show sympathy towards the aforementioned one-wayer, but still yearning for the level of arrogance afforded only by…

The month trip or quarter year trip ticket holder are generally snooty self absorbed people, trying to be so nonchalant – using their month trip ticket as a bookmark, or making in plainly obvious to the rest of the train that they were able to budget in an expensive ticket.

Shamefully, that used to be me – except I was not quite so wanky about it – I waved my ticket when required and tried hard to not rub it into others, but I secretly disdained others for taking up seats with their one-ways when I’d paid good cash for my month trip, even though I was saving overall some 20%, so technically they were paying more per trip and ergo more deserving of the seat, screw em – I’ve got a month trip and I’m important!

Now that I’m commute cycling, I only get ten trip tickets for days when the wind is too much or my legs are too sore, and I now feel a level of outsider bemusement at the pettiness that goes on on the public transport system – while they’re sitting there with their petty little classes psyching each other, I’m the one exercising on a faster commute that costs only bike maintenance costs and only has the increased risk of being hit by some idiot.

That’s the other thing – I draw a lot of amusement from cruising past gridlock and seeing the various “1 driver per car” morons react – often with defeat at their predicament, usually with rage. If they’d engaged brain, they’d know that even though public transport has gone up in price recently in wellingon, it’s still cheaper than parking + petrol + road costs. If they need their car for their day to day work, fine. But commuting by yourself into town, to pay money to park your car for the day, only to commute home by yourself makes no logical sense – if you really must drive, find some nearby workmates and carpool to make it a bit more economically feasible.

Wellington really is a city for two wheels (pushbikes, scooters and motorbikes) yet this escapes most people. Oh well – their loss.

Just got one of these today: http://www.soekris.com/net4801.htm

So now I have to figure out how to get pfsense on it with a squid proxy – booting from a compact flash card, but using a spare 2gig laptop hard drive for squid writes and logs, I can’t wait to get a couple of other projects off my desk.

Also got to go dumpster diving today, got a free 21″ CRT. another UPS and a box of CPU’s and Ram – you know what they say: one evil company’s rubbish is my treasure

I did it. This morning I got a good cadence, maintained 29.2kmh the entire way from the petone offramp all the way to work, and the result – 27 minutes! Almost half the time it took me the very first ride (50 minutes), so I’m rapt

My quads are getting definition back that I havent seen in about 7 years and I’ve lost a couple of inches of my spare tyre – next time I’m near a calibrated scale I’ll be keen to see how much weight I’ve lost – I guess about 6kg so far

The 200 gig drives arrived, and after a few days of juggling data around, I spied a DL380 Gen1 that’s been sitting all alone and unloved in my room for a few weeks now. I ripped out the SCSI backplane and with some minor modification mounted the 200gig SATA drives into the SCSI drive caddies.

After installing FreeNAS onto a fixed SCSI drive, it began to refuse to boot. I had options – roll up my sleeves and get dirty with the CLI to try and figure it out, or fall back on the old boot cd + configuration saved on a floppy.

I’d been without music for a few hours, so I went with the boot cd + floppy, which turned out to be the easiest way to do it. When I upgrade FreeNAS down the track, I’ll give the SCSI drive another shot

My thoughts on FreeNAS – it’s good, but it’s got some work to go yet. I only need it for simple sharing, but for some reason the write rights havent propogated to some of the mount points, and the interface needs a bit of work to make it a bit more intelligible, but overall it’s a great use of BSD, and easily compliments pfsense (as they’re both based on m0n0wall)

Pix coming…