August 2009 Archives
Sunday, 2009-08-30 12:10 MDT
New articles
There are three articles on the blog, and no doubt there will be more.
- Free Software and Freedom: the connection between free software and freedom.
- mkcd: mkdir foo && cd foo: combining mkdir and cd into one command.
- Off Site Backups For Amanda: how I back up Amanda's vtapes to an off site location.
Tuesday, 2009-08-25 19:08 MDT
Social Insecurity
Even before Social Security Numbers (SSNs) were shown to be so easy to reverse engineer, I had been unenthusiastic about their ubiquitous use. For one thing, SSNs are the jackpot for identity thieves. Getting a victim's SSN is half the battle in faking her identity.
The security principle "need to know" applies here: only the people who can show a "need to know" an SSN should have it. If you don't have a datum (say, someone's SSN) on your computers, then when (not if) the bad guys crack your computer, they can't get it from you.
I've just hit an example of an egregious use of SSNs. I just tried to create an account at the Wyoming Department of Workforce Services' wyomingatwork.com web site. The intake form wants a user name, a password, etc. All very standard so far. It also wants an SSN. The form doesn't say why they want it. As far as I can tell, the Department of Workforce Services has no "need to know" my SSN simply to open an account.
This is the first time in my half-century work career I've been asked for an SSN on a job site. By way of comparison, Monster.com's new account form has no such requirement.
I suspect a phone call and some pointed questions are in order. Sigh.
Tuesday, 2009-08-18 14:45 MDT
i4i?
I had read about Canadian company i4i winning their suit against Microsoft and then today read Brad R.'s comment on it in Goodbye Microsoft. Yes, indeed, another reason to use Open Document Format, i.e. almost any non-Microsoft office program. This suit has hit Microsoft pretty heavily: they have had to stop selling the key product, Word, in their cash cow product, Office.
So we already know that Microsoft is a convicted monopolist. And it's not the most popular company in the world. And it's in the habit of using its patents to stop competitors. I have to wonder. Out there somewhere is there another company preparing to sue Microsoft for patent infringement? Yeah. tooth4tooth v. Microsoft.
Thursday, 2009-08-06 09:01 MDT
IVth Amendment and Computers
A recent article on police forensic searches of computers, Arguing for Suppression of 'Hash' Evidence, by Marcia Hofmann, gives a summary of how police really search computers and the implications for defense attorneys. It also covers the current rather sparse case law.
Apparently police often search a computer by first taking a snapshot, or image, of the hard drive, and searching that. They may actually examine a few files to see if any are contraband, e.g. child pornography. In order to eyeball files, they must have a search warrant, i.e. establish "probable cause".
They may also make a list of the hash sum of every file on the hard drive, and compare that list against a list of known contraband files. Some writers have argued that this does not violate the computer owner's IVth Amendment rights because the hash says nothing about the content of the file. That sounds like sophistry to me, but then I'm not an attorney.
The article is aimed at defense attorneys, who usually get involved in a case after the police have seized the computer, imaged the hard drive, and calculated the hashes. So the article doesn't mention a very simple thing the owner can do to defeat a hash search.
Since we're talking about hashes, we're talking about MD5 sums, SHA-1 sums, etc. Techies know well that if you change a small part of a file, you change the hash, usually drastically.
- The three graphics file formats recognized by the World Wide Web Consortium (W3C, the Web's standards body) are GIF, JPEG, and PNG. All have comment fields. Change the comment, and you change the hash.
- Change one pixel of the image ever so slightly, and you change the hash.
- Crop or change resolution, and you change the hash.
- Transform the image from one file format to another, and delete the original.
Of course, it is possible that the folks who wrote the forensic program thought of all that and included suitable workarounds. But, oh, would that slow the forensic software down!
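As an added example (not part of the original entry), here is the hash-set comparison described above, written from the examiner's side in Python: it inventories every file's digest, matches against a known-digest set, and measures how far a one-byte change moves the digest, which is the exact-match limitation the entry points out. The file contents and the "known" set are constructed stand-ins, not real forensic data.

```python
"""Hash-set file matching as used in forensic triage, plus the avalanche
property that makes it an exact-match technique only.  Added example; the
file contents and the "known" digest set are constructed, not real data."""
import hashlib
import os
import tempfile

ALGO = "sha1"  # MD5 and SHA-1 are the entry's examples; sha256 works the same way


def file_digest(path, algo=ALGO, chunk=1 << 16):
    """Stream a file through the hash so a large disk image never sits in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_inventory(root, algo=ALGO):
    """Map every regular file under root to its digest (the 'list of hash sums')."""
    inv = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                inv[p] = file_digest(p, algo)
    return inv


def match_known(inventory, known_digests):
    """Return the paths whose digest is in the known-file set (exact match only)."""
    return sorted(p for p, d in inventory.items() if d in known_digests)


def digest_bit_distance(a, b, algo=ALGO):
    """Number of differing output bits between the digests of two inputs."""
    x = int(hashlib.new(algo, a).hexdigest(), 16) ^ int(hashlib.new(algo, b).hexdigest(), 16)
    return bin(x).count("1")


def demo():
    """Constructed files: two identical to 'known' samples, one changed by one byte."""
    known_bytes = (b"constructed sample A", b"constructed sample B")
    known = {hashlib.new(ALGO, k).hexdigest() for k in known_bytes}
    altered = known_bytes[0] + b"!"  # one extra byte, so the exact-match scan misses it
    with tempfile.TemporaryDirectory() as root:
        for i, data in enumerate(known_bytes + (altered,)):
            with open(os.path.join(root, f"f{i}.bin"), "wb") as f:
                f.write(data)
        hits = [os.path.basename(p) for p in match_known(hash_inventory(root), known)]
    return hits, digest_bit_distance(known_bytes[0], altered)
```

Running `demo()` shows the two unmodified files matched and the one-byte variant missed, with roughly half of the 160 digest bits flipped.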
Monday, 2009-08-03 19:55 MDT
Yet Another Bloody Blog (YABB)
I've decided to start a blog. I plan to pontificate on technical issues from time to time. OK, I can hear the response: "<yawn /> Everyone else has a blog. My cat would have a blog if she weren't so lazy."
Perhaps more interesting than the blog itself is the blogware I'm using, nanoblogger, or nb for short. It's small, lightweight, uses Unix command line tools like bash, cat, grep, sed, et cetera.
Also, nb produces static content. So I can edit locally, and only when I'm comfortable with the results do I push the changes out to the servers. Yeah, servers. I have a backup site as well as the main site.
I also like the elegance of crunching the data once and pushing it out to the server for the world to read. People will read this thing a lot more than I will modify it. OK, at least that's the idea of a blog. So dynamic creation of the content just doesn't make sense to me. It strikes me as lazy.
Dynamic blogging also strikes me as silly: most blogware programs are huge, therefore error prone. (Think office suites: bloatware par excellence and buggier than an ant hill, all of them.) nb is a set of bash scripts and most of its smarts are in the GNU utility programs that make up the standard Unix tool kit. Why reinvent the wheel?
Also, with dynamic blogging, the content is on the server. So you now have the problem of backing it up. With nb, backup is a non-issue: it gets backed up when your desktop or laptop gets backed up (you do back it up, don't you?). So that means one less step in creating a blog entry or article.
Monday, 2009-08-03 19:05 MDT
Cracking Social Security Numbers
How secure is your social security number (SSN) if someone can readily crack it?
According to this article, Boffins guess social security numbers via public data, it is possible to guess the first five digits of an SSN. That leaves four more digits to crack by brute force (trying each one until you hit the correct one).
Armed with publicly available information about where and when an individual was born, researchers from Carnegie Mellon University were able to guess the first five digits of an SSN on the first try for 44 percent of people born after 1989. The success rate balloons to as high as 90 percent for individuals born after 1989 in less populous states such as Vermont. Success rates also rise when the researchers get more guesses. The first five digits for six of 10 SSNs can be identified with just two attempts.
If that doesn't make you nervous, think about this: the last four digits are the ones most often used to verify an SSN. So they're much more readily available than the whole thing, which means a freelance socialist may not have to brute force it.
Sunday, 2009-08-02 16:29 MDT
Goodbye Microsoft, a Useful Resource for Linux Users
A useful resource for Linux users, new and experienced, is goodbyemicrosoft.net. In the form of a blog, the owner, Brad R., runs useful tips. His comments about Microsoft shenanigans help confirm my resolve to avoid their products.