What3Words as a password generator

One of my coworkers shared an interesting site last week. What3Words assigns a three-word “address” to every 3m-by-3m square on Earth. The idea behind the site is that many areas of the world don’t have street numbers and names, and a three-word combination is much easier to remember than latitude/longitude pairs. Similar combinations are deliberately placed far apart so as to make them unambiguous.

It’s an interesting idea, but I immediately began thinking of a different use for it. What if people used it to come up with long, memorable, and hard-to-guess passwords? After all, the longer a password is (generally speaking), the better it is. And while correcthorsebatterystaple might be amusing, it’s much easier to remember a place. So you pick a memorable spot on the map and now you have a long password that you can look up if you forget it.

[Image: XKCD "Password Strength" by Randall Munroe. Used under the Creative Commons Attribution-NonCommercial 2.5 license.]

This method isn’t perfect. The main problem is that with a 3x3m grid, it’s very sensitive to differences in location. But especially for the technically unsavvy, it can be a good way to enable better password habits.

Sidebar: why Randall Munroe is wrong (-ish)
There’s another reason What3Words isn’t perfect, and the XKCD cartoon above is subject to the same weakness. If a password cracker knows people are mostly using concatenated words, they’ll start guessing combinations of words instead of combinations of characters. These sorts of passwords are stronger when they’re rare. Of course, there are trivial ways to mitigate the risks (insertion of special characters, selective capitalization, etc.).

Still, given the choice between a 20-character random string and a 20-character set of words, I’ll take the random string as my password (unless the site/app disables paste, in which case I’ll cry). I use a password manager precisely so I don’t have to worry about trying to balance security and memorability. The What3Words method could be helpful as a password for my password safe, though.
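To put numbers on the sidebar's argument, here is an added Python example (my own, not code from the post or from What3Words) that scores a passphrase under both attacker models and keeps the weaker one. The roughly 40,000-word dictionary size and the guess rate are my assumptions, and the three-word address is constructed rather than a real What3Words location.

```python
import math
import secrets
import string

# Assumption (not from the post): a what3words-style English dictionary of about 40,000 words.
WORD_DICTIONARY_SIZE = 40_000
# Assumption: an offline cracker making ten billion guesses per second.
GUESSES_PER_SECOND = 1e10

LOWERCASE = string.ascii_lowercase
ALPHANUMERIC = string.ascii_letters + string.digits


def bits_as_characters(password, alphabet):
    """Guess-space in bits if the attacker brute-forces one character at a time
    over `alphabet`. This is the naive model the sidebar warns against relying on."""
    return len(password) * math.log2(len(alphabet))


def bits_as_words(word_count, dictionary_size):
    """Guess-space in bits if the attacker knows the scheme: `word_count` words
    drawn from a dictionary of `dictionary_size` entries."""
    return word_count * math.log2(dictionary_size)


def effective_bits(words, dictionary_size, alphabet=LOWERCASE):
    """A cracker picks whichever model is cheaper, so the strength that matters
    is the minimum of the two."""
    joined = "".join(words)
    return min(bits_as_characters(joined, alphabet),
               bits_as_words(len(words), dictionary_size))


def seconds_to_exhaust(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Time to try every guess in a space of 2**bits at the given rate."""
    return 2 ** bits / guesses_per_second


def random_password(length, alphabet=ALPHANUMERIC):
    """A random string of the kind the post prefers, drawn from the OS CSPRNG
    via `secrets` (never the `random` module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed three-word address, not a real What3Words location.
    address = ["index", "home", "raft"]
    naive = bits_as_characters("".join(address), LOWERCASE)
    effective = effective_bits(address, WORD_DICTIONARY_SIZE)
    print(f"three words, character model: {naive:.1f} bits")
    print(f"three words, word model:      {effective:.1f} bits")
    print(f"xkcd, four of 2048 words:     {bits_as_words(4, 2048):.1f} bits")
    print(f"hours to exhaust three words: {seconds_to_exhaust(effective) / 3600:.1f}")
    random20 = random_password(20)
    print(f"20 random alphanumerics:      {bits_as_characters(random20, ALPHANUMERIC):.1f} bits")
```

Under the word model three dictionary words come to about 46 bits, and four words from XKCD's 2048-word list give the cartoon's 44 bits, whereas 20 random alphanumeric characters are around 119 bits; that gap is the sidebar's point, and it only shows up once you assume the attacker knows the scheme.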

Further defense of 140 characters

Last fall, when rumors began swirling that Twitter was looking at increasing the 140 character limit on tweets, I wrote a defense of the 140 character constraint. Last week, Re/Code and others reported that the limit change may come in March and that it could be as large as 10,000 characters.

Everything I wrote back in October still holds true. 140 characters, now that SMS is no longer a primary method of interacting with Twitter, is probably too small. But 10,000 is too large. The first four paragraphs of this post are 1,244 characters. Can you imagine a timeline full of that (or more)?

It’s not just “oh noes! They are changing a thing!”, which is a common reaction whenever Facebook changes anything. Twitter has made a lot of changes that I think are great: retweets (yes, kids, retweets used to be a manual process that often required editing the tweet in order to be able to fit “MT @name” in front of it), quoted tweets, embedded images, polls (even though there’s a lot to be improved on there), and 10k character direct messages.

In this case, the short limit is what makes Twitter. As my friend Zachary Baiel said “The medium is the message. The character limit of Twitter defines itself. Otherwise, it’s a stream of blogs.”

Twitter emphasized four characteristics in its IPO filing (thanks to Karen Demerly for bringing this to my attention):

  • Public
  • Real Time
  • Conversational
  • Distributed

10,000 characters does not seem very real time (it takes a while to type that out and longer to read a lot of them) and certainly not conversational (perhaps more a series of short speeches). There’s been some talk of the UI presenting a “read more” kind of option, and as a co-maintainer of a Twitter client, I’m inclined to resist having to make changes to my application.

But more than just laziness, I think 10k is actively harmful. Whenever a new feature is announced, the biggest complaint I see is “why aren’t you addressing abuse instead?” I get it, abuse is a hard subject to deal with, particularly on an unmoderated medium such as Twitter. One way that abuse happens is that abusers get their followers to dogpile the mentions of the target. Imagine how many targets you could include in 10,000 characters.

More innocuous (though I find it super annoying) is the phenomenon of “I took a picture of some weather, let me tag all of the meteorologists in my market so that they’ll see it and maybe retweet me or put it on the news broadcast.” Those people will certainly make use of the extra characters, but it will add nothing to the conversation, only make it worse.

I get it, Twitter stock is plummeting. (Full disclosure: I own a few shares and expect to get quite the tax write-off from them.) There’s a lot of pressure to improve revenue, user engagement, and (most importantly to the people applying the pressure) the stock price. But this change will just make the user experience worse, and that doesn’t seem to be a reasonable way for Twitter to turn itself around.

I’m hoping that 10,000 is just a trial balloon. Nobody seems committed to making that the final number, so hopefully when the feature lands, it’s more reasonable. Or not. Will I stop using Twitter if the character limit changes to 10,000? Not right away. Maybe I will at some point, though.

By the way, this entire post (including this line), checks in at 3,398 characters.

SysAdvent 2015

I contributed to the SysAdvent blog this year, again as an editor. I had the privilege of working with three great authors on outstanding posts:

Once again, the content overall is great. I liked the mix of technical and non-technical content. In the eight years of SysAdvent, many wonderful articles have been written, but the best article may be this year’s Fear and Loathing in Systems Administration by H. “Waldo” Grunenwald. It should be required reading for every sysadmin.

I support Software Freedom Conservancy

If you’ve read this blog for any length of time, you know that free and open source software is important to me. It’s important to Software Freedom Conservancy as well. Conservancy is a 501(c)(3) organization dedicated to supporting software projects.

Conservancy provides a lot of services to member projects, including financial and administrative support. Conservancy also provides license enforcement services, including support of a high-profile suit against VMWare. Although Conservancy uses litigation as a last resort, it’s sometimes necessary. However, this has led to some corporate sponsors pulling their funding.

In order to continue their efforts, Conservancy is moving to an individual-supporter model. I first became a Conservancy supporter last year, and when it’s time to renew my support shortly, I will contribute double. Free and open source software is important to my personal and professional lives, and the services Conservancy provides to projects are invaluable.

If you use computers at all, a Conservancy project is probably an important part of your daily life. Please join me in supporting the Software Freedom Conservancy with a tax-deductible* donation today.

*Consult your tax professional to see if donations are tax-deductible in your jurisdiction.

Wireless spectrum versus the Internet

Last month, The Register reported on a new OpenWRT release. OpenWRT is a Linux distribution designed to be installed on embedded devices like routers. It, along with other third-party firmware projects like Tomato and DD-WRT, offers users more flexibility than the original firmware. They often get updates long after the first-party firmware, and can provide a more stable system. For example, I had a Linksys WRT-54G that was starting to get flaky, to the point where I had to power cycle it every day or so. After installing OpenWRT, it became much more reliable.

I lay out the benefits of third-party firmware, because the El Reg article brought to my attention a document published by the Federal Communications Commission (FCC). The guidelines, last updated in March of this year, outline the security questions device manufacturers should answer in their Part 15 application. Part 15 refers to the section of U.S. regulations that deals with unlicensed radio frequency (RF) transmission (including WiFi). The document says, in part:

An applicant must describe the overall security measures and systems that ensure that:

1. only properly authenticated software is loaded and operating the device; and
2. the device is not easily modified to operate with RF parameters outside of the authorization.

These requirements are antithetical to the ideals of open source and the user freedom it is committed to promote. As an amateur radio operator, I am sensitive to the concerns regarding spectrum pollution. Part 15 devices can be a pain for licensed portions of the RF spectrum anyway, and allowing devices to be easily modified to transmit outside their intended band presents a real threat to licensed radio services, including public safety and aviation.

Essentially, it comes down to protecting wireless spectrum (by preventing unlicensed transmission) versus protecting Internet users (by allowing for more security updates and external auditing of the code running on routers). These are both legitimate concerns, and I’d advocate for either of them independently. When they’re pitted against each other, though, I have to side with free software.

Regardless of the technological restrictions put in place to prevent unlicensed transmission, they can be circumvented. The entire history of technology is a history of restrictions and circumventions. Additionally, the ability to (responsibly) modify and experiment with hardware is an important part of innovation. The updates and configuration flexibility of third-party firmware provide a real benefit (though I naively assume that a non-trivial portion of devices will get such firmware) against everyday threats. Given the choice, my choice is clear. I hope the FCC will come to agree with me.

The ad-supported web

The history of the public Internet is a story of arms races. Spammers versus spam blockers. “Pirates” versus DRM. Websites against their visitors.

That last one might come as a surprise, but it’s an accurate-if-cynical description. Websites have content that visitors want, but the visitors (often) don’t want to pay and the website owners and contributors (often) want to make money for their work. Advertisements have become more and more obtrusive and visitors have worked harder and harder to keep those ads out of the way.

Fundamentally, the problem is that the Internet has changed the economics of information. It used to be that the value (economically speaking) in reporting and commentary lay in the scarcity and the medium. As the Internet has democratized communication, the cost of an individual article gets much smaller.

Of course, the ability to get an individual article makes a difference, too. With a newspaper or magazine, you generally have to buy the whole thing. That’s not the case with websites. And advertisers in a newspaper or magazine can only do so much to get in your way. Perhaps technology just allows them to behave like they always wanted to.

In any case, Apple’s recent announcement that it would allow ad blockers on iOS has caused no shortage of consternation among content producers, especially on smaller sites and sites that depend solely or mostly on ad revenue. “Dear Apple: I may rob your store” is a fine example.

Everything is free! is probably not a sustainable model in the long term. By the same token, subscriptions for everything won’t work either. Micropayments are nice in theory, but I haven’t seen any evidence that they actually work. I don’t have an answer, since this isn’t really my area. I’ve made about four cents from my ads on Funnel Fiasco in the past 10 years, which is probably commensurate with the value I’ve provided.

The sky is not falling, but the landscape is changing. Old business models won’t continue to be viable. Some people will lose their jobs, some will find new niches to fill. I’ll continue to not use an ad blocker because I understand it’s the tradeoff for free content, but I’ll also continue to avoid websites that abuse my tolerance.

Book review: AWS System Administration

In his forthcoming book, Mike Ryan aims to introduce Amazon Web Services (AWS) to developers and systems administrators. Correctly creating and managing an AWS environment is a cross between development and administration, so anyone coming from a straight admin or dev background would probably miss key components.

Unfortunately, in aiming for two audiences, he produces a book that doesn’t seem to quite satisfy either. The book goes into a lot of unnecessary detail, for example a lot of PostgreSQL detail in the backup chapter, and a lot of Puppet specifics scattered throughout.

My biggest complaint is the way the book is organized. Basic AWS concepts like regions aren’t introduced in the beginning. Several concepts appear in passing before they are explained. EC2 security groups are lumped into the chapter on IAM roles, but it makes more sense to separate those.

Much of the book focuses on a single example, without a lot of discussion of other use cases. However, the use of auto scaling and Elastic Load Balancers in various cases is very well explained. The discussion of the use and limitations of IAM roles is excellent as well.

This book could benefit from some reorganization and a more focused audience. With more information about AWS and less on implementation details for specific environments, the second edition could be a valuable resource.

AWS System Administration is scheduled to be released on July 25. It is published by O’Reilly Media.

Introducing the “Permissive 3000” license

Software licenses aren’t necessarily the easiest texts to understand. This issue is compounded when the person trying to understand the license is in a different jurisdiction or is a non-native speaker of English. A recent thread on the OSI’s license-discuss list brought this issue to light. According to the original poster, a project using the BSD 3-Clause license was used without attribution in a proprietary product. The developer lost the court case because the judge did not understand English well. The poster brought an attempt at a rewrite to the list, but it had some contradictions and other meaningful differences. So I thought I’d give it a try myself.

This weekend, I started from the original BSD 3-Clause license and excised all of the words not on the Oxford 3000™ word list (or reasonably close modifications, e.g. verb tense conjugations). I did make an exception for the word “copyright”, since it seems indispensable to a software license. In all other cases, I used synonyms and circumlocution in order to preserve the meaning while remaining within the constrained word list. This was challenging at times, since circumlocution can end up making the document more difficult to understand than an unknown word might. The difficulty is further compounded by the fact that many words have a distinct legal meaning and a synonym might not have the same weight.

I consoled myself with the fact that software warranties (where most of the real challenge was) are probably not that useful anyway. Furthermore, just because a word has a distinct meaning in American courts, that doesn’t mean that foreign legal systems have the same definitions. Trying to use largely U.S.-centric licenses written in English is a challenge for a global society, but I don’t know that a system of jurisdiction/language-specific licenses would be any better.

In any case, without further ado, I present the Permissive 3000 license. It’s highly experimental and totally unvetted by legal professionals, so nobody should use it for anything except a learning exercise. I’m looking forward to some constructive feedback and hopefully it sparks a discussion about how licenses can be simplified so that they’re more easily understood by judges, developers, and users alike.

A lesson in ISO weeks

Last week, users of the Twitter client for Android experienced authentication problems. It was a long and lonely Sunday night for me without my Tweeps. When the issue was fixed, word on the street was that it was due to time travel, in a sense. Sunday started the first week of 2015 if you’re using ISO week numbering.

The next morning, I got my regular weekly email from our time tracking system at work, except it showed I had recorded zero hours in the previous week. Late December tends to be a quiet time, but not that quiet. Then I looked a little closer and noticed that the email was for week 2015-52. Oops!

I thought I’d take a look at the code for the report generator, and my hunch that it was also an ISO week issue was quickly confirmed. In the code, the current date was recorded and split into year and week values. Then the week value was decremented. This seemed silly to me. I changed it to first subtract a week before splitting into the year and week values. This seemed to fix…the glitch.

So what’s the lesson in all of this? First, make sure you do the math at the right time. Secondly, make sure you understand how time works. The year of the ISO week being ahead of the calendar year only happens on limited occasions. It’s not a scenario that one would think to test (though I expect a lot more tests will include it now).
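To make the bug concrete, here is an added Python example (my own, not the report generator's code, which the post does not show) contrasting the two orderings described above. It assumes the original wrapped week 0 back to 52 without adjusting the year, which would explain the 2015-52 email but is my assumption. It goes a step beyond the post by also covering a year with 53 ISO weeks, where the same wrap-around is wrong in a second way.

```python
from datetime import date, timedelta


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def previous_week_decrement(today):
    """The ordering the post describes: split into ISO year/week first, then
    decrement the week.

    Assumption (not from the post): week 0 is wrapped to 52 without touching
    the year, which reproduces the 2015-52 report the post mentions.
    """
    year, week, _ = _as_date(today).isocalendar()
    week -= 1
    if week == 0:
        week = 52
    return (year, week)


def previous_week_subtract_first(today):
    """The fix: move the calendar date back one week, then ask for its ISO
    year/week. The ISO calendar handles the year boundary and 53-week years."""
    year, week, _ = (_as_date(today) - timedelta(weeks=1)).isocalendar()
    return (year, week)


def iso_week_bounds(year, week):
    """Monday and Sunday of an ISO week, for building the report's date range."""
    monday = date.fromisocalendar(year, week, 1)
    return (monday, monday + timedelta(days=6))


if __name__ == "__main__":
    # Constructed inputs: the Monday after the post's incident (ISO 2015-W01-1),
    # a Monday starting ISO week 1 of 2016 whose previous week is 2015-W53
    # (2015 has 53 ISO weeks), and an ordinary mid-year day where both agree.
    for day in ("2014-12-29", "2016-01-04", "2015-06-10"):
        print(day,
              "decrement:", previous_week_decrement(day),
              "subtract first:", previous_week_subtract_first(day))
    print("2015-W53 runs", *iso_week_bounds(2015, 53))
```

`date.fromisocalendar` needs Python 3.8 or later. Running the block shows the two functions agreeing in June and disagreeing at both year boundaries: for 2014-12-29 the decrement approach reports 2015-52 (the post's phantom week) while subtracting first reports 2014-52, and for 2016-01-04 only the subtract-first version finds 2015-53.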