The TSA has spent $1 billion on its Chat Down program to no effect. Really, I think we could say “The TSA has spent $X billion on all programs to no effect.” Except that annoying and harassing millions of innocent people certainly is an effect.
You’d think that the reason this failed was because a small number of House Republicans willed it to, rather than (off the top of my head and therefore necessarily incomplete):
- systemic flaws in the technocratic system
- a number of bloated bureaucracies
- a lack of business acumen in the administration
- a lack of IT talent in the federal government
- the absurd nature in which a half-written bill full of “the secretary of HHS will change this later” boilerplate was supposed to turn into actual business requirements for a huge application
- the sheer horror of trying to integrate dozens of antiquated IT systems into a responsive website
- general government corruption and cronyism.
Even if Republicans were gung-ho on this law, the result would still have been an abysmal failure. And I say good on them for doing everything they could to prevent this monstrosity from rolling out.
The RIAA and BPI are software pirates. So is Healthcare.gov (not that the people whose code was stolen would want to be associated with that debacle).
The US government should issue takedown notices for these copyright infringers. I assume they already did with HealthCare.gov, which would explain why it’s a big ball of failure.
Also, given that these agencies are software pirates, the lawful owner of the properties they stole should sue them at the rates the RIAA typically demands: $150K per incident. One of the comments points out that this would be roughly $630 billion.
So Adobe had a password breach back in October. Being security super-geniuses, the wise people at Adobe decided to encrypt their passwords instead of hashing them.
Why is this stupid? Put simply, a good hash is a one-way function: you can go from password to hash but never the other way around. Encryption is a two-way function: one party encrypts the data, and a later party decrypts the data. Encryption implies decryption, and if you find the algorithm used to encrypt the data originally, you can retrieve all of the plaintext passwords quite easily. With a good hashing algorithm, however, you have to build and populate a rainbow table. If you do a really good job—using per-user salts—you essentially require the attacker to build a rainbow table for each user account, something that your average attacker simply won’t do.
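As an added example (not code from the original post or from Adobe), here is the difference in Python: a toy reversible cipher standing in for the encrypt-then-store approach, beside per-user salted PBKDF2 hashing from the standard library. The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- Reversible "encryption": a constructed toy cipher for illustration.
# It XORs the password with an HMAC-derived keystream. Whoever holds the key
# turns the entire stolen dump back into plaintext in one pass.
def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_password(password: str, key: bytes) -> bytes:
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def decrypt_password(ciphertext: bytes, key: bytes) -> str:
    # Encryption implies decryption: the same key undoes every record.
    stream = _keystream(key, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode()

# --- One-way, per-user salted hashing (PBKDF2-HMAC-SHA256, stdlib only).
ITERATIONS = 100_000

def hash_password(password: str, salt: Optional[bytes] = None):
    # A fresh random salt per user means a precomputed table for one
    # account says nothing about any other account.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare

def demo():
    key = os.urandom(32)
    users = {"alice": "hunter2", "bob": "hunter2"}  # constructed: shared password
    enc = {u: encrypt_password(p, key) for u, p in users.items()}
    recovered = {u: decrypt_password(c, key) for u, c in enc.items()}
    hashed = {u: hash_password(p) for u, p in users.items()}
    # (all plaintexts recovered with the key,
    #  equal passwords leak as equal ciphertexts,
    #  equal passwords hash differently thanks to per-user salts)
    return recovered == users, enc["alice"] == enc["bob"], hashed["alice"][1] != hashed["bob"][1]
```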
We all know that writing software is hard and that it’s easy to introduce bugs into a complex system—ask the HealthCare.gov guys.
But when those bugs can literally kill you, there are problems. Toyota’s Engine Control Module firmware is one such case. Given that I like Toyota, it hurts even worse.
As long as it’s up, here’s a cached article with a summary of source code analysis findings. It’s not pretty.
Passphrases are supposed to be safer than simple passwords in that they are much, much longer than typical passwords, so a brute force attack becomes exponentially* more difficult. Unfortunately, brute force attacks aren’t the only type of attack. More complex dictionaries are incorporating passphrases, meaning that if you have some permutation of a relatively common saying as your passphrase, it might be in a dictionary.
Here’s where I prefer having one nice, secure password (which does not come from common literature) and a whole mess of auto-generated passwords stored in a password wallet.
* – In the literal sense of the term, not the sense that most people use.