Posts Tagged: technology

What is WiFi? How Does WiFi Work?

Elizabeth Technology May 28, 2024

Wi-Fi is older than it may seem; it spent quite some time at the fringe of new tech. The market was already saturated with dial-up internet, and displacing it took a lot of doing. When the first Wi-Fi standard launched it topped out at 2 Mbps, which was actually pretty good, roughly 35 times faster than dial-up, which maxed out at 56 kbps. Still, so much was built around dial-up that it took years for Wi-Fi to become the standard.

Wi-Fi is commonly read as "Wireless Fidelity", but that was never an official expansion. The name was produced by a branding firm for the Wi-Fi Alliance as a catchier alternative to "IEEE 802.11b Direct Sequence", and "Wireless Fidelity" was a tagline bolted on afterwards. The trademark and the certification program grew from there.

Kind of Like Radio

AM and FM radio have been around for decades, and they work on principles similar to Wi-Fi. AM radio encodes information by changing the amplitude of the carrier wave, while FM changes its frequency. Wi-Fi's modulation (QAM) varies both the amplitude and the phase of the carrier at once, which packs far more bits into the same slice of time. AM and FM also sit at kilohertz and megahertz frequencies, while Wi-Fi uses the much higher gigahertz bands.

Electromagnetic radiation is a spectrum: at one end are radio waves, with extremely low frequencies, and at the other is gamma radiation, with extremely high frequencies. Visible light sits in the middle, between infrared and ultraviolet, with red at its low-frequency end and violet at its high-frequency end. Microwaves fall on the low side, between radio and infrared. A 2.4 GHz microwave has a wavelength (the distance from one crest to the next) of about 12.5 cm, roughly the width of a CD, so the crests are nowhere near as close together as they are in visible light. (Note: a microwave oven uses the same 2.4 GHz frequency, but at far higher power than Wi-Fi, around a thousand watts against a fraction of a watt. Loud and quiet sounds can share the same pitch, or frequency; the same goes for microwaves.) Microwaves, like colors, are broken up into bands, and different frequencies are put to different uses. This article focuses on information transmission.

What Can Stop WiFi?

Wi-Fi does get weaker when walls or other obstacles get in the way, and that is often a good thing: there are only so many usable channels, just as with radio, so a crowded building would run out of them if signals weren't attenuated by walls and floors. A microwave oven relies on the same effect, using a metal enclosure to keep its waves inside; walls, floors, water and people all absorb or reflect Wi-Fi to a lesser degree. Distance stops Wi-Fi too. Signal strength falls off with the square of the distance, and once the receiver can no longer separate the signal from background noise, the carried information is lost.

Bluetooth devices can interact poorly with Wi-Fi as well. Both use the 2.4 GHz band, but Bluetooth transmits at much lower power. If your headphones are undetectable to your phone even when they're switched on, it's possible the Bluetooth signal is being drowned out by local Wi-Fi. Bluetooth typically has a range of about 30 feet, compared to Wi-Fi's much larger 240 feet or so in ideal conditions.

How Does Protecting WiFi work?

Wi-Fi transmits over those microwave frequencies to bring information to the computer and send it back out.

How do you protect information that's simply being broadcast like that? A few things. While Wi-Fi is very similar to radio, it's not exactly like it, where the station's signal is broadcast across the city and all you have to do is tune in. The computer has to find the network first, and as previously stated, both physical objects and distance can keep Wi-Fi from reaching a compatible device. Distance helps, but it is not a real defense: an attacker with a directional antenna can pick up a signal well beyond the range your laptop sees, and every frame you send is readable by anyone in range of it. If a hacker is in the same building, how do you protect the network then? Assuming their device is within range of the network, can it intercept information sent over it?
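To put a number on why distance is a weak defense, here is an added example (not part of the original post) that applies the textbook free-space path-loss formula to a Wi-Fi link. The transmit power, antenna gains, receiver sensitivity and channel are assumed, illustrative values; real indoor links lose tens of dB more to walls, so the absolute distances are optimistic, but the ratio between a laptop's built-in antenna and a 24 dBi grid antenna holds regardless.

```python
import math

C = 299_792_458.0  # speed of light in m/s


def fspl_db(distance_m: float, freq_hz: float) -> float:
    """Free-space path loss in dB: 20*log10(4*pi*d*f/c).
    Line-of-sight with no obstacles; walls and floors only add loss on top."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C)


def received_dbm(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                 distance_m: float, freq_hz: float) -> float:
    """Link budget: power arriving at the receiver, in dBm."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - fspl_db(distance_m, freq_hz)


def reach_m(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
            sensitivity_dbm: float, freq_hz: float) -> float:
    """Farthest distance at which the receiver still gets at least its sensitivity.
    Inverts fspl_db: d = c / (4*pi*f) * 10^(budget/20)."""
    budget_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - sensitivity_dbm
    return C / (4 * math.pi * freq_hz) * 10 ** (budget_db / 20)


# Assumed, illustrative numbers: a typical access point heard by a laptop versus
# the same access point heard through a 24 dBi grid antenna, on Wi-Fi channel 6.
AP_TX_DBM, AP_GAIN_DBI = 20.0, 2.0
LAPTOP_GAIN_DBI, DISH_GAIN_DBI = 2.0, 24.0
SENSITIVITY_DBM = -70.0   # assumed level below which the laptop drops the link
CHANNEL_6_HZ = 2.437e9


def eavesdrop_gain_factor() -> float:
    """How many times farther the dish can hear the access point than the laptop can.
    Independent of the absolute numbers: it is 10^((dish_gain - laptop_gain)/20)."""
    laptop = reach_m(AP_TX_DBM, AP_GAIN_DBI, LAPTOP_GAIN_DBI, SENSITIVITY_DBM, CHANNEL_6_HZ)
    dish = reach_m(AP_TX_DBM, AP_GAIN_DBI, DISH_GAIN_DBI, SENSITIVITY_DBM, CHANNEL_6_HZ)
    return dish / laptop


if __name__ == "__main__":
    for d in (10, 100, 1000):
        print(f"{d:>5} m: path loss {fspl_db(d, CHANNEL_6_HZ):.1f} dB, "
              f"laptop hears {received_dbm(AP_TX_DBM, AP_GAIN_DBI, LAPTOP_GAIN_DBI, d, CHANNEL_6_HZ):.1f} dBm, "
              f"dish hears {received_dbm(AP_TX_DBM, AP_GAIN_DBI, DISH_GAIN_DBI, d, CHANNEL_6_HZ):.1f} dBm")
    print(f"dish reaches {eavesdrop_gain_factor():.1f}x farther than the laptop")
```

Every 6 dB of extra antenna gain doubles the distance at which the same signal is usable, so a 22 dB gain difference buys the eavesdropper about twelve and a half times the range. That is why the "is anyone within range?" question is answered by the attacker's antenna, not by the user's.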

The second part is encryption: it doesn't matter if the data is intercepted if the interceptor can't unscramble it. This happens at two layers. The Wi-Fi network's own security (WPA2 or WPA3) encrypts traffic between your device and the access point, so a passer-by sees scrambled frames; an open network with no password encrypts nothing. On top of that, HTTPS or a VPN encrypts the data end to end, so even the network's operator and the other devices on it can't read it. Transmitting unencrypted data over unprotected Wi-Fi can get you into trouble (see all the warnings about using public Wi-Fi for banking), but encrypting it stops most issues before they start. Hence the rise of VPNs. However, encryption alone won't stop intruders, so the third part is network security.

The next logical step for a hacker is to get onto the protected network itself and then seek out the information they want, skipping the radio interception entirely. The network itself has to be protected as well! Network protection can be passwords, or firewalls, or anything that keeps closed ports closed. An "open port" just means that a program on a computer is listening for connections on that port and will accept packets sent to it. A web server has port 443 open so you can fetch pages from it, for example. If a poorly configured application on a computer on the network is listening on a port it doesn't need to, anyone already on the network can talk to it, and a bug in that application can be used to get into the machine; the Wi-Fi encryption offers no protection, because the attacker is already inside it.
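The following is an added example, not code from the original post, that shows what "open port" means in practice: a listening socket is the open port, a plain TCP connect is the test for one, and the address the listener is bound to decides whether the rest of the Wi-Fi network can reach it. All addresses and ports here are chosen by the example itself; the listener binds to the loopback address so the demo is harmless to run.

```python
import socket
import threading


def start_listener(bind_addr: str = "127.0.0.1", port: int = 0) -> tuple[socket.socket, int]:
    """Open a TCP listener, i.e. an 'open port'. port=0 lets the OS pick a free one.
    Binding to 127.0.0.1 keeps it reachable only from this machine; binding to
    0.0.0.0 would expose it to every device on the Wi-Fi network."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(5)

    def serve() -> None:
        # Accept and immediately drop connections so the port answers like a real service.
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was closed
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def is_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """connect_ex returns 0 only when something is accepting connections on that port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(host: str, ports) -> dict[int, bool]:
    """A minimal TCP connect scan: the same check, across a list of ports."""
    return {p: is_port_open(host, p) for p in ports}


def exposure(bind_addr: str) -> str:
    """Classify how far a listener can be reached, from the address it is bound to."""
    if bind_addr in ("127.0.0.1", "::1", "localhost"):
        return "this machine only"
    if bind_addr in ("0.0.0.0", "::", ""):
        return "every interface: anyone on the network can connect"
    return "one specific interface"


def free_port() -> int:
    """Pick a port that is currently closed, to show what a negative result looks like."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_listener("127.0.0.1")
    closed_port = free_port()
    for port, state in scan("127.0.0.1", [open_port, closed_port]).items():
        print(f"port {port}: {'open' if state else 'closed'}")
    print("a listener on 0.0.0.0 is reachable from:", exposure("0.0.0.0"))
    srv.close()
```

The practical check is the last function: on a laptop or a printer, a service bound to 0.0.0.0 is an open door to everyone sharing the Wi-Fi, whereas the same service bound to 127.0.0.1 is invisible to them, with no change to the Wi-Fi encryption at all.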

2.4 GHz vs 5 GHz

Some routers offer two Wi-Fi bands: a faster one and a farther-reaching one. The 5 GHz band is what you want for video streaming. It has much more spectrum available and wider channels, so it can carry more data per second. The 2.4 GHz band is probably best for the printer in the other room: it penetrates solid objects better than 5 GHz and has a larger range, but it carries less data. 2.4 GHz is also more prone to interference, because many things use that frequency, microwave ovens among them. Even an oven in good condition leaks a small amount of energy, within safety limits but enough to disturb a weak Wi-Fi link nearby; if the interference is severe, have the door seal checked, or simply move the router or switch to 5 GHz.

Modem Vs. Router

What's the difference? A router routes traffic between your home network and the internet. It hands out addresses to your devices, lets them all share one connection, and usually includes a wireless access point, which is why a home router is often called a WLAN (wireless local area network) device. Most houses have a router because of the number of network-enabled devices in a modern home; printers are rarely cabled to a computer anymore, for example.

A modem, on the other hand, converts the signal on your ISP's line (cable, DSL or fiber) into something your network can use. It still exists in nearly every home; it's just often built into the same box as the router, sold as a "gateway", so people rarely notice it. The stand-alone dial-up modem that plugged into a phone line is what has disappeared, along with dial-up itself.

Routers and Wi-Fi are here to stay, at least until the next big things comes out!

Sources:

https://www.cisco.com/c/en/us/solutions/small-business/resource-center/networking/how-does-a-router-work.html#~how-routers-route-data

https://medium.com/@syakirharis25/modem-vs-gateway-vs-router-and-its-security-considerations-d853de8b4b31

https://www.scientificamerican.com/article/how-does-wi-fi-work/

https://science.nasa.gov/ems/06_microwaves

https://www.centurylink.com/home/help/internet/wireless/which-frequency-should-you-use.html

Being Too Smooth To Use

Elizabeth Technology May 16, 2024

Breaking rank with other companies to make things smoother can certainly set your product apart, but is there a point where something becomes too sleek to use?

Tesla Handles

Most Tesla models have exterior handles that retract into the doors when not in use. Inside the car, the doors open by a button press, not by a pull. You are not mechanically opening the door, you are instructing the car to open it, and that is an important difference. Both sets of handles require the car to have power; otherwise, they won't function. Famously, one man struggled to get out of his car after it caught fire because the interior handles don't work like those of any other car, and a separate manual release, tucked away behind the door grab, is needed when the car has no power. He couldn't find it because it's hidden (for added sleekness), and he ended up crawling out through the window. Twitter commenters duly pointed out where the latch was, but if you can't visually identify the thing that will open your flaming car in the next few seconds, is it really a "good" design? It's fine if the car dies, the button doesn't work, and you have time to figure it out; it doesn't work so well in an emergency. The new Cybertruck goes further: if the electronics fail, getting out means removing part of the door trim and pulling on a specific cable. Being trapped in a powerless Tesla is not hypothetical: billionaire Angela Chao died in early 2024 after her Model X went into a pond and she was unable to get out: https://www.cnn.com/2024/03/10/business/angela-chao-death/index.html

Retracting handles are also more prone to freezing over in cold climates, which is very annoying. Plenty of car doors freeze shut, and this is far from a Tesla-only problem, but it turns an already annoying problem into a worse one, because the handle has to be freed from its pocket in the door before you can even begin to try opening it.

Apple and Its Missing Jack

Apple removed the 3.5 mm headphone jack from its phones. Did it need to? Maybe. The jack took up quite a bit of space inside the phone thanks to its placement, and removing it let Apple fit more stuff inside. But then the phones got bigger, and the storage chips got smaller even as they held more. Does this mean Apple will put the jack back, seeing as it no longer needs to conserve space the way it did when it was pushing against technical limits? The phones are flipping huge now; there is space for the jack.

Haha, no!

Removing the jack also meant that any non-Bluetooth headphones customers owned wouldn't work without an adaptor. An adaptor Apple just so happens to sell, with the same fragility as every other cable Apple makes. A whole class of accessories effectively became Bluetooth-only, which is annoying at best and kind of malicious at worst. When carriers pushed the new phone, users had to upgrade everything along with it. Apple happens to sell a lot of those accessories, and while Apple may be pricey, the name still carries weight: a defective product can be returned to a physical store or exchanged immediately without waiting for Amazon to retrieve it.

The phone is sleeker. It has fewer ports. It's closer to being truly waterproof than ever before. It looks cooler than ever. But the minimalist principles in its design directly cost consumers both real money and ease of use. Apple knows this; Apple likes it that way. Eventually there may come a time when Apple removes the USB-C port and expects you to charge wirelessly, on its proprietary charging pad.

Windows 10

Windows wants you to use Bing. Windows wants to add functionality to your taskbar. Windows has combined the built-in taskbar search with web search in an effort to do both of these things. Unfortunately, the combination turns out to be the worst of both. Have you ever had a relative who doesn't use computers much? For a long time, you could rest assured that a search from the Windows taskbar wouldn't somehow end with that relative downloading a browser extension they didn't need, or clicking on an ad they mistook for a file on their computer.

When Windows made it possible to search both the web and the computer from the same search bar, it created a massive headache and added extra clicks to every search. Searching for a file named something like "car report" can bring up web results for sites like Carfax. Suddenly you're not in your files looking for a report that was already written, you're on the web. That's annoying, but you can go back and try again. If you're really desperate, you can open the file picker and search there. It doesn't cover everything on the computer (it hides system files and folders by default, so things like System32 or the Task Manager executable won't show up, and it can't launch them the way taskbar search can even if you do find them), but it's better than the mess you just got into with the search bar.

But wait, go back to that relative. For them, this was a linear path that made sense, and the website must have what they were looking for because it popped up in their search. Every earlier version of Windows only showed files on the device, so they don't know they aren't meant to be on the Carfax website. If they don't stop to call for help, they may end up filling out a form on that site they didn't need to, or handing over information they wouldn't have wanted to. Imagine how much worse that gets if it isn't a car report but taxes, Social Security, health insurance, any number of things saved on a computer that could be confused with an ad in their accidental Bing search.

It says something about how poorly this worked out that there are dozens of forum and blog pages detailing how to disable it so this exact thing won't happen, or won't happen again. Windows 11 at least gives you the option to turn it off, and once it's off you have to go out of your way to get web results in a regular taskbar search. A search box where everything can show up in the same place is not always better.

What is Air Gapping?

Elizabeth Technology May 9, 2024

You might have heard it in the Matrix, or in a heist movie: what does “air gapping” mean?

Normal Devices, IoT devices, etc.

In today's age, many devices have internet capabilities. Your washer, your dryer, your coffee machine, your fish tank equipment, even things like glucose monitors and portable speakers are all now capable of connecting to the internet. Is it useful? Sure, if you want those features; they wouldn't still be made Wi-Fi-enabled if the benefit to the end consumer didn't outweigh the annoyance of setting it all up. Is it safe?

No! Generally speaking, IoT devices are poorly defended, and many ship with default or no passwords to keep unauthorized parties out of their internal computers. A compromised device can then act as a gateway to other parts of the network: your home computer with its tax documents, or the business computer that shares a network with the coffee machine and holds valuable internal documents. One unlucky casino had data stolen after an internet-connected fish tank thermometer gave an attacker a foothold on its network (learn more here on Forbes: https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/?sh=4be5c0832b96 ).

It's unfortunate, but many networks are not as well protected as they need to be, even without an IoT device providing an easy way in. Even crucial networks can be compromised. The only way to truly secure a computer from outside threats is to not allow it any access to the outside at all.

Locked Away in a Tower

An air-gapped computer may still be part of a network with other computers on it, but every part of an air-gapped network is kept physically isolated from the outside world and from any computer that is allowed to touch the internet at large.

It has no connection to any outside network: wireless radios are removed or disabled, and any wired ports lead only to other isolated machines. It will not receive updates over the network, but neither is it exposed to the online threats that missing updates would otherwise invite. If data must be transferred to an air-gapped system, it must be done via physical media like a thumb drive or disc. You may see an issue there: a malicious party who gains access could deliver malware on such a device and infect the air-gapped computer, so physical access must be tightly controlled as well. Famously, Iran's uranium-enrichment facility at Natanz was infected with the Stuxnet worm, carried in on a thumb drive, which set operations back significantly by damaging centrifuges.
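One control that sits between the thumb drive and the isolated machine is a review station that refuses anything not expected. The block below is an added example, not from the original post, of that check: the connected side prepares a manifest of file paths and SHA-256 hashes, the manifest travels separately from the media (read out by hand, for instance, so the media cannot vouch for itself), and the isolated side accepts only files that are listed, match their hash, and are not executables. The workflow, the file names and the sample contents are all assumed and constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Leading bytes of executable formats that should never be carried across the gap.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large transfers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_executable(path: Path) -> bool:
    """Check the file's first bytes rather than its extension; renaming is trivial."""
    with path.open("rb") as f:
        head = f.read(4)
    return any(head.startswith(m) for m in EXECUTABLE_MAGIC)


def review_media(media_root: Path, manifest: dict[str, str]) -> dict[str, str]:
    """Return a verdict for every file on the media and every file the manifest promised.
    manifest maps a path relative to the media root to its expected SHA-256 hex digest."""
    verdicts: dict[str, str] = {}
    seen: set[str] = set()
    for path in sorted(p for p in media_root.rglob("*") if p.is_file()):
        rel = path.relative_to(media_root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            verdicts[rel] = "REJECT: not in manifest"
        elif looks_executable(path):
            verdicts[rel] = "REJECT: executable content"
        elif sha256_of(path) != manifest[rel]:
            verdicts[rel] = "REJECT: hash mismatch"
        else:
            verdicts[rel] = "ACCEPT"
    for rel in manifest.keys() - seen:
        verdicts[rel] = "MISSING: listed in manifest but not on media"
    return verdicts


def demo() -> dict[str, str]:
    """Constructed sample: media carrying one good file, one file altered after the
    manifest was written, one file nobody listed, and one executable that was listed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        schedule = b"maintenance schedule, week 22\n"
        (root / "docs" / "schedule.txt").write_bytes(schedule)
        (root / "docs" / "logger.ini").write_bytes(b"[logger]\ninterval=6\n")     # altered
        (root / "update.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 16)          # PE header
        (root / "notes.txt").write_bytes(b"left on the drive by someone else\n")   # unlisted
        manifest = {
            "docs/schedule.txt": hashlib.sha256(schedule).hexdigest(),
            "docs/logger.ini": hashlib.sha256(b"[logger]\ninterval=60\n").hexdigest(),
            "update.exe": sha256_of(root / "update.exe"),   # listed, still refused
            "docs/readme.txt": hashlib.sha256(b"never copied\n").hexdigest(),
        }
        return review_media(root, manifest)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:<45} {rel}")
```

The order of the checks matters: an executable is refused even when its hash matches, because the manifest only proves the connected side meant to send it, not that the connected side was clean. A file that is listed but absent is reported too, since a quietly dropped update is as much of a finding as an extra one.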

Systems requiring less protection can use devices like data diodes. A data diode is a one-way link: its hardware physically allows data to flow in only one direction, so an unclassified network can push updates into a classified one while there is no path for anything to come back out (or, the other way round, a classified system can send monitoring data out with no way for commands to get in). Where traffic in the other direction is genuinely needed, it passes through a separate, carefully monitored guard, precisely to prevent the situation such devices exist to stop.

Vulnerabilities

As mentioned above, the easiest way into an air-gapped network is to get physically close to the system with portable media like a thumb drive. But a number of other methods of stealing or transmitting data exist too! Researchers have had success with acoustic signals, and with using a cellphone to receive at certain frequencies: malware on the computer manipulated internal components into behaving like an antenna, transmitting data to the phone. Furthermore, if someone does get into the system, malware can often spread much faster than on other networks, because air-gapped systems are not updated as often, thanks to their lack of internet connection. Security holes long since patched on other systems might still be open on air-gapped ones!

The New Internet Is Full of Bots

Elizabeth Technology May 2, 2024

Ever seen a bizarre post with a comment section full of people spamming emotes or otherwise responding in a way that suggests they read a description of the post but didn't actually look at it? Interaction bots have been around for a while, of course, but now that the posts use AI-generated art (rather than stolen art) it becomes obvious these are bots and not people.

What Is An Interaction Bot?

Firstly, in this context "bot" refers to a bit of code that does something automatically. What the bot does depends on its creator's goal: some sit and "watch" videos to boost view counts, others scrape data from websites for analysis, and some scroll, click buttons, and leave simple, plausibly human-sounding comments on posts. An interaction bot is meant to substitute for real human interaction with a post. Since many social media sites now offer money-making opportunities based on views or likes, and since everyone likes feeling popular, this is a problem those sites have been fighting since internet points were invented.

Every time some new "tell" makes the bots easier to purge, the bot makers come up with another way to thwart moderators. When bots were too specific with their likes, the bot makers told them to like a handful of other posts before touching the target post, and to stagger their interactions so they didn't all hit at once. When the comments got too repetitive, a library of comments scraped from places like Reddit started reappearing in comment sections. It's easy to borrow human habits, and we're at a point where an uninterested user is borderline indistinguishable from a bot pretending to be human, at least judging by browsing habits alone.

The goal of some bots is to get a lot of followers onto one account so that account can then sell those followers something, whether a political belief or an actual product. Even on services where views aren't tied to money, those eyes are still useful. The way most algorithms work, a popular post becomes more popular because the site shows it to new people who haven't seen it yet. It does this because the post created engagement, and if the site can keep you engaged, you'll stay on longer and see more ads. Bots entering this ring and artificially boosting certain posts have produced a strange new kind of post that dominates Facebook. Where a post once had to be written by a person, and a picture at least stolen from a real one, the widespread availability of ChatGPT and image generators makes some of these fake posts stick out like a sore thumb.

ChatGPT and Image Generators

You can have a bot ask Midjourney or DALL-E to generate an image, then put that image into a Facebook post with a caption you pre-wrote. Once it's set up, you don't even have to check on it. Once the post is up, other bots show up to comment on it or like it, whether they're yours or someone else's.

This has resulted in posts like Spaghetti Jesus or The 130-Year-Old's Peach Cream and Filling Birthday Cake getting hundreds of comments all saying "Amen!" or "Looks good!", with maybe a dozen people asking what everybody is talking about, because the picture usually looks terrible and fake. This isn't a case of tech-illiterate folks seeing something obviously bizarre and giving it a "like" anyway; these people don't exist. The better fakes may draw a few real people, but the strange ones certainly don't (look at the pictures The Verge has collected as an example: https://www.theverge.com/2024/4/15/24131162/ill-see-your-shrimp-jesus-and-raise-you-spaghetti-jesus-on-a-lambo ).

We've come full circle! This new generation of bots is so advanced that, given the chance to show off the state-of-the-art tech entering the market, they do it without question and accidentally pull back the curtain in the process.

What To Do?

Unfortunately, managing this issue as a user is basically impossible. Even if you keep bots from following your accounts, you're not immune to seeing bot-run accounts when you search or scroll. The best thing you can do is refuse to engage with engagement bait: when something asks you to say "Heck yes!" in the comments, or leave a like if you love X hobby, ignore it, and avoid accidentally propping up bot accounts trying to get big. As for imagery, the bizarre spaghetti creatures and uncanny peach-cake bakers are only going to get better. We're entering a phase of the internet where pictures must be assumed fake until verified, the opposite of what most internet users are accustomed to. On forums like Reddit or Tumblr, a user must read the comments before taking a post as fact, because upvotes and comments are no longer the sign of quality they were when the internet was young and lacked bots. It's a strange new world out there, and the bots are part of it now, for better or worse.

Emulators And The Legal Gray of AbandonWare

Elizabeth Technology April 23, 2024

What is an Emulator?

An emulator is a program that imitates a game console, usually so that someone can play a game that is inaccessible because of price, age, or hardware. Streamers commonly use emulators to play Pokémon games made for the Game Boy so they can screen-record their gameplay directly from their computer instead of somehow hooking the Game Boy up to it. Zelda fans might want to play Ocarina of Time, but find that the console is awfully expensive for one game when an emulator is free or cheap. In some cases games are region-locked, or a country restricts access to certain works as a form of censorship; emulators can make those games accessible to people who want to play them there.

In the 1990s, consoles were on top when it came to games. Computers were rapidly gaining power, however, and some folks realized that a console could be recreated in software on a home computer. The first emulators were born by reverse-engineering console hardware and firmware. They avoided legal action by only copying devices that were outdated, but that changed with a major emulator for the Nintendo 64 released while that console was still in production. Nintendo pursued legal action to stop its primary creators, but others who already had the source code kept the project going.

Ever since, emulators have lived in a strange space: making games available, but sometimes so available that the parent company decides to step in and try to wipe them out, which is nearly impossible once the code is out on the open web. Gamers simply won't let a good emulator die!

Copyright

Copyright is crucial to the gaming ecosystem, and it's a delicate balance: allow fan art but disallow unauthorized gameplay; allow game mods but disallow tampering that could lead to free copies being distributed against the company's wishes; allow fun but not theft. Copyright law is always evolving, as new tech brings new ways to copy, create, and distribute intellectual property. Generally, though, copyright comes back to permission: did the original company intend for its IP to be used this way?

Emulators and copyright don't get along well at all! Emulators, by their very definition, create access to a game in a way the original company didn't intend. As such, it's unofficial, and if money changes hands, it's normally not between the copyright holder and the customer but between the customer and some unauthorized third party.

Games aren't selling you just the physical disc; you're buying a license to play the game. Taken as far as Microsoft intended when the Xbox One launched, friends are only allowed to come over and play on your license because the company can't enforce it otherwise. It's a limitation of the system that they can't keep you from sharing discs or accounts.

Not every company thinks like this (see the PlayStation 5 and a number of recent cases about digital content ownership), but that's the most extreme interpretation. You bought a disc so you could play a copy of their game that they have licensed to you. You own the right to play that copy; you don't own the game itself.

Consider: Death of a Console

When a console dies, it takes all of its content with it. There is no more money to be made from it, and the games slowly disappear into collections and trash bins.

Does art need to exist forever, or is it okay for some art to be temporary? Not every Rembrandt sketch survives; some were just sketches, and he clearly discarded some of his own immature work. Immature art is interesting to see, but it isn't what the artist wanted the audience to see, or it would have been better kept. Think about the ill-fated E.T. game Atari made: they weren't proud of it, they didn't want it seen, and they saw fit to bury it. So they buried it. It was directly against their wishes for people to dig this game up and play it. Emulating it is obviously not what the copyright holder wants.

But then consider the little games on a cartridge that's simply been forgotten to the sands of time, made by a programmer who didn't want it to fade away. Acrobat, also for the Atari, isn't well remembered, but it still made it onto Atari's anniversary console sold in stores. 97 games on that bad boy, and Acrobat was included. It's not a deep game, it's nearly single-player Pong. But the programmers who made it didn't ask for it to be excluded from the collection, so some pride in it must exist, right? Does a game have to be good to be emulated? Is only good art allowed to keep existing officially?

Is all art meant to be accessible to everyone?

If some art is made with the intent to last forever, is it disregarding the creator's wishes not to emulate it, just because the production company objects? If a corporate exec decides a finished work is better used as a tax write-off than released, is it better to listen to that exec, or to the dozens, perhaps hundreds, of people who oppose the exec's decision?

If art is made to last forever but the artist (and society) accept that that's simply unrealistic, is it weird to emulate it, in the same way it's weird to make chatbots out of dead people?

When you get past the copyright, it’s a strange, strange world to be in.

Ethical Dilemma

Stealing goes against the ethics of most societies, modern or not. The case against emulators is that it's stealing. It often is! An emulator/ROM combination (the ROM acts as the "disc" or "cartridge" for the emulator) for Breath of the Wild was working just a few weeks after the game launched, which could have seriously dampened sales if Nintendo hadn't stepped in to try to stop it. That first Nintendo 64 emulator drew a lot of negative attention for the same reason, potentially siphoning away vital sales.

However, there’s a case to be made for games and consoles that aren’t in production anymore.

Is it a victimless crime if the original company really can't make any more money from the game? It's one thing to condemn piracy when the company still relies on that income to make more games and pay its workers; it's another entirely when the studio isn't interested in continuing support and the console had a fatal fault that killed many units after ten years. That game is as good as gone forever without emulators. With no money to be made, why not emulate it?

In less extreme circumstances, the console still works but the cartridges for it are incredibly rare. The company could potentially make money from the game if it someday decided to remaster it, but that's unknowable. Licenses could be made available for purchase, but they aren't right now.

Or, better still, the cartridges are still available on the secondary market. You just don't happen to have the console, which has spiked to $400 because of dwindling supply. You buy the cartridge: you're still buying the license, you just don't have the car, right?

According to copyright, you need a specific car for a specific license, but ethically, you’ve done the best you can as a consumer.

Brand Name

Much like Disney with Club Penguin's many spin-offs, emulators are kind of, sort of overlooked until they start eating into sales. More aggressive companies will go after emulators before they blow up (see Nintendo challenging Yuzu, a beloved emulator), but most companies just don't want to spend money enforcing against them: their game is still being played, their brand is still out there, and users get very upset when a big company steps in and ruins the fun when it doesn't need to. It may do more harm than good to try to wipe out an emulator when most people want to do the right thing.

Obviously, they need to put a stop to emulating new games; the goal is to spend just enough to do that effectively without overstepping and destroying emulators for consoles no longer in production. It takes money to make games, and games should earn money as a result. Removing emulators for games and consoles no longer in production doesn't help anyone earn money, so many are allowed to stay. For now.

Sources:

https://www.pcgamer.com/the-ethics-of-emulation-how-creators-the-community-and-the-law-view-console-emulators/

https://scholarlycommons.law.northwestern.edu/njtip/vol2/iss2/3/

Is Brand Twitter Over?

Elizabeth Technology April 11, 2024

Popular fast-food chain Wendy's has been getting a lot of attention online, and not in a good way: Wendy's briefly floated "surge pricing", where prices would rise around mealtimes, and was promptly (and rightfully) bullied into walking the idea back. Wendy's used to be a cornerstone of the hip, online, highly Millennial marketing of the 2010s, so how could it make such a huge mistake?

You Can’t Win Marketing Bad Ideas

This should be obvious: people will tolerate your jokes at their expense only as long as they like you enough to overlook you crossing lines. Wendy's forgot this. Sunny D forgot this when it posted its now-infamous "I can't do this anymore" tweet. More severely, Elon Musk forgot this when he tried to convince advertisers to stay on his platform after a string of controversial statements about advertisers and free speech. Once that reputation is lost, it's almost impossible to recover. Even companies can say things they can't take back.

So what part of this pricing plan is a bad idea? Think about it from the investor standpoint, people who don’t actually eat a lot of fast food: every part of restaurant life is harder because people tend to come in waves, with giant lines out the door at lunch and dinner time and long periods of quiet in between them. Everything from stocking to training to staffing is beholden to this cycle. If companies could have a perfect world, they’d probably choose to have people come in at a steady pace throughout the entire day, rather than bunching up at lunch. So, discouraging people from showing up all at the same time with a time-sensitive fee makes sense! Right?

But, if you do regularly go to fast food restaurants for lunch, this is a terrible idea. It reeks of being out-of-touch: most people don’t have much flexibility around when they get their lunch break. Most people don’t choose when they get hungry, either. Some consumers will eat a late breakfast if they know they’ll be going to lunch late, sure, but is Wendy’s good enough to plan your entire day around like that, assuming you even can? What if it’s not? It doesn’t spread out the surge at all. If someone is already a devout Wendy’s fan, they’ll still go during their lunch break. If someone is not, they’ll go somewhere that doesn’t jack up the price during lunch; they won’t just wait for the price to go back down if they’re already hungry and there are other options next door.

All this also fails to consider the climate: right now is a mega-uncool time to pull tricks like this!

Who Is Wendy’s?

Everyone is feeling the impact of inflation. The tradeoff, the secret agreement when it came to fast food, was always “sure, it’s not really good, but it’s cheap!” and when it’s not cheap, what is it? We’re experiencing a crisis of market share, where companies aren’t sure what their consumer is supposed to look like or act like anymore. The rising prices of everything are forcing consumers out of their reliable habits as a matter of survival. Wendy’s targeted Millennials when it was funny on Twitter a decade ago, but when that market is not going out to eat because they’re trying to save money or pay down debt, Wendy’s seemingly has no idea what to do. So they did something that instantly cracked the fragile shell of relatability that they’d been cultivating, and made everything worse.

When Wendy’s threatened a price spike now that every big business is selling goods at overinflated prices, suddenly it wasn’t “cartoon mascot Wendy, who’s funny on Twitter” sending out news and slinging burgers, it was “corporate giant Wendy’s spokesperson, a man in a suit”, telling me that if I showed up at the wrong time, I’d be charged an extra fee for the inconvenience of daring to ask for a hamburger at lunchtime. To then try to joke with users on Twitter like Wendy’s is still a relatable, friendly restaurant after that is insulting. Other people on Twitter consistently refused to let them and instead mocked Wendy’s relentlessly no matter what it said in the tweet, until eventually Wendy’s was forced to backtrack on the idea altogether. Wendy’s Twitter will no longer be a viable source of marketing material until this dies down. Even then, potential customers are going to remember this. The internet never forgets.

Wendy’s was allowed to be funny and edgy on Twitter during the 2010s because the burgers were what they said they were (not frozen, square, pretty decent for the price) and because they weren’t actually being all that offensive when they responded sassily to someone who said something goofy in their retweets. “Looks like you forgot refrigerators existed for a second” isn’t exactly a burn worthy of being signed to a label, not that this stopped Wendy’s from launching a rap track dissing Burger King. It’s not like that anymore – they have no diss capable of dispelling three hundred tweets all saying “at least Burger King doesn’t charge more at lunch”. The era where companies could just pull up a seat and act like other real users was already on the way out, but this might have killed it for good.

Your IoT Devices Are Opening Doors For Hackers

Elizabeth Technology April 4, 2024

Internet of Things items are convenient, otherwise they wouldn’t be selling. At least not next to regular, non-WiFi-enabled items. They don’t even have to be connected to the internet, and they should stay that way!

An Internet of Things item, or an IoT item, is a device that has a WiFi- or network-enabled computer in it to make the consumer’s use of it easier. This includes things like WiFi-enabled/networked washing and drying machines, ovens, fridges, mini-fridges, coffee makers, lamps, embedded lights, etc. Anything can be an IoT item, if it’s got WiFi capability.

Network Entry Point

Internet of Things items, when connected to WiFi, represent a weak link in the chain. They’re poorly protected, they’re designed to favor user friendliness over all else, and they’re almost always on. You likely don’t unplug your fridge or washing machine when you go to bed – that device’s computer may sleep, but it’s not off. You probably don’t disconnect the internet when you go to bed, either. Some devices take advantage of this, and only schedule updates for late at night so you don’t notice any service interruptions. Unfortunately, their strengths are their weaknesses, and an always-open port is a dream for hackers.

Outdated Password Policies

Internet of Things items are rarely password protected, and if they are, many users don’t bother actually changing the password from the factory default. This makes them excellent places to start probing for weaknesses in the network!

Assuming someone’s hacking into a place to ding it with ransomware, there are a number of worthy targets: corporate offices, nuclear facilities, hospitals, etc. are all staffed by people, and people like their coffee. A well-meaning coworker bringing in an internet-enabled coffee machine for his coworkers is suddenly the source of a critical network vulnerability, an open port in an otherwise well-defended network!

If the coffee machine, or vending machine, or the lights are IoT items, they need to be air-gapped and separated from the main network. They don’t need to be on the same network supplying critical data within the center. The devices are simply unable to protect themselves in the same way a PC or phone is! There’s no way to download a suitable antivirus onto a coffeemaker. If something gets past a firewall, and that password is still the default or nonexistent, there’s no second layer of protection for IoT devices.

Malware

Hacking into a fridge, for example, is not nearly as hard as hacking into an old PC. Even great antivirus can struggle with traffic coming from inside the network. Even worse, IoT devices are often missed in security checkups anyway. When McAfee or Norton or Kaspersky recommends you scan your computer, are they offering to scan your lightbulbs as well?

Once they’re in, the entire network is vulnerable. Ransomware events with no obvious cause, malware that’s suddenly deleted all the files on a server, stolen data and stolen WiFi – all of it’s possible with IoT devices. There’s more to gain than just bots for the botnet, which is why hackers keep going after these IoT items.

IoT devices are also much easier to overwhelm to gain access, even with firewalls and effective load balancing. DoSing an IoT item can be as simple as scanning it. No, really. A team in the UK found that they could shut down turbines in a wind farm by scanning them. The computers inside weren’t equipped to handle both a network scan and their other computing duties at the same time. Many user devices are in the same spot or worse!

Security

Besides turbines, items like cameras and door locks probably shouldn’t be connected to the internet just yet. A terrifying string of hacks let strangers view doorbell and baby monitoring cameras, for example. The cameras themselves were difficult to defend even though the network was protected by a router. This is terrible for obvious reasons and class action suits were filed soon after. It even happened accidentally; Nest users would occasionally end up viewing other people’s cameras unintentionally, a bug in the system that was only fixed after complaints were made.

A consistent pattern is forming here: security patches are only issued after vulnerabilities are discovered by the consumer! Any other type of programming wouldn’t get away with this without some public outcry. You shouldn’t have to become a victim of a security flaw as large as “someone else is viewing the inside of my house” to get it fixed.

And then there are things that physically interact with the security features of a house, like electronic locks. There’s nothing wrong in theory with a password lock. However, electronics are not inherently more secure than physical locks, and adding in WiFi only gives lockpickers another ‘in’. Hacking the lock could lead to being locked out of your own home, or worse. Besides, a regular lock will never unlock itself because its battery died, or because you sat down on the fob while getting on your bike or into your car. If you do want a password lock, it’s better to get one that’s not network enabled.

We aren’t quite at the point where hacked self-driving cars are a legitimate issue, although the danger is growing on the horizon. Cars are also poorly protected, computer wise.

BotNets

The fridge doesn’t need a quad-core processor and 8 GB of RAM to tell you that it’s at the wrong temperature, or that the door’s been left open and you should check the milk. The voice-controlled lightbulbs only need enough power to cycle through colors. IoT items are weak. But not too weak to be used for things like botnets, even if your main PC wards off botnet software.

Botnets are networks of illegitimately linked computers used to do things like DDoSing, brute-forcing passwords, and all other kinds of shenanigans that a single computer can’t do alone. By combining the computing ability of literally thousands of devices, a hacker can turn a fridge into part of a supercomputer. No one ant can sustain an attack on another colony, but an entire swarm of ants can!

This is another reason tech experts are worried about IoT items becoming widely used. Their basic vulnerabilities give skilled hackers the ability to ding well-protected sites and fish for passwords even if the network they’re targeting doesn’t have any IoT items on it. It’s a network of weaponizable computers just waiting to be exploited. Remember, password protect your devices, and leave them disconnected if you can!

Sources:

https://eandt.theiet.org/content/articles/2019/06/how-to-hack-an-iot-device/

https://danielelizalde.com/iot-security-hacks-worst-case-scenario/

https://cisomag.eccouncil.org/10-iot-security-incidents-that-make-you-feel-less-secure/

https://www.courtlistener.com/docket/16630199/1/orange-v-ring-llc/

Pirating Is a Crime

Elizabeth Technology March 26, 2024

Piracy is a crime. Don’t pirate things. They’re serious about it. There are real reasons beyond “big music corps are people too”.

Why are the fines so steep?

Piracy seems victimless. In reality, the victims are just barely affected with each instance, up until the cumulative effect starts to affect their desire to create. Art has a price, and if folks aren’t willing to pay it, art disappears. Not all of it, of course, but the niche, unusual, and otherwise less profitable stuff goes by the wayside.

Fines are a strong motivator for many people – the main goal is to make piracy so undesirable that nobody does it for fear of the fines, not for the fear of being a thief (or “thief”, depending on how you define copyright violation). Many people don’t see anything actually wrong with stealing content from big name artists. What would the harm be? They aren’t really wrong, but they’re not right – they won’t be affecting that artist very much by themselves, and the amount missing from their art consumption is maaaybe a couple of pennies.

For example, Pharrell only made something like $2,000 on Spotify when he was #1 on the top 40. Pirating that song would cost him maybe a twentieth of a cent, more in potential lost sales if you were intending to buy it on iTunes but went to LimeWire instead. However, now that Spotify is not monetizing any songs under 1,000 listens, you not listening in a legitimate channel could make a bigger difference to smaller artists. It’s like littering: if everyone left their trash at the park, the park would close for cleanup. One person is just an inconvenience to the groundskeeper. One plastic bottle won’t ruin the park’s water, but dozens will, and the rangers only need to catch one to get some of the others to stop. Fines keep litterers and minor pirates alike in check. If everyone thinks ‘my trash won’t hurt’, you get a trashed park. If every pirate thinks ‘my pirating won’t hurt’, you get musicians and moviemakers on strike.

Besides, fines for piracy are massive. Up to $250,000, and possible jail time!

Who are you actually going to hurt?

Small artists who get ripped off with copyright breaches and stolen songs are the people on the cutting edge of new. New music, new tech, new art – the small artists create things that you won’t find in Bed, Bath and Beyond, or on the Top 40. Cost these people money, and you’re destroying a complicated ecosystem of inspiration and passion-projects that the Top 40 is not looking to recreate. Layer Ariana Grande songs over each other, and you’ll discover patterns you didn’t notice before – patterns the producers definitely did notice, and they went down a checklist to get that song out and on the charts.

Small bands don’t have the same resources. When something sounds good, it’s because they made it sound good by themselves – you’re rewarding individual talent by not pirating. Tame Impala didn’t have access to a recording studio for their first album. He wrote the songs himself. He mixed it, himself. The same goes for Billie Eilish, and any other number of bedroom musicians (musicians who record their music in their bedroom). No disrespect to Ariana Grande, but she can’t make albums with the creative freedom that a bedroom band can. The people who invested in her can’t afford to have a flop, so she always gets breathy, poppy, peppy songs with high notes. It’s her strength, so it’s all she gets to release. She has creative input, but not a lot of control.

Pirating wouldn’t directly affect her unless everybody started pirating. It would take significantly less to accidentally crush something like early (early!!!) Tame Impala, or early Billie Eilish, and you might not hear anything like them ever again.

Don’t pirate the music if you want more of it!

Movies: More Serious

Movies are more serious to pirate. The theater runs on a tight margin to keep the tickets cheap. This is why a cup of popcorn is six dollars: that’s where the operating cost goes – the ticket is just paying for the movie’s rental of the reel from the studio.

The studio puts its money towards making back the budget of the film, and if the film does well enough, there may be a sequel. Trolls, for example, did well enough for studios to invest in Trolls: World Tour. The same goes for Tenet, and for Sonic. They made enough money back that the studio wants to keep the gravy train running. Not all sequels are good – and some may say that money shouldn’t be running art – but the world we live in has these rules. More money = more creation. Many talented artists literally cannot afford to create art full-time if they aren’t being paid for it.

However, assume pirating eats into the profit. One guy copies the file and sends it out and around, and a bunch of people see the pirated version on disc or download. They don’t want to spend money to see it again. Pirating takes the movie off the watchlist of hundreds or thousands without actually funding the movie. That wouldn’t have ruined Sonic or Tenet necessarily, but for an indie project, that can be devastating.

Pirating can happen at the theater too! You think you’re watching a legitimate copy of Fast and Furious 8, but the owner had pirated it from a connection he had who got it early for review. That theater makes blockbuster movie money, and the studio sees none of it. Stuff like that is why the fines are so huge; that owner would gladly do it again for a $2,000 fine. Illegitimate rental places were also a real problem. Blockbuster franchises (and small locally-owned rental stores) making illegal copies of recent hits was a profit-killer.

And as small bands suffer more than big bands, so too do small movie studios. Some of the wildest, most creative movies ever pushed to the big screen come out of small studios. The group that made Coraline, for example, is relatively small compared to Disney or Pixar. Pirating a newly released movie en masse could seriously dampen their funding for the next movie even if it wouldn’t make a dent for Disney.

It’s cumulative. They won’t catch everyone who pirates… but they’ll get enough to be a deterrent. Good art comes from protecting the artists who made it!

Sources:

https://variety.com/2020/film/news/trolls-world-tour-streaming-theatrical-window-future-1234573263/

Sony’s DRM Nightmare

Elizabeth Technology March 21, 2024

In 2005, an organization had been covertly installing a program similar to a rootkit onto consumer devices without warning. For those who haven’t heard it before, a rootkit is simply a program that is designed to remain unfindable on a device. They aren’t all bad, but their difficult-to-detect nature and ability to evade even aggressive anti-virus makes them a top-of-the-line tool for hackers. Back to the story.

The rootkit was on the lookout for ‘suspicious activity’, and if it detected any, it would quietly alert the parent company. However, even if you had nothing to hide, you still had something to fear: the rootkit left a gaping security hole, and a smart enough hacker could piggyback off of it to get Trojan Horses, Worms, and other nasty bugs in without alerting the computer that “hey, there’s an .exe file doing weird stuff!”

The rootkit was designed to hide itself, and it would hide the bugs behind it. There was no mention of this anywhere in the EULA agreement for the program that had the rootkit. The parent company hadn’t meant to leave a backdoor, but they did, and attempts to fix it without removing their own program just made the problem worse. Attempting to fake fixing it with an uninstaller only hid the program deeper in the system, and trying to uninstall it could brick the computer, depending on which program you got. They’d really screwed themselves, and they hadn’t expected to get caught.

This wasn’t some Russian hacking scheme, or some government overreach – it was Sony, attempting to keep copyrighted material off of pirating websites. Talk about an overreaction.

The History

At some point, a company has to admit it would rather ruin the legitimate user’s experience than let a pirate go unpunished. That’s very understandable: stealing is wrong, and smug pirates behaving like they’ve gotten one over on ‘the system’ are frustrating. Ordinary responses to this can be anything from asking for the license # on the inside of the clear case to more subtly ruining the audio quality of pirated copies. This is a normal level of copyright protection. Very determined pirates could still get around these measures, but hey, you can’t spend all your resources on the fringe cases.

Companies are aware of this, and some begin to factor ‘unstoppable piracy’ into their calculations – you know, like grocery stores will factor in ‘lifting loss’ and spoiling produce. Companies usually determine they’d be spending more on preventative measures than they’d be keeping on the shelves. Theft is wrong, but so is littering and driving without a license. Somehow, all three still happen anyway. Sony is very mad that pirates are getting away with fresh content, and they want to do the equivalent of TSA pat-downs on everybody at the exit of the grocery store to stop a small percentage of thieves. They don’t care anymore; nobody is going to get away with it.

Was it Reasonable?

Napster and LimeWire are making inroads into the music industry’s profit, and 2005 was the peak. The pirating of copyrighted content is only made easier with the rise of the internet, and Sony realizes it’s nigh impossible to find the illegitimate downloaders, and uploaders were only marginally easier. They decide to go for the source, but they decide to hit hard.

“The industry will take whatever steps it needs to protect itself and protect its revenue streams… It will not lose that revenue stream, no matter what… Sony is going to take aggressive steps to stop this. We will develop technology that transcends the individual user. We will firewall Napster at source – we will block it at your cable company. We will block it at your phone company. We will block it at your ISP. We will firewall it at your PC… These strategies are being aggressively pursued because there is simply too much at stake.” – Sony Senior VP Steve Heckler

This quote was said in 2005, after Sony had merged with another company, BMG. BMG had an incident in Europe in the 2000s, when they’d released a CD without warning users of the copyright protection on the inside. Apparently, burning money to replace those CDs (and burning goodwill) was not enough of a lesson, and Sony and BMG together prepared to take a stand against pirates.

The Problem

They’re going after the big boys, the folks downloading music to upload everywhere else… for free.

These are the people depressing profits, in theory. Some companies theorize that once these people are gone, the people passively pirating by downloading stuff from them will also disappear and go back to buying the content. They’re somewhat right, and this audience shrinks over time. More on that later.

This is illegal and very annoying! The estimated lost sales from piracy were in the billions, and many companies were beginning to look at more intense DRM: Digital Restriction Management.

To some people, DRM is the root of all evil, the seed of the eventual downfall of consumer’s rights. After Sony’s screw-up, they were right to call it as such. John Deere, Apple, Sony, Photoshop, etc. are all slowly eating away at their own best features for the sake of pushing users into proprietary software. Software they’re not allowed to repair because of DRM. Take Deere: if a new Deere tractor detects a common tractor repairman’s diagnostic software, a Deere tractor will stop working until you call out a Deere technician. This obviously drives up demand for Deere technicians, and it’s horribly restrictive to the user. Lawsuits are in progress right now over this because the obvious result is that Deere can cost you your farm by doing this.

To others, DRM is an essential part of the free market. Companies should be allowed to protect what they made, and if users find their methods extreme, they shouldn’t have bought it. And in less extreme circumstances, they’re right! That’s what the EULA, the End User License Agreement, is for. The user can decide if they’re willing to put up with the DRM specified in the Agreement, and if they’re not, they don’t have to buy it. ‘If you pirate this, it will only play static’ is reasonable.

Sure, some super-cheapskate who found a sketchy download off some sketchy site is going to listen to static with Hint of Music, but the average user would rather buy the disc and be done with it. If the company can make the ripped upload sound like garbage when it’s off its home CD, they won. The company has successfully used DRM here to keep their honest customer honest, and any would-be pirates away. And they did it without destroying either computer! As Stewart Baker of the Department of Homeland Security said, “it’s your intellectual property – it’s not your computer”.

Doing it this way means normal consumers still get a high-quality product, and if the DRM is limited entirely to the content itself, there’s no risk of it coming back to bite the company in the butt.

Still, if you really disagree with DRM, there were companies that successfully reduced their piracy problems in other ways. Some found that guilt was enough, others found that once certain websites were gone, their piracy problems disappeared too. Warning folks that piracy was still a crime got the people who didn’t know any better to stop. Fines did a number on the folks who were too bold or too dumb to not get tracked with non-DRM means, and for the people who were doing it because it was more convenient? They reduced their pirating when better paid methods became available. Sony’s problem could have been solved in a lot of ways!

Besides, Sony wasn’t struggling. Lost sales are not the same as losses! Companies are still making profit, just not as much as they’d like. Property is not being damaged, and nobody is experiencing physical harm as a result of pirating.

The Response

Sony’s DRM was a severe overreaction to the problem at hand, and it did lead to several lawsuits. As said at the beginning, Sony had not only installed software without the user’s knowledge, but they’d then left a big entry point for security threats to get in undetected. Hundreds of thousands of networks were affected, and some of them were government. Once someone blew the lid on the DRM, they released a cover-up “uninstaller” that just hid the rootkit better and installed more DRM content on the user device.

This does not help!

The blown cover for the rootkit meant that black-hat hacking organizations could tool around and create something that could get into anything with that rootkit on it, undetected. Eventually Sony was forced to admit this was wrong, but not before screwing over a couple million people who just wanted to listen to Santana or Celine Dion from a CD they paid for. Over pirates.

Yeah, there’s some lost profit – but it doesn’t outweigh the regular customers.

The Aftermath

Sony’s first instinct is to hide it. As mentioned in the article above, the uninstaller available didn’t actually uninstall it, and some users reported issues of system crashes and their machine bricking up when the uninstaller’s poor programming tried to interact with the rest of the device’s programming.

Their second decision is to lie – ‘the DRM has no backdoors and doesn’t pose a risk to your computer’s security’. This is demonstrably untrue, and given that they were already in the beginning stages of recall, could be considered a deliberate lie.

Sony’s third action is to recall the discs with the DRM on it, but they don’t get all of the discs. Some users aren’t sure if their disc is affected or not, and even non-profit organizations dedicated to maintaining free internet can’t figure out what discs have it and what discs don’t. The best they can do is a partial list. Stores in New York and Boston are still selling the discs three weeks after the recall. However, users do get to swap their disc with an unprotected one through the mail. Sony seems to have acknowledged their screw-up at this point.

Sony’s fourth action is more a consequence – they stick a class-action lawsuit sign-up notice on their home website, and users affected can claim damages up until 2006. Class-action lawsuits filed by individual states start to drag down Sony’s profits more than the piracy ever did, and the end result is a mandate to put warnings on the cover of discs and to stop using DRM that could damage a user’s computer. DRM is still allowed, it just can’t be possible to destroy a computer to protect a song license. The feds actually considered this a breach of federal law and stated that it was engaging in deceptive and unfair business practices. Sounds about right – consumers wouldn’t have bought a disc that downloaded DRM without their knowledge. From conception to execution, this was a moral, ethical, and legal mistake. While pirating is wrong, it’s possible to be more wrong trying to stop it.

https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal

https://us.norton.com/internetsecurity-malware-what-is-a-rootkit-and-how-to-stop-them.html

https://www.wired.com/2006/12/sony-settles-bm/

https://www.theregister.com/2005/11/01/sony_rootkit_drm/

https://money.cnn.com/2005/06/24/news/international/music_piracy/

https://www.networkworld.com/article/2998251/sony-bmg-rootkit-scandal-10-years-later.html

https://fsfe.org/activities/drm/sony-rootkit-fiasco.en.html

https://digitalscholarship.unlv.edu/cgi/viewcontent.cgi?article=4058&context=thesesdissertations

https://www.networkworld.com/article/2194292/sony-bmg-rootkit-scandal–5-years-later.html

The Worst Way To Make A Password

Elizabeth Technology March 19, 2024

There are many ways to make good passwords.

How do you make a password that barely protects you at all?

1) Use something really identifying

Using a password like “dadof4” or “kayaking” when you regularly tell people that you have four kids or that you kayak is a good way to let your acquaintances know that you might be easy to Facebook-hack. The same goes for any interest, really! If your password is a political slogan or something to do with something you own and regularly post about – like a classic car, or #vanlife – you’re in for a bad time.

2) Use a Sequence

This goes beyond something like “12345” or “2468”. Don’t try the Fibonacci sequence, don’t try whatever the DaVinci Code had going on with that codex thing – don’t try pop-math as a password. Most brute-forcing AI is designed to try these numbers first. Trying a single instance of an eight character password in a dictionary attack takes less than a tenth of a millisecond on a reasonably powerful home-desktop computer; of course a cyber-criminal is going to put all the memorable sequences at the front of the queue.

3) Use Pop Culture

In fact, stay away from pop password references in general. Ramses2? Someone who knows you like Watchmen could guess this. EequalsMCSquared? If your buddies know you like Big Bang Theory, the password’s not good enough. There are plenty of nonsensical pop-culture references that make good passwords – so you don’t need to be using the passwords that are super obviously passwords, the passwords the characters use in the show. Just stick to the sayings or catchphrases that are somewhat obscure, and make sure it’s A) long enough and B) mixes in enough special characters to thwart brute-force AI. Don’t let your hint (if the website lets you set one) become a trivia game.

4) Make it too short

Most websites won’t even let you get away with anything less than eight characters, but in case you find a really ancient one that doesn’t have these requirements, a surefire way to get yourself in trouble is to make your password very, very short. I’m linking a better description that goes over the equation in more detail here.

The equation they use assumes it will take 0.0017 milliseconds to compute a hash, or (1.7*10^-6) seconds. Multiply that by the size of the available character library raised to the power of the password length. The library sizes are: 26 (all lower- or all upper-case only), 52 (upper and lower cases), 62 (upper and lower cases and also numbers), or 80 (all of the above + special characters allowed in the password field). You raise the character library size to the power of the number of characters in the password, multiply by the hash time, and then divide all of that by two (on average, the attacker only has to try half the possibilities). For an eight character password written with upper and lower case libraries, the equation is this: ((1.7*10^-6)*52^8)/2 (seconds).

This is the time it takes to compute one hash, multiplied by the number of characters that could be in any one spot raised to the power of the number of spots, on a regular computer. Botnets and super computers, which hackers may have access to if they’re well-funded, take a thousandth of that time. When it’s very crucial to keep bad actors out, limiting login attempts and 2FA can help hold back even the most powerful of computers – but most people aren’t going to be targeted by someone with a botnet.

Basically, what you should glean from this, working the equation through: a ten-character password using the full 80-character library (26 upper case plus 26 lower case plus the digits 0-9 plus special characters) comes out to roughly 290,000 years on a single desktop, and still a few hundred years on the thousand-times-faster botnet or supercomputer, which may as well be impossible.

An eight-character password with the same library comes out to about 45 years on a desktop and a bit over two weeks on that botnet/supercomputer. Still strong against a desktop, not nearly as strong as a ten-character one. An eight-character password with only lowercase or only uppercase letters (26 possible characters) takes about two days on a desktop and about three minutes on the botnet.

A four-character password with the full character library takes about 34 seconds on a desktop, using the equation provided. On the botnet, it's broken in less than a blink. The numbers are even worse if you stick to upper- or lowercase letters only. If you want a bad password, making it short is the surest way to make problems for yourself! The longer a password is, the harder it is to crack: every extra character multiplies the attacker's work by the size of the library, so the cracking time grows exponentially with length.
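To make the arithmetic above reproducible, here is a small calculator that implements the article's equation as written (time per hash times library size to the power of the length, halved, and divided by the attacker's speed-up). This is an added example, not code from the original post or from the Thycotic article it cites; the 1.7 microsecond hash time, the 1000x botnet figure and the four library sizes are the article's own numbers, and the optional slow-hash factor is an assumption added to show what bcrypt-style hashing does to the same table.

```python
import math

# Constants taken from the article's equation (the botnet speed-up is the
# article's rough "a thousandth of the time" figure, not a measurement).
HASH_SECONDS = 1.7e-6      # 0.0017 ms per hash on one desktop
BOTNET_SPEEDUP = 1000      # botnet / supercomputer modelled as 1000x faster

# Character libraries counted the way the article counts them.
LIBRARIES = {
    "lower only": 26,
    "upper+lower": 52,
    "upper+lower+digits": 62,
    "all (with specials)": 80,
}


def crack_seconds(length, library, hash_seconds=HASH_SECONDS, speedup=1):
    """Expected brute-force time: the attacker tries library**length possible
    passwords at one hash each and, on average, hits the right one halfway."""
    keyspace = library ** length
    return hash_seconds * keyspace / 2 / speedup


def entropy_bits(length, library):
    """The same keyspace expressed in bits: log2(library**length)."""
    return length * math.log2(library)


def human_time(seconds):
    """Render a duration in the largest unit that keeps the number readable."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def crack_table(lengths=(4, 8, 10, 12), slow_hash_factor=1):
    """Rows of (length, library name, desktop seconds, botnet seconds).
    slow_hash_factor (an assumption, not from the article) models a
    deliberately slow password hash such as bcrypt or Argon2 as a multiple
    of the fast-hash cost; 1 reproduces the article's numbers."""
    rows = []
    per_hash = HASH_SECONDS * slow_hash_factor
    for length in lengths:
        for name, size in LIBRARIES.items():
            desktop = crack_seconds(length, size, per_hash)
            botnet = crack_seconds(length, size, per_hash, BOTNET_SPEEDUP)
            rows.append((length, name, desktop, botnet))
    return rows


if __name__ == "__main__":
    for length, name, desktop, botnet in crack_table():
        bits = entropy_bits(length, LIBRARIES[name])
        print(f"{length:>2} chars  {name:<20} desktop {human_time(desktop):>20}"
              f"  botnet {human_time(botnet):>20}  ({bits:.0f} bits)")
```

Running it prints the table for 4, 8, 10 and 12 characters; the entropy column is the same information in bits, which is how password-strength discussions usually state it. Passing `slow_hash_factor=10000` to `crack_table` shows why the hashing algorithm the site chose matters as much as the password length once a database has leaked.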

5) Make it a Sequence with numbers

Using "Password – Password1 – Password2…" turns into a security problem, even though a cracker looking at one password in isolation can't tell what you're doing. "ILovePuppies2" should, in theory, be no less secure than "ILovePuppies1" or "ILovePuppies3": mathematically, they're the same number of guessable characters. However, if your coworkers know that you use a base word with a number behind it, they can guess your new password with knowledge the cracker doesn't have. And cracking tools get that knowledge in a roundabout way: their rule sets routinely take a known base word (from a previous leak, say) and try it with digits appended, so "base word plus counter" is one of the first patterns to fall once any one version has leaked.

6) Use special characters in places you won't remember them

Doing the bare minimum of eight to ten characters with an @ or an & thrown in makes you more secure. However, it also makes the password harder to remember. If you were online in the 2000s, you might remember leetspeak, wh353 3W3 T&P3 L1%3 7H12. It was awful. Entire paragraphs were unreadable because the writers had no consistent rules for letter replacement and mixed in homophones for whole words just to up the difficulty even more.

If you don't remember your own replacement rules (is 2 an S or a Z? Do you always use % for K, or can it sometimes be X? etc.) when writing a leetspeak password, you're just making an easy-to-forget password with more steps. The same goes for special characters in general: if you know you're not going to remember replacing A with @ or 4, you're going to give yourself a lot of trouble by forcing those substitutions in when you could use other characters, like punctuation, in easier-to-remember spots.

Leetspeak makes decent passwords – if you're used to it, and if your word or phrase always comes out with the same replacements. If SPEAKFRIEND is always 5P34KFR!3ND and never SP34%5R13|\|D, you've got a usable system. Otherwise, you may as well be keysmashing. One caveat: the standard substitutions (a to 4 or @, e to 3, i to 1 or !, s to 5 or $) are built into cracking tools' rule sets, so a leet version of a dictionary word or a well-known quote is not much stronger than the plain version. Leetspeak works as a memory aid on top of a long, obscure phrase, not as a substitute for one.
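Items 5 and 6 both come down to the same attacker behaviour: a cracker that knows (or guesses) a base word applies mechanical rules to it rather than brute-forcing every character. The following added example, written for this post and not taken from it or from any cracking tool, shows a toy version of that: it takes two base words, generates the leet variants and the "append a number" variants a rule set would, and checks them against hashes of the "improved" passwords from the text. The substitution table, the 0–99 suffix range and the unsalted SHA-256 storage are all assumptions chosen to keep the demo short.

```python
import hashlib
import itertools

# A small leet substitution table (assumption: a subset of what real cracking
# rule files carry; those also try many more swaps and orderings).
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7", "l": "1"}


def sha256_hex(text):
    """Unsalted SHA-256, used here only so the demo is self-contained."""
    return hashlib.sha256(text.encode()).hexdigest()


def leet_variants(word):
    """Yield every combination of keeping each letter or swapping it for one
    of its leet replacements; case of unswapped letters is preserved."""
    options = [[ch] + list(LEET.get(ch.lower(), "")) for ch in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def candidates(base, max_suffix=99):
    """Chain two rules: leet substitution, then optionally append 0..max_suffix."""
    for variant in leet_variants(base):
        yield variant
        for n in range(max_suffix + 1):
            yield f"{variant}{n}"


def crack(target_hashes, bases):
    """Return {hash: plaintext} for each target hash that some candidate hits."""
    remaining = set(target_hashes)
    found = {}
    for base in bases:
        for guess in candidates(base):
            if not remaining:
                return found
            digest = sha256_hex(guess)
            if digest in remaining:
                found[digest] = guess
                remaining.remove(digest)
    return found


# Constructed demo: the base words a coworker (or an earlier leak) would reveal,
# and hashes of the "improved" versions the article discusses.
BASES = ["ILovePuppies", "SPEAKFRIEND"]
TARGET_HASHES = [sha256_hex("ILovePuppies3"), sha256_hex("5P34KFR!3ND")]

if __name__ == "__main__":
    total = sum(sum(1 for _ in candidates(b)) for b in BASES)
    print(f"{total} candidates generated from {len(BASES)} base words")
    for digest, plain in crack(TARGET_HASHES, BASES).items():
        print(f"{digest[:16]}...  ->  {plain}")
```

Both targets fall after a few tens of thousands of guesses, which is nothing next to the 80^11 keyspace an eleven-character password would have if it were actually random. A salted, slow hash would raise the cost of each guess but would not change the candidate list; only a base word the attacker cannot predict does that.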

7) Keysmashing

Don't do this unless you have a password manager. You're not going to remember the keys you hit. Your browser might, but then what do you do when you're not on your usual browser? You're stuck resetting the password. Don't keysmash. Just…don't. It's a bad way to make passwords. If you're truly set on randomness in your password, a solid password manager is the way to make sure you a) always have your password with you and b) always get a password with real randomness, drawn from a cryptographic random number generator. Keysmashing, by contrast, usually produces all-lowercase characters clustered around the home row and leaves special characters out – it's not actually randomized at all.
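What a password manager does under the hood is roughly the following, shown here as an added example (not code from the post or from any particular manager): draw every position from the full 80-character library using the operating system's cryptographic random number generator, and redraw the whole password if any character class is missing. The specific set of 18 special characters is an assumption chosen so the library size matches the article's count of 80.

```python
import math
import secrets
import string

# 18 specials chosen so the full library is 26+26+10+18 = 80 characters, the
# same count the article uses (assumption: which 18 is arbitrary here).
SPECIALS = "!@#$%^&*()-_=+[]{}"
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS]
ALPHABET = "".join(CLASSES)


def generate_password(length=16):
    """Draw each position uniformly from the full library using the OS CSPRNG
    (secrets), and redraw until every class appears. Rejecting whole draws keeps
    the result uniform over the accepted set; stuffing one character of each
    class into fixed positions would not."""
    if length < len(CLASSES):
        raise ValueError("length too small to include every character class")
    while True:
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in password) for cls in CLASSES):
            return password


def entropy_bits(length, library_size):
    """Bits of search space for a uniformly random password of this length."""
    return length * math.log2(library_size)


def keysmash_vs_generated(length=16):
    """(keysmash bits, generated bits) for equal length. The keysmash figure
    assumes all 26 lowercase letters equally likely, which is generous: real
    keysmashes cluster on the home row, so the true number is lower still."""
    return entropy_bits(length, 26), entropy_bits(length, len(ALPHABET))


if __name__ == "__main__":
    pw = generate_password()
    smash, gen = keysmash_vs_generated()
    print(pw, f"({gen:.1f} bits vs at most {smash:.1f} for a lowercase keysmash)")
```

Note the use of `secrets` rather than `random`: the latter is seeded for reproducibility and is not suitable for anything an attacker might try to predict.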

8) Make it something you won’t remember at all

Having to regularly reset your password is definitely annoying – and it can lead to security gaps when users get fed up with hitting the reset link, going to their email, hitting that link, going back to the website, picking a new password, typing it in twice, waiting for the two-factor message to come in, yada yada. CIS recommends forcing a change no more than once a year, partly because this is so common. The frustration of doing this song and dance every couple of weeks leads users to write their password down or to make trivial variations on the old one, which is significantly worse than leaving the old, strong password they remember as it is. Regularly resetting passwords won't improve the security of the system if the user got it right the first time and there's solid 2FA in place – even the FTC agrees! The one time a reset is non-negotiable is when the password has actually been exposed in a breach.

9) Use a master password for everything

It's good to have a strong password. It is not good to use that same strong password everywhere! Let's say you subscribe to an online game website. The game is free, and the account exists purely for age verification, so there are no payment details, only your email and password. (This applies to online forums, too!) They don't invest in top-notch security because there's no obvious reason to: no payment details, no SSNs stored anywhere, so a hack wouldn't ruin their users, it would just be annoying to lose saved game progress. Unless…

Unless those users use a master password, tied to their email, for every account they have. When a breach exposes both email and password from some little website that doesn't even store payment data, as breaches frequently do, suddenly an attacker has a working login for everywhere that master password was reused. They'll try it everywhere, automatically: every bank, every shipping company, every streaming service. This is called credential stuffing, and it's why the gaming website is a target in the first place. Reusing a password is tempting – don't do it.
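From the defender's side, credential stuffing has a recognisable shape in authentication logs: one source trying a different account on nearly every attempt, with an occasional success wherever the reused password was still valid. The detection below is an added example for this post, not from any real product; the log format, the sample lines and the thresholds are all constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample log in a made-up format (not from any real product).
# 203.0.113.9 tries a different account on every attempt: the shape of a
# stuffing run that replays a leaked email+password list. 198.51.100.7
# hammers one account: a plain brute force. 192.0.2.44 is a normal login.
LOG = """\
2024-05-28T10:00:01Z auth=fail user=alice@example.com ip=203.0.113.9
2024-05-28T10:00:02Z auth=fail user=bob@example.com ip=203.0.113.9
2024-05-28T10:00:02Z auth=ok   user=carol@example.com ip=203.0.113.9
2024-05-28T10:00:03Z auth=fail user=dave@example.com ip=203.0.113.9
2024-05-28T10:00:03Z auth=fail user=erin@example.com ip=203.0.113.9
2024-05-28T10:00:04Z auth=fail user=frank@example.com ip=203.0.113.9
2024-05-28T10:00:05Z auth=fail user=grace@example.com ip=203.0.113.9
2024-05-28T10:00:01Z auth=fail user=heidi@example.com ip=198.51.100.7
2024-05-28T10:00:02Z auth=fail user=heidi@example.com ip=198.51.100.7
2024-05-28T10:00:03Z auth=fail user=heidi@example.com ip=198.51.100.7
2024-05-28T10:00:04Z auth=fail user=heidi@example.com ip=198.51.100.7
2024-05-28T10:00:05Z auth=fail user=heidi@example.com ip=198.51.100.7
2024-05-28T10:00:06Z auth=fail user=heidi@example.com ip=198.51.100.7
2024-05-28T10:00:09Z auth=ok   user=ivan@example.com ip=192.0.2.44
"""

LINE = re.compile(r"auth=(?P<result>\w+)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)")


def summarize(log_text):
    """Per source IP: attempts, failures, distinct users tried, users that logged in."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "users": set(), "successes": set()})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] == "ok":
            s["successes"].add(m["user"])
        else:
            s["failures"] += 1
    return stats


def classify(stats, min_attempts=5, stuffing_ratio=0.8):
    """Label an IP 'credential stuffing' when nearly every attempt is a
    different account, 'brute force' when many failures pile up on one
    account. The thresholds are assumptions to tune per site."""
    verdicts = {}
    for ip, s in stats.items():
        if s["attempts"] < min_attempts:
            continue
        distinct = len(s["users"])
        if distinct / s["attempts"] >= stuffing_ratio:
            verdicts[ip] = "credential stuffing"
        elif distinct == 1 and s["failures"] >= min_attempts:
            verdicts[ip] = "brute force"
    return verdicts


def accounts_to_reset(stats, verdicts):
    """Accounts a stuffing source logged into: their reused password is in the
    attacker's list, so a forced reset (and 2FA) is warranted."""
    hit = set()
    for ip, label in verdicts.items():
        if label == "credential stuffing":
            hit |= stats[ip]["successes"]
    return hit


if __name__ == "__main__":
    stats = summarize(LOG)
    verdicts = classify(stats)
    for ip, label in verdicts.items():
        print(f"{ip:<14} {label:<20} attempts={stats[ip]['attempts']} "
              f"distinct_users={len(stats[ip]['users'])}")
    print("force reset:", sorted(accounts_to_reset(stats, verdicts)))
```

The important distinction is that a per-account lockout, the classic brute-force defence, never fires against stuffing, because each account sees a single attempt; the signal lives in the per-source view, and the response is a reset for the accounts the attacker actually got into.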

10) Don’t use Two-Factor

If you really want an unpleasant online experience, don't use two-factor anywhere. That way, even good passwords act like bad passwords! Look back at item 4 to imagine the power of a very determined attacker. Ultimately, if someone is really, really determined, they will spend whatever resources they have to get in. Using two-factor can only help you: even an attacker who has your correct password, whether guessed, cracked from a leak, or phished, still needs the second factor. An eight-character password with no attempt limit is not nearly as much protection as it used to be, so two-factor is essential unless you're looking to have a bad time.

Sources: https://thycotic.force.com/support/s/article/Calculating-Password-Complexity

https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes