Wow, feeling hungover today after 3 days of TechCrunch Disrupt. Not alcohol hungover, but energy hungover. Being in a hall full of startups (more than a 100) creates an enormous amount of energy. I came home each night tired, but unable to fall asleep as I thought through some of the interesting companies, and mulled over interesting strategic options for them.
Being on the floor of TechCrunch is like being at the Circus Maximus. All of these entrepreneurs have a sincere conviction that they are going to win, but the sad truth is that most will not. Luckily, the consequences of failure in Silicon Valley are a bit less severe than in ancient Rome. After their companies die, they will be back. To paraphrase from Gladiator, "I will have my success, in this life or the next!".
I want my next hit of entrepreneurial energy. I will get some at the Mobile Apps conference next week. In two weeks, I will start my 10 day program at Singularity University--that will be really energizing/exhausting.
Thursday, September 30, 2010
Friday, September 17, 2010
Security--random thoughts
My Hotmail account was hacked last week. Very embarassing--I have never had an account hacked before because I use decent passwords and I avoid viruses by not clicking through on strange links and using a Mac. The hackers sent out a link to an online pharmacy, though I suspect the linked page is also use to spread malware. I was able to send out a follow up email within 2 hours to let people know to delete the email, and, fortunately, I don't have a lot of addresses in my hotmail addressbook. My aunt had it even worse--I saw 4 or 5 emails from her account, and she struggled to regain control of it and is now just going to shut it down.
It got me thinking about security, both virtual and physical.
On the virtual side, the long held belief is that a strong password will keep you safe. That is apparently not true, as I just learned. But the reason why is a bit annoying. Hackers use "dictionary" attacks on popular web services, where they just bang on an account trying thousands (hundreds of thousands, actually) of combinations.
The most sophisticated tools (eg. L0phtcrack), easily available online, can crack 25% of passwords in seconds, and can try 17 BILLION combinations an hour. An 8 character password with a combination of letters, numbers and special characters (eg. asterisk, dash, underscore) has only about 100 billion different combinations. So, if someone really wants to crack your account, they just need a few hours. Presumably, the hackers just spend a few seconds to get the easy accounts. The password length I had been using, a mere 6 digits, had only 45 million combinations. I do use longer passwords on my more important accounts, but Hotmail is mostly for spam anyway, so I never upgraded the password.
The real problem here is obvious, but few ever mention it. Why do Hotmail and other services allow hackers to bang on the door thousands of times? If you blow a password 10 times in a row, your account should be locked. Then a simple, easily remembered password would be perfectly adequate.
The problem here, and I suspect why the web services do not enforce this, is that if hackers are banging on Hotmail all the time, thousands of users will be locked out every day, generating an enormous amount of traffic to customer support. Very sensititive systems such as SaaS ERP do enforce a limited number of tries, but they have a small number of users and an enormous reputation problem if they are cracked.
So, perhaps the solution is multifactor authentication. Not the physical token systems that you see some corporate users carrying around, but merely a second layer of security. You could have a password that gets you to the second layer, which would require you to pick out a face or picture from a matrix of options. The human brain is particularly good at remembering faces. Because you can only present 15 or so options, it is really not adding that many combinations, but it would definitely help, and the fact that it eludes keylogging software is a definite bonus.
[UPDATE 9/20: Google just released two factor authentication for Google Apps accounts. It uses a smartphone app to generate an authentication code that is the second step of the process (replacing a dedicated fob such as used by Verisign systems). I am feeling rather pleased with myself for being one day ahead, for once, instead of the reverse.]
So, "strong" passwords present the illusion of security, but in reality are just a slightly higher fence. That works for random attackers, but not an attacker that might be targeting you.
Many physical security measures work on the same principal--you don't have to outrun the bear, you just have to outrun your friend. But if someone is targeting you specifically, you are in trouble. This is where things like airport security often fall down. They annoy the casual traveler in the name of protection, but fail to deter the dedicated attacker.
The auto theft statistics for 2009 show almost a 25% drop in theft from 2008--a big decrease. But they also show a drop in the recovery rate. Basically, the casual thief is deterred, but the pros are still doing fine.
The most effective part of a home security system is the sign out front. Casual thieves move on to your neighbor. If you are targeted by pros, then you had better installed something a bit heavier duty than ADT.
It got me thinking about security, both virtual and physical.
On the virtual side, the long held belief is that a strong password will keep you safe. That is apparently not true, as I just learned. But the reason why is a bit annoying. Hackers use "dictionary" attacks on popular web services, where they just bang on an account trying thousands (hundreds of thousands, actually) of combinations.
The most sophisticated tools (eg. L0phtcrack), easily available online, can crack 25% of passwords in seconds, and can try 17 BILLION combinations an hour. An 8 character password with a combination of letters, numbers and special characters (eg. asterisk, dash, underscore) has only about 100 billion different combinations. So, if someone really wants to crack your account, they just need a few hours. Presumably, the hackers just spend a few seconds to get the easy accounts. The password length I had been using, a mere 6 digits, had only 45 million combinations. I do use longer passwords on my more important accounts, but Hotmail is mostly for spam anyway, so I never upgraded the password.
The real problem here is obvious, but few ever mention it. Why do Hotmail and other services allow hackers to bang on the door thousands of times? If you blow a password 10 times in a row, your account should be locked. Then a simple, easily remembered password would be perfectly adequate.
The problem here, and I suspect why the web services do not enforce this, is that if hackers are banging on Hotmail all the time, thousands of users will be locked out every day, generating an enormous amount of traffic to customer support. Very sensititive systems such as SaaS ERP do enforce a limited number of tries, but they have a small number of users and an enormous reputation problem if they are cracked.
So, perhaps the solution is multifactor authentication. Not the physical token systems that you see some corporate users carrying around, but merely a second layer of security. You could have a password that gets you to the second layer, which would require you to pick out a face or picture from a matrix of options. The human brain is particularly good at remembering faces. Because you can only present 15 or so options, it is really not adding that many combinations, but it would definitely help, and the fact that it eludes keylogging software is a definite bonus.
[UPDATE 9/20: Google just released two factor authentication for Google Apps accounts. It uses a smartphone app to generate an authentication code that is the second step of the process (replacing a dedicated fob such as used by Verisign systems). I am feeling rather pleased with myself for being one day ahead, for once, instead of the reverse.]
So, "strong" passwords present the illusion of security, but in reality are just a slightly higher fence. That works for random attackers, but not an attacker that might be targeting you.
Many physical security measures work on the same principal--you don't have to outrun the bear, you just have to outrun your friend. But if someone is targeting you specifically, you are in trouble. This is where things like airport security often fall down. They annoy the casual traveler in the name of protection, but fail to deter the dedicated attacker.
The auto theft statistics for 2009 show almost a 25% drop in theft from 2008--a big decrease. But they also show a drop in the recovery rate. Basically, the casual thief is deterred, but the pros are still doing fine.
The most effective part of a home security system is the sign out front. Casual thieves move on to your neighbor. If you are targeted by pros, then you had better installed something a bit heavier duty than ADT.
Thursday, September 2, 2010
Google Priority Inbox--the end of Serendipity?
First off, I am in the Google ghetto, as apparently the only person for whom Google has yet to turn on the Priority Inbox feature. I even pay for a premium account, and still I am not cool enough.
People in the tech industry, whether entrepreneurs, investors, business development or whatnot, suffer famously from email overload. I use a tiered system of email accounts to deal with it and prioritize emails.
It is hard enough to get noticed as an outsider when you send an email, but it is possible with a pithy subject line and succinct opening paragraph. Now, you are at the mercy of the machine. Is there going to be an SEO business for emails to try and find your way into the priority inbox? For many harried execs, an email in the non-priority queue might as well be in the spam folder.
Is this the end of the serendipitous connection? Does that matter? Are we now doomed to insularity?
It certainly means that having a warm introduction to a targeted contact is more critical than ever. It also means that the conference business is going to see a rebound, because you need to find your targets in person, not digitally.
People in the tech industry, whether entrepreneurs, investors, business development or whatnot, suffer famously from email overload. I use a tiered system of email accounts to deal with it and prioritize emails.
It is hard enough to get noticed as an outsider when you send an email, but it is possible with a pithy subject line and succinct opening paragraph. Now, you are at the mercy of the machine. Is there going to be an SEO business for emails to try and find your way into the priority inbox? For many harried execs, an email in the non-priority queue might as well be in the spam folder.
Is this the end of the serendipitous connection? Does that matter? Are we now doomed to insularity?
It certainly means that having a warm introduction to a targeted contact is more critical than ever. It also means that the conference business is going to see a rebound, because you need to find your targets in person, not digitally.
Review--Speedplay Pedals
I decided to try Speedplay Zero pedals a few months ago, because I moved my cleats back a touch on my Specialized shoes and could not duplicate the position on my Sidis. Sidi apparently has not gotten the memo that we are all moving our cleats closer to the arch of our foot--your calves are not that strong, so why engage them so much? I also find that my left foot is finicky and inconsistent about the lateral angle it likes to pedal at. My heels are closer to the cranks, but my left foot is more so, and it seems sometimes like I am pushing against the limits of float on the Shimano Dura Ace pedals I normally use. Finally, I am retarded when trying to get into my pedals at the start of a race. I can be relied upon to fuss around for a few seconds trying to get in while everyone else takes off.
Oh, and Spartacus uses Speedplays.....'nuff said.
Speedplays are renowned for their adjustability, and having a 2-sided pedal makes it easier to get into. They are a bit lighter and allegedly more aero, but I really did not care about that.
So I bought some. Turns out that I still could not get the cleats mounted far enough back. No problem--some hunting and $40 and I found the extended base plate that gives a ton of fore-aft adjustment. Oh, and another $40 for some angled wedges. That makes the total investment a bit pricey. I purchased the Stainless axle version of the Speedplay Zeros, as they are much cheaper than the Ti, and stiffer and more durable.
I have been using the Speedplays on my carbon bike, which I have ridden most of the time recently, but I am still putting in days on my Ti bike with the Shimano pedals.
I definitely like the new cleat position....it just feels very natural. Remember that you have to bring your saddle height down if you move your cleats back.
On the bike, I like the Speedplays a lot. Engagement is a bit easier, though not foolproof. I still manage to miss sometimes, and when you do, the consequences are more catastrophic that with the Shimanos because your shoe flies off the pedal. The feel is a bit odd, because there is no resistance to the float. At least with the Zeros you can set the limits of the float, but there is a bit of an ice rink feel, though I quickly adjusted to that.
The Speedplay design is different in that it is the reverse of most pedals--the retention mechanism is on the shoe, not the pedal. Effectively the pedal is the cleat.
The cleats are a pain. I have already had them come loose twice and slide laterally. If you tighten them too much, then they don't work properly because you create too much friction for the ring that is the retention mechanism. I tightened them to the torque spec but even with the threadlock on the screws they don't appear to want to stay in place. So, I finally just overtightened them and accepted slightly balkier function.
You need to keep debris out of the cleats, and the cleats are metal, so they are slippery to walk on. That means you really need cleat covers, which are a pain.
The Shimano cleats, by comparison, are just easy to deal with, and you can walk for miles on them.
For the riding I do, which involves a lot of walking around in coffee shops, I think the Shimano pedals work better. If racing performance is a priority or you have fit issues, the Speedplays get the nod.
Oh, and Spartacus uses Speedplays.....'nuff said.
Speedplays are renowned for their adjustability, and having a 2-sided pedal makes it easier to get into. They are a bit lighter and allegedly more aero, but I really did not care about that.
So I bought some. Turns out that I still could not get the cleats mounted far enough back. No problem--some hunting and $40 and I found the extended base plate that gives a ton of fore-aft adjustment. Oh, and another $40 for some angled wedges. That makes the total investment a bit pricey. I purchased the Stainless axle version of the Speedplay Zeros, as they are much cheaper than the Ti, and stiffer and more durable.
I have been using the Speedplays on my carbon bike, which I have ridden most of the time recently, but I am still putting in days on my Ti bike with the Shimano pedals.
I definitely like the new cleat position....it just feels very natural. Remember that you have to bring your saddle height down if you move your cleats back.
On the bike, I like the Speedplays a lot. Engagement is a bit easier, though not foolproof. I still manage to miss sometimes, and when you do, the consequences are more catastrophic that with the Shimanos because your shoe flies off the pedal. The feel is a bit odd, because there is no resistance to the float. At least with the Zeros you can set the limits of the float, but there is a bit of an ice rink feel, though I quickly adjusted to that.
The Speedplay design is different in that it is the reverse of most pedals--the retention mechanism is on the shoe, not the pedal. Effectively the pedal is the cleat.
The cleats are a pain. I have already had them come loose twice and slide laterally. If you tighten them too much, then they don't work properly because you create too much friction for the ring that is the retention mechanism. I tightened them to the torque spec but even with the threadlock on the screws they don't appear to want to stay in place. So, I finally just overtightened them and accepted slightly balkier function.
You need to keep debris out of the cleats, and the cleats are metal, so they are slippery to walk on. That means you really need cleat covers, which are a pain.
The Shimano cleats, by comparison, are just easy to deal with, and you can walk for miles on them.
For the riding I do, which involves a lot of walking around in coffee shops, I think the Shimano pedals work better. If racing performance is a priority or you have fit issues, the Speedplays get the nod.
Subscribe to:
Posts (Atom)