July 2, 2020 - Mark
Love them or hate them, have one or have hundreds of them; you’ll need to use passwords for the rest of the foreseeable future. (Despite people trying to move on from them.) And while the thought of all the accounts you have, with all their hopefully varied passwords might make your head spin, they provide an essential service to us… keeping out prying eyes.
Recently, someone I know mentioned their password characteristics to me. I wasn’t shocked, because I’ve heard worse – but I thought, I wonder just how long it would take to break into something with that many characters including only those types.
So I did some digging and found wildly varying results for any one particular password. Presumably some of these websites have been up for a while, and the march of progress has left their assumptions about computing power behind.
L3tm31n!, for example (no, that wasn’t the password in question above), rates at 9 hours on How Secure Is My Password?, while on Gibson Research Corporation’s calculator it ranges from over 2 centuries down to just over 1 minute, depending on the scenario.
Regardless of that, there are two primary ways to break through a password wall: brute force and dictionary attack.
Brute force tries every possible combination until it gets through.
A dictionary attack basically throws words and variants thereof at it until one of them fits. This idea has been extended to include classic phrases, verses from religious texts, movie titles and so on, as well as all their misspellings, obvious character replacements, and real passwords found in data breaches. (That’s right, L3tm31n! isn’t the secure password you might think it is.)
A creative hacker might just mush the two techniques together as well, creating a third option which will no doubt get to password2020 just as fast as it gets to password2021.
The key to holding out until the next password change is length.
As Gibson Research Corporation’s calculator implies, a simple-looking but long password is more secure than a shorter, complex one. This is why you should move your focus from passWORDS to passPHRASES. (It is also the reason the dictionary attack has been extended to cover phrases.)
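To put numbers on the "length beats complexity" point, here is an added example (not code from this post, from GRC, or from How Secure Is My Password?) that models a brute-force search the way those calculators reason about it: the attacker must assume the whole of every character class the password uses, so the search space is pool size to the power of the length. The character classes and the guess rate are assumptions of this example. Note that it measures exhaustive search only; it says nothing about the dictionary attacks described above, which is exactly why a famous phrase is no safer than L3tm31n!.

```python
import math
import string

# Character classes in the spirit of the "search space" calculators the post
# mentions: an attacker who sees one digit must assume all ten, and so on.
# This model is an assumption of this example, not the exact rules of any site.
CLASSES = {
    "lower": set(string.ascii_lowercase),        # 26
    "upper": set(string.ascii_uppercase),        # 26
    "digit": set(string.digits),                 # 10
    "symbol": set(string.punctuation) | {" "},   # 32 punctuation marks plus space
}


def pool_size(password: str) -> int:
    """Size of the alphabet a brute-force search must cover for this password."""
    used = [name for name, chars in CLASSES.items() if any(c in chars for c in password)]
    if not used:
        raise ValueError("password contains no characters from the modelled classes")
    return sum(len(CLASSES[name]) for name in used)


def search_space(password: str) -> int:
    """Total candidates for an exhaustive search: pool ** length."""
    return pool_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the search space, the usual 'bits of strength' figure."""
    return len(password) * math.log2(pool_size(password))


def worst_case_seconds(password: str, guesses_per_second: float) -> float:
    """Time to exhaust the whole space at a given guess rate."""
    return search_space(password) / guesses_per_second


def describe(password: str, guesses_per_second: float) -> str:
    """One summary line per password, with the worst case expressed in days."""
    secs = worst_case_seconds(password, guesses_per_second)
    return (f"{password!r}: len={len(password)} pool={pool_size(password)} "
            f"bits={entropy_bits(password):.1f} worst case={secs / 86400:.1f} days")


if __name__ == "__main__":
    GUESS_RATE = 1e10  # constructed figure for illustration only
    for pw in ("L3tm31n!", "password2020", "correct horse battery staple"):
        print(describe(pw, GUESS_RATE))
```

The 8-character mixed password draws on a pool of 95 but only reaches about 53 bits, while a 28-character phrase of lowercase words and spaces has a smaller pool (59) and well over 150 bits; the exponent, not the alphabet, does the work.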
Since we’re using these examples, let’s plug them into have i been pwned’s Pwned Passwords. At the time of writing:
- L3tm31n! has been seen in data breaches almost 150 times to date,
- password2020 has been seen almost 203 times,
- password2021 has been seen almost 20 times.
If you haven’t heard of have i been pwned, it’s a collection of all the known data breaches and lists that have come to light, curated and pulled into a nifty website by fellow Australian Troy Hunt, so that anyone can check whether their email address or passwords are known in the land of hackers.
NB. The above techniques assume there is an online system the attacker is trying to get into. If they happen to have the database, there are other options as well – like rainbow tables – but that is outside of what I’m writing about here.
June 24, 2020 - Mark
Adobe Flash, once the go-to technology for browser-based "cool stuff" on the web, will be officially unsupported as of the end of 2020.
As with all end-of-life products, this means there will be no further security updates past the EOL date.
Flash, or specifically Flash Player, has been known as a hacker/malware vector for a number of years now, and I have a feeling that Adobe can't wait to see the end of it. Adobe has noted on the Flash EOL page that...
Flash-based content will be blocked from running in Adobe Flash Player after the EOL Date.
If you still have a website, CMS or CRM that relies on Flash, now is the time to act. Don't wait until it stops working to act. Contact Gravity Tech to see what options we can provide.
But how do I know if my <important website> is using this Flash thing?
Simple: just remove/disable the Flash Player plugin from your browser and see what stops working. You can find instructions at How To Geek.
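If you would rather check the page source than click around with the plugin disabled, here is an added example (my own code, not from Adobe, How To Geek or this site) that scans HTML for the three ways Flash was normally embedded: an object or embed tag with the Flash MIME type, an object tag carrying the Flash Player ActiveX classid, or a .swf referenced by data, src or a movie param. The sample HTML is constructed for the demonstration.

```python
from html.parser import HTMLParser

FLASH_MIME = "application/x-shockwave-flash"
# CLSID of the Flash Player ActiveX control, as used by legacy <object> tags.
FLASH_CLASSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"


def _is_swf(url: str) -> bool:
    """True if the URL path (ignoring query string and fragment) ends in .swf."""
    path = url.lower().split("?", 1)[0].split("#", 1)[0]
    return path.endswith(".swf")


class FlashFinder(HTMLParser):
    """Records one finding per tag that embeds Flash content."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        tag = tag.lower()
        reason = None
        if tag in ("object", "embed"):
            if a.get("type", "").lower() == FLASH_MIME:
                reason = f"type={a['type']}"
            elif a.get("classid", "").lower() == FLASH_CLASSID:
                reason = "classid is the Flash Player ActiveX control"
            else:
                for key in ("data", "src"):
                    if _is_swf(a.get(key, "")):
                        reason = f"{key}={a[key]}"
                        break
        elif tag == "param" and a.get("name", "").lower() == "movie" and _is_swf(a.get("value", "")):
            reason = f"movie={a['value']}"
        if reason:
            line, _ = self.getpos()
            self.findings.append(f"line {line}: <{tag}> {reason}")


def find_flash(html: str) -> list[str]:
    """Return a description of every Flash embed found in the HTML string."""
    finder = FlashFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: a classic Flash object with its embed fallback,
# plus an HTML5 video that must not be reported.
SAMPLE_HTML = """<html><body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="400" height="300">
  <param name="movie" value="/media/intro.swf">
  <embed src="/media/intro.swf?v=3" type="application/x-shockwave-flash">
</object>
<video src="/media/intro.mp4" controls></video>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_flash(SAMPLE_HTML):
        print(finding)
```

Run it over each saved page of the site (or pipe the output of a crawler into find_flash); anything it reports is content that will simply be blocked after the EOL date.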
Operating System Decisions
April 17, 2020 - Mark
Recently I was resetting a laptop that was loaded with Windows 8. As I was watching it start rebuilding, I had an odd feeling. The only words I could put on that feeling was the question: “Do I really want to pass this on with Windows 8 on it?”
Now, don’t misunderstand me – I liked Windows 8. But I imagine it held more excitement and foreshadowing for me than it did for most other people. For me it was a fresh departure from the norm; a sign that there was a future convergence between mobile device and primary computing device – and that it wasn’t too far away.
Obviously, not everyone saw it that way. It somehow almost became a pariah of the operating system world. Fortunately, the client involved this time actually liked Windows 8 as well. However, the question still nagged me all the way through the reset/rebuild. But why?
To the internet! <cue 70’s batman theme music>
Looking up the End of Life (EoL) dates for recent Windows versions revealed that every version prior to Windows 8.1 had already passed EoL, while Windows 8.1’s extended support (read: important security updates) finishes in January 2023.
With Windows 8.1’s mainstream support (read: improvements & new features) having ended in January 2018, the upgrade to Windows 8.1 no longer exists; and the free upgrade to Windows 10 finished ages ago. Right?
Wrong. The free Windows 10 upgrade still exists. Furthermore, the laptop ran well – even with its almost 7-year-old CPU and 4GB of RAM. Problem solved.
Good news stories aside, there are still many people in Australia on Windows versions that are past EoL. Statcounter (.com) says that in March 2020:
Windows 10: 82.02%
Windows 8.1: 3.66%
Windows 8: 0.9%
Windows 7: 12.55%
Windows Vista: 0.24%
Windows XP: 0.55%
That means almost 14¼% of Windows usage is happening on operating systems that no longer receive updates. And in case you weren’t aware, Windows has traditionally had the lion’s share of users, so it’s been a popular target for hackers and the like for a long time. Especially now, when people are spending much more time at home due to the coronavirus (COVID-19), hacks, breaches and rumours thereof have allegedly increased.
Currently, the ability to pop out and get a replacement computer has been greatly reduced due to a) restrictions on travel, & b) stock availability.
Fortunately, there are options. Starting with upgrading to Windows 10 as per above.
Beyond that there’s a whole world of Linux out there. Some very beautiful desktops are available too. Gone are the days of Linux being just nerds adjusting their glasses while typing furiously at a text-only screen. They are all full-HD capable, internet savvy and come with a wide range of help available on the internet.
If you want to explore some of the options in this realm, then here are some starting points:
Solus (getsol.us) is designed for modern hardware and to do away with versions. They have rolling releases.
LinuxMint (www.linuxmint.com) is designed to be an easy transition for Windows users.
Ubuntu (ubuntu.com) is designed with user experience being the foremost consideration.
If you have any questions, or wish to get some direction or assistance, let me know via the contact form.
Browsers, Monopolies, and Bears. Oh My!
December 20, 2019 - Mark
Google long had the motto “Don’t be evil”, but over time we have seen it disappear, replaced with what amounts to “Do the right thing.” As Fast Company says: “It’s subtle shifts like that one that can make a huge difference.” I would have thought this is a step up. (Ref: Google Code of Conduct, April 21 2018 and May 4 2018.)
I would dearly love to believe that Google is on the up and up, as I decided some time ago to throw my weight behind Google, generally speaking. However, being a disenfranchised member of a few now dead Google products, I find it all a bit bitter.
And then there is this: Johnathan Nightingale (former Mozilla G.M.) has revealed a series of “oops after oops” that he says were Google systematically sabotaging Firefox – intentionally even – to boost the adoption of Chrome. (Ref: https://archive.is/tgIH9)
Nightingale said, "When Chrome launched things got complicated, but not in the way you might expect. They had a competing product now, but they didn't cut ties, break our search deal - nothing like that. In fact, the story we kept hearing was, 'We're on the same side. We want the same things'."
"Google Chrome ads started appearing next to Firefox search terms. Gmail & [Google] Docs started to experience selective performance issues and bugs on Firefox. Demo sites would falsely block Firefox as 'incompatible'," he said.
"All of this is stuff you're allowed to do to compete, of course. But we were still a search partner, so we'd say 'hey what gives?' And every time, they'd say, 'oops. That was accidental. We'll fix it in the next push in 2 weeks.'"
Nightingale believes there were so many of these oopses that they could have numbered in the hundreds. And of course, while they were chasing these oopses down, they lost users and lost time on developing Firefox. "We got outfoxed for a while and by the time we started calling it what it was, a lot of damage had been done," Nightingale said.
Which leads me to where my daily reading started. Jon von Tetzchner from Vivaldi, a great browser, blogged in 2017 that he believes that Google is misusing their monopoly-based power.
And now, Vivaldi has decided that they need to pretend to be Chrome 24/7 in order not to be blocked from certain websites. “Vivaldi is blocked for many reasons, and often by competitors, rivals and tech companies in a position of power. Blocking Chromium-based browsers has no technical merit in 2020, nor has it ever had.” (Ref: Vivaldi Release page & ZD Net article)
Interestingly, Brave – another browser based on Chromium – also pretends to be Chrome.
December 19, 2019 - Mark
If you haven't noticed, the main navigation menu on this site has changed from a 3D fold down idea, to a slightly more traditional left menu - with a bit of fun.
But why? It was so three dimensional and foldy!
Indeed. But it wasn't very helpful for deep navigation. I've been thinking on our product offerings, and I realised that while that menu was interesting because it was unusual - it had some obvious drawbacks. So with the planned addition of pages, it just wasn't going to cut it.
Which leads me to think on navigation as a whole. The purpose of website navigation is to enable website viewers (you) to get around the website. Byproducts of effective navigation include viewers being able to see what sort of content you have on the website, and having some idea of what the page they’re about to click on contains.
This was one of the drawbacks of the 3D menu Gravity Tech started out with. On small phone screens, the menu didn’t show page names; all that you could see were icons. And while I understood what the icons meant, that doesn’t mean that everyone will.
There has been a lot of research into effective navigation, with results ranging from the maximum number of top-level pages to have, to whether or not you should use drop-down/nested menus in your primary navigation. (If you’re interested, the answer to the first one is 7, and the result of having drop-down/nested navigation is that people tend to skip the top-level page entirely.)
Another important realisation I had as I worked on content, is that if you were halfway down a long page, you were stranded. Lost in a sea of text. So now the menu button stays with you. Like a faithful dog.
Passwords and Our Data
October 29, 2019 - Mark
My preferred browser, Mozilla's Firefox, released a new product recently called Firefox Monitor. Usually I don't go for these branded value add things, but as I wasn't sure what this was, I did a bit of research.
It seems that Mozilla has partnered with Troy Hunt, creator and curator of Have I Been Pwned and Pwned Passwords, to add their functionality into Firefox's realm. Which is a great thing for everyone.
In case you're in the 99% of people who don't know what HIBP does, it's simple. They collect all the leaked and published account breaches that would-be hackers use, and provide them as a searchable database for people like us. If you sign up with them, or now with Firefox Monitor, they will actually alert you when this has occurred, as soon as they become aware of it. Meaning you can act as soon as possible and change that password.
Which of course then leads us more firmly into the topic of passwords.
The other part of the aforementioned is Pwned Passwords. What this does is give you a safe way to check your password(s) against the massive list of passwords collected from these breaches.
If your first reaction is to say:
... Wait, you want me to type my awesome password into some random site?
... then I salute you. Complacency is the mother of breached...ness :)
That said, I have written two implementations of the Pwned Passwords API, and can safely say that at least those two, presumably the original and probably the new Firefox implementation, will be as safe as you'd expect. The password never leaves the browser page you're on. It's all done within the page, and the whole password is never sent to the foreign server. (Technically, it hashes the password, sends only the first few characters of the hash off, and gets back a list of candidate hash suffixes for the local browser to compare against.)
TL;DR - It gives you the number of times an entered password has been seen in the collected breaches. If you enter the text password, you'll see it comes up millions of times.
1Password (a cloud/browser password manager) has also got in on the action, and will be offering the same account/password checking service in real time.
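The hash-prefix exchange described above, and the Pwned Passwords lookups quoted in the later post about L3tm31n! and password2020, both come down to the same few steps. Here is an added example (my own code, not the site's, Mozilla's or Troy Hunt's) showing what a client does: SHA-1 the password locally, send only the first five hex characters of the hash, and look for the remaining 35 in the list that comes back. The range response is a constructed stand-in with made-up counts, so the demo runs offline; the online_fetch function shows the real request shape but is not called.

```python
import hashlib
from typing import Callable

# Constructed stand-in for a /range/5BAA6 response: each line is
# "<35 hex chars of hash suffix>:<count>". The counts are made up for this
# example; a line with count 0 is padding the real service can add on request.
SAMPLE_RANGE_RESPONSE = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1F2A3B4C5D6E7F8091A2B3C4D5E6F708192:0\r\n"
)


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password locally; only the 5-char prefix ever leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Turn a range response into {suffix: count}, dropping zero-count padding."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus, matched client-side."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call: only the constructed 5BAA6 range is known."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def online_fetch(prefix: str) -> str:
    """Real request shape (assumed endpoint from the public API); unused in the demo."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "k-anonymity-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "a phrase nobody has leaked"):
        prefix, _ = split_hash(pw)
        print(f"{pw!r}: sent prefix {prefix}, seen {breach_count(pw, offline_fetch)} times")
```

Because the server only ever learns a 5-character prefix shared by hundreds of other hashes, it cannot tell which password was checked; the matching against the returned suffixes happens entirely on the client, which is the property the post describes.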
October 11, 2019 - Mark
Last week I was approached by someone who needed a media purchase & distribution system written for a statewide conference. There was a catch though: under a two-week turnaround.
They were already set up for a Stripe payment integration, and just needed… everything else. Fortunately, I had recently worked with Stripe for another project so that streamlined the development of the third party connection. (They have the potential to be tricky.)
Oh, speaking of Stripe, I quite like the way that they have structured their embedded system. Their concept of insta-approving the card, and allowing a token only to be set for the form being submitted is really clever.
With the final approval (and changes) coming today, the project is live. Feels good to have another project in the wild. I wonder what the next one will be?
A Few Months In
September 17, 2019 - Mark
I would like to start this entry by thanking those who have used Gravity Tech's services over the last few months. I appreciate the work, but I also appreciate the trust that you've placed in me to get the work done. So thank you :)
Work has been consistent of late, which has been a blessing. There are a few things on the horizon, and a few things that are current. All things considered, and from all accounts, it's quite a good start to a small business.
During this time as my own boss, I have discovered something interesting: No matter what I do, I never have enough time to actually start (or finish?) all the ideas and plans that I have in my head. I had assumed that once I was able to work on these during work hours, and was able to plan my own work schedule, that I would be able to progress things on all fronts. That hasn't really happened... Although, perhaps I'm not giving myself a chance, as it's hasn't even been three months yet.
One of the things that I'm enjoying about this journey is waking up to the excitement of all the things I can / will do each day. I really like that. It's like Oprah giving out prizes or a child in a toy store listing all the things they could do with what they see.
Let's all hope that this continues for decades to come!
New Small Business Training
August 8, 2019 - Mark
This week I started training with a local RTO to get a Certificate IV in New Small Business. Hopefully this gives me the basics for being in business for myself.
It's been an interesting time, meeting people with varied and interesting thoughts about their future. We've learnt about the importance of having a why behind what we do. It gives us direction into what we do, and how we do it.
So what's the why for Gravity Tech?
Our IT management, development and support services help small to medium sized businesses who need an IT solution, and want it delivered in a positive and upbeat way. We eliminate the mystery around IT systems, and provide reliable and efficient solutions that suit their unique requirements.
Which is rather multifaceted, but then so am I. So I guess that makes sense.
July 18, 2019 - Mark
The end of this week marks three weeks since I found myself without a job. The company that I worked for was purchased by new owners, and events transpired in such a way that I'm currently no longer working for them. (Ironically, I set out on the freelance / contract work journey so that I would be able to work with them, and perhaps one day I will.)
Over the last three weeks, I have been thinking, creating, planning, talking and checking business names constantly. It was interesting that the first thing I reached for when trying to get my thoughts together was this website. Putting the words down in HTML seems fitting, since I've been doing it for decades - which I know makes me sound "old", but I'm not even 40 yet.
I had a rough plan in my head: Supply the Suppliers. Enable local design / marketing / computer companies to take on more projects (or perhaps more complex ones) by supporting them. So I wrote down what I could do and found that I had a problem. While I really love web development & coding, I am able to do almost everything in IT to some degree - so what do I aim for? What do I want to do? What do people need? What's that catch phrase from the movie Robots? "See a need, fill a need."
It so happened that on the Friday before I was ungainfully unemployed, I received my first job - a new computer assembly. Which was very encouraging and a good feeling to be making money on day one.
That lead to all sorts of realisations & questions. One of which was... what name do I put on the invoice? Then the hunt for a business name began. I'm sure it will come as no surprise to hear that while trying to ensure that both the business name and website address were available - all the obvious ones, and most of the cool ones were taken. It took over a week to think of and settle on Gravity Tech. And for this, I want to thank my lovely wife - as it was her suggestion. (Thank you!)
While I'm thanking people, I would like to thank Ally Mosher, Robert Leslie and Ben Baker for their help in various areas. You've all been great, and I really appreciate your input, help and being able to lean on you during this time.
Anyway, the website (and thoughts) have been coming together to the point where I'm able to put it online. Which finally means that I can start promoting the business to all the suppliers I'm hoping to work with.
Wish me luck!