Chris Erickson

Life is an Adventure.

Closest to a Felony I Ever Got

A 14-year-old eighth grader in Florida, Domanik Green, has been charged with a felony for “hacking” his teacher’s computer. The “hacking” in this instance was using a widely known password to change the desktop background of his teacher’s computer to an image of two men kissing.

I count my lucky stars that my treatment in elementary school for changing folder icon colors and logically arranging aliases into them on the classroom computers was more forgiving. I was banned from computer class and put in detention, where I had to put batteries in remotes for all the new TVs the district had just purchased.

Now that my probation has been served, I can change icons and sort things with reckless abandon. Excuse me while I do some hacking.

Why We [Should] Encrypt

This is important. If we only use encryption when we’re working with important data, then encryption signals that data’s importance. If only dissidents use encryption in a country, that country’s authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. No one can distinguish simple chatting from deeply private conversation. The government can’t tell the dissidents from the rest of the population. Every time you use encryption, you’re protecting someone who needs to use it to stay alive.

Utilizing encryption everywhere is like immunizations – it often protects someone else.

Timing hashers with Django

I’ve always been interested in the various password hashers available to Django developers, and the recent disclosure of master password hashes for LastPass pushed me over the edge. Now I really wanted to understand how to best protect user password hashes on any Django sites I work on where this might be a concern.

Out of the box, Django supports a wide range of hashers, but only a few are really worth using: ideally PBKDF2 with SHA256 (the Django default), bcrypt, or scrypt.

Once you know which of these your platform supports, the next thing to be concerned about is tuning their work factors to be as high as possible without making your users wait long for the hashing on login. To test this out, I timed them in IPython using its ‘magic functions’.

Here is a test for PBKDF2:

from django.contrib.auth.hashers import PBKDF2PasswordHasher
from django.utils.crypto import get_random_string

ph = PBKDF2PasswordHasher()
password = 'this is my password'
salt = get_random_string()  # random alphanumeric salt (ph.salt() returns the same thing)

# %timeit is an IPython magic, so these lines run in an IPython shell rather than plain Python
%timeit ph.encode(password, salt, iterations=24000)  # Django default iterations
%timeit ph.encode(password, salt, iterations=100000)  # Something better

Here is a test for bcrypt:

import bcrypt
from django.contrib.auth.hashers import BCryptSHA256PasswordHasher

# The SHA256 variant pre-hashes the password, so bcrypt's 72-byte input limit doesn't matter
bh = BCryptSHA256PasswordHasher()
password = 'this is my password'

%timeit bh.encode(password, bcrypt.gensalt())  # Default work factor (cost) of 12

When running these on a single-core, 512 MB RAM DigitalOcean droplet, I get these results:

Hasher    Work factor    Time
PBKDF2    24,000         121 ms
PBKDF2    100,000        487 ms
bcrypt    12             395 ms

The takeaway here is that 100,000 iterations will make your user wait another 366 ms, which is probably not all that bad. Complete conjecture, but I would bet this is already one of the longest waits in the login process. Your results will certainly vary, so you’ll want to confirm the numbers for the configuration you are interested in.

As an aside, I haven’t tried scrypt since it isn’t really supported out of the box with Django. In theory, that would be the best one to switch to from PBKDF2, as it puts up substantial barriers to massive cracking array scenarios. Some libraries and Django apps exist, but they don’t inspire a lot of confidence in an area where they really ought to.

In the end, it’s probably easiest to just increase the number of PBKDF2 iterations to a value as high as your users will be patient with, since some don’t seem to like bcrypt very much.

With these changes, keep in mind that this could open you to DoS attacks if you don’t have any throttling on your login page. Something like fail2ban can help you throttle an IP that is repeatedly failing the login process. Also don’t forget to increase the iteration count over time, like Django does.
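As an added example that is not from this post and not Django’s own code, here is a standard-library-only harness that does the three things discussed above: it times PBKDF2-SHA256 at a given iteration count, grows the count geometrically until a latency budget is exceeded (so the choice is measured on the host rather than guessed), and flags stored hashes whose iteration count has fallen behind the current setting so they can be re-hashed on the next successful login. The encoded layout (algorithm$iterations$salt$hash) matches what Django’s PBKDF2 hasher stores; the sample password and the 250 ms budget are constructed values, and the function names are this example’s own.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Added example, not from the post or from Django: stdlib-only PBKDF2-SHA256 helpers
# that use the same "algorithm$iterations$salt$hash" layout Django stores.
ALGORITHM = "pbkdf2_sha256"


def encode(password: str, salt: str, iterations: int) -> str:
    """Hash `password` with PBKDF2-HMAC-SHA256 and return the encoded string."""
    if "$" in salt:
        raise ValueError("salt must not contain '$' (it is the field separator)")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt.encode("ascii"), iterations)
    digest = base64.b64encode(dk).decode("ascii")
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt, digest)


def verify(password: str, encoded: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    parts = encoded.split("$", 3)
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return False
    _, iterations, salt, _ = parts
    candidate = encode(password, salt, int(iterations))
    return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("ascii"))


def needs_rehash(encoded: str, current_iterations: int) -> bool:
    """True when the stored hash uses fewer iterations than the current setting.

    After a successful verify(), re-encode the password with the current count so
    old hashes are strengthened over time instead of staying at the count they
    were created with."""
    parts = encoded.split("$", 3)
    return len(parts) == 4 and parts[1].isdigit() and int(parts[1]) < current_iterations


def time_hash_ms(iterations: int, rounds: int = 3) -> float:
    """Best-of-N wall-clock milliseconds for one PBKDF2 run at this iteration count."""
    salt = secrets.token_urlsafe(12)
    best = float("inf")
    for _ in range(rounds):
        start = time.perf_counter()
        # constructed sample password; only the timing matters here
        hashlib.pbkdf2_hmac("sha256", b"this is my password", salt.encode("ascii"), iterations)
        best = min(best, time.perf_counter() - start)
    return best * 1000.0


def calibrate_iterations(budget_ms: float, start: int = 24000, growth: float = 1.5,
                         ceiling: int = 10_000_000) -> int:
    """Largest iteration count, grown geometrically from `start`, whose hash time stays
    within `budget_ms` on this machine. Never returns less than `start`, so the
    starting count acts as a floor even on slow hardware."""
    iterations = start
    while True:
        candidate = int(iterations * growth)
        if candidate > ceiling or time_hash_ms(candidate) > budget_ms:
            return iterations
        iterations = candidate


if __name__ == "__main__":
    # Constructed budget: 250 ms of login latency the site is willing to spend on hashing.
    chosen = calibrate_iterations(250.0)
    print("iterations within budget on this host:", chosen)
    stored = encode("correct horse battery staple", secrets.token_urlsafe(12), 24000)
    print("verify:", verify("correct horse battery staple", stored))
    print("needs rehash at", chosen, "iterations:", needs_rehash(stored, chosen))
```

Run it on the same droplet class you deploy to, not a developer laptop, since the budget is only meaningful on the hardware that serves logins. Inside Django itself the equivalent of the calibrated number is the `iterations` attribute on a `PBKDF2PasswordHasher` subclass placed first in `PASSWORD_HASHERS`; Django’s `must_update()` then performs the same stored-count-versus-current-count comparison as `needs_rehash()` here and re-hashes on the next successful login.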

You’re going to be great one day.

This week we lost a legend in Blues music. My story isn’t one of deep knowledge of his music, or of going to great lengths to see him play live.

Mine started in the New York City Virgin Records store in 2000. I was at the store with my Dad, who had taken me on an incredible trip for me at the time — Macworld Expo, New York [1]. While there, a new collaboration between B.B. King and Eric Clapton had been released days earlier and was featured on the in-store monitors. My Dad and I both liked it, sought out the CD, and bought it. I still listen to it regularly [2] and it’s just as good now as it was then.

More modern music services like Spotify have encouraged me to expand my horizons quite a bit since then. I’ve come to really enjoy all kinds of Blues for its willingness to acknowledge the hard times in life, while somehow being some of the more therapeutic and uplifting music I listen to.

The uniqueness of the story in New York didn’t end there. I attended one of the last Macworld expos held in New York, saw the newly released PowerMac G4 Cube, and visited the rooftop of one of the World Trade Towers for the last time.

For me, B.B. King’s music will always remain at the top of my favorites but more importantly, it will remind me of a memorable trip with my Dad to places and times that I can only now visit in my memory.

[1] Wait, I potentially crossed paths with Siracusa there, too?

[2] Well, not the CD anymore, though I still have it.

All About that Space

I have seen suggestions that the rationale for the new trackpad is because Apple needed or wanted it to be thinner for the new MacBook:

This is all presumably to drive a little more thickness out of the MacBook

or this:

Another casualty in Apple’s ruthless quest for thinness is the trackpad’s clicking mechanism.

Looking at teardown comparisons between the old and new MacBook, it seems that the thicknesses of the two trackpad units are hardly different; the new one may even be thicker! Additionally, the old trackpad looks mechanically simpler, and space savings don’t usually ride in on the backs of more large components. I think this is a testbed for a technology that Apple wants to make much more use of in the future — it’s not a space saving objective.

Hopefully not the last

People don’t usually complain about being “busy” when their time is filled with things that they enjoy doing. My guess is that there is an imbalance between what they want to do, and what they have to do.

This is the inaugural post for my new blog. It’s a product of me being “busy” lately, and trying to find some sanity and balance in a project that I want to do. When I look at it in this way, I’m thankful that I regularly find myself feeling busy. These time constraints push me to focus more on what I want to do and better use the free moments of the day. So there you have it, my first meaningful post.