# The Growing Importance of Strong Passwords

I received a call today from the Fraud Prevention service of my credit card company, saying that “someone” called in to Customer Service, posing as me, and attempted to gather information about my account. This person had my credit card number, but failed to get past the additional security questions asked by the support staff. The support staff then promptly called me, and asked if it was I who tried to call in to Customer Service. The moment I said “no,” the operator told me that my account will be immediately deactivated to prevent any fraudulent charges, and that a new credit card would be mailed to me within 5 business days.

Despite the inconvenience of having my credit card account shut down, and being issued a new card, I applaud the support staff for taking their users’ security so seriously. But this incident also got me thinking about the current level of security used by online retailers, as well as online banking and credit card websites. After all, how exactly did a would-be identity thief get a hold of my credit card number? All of my online purchases are through very reputable stores like Amazon and Newegg. All the items I purchase are completely legal — i.e. no kinky horse-on-girl porn from shady Russian websites. All of my transactions are over SSL, and I’m quite sure that I don’t have a keylogger installed on my system.

This leads to one of the following conclusions, arranged from least to most likely:

• Someone cracked my SSL session with an online retailer. This is astronomically unlikely, but still possible.
• Someone hacked one of the online retailer’s servers, and retrieved the raw database of credit card numbers for thousands of customers.
• Someone hacked one of the company’s servers, and retrieved password hashes for thousands of users, and decoded the passwords at his/her own leisure. If the hacker is an employee of the company, no hacking would even be necessary. The database would be readily available for copying and selling to the black market.

As the incredibly eye-opening Ophcrack project has shown, old-style passwords are no longer safe (i.e. passwords shorter than 15 characters, consisting only of letters and numbers). Any Windows system administrator who hasn’t disabled LM Hashes has been living in a cave, and any Linux administrator who isn’t using shadow passwords is almost equally neglectful. And of course, any administrator or developer who stores users’ passwords in plain-text format should be fired on the spot, and have the infraction recorded as a felony in his criminal record.

The point is, many forms of identity theft can be prevented by using strong passwords — that is, passwords that are generously long (15 or more characters), that contain uppercase and lowercase letters, numbers, and special characters like $, %, &, space, and maybe even extëndéð Åscíí characters, or even Unicode! The question is, are online retailers and banking websites “ready” for strong passwords?

### No!

At least that’s the short answer. As an example, let’s take a look at what happened when I tried to change my password on my banking website, which happens to be Huntington. I typed in a strong password with letters, numbers, and special characters, and this is what I got:

I beg your pardon?! Of all the websites in the world, banking sites should be the most secure by definition. And yet, here we are with Huntington’s website telling us to limit our password to 16 characters, and not use any special characters! In Huntington’s defense, they do provide an additional level of security by asking a secret question (in addition to the password) if a user logs in from a different IP. I can understand enforcing minimum requirements for password strength, which Huntington does, but setting limitations on password strength? What gives?

Let’s move on to my credit card website, which is Chase. Attempting to change my password there, I get the following:

Again, they tell us not to use special characters, and to limit the length of our password. Even though the length limitation here is 32 characters, my question is: why is there a length limitation at all? And why can’t special characters be used? If the excuse is that the underlying software that runs the website doesn’t support passwords with special characters, then the software is in serious need of revision. The password hashing algorithm should not care about what characters are passed into it.
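To make the two complaints above concrete (a capped, no-special-characters policy versus a policy that simply requires length and accepts passphrases like the ones in the next paragraph), here is an added example that is not code from the original post or from any bank’s site. It implements a bank-style rule and a saner rule side by side, gives a rough keyspace estimate for the “same length, bigger alphabet” argument, and shows that a real password hash (PBKDF2 over UTF-8 bytes, chosen here as an illustration) accepts any character; all function names and sample passwords are my own.

```python
# Added example: restrictive vs. sane password policies, and a hash that
# does not care which characters it is given. Not from the original post.
import hashlib
import hmac
import math
import os
import string
import unicodedata
from typing import Optional, Tuple

# Characters that the bank-style policy in the post rejects.
SPECIALS = set(string.punctuation) | {" "}


def bank_style_policy(pw: str, max_len: int = 16) -> Tuple[bool, str]:
    """The kind of rule the post complains about: a length cap and no specials."""
    if len(pw) > max_len:
        return False, f"password must be at most {max_len} characters"
    if any(ch in SPECIALS or not ch.isascii() for ch in pw):
        return False, "special characters are not allowed"
    return True, "ok"


def sane_policy(pw: str, min_len: int = 15, max_len: int = 1024) -> Tuple[bool, str]:
    """Require length, accept any character; the only cap bounds hashing cost."""
    if len(pw) < min_len:
        return False, f"password must be at least {min_len} characters"
    if len(pw.encode("utf-8")) > max_len:
        return False, f"password must be at most {max_len} bytes"
    return True, "ok"


def keyspace_bits(pw: str) -> float:
    """Rough strength estimate: log2(alphabet_size ** length).

    This only models the 'equal length, larger alphabet' point from the
    post; it does not account for dictionary words or common phrases."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SPECIALS for c in pw):
        size += len(SPECIALS)
    if any(not c.isascii() for c in pw):
        size += 256  # crude: non-ASCII characters open up a much larger alphabet
    return len(pw) * math.log2(size) if size else 0.0


def hash_password(pw: str, salt: Optional[bytes] = None,
                  rounds: int = 100_000) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 over NFC-normalised UTF-8 bytes: spaces, symbols and
    Unicode are just bytes to the hash, so no character needs to be banned."""
    salt = salt if salt is not None else os.urandom(16)
    data = unicodedata.normalize("NFC", pw).encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", data, salt, rounds)


def verify_password(pw: str, salt: bytes, digest: bytes, rounds: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(pw, salt, rounds)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed samples: a passphrase, an alphanumeric password of equal
    # length, and a Unicode passphrase.
    for pw in ["Density = Mass/Volume", "Dens1tyMassVolume1234", "pässwörd Ω 2007!"]:
        print(repr(pw), bank_style_policy(pw), sane_policy(pw), round(keyspace_bits(pw)))
    salt, digest = hash_password("How many licks does it take?")
    print(verify_password("How many licks does it take?", salt, digest))
```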
I’m a big fan of passphrases, too — that is, passwords like “How many licks does it take?” or “Density = Mass/Volume” or “E = m*c^2”, all of which are much stronger than passwords of equal length with just letters and numbers. But, since these websites don’t allow passphrases, I’m forced to come up with a weaker password that fits all their guidelines and restrictions. Even worse, since each website may have slightly different restrictions on passwords, I’m forced to come up with a least-common-denominator password if I want to use one password for multiple sites. With this kind of “password mess” on the most secure internet websites, it’s no wonder ordinary users become confused about what kind of passwords they are and aren’t allowed to use, and default to using common, easy-to-remember passwords that are just waiting to be cracked by malicious individuals.

# The philanthropist

Just received this e-mail:

I wish to notify you that your name appeared in the codicil and last statement of your deceased relation, and you entitled to his fund of US$19,900,000.00 deposited with a bank here in Nigeria. I will advise you about the steps on how to redeem the inheritance funds from the bank.
Reply to me on time because the bank is waiting for you to show up and claim the funds.

Regards,
Barrister David Mark.
Legal Head, Wester and Co. Chambers.
14 board way Victoria Island, Lagos.

And my response:

Dear Barrister Mark,

Thank you for notifying me of the funds bestowed unto me by my late “relation.” As you know, my Nigerian heritage is very important to me, and I am pleased that my relation chose you to handle his will.

Fortunately I have a very simple resolution for this situation:
I hereby authorize you to donate the entire sum of my inheritance to a charity that helps fight the AIDS epidemic in your country of Nigeria and its neighbors. I will leave the choice of charity up to you — we’re all in this together. Naturally, you may withdraw any amount you see fit from this fund to pay for your legal fees. I have the utmost confidence that you will be fair and just in handling this money.

Once again, sir, I am in great debt to you for bringing this to my attention.
Best regards,

Dmitry Brant

# More Modding of the RAZR V3xx

The quick-start guide that I gave two days ago is hereby out of date!

On another Motorola hacking website, modmymoto.com, I found a vastly superior program called P2KTools. This utility allows you to access absolutely everything the phone can possibly support. It even lets you switch communications between P2K, AT, and Flash mode.

Best of all, P2KTools doesn’t require PST Phone Programmer to operate. Apparently, PST is a proprietary Motorola application, and is illegal for distribution to the public. The good folks at hacktherazr.com fail to mention this clearly (naughty!).

Once again, to communicate properly with the RAZR V3xx, go into the program’s Settings, and check the “P2K05” check box under “P2K Settings.” As we learned earlier, the V3xx only supports the newer P2K05 command set, and will not work with the regular P2K commands.

# Modding the Motorola RAZR V3xx

[Disclaimer: Modding your phone probably voids all kinds of warranties, and is not recommended for anyone.]

Update: I found a better program for RAZR hacking!

This is a quick-start guide for anyone who wants to start hacking away at the RAZR V3xx. For some reason, the other guides that I’ve found on the web either don’t apply to this particular model, or contradict each other and only drove me into further confusion.

I recently “upgraded” my cell phone to a V3xx, with AT&T as my provider. Naturally I wanted to see what kind of features I could access within the phone, and to what extent I could customize its skin, sounds and interface.

Here is the exact sequence of steps I took to get my phone connected to my PC and start modifying its filesystem:

• Go to hacktherazr.com, which is a site with plenty of loosely-knit resources for hacking the RAZR. The only drawback of the site is that it doesn’t contain any information specific to the V3xx, and all of their “get-started” guides only pertain to earlier models.
• From the site’s “Start here” guide (not from their “Downloads” section), download the Motorola USB Driver Installer, install the drivers, and follow the rest of the “Start here” guide.
• From their “Downloads” section, download and install “PST 7.2.5,” which is a utility from Motorola to facilitate communication with your phone. Make sure you apply the “patch” included in the Zip file! Installing this tool will probably require you to restart your computer.
• The last tool that you’ll need is called P2K Commander. But do not use the version that they have on their site — it’s outdated and will not communicate with the V3xx! To get the latest version of P2K Commander, go to the author’s website and download it from there. As of this writing, the latest version is 4.9.D. The author requires you to register in his forums to download the files, but registration is free.
• To prepare your phone for communicating with your PC, you must set its USB mode to “data connection.” To do this, go to Main Menu → Settings → Connection → USB Settings, and set the Default Connection to “Data Connection.”
• On your PC, launch the PST Phone Programmer before you plug in your phone! Let PST load completely before plugging in.
• Now plug in your phone, and give your PC a few seconds to recognize it. Then give PST a few more seconds to configure the phone for communication. You should hear the phone’s “charging” sound two or three times as it’s being configured, as well as the PC’s USB plug/unplug sound.
• Now you’re ready to launch P2K Commander, so launch it. P2K Commander is a gateway to the phone’s internal filesystem. But, before doing anything in this tool, click on its “Options” menu, and check the “Use P2k05” check box! This is the critical step, since the V3xx uses the P2k05 command set, unlike its predecessors.
• Finally, you’re ready to use P2K Commander to your heart’s content. From this point on, you’re welcome to follow the other guides outlined at hacktherazr.com, since most of them still apply.

Here is a very simple example of what could be done with P2K Commander and the RAZR V3xx:

### Changing the secondary display image

When the phone is opened, its secondary display (the smaller display on the outside) only displays the AT&T logo. But suppose you wanted it to display something that was meaningful to you, such as this:

To change this graphic, use P2K Commander to navigate to the phone’s file system (“/a”) and go to the “mobile” directory.

In this directory, there is a file called cl.gif. That’s the file that gets displayed in the secondary display! This means that you can replace this file with whatever you want (as long as it’s called cl.gif), and it will be shown! Of course, keep in mind that this file must be a GIF file with dimensions of 96 x 80. Et voilà:

Short of reprogramming the phone’s firmware, there’s no end to the customizations you can make to your V3xx by simply editing or replacing certain files in the phone’s filesystem using P2K Commander. As always, don’t forget to back up any files you edit or replace. Enjoy!
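Since the phone will only show cl.gif if it really is a 96 x 80 GIF, and since the post’s last piece of advice is to back up whatever you replace, here is an added example (not code from the original post or from P2K Commander) that checks a candidate image’s GIF header for the right dimensions and copies the original aside before you upload the replacement. The function names, the backup path and the constructed sample headers are my own assumptions.

```python
# Added example: validate a replacement cl.gif and back up the original
# before uploading it with P2K Commander. Not part of the original post.
import shutil
import struct
from pathlib import Path
from typing import Tuple

# Dimensions the post gives for the secondary-display image.
EXPECTED = (96, 80)


def gif_dimensions(data: bytes) -> Tuple[int, int]:
    """Parse the GIF header: a 6-byte signature ('GIF87a' or 'GIF89a')
    followed by the logical screen width and height as little-endian uint16."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    width, height = struct.unpack_from("<HH", data, 6)
    return width, height


def check_cl_gif(data: bytes, expected: Tuple[int, int] = EXPECTED) -> Tuple[bool, str]:
    """Accept only a GIF whose logical screen matches the expected size."""
    try:
        dims = gif_dimensions(data)
    except ValueError as exc:
        return False, str(exc)
    if dims != expected:
        return False, (f"wrong dimensions {dims[0]}x{dims[1]}, "
                       f"expected {expected[0]}x{expected[1]}")
    return True, "ok"


def stage_replacement(new_image: Path, original: Path, backup_dir: Path) -> Tuple[bool, str]:
    """Back up the phone's current cl.gif (already pulled to `original` with
    P2K Commander) and only then clear the new image for upload."""
    ok, why = check_cl_gif(new_image.read_bytes())
    if not ok:
        return False, why
    backup_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(original, backup_dir / "cl.gif.bak")
    return True, "original backed up; safe to upload as /a/mobile/cl.gif"


# Constructed minimal headers for demonstration (not real phone files).
GOOD_HEADER = b"GIF89a" + struct.pack("<HH", 96, 80) + b"\xf7\x00\x00"
WRONG_SIZE = b"GIF89a" + struct.pack("<HH", 176, 220) + b"\xf7\x00\x00"
NOT_A_GIF = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in [("good", GOOD_HEADER), ("wrong size", WRONG_SIZE), ("png", NOT_A_GIF)]:
        print(name, check_cl_gif(blob))
```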

# The Intention Experiment(s?)

Unknown to me until now, Lynne McTaggart (author of The Field and The Intention Experiment, discussed in my previous post) has apparently been spearheading a series of actual “intention experiments” online. This is done by giving online readers a certain task to “intend” upon, and observing the results.

I found a very interesting discussion thread on the JREF Forum that details the various iterations of McTaggart’s website over the last several months. Apparently, every “intention experiment” promoted by the website is referred to as “the first intention experiment.” When that experiment fails or produces inconclusive data, the next experiment is called the “first,” and so on.

The “experiments” themselves appear to be completely nonsensical. For example, one of the experiments was to measure the emissions of “biophotons” from plants that were being intended to glow by distant observers. According to the website:

Our first experiments examined the alteration in the tiny light — called biophoton emissions — being emitted from living things. We chose to look at this tiny current of light, because it is infinitely more subtle than, say, cellular growth rate.

Of course! Why measure something tangible, when you can measure something “infinitely more subtle”!

The current incarnation of the Intention website doesn’t even brag about the results of the experiments anymore, but instead directs visitors to purchase McTaggart’s books and DVDs, and join an online community that’s reminiscent of some kind of sad, pathetic support group for people who are uncomfortable saying, “won’t you pray for me?”

Here’s an example of the Intention website’s community posts:

…In 2001 I was diagnosed with Breast Cancer. I had a mastectomy & chemo (experimental) that just about killed me. I had a bad reaction that left me with nerve damage and constant bone/joint/muscle stiffness & pain. Last week I had my annual mammogram on the remaining breast. I rec. a letter saying there was a “suspicious” area, so I have to return on 8-8-07 for more films/sonogram. I would really appreciate as many members as possible to send the intent that all will be fine

Wait a minute… for some reason that has a very familiar ring to it. What if we replace the word “intent” with the word “prayer”? Isn’t this the exact same thing?!

Who are they trying to kid? Instead of praying to an invisible supernatural deity, they’re simply praying to an invisible supernatural “field”! Well, I’m afraid the old adage still applies: Nothing fails like prayer.

# The non-science of Lynne McTaggart

A friend of mine recommended that I read a book called The Field by Lynne McTaggart, and referred to the subject matter as thought-provoking, if not life-changing. A cursory examination of the book on Amazon.com revealed overwhelmingly positive reviews and similar “life-changing” testimonials. So I obtained The Field for myself, as well as McTaggart’s more recent book, The Intention Experiment.

The moment I read the back cover of The Field, I knew what I was getting myself into:

Science has recently begun to prove what ancient myth and religion have always espoused: There may be such a thing as a life force.

Naturally, I become suspicious of a book that demeans and cheapens science by putting religion on a pedestal, and claiming that “ancient myth” knew something all along that science is just now discovering.

The idea of “uniting science and spirituality” is nothing new. Whenever a new buzzword gets coined in science (especially physics), within a month or so, someone will publish a book relating the buzzword with auras, spirits, energy fields, and how anyone can harness the new buzzword to improve their health, marriage, and credit rating. The hot topic in this case is the zero-point field, or more generally, quantum mechanics.

Essentially, both of McTaggart’s books are opinions on various studies and articles published over the years that, according to McTaggart, show a connection between the will (or “intention”) of the mind, and physical reality. With the logical agility of an acrobat (albeit a retarded one), she concludes that, through the effects of quantum mechanics, it’s possible to influence the world around us using nothing but our intentions, hence the “life-changing” reviews associated with the books.

To begin, it doesn’t help that McTaggart is an “investigative journalist” (instead of, perhaps, a physicist?), with no formal training in physics or biology, which are the very subjects she’s writing about.

Nevertheless, McTaggart digs up an impressive handful of studies whose results are certainly curious, as long as we interpret the results the way she wants us to. But then, like most other authors in the genre, she blatantly disregards the vast, overwhelming body of evidence that proves that people do not have psychic powers, that we cannot move objects with our minds, and that we cannot change the world through our intention alone.

Even if we suppose that the results cited by McTaggart are in some way anomalous, there’s no reason to assume that ESP or some other paranormal influence was involved. This kind of assumption would only be made by someone who is predisposed to believe in such things to begin with. A competent researcher would instead look for more plausible factors that may have skewed the results, and inevitably such a factor will eventually be found.

### Appeal to Vanity

People like to feel smart. And books like this appeal to this desire. The average casual reader who is intrigued by quantum physics would love to understand the staggering complexity of the science surrounding it. If only there was a shortcut to understanding quantum physics at the same level as the researchers at Cambridge or MIT….

Unfortunately, there is no such shortcut. Anyone who claims to understand quantum mechanics without any formal training is either misinformed, deluded, or has an agenda. Quantum physics is a maddeningly complex subject. It’s quite possibly the most hard-to-understand theory in all of science, ever. To even begin to grasp it, one would require intimate familiarity with graduate-level mathematics (linear algebra, complex analysis, etc), not to mention a very firm grasp of classical physics.

But then, a book like this comes along and suggests that it can make you understand quantum physics in a paragraph! And not just quantum physics, but how it relates to any number of completely unrelated topics. It makes the reader exclaim, “Wow, I can understand quantum physics in a day! Sucks to be the losers who spent so many years actually studying the subject!”

People also seem to like the fuzzy, addictive feeling of “understanding” or “enlightenment,” even if the feeling is completely false and unwarranted. Well, books like this do just that — provide the reader with a feeling of enlightenment without presenting any actual science or any useful information. The best analogy for this would be mental masturbation — tell the readers who are likely to believe this stuff exactly what they want to hear, and they’ll eat it up like candy.

But in the end, after reading this type of book, all the reader “understands” is just a cleverly-worded regurgitation of the same old pseudo-intellectual nonsense that has no bearing in reality. It is certainly not quantum mechanics.

Recall Richard Feynman’s famous quote, “If you think you understand quantum theory, you don’t understand quantum theory.” McTaggart (the investigative journalist) thinks she understands quantum theory.

### Taking Analogies Too Far

Now, to be fair, a lot of scientific concepts, including aspects of quantum theory, can be easily explained to a layperson using analogies with commonplace objects and phenomena. But any analogy is liable to be taken a bit too literally.

For example, in electrical engineering it’s a highly useful analogy to compare an electrical circuit to a system of pipes with water. The flowing water is electrical current, a pump is a battery, a one-way valve is a diode, a very thin pipe is a resistor, and a rubber tank is a capacitor. However, if taken too literally, the analogy falls apart. If a pipe cracks, water will leak out of it; this does not happen in an electrical circuit. Also, the motion of water in a pipe is caused by the physical pressure of water molecules on each other; in an electrical circuit, the energy is propagated by fields produced by each electron.

Taking analogies too literally is dangerous, and ultimately paves the way towards pseudoscience and voodoo. As you may have guessed, McTaggart takes quantum analogies to the extreme, and beyond.

The biggest error anyone can make in trying to understand quantum mechanics is to make the extrapolation that, since quantum effects occur on quantum scales, they must also occur on large scales. They don’t!

For example, in quantum mechanics, the position of a particle is defined by a complex wave function, the square of which represents a probability density — the “chance” of finding the particle in a given area of space. A naïve interpretation of this would be that “there’s always a slight chance of finding any particle at any point in the universe.”

As profound as that may seem, it only applies on a quantum scale. It does not mean that something as large as a watermelon, or a baseball, or a blood cell can suddenly blink out of existence and reappear somewhere else in the universe!

Similarly, the concept of quantum superposition refers to the idea that, before a particle is observed, it exists in a “superposition” of possible states, and only “collapses” to a certain state once it’s observed. From this, McTaggart makes the generous extrapolation that, since our mind is “the observer,” we can choose which state something will be in when we observe it, thereby creating our own reality!

And finally, the zero-point field refers to the nonzero energy of pure vacuum, the existence of which is a requirement of Heisenberg’s uncertainty principle. But just because the zero-point field isn’t fully understood doesn’t mean that it must be the unifying force of all things in the universe (whatever that means)! And it takes an even greater leap of logic to suggest that our intentions (patterns of tiny electrical impulses) can have an effect on the zero-point field anywhere outside of our brain.

Schrödinger, Heisenberg, Pauli, and Planck must all be spinning in their graves — I doubt that any of them intended for their theories to be so grossly misinterpreted and misapplied. There is nothing in quantum theory that states that any quantum effects occur on a macroscopic scale. To state otherwise would be intellectually dishonest.

### You Can’t Always Get What You Want

Here’s where I get a little personal. To an actual scientist, this kind of book is more than just innocent fun and games — it’s actually insulting; it’s a slap in the face to anyone with the slightest scientific background. Some say that religion is the enemy of science — well I think this is way more dangerous than religion. At least religion doesn’t claim to be scientific in nature. But these “theories” go out of their way to show how they’re “backed up” by science!

So then, what should we tell the thousands of children in the war-torn countries of Africa who are dying of starvation and disease? Surely they “wish” for food and medicine every minute of their miserable day; surely they “intend” for a world of love, joy, and prosperity for themselves, so… where is it? Are they not intending hard enough? How can we, in good conscience, even entertain such a despicable idea? McTaggart apparently can. The message in her books is clear: you can intend your world into existence; and if it’s not working, you’re not intending hard enough.

But did McTaggart “intend” her own prosperity into existence? Of course not! She simply wrote a bestseller that happens to appeal to the wants, needs, and fears of suckers gullible enough to believe her.

All that The Field and The Intention Experiment boils down to is the age-old quest for the genie in a bottle, or rather the embodiment of human laziness: “you can get whatever you want by wishing for it.” Sadly, this is not how the world works.

### Resources

The articles that McTaggart cites in her “amazing” exposition are either studies done by people who already believe in this stuff, or simply articles that talk about actual studies and reinterpret their results as they see fit, much like McTaggart has done, to a second degree.

It’s sufficient to examine just one of McTaggart’s sources to see the quality of data she’s working with:

F. Sicher, E. Targ et al., “A randomised double-blind study of the effect of distant healing in a population with advanced AIDS: report of a small scale study,” Western Journal of Medicine, 1998; 168(6): 356-63

This was a study where 40 patients with advanced AIDS were selected, some of them randomly chosen to receive “remote healing” treatments, while the rest continuing their course of regular treatment. According to the study, subjects who were “healed … acquired significantly fewer new AIDS-defining illnesses,” plus other positive effects, although there were “no significant differences in CD4+ counts” (darn).

Upon reading the abstract of this paper, numerous glaring red flags emerge. The most obvious of these, I think, is that the healers who performed the “psychic healing” were “located throughout the United States during the study,” meaning that the healing was completely uncontrolled.

Furthermore, if the healers and the subjects “never met,” how did the healers know where to direct their “intention for health and well-being”? Did they direct their intention at a photo of the subject? And if so, how does “The Field” know to redirect the intention from the photo to the real person? Wouldn’t this be a line of bullshit that’s even crazier than McTaggart is willing to push?

Curiously enough, there is a note from the editor of the Western Journal of Medicine (Linda Hawes Clever) at the top of the paper:

…Does the paper prove that prayer works? No. The authors call for more research, as do we and the reviewers, for a number of reasons. We note that the study was relatively short and analysed rather few patients. No treatment-related mechanisms for the effects were posited. The statistical methods can be criticized….

We can tell from the editor’s tone that she was being charitable by publishing this paper in her journal, and inserted her note to avoid embarrassment. If studies like this are the “definitive evidence” that McTaggart uses to support her claims, then her theories don’t have a leg to stand on.