Solving an arithmagon

One of my nephews was working on an “arithmagon” puzzle. Here’s an example puzzle:
The idea is to solve for a, b, and c such that:

a + b = 26
a + c = 33
b + c = 35

and, I guess, the idea at his young age is to try different numbers ad-hoc until you find the ones that work.

Well, of course, that’s not how I think these should be done. 🙂

In general:

we have:

a + b = X
a + c = Y
b + c = Z

Three unknowns (a, b, c) and three linear equations; we can solve for the general case:

b = X - a
c = Y - a

therefore

b + c = Z
using b = X - a and c = Y - a:
X - a + Y - a = Z
X + Y - 2a = Z
X + Y - Z = 2a

a = (1/2) * (X + Y - Z)

So we get a = 12 for the original example shown at the start, and from that (using c = Y - a and b = X - a) c = 21 and b = 14.

Easy! Sorry for ruining all the puzzles for my nephew (once he can understand algebra).


My Lutron Experience

I have three Lutron home automation controllers in my house. They operate the motorized window shades and the exterior landscape lighting. My architect wanted me to have many more of these – to control all of the interior lighting. I vetoed that idea and insisted on regular, “you can buy them at home depot” switches for all my interior circuits. I am so glad I did that!

Here’s my Lutron installation with the covers off:

Three Lutron Automation Processors

The reason the covers are off today is because two of them died in a recent power failure. This happens “often”, this is the third time in nine years of owning these that I’ve had to call the automation company in to replace them.

Maybe you don’t think three times in nine years is “often” – but let me ask you this. When was the last time you replaced your microwave oven because of a power failure? How about your TV? Look around your house at all the equipment these days that has a computer inside it – pretty much every appliance you own has one. How many of them have you ever had to replace simply because the voltage fluctuated during a storm and killed the device?

I’m sure it happens from time-to-time, but the consumer-grade appliance manufacturers know that they would have a very bad reputation if their equipment died all the time in power failures. Lutron? Apparently doesn’t care. These processors must have little or no input voltage protection and any glitch on the power lines burns them out. Then, even if just one of them burns out, you end up having to replace all three because the company is constantly obsoleting old versions of these processors when new ones are released. New ones won’t interoperate with old ones.

It’s outrageously bad engineering and it’s hard not to point out that this bad engineering increases sales of the Lutron devices and the billable-hours of the installation/programming service providers.

I “fixed” the “one failed, but you have to replace all three” dilemma by stocking several additional processors the first time I got hosed by that. Unfortunately, today I am having the last spare installed and the next power-glitch will force an upgrade of all three even if just one dies. I am now investigating front-ending the power inputs on these devices with some server-room grade power conditioning instead.

Never, ever, ever, ever, ever allow anyone to talk you into installing this product in your house.

Totality report: Salem Oregon for the Eclipse

Just a short note – was in Salem Oregon for the Eclipse on August 21 2017. Most surprising (and awesome) to me was the stark difference between totality and 99%.

If you weren’t in the totality, you missed something special, regardless of how “close to total” you were. With even just a sliver of the sun still showing, it’s too bright to (safely) look at the sun. You still see that sliver very brightly through your protective glasses, regardless of how “close to total” it is.

At totality, you can’t see anything through your glasses – and you can (safely) take them off! At that point you see the corona of the sun, which is normally completely swamped out by the sun’s brightness. The sky gets dark – really dark, like night – and you can see stars. But it’s odd because the horizon still has daylight or at least dusk-like characteristics, if you are somewhere where the horizon is outside of the shadow zone.

Pictures taken of the totality and the partial stages don’t really illustrate the difference between the two views, because the process of photography (necessarily) equalizes out the stark difference in brightness.

That said, here are two cool pictures taken by someone in my group in Salem at the totality and just after the totality.

Salem Oregon, 8.21.2017
Just after totality

Why the “new” NIST password recommendation makes sense

The National Institute of Standards and Technology (NIST) recently released a new recommendation on authentication, including best practices for constructing passwords.

DISCLAIMER: I am not a password security expert. But I can do some math.

You are already familiar with the previous/old NIST recommendations because these are the recommendations that drive you crazy:

  • Use upper case and lower case
  • Use numbers
  • Use special characters (!@#$% etc)

One way or another those recommendations have worked their way into almost every system in use today, with the corresponding rules that you curse at when you are setting up a new account.

The new rules say that it’s better to just use some number of words in a phrase. No digits or special characters needed.

Why?

Let’s look at the history of password technology and do some math. Don’t be scared – we won’t be doing anything more difficult than raising a number to a power — which, in a throwback to the old days of Fortran, I will represent in this note using ** as in: 2**3 is 8:

2 ** 3 = 2 * 2 * 2 = 8

If I happen to know that your password is only two characters long, perhaps because I heard how many keyclicks there were when you typed it in, and I can guess that (like most people) you picked your password only from lowercase letters from a to z, then how many passwords would I have to try to guess yours? The answer is that there are 26 letters to choose from, therefore:

N = 26 ** 2 = 676

There are only 676 two-character lowercase passwords I have to try if I want to search all the possibilities to break your password. I can break your password by simply trying every combination “aa”, “ab”, “ac” … “zx”, “zy”, “zz” until I find the one that works.

In the old days passwords were usually limited to 8 characters. This limit can be traced all the way back to late 1970s Unix implementations of the DES password encryption algorithms. In the early days of the web most web site servers were running on Unix boxes that still used the same password code from the 1970s and often still had the eight character limit.

Obviously, 676 passwords won’t take very long for someone to try (by computer), which is why password software usually required you to use more characters – often times making you use an eight character password. A dirty little secret of some of those older systems is that they’d let you set a longer password, but in fact only ever computed based on the first eight. The old NIST recommendations were written during a time when that was still a consideration.

If I still know that you only used lowercase letters and there is a maximum of 8 characters, there are:

N = 26 ** 8 = approximately 208 billion

password possibilities.

When crackers “steal password files” from hacked web sites, what they get is not the passwords themselves, but rather their encrypted forms. This looks like a bunch of gibberish characters. When a web site checks your password, it asks you for your password, encrypts it, and sees if it gets the same gibberish it got back when you first set your password.

Web sites generally never store your original password and there is no way to recover the original password from this encrypted gibberish. Thus, when the bad guys steal a “password” file what they really have to do is just guess every possible password, putting each guess through the encryption software, until they find one that matches the gibberish string they have gotten their hands on.

So we can see the advantage of an 8 character password, instead of a 2 character password, is that they will have to try roughly 208 billion guesses to find your password. Technically, on average, they will have to try half of that before they get lucky and find yours, but for the rest of this memo I will ignore that factor of 2 because it’s not really significant and just clutters the discussion.

When computers were slower, running the DES algorithm 208 billion times would take long enough that it wasn’t much of a threat. The calculations could take weeks, but as computers got faster and faster that number gradually came down, and with modern machines this is now a practical method of attack.

This is why the old password recommendations suggested that you use more characters than just lowercase a to z. If, for example, you randomly picked from uppercase and lowercase characters, there would be 52 possibilities for each position in your password, and the number of guesses required to crack your password went up dramatically:

N = 52 ** 8 = 53.4 TRILLION

Simply by adding upper case into the equation the number of possible passwords increases by a factor of 256 (those of you who are insightful with math will note that we doubled the choices – from 26 to 52 – and since there are 8 password characters the possibilities increased by a factor of 2 ** 8 = 256).

If digits (another 10 possible characters) and special characters (!@#$% etc) are added, the possible choices go up to 80 or more. Let’s take 80 possible characters and see what we get:

N = 80 ** 8 = 1677 TRILLION

That looks like a lot of possibilities. And it could be even higher because there are actually more than 80 choices of possible characters people could use in their passwords. But there are some problems. In reality humans get annoyed by all those rules and usually pick passwords that aren’t really randomly selected from all possible characters and they do other things that reduce the possible number of passwords that have to be guessed.

Let’s go back to the upper and lower case combinations (and ignore digits and special characters for now). I said there were

N = 52 ** 8 = 53.4 TRILLION

possible combinations for choosing 52 characters (upper and lower case a to z) eight times. But when most people see this message:

Password must contain at least one upper case character

what do they do in reality?

They take their lame password, and capitalize one letter of it to get past this rule.

How many combinations of passwords are there, if as a bad guy I am reasonably assured that your password only has one uppercase character? Now instead of 52 possibilities for each character, there are still only 26 possibilities, and then there are 8 choices for which one of the positions is going to be upper case. Therefore, instead of:

N = 52 ** 8 = 53.4 TRILLION

possibilities, there are really only:

N = 26 ** 8 * 8 = 1.6 TRILLION

A similar problem occurs with the digits and special character rules. Many people just substitute numbers for letters in a fairly predictable way, e.g., using the digit zero for the letter “o”, and the digit 3 for the letter “e”, and similar things like that. We all do this, thus many passwords in the real world look like these:

pa55w0rd
dumbrul3
thissux!

The bad guys know that people do this, and when they write their guessing software they don’t have to go through all of the character possibilities. The real number of strings they have to guess is much, much, lower than the simple exponentiation math would imply. This knowledge dramatically decreases the number of possibilities that have to be computed to try to crack your password, and the sophisticated cracking software incorporates knowledge such as “try ordinary words but substitute the number 3 for e” and similar tendencies.

Over time the eight character limit went away, so longer passwords became possible, and many web sites will allow you to have fairly long passwords but still encourage you to use all sorts of random characters in an attempt to make that exponentiation math work out to a large number.

But people still pick bad passwords because a truly random password like “x@8Q-99!va@:d” is just impossible to remember; no one picks passwords like that.

The new recommendation from NIST takes that into account, and instead recommends that you just pick a phrase that you can remember and no one else would know. This assumes that modern password systems can accept much longer passwords – which most can (it is likely that there is no practical limit in most software these days, though sometimes the web designers impose limits on the login screens).

So let’s look at some math. Suppose you picked a four word phrase from the vocabulary of an 8 year old child. How many passwords are possible?

According to various studies, the average 8 year old native speaker has a vocabulary of about 10000 words. This means that there are:

N = 10000 ** 4 = 10,000 TRILLION

This number is already 6 times higher than the 80 character, fully-random, 8 character calculation, and keep in mind that we already debunked that math as overly generous because no real human being ever actually picks those gibberish characters randomly. This implies that the advantage of the four word random phrase is far greater than “just” a factor of six we just calculated here.

Most adults will have even larger vocabularies, in the neighborhood of 20,000 to 35,000 words, so the number of four-word phrases you might pick for your password becomes even larger.

Now, of course, people are still people, and they might still pick bad passwords even if they are made out of multiple words:

this is my password
I hate password rules
you can't guess this

and so forth. But if you pick a password that:

  • is selected from a wide range of words
  • uses at least one “unusual” word
  • isn’t obviously based on something people might know about you
  • but is still easy for you to remember

then simply combining four words into a phrase and using that as your password is likely to be more secure than eight characters of gibberish. So, as systems around the web start getting updated to conform to the new password recommendations, hopefully you’ll be able to use passwords like these:

lemon blue flying campfire
tree eating pickle moon
disintegrating alien cheese sundae

It would be best if you tried to include some unusual words; remember, you are trying to make the bad guys have to guess from as many words as possible. Though, even if you stick to “just words an eight year old would know” there are roughly 10,000 choices and that already makes your password harder to guess than a realistic eight character “old style” password. Personally I can type pretty well, so “disintegrating alien cheese sundae” is something I could potentially envision using as a password (ooops, ok, not now that I’ve published this haha).

The beauty of the new NIST recommendations is that most people should be able to come up with memorable passwords that are difficult to guess and draw from between 10,000 and 20,000 words for each word in the phrase. The math is inexorable: there are more combinations for these passwords than there are for shorter gibberish passwords.

Of course, if you pick an obvious phrase that a bad guy can guess, that’s your fault. Don’t set your new password to “I love my cat” if everyone knows you love your cat.

If you are paying attention, you will note that the new NIST recommendations are somewhat equivalent to saying “hey, just use a longer password”. So my example of “disintegrating alien cheese sundae” is actually a password of length 33 (including the spaces). Thus in some sense the NIST recommendation isn’t really anything new or earth-shattering. We already know that every time you add one character to a password, it gets harder to guess by a factor related to how many possible characters there are. In fact, a 33 character random password made out of only lowercase letters would have:

N = 26 ** 33 = an enormously large number (10 to the 46th)

possibilities. But, of course, no one is going to have a 33 character random password because it would be impossible to remember. So the NIST recommendation is actually a sneaky way to get us to have longer passwords, at the cost of choosing from a less-than-random set of characters (i.e., those that combine into actual words). There’s no magic here, it’s simply the observation that the longer the password is the better it is, and if we have to give up some randomness (fewer character choices than totally random) to get to this longer password length, the math still works out favorably.
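The search-space arithmetic above, carried through in code as an added example (not part of the original post). It reproduces each of the post's figures, adds the size of each space in bits (each extra bit doubles the attacker's work), and separates out the factor-of-two "expected guesses" correction the post sets aside. The constants for the symbol set (80) and the child's vocabulary (10,000) are the post's own estimates, not measured values.

```python
"""Search-space estimates for the password policies discussed in the post.

Added example, not from the original post. Reproduces the post's figures
(26**2, 26**8, 52**8, 80**8, 26**8 * 8, 10000**4, 26**33) and adds bits
and expected-guess counts.
"""
import math

LOWER = 26                # a-z
UPPER_AND_LOWER = 52      # a-z plus A-Z
FULL_SYMBOL_SET = 80      # the post's "80 or more" estimate with digits/specials
CHILD_VOCABULARY = 10_000 # the post's 8-year-old vocabulary figure (assumption)


def random_keyspace(alphabet_size, length):
    """Every position chosen independently and uniformly: N = A ** L."""
    return alphabet_size ** length


def one_capital_keyspace(length):
    """The post's 'realistic' model: an all-lowercase password with exactly one
    position capitalised to satisfy the upper-case rule.  26 choices per
    position, times L choices of which position carries the capital."""
    return LOWER ** length * length


def passphrase_keyspace(vocabulary_size, words):
    """Words chosen uniformly and independently from a vocabulary."""
    return vocabulary_size ** words


def bits(keyspace):
    """Search space expressed in bits (log2).  Each extra bit doubles the
    work of an exhaustive search."""
    return math.log2(keyspace)


def expected_guesses(keyspace):
    """On average an exhaustive search finds the password halfway through;
    this is the factor of two the post deliberately ignores."""
    return keyspace // 2


def compare_policies():
    """Return the post's scenarios as (name, keyspace, bits) tuples."""
    scenarios = [
        ("2 lowercase chars", random_keyspace(LOWER, 2)),
        ("8 lowercase chars", random_keyspace(LOWER, 8)),
        ("8 mixed-case chars, truly random", random_keyspace(UPPER_AND_LOWER, 8)),
        ("8 mixed-case chars, exactly one capital", one_capital_keyspace(8)),
        ("8 chars from 80 symbols, truly random", random_keyspace(FULL_SYMBOL_SET, 8)),
        ("4 words from a 10,000-word vocabulary", passphrase_keyspace(CHILD_VOCABULARY, 4)),
        ("33 lowercase chars, truly random", random_keyspace(LOWER, 33)),
    ]
    return [(name, n, round(bits(n), 1)) for name, n in scenarios]


if __name__ == "__main__":
    for name, n, b in compare_policies():
        print(f"{name:42s} N = {n:,d}  ({b} bits)")
```

The "one capital" row is the interesting one: the policy looks like 52 ** 8 on paper but, with the usual human shortcut, is only about 3 bits stronger than plain lowercase.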

I’m looking forward to getting rid of my ridiculous eight character gibberish passwords and replacing them with easier to remember phrases, though I imagine it may take many years for the tedious old NIST suggestions to become thoroughly debunked and for the newer methodology to find its way into account password rules.

Netgate SG-4860 installed

Finally got rid of the last soekris/pfsense router in my empire. This sg-4860 replaces a net6501-70 that had 8 intel interfaces. I “need” (well, use) five, and have plans for a sixth subnet. The Netgate box has six interfaces so it suffices both for the current needs and the planned one-additional subnet. I don’t anticipate ever going beyond the sixth subnet, and if I do there’s always VLAN trunking options to get more interfaces out of the existing box (and/or multi-hop routing via a secondary router).

Installation went without any glitches. Still running pfsense in basically the same configuration; just had to update the interface names in the configuration XML file.

Now the question is what to do with an old, but perfectly functional, nanoBSD/freeBSD box…

Ordered replacement for my last Soekris router

I am down to my last (and largest configuration) www.soekris.com net 6501 pfsense router, and just ordered a replacement for it from netgate. I’ve already replaced two other routers in my world (at other locations) with netgate products. The nice thing about them is they are directly supported with pfsense, so it’s just an easy way to go once you’ve decided to run pfsense.

This last one, at the hilltop, has been up now for over 454 days:


The router is (obviously) on a UPS. I’ve had the router for even much longer than that; I’m not entirely sure what made me reboot it over a year ago – probably a software upgrade.

Alas, it is time to replace it, primarily because I want to be able to run the newest versions of pfsense that no longer support 32-bit platforms. This box can run in 64-bit mode, but the board itself lacks one specific feature the generic freeBSD 64-bit build requires. I know I can still run pfsense by taking the stock distribution and wedging in a custom kernel build, but it just seems wiser to replace this box with something newer and fully supported anyway.

I took the easy (albeit expensive-ish) way out and ordered a netgate SG-4860-1U. I use 5 different networks in my configuration (only four made it into the screen capture) and though I could certainly achieve that via “router on a stick” with VLAN trunking and a suitable switch, I prefer to have a router with true multiple NICs on general principles.

Not sure what I will do with the soekris box when the new netgate gear arrives; it makes a great Unix freeBSD sandbox but I really have no use for such a thing. Maybe I can turn it into some ridiculous lego contraption controller someday 🙂

Amazon AWS Route53 Region: us-east-1

This is one of those things that seems hard to find even though it is in fact documented, so I thought I’d post this note in the hope that someday it will pop up on someone’s google and be helpful.

So, here are some keywords of note: This is about Route53, the DNS service in Amazon AWS, and the “region” field. The way I ran into it I was using the DynamicDNS feature in my router (pfsense), which can directly update a Route53 record. But it wants the ZoneID in this form:

REGION/ZONEID

I had a ZoneID — they look something like “Z2X8NGLIQTGFO4” (I’ve altered this from what my real ZoneID is of course). But I didn’t know what my region is. In general “my” (best/default) region is “us-west-2” but that didn’t work (generated a complaint about an invalid region). I couldn’t find any way to reveal what the correct region for my Route53 service was.

The reason is … all Route53 services are in us-east-1. That is in fact documented but you really have to dig into the AWS docs to find it if you didn’t already know where to look. So, since it took me a while to find, I wrote this note, in the hope that someone else might stumble onto it via google and get to this answer more easily than I did.

It’s extremely frustrating because the user interface will show you the ZoneID but seems to have no information at all on the Region. It would have been nice if they threw that in the info panel even though the answer is always just us-east-1. Oh well.

2017 WSOP Results

Back from too-much-Vegas. I didn’t go for the entire WSOP; I just went for two separate shorter visits. I played fewer tournaments than I have in years past and took more days off; it was much more civilized that way.

I’m reasonably happy with my results. I cashed 64th in a WSOP $2500 NLH (1086 runners). I busted out early in a WSOP six-max. I cashed in several side tournaments, the deepest one being 13th in an $1100 Wynn NLH (486 runners if I remember right).

My Main Event wasn’t very satisfying; I busted on day one. There weren’t any specific bad beats or crazy situations; it was just one of those tournaments where you keep making strong hands that turn out to be second-best and you end up having to pay off the value bets. Then of course you eventually get down to the point where you are looking to jam pre and race. My final hand was a truly well-executed trap that got my opponent all-in preflop w/K8 vs my AK, but … well, I did already tell you that it was my final hand. 🙁

At a Venetian cash game we got confirmation that people still don’t understand the rules about when short all-in raises do or do not re-open betting action. The hand went like this post-flop:

  • Three Players, A, B, C.
  • A bets $45
  • B makes it $135 (a raise of $90 over A)
  • C pushes all-in for $195 (a raise of $60 over B)
  • A calls. He clearly could have raised if he wanted to, as he is facing a total raise of $150 from his initial bet of $45, and of course B’s raise alone re-opened action to A. That’s not the question here, and anyway as it played out he just called.

Now we get to the interesting part. B says “ALL IN”. To review at this point: he had raised to $135 (when facing $45) and now was facing an incomplete raise to $195 from an all-in. The dealer does a quick calculation and says that since C’s all-in, which is not a complete raise, was $60 over the $135, and B’s original raise size (the size of the raise, not the total bet) was $90, that B can raise here because $60 is more than half of $90.

The dealer was misapplying the 50% rule, which is a rule about mistakes (e.g., throwing out $300 if facing a bet of $200) and is not supposed to be used for short all-ins. I’ve written about this before though more from the perspective of TDA rules and tournaments. But this particular rule applies equally in cash games and tournaments.

At this point the dealer incorrectly allows B’s ALL-IN, and player A questions whether that should have been allowed. The dealer reiterates “yes, because over 50%”.

I wasn’t in this hand and I was a little bit conflicted about what the right thing to do at this point was. The rules explicitly say that players should “protect the integrity of the game by pointing out errors that occur” and this is an error, but there’s also a strong sense of “mind your own business” in cash games. I decided that it was likely someone would be upset either way – whether the error was corrected or allowed to stand and so I blurted out: “I don’t believe that’s correct; the rule is it has to be a full raise”.

At which point the dealer recalculated the $90 and $60 deltas and asked me to confirm his ruling because it was more than 50% of the way (if you are paying attention, you will note that this means the dealer didn’t really listen to what I had to say). At this point one of the players in the hand SHOULD have called for the floor, but none of them did. I decided I had made the only factual statement I could make and answered all further questions (there were several) with “I’m not in the hand.”

After a few moments of confusion with a bunch of other players chiming in the dealer did the right thing and called the floor over.

The floors at the Venetian are all pretty good and this one gets it right: Ruling: B cannot raise. The floor reiterated that it takes a FULL raise amount to re-open action; the fact that the $60 incomplete-raise of the all-in is more than 50% of the way “there” was irrelevant.
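The hand above replayed under both rules, as an added example that is not part of the original post: the floor's "full raise required" rule and the dealer's misapplied 50% rule. Player names and bet sizes are the post's; the class and method names are my own.

```python
"""Does a short all-in re-open the betting?  Added example, not from the post.

Replays the Venetian hand (A bets $45, B makes it $135, C all-in for $195)
and asks whether B may raise again.  reopen_fraction=1.0 is the correct
rule (only a full raise re-opens action); 0.5 models the dealer's error.
"""


class BettingRound:
    """Tracks the current bet, the size of the last full raise, and which
    players have already acted since that raise and so are 'closed' (they
    may only call or fold until a further full raise reaches them)."""

    def __init__(self, reopen_fraction=1.0):
        self.reopen_fraction = reopen_fraction
        self.current_bet = 0        # largest total wager so far this round
        self.last_full_raise = 0    # size of the raise that set the bar
        self.closed = set()         # players whose action is not re-opened

    def wager(self, player, total):
        """Player bets or raises to `total` (their whole wager this round)."""
        increment = total - self.current_bet
        if increment <= 0:
            raise ValueError("a wager must exceed the current bet")
        if self.last_full_raise == 0:
            full = True   # opening bet: it sets the first raise size
        else:
            # Correct rule: increment must be at least the last full raise.
            # Dealer's rule: half of it is enough.
            full = increment >= self.reopen_fraction * self.last_full_raise
        if full:
            self.last_full_raise = increment
            self.closed = {player}   # everyone else's action is re-opened
        else:
            self.closed.add(player)  # short all-in: re-opens nothing
        self.current_bet = total

    def call(self, player):
        """Calling closes the caller's own action."""
        self.closed.add(player)

    def can_raise(self, player):
        """True if this player still has the option to raise."""
        return player not in self.closed


def venetian_hand(reopen_fraction=1.0):
    """Replay the post's hand and report whether A and B may raise."""
    r = BettingRound(reopen_fraction)
    r.wager("A", 45)
    r.wager("B", 135)   # raise of $90: full, re-opens action for A
    r.wager("C", 195)   # raise of $60: short of the $90 full raise
    return {"A": r.can_raise("A"), "B": r.can_raise("B")}


if __name__ == "__main__":
    print("floor's rule:  ", venetian_hand(1.0))   # B cannot raise
    print("dealer's rule: ", venetian_hand(0.5))   # B (wrongly) can
```

Under the floor's rule A may still raise (B's $90 raise was a full raise that re-opened A's action) but B may not; under the dealer's 50% rule B is wrongly allowed to move all-in.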

As the hand played out it turns out none of this really would have mattered either way to the action. It was nice to see a confirmation of the rule in practice, and it was nice that no one in the hand threatened to kill me for sticking my nose into their business. 🙂

Goodnight Soekris

Sadly, Soekris is shutting down:

Soekris Engineering, Inc.

April 24, 2017
Due to declining sales, limited resources available to design new products, and increased competition from Asia, Soekris Engineering, Inc. has suspended operations in the USA as of today.

It has been our pleasure to serve our customers over the last 16 years. We are proud that we provided reliable, low-power communications computers Made in the USA to many markets worldwide.

Thank you for your business.

I built several pfsense routers with various soekris boxes and they’ve all been running flawlessly for years. I just looked at my router at the hilltop and it has been running for 381 days without a reboot (this router is on a UPS for no especially good reason but it does allow for long uptime runs).

The box has no fan, no moving parts (the filesystem is a nanobsd configuration on a CF card), it’s rack mountable, and it has six ethernet ports (I added a 4-port PCI card). It’s awesome.

The pfsense folks sell hardware (Netgate) now customized with pfsense right out of the box. I have one of their boxes in another location and it works perfectly well too, though I wish they’d support a nanobsd configuration (for the read-only filesystem and the alternating/two-boot-slice concept for updates). Eventually I’ll change out the soekris boxes for newer gear; but for now … 381 days of uptime and counting.
