Password Expiration

For anyone who follows infosec, or even just basic tech, news: NIST has made a landmark change to its password guidelines:

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

The change came last month, with NIST Special Publication 800-63B.  Now, to clarify, NIST cannot enforce these standards upon the private sector.  However, as a general best practice, businesses incorporate the NIST standards anyway, a decision with which I personally don’t find any fault.

But a consequence of this has been the eternal password debate.  I jested at the very popular entropy argument, and offered my own thoughts on the matter, specifically that the mathematical models change depending on how one views a password’s derived length.  And while this argument still continues, at least now we can finally acknowledge that once a “good” password has been created, the human elements create enough points of failure to negate any advantage of regular password changes.

I therefore beseech you, my employer: can we now please stop with the mandatory 90-day password changes?
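As an added illustration that is not part of the original post, here is a small Python model contrasting the legacy 90-day rotation rule with the SP 800-63B rule quoted above: the old rule resets whoever is merely "old", the new rule resets whoever shows evidence of compromise. The account records, dates and compromise indicators are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Account:
    user: str
    last_password_change: date
    # Evidence of compromise (constructed labels; e.g. a breach-feed hit
    # or a credential-stuffing alert from the SOC). Empty means no evidence.
    compromise_evidence: list = field(default_factory=list)


LEGACY_MAX_AGE = timedelta(days=90)  # the mandatory 90-day rotation rule


def legacy_90_day_policy(acct: Account, today: date) -> bool:
    """Force a reset whenever the password is older than 90 days,
    regardless of whether there is any sign of compromise."""
    return today - acct.last_password_change > LEGACY_MAX_AGE


def nist_800_63b_policy(acct: Account, today: date) -> bool:
    """SP 800-63B: verifiers SHOULD NOT force arbitrary periodic changes,
    but SHALL force a change on evidence of compromise. Age is ignored."""
    return bool(acct.compromise_evidence)


def accounts_needing_reset(accounts, today: date, policy) -> list:
    """Return the sorted list of users the given policy would force to reset."""
    return sorted(a.user for a in accounts if policy(a, today))


# Constructed sample data: one stale-but-clean account, one fresh-but-compromised
# account, and one that is both recent and clean.
TODAY = date(2017, 7, 15)
SAMPLE = [
    Account("alice", date(2016, 12, 1)),
    Account("bob", date(2017, 7, 1), ["credential appeared in breach dump"]),
    Account("carol", date(2017, 5, 1)),
]

if __name__ == "__main__":
    print("90-day rule resets:", accounts_needing_reset(SAMPLE, TODAY, legacy_90_day_policy))
    print("800-63B rule resets:", accounts_needing_reset(SAMPLE, TODAY, nist_800_63b_policy))
```

Note that the 90-day rule never touches bob, whose password is fresh but already known to an attacker, while it burdens alice, whose old password shows no sign of trouble.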

–Simon

Genetics

Liz bought me one of those genetics tests for Father’s Day.  I’ve been waiting for the results since, but they came in today, thus putting to rest the quandary of whether I’m Irish or Scottish.  Turns out I’m definitely not Irish, at least not according to the DNA in my saliva.

I assume Great Britain is referring to the isle, as the regional color indicates, which would naturally include the Scots, thereby explaining the Moorhead surname.

This also confirms the German in me, which is no surprise.  That’s mom’s side.

I surmised that there was some Scandinavian blood.  They had a tendency to spread their genetics all over during the Viking age.  So confirmation on that too.

The Iberian genes were somewhat unexpected, but since we’re going back thousands of years, Iberia was Celtic/Gaulic, so that makes sense.

The test also provided me an analysis of where my people have migrated within the last several generations.  Cincinnati isn’t exactly a surprise (again, mom’s side).

Looks like I’m living with my own.  No major genetic shockers.

–Simon

Pumpkins!

Volunteer plants are always fun.  Nature has done the selection process for me.  I don’t have to cull or deal with failed germination, just transplant and be rewarded with a hardier stock, already more adapted to my specific micro-climate.  I mentioned these plants previously, but now I have actual fruit.

I still don’t seem to be having major problems with the vine borers either, so maybe everything’s happily maintaining in symbiosis.  I’ve also been pretty generous with the nitrogen additives, given through foliar feeding, which has yielded giant leaves, resembling tropical undergrowth.

I have two promising jack aspirants:

I’d swear this was a watermelon

–Simon

The Filename Doesn’t Match

I usually refrain from posting about my job because 1) There’s always someone with no sense of humor who takes things too literally/personally, and 2) There’s always a fine line between giving context and disclosing too much about things that aren’t public knowledge.

But I will attempt to traverse this line because in this scenario the story involves no widespread PR disaster, nor does it explain anything proprietary, simply basic technology.  All is paraphrased.  Here goes:

I notice an email campaign isn’t launching.  I ask the guy who schedules them with the FTP server why.

FTP Guy:  “The filename doesn’t match the email platform template, so the SAS code is sending data to the inactivate template.”

Me:  “Why doesn’t the filename match?”

FTP Guy:  “Because when you requested the original test file from the Data Team, you gave them the name of the old template.”

Me:  “Fuck.”

I consult a colleague.

Me:  “Why did the test files launch if the filename was for the wrong template?”

Colleague:  “Because the test files will still work for test emails, just not live data.”

Me:  “So I’d have no way of knowing the filename was wrong based on the test emails?”

Colleague:  “Correct.  You’d have to go back and verify a successful launch with the [generated report A] for each email campaign you manage.”

Me:  “I checked [generated report B], and it showed volume.”

Colleague:  “[generated report B] only shows activity between SAS and the email platform, which was sending files as intended, just to the inactive template.”

Me:  “So [generated report B] does not confirm live email activity?”

Colleague:  “No.”

Me:  “Fuck.”

I consult my manager.

Me:  “So, this email didn’t go out because the filename mismatch caused SAS to send data to an inactive template.”

Manager:  “Why was there a filename mismatch?”

Me:  “Because I requested a test file for the wrong template, but it still worked for test emails so I didn’t notice.”

Manager:  “Why didn’t you notice that the email wasn’t launched?”

Me:  “I checked [generated report B] to confirm email activity, which I just found out only shows activity between SAS and the email platform, and does not confirm emails go out.”

Manager:  “Okay, I will log this error.”

I go to inform the client liaison.

Me:  “So, this email didn’t go out because the filename mismatch caused SAS to send data to an inactive template.”

Client Liaison:  “Why was there a filename mismatch?”

Me:  “Because I requested a test file for the wrong template, but it still worked for test emails so I didn’t notice.  I checked [generated report B] to confirm email activity, which I just found out only shows activity between SAS and the email platform, and does not confirm emails go out.”

I get summoned to a meeting with my manager.

Manager:  “We have to put together a report and fill out this form explaining what happened, then discuss with your colleagues how to prevent it from happening again.”

Me:  “Okay.”  I fill out the form as follows:  “I requested a file for the wrong template, but it still worked for test emails so I didn’t notice.  I checked [generated report B] to confirm email activity, which I just found out only shows activity between SAS and the email platform, and does not confirm emails go out.”

I consult a colleague for advice.

Me:  “How do I regularly verify email activity?”

Colleague:  “You check [generated report A] for each email you’re managing.”

Me:  “Is there a quicker way to check all emails at once?”

Colleague:  “You can check [generated report C].”

Colleague shows me how to generate [generated report C].  I return to my manager.

Me:  “So in order to prevent this issue again, I will generate [generated report C] regularly to confirm email activity.”

Manager:  “How do you generate [generated report C]?”

I show my manager how to generate [generated report C].

Manager:  “Okay, I will add that to the report.”

I get summoned to a surveillance meeting to discuss the larger implications of the error.

Surveillance:  “What caused this email to not go out?”

Me:  “I requested a file for the wrong template, but it still worked for test emails so I didn’t notice.  I checked [generated report B] to confirm email activity, which I just found out only shows activity between SAS and the email platform, and does not confirm emails go out.”

Surveillance:  “Why did you not notice the email didn’t go out?”

Me:  “I checked [generated report B] to confirm email activity, which I just found out only shows activity between SAS and the email platform, and does not confirm emails go out.”

Surveillance:  “How will you check for this in the future?”

Me:  “I will generate [generated report C] regularly to confirm email activity.”

Surveillance:  “How will you prevent it from happening again?”

Me:  “I now know how to properly request a test file for the right template, that test emails still generate with a filename mismatch, and that [generated report B] does not report email activity.  I will now generate [generated report C] regularly to confirm email activity.”

End of meeting.

The above chain of events has been greatly shortened.  Bureaucracy is a consequence of large groups of people all performing specialized roles, and since this is a large company, it’s inevitable.  But one thing is certain, and that’s that I won’t request a file for the wrong template, thus creating a filename mismatch, ever again!

–Simon

Minty

I realize of course that it’s a little silly to get excited about mint growing well, but look at the size of this sprig:

And this was only one of several sprigs that Liz cut, as it was starting to crowd the rest of the herb garden.  And so, faced with the conundrum of too much mint, what should we do?  It would be a shame to waste it.

If you know anything about me, then you probably already figured out what happened.  Hehe, MOJITOS!  Some classics are eternal for a reason.

–Simon