On Passwords

I suspect I’m preaching to the choir here, since most readers/co-bloggers are quite tech-savvy. But here goes…

Edit: I’ve revised this post a little, after realizing that the first version was epically long and lacked ‘sections.’

Understanding the Risk: And Why You Are at Risk

(Short version: everyone is likely to have someone try to crack their password, and it’s going to be done by a fast computer over the Internet.)

When it comes to passwords, a lot of people think, “Who would try to crack my password?” And indeed, I used to think that, too. Using “c” as a password might work great, because no one is going to sit down at your computer and guess that.

But this way of thinking is a serious blunder. It’s like asking, “Why would a mugger pick my purse?”, “Who would send me a virus?” or, “Why would lightning strike my house?” and concluding that you’re safe. Those threats don’t single anyone out, and neither does the one that’s after your password.

The “threat” that passwords protect against, though, isn’t a guy in a Hamburglar mask who’s going to sit down at your computer and type in various possible passwords. The threat is automated attacks over the Internet. They don’t ‘single anyone out’; they go after every account they can find. No one sits down and types out possible combos; a program guesses thousands of passwords a second.

If you’re like most people, you don’t have a fortune in your bank account, don’t have any big enemies, and don’t have access to anything all that special on the computer. But you’re at risk. While “hackers” is a nice scary term to be afraid of, the reality is that a lot of what goes on now is carried out by viruses and worms. Someone’s computer gets infected with a virus that will seek out accounts and try to guess the password.

It’s almost a classic human move to try to protect against threats without understanding them. A while back I read a neat piece on burglars, that involved interviewing a few burglars and a few people who had their homes broken into. And it really turned my thinking on its head. You know those ingenious “book safes,” where a book is hollowed out and used to store jewelry and cash, disguised as just another book on your bookshelf? To you and me, it seems like a great idea. It’s surrounded by lots of other books, so we might never notice. The problem is that we never stop to think like a burglar. People who had their homes broken into routinely mentioned that their bookcases were knocked over. That ultra-hidden “book safe” will spill your gems all over the floor. And you know those hollowed-out cans of Campbell soup that are sold to hide your valuables in? They’re actually not a bad idea, but most people don’t think it through enough, and end up leaving a fake can of soup on their dresser, where it looks ridiculously out of place and practically screams, “Look, the valuables are here!” One of the burglars who was interviewed mentioned that he robbed a house where the owners had apparently thought to stash a bunch of their cash in their DVD player. The problem is that he was looking for electronics to pawn, so the cash that the owner had meant to ‘hide’ became an unintentional bonus for the crook.

So no one is going to ‘single you out’ to break your password. You’re going to be one of thousands, and in most cases, they really don’t know or care who you are.

How Passwords are Cracked

Let’s start with a seemingly-irrelevant story. Bear with me, because it’s entirely relevant. Every now and then scientists, many of whom seem to devote their lives to writing boring theses about boring topics, do something that makes me chuckle. Such is the case with the Infinite Monkey Theorem. You’ve probably heard of it, in fact: “An infinite number of monkeys, on an infinite number of keyboards, will almost surely eventually reproduce the complete works of Shakespeare.”

The theorem really has nothing to do with monkeys, keyboards, or Shakespeare, though. It’s about probability, especially when huge numbers (especially infinity) are involved. For example, consider a no-hitter game in baseball. For the sake of argument, let’s (completely arbitrarily, but believably) say that the odds of a MLB pitcher having a no-hitter game are 1 in 10 million. Most pitchers, then, will probably go their whole career without having one. But now suppose that a given pitcher, by some strange chance, pitches in 17 billion games. This, of course, is a pretty unreasonable assumption: assuming one game a day, year-round (365 days a year), this would take about 46.5 million years. But that’s really the point of the theorem: as the number of ‘iterations’ of something grows, approaching infinity, the probability of it happening approaches 100%. If the odds are 1 in 10 million, and he throws in 17 billion games, it’s practically guaranteed that he’ll throw several no-hitters.

Passwords, and encryption in general, are often compared to locks. The big difference (besides one being tangible and the other being a complex mathematical science) is that locks can be pretty trivially picked. Most methods of encryption in use have been thoroughly analyzed by teams of people with advanced degrees in fields you and I haven’t even heard of, so most people agree that you can’t really ‘pick’ encryption: hundreds of the brightest minds couldn’t find a shortcut. If passwords are like keys, then, the only option is to try lots and lots of keys until you find the one that opens the lock.

And here’s where the Infinite Monkey Theorem comes in. Computers are excellent at mechanical tasks like generating every possible password. Even a modest computer can guess thousands of passwords a second. To use the key analogy, you get a key-cutting machine and lots of blank keys, and try every one. There are a lot of possibilities, but computers make short work of it. A password with only a million possibilities is dangerously weak: at a few thousand guesses a second, that’s under an hour’s work. And that’s the rate for guesses sent over the network, one login attempt at a time. Someone who has stolen a copy of a site’s hashed passwords can test guesses on his own hardware, where the rate is billions a second. Increasingly powerful computers, in a way, are the infinite monkeys: they make it extremely easy to simply try every single possibility.

But It’s Easier Than It Seems

(Short version: a lot of common mistakes can make your seemingly-good password easier to crack than you’d like to think.)

The problem is that most people make it easier than it should be. Falling back on our key analogy, the typical key has five or six ‘teeth’ that stick up to move the pins in the lock to just the right height. If all the pins are at the right height, the lock cylinder can be turned, and the door will open. There are nine or ten possible ‘heights’ for each ‘tooth.’ (Note that I’m not a locksmith, and I’m simplifying things a bit anyway. If you’re seeking to know everything there is to know about how tumbler locks work, I’m not the one to listen to.) Assuming five ‘teeth’ and nine possibilities for each, we get 9 x 9 x 9 x 9 x 9 (9^5) possibilities, which gives 59,049 possible combinations. It seems that we’d need to make 59,049 different keys to open the lock, then.

But we probably don’t need that many. For one, 59,049 is the total number of possibilities. Cutting 59,049 keys guarantees you’ll have the right one. But what if the third key you try happens to be the right one? That’s incredible luck, but any of the possibilities are (theoretically) equally probable. And you can figure that there’s a 50% chance that you’ll get it in 30,000 tries or less.

But there’s another thing that makes guessing passwords even easier. (Time for another analogy.) If you’re anything like me, you find yourself, on a daily basis, looking around trying to figure out where you left your car keys. If I was really, really bored, I could probably make a list of 10,000 different places in my house where my keys could be. However, you probably wouldn’t sequentially run through that list of every possible place. It’s possible that I left my keys behind the refrigerator again, or that I decided to store them at the bottom of the gallon of milk in the fridge this time. But, unless you’re absolutely insane, you’re going to start your search by looking on the kitchen counter, and then move to my desk. And the odds are pretty good that you’ll find them in one of those places, without ever having to take apart my printer or disassemble the lamps. This whole comment sounds incredibly ridiculous, I’m sure. Of course you’re going to start your search by looking in the most common places. And so do password cracking tools.

How many people do you think have “password” set as their password? “asdf” and “qwerty” top the lists, too, as does a blank password. And “monkey” seems to make a lot of lists for reasons no one’s ever really figured out. So password crackers start with a list of common passwords. Most lists have a couple hundred to a couple thousand of the most common passwords on them. It’ll take maybe 2 seconds for the computer to run through all of them, and it seems like they get an insane number of results right there.

If that fails, they’ll then fall back to a list of every word in the dictionary. “doorjam” might not be the most common password, but it’ll probably get cracked in about 30 seconds as the script runs through the dictionary.

If that fails, it then has to methodically search everything. Your goal is to make sure that any password cracker ends up here. It’s kind of like the locks on your house: a would-be robber might try jiggling the handle to see if it’s open. And if it’s locked, he might give the door a quick kick to see if it breaks open. If it does, you’ve made it super-easy for him to get in. But if it doesn’t, he’s got to do something really hard (maybe take a torch to cut the lock off, or work on picking the lock). So most people might just move on to find an easier target. But read on to see why you shouldn’t stop at making a “slightly” hard password.

What Are the Odds?

So you know that using a dictionary word is a really bad idea, as is using any of the super-common passwords. (“qwerty” technically isn’t in the dictionary, nor is “abc123.” But both will be tried even before running through the dictionary.) The other bit of advice that’s common to hear is that you want a long password. And this is incredibly good advice.

Let’s assume, as a round number, that there are 75 possible characters for a password (a-z, A-Z, 0-9, and a handful of things like +, &, and whatnot). A one-character password, obviously, would have 75 possibilities. Two characters brings it to 75 x 75 (75^2), or 5,625 possibilities. Each character added, then, means the field of things a brute-force cracker would have to try is seventy-five times bigger. This grows unbelievably quickly. Six characters would leave 178 billion possibilities. That’s an awful lot, but remember that thousands a second can be tried. Go for 8, and you’re in numbers that no one can make sense of without exponents (1 x 10^15, or a quadrillion). Spring for 10 and you’re at 5 x 10^18, which is 5 quintillion, a number so ludicrously large that I had to look it up to see what it meant.

But do remember that the length of your password alone doesn’t guarantee anything. “password” is eight characters long, after all, and that’s a pretty good length, but it will probably fall in less than a second, because it gets tried long before any brute-force stage begins. The real point here is that each character you add can make a password that’s already unpredictable massively more difficult to crack.

Generating a Good Password

So you’ve read this far. (Or just jumped to the headline that looked like it was worth reading.) You know to avoid dictionary words, and that you want a long password. But what does that leave? Will you be able to remember a “good” password? The answer is yes, and it’s easy.

Start with a “word” you’ll remember, but that isn’t a word in the dictionary. E-mail addresses, screen names, license numbers, model numbers, serial numbers and the like are pretty good. Avoid anything that’s all numbers or just really common. And even though “the enemy” your password guards against probably doesn’t know you, it’s still bad practice to pick something easily linked to you: don’t use your screenname, for example. But how about your neighbor’s license plate, or your boss’s e-mail address? Remember that this is just the starting point, not your final password.

If it’s something short, add something else to it. “n1zyy” isn’t good because it’s short, and “xts3000” (a radio model number) isn’t that good, either. Really, they’re not even good starting points: they’re both short, they’re both simple, they’re both things someone might guess about me, and the numbers are quite simplistic. (“n1zyy” is an especially bad choice for me, given that it’s also my username. That’s right up there with using “password”.)

But since I don’t want to use any “excellent” choices as an example to post on the Internet (which would transform it into a really bad choice), let’s use them for this example. We’ll start by just combining them: “n1zyy+xts3000”. Thirteen characters long, neither of them in the dictionary. We’re doing alright. But stopping here is no good.

You then want to apply various “changes” to this, such as:

  • Deliberate “typos” (“xts3000” might become “xst3000”)
  • Using l33t (“password” would become “p4ssw0rd”… “n1zyy+xts3000”, incidentally, doesn’t really lend itself to any l33t at all, but this is atypical.)
  • Inserting random characters (oddball ones, like & or _ or :, are excellent)
  • Changing capitalization (“password” is bad; “pAsswoRD” is better, though still bad)
  • Incrementing/decrementing numbers (or letters): “xts3000” might become “xts2999,” though it’s better to not just shift by one, and it’s better to treat each character individually (“xts4111” adds ‘1’ to each digit individually). Or, even better, be entirely inconsistent.
  • Hold down shift on some of the numbers (“1234” becomes “!@#$”) as an easy way to mix in ‘harder’ characters.
  • Avoid the things everyone does, like adding “1” to the end of your password and using “+” to merge two words, in particular. You might also want to know that l33t, in and of itself, is a common trick for passwords. If you catch yourself doing any of these things, run through the list again to change those things a little more. (“p4ssw0rd” might become “p5ssw1rd”, which is suddenly looking a lot less likely to get cracked. And “big+cat” might become “big%cat”. Both of those, of course, are still bad passwords.)

The goal is to mix-and-match from those sorts of things, in whatever order you see fit. You shouldn’t see this as a list of the steps to take, but as sources of inspiration for various ways to “mess up” the base ‘phrase’ of your password, making it astronomically more difficult to guess.

The end product might be something like “N2zyy&&xst29))”, which isn’t a bad password: it’s long, and, best of all, it looks like total gibberish, mixing in a fair amount of unlikely characters. (The caveat is that the strength comes from the changes being ones a cracker’s rule list doesn’t already try. Swapping a single letter for a digit, or tacking a “1” on the end, buys you almost nothing, as noted above.)
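To make the staged search from “How Passwords are Cracked” and the arithmetic from “What Are the Odds?” concrete, here is an added example in Python (not code from the original post). It is a toy cracker that tries a short common-password list, then a dictionary, then the same kinds of mangling rules listed above (case changes, l33t, appended digits, two words joined with a separator), and only then brute force, counting guesses as it goes; it also carries the 75-symbol keyspace calculation through for an online guessing rate and an offline one. The lists and sample passwords are constructed stand-ins, and MD5 is used only because the post mentions it later, not because any particular site uses it.

```python
import hashlib
import itertools
import string

# Constructed stand-ins for the real lists (which run to thousands of
# entries); they are enough to show the order in which a cracker works.
COMMON_PASSWORDS = ["", "password", "123456", "qwerty", "asdf", "abc123", "monkey", "letmein"]
DICTIONARY = ["apple", "big", "cat", "doorjam", "dragon", "summer"]

# 75 symbols, the size the text assumes: 52 letters, 10 digits and
# 13 punctuation characters.
ALPHABET = string.ascii_letters + string.digits + "+&_:!@#$%^*()"

LEET = str.maketrans("aeio", "4310")   # the "p4ssw0rd" substitution


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def mangled(word):
    """The cheap transformations a rule-based cracker applies to every word
    on its lists: capitalisation, l33t, and the usual appended suffixes."""
    seen = set()
    for base in (word, word.capitalize(), word.upper(),
                 word.translate(LEET), word.capitalize().translate(LEET)):
        for suffix in ("", "1", "!", "123", "2008"):
            candidate = base + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def word_pairs(words):
    """Two words joined the ways people usually join them ("big+cat")."""
    for a, b in itertools.permutations(words, 2):
        for sep in ("", "+", "_", "&", "-"):
            yield a + sep + b


def brute_force(max_len):
    """Every string over ALPHABET, shortest first, up to max_len characters."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(ALPHABET, repeat=n):
            yield "".join(combo)


def crack(target_hash, max_brute_len=3):
    """Try candidates in a cracker's order: the common list, the dictionary,
    rule-mangled words and word pairs, then exhaustive search (capped at
    max_brute_len characters so the demo finishes).  Returns
    (stage, password, guesses tried) or None if the budget runs out."""
    words = COMMON_PASSWORDS + DICTIONARY
    stages = [
        ("common", iter(COMMON_PASSWORDS)),
        ("dictionary", iter(DICTIONARY)),
        ("rules", itertools.chain(*(mangled(w) for w in words), word_pairs(words))),
        ("brute-force", brute_force(max_brute_len)),
    ]
    guesses = 0
    for stage, candidates in stages:
        for candidate in candidates:
            guesses += 1
            if md5_hex(candidate) == target_hash:
                return stage, candidate, guesses
    return None


def keyspace(length, symbols=len(ALPHABET)):
    """Number of distinct passwords of exactly `length` characters."""
    return symbols ** length


def seconds_to_exhaust(length, guesses_per_second, symbols=len(ALPHABET)):
    """Worst-case time to try every password of that length; on average the
    right one turns up after half of them."""
    return keyspace(length, symbols) / guesses_per_second


if __name__ == "__main__":
    for pw in ["password", "doorjam", "p4ssw0rd", "big+cat", "c&7", "N2zyy&&xst29))"]:
        print(f"{pw!r}: {crack(md5_hex(pw))}")
    for n in (6, 8, 10):
        online = seconds_to_exhaust(n, 1e4) / 86400      # guesses over the network
        offline = seconds_to_exhaust(n, 1e10) / 86400    # against a stolen hash file
        print(f"{n} chars: {keyspace(n):.3g} possibilities, "
              f"{online:.3g} days at 10k/s, {offline:.3g} days at 10 billion/s")
```

The interesting part is the `rules` stage: “p4ssw0rd” and “big+cat” fall there after a few dozen guesses, long before the brute-force stage that “N2zyy&&xst29))” would force a cracker into. The brute-force cap of three characters is only so the demonstration finishes; the `keyspace` figures show how quickly that stage stops being practical as the length grows.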

And although it doesn’t look it, it’s easy to remember. That’s because you’re not remembering that weird string of characters itself. You’re remembering “n1zyy” and “xts3000” (which, if you were the one making the password, were things you already remembered), but with some simple changes made: they’re combined with a && (anything but a “+”), and then with a few changes: Upper-case the “N,” change the 1 to a 2, “xts” becomes “xst,” 3000 becomes 2900, and you hold down Shift for the last two characters, making 2900 “29))”.

You might have to “think it through” the first few times, but if you’re like me, after a couple times, muscle memory takes over, and you’re typing the password without even thinking about it. It’s actually possible to get to a point where you don’t “know” your password: it’s something your fingers can type, but if someone asked you, you really couldn’t answer without typing it out. You might never consciously remember, character-for-character, that your password is “N2zyy&&xst29))” but you’d use it many times a day without even having to think.

One quick note: make sure you don’t incorporate things you type every day into your password. Putting aside all the other reasons that “bl0gs” would be an awful password, it’s especially bad for me, because whenever I try to write something about the blogs, I’m liable to type “bl0gs” instead, inadvertently showing my password to everyone. I made a mistake of this sort with a previous password, loosely based on a common word. The “o” and “0” are next to each other, so maybe “bl0gs” is a conceivable typo. But if you make a strange error in typing a common word more than a couple times, it doesn’t take much to deduce that it’s probably a password to something.

Writing Your Password Down

It seems like anyone who knows anything about security will tell you that writing your password down is the worst thing you can do. Here, I tend to swim against the current: the odds of someone finding and using my password that I write down are very slim, but the odds of me forgetting the deliberately-complicated password I just came up with are very high. Obvious exceptions apply if you’re in a position where you need a really strong password: I’d really hope that top military leaders don’t take my advice to write their password down, and if you work right next to other people who you don’t trust, writing down your password is bad, too. But for most people, it’s really not a bad idea.

Of course, don’t do anything foolish. Security experts go crazy at the number of people who have their password on a Post-it note on their monitor. (Putting it on the bottom of your keyboard is more clever, but it’s kind of like using the fake book as a safe: it might make you feel good, but it’s not going to fool anyone with the least bit of experience.) When I’d just come up with a strong password I worried I’d forget, I wrote it down and stuck it in my wallet. I’m quite protective of my wallet, and if someone got my wallet, I had enough problems anyway.

The other important bit with writing your password down is to be vague. If you snatched my wallet and saw “N2zyy&&xst29))” written inside, you might assume it’s a password. But to what? Make sure they’re left wondering: giving in and writing “www.bank.com – Account 1234567” is just begging to have your account compromised. But the password on its own is relatively meaningless. (Unless, of course, it goes to a bank account listed on another card in your wallet, or something of that sort.)

So if you’re worried you’ll forget it, write your password down. Just make sure you’re not dumb about it, and that you don’t forget about it: once you no longer need it, rip it up and throw it out.

Use a Really Good Password for E-mail

A lot of us assume that no one wants to read our e-mail. But protecting your e-mail is actually super-important. There are lots of ‘little’ reasons: they could “harvest” lots of e-mail addresses to spam (or to try to break into); you probably have some financial data in there; you might have login information sitting in there; they could send spam from your account…

But there’s one really big reason. Practically everything these days uses your e-mail address to validate your identity. Forgot your password and need it reset? They’ll send you an e-mail to confirm that it’s really you. Lost the PIN or password to some other account? Usually recovered via e-mail too. If someone can get into your e-mail, then, they can “take over” almost any of your accounts. They can go to a site where you have an account, plug in your e-mail address, and request that the password be reset. It’ll be sent to you, but they’ll be in your mailbox, act on the e-mail, and promptly delete it. You’ll probably be none the wiser until you can’t log in anywhere, and the password reset e-mails don’t come. (Because, after hijacking the accounts, they changed the e-mail. You were sent a confirmation e-mail about that, too, but they confirmed it and then deleted that e-mail.)

Don’t Trust Websites

(Short version: Speaking as a webmaster, it’s disconcertingly easy for people running websites where you have to log in to see your password. For important accounts, have a password that’s used only for that account.)

Simply put, whenever you log into a website, the site receives your password “in the clear”: the server has to see the actual password in order to check it. (If you use a “secure” HTTPS site, all it means is that the communications between your browser and their webserver are encrypted in transit. It doesn’t mean that the people running the webserver can be trusted, nor that they’re going to store your password in a safe manner.)

Most good sites don’t store your password, but instead a one-way hash of it. The passwords used on the blogs, for example, aren’t capable of being decrypted.

But you should take absolutely no comfort in that. (For one thing, lots of websites don’t do this, and store your password in the clear.) When you go to log in, even at a site that does things the right way, you send your password to the webserver. The code runs it through a hash function (MD5, in a lot of older web code) and checks whether the result matches the hash in the database. But nothing stops an unscrupulous webmaster from changing the code to log the password before it’s hashed. (Or an unscrupulous “man in the middle” from snooping the password off the network, unless you’re using HTTPS/SSL.) Or anyone with access to the site’s user database could brute-force the hashes, just as I wrote so much about earlier, and far faster than over the network, since MD5 was built for speed. They might not even have to do that: there are huge databases online of MD5 hashes and the corresponding passwords. That is why a site that does things right also mixes a random per-user “salt” into each hash and uses a deliberately slow function, so a precomputed table is worthless against it. (Warning: don’t submit your password to one of those lookup sites to “see” if it’s there, as you’ll most likely add it to the database!)
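An added example, not the post’s own code, of the two storage choices just described: an unsalted MD5 is reversed by a one-time table lookup, while a random per-user salt plus a deliberately slow hash (PBKDF2-HMAC-SHA256 from Python’s standard library, an assumption standing in for whatever a given site uses) forces the attacker back to guessing one account at a time. The wordlist and the sample passwords are constructed, not real data.

```python
import hashlib
import hmac
import secrets

# Constructed wordlist; the real online "MD5 databases" hold hundreds of millions.
WORDLIST = ["password", "qwerty", "monkey", "doorjam", "abc123"]


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def store_unsalted(password):
    """What the text describes: the bare MD5 of the password goes in the database."""
    return md5_hex(password)


def build_lookup_table(words):
    """Precompute hash -> plaintext once; this is all an online MD5 'database' is."""
    return {md5_hex(w): w for w in words}


def recover_unsalted(stored, table):
    """Reversing an unsalted hash costs one dictionary lookup per user."""
    return table.get(stored)


ITERATIONS = 100_000   # assumption: tuned so one check takes tens of milliseconds


def store_salted(password):
    """Random 16-byte salt per user, then PBKDF2-HMAC-SHA256.  The salt and the
    iteration count are stored next to the hash; they are not secrets."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_salted(password, record):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    # constant-time comparison, so the check itself leaks nothing about the hash
    return hmac.compare_digest(digest.hex(), record["hash"])


def recover_salted(record, words):
    """No precomputed table helps here: every candidate has to be rehashed with
    this user's salt, so the attacker pays ITERATIONS hashes per guess per user
    instead of a single lookup.  A weak password is still found, just slowly."""
    for word in words:
        if verify_salted(word, record):
            return word
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    for pw in ["monkey", "N2zyy&&xst29))"]:
        print(pw, "unsalted ->", recover_unsalted(store_unsalted(pw), table))
        print(pw, "salted   ->", recover_salted(store_salted(pw), WORDLIST))
```

Note what the salt does and does not do: two users who both chose “doorjam” get different records, and the attacker’s table is useless, but `recover_salted` still finds “qwerty”. Salting and slow hashing remove the precomputation shortcut and make each guess expensive; they don’t rescue a password that sits near the top of the list.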

Those of you with accounts here, your passwords are safe, and you can trust me. But you shouldn’t. Especially on other websites, you should essentially assume that the webmaster is able to see your password, and that the webmaster doesn’t know the first thing about keeping hackers from viewing the database, either. Because if you have lots of accounts online, it’s probably true of at least one of them.

This needn’t be a big deal, though. You can make the problem meaningless by using a different password everywhere. If you have a password that you only use on the blogs, and I ‘crack’ it, all I can do is log into the blogs as you. (And since I’m the administrator, that wouldn’t let me do anything I can’t already do.) Many people, though, use the same e-mail address, password, and username everywhere. Those people are setting themselves up for big trouble.

What I do isn’t perfect, but it’s an improvement. I have a set of nice, strong passwords I use at important places. My passwords for PayPal and my bank are things no one would ever guess, and that would take a good computer years to guess. But I also have one ‘garbage’ password that I use at multiple places. I’m at risk in a way: if any of those site admins figure out my password, it wouldn’t be too hard for them to log into other sites using the same credentials. But for sites that are important (here, my bank, school, etc.), I generate a unique password. My password on some forums will get you into my Digg account and my Youtube account, but it most certainly won’t get you root on my server, or let you into my bank account.

Geek

I came across a reference to cable modems speaking SNMP, and thought it’d be neat to have something like Cacti query my cable modem periodically to see bandwidth usage.

Comcast, though, blocks SNMP access. I initially thought this was pretty cheap, but it turns out that it’s for good reason: while I’ve always thought of SNMP as a read-only way to see bandwidth usage, it can also set values, and that’s how much of the modem’s configuration is done. So they don’t really ‘block’ SNMP so much as hide it from customers. From what I’ve read, they set a random ‘community’ string known only to them (and to anyone who can read the config files the cable modems pull down at boot), and further limit access to certain IP ranges.

But in the course of scanning for SNMP devices on my network, I did get a hit, from an unlikely source. It seems that our network printer, a consumer-grade inkjet with an Ethernet port, has an onboard webserver and an SNMP server.

HP doesn’t seem to publish a vendor-specific MIB for the OfficeJets, but most of what the printer returns lives under mib-2.43, which is the standard Printer MIB (RFC 1759), so a good deal of it can be decoded without guessing. I’ve put the output of an snmpwalk up on my webserver for anyone curious. Some potentially valuable data:

  • mib-2.43.5.1.1.2.1 = INTEGER: 1
  • mib-2.43.5.1.1.3.1 = INTEGER: 3
  • mib-2.43.10.2.1.4.1.1 = Counter32: 8244
  • mib-2.43.10.2.1.4.1.2 = Counter32: 8244
  • mib-2.43.10.2.1.5.1.1 = Counter32: 275
  • mib-2.43.10.2.1.5.1.2 = Counter32: 275
  • mib-2.43.10.2.1.6.1.1 = INTEGER: 1
  • mib-2.43.10.2.1.6.1.2 = INTEGER: 3

8244 is the printer’s page count: mib-2.43.10.2.1.4 is prtMarkerLifeCount, and the two rows (.1.1 and .1.2) are the printer’s two ‘markers’, the black and tri-color print heads, which share one lifetime counter. The 275 in the next column is prtMarkerPowerOnCount, pages printed since the printer was last powered on, and the 1 and 3 after that are prtMarkerProcessColorants: one colorant on the black marker, three on the tri-color one.

The web interface shows black and color cartridge ink levels; we’re at 1 out of 10 ‘bars’ on black, and 3 out of 10 ‘bars’ on color, so the 1 and 3 sitting next to each other at mib-2.43.5.1.1.2.1 and .3.1 look tempting. It’s a coincidence, though: those two are prtGeneralCurrentLocalization (which row of the localization table the printer is using) and prtGeneralReset, where 3 means notResetting. The latter is defined read-write, and writing other values to it asks the printer to reset or power-cycle, which is exactly why a writable community string on a networked printer is a problem rather than a curiosity.

Actually, these strings may be a further clue:

  • mib-2.43.11.1.1.6.1.1 = STRING: “black ink cartridge”
  • mib-2.43.11.1.1.6.1.2 = STRING: “tri-color ink cartridge”
  • mib-2.43.11.1.1.6.1.4 = STRING: “ink blotter”

Those strings are prtMarkerSuppliesDescription, column 6 of the Printer MIB’s supplies table (mib-2.43.11.1.1), with supply 1 the black cartridge, 2 the tri-color one, and 4 the blotter. The other columns of that table, indexed by the same .1, .2, and .4, are what stand out all in a row:

mib-2.43.11.1.1.2.1.1 = INTEGER: 1
mib-2.43.11.1.1.2.1.2 = INTEGER: 2
mib-2.43.11.1.1.2.1.4 = INTEGER: 2

mib-2.43.11.1.1.3.1.1 = INTEGER: 0
mib-2.43.11.1.1.3.1.2 = INTEGER: 0
mib-2.43.11.1.1.3.1.4 = INTEGER: 0

mib-2.43.11.1.1.4.1.1 = INTEGER: 3
mib-2.43.11.1.1.4.1.2 = INTEGER: 3
mib-2.43.11.1.1.4.1.4 = INTEGER: 4

mib-2.43.11.1.1.5.1.1 = INTEGER: 5
mib-2.43.11.1.1.5.1.2 = INTEGER: 5
mib-2.43.11.1.1.5.1.4 = INTEGER: 1

mib-2.43.11.1.1.6.1.1 = STRING: "black ink cartridge"
mib-2.43.11.1.1.6.1.2 = STRING: "tri-color ink cartridge"
mib-2.43.11.1.1.6.1.4 = STRING: "ink blotter"

mib-2.43.11.1.1.7.1.1 = INTEGER: 15
mib-2.43.11.1.1.7.1.2 = INTEGER: 15
mib-2.43.11.1.1.7.1.4 = INTEGER: 7

mib-2.43.11.1.1.8.1.1 = INTEGER: -2
mib-2.43.11.1.1.8.1.2 = INTEGER: -2
mib-2.43.11.1.1.8.1.4 = INTEGER: -2

mib-2.43.11.1.1.9.1.1 = INTEGER: 0
mib-2.43.11.1.1.9.1.2 = INTEGER: 21
mib-2.43.11.1.1.9.1.4 = INTEGER: 144

Reading across the columns of the supplies table: column 2 is which marker (print head) the supply feeds, column 3 the colorant index (0 meaning none listed), column 4 the class (3 is a supply that gets used up, 4 a receptacle that fills up), column 5 the type (5 is ink, 1 is ‘other’), column 7 the unit the level is measured in (15 is tenths of a millilitre, 7 is impressions), column 8 the maximum capacity (-2 means unknown), and column 9 the current level. So the black cartridge reports 0 and the color cartridge 21 tenths of a millilitre, against a maximum the printer won’t state, and the blotter has soaked up 144 impressions’ worth of waste ink. How the web GUI turns that into ten bars when the MIB reports no maximum is still anyone’s guess.

Our ‘firmware’ version is listed in the web GUI as RL9002xNx, which comes up repeatedly, once per row of the interpreter table (mib-2.43.15, one row per page-description language the printer accepts; column 4 is prtInterpreterLangVersion and column 6 is prtInterpreterVersion):

mib-2.43.15.1.1.4.1.1 = STRING: "RL9002xNx"
mib-2.43.15.1.1.4.1.2 = STRING: "RL9002xNx"
mib-2.43.15.1.1.4.1.3 = STRING: "RL9002xNx"
mib-2.43.15.1.1.4.1.4 = STRING: "RL9002xNx"
mib-2.43.15.1.1.6.1.1 = STRING: "RL9002xNx"
mib-2.43.15.1.1.6.1.2 = STRING: "RL9002xNx"
mib-2.43.15.1.1.6.1.3 = STRING: "RL9002xNx"
mib-2.43.15.1.1.6.1.4 = STRING: "RL9002xNx"

I do hope to do some diff’s over time and see what changes, in the hopes of figuring out what some more of these go to…
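Since it’s all standard Printer MIB, the walk can be decoded by script rather than by eye. The following is an added example, not the original post’s code: a small parser for snmpwalk output that maps the OID columns seen above to their RFC 1759 names and enumerations, and groups the supplies table by row. The sample input is constructed from the values quoted above (straight quotes, same numbers); the OID-to-name table covers only the columns that appear in this walk.

```python
import re

# Columns of the Printer MIB (RFC 1759) seen in the walk above, keyed by the
# OID prefix (under mib-2, i.e. 1.3.6.1.2.1) that precedes each row's index.
COLUMNS = {
    "43.5.1.1.2": "prtGeneralCurrentLocalization",
    "43.5.1.1.3": "prtGeneralReset",
    "43.10.2.1.4": "prtMarkerLifeCount",
    "43.10.2.1.5": "prtMarkerPowerOnCount",
    "43.10.2.1.6": "prtMarkerProcessColorants",
    "43.11.1.1.2": "prtMarkerSuppliesMarkerIndex",
    "43.11.1.1.3": "prtMarkerSuppliesColorantIndex",
    "43.11.1.1.4": "prtMarkerSuppliesClass",
    "43.11.1.1.5": "prtMarkerSuppliesType",
    "43.11.1.1.6": "prtMarkerSuppliesDescription",
    "43.11.1.1.7": "prtMarkerSuppliesSupplyUnit",
    "43.11.1.1.8": "prtMarkerSuppliesMaxCapacity",
    "43.11.1.1.9": "prtMarkerSuppliesLevel",
    "43.15.1.1.4": "prtInterpreterLangVersion",
    "43.15.1.1.6": "prtInterpreterVersion",
}

# Enumerated values from the same RFC (only the ones relevant to this walk).
ENUMS = {
    "prtGeneralReset": {3: "notResetting", 4: "powerCycleReset",
                        5: "resetToNVRAM", 6: "resetToFactoryDefaults"},
    "prtMarkerSuppliesClass": {1: "other", 3: "supplyThatIsConsumed",
                               4: "receptacleThatIsFilled"},
    "prtMarkerSuppliesType": {1: "other", 2: "unknown", 3: "toner", 5: "ink",
                              6: "inkCartridge", 8: "wasteInk"},
    "prtMarkerSuppliesSupplyUnit": {7: "impressions", 8: "sheets",
                                    15: "tenthsOfMilliliters", 19: "percent"},
    "prtMarkerSuppliesMaxCapacity": {-1: "other", -2: "unknown"},
    "prtMarkerSuppliesLevel": {-1: "other", -2: "unknown", -3: "someRemaining"},
}

LINE = re.compile(r"^mib-2\.(?P<oid>[\d.]+) = (?P<kind>\w+): (?P<raw>.*)$")


def parse_walk(text):
    """Turn snmpwalk lines into (column name, row index, decoded value) tuples.
    Rows whose column is not in COLUMNS come back as ('unknown', oid, raw)."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        oid, kind, raw = m.group("oid", "kind", "raw")
        for prefix, name in COLUMNS.items():
            if oid.startswith(prefix + "."):
                index = oid[len(prefix) + 1:]
                break
        else:
            rows.append(("unknown", oid, raw))
            continue
        if kind in ("INTEGER", "Counter32", "Gauge32"):
            value = int(raw)
            value = ENUMS.get(name, {}).get(value, value)
        else:
            value = raw.strip('"')
        rows.append((name, index, value))
    return rows


def supplies(rows):
    """Group the prtMarkerSupplies columns by row index (hrDeviceIndex.suppliesIndex)."""
    table = {}
    for name, index, value in rows:
        if name.startswith("prtMarkerSupplies"):
            table.setdefault(index, {})[name[len("prtMarkerSupplies"):]] = value
    return table


# Constructed from the values quoted above.
SAMPLE_WALK = """\
mib-2.43.5.1.1.2.1 = INTEGER: 1
mib-2.43.5.1.1.3.1 = INTEGER: 3
mib-2.43.10.2.1.4.1.1 = Counter32: 8244
mib-2.43.10.2.1.4.1.2 = Counter32: 8244
mib-2.43.10.2.1.5.1.1 = Counter32: 275
mib-2.43.10.2.1.5.1.2 = Counter32: 275
mib-2.43.10.2.1.6.1.1 = INTEGER: 1
mib-2.43.10.2.1.6.1.2 = INTEGER: 3
mib-2.43.11.1.1.2.1.1 = INTEGER: 1
mib-2.43.11.1.1.2.1.2 = INTEGER: 2
mib-2.43.11.1.1.2.1.4 = INTEGER: 2
mib-2.43.11.1.1.4.1.1 = INTEGER: 3
mib-2.43.11.1.1.4.1.2 = INTEGER: 3
mib-2.43.11.1.1.4.1.4 = INTEGER: 4
mib-2.43.11.1.1.5.1.1 = INTEGER: 5
mib-2.43.11.1.1.5.1.2 = INTEGER: 5
mib-2.43.11.1.1.5.1.4 = INTEGER: 1
mib-2.43.11.1.1.6.1.1 = STRING: "black ink cartridge"
mib-2.43.11.1.1.6.1.2 = STRING: "tri-color ink cartridge"
mib-2.43.11.1.1.6.1.4 = STRING: "ink blotter"
mib-2.43.11.1.1.7.1.1 = INTEGER: 15
mib-2.43.11.1.1.7.1.2 = INTEGER: 15
mib-2.43.11.1.1.7.1.4 = INTEGER: 7
mib-2.43.11.1.1.8.1.1 = INTEGER: -2
mib-2.43.11.1.1.8.1.2 = INTEGER: -2
mib-2.43.11.1.1.8.1.4 = INTEGER: -2
mib-2.43.11.1.1.9.1.1 = INTEGER: 0
mib-2.43.11.1.1.9.1.2 = INTEGER: 21
mib-2.43.11.1.1.9.1.4 = INTEGER: 144
mib-2.43.15.1.1.6.1.1 = STRING: "RL9002xNx"
"""

if __name__ == "__main__":
    for name, index, value in parse_walk(SAMPLE_WALK):
        print(f"{name}.{index} = {value}")
    for index, s in supplies(parse_walk(SAMPLE_WALK)).items():
        print(f"supply {index}: {s['Description']}: level {s['Level']} "
              f"{s['SupplyUnit']}, max {s['MaxCapacity']}")
```

Feed it a real walk (piped from `snmpwalk` into a file) and anything it can’t name comes back tagged `unknown`, which makes the diffing-over-time idea easier: the named rows are known quantities, and only the leftover OIDs need watching.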

Georgia

Russia’s invasion of Georgia has been hitting the news, but not getting an awful lot of attention.

Much of the attention it has received has been the result of some Americans apparently not realizing that Georgia is a country that happens to share its name with a US state, leading to a handful of people expecting to see tanks in Atlanta [warning: big 1920×1200 PNG image]. (I suspect that question may have been in jest, but it really isn’t out of line for Yahoo’s questions site.)

Oh, and there’s the occasional map mixup.

BTW, Georgia (country)’s location reminds me of an old pet peeve: Europe and Asia are the same freakin’ continent.

Merrimack’s Dam Cam

I never really gave it much thought, but there’s a big dam in Merrimack, next to our central fire station, on the Souhegan River.

But it apparently needed a lot of work, people realized that it serves no real purpose, and then agencies like NOAA (which I frequently forget is the National Oceanic and Atmospheric Administration) pointed out that, from an ecological standpoint, it was doing more harm than good, by keeping fish from swimming upstream and the like.

So instead of spending the money to repair it, it was decided to take it out.

Of course, this would be a really boring blog post if that was all. But they set up a webcam trained on the dam. Unlike normal 640×480 ‘video’ feeds, this one is a decent camera (Canon PowerShot, from the EXIF data), snapping a photo every 15 minutes. (Jump from, say, August 1st to today to see the difference.) And in between, you can see the work being done. (And then start the slideshow!)

Presidents and Technology

Lifehacker had a poll up, asking what sort of technological knowledge we expect from our President.

One commenter argued that it’s preposterous to expect a President who’s good with computers, asking whether we also expect them to do open-heart surgery or to be able to rebuild engines.

They accidentally made my point for me, though. I don’t want a President who understands why I’m excited about SSD, or a President who’s a hardcore C++ programmer. I don’t want a President who’s a surgeon, or a President who is an auto mechanic. Nothing against any of those people (especially programmers!), but their time honing their skills to become experts in those fields probably leaves them lacking political experience.

The car analogy, incidentally, is perfect. I don’t expect the President to rebuild engines. But I’d like a President who knows what cars are, and who understands highways. I’d like a President who owns a car, and who knows how to drive. I’d prefer that he can even pump gas. It’d be cool if he knew how to do an oil change or fix a flat, but it’s no big deal if he doesn’t.

I think it’s the same with computers. I don’t need, or even want, really, a hardcore geek as a President. But I think technology is too important to say that the President doesn’t need any technological experience. I want our next President to be computer literate, and to own a computer. I really think the Oval Office is overdue for technology. Imagine weekly podcasts (a “virtual fireside chat,” if you will) from the President, or a President’s blog. The Internet has the power to bring overwhelming transparency to Washington, and I think it’s high time for that. Presidents have advisors, true, and I wouldn’t want the President to directly head up these initiatives. But, in the year 2008, I think we need a President who’s computer literate.

Of course, I think anyone raising this question is being somewhat disingenuous. McCain was asked a while ago, “PC or Mac,” and laughingly said that he was computer illiterate. Obama carries a Blackberry and runs a campaign website with a thriving ‘social media’ aspect. I’m not necessarily saying John McCain should be dismissed because he’s computer illiterate, but that it’s high time he explored “the Interwebs” and joined us in the 21st century.

About Time

I tend to use Google News as my primary source of nationwide news these days. It aggregates thousands of news stories automatically, and is good at making sure I see a ‘blend’ of things, versus getting my news from one source.

It has one strange bug, though: its algorithm for truncating long news titles makes no sense. Sometimes it truncates an article title way too early. Consider the above, for example. I chuckled that the WSJ would publish an article whose title underhandedly mocks Youtube for not having anything worthwhile.

Except that this isn’t the case. The article is entitled “YouTube to Offer Some Content From China’s Olympic Games,” but it got split up across two lines, so Google News only took the first one.

That said, I’d rather watch half the stuff on Youtube than the Olympics. But I’m a grumpy curmudgeon about the Olympics.

Unreasonably Much Information about Batteries

A few things I’ve learned about batteries lately:

  • Rechargeable AA’s are 1.2V, whereas normal alkaline AA’s are 1.5V. I didn’t believe this at first, but it’s usually printed right on the battery (in unreasonably small print). Where this generally matters is things that take many batteries (in my radio that takes 4, it’s the difference between 4.8V and 6V, for example), although most things will work just fine. (The rechargeables often have much higher capacities, though, so it works out… Unless you get something that’s very nitpicky about voltage.)
  • Almost all “normal” alkaline batteries: AA’s, AAA’s, C’s, and D’s, are 1.5V. The typical capacity of a AA is somewhere around 1,000-2,000 mAh, but did you know D-cells are often around 15,000 mAh? (Which is 15 Amps if I’m not mistaken, which means it’s got about 25WH of juice.)
  • As a consequence of the above, as far as voltage is concerned, you can use a AAA where a D is called for, or a D where a AA is called for, and they’re all the same voltage. It’s just that, as the batteries get bigger, they last a lot longer. (And good luck sticking four D-cells into your camera so it lasts longer…)
  • “Digital” devices will stop working below a certain voltage, which is usually before the battery is fully drained. Unlike a flashlight, which will just get dimmer and dimmer as the battery drains, electronics (think of cameras, for example) will continue working until there’s insufficient voltage, at which point they shut down. Thus the “dead” batteries from a camera (etc.) may continue to work in other things, like a remote control or a flashlight, though the flashlight would, of course, be dimmer than usual, since the batteries you put in would be low.
  • It’s possible to recharge alkaline batteries if they’re not completely flat. But don’t try this at home (unless you have a charger built for it, described below, or a desire to have boiling battery acid in your eyes): alkaline batteries were never meant to be recharged, so ordinary battery chargers will cause the batteries to overheat, ooze acid, or just flat-out blow up. But if you get a charger specially designed to recharge non-rechargeable batteries, it can be done!
  • There’s a AAAA battery, and it’s exactly what you think it is. The AAA is a smaller version of the AA, and consequently doesn’t hold as much of a charge; the AAAA, then, is a smaller AAA which holds less of a charge. You probably haven’t seen many AAAAs, but that doesn’t mean they’re rare. That’s because…
  • 9V batteries are just 6 AAAAs in series. (That said, cut batteries open at your own risk!)
  • Your 12V car battery should actually be around 12.6V; a true 12V indicates that it’s largely drained. (Your car’s alternator should recharge the battery by providing ~13.8V when the car is running.)
  • There’s a lot of information out there about “memory effects” and such, and thus all sorts of confusing, contradictory information about recharging batteries. NiCd (Nickel-Cadmium) batteries suffered from a strong memory effect: if you routinely recharged them before they were completely drained, you would drastically decrease the charge the battery could hold. NiMH (Nickel metal hydride) batteries reduced this effect, and LiIons (Lithium Ion) eliminate it. Thus “topping off” most newer batteries isn’t in and of itself a bad thing. However…
  • Batteries still have a limited “charge cycle,” the number of times you can recharge them. Thus recharging your battery any time it dips below 95% charge is going to wear it out prematurely. Where this really matters is laptop batteries: you charge your battery fully, unplug and shut down to bring your laptop to a meeting, and then plug in there. This is murder on the battery. Some laptop battery systems are “smart” about this and will simply not bother charging a basically-full battery, but as a general rule, if you’re discharging a battery, don’t recharge it until it starts to get low…

Edit: An alkaline battery, being, well, alkaline, won’t actually leak acid, but potassium hydroxide.

Ancient Chinese Proverb

It is better to do something average than to wait until it is too late to do something spectacular.

I actually made that up, and I don’t mean to imply that you should aim for mediocrity. It’s certainly best to try to always do something spectacular. But sometimes I find myself spending forever trying to get something “just right,” before I realize that whatever I’m working on is losing relevance.

I can’t remember the source, but someone once told me that a book is never finished, but that the publisher eventually forces the author to send it to the presses.

Work towards something spectacular, but don’t lose sight of the fact that something spectacular that never gets released is, essentially, nothing at all.

The Hidden Bottleneck of Computers

This actually isn’t hidden at all, but I spent a while earlier on Amazon looking at various non-fiction books, and they all have dramatic titles like that.

You’re going to buy a computer, and you want something good. These are the factors I think most people look at:

  • Processor: number of cores, speed (in GHz) of processor
  • RAM: amount thereof (in GB these days)
  • Hard drive: capacity (in GB) of the disk
  • Screen size (primarily for laptops)

For what I do, processor speed is rarely a bottleneck. Obviously this isn’t true for everyone, but if you’re a normal computer user who does word processing, spreadsheets, e-mail, and web browsing, any new PC is going to have a good enough processor for you.

As far as RAM goes, although there are lots of technical specs like bus speed and CAS latencies, consider RAM a commodity. (Except that RAM from one computer might not work in another.) Short of literally broken RAM, there’s no such thing as “good RAM” and “bad RAM.” You just want a lot of it. I wouldn’t buy a computer with less than 2 GB. You can get by with 1 GB. I find 2 GB to be plenty. I see 3 GB a lot. 4 GB is the maximum most ‘normal’ (32-bit, Windows) machines can take, and there are apparently some issues that keep Windows from seeing more than 3.5 GB or so. So aim for 2-4 GB.

Screens: my advice would be to just try it. Screen size only tells you the physical size; what really matters is the resolution. But you also have to wonder about brightness, contrast ratios, refresh rates… The easiest thing to do is play with the computer in the store and see what you think.

Hard drives, though, are what led me to create this post. Most people seem to just look at the capacity: a 100 GB hard drive is better than a 40GB hard drive. Indeed, it holds more, and you need to make sure you get a capacity that’ll work for you. But what I’m increasingly noticing is that no one pays attention to what I think is a more important metric: how fast the hard drive is. In my experience, my hard drive is almost always the bottleneck. Computer takes a while to boot? That’s because it’s reading everything off of the hard drive. Programs slow to load? Waiting on the hard disk! There are a lot of scary metrics you can look at with hard drives, but I’m going to suggest that there’s really only one that matters for most consumer machines: RPM. Depending on who you ask, it’s either Revolutions or Rotations Per Minute, and it’s basically “how fast the disk spins.” Much like a CD (or a vinyl record, which people might be more familiar with actually seeing move), your hard drive consists of several “platters” with information stored in circles around them. (Very oversimplified.) To read or write data, the disk is spun around, and the “head” will read the data. Thus it stands to reason that you want that disk spinning as fast as it can.

For a laptop, the range is generally 4200 to 7200 RPM, though I’ve heard of 3600 RPM drives in the past. Pay a little more if you have to, but get a 7200 RPM disk. You’ll be alright with a 5400 RPM disk, too. But don’t take a 4200 RPM disk, even if it’s a great deal. You’re going to feel the effects every single time you use your computer. A higher RPM means data will be accessed more quickly, which means your files will save faster, programs will launch more quickly, and your computer will take less time to boot. Higher-capacity hard drives often run at the lower end of the spectrum, though it needn’t be that way. But is a 200GB laptop hard drive really any good if the computer’s always going to be miserably slow?

So 7200 RPM is what you want for a laptop, but 5400 RPM might be acceptable. If you’re buying a desktop, though, you can do better. 10K RPM drives exist, though they’re currently very expensive and rare. (10K RPM, and even 15K RPM, drives are commonplace in high-end servers, but tend to be extremely expensive and use SCSI/SAS connectors that your home machine almost certainly doesn’t have.) But 7200 RPM drives are very common on desktops, more so than on laptops. So if you’re buying a desktop, a 5400 RPM drive should be considered bottom-of-the-barrel.

I’m not saying that the speed of the hard drive should be the only thing you look at. Of course you want a laptop with a nice screen, and you want good software pre-installed, and all that. And I really can’t stress enough how awesome having a lot of RAM is. But if you’re in the market for a new machine, you owe it to yourself to investigate disk speed, because it will make a noticeable difference in your everyday computer usage.