Passwords..

With the recent spate of attacks by LulzSec and Anonymous and the subsequent password leaks, keeping your passwords safe and secure has become an extremely important part of doing anything online. Passwords protect any and all information you put online, and hence are extremely important for ensuring that only you are allowed to access and change that information. Of course we know this! And now we also know that we can’t trust big players like Sony, and even some national agencies, to do just that. Whatever the reasons might be, it seems mighty easy to allow access to your password database (and sometimes even to store plain-text passwords there). So, finally, the responsibility of keeping our passwords safe lies on us. But sadly, the lazy bums that we are, almost everyone I know has at least one vulnerability in their password generation and management schemes. Luckily for us (and thanks to the geeks) there are many simple ideas and tricks one can use to make your passwords much safer and more secure. Here are a few…

Secure Passwords?

1.  Stop reusing the same password on multiple websites.

This is the cardinal sin. Doing this ensures that if your password gets leaked by one website/service (like Sony, for example), then whoever gets your password can log into ALL your other accounts!!

So what can you do? Simple! Use a different password for each website. “Does that mean I have to remember as many passwords as I have gmail accounts?” Yes!! So stop registering more gmail accounts or start using a password manager. A simple and awesome way to do this is using SuperGenPass. This allows you to just have 1 (master) password but hashes it with the domain name to give you a different password for each website (that does mean it’s not useful if you want to have 10 gmail accounts either).
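A minimal sketch of the “one master password, hashed with the domain name” idea, added here as an illustration; it is not SuperGenPass’s own algorithm (which uses a different hash and encoding). It assumes HMAC-SHA256 as the hash, a 20-character output, and approximates a site’s registrable domain by its last two host labels:

```python
"""Illustrative per-site password derivation (added example, not SuperGenPass).
Assumptions: HMAC-SHA256, 20-character output, and the registrable domain
approximated by the last two host labels."""
import hashlib
import hmac
import string

# 64 symbols so that byte % 64 is unbiased (256 is a multiple of 64).
ALPHABET = string.ascii_letters + string.digits + "!#"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#")


def site_key(host: str) -> str:
    """Normalise the host so 'www.Example.com' and 'login.example.com' derive
    the same password. The two-label rule is a constructed approximation; a
    real tool needs the public-suffix list to handle e.g. 'example.co.uk'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def derive(master: str, host: str, length: int = 20) -> str:
    """Deterministic per-site password: HMAC-SHA256(master, site || counter)
    mapped onto ALPHABET. The counter is bumped until all four character
    classes appear, so the result also satisfies the post's 'all 4 types' rule.
    Caveat: the derivation is fast, so one leaked site password lets an
    attacker test master-password guesses offline; the master must itself be
    long and random (point #2 of the post)."""
    if not 4 <= length <= 32:
        raise ValueError("length must be between 4 and 32 for one SHA-256 block")
    key = master.encode("utf-8")
    site = site_key(host).encode("utf-8")
    for counter in range(256):
        digest = hmac.new(key, site + bytes([counter]), hashlib.sha256).digest()
        candidate = "".join(ALPHABET[b % 64] for b in digest[:length])
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate
    raise ValueError("no candidate with all four classes (practically unreachable)")


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    for host in ("www.Example.com", "login.example.com", "example.org"):
        print(f"{host:20} -> {derive(master, host)}")
```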

2. Use a strong password.

This is very critical. In the cases where your password is hashed when stored on the server (as it should be), the only way for an attacker to retrieve it is to do an ‘offline’ attack. There are two general ways of doing this: dictionary and brute force.

In a dictionary attack, a ‘dictionary’ of common passwords based on commonly used words and some modifications (using 1337 symbols, etc.) is used to generate the hashes. The hashes are then compared with your password hash. Hence, if you had been using one of the words in the ‘dictionary’, your password can be guessed this way. So it’s extremely important that you ensure you don’t use a dictionary word as your password (‘password’ is a great example of that). But don’t be fooled into thinking that ONLY words in an actual dictionary are used. There are many ways of generating lists of commonly (or not so commonly) used words: for example, crawling the internet, and doing all sorts of simple and complex modifications (like concatenation, substitution, reversing, capitalization, etc.). The weakness of this attack is that it only works when the password is based on some known word.

Strong Password?

The other type of attack is brute force. This technique just tries out all combinations. It only works when you have loads of time (hence only as an offline attack) and tonnes of computational power to do thousands/millions of hashes and comparisons every second to try out ALL combinations. So for a simple example, they can start trying out a,b,c,d,…, A,B,C,D,…, 1,2,3,4,…, aa,ab,ac,ad,… and so on and so forth. The exhaustiveness of this method means that ANY password can theoretically be guessed if given enough time. Now how much is enough? Steve Gibson of GRC fame made a great website about how long it will theoretically take to break a password. Play around with the tool and see how strong your password is. The more types of characters (lower case, UPPER CASE, numbers and symbols) you use, the stronger your password becomes. This is a result of the attacker needing to try out a lot more combinations for EVERY character.

The other way to strengthen your password is to increase its length. The longer the password, the more time (even trillions of years) it will take to crack, even with technology 100x faster than what we have today. The GRC password haystacks site shows this quite well.

So knowing how these two common attacks work, a good password should be both uncommon and long. There have been many ideas about this, but finally it boils down to this: your passwords need to be a combination of ALL 4 main types of characters (lower case, UPPER CASE, numbers and symbols), not based on a commonly used word, and really long (16-20 characters to say the least). A good way to have a password which is not based on any word is to use some kind of random character generation to produce a password with the 4 main types of characters in it.

But it’s hard to remember a 20 character password which is a random sequence of characters. So, there is another trick that Steve Gibson just came up with. While it’s important to have all 4 types of characters in the password, just one instance of each of the 4 types is enough to add all the strength you can get from the character types. Hence, having one of each of the 4 types and then the other 16 of a single type is good enough. This gives you the complexity of the 4 types and the length combined, for a strong password. Steve’s idea is to have a random 4 character sequence (one of each of the 4 types) and then add 16 letters around it. For example ‘aaaaaaaaaaaa4B(kaaaaaaaaaaaaaaaa’. This makes it long and complex, but much simpler to remember.
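The two arguments above worked as code, as an added example (not from the original post or from GRC’s Password Haystacks tool): search_space() follows the brute-force reasoning, where every character class present enlarges the alphabet tried at every position and every extra character multiplies the candidates, while dictionary_hit() follows the dictionary reasoning, where a mangled known word falls long before the search space matters. WORDLIST, UNLEET and the guess rate are constructed for illustration.

```python
"""Brute-force search space vs. dictionary reduction (added example)."""
import string

# The post's four character classes: lower case, UPPER CASE, numbers, symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Constructed: a handful of words any real cracking wordlist contains.
WORDLIST = {"password", "letmein", "qwerty", "monkey", "welcome"}

# Constructed: undo common '1337' substitutions (4->a, 3->e, 0->o, 1->l, ...).
UNLEET = str.maketrans("4301$@!5", "aeolsais")


def alphabet_size(password: str) -> int:
    """Sum of the sizes of every class that appears at least once. The attacker
    cannot know a class is absent, so a single '(' adds all 32 symbols."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def search_space(password: str) -> int:
    """Candidates an exhaustive search tries for lengths 1..len(password)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def time_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case seconds for an offline attack at the given rate (an
    assumption: the real rate depends on the hash function and hardware)."""
    return search_space(password) / guesses_per_second


def dictionary_hit(password: str, words=WORDLIST) -> bool:
    """True if the password reduces to a wordlist entry after the mangling the
    post mentions: capitalization, 1337 substitutions, appended digits or
    symbols, and reversal. A hit means the search-space figure is irrelevant."""
    base = password.lower()
    stripped = base.rstrip(string.digits + string.punctuation)
    candidates = {base, base.translate(UNLEET),
                  stripped, stripped.translate(UNLEET)}
    candidates |= {c[::-1] for c in list(candidates)}
    return any(c in words for c in candidates)


if __name__ == "__main__":
    RATE = 1e9  # constructed assumption: a billion hash guesses per second
    for pw in ("password", "P@ssw0rd1", "aaaaaaaaaaaa4B(kaaaaaaaaaaaaaaaa"):
        years = time_to_exhaust(pw, RATE) / (365 * 24 * 3600)
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, up to {years:.3g} years "
              f"to exhaust, dictionary hit: {dictionary_hit(pw)}")
```

Note that ‘P@ssw0rd1’ uses all four classes and still falls to the dictionary check, which is the point the post makes about mangled words.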

3. Manage your passwords properly.

If you’re one of those with an awesome memory and can remember each of your 20 character passwords (maybe you use Steve’s trick) then good for you. For the rest of us, we need something to remember our passwords for us. There are many tools (including some built into most browsers) to help us remember our passwords. Most rely on one single password (the master password) which you have to memorize and which in turn allows you to access a bank of the rest of your passwords. But don’t be fooled into thinking that just because you’re using a password bank, all your passwords are safe all the time. Points #1 and #2 above still apply here for ALL your passwords.

The important thing to consider when using such a tool is whether the tool itself is saving only the hash of your password and not the plain text. Getting such a password bank hacked into is 100x worse than just having a Google account hacked, as most of the time the bank also stores which websites the passwords are for. So it’s a sitting duck for the hackers. I personally love LastPass, and the beauty of this tool is that all the hashing and unhashing is done on the client side using the password as a key, hence even if LastPass gets hacked, you will only stand to lose the hashes of your passwords. And assuming you have followed point #2 you’ll be safe.

The other great thing about these tools is that most provide a way to generate good random passwords, and many plug into your browser so you don’t have to do much copy-pasting.

4. Change your passwords often.

This is also important. Many services force you to change your passwords every few months. That’s great. It stops many types of offline attacks: even if they are eventually able to find your password, it might have been changed by that time, as it can take loads of time to run dictionary attacks (as we have seen).

Some password management tools also have reminders to tell you to change your passwords regularly, which is really useful.

5. Use Multifactor Authentication (if possible).

Multifactor authentication uses an ‘out of channel’ message to verify the authenticity of the entity trying to log in. This has been done using small tokens which generate random numbers (with limited time validity) and are synced with the server. These numbers allow the ‘out of channel’ verification of authenticity. This has been common in the world of Internet banking, but recently other services have been using it as well. Most notably, Google has started offering 2-factor authentication using apps on your smartphone or SMS.

This system ensures that you are in possession of both the password and the device (token or smartphone) at that given moment in order to authenticate you. This adds another layer, and thus can’t be broken by any of the types of attacks discussed previously. But one has to be careful to carry his/her device with him/her all the time and not to lose it. Still, 2 factors are always better than 1.

So there you go, 5 tips and tricks to ensure your data is safe and secure on the Internet using passwords. Be sure to use them all and stay safe.

Object Orientation in MATLAB

In the world of scientific computing, MATLAB is pretty much a standard. There are of course many other tools, but MATLAB remains the major tool of choice for many engineering computations and especially signal processing type work. Since I am doing most of my work in acoustical modeling and signal processing, MATLAB is my tool of choice.

I remember when I first started using MATLAB back in the undergrad days. It took me hours to get what was going on. The syntax was confusing, the scripts were messy and there were too many ‘hacks’ (indexing and such). All this, of course, coming from a C programming background. It took me a few years before I was comfortable scripting in MATLAB.

When I started doing MATLAB once again for my Masters, I was happy to see the improvements in new MATLAB versions over the years: many new, simpler user interfaces, new toolkits, and improved commands. However, while thinking of how I could architect my research project, I wondered if there was a way to write object-oriented MATLAB code. While I knew this was against the fundamental model of what MATLAB was designed to do, and also would probably make the whole thing slower in execution, I still wanted to try it out.

So, both my projects have been designed in an object-oriented way, at least as much as I could. There are many small scripts, but the core of it is object oriented. Here are some advantages I found using object orientation in MATLAB.

1. Simple and intuitive code, especially for architecting the design.

2. A great way to encapsulate all properties of a single entity (in my case, a resonator) in a model. This allows quick access to the properties, especially for debugging.

3. Getter and setter methods help to ensure data sanity.

Of course, MATLAB was never designed to be object oriented, so there are a few negatives I found.

1. Access permissions are complicated and annoying to deal with.

2. Slower in execution (not very noticeable).

3. Referencing is not as straightforward.

4. Not great support for objects in most tools/commands.

Overall I am pretty happy with the quasi-object-oriented design I am using. It gives me enough object orientation to take advantage of it and still allows me to hack out small scripts for testing stuff.

If you’re interested in using object orientation in MATLAB, you can check out these links to get started.

Music, Distribution and Piracy.

Update: The music was finally released under the Saregama label, and you can find it here.

——–

Recently, a Marathi movie about a very famous Marathi musical theatre personality of old, Balgandharva, was announced. The movie had many ‘up and coming’ names attached to it, including the famous art director Nitin Chandrakant Desai (NCD) of Devdas fame producing it.

A few things really struck me about this movie when I watched the first trailer (be sure to watch it in HD).

1. It is really well done. For starters, the trailer was uploaded to Youtube in HD. That really helped to grab the mood of the movie. Not only that, but NCD did mention in one of the interviews that they had used new cameras and video technology (not sure exactly what they used) to capture the beautiful NCD sets in all their glory. This shows in the great control over focus, bokeh and colour seen in the trailer.

2. Even in the trailer, the music was especially well done. The high bit rate of the uploaded file was noticeable, and so was the significant thought put not only into the orchestration but also into the ‘polishing’ and ‘mastering’ of the music. Very well done indeed!!

The fact that such effort was showcased in the trailer says a lot about the understanding the team behind the movie has of the technology and media they are using to capture and display the movie. And yet the movie is set in the early 1900s, and care has been taken to hide the use of such technology in both video and music, as we can notice from the trailer.

The other thought came after reading some comments on the Facebook page of the movie (esp. the last comment).

For a movie with a theme which has so much to do with music, and furthermore in a market like India, what strategy of music distribution should be adopted?

The soundtrack of this movie has 21 tracks/songs, most based on the songs of Balgandharva from the yesteryears, and they are really well produced. It truly sounds like a masterpiece in the making from the trailer. Hence the super heightened expectations from the fans.

However, piracy of music is extremely common in India. I do remember growing up, copying cassette tapes was so rampant that we didn’t know it was ‘illegal’. The culture of ‘sharing’ music (and videos) has forced many companies to adopt very unusual business models to combat this piracy. You could call me presumptuous, but one can sense that many fans who’re so intent on downloading the music for this movie might not want to pay for it.

So how can the music of such an epic movie be distributed??

As a fan of the production and artists involved, I definitely want them to make as much money as they can off the film. They deserve it for all the work one can see put in. And as someone who doesn’t live in India, I wish I were able to download and listen to the music in high quality as soon as it’s published. So where can we draw the line?

We know that DRM is a broken solution for various reasons (hard to use, expensive, unsustainable, etc.). The main reason why most of the US and European music industry was able to go beyond DRM and freely distribute non-DRM music online with a new model is the support from the infrastructure and society. Fast and ever-available internet makes apps like Spotify and Rdio viable alternatives to piracy. Furthermore, the structure of the music industry (mainly based on bands) makes it easy to have fans supporting single entities, and thus not pirating those bands. For example, it’s easy to say, I love Nine Inch Nails and I won’t pirate their music as I want to support them.

But in India, 3G has just been launched. Internet has barely penetrated the market. And within the Indian movie music industry it is so hard to support a single entity, as they change teams with every movie. Furthermore, economics is a big factor: where a 99¢ song makes sense in the US for most people, the same cost is prohibitively expensive for many fans in India.

I don’t have an answer for this. But I do hope that there is one, and we will all be able to enjoy, encourage and support the music (and movies) that we love in the future. But for now, I have $20, right here in an envelope, to drop on a downloadable version of this soundtrack the second it comes out. Come get it!!

Point Sources

As acousticians, we get excited when we hear the words ‘point source’. It’s something many engineers would relate to. Just like in other fields of engineering, point sources in acoustics are a simplified model (almost as simple as it can get) of acoustic energy sources.

Point sources are represented as a dimensionless point which radiates acoustic power. Being dimensionless makes them useful, as all the other complications of sources with physical dimensions (length, width, etc.), like directivity, can be conveniently ignored with point sources.

The radiation of the point source is considered to be governed by the 3D wave equation, and hence the pressure follows a 1/r law: it decreases as the distance from the point source increases. One can imagine that as the power from a source is radiated in all directions in a spherical shape, the further it goes, the less ‘dense’ it gets, hence the reduction with distance. Such a source is also known as a monopole source, to distinguish it from a dipole source, which behaves quite differently because of internal interactions. But we’ll look at those later.

The question that begs to be asked, though, is when natural sources can be considered point sources. If we have something that makes a noise (like a loudspeaker), can it be considered a point source? Obviously not! These sources have physical dimensions which will cause the sound waves to interact with them. For example, the waves will reflect off various surfaces, get absorbed by some surfaces, and be re-radiated by other surfaces in different directions and with various amounts of power. Hence, it gets complicated with real-life acoustic sources.

So when can we use point sources? As with all things in acoustics, most models only hold for certain frequency ranges. In this case, the point source model holds pretty well when the dimensions of the source are much smaller than the shortest wavelength being considered. So given a 20kHz sound in air (the highest frequency, and hence smallest wavelength, humans are supposed to hear), the wavelength is about 17mm. Anything larger than 17mm is considered too big to be a point source and will interact with the wave.

But nonetheless, point sources are interesting models and allow us to simplify many calculations and ignore many unnecessary details while investigating sound.

Optimization in MATLAB

Continuing on the optimization problem from the last post: I remembered having read about the MATLAB Numerical Optimization Toolbox. Since the MATLAB license I have includes all toolboxes, I decided to explore it.

The quickest way to learn about this toolbox is to use the GUI-based tool; the command optimtool will bring it up. The basic premise of this tool is that you create a function (the ‘ObjectFunction’, i.e. the objective function) which, when given the variables as arguments, yields the value being optimized (in most cases minimized). Then, by calling this function with various combinations of inputs, the optimization tool decides the optimum values of the inputs. This might be a very simplistic view, but that’s the foundation.

From here, it gets more complicated. You can choose more complicated problem structures (max-min problems to find the maximum output value for minimum arguments, etc.), you can define linear and non-linear constraints, a multitude of algorithms to solve the problem, and so on. As always, the help files and demos are great support for deciding what you need and choosing the correct solvers, stop conditions, etc.

I won’t say I totally understand how the tool works, especially since I am still unclear about how the solvers actually work, but the tool gives enough data for you to use it to generate some useful results.

Some interesting points I picked up using this tool:

  1. Linear equality and inequality constraints are defined in matrix form: the equation A·x ≤ b (inequality) or A·x = b (equality) captures the constraint. A is an n × m matrix, where n is the number of constraints of that type (equality or inequality) and m is the number of variables, x is the vector of input variables, and b is the vector of constants on the right-hand side.
  2. Stop conditions are useful not only to decide when to stop iterating but also to add physical constraints. The stop conditions for x allow the minimum accuracy of change of the input variables to be defined. In my case, the variables indicate physical dimensions, so setting the accuracy to a value which defines the lower limit of manufacturing ensures that the solution is manufacturable (no 0.333118m radius of body required).
  3. Various solvers yield different solutions. Since I don’t really get the solving schemes, I tried all of them and found one which gives the best solution.
  4. Starting points matter. It’s possible that your problem gives different solutions depending on the starting point used. The tool requires you to submit a starting point. Changing it around your bound range helps to ‘look’ for other solutions which the solver might not otherwise be able to find. It’s a little like the global vs. local minima issue.
  5. Most problems are defined as minimization. Since my problem was a maximization problem, I had to invert the metric which was being maximized.
  6. Visualization of the solving schemes (constraint errors, step sizes, objective function evaluations) helps to see what’s going on with the solver.

Finally, I don’t think my system really needs such complicated optimization ‘firepower’. But it was a good excuse to learn a new tool, and think of approaches to a problem which is quite common in design/research work.