wed, 30-nov-2005, 19:26

A week ago I posted some data from the Statistical Abstract of the United States. On today's local newscast there was a story about cancer rates in Alaska and one of the people interviewed mentioned that cancer is the leading cause of death in Alaska. In the U.S. heart disease kills 26% more people than cancer. But the numbers for Alaska are quite different than the national averages.

Here's the same table I showed last week, except from 2001, and including Alaska, and Alaska's rank for some causes:

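(lower numbers are better)

| Cause | National Rate | Alaska Rate | Alaska Rank |
|---|---|---|---|
| All causes | 848.5 | 469.4 | 1 |
| Heart disease | 245.8 | 95.2 | 1 |
| Cancer | 194.4 | 108.7 | 3 |
| Cerebrovascular | 57.4 | 24.9 | 1 |
| Lower respiratory | 43.2 | 23.2 | 3 |
| Accidents | 35.7 | 54.4 | 46 |
| Motor Vehicle Accidents | 15.4 | 16.3 | |
| Diabetes | 25.1 | 12.6 | 1 |
| Suicide | 10.8 | 16.1 | 45 |
| Homicide | 7.1 | 6.0 | |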

The values are deaths per 100,000 residents, so they've already got population size factored in. The Alaska rankings are interpreted such that a low number means Alaska has much lower rates for that cause relative to the rest of the United States. Alaska ranks number one (lowest deaths per capita) overall, and for the individual causes of heart disease, cerebrovascular diseases, and diabetes. And we've got the third lowest death rate due to cancer and lower respiratory diseases. Alaska ranks pretty low (high death rates) for accidental death and suicide, however. The extreme environment and very long winter probably contribute to both of these higher death rates.

So more Alaskans do die from cancer than anything else, but relative to the rest of the United States, we have remarkably low death rates. Perhaps there is something to all the open spaces and the clean air and water that keeps the average Alaskan healthy?

tags: Alaska  society 
mon, 28-nov-2005, 18:40
Watershed Opening

I've discussed the problems with our water supply on other pages (going into the tank to clean it, new water tank, watershed) but the most recent pages end just after I finished installing the new tank.

Last winter the outlet pipe that transitions from the base of the tank inside the watershed to the warm garage froze several times. I eventually installed heat tape, but that proved ineffective. Each time it froze I had to disassemble the piping and heat the area with a heat gun until the slug of ice slid out and flow was restored. Not a fun activity at 5 AM when all I want to do is wash my face and make coffee.

This year I tried a new technique -- creating an insulated box around the opening to reduce the cold air flow and a small computer fan to gently blow warm air into the insulated area. I installed an indoor / outdoor thermometer in the insulated space with the probe extending into the shed. As winter approached, the temperature in the shed started declining, but the insulated area stayed right around 50 F.

Yesterday I put my beer thermometer into the insulated area on a whim. The indoor / outdoor thermometer read 48 F in the insulated area and 36 in the shed. But my beer thermometer was reading 30 F! Turns out the battery was close to dead in the thermometer I'd been trusting; the temperature in the shed was actually 26 F, and the temperature in my insulated area was down to 30 F.

I quickly upgraded the fan, and as you can see from the image, it's still 26 F in the shed, but it's a comfortable 52 F inside the insulated area. All the water in the shed has enough thermal mass that it can be below freezing for weeks (by which point it'll be filled again with warmer water) without freezing except around the edges. And the outlet pipe is now a steady 50+ F.

Just goes to show that you shouldn't put too much faith in a single instrument. It hit -34 F in Fairbanks this morning, and if I hadn't noticed it, the outlet pipe would surely have frozen.

fri, 25-nov-2005, 11:06

Following up on yesterday's discussion of making passwords that look random to the computer, but contain some pattern that's easily remembered, I wrote a little password generator in Python. It requires the 'fortune' program (fortune-mod, fortunes packages in Debian), as well as Python. The script takes two optional arguments, the number of passwords to generate, and if the script should create "difficult" passwords.

The output looks like this:

    $ ./fortune_password.py 1
    16422 : 4Dcfpnsfe#
    Don't compare floating point numbers solely for equality.

or if you've chosen the "difficult" version:

    $ ./fortune_password.py 1 d
    55424 : ya8=Ithotmk
    You are in the hall of the mountain king.

The difficult version puts the number, symbol and upper case letter in the middle of the string of letters, rather than at the beginning and end with the simpler version. I suppose the difficult version is slightly more "random" and is better as a result, but there's probably not much difference when it comes to how long it would take to crack it.

Of course, despite the way the passwords look, they're not actually random. So if the cracker knows that you've used a password generator based on the fortune command, they can generate a wordlist based on fortunes and use that in a dictionary attack instead of having to use a brute force attack.
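A sketch of the scheme described above, as an added example and not the fortune_password.py script from this post. The placement rules are inferred from the two sample outputs, the phrase is passed in rather than read from `fortune`, the symbol set is assumed to be the one from the 24-nov post, and `scheme_bits` takes the size of the phrase database as a parameter because the page does not give it.

```python
import math
import re
import secrets

SYMBOLS = "!@#$%^&*+=;:?"   # assumed: same 13 symbols as the 24-nov post


def initials(phrase):
    """First letter of each word, lower-cased: 'You are in' -> 'yai'."""
    return "".join(w[0].lower() for w in re.findall(r"[A-Za-z][A-Za-z']*", phrase))


def mnemonic_password(phrase, difficult=False, rng=None):
    """Build a password from a phrase; rng defaults to the OS CSPRNG."""
    if rng is None:
        rng = secrets.SystemRandom()
    letters = initials(phrase)
    if len(letters) < 3:
        raise ValueError("phrase too short")
    digit = rng.choice("0123456789")
    symbol = rng.choice(SYMBOLS)
    if not difficult:
        # Simple form: digit, capitalised initials, symbol (4Dcfpnsfe#).
        return digit + letters[0].upper() + letters[1:] + symbol
    # Difficult form: digit and symbol inside the initials, with the
    # letter after them upper-cased (ya8=Ithotmk).
    cut = rng.randrange(1, len(letters))
    return letters[:cut] + digit + symbol + letters[cut].upper() + letters[cut + 1:]


def scheme_bits(n_phrases, n_letters, difficult=False):
    """Entropy in bits when the scheme and the phrase database are known."""
    placements = (n_letters - 1) if difficult else 1
    return math.log2(n_phrases * 10 * len(SYMBOLS) * placements)


def random_bits(length, alphabet=75):
    """Entropy of a truly random string over the 75-character set."""
    return length * math.log2(alphabet)
```

Comparing `scheme_bits` with `random_bits` for the same password length puts a number on the caveat in the last paragraph: the password's strength is bounded by the phrase database, not by how random the result looks.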

tags: sysadmin 
thu, 24-nov-2005, 10:49

The University has been requiring certain departments to sit through a 15 minute presentation on using good passwords. One of the handouts had a chart showing how long it takes to crack passwords by how long they are and how many types of characters they've got in them. I'm interested in the subject because I typically assign passwords to my users when they start work. I wrote a simple program that takes words from the dictionary that are between 9 and 15 letters long, and which don't end in 'ing', 's', or 'ed'. The program then splits the word in the middle somewhere, inserts a random number, a random symbol, and capitalizes one of the following letters in the word.

For example, the script gets the word 'misdirection', inserts a '1' and a '%', and then capitalizes one of the letters in the word. The resulting password is 'misdi1%recTion'.

That password is composed of the letters [a-zA-Z], symbols [!@#$%^&*+=;:?], and numbers [0-9], so the set of characters to search for is 26 + 26 + 13 + 10 = 75. The password is 14 characters long, so the space a brute force attack has to search is 75^14 = 1.8 x 10^28 which is a huge number.

I did a few experiments with my workstation, which has an AMD Opteron 246 processor inside. Performing a brute force attack requires encrypting all these possible combinations until a match is found. So the type of encryption used is important. My computer can perform about 450,000 encryptions per second if the encryption is the old style DES encryption used on most proprietary Unix platforms. But all of my servers are running Linux, which uses md5 style passwords, and my computer can only do about 3,500 encryptions per second. So 1.8 x 10^28 possible passwords / 3,500 encryptions / second means it'll take about 1.6 quadrillion years on my computer to crack it (or half that time on average).

Unfortunately, most passwords aren't cracked using brute force, they're cracked by using a dictionary attack, and since my passwords are generated using a dictionary, that means they're considerably more vulnerable. The question is, does my method of randomly inserting a number and symbol in the middle of a dictionary word (as well as randomly upper casing a letter) defeat a dictionary attack?

I don't know the answer. But I've done some experiments with pathologically bad passwords to see what might happen. On my computer a simple dictionary word is cracked within seconds. And a simple dictionary word with numbers appended (I tried 'barf51') is cracked in two and a half hours. So the jury is still out on my method. But I'll bet that my method isn't as safe as I thought it was at first. It's certainly better than the user that uses her husband's name, the name of the dog, or their license plate number for a password. Most cracking software has information about the typical behavior of users built into it, so it will start by searching the space defined by their username, their domain name, and common names. 'cswingle11' would be a pretty poor choice for me. 'misdi1%recTion' would undoubtedly be better.
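One way to put numbers on that question, as an added example that is not code from this post: it counts how many passwords the word-splitting scheme can produce and compares that with the full 14-character brute-force space at the 3,500 guesses per second quoted above. The reading of the scheme (any interior split, one digit, one symbol, one capital after the split) and the 40,000-word list of 12-letter words are assumptions made for the illustration.

```python
SYMBOLS = "!@#$%^&*+=;:?"               # the 13 symbols listed in the post
ALPHABET = 26 + 26 + len(SYMBOLS) + 10  # 75 characters
RATE = 3500                             # md5 guesses/second quoted in the post
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_space(length, alphabet=ALPHABET):
    """Every string of `length` characters over the alphabet."""
    return alphabet ** length


def candidates_per_word(n):
    """Passwords the scheme can make from one n-letter word.

    Assumed reading of the scheme: split after i letters (1 <= i < n),
    insert one digit and one symbol, upper-case one of the n - i letters
    that follow the split.
    """
    return sum(10 * len(SYMBOLS) * (n - i) for i in range(1, n))


def scheme_space(length_counts):
    """length_counts maps word length -> number of eligible dictionary words."""
    return sum(count * candidates_per_word(n) for n, count in length_counts.items())


def seconds_to_exhaust(space, rate=RATE):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return space / rate


if __name__ == "__main__":
    # Constructed figure, not from the post: 40,000 eligible 12-letter words.
    wordlist = {12: 40_000}
    blind = seconds_to_exhaust(brute_force_space(14)) / SECONDS_PER_YEAR
    informed = seconds_to_exhaust(scheme_space(wordlist)) / 3600
    print(f"brute force over 14 characters: {blind:.2e} years")
    print(f"scheme known, wordlist known:   {informed:.1f} hours")
```

The digit, symbol and capital together multiply the per-word work by a few thousand, which is small next to the gap between a wordlist and the full 14-character space.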

The only way to really generate passwords is to do it in such a way that there isn't a pattern (like a dictionary word) that the computer can identify and use to reduce the number of combinations the cracking program needs to test. So a better approach to passwords is probably to use a database of common phrases, and pull the first letters from the phrase, insert some random cases, symbols and numbers, and use that. Perhaps the 'fortune' command offers some possibilities here:

    $ fortune -n 80 | head -1
    There is no distinctly native American criminal class except Congress.

So: 'tindnaccec' --> TindnAcceC --> TindnA7#cceC

That's 75^12 = 3 x 10^22 and because it's effectively random (unless cracking tools learn about the 'fortune' database and how it might be manipulated. . .), it'll take 286 billion years for a computer equivalent to mine to crack this.

Sounds like a Python script in the making.

tags: sysadmin 
tue, 22-nov-2005, 08:43

Earlier today I was reading pragmatik's blog and he mentioned seeing three auto accidents (one fatal) on his way to Baltimore. It's been a subject on my mind recently as a graduate student friend of mine was recently killed in an auto accident. I decided to visit the Statistical Abstract of the United States to look at death and accident rates. Death rate figures appear in Table 102 in the 2004-2005 Abstract. For all Americans, the rates per 100,000 people in 2002 were:

| Cause | Rate |
|---|---|
| Heart disease | 240.4 |
| Cancer | 194.0 |
| Cerebrovascular | 56.3 |
| Lower respiratory | 43.7 |
| Accidents | 35.5 |
| Diabetes | 25.4 |
| Flu/Pneumonia | 22.7 |
| Suicide | 10.6 |
| Liver disease | 9.3 |
| Homicide | 5.9 |

(apologies for the formatting of the table. I can't seem to figure out the column formatting stuff.)

That rate of 35.5 people per 100,000 translates into 102,303 people in 2002 that died by accident. The next table in the Abstract (Table 103) breaks these down into smaller categories. For accidents:

| Accident | Rate / 100,000 | 2002 Count |
|---|---|---|
| Motor vehicles | 15.5 | 44,572 |
| Poisoning | 5.1 | 14,670 |
| Drowning | 1.2 | 3,399 |
| Smoke, Fire | 1.0 | 3,024 |
| Firearm discharge | 0.3 | 813 |

Forty-four thousand people is an awful lot to die on our roads in 2002. That's 122 people every day, or a major airline crash a few times a week. There's no further detail on these accidents, but it would be interesting to know in what percentage of cases alcohol was involved, and what percentage of the fatalities weren't wearing their seatbelts.

On a lighter note (sort of), Table 175 shows the Injuries Associated with Consumer Products, shown as estimated emergency room treatments in 2001. A few numbers: 1,087,546 people went to the emergency room after an incident on the stairs, 349,679 people had trouble with a door that was bad enough they had to see a doctor. 118,501 people hurt themselves with their footwear, and 47,210 people were injured by their televisions. Bizarre. I knew television was dangerous, but I never thought I'd have to go to the emergency room because of it!

tags: society 
