Lugnut

Monday, January 08, 2007

The Ol' In and Out

When President Bush publicizes his plan for moving ahead in Iraq this week, it will not include a plan for full near- or long-term troop withdrawal. There is a historical precedent for this. The US still maintains a military presence in Germany, Japan, and South Korea 50 years or more after their respective conflicts ended.

I don't believe there ever was an intent for withdrawal. With the dubious reasons given for the initial invasion and occupation, it is obvious that there was a hidden motive. As I have written before, none of the reasons cited by the President stand up to scrutiny. He wanted an excuse to establish a military presence in the Middle East.

The Korean conflict is the closest example to Iraq. It was an imperialistic war and it was fought internal to that nation. In that example, it took 40 years for political stability to take root and democracy to take hold. And technically the Korean conflict is still taking place. There is no peace treaty between the North and South, only a suspension of hostilities.

Iran could be seen as the North Korea to Iraq. At least in the US's imperialistic view, a military presence will more than likely be maintained in Iraq to balance Iran's power in the region. Iraq is a back door to influencing power in the region for the United States.

Friday, January 05, 2007

Why is it that every "jam band" station on the internet uses the phrase "eclectic rock" in its description? I go looking for eclectic rock and I find bullshit. Fucking jam band bullshit has somehow been eking out a genre status for itself, even though it sucks.

I work in IT, and I've tried over the years to keep my passwords secure and safe. Yet the concern with security among most administrators of late has caused a trend that is making it harder for people to have good passwords. My really strong 15-character password takes a back seat to my eight-character junk password that I rotate through all of the systems that enforce changes every few months.

Password policies are constantly being made more restrictive in the belief that more complicated passwords are harder to crack. Of course this is true to some extent, but the complicated rules tend to discourage users from using anything but the bare minimum password.

Start requiring password changes every three months and it gets worse. There are password policies that do not permit reuse of old passwords in later forced changes. There are policies that require the new password to differ from the old by some minimum number of digits. The result is that users devise the simplest, easiest to remember scheme to get by. They find ways to minimize the pain of having to devise a new password that meets the requirements every three months.

Take your kid's name, add a "1" to the end, and increment the number each time you change it. Add a period or an exclamation point. Use a "0" in place of an "o." Do whatever to get the stupid warning to go away. If you forget which ridiculous combination you used last, call the helpdesk. Some helpdesks don't even ask for identifying information, which leaves open the possibility for the password hackers we are trying to discourage to call and get a password reset for someone else.

IT administrators don't seem to understand that password crackers know all the tricks people use to obscure words in their passwords. The password "Angela1" is identical to "4n9e1a1" to a password cracker. It is no secret that people use "4" for "A," "9" for "g," and so on. So the effect of the password policy is to cause hardship for the users but provide nothing in terms of increased security.
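To make that concrete, here is a check a password-change form could run. It is an example added to this post, not code from any real product. The substitution table beyond 4, 9 and 0, the function names and the tiny word list are all assumptions made for illustration.

```python
import re

# Look-alike substitutions: 4->a, 9->g and 0->o come from the post; the rest
# are other well-known ones added as an assumption. The table is not exhaustive.
LEET = str.maketrans("4@9031$57", "aagoelsst")
# Counter digits and punctuation tacked onto the end ("1", "2!", ".").
TRAILER = re.compile(r"[\d!.?]+$")


def skeletons(password):
    """Return the base words a password reduces to once the tricks are undone."""
    lowered = password.lower()
    stripped = TRAILER.sub("", lowered)
    # Keep both forms: a trailing digit may be a counter ("angela1")
    # or a stand-in for a letter ("hell0").
    return {form.translate(LEET) for form in (lowered, stripped) if form}


def review(new_password, current_password, wordlist):
    """Return a list of findings; empty means none of these tricks was detected.

    Assumes the check runs at change time, when the user has just typed the
    current password, so no plaintext history needs to be stored.
    """
    findings = []
    new = skeletons(new_password)
    if new & skeletons(current_password):
        findings.append("same base word as the current password")
    hits = sorted(new & set(wordlist))
    if hits:
        findings.append("reduces to a guessable word: " + hits[0])
    return findings


# Constructed sample data: a stand-in for a names/dictionary list.
WORDS = {"angela", "password", "summer"}

if __name__ == "__main__":
    for candidate in ("4n9e1a1", "Angela2!", "P4ssw0rd.", "maple-orbit-quiet-stone"):
        print(candidate, "->", review(candidate, "Angela1", WORDS) or "no finding")
```

Every "new" password in the sample that follows the name-plus-counter scheme collapses to the same base word, which is why it passes the complexity rules while being no harder to guess.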

IT Security is about prevention and mitigating risks. An argument could be made for adding complexity to password schemes to make the task of hacking passwords more difficult and more time consuming. I question, however, if the payoff for these policies is greater than the amount of headache it causes for people.

The biggest threat to computer security isn't weak passwords, it is human error. It is leaving sensitive data on a laptop that gets stolen. It is users writing passwords on a post-it note and putting it under their keyboard. It is people sharing passwords or information over the phone that can be used to gain access to a system. Complicated password policies encourage users to be lax on all of these things.