Monthly Archives: November 2013

A Sociologist Interrogates the Criminal-Justice System #

Great story from the Chronicle of Higher Education about a sociologist embedded in a poor, high-crime neighborhood.

Via Next Draft.

iOS 7.0.4 Update Caused Data Loss #

I’m not having much luck with software updates this season.

I happily clicked “Agree” to update my (not jailbroken) iPhone 5 to the most recent software update, iOS 7.0.4. Something must have gone wrong, because it dropped to an error screen that insisted the phone be plugged in to iTunes … and the only thing iTunes would do with it was a full restore.

My last phone backup was a month ago. One month of data, pictures, call logs, save games: gone.

Argh.

Jenkins CI Install Failure on OS X #

I’m sampling Continuous Integration (CI) tools for a project I’m working on. One of the most ubiquitous open source options is Jenkins, which comes with a convenient package installer for OS X.

It installed without errors, but when it came time to run Jenkins (browsing to http://localhost:8080/ ), my browser(s) wouldn’t connect.

The installer built its own log files as /var/log/jenkins/jenkins.log, which helped unravel the mystery: Java wasn’t installed.

Huh? I’ve taught courses in Java from this machine. Java was installed.

Turns out, upgrading to Mavericks “helpfully” removed Java without telling me. A placeholder app is still there in /usr/bin/java, but it simply loads an alert prompt to download and install Java … an alert prompt that fails silently when run by a daemon (which by definition can’t access windowing functions in the OS), like Jenkins.

As LaunchDaemon will attempt to re-run the failing Jenkins every 10 seconds, turn it off temporarily if you need to (re)install Java:

sudo launchctl unload -w /Library/LaunchDaemons/org.jenkins-ci.plist

Re-enable by repeating the same command, but using load instead of unload.

CMU Password Cracking Study #

The landmark study is among the first to analyze the plaintext passwords that a sizable population of users choose to safeguard high-value accounts. The researchers examined the passwords of 25,000 faculty, staff, and students at Carnegie Mellon University used to access grades, e-mail, financial transcripts, and other sensitive data. The researchers then analyzed how guessable the passwords would be during an offline attack, such as those done after hackers break into a website and steal its database of cryptographically hashed login credentials. By subjecting the CMU passwords to a cracking algorithm with a complex password policy, the researchers found striking differences in the quality of the passwords chosen by various subgroups within the university population.

Dan Goodin, “It’s official: Computer scientists pick stronger passwords”, Ars Technica, 8 November 2013.

One of the funnier conclusions: Those associated with the business school tended to have the weakest passwords.

A very unusual data set, available due to remarkable circumstances:

Plaintext passwords were made indirectly available to us through fortunate circumstances, which may not be reproducible in the future. The university was using a legacy credential management system (since abandoned), which, to meet certain functional requirements, reversibly encrypted user passwords, rather than using salted, hashed records. Researchers were never given access to the decryption key.

Mazurek, et al., “Measuring Password Guessability for an Entire University” [pdf], 22 October 2013.

From reading the paper, the “cracking” was based on guessing from pre-composed password lists, based on publicly leaked lists, and experiments with Mechanical Turk.

Super interesting. The steps researchers had to go through to protect privacy and keep the IRB happy are exceptionally thorough, including code review and secure facilities.

We were required to submit all the analysis software needed to parse, aggregate, and analyze data from the various data sources for rigorous code review. Upon approval, the code was transferred to a physically and digitally isolated computer accessible only to trusted members of the university’s information security team. Throughout the process, users were identified only by a cryptographic hash of the user ID, created with a secret salt known only to one information technology manager.

We were able to consult remotely and sanity-check limited output, but we were never given direct access to passwords or their guess numbers. We did not have access to the machine on which the passwords resided — information security personnel ran code on our behalf. Decrypted plaintext passwords were never stored in non-volatile memory at any point in the process, and the swap file on the target machine was disabled. All analysis results were personally reviewed by the director of information security to ensure they contained no private data. We received only the results of aggregate analyses, and no information specific to single accounts. After final analysis, the source data was securely destroyed.

Ibid.
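To make the two ideas above concrete (guess numbers from an ordered guess list, and user IDs that appear only as a keyed hash), here is an added illustration; it is not code from the paper. The guess list and the account records are constructed sample data, and the only output is per-group aggregates, never a password or a raw user ID.

```python
import hashlib
import hmac
import statistics
from collections import defaultdict

# Constructed, tiny ordered guess list; stands in for the leaked-list and
# Mechanical-Turk derived guessers the paper used, which are vastly larger.
GUESS_LIST = ["123456", "password", "qwerty", "letmein", "tartan1", "Tartan2013!"]


def guess_number(password, guess_list=GUESS_LIST):
    """1-based position at which someone working down guess_list would reach
    this password; None means the list is exhausted without reaching it."""
    try:
        return guess_list.index(password) + 1
    except ValueError:
        return None


def pseudonymize(user_id, secret_salt):
    """Keyed hash (HMAC-SHA256) of the user ID. The same ID always yields the
    same token, but without secret_salt a token cannot be linked to a user."""
    return hmac.new(secret_salt, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def aggregate_guessability(records, secret_salt, guess_list=GUESS_LIST):
    """records: iterable of (user_id, group, plaintext_password).
    Returns only aggregates per group: account count, how many the guess list
    reaches, and the median guess number of those reached."""
    per_group = defaultdict(list)
    seen_tokens = set()
    for user_id, group, password in records:
        token = pseudonymize(user_id, secret_salt)
        if token in seen_tokens:      # de-duplicate on the token, not the raw ID
            continue
        seen_tokens.add(token)
        per_group[group].append(guess_number(password, guess_list))
    report = {}
    for group, nums in per_group.items():
        reached = [n for n in nums if n is not None]
        report[group] = {
            "accounts": len(nums),
            "reached": len(reached),
            "median_guess_number": statistics.median(reached) if reached else None,
        }
    return report
```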

Professors’ Manifestos: “I Quit Academia” #

A few weeks old, but still worth a link:

Ernst’s Oct. 20 essay [“Why I Jumped Off the Ivory Tower”] is a deeply honest account of his acrimonious departure from what many would consider a dream job: a tenured position as a philosophy professor at the University of Missouri.

Ernst’s contribution is indeed part of a raucous subgenre of “I Quit Lit” in, or rather out of, academe, which includes Kendzior’s own acidic “The Closing of American Academia,” Alexandra Lord’s surprisingly controversial “Location, Location, Location,” and my own satirical public breakdown. All of us faced, and continue to face, the impressively verbose wrath of a discipline scorned, which itself is the completing gesture of initiation into the I Quit Oeuvre.

It is still exceptionally rare for a tenured academic to publicly and voluntarily leave the field. To understand the way the concept is viewed by academics, please say that phrase aloud the way you’d say “contract syphilis.” Despite their widespread and documented unhappiness, most associate professors (the rank one achieves upon being granted tenure) stick it out until the end, for numerous reasons. First, while tenure does not actually mean “a job for life no matter what,” it does offer a level of security absent from other professions. Moreover, by the time a professor makes tenure, she has usually been so heavily socialized by the “Total Institution” of the Academy that to leave it would be almost akin to death.

Rebecca Schuman, “Quitting academic jobs: professor Zachary Ernst and other leaving tenure and tenure-track jobs. Why?”, Slate, 24 October 2013.

Hire Tom! Hire Tom!