Help for Ethiopian orphans

We adopted a son, Adam Abera, from Ethiopia this year. He's a gift and a delight, and our good fortune in adding him to our family is far greater than his good fortune in being added to ours. However, it is true that we brought him home to material support, comfort, security, and opportunity far greater than what he left behind, and of Ethiopia's five million orphans, only a tiny fraction can or should be supported by adoption into first-world nations.

While we were there, we met the remarkable Dr. Tsegaye Berhe, the director of Wide Horizons for Children's program in Ethiopia—a man who truly loves and strives on behalf of children. He impressed upon us how deep the need there is and told us of their program to offer support to the vast number of children there for whom the proper path is not adoption—orphaned children who have family to care for them in Ethiopia, but who need support.

WHFC's program not only provides basic material support for the children you sponsor, it also makes an investment so their families can found viable, profitable businesses, and so, enable them to progress towards self-sufficiency. You can read more about the program here, including a brochure and FAQ.

This season, I would like to ask you to make a commitment and contribution to sponsor a child. $420/year can pull not only a single child, but a family out of poverty. Right now, go to WHFC's Child Sponsorship site and sign up. $420/year is $1.15 per day.

After you've contributed, please let me know. I've made a commitment that I and my companions in group 79, who brought home a double handful of kids this summer, will sponsor 79 children, and I'd like for your support to count towards that goal.

Thank you!

Tim, Laura, Adam, Lucile and Henry.

Missing the point

Benjamin Black has a service called the tls report that grades web sites based on the quality of their SSL configuration: points are taken off for SSL 2 support, support for shorter keys, etc. While I respect the effort and I value the concern for better security, this is just silly. Extending cryptographic key length is the least valuable thing any site can do to improve the security of people's data. Gene Spafford got it right when he said:

Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.

Worrying about whether the keys are 40-bit, 56-bit, 128-bit, or larger is the equivalent of worrying about whether the armored car guards are carrying revolvers or machine guns: it entirely misses the point. I'm not aware of a single case, ever, where an attacker stole data from a commercial site by cracking an SSL key of any length. Note also that SSL/TLS has mechanisms to prevent an attacker from forcing you to negotiate a lower grade of security than you ask for, so if you turn off 40 bit ciphers in your browser, an attacker cannot force a downgrade (other than by cracking the server's private key), so a site that supports 40-bit keys does you no harm at all. As such, in addition to measuring something not particularly relevant to security, these grades are irrelevant to the security of users paranoid and well-informed enough to know about them and care. If you're concerned about the security of your data, you should be concerned with how a site handles your account password and your data at rest. Of course, this is harder to observe than SSL settings, so Mr. Black appears to fall into a trap that catches a lot of the security community: thinking about problems that are easier to see and measure, even if they're not the truly significant security problems.

More Important than Excellence

What's the most important skill in playing poker, if you're looking to make the most money?

When I ask other poker players this, I get answers like "bluffing", "reading other players" or "knowing the probabilities".

They're all wrong. The most important skill is table selection—choosing what game to play and who to play against. You could be the 20th best poker player in the world, but if you spend all your time playing against the top ten players, you're going to lose money. Similarly, you can be a mediocre player and still be rolling in dough if you find and play against players you can beat. "Better" and "worse" isn't the only measure. Some people play well against certain styles of play (for example, you might play well in a game where your opponents bet and raise a lot, but not have the skills to adjust to players who play tighter). The most important thing you can do is put yourself into a situation that optimizes your chances for success. Only after does it become important to execute well. Only then do the skills of the game of poker come into play.

This isn't just a lesson for poker; it's also true in business. One of the tenets of venture capital is that it's better to have a bad company in a good market than a good company in a bad market. I know that while I think I'm an excellent software engineer, I've made more money by being in the right place at the right time than I have solely through engineering skill. (Of course, an excellent track record of success has given me the opportunity to be in the right place at the right time.)

I think this is also a valuable reminder that it's frequently not obvious what the rules that govern success are. For example, you might invest in a company because you think their product is insanely great, but it turns out that the important skill they needed to be successful was actually business development, not creating great products. Sigh.

A Secure In-Browser JavaScript Password Generator

This password generator picks random passwords for you. It runs entirely on your computer, inside your browser--the generated passwords do not travel over the Internet and are not known by my server.

The passwords are generated by picking words at random from a dictionary. I like to find a randomly generated password where the words bring to mind a memorable image--these passwords are easy for me to remember, but relatively hard to guess. For example, I just generated the password "social-fuzzy-okay"; I might remember this with the image of a party where stuffed animals are welcome. You can generate new sets of passwords several times looking for one that seems appropriate.

Please wait for the dictionary to load.

First, please move your mouse around in the window. Your unpredictable movement is used to seed the random number generator that is used to generate the passwords.

0% complete (0 bits)

Not yet loaded

Your generated passwords:

Q: How strong of a password do I need?

A: The strength you need depends on what you're going to use the password for and how hard you think someone might work to break it. If you're using the password to encrypt a file or something similar where an attacker could do an "offline attack," where she could try many different passwords very quickly, you would want to choose a very strong password. For most online accounts, you don't actually need such a strong password: it's difficult to check online passwords quickly. Also, many services, particularly security-sensitive ones like banks, will disable accounts where the password is entered incorrectly too many times. This means you can have a much shorter password and still be secure.

Q: What does the number of bits mean?

A: The number of bits (e.g., "3 words - 41 bits") is an approximation of how many bits of entropy there are in a password of that length. This is essentially how many bits it would take to enumerate the number of different passwords that have a certain number of words.
Every extra bit of entropy doubles the number of possible passwords an attacker would have to guess, so a password with 24 bits of entropy is twice as hard to guess as one with 23 bits of entropy, and 25 bits is twice as hard again. 10 more bits of entropy makes it approximately a thousand times as hard to guess a password.
For example, if there were only 5 words in the dictionary this programs uses (say "apple", "bouncy", "castle", "dancing", and "edith"), and you were generating passwords that were 3 words long, there would be 125 different passwords that it could generate (5 x 5 x 5 = 125). This would be approximately 7 bits of entropy, because 2⁷ = 128. (Actually, this program always rounds the estimate down, so it would report this as 6 bits of entropy).

Q: How long would it take to guess my password?

A: How long it would take depends on how hard to guess your password is (its "entropy", the number of bits reported in the menu), and how fast an attacker can guess passwords.
If you are interested in a detailed analysis, there is a guide to how long a key you need for unbreakable security at www.keylength.com.