Saturday, April 28, 2012

Moving an Eircom Pole

Sometimes when you get planning permission in Ireland for an extension to a house there is a requirement to move a utility pole (typically an ESB or Eircom pole), either to make way for the new extension or as a condition of the planning permission.

Now the cost of moving the pole falls to the house owner. So how much does it cost? This seems to be shrouded in mystery, and all queries get the response "it depends".

In our case the planning permission conditions required the movement of two poles, one ESB, one Eircom. Double trouble. The Eircom pole had nothing to do with the extension; it is far away from the house, out on the road. Nevertheless its movement was part of the planning permission, for valid road safety reasons. In other words moving it anyway was a good idea, and this was the planners' opportunity to get it moved at our expense by making its movement a condition of the planning permission.

(BTW Cavan County council demand €8K up front for themselves, and also insisted on a completely unnecessary upgrade to our perfectly functioning septic tank. Overall it turns out we would need to stump up about €20K before we paid anything towards the extension itself).

Anyway, getting back to the Eircom pole. The total movement was 2 metres. We ourselves are not served from this particular pole.

I emailed Eircom and asked for a ballpark figure. They ignored that and told me that first I would have to pay up-front €340.50 for a survey. The cost of the survey would be deducted from the overall cost if we decided to go ahead. Some googling around indicated that the cost would be expensive, with prices fluctuating wildly. On the assumption that only an aggrieved minority post their experiences on the Internet, I guessed it would come in at around €2K.

So I paid my €340.50, and waited. A couple of months later this arrived.

So now you know. The attached invoice indicated that the Labour cost came to an astonishing €3162.50. Note the bit where it says that the final cost may increase (to God Knows What) and that we may have to pay more.

I guess if I wait long enough a passing truck will eventually demolish the damn pole. There have been a few near misses already.

Sunday, April 8, 2012

DIY University Rankings - Take 2

Time for an update on the Scott I-Index of Universities/Major ITs in Ireland, as originally described here

http://begrudger.blogspot.com/2012/01/diy-university-ranking.html

  1. UCD – 58 (+1)
  2. DCU – 56 (-1)
  3. TCD – 55 (+1)
  4. UCG – 52 (-1)
  5. UCC – 36 (+1)
  6. QUB – 34 (-1)
  7. Maynooth – 21
  8. Limerick – 19 (+2)
  9. DIT – 18 (-1)
  10. Ulster – 14 (-1)
  11. Waterford IT – 14

Change in position in brackets. Not much movement really. Getting a bit bunched at the top, but Euro for taxpayer Euro, DCU is still the best. Even with me gone!

Saturday, April 7, 2012

Of PINs and Passwords

When it comes to securing things that are important to us, sometimes we are asked to provide a Password and sometimes a PIN. The latter are clearly to be preferred, as they are only 4 digits long and easy to remember. Most of us re-use the one PIN for everything. I don’t know about you, but I have two different ones I use in different contexts.

Passwords are a curse. On the Internet we seem to need more and more of them, and not only that, there is now an insistence that a password should have a minimum length of 8 characters and that some of the characters should be capitals and some should be numerals. Again I have no idea what others do, but I have three passwords I recycle in various forms. If one of them was previously “mongoose”, I would now use “Mong00se” to get past the security fascists. But of course such passwords are much harder to remember.

A common solution is to download a free “Safe” onto your computer and store all of your passwords in that, with the Safe itself protected by a single hyper-secure password. For example, see


But of course this is literally putting all of your eggs in one basket. Another nice idea is OpenID. See http://openid.net/. Here one set of credentials (for example your Gmail or Facebook login) gets you into a multitude of sites.

But why does a PIN work in one context, while a password is required in another? It depends on the kind of problem you are trying to set for an attacker who is out to get you.

Now a PIN or a password has a certain amount of “entropy”, or unguessability. A PIN has exactly 4 decimal digits' worth of unguessability. In the worst case it would take an attacker 10,000 guesses to find your PIN. A password, on the other hand, would be expected to have at least 16 decimal digits' worth of unguessability, so it should take an attacker up to 10,000,000,000,000,000 guesses to crack it. These attacks are sometimes called brute force, or dictionary, attacks: the attacker simply works through a list of all possible PINs or all possible passwords. The counter-measure is to make the dictionary simply too big to be searched in this way. For a PIN it is, roughly speaking, sufficient that a dictionary attack should be hard for a human. For a password, a dictionary attack should be impossible even for a fast computer.

Which you need, PIN or password, depends on the context in which it is used, and on how much it costs to make a guess. In short, a PIN is used in a context where it is only exposed to “on-line” attacks, and a password is needed if it could be exposed to an “off-line” attack. A PIN can typically be used where an attacker is forced to go on-line to some entity outside of his/her control in order to test a guess. That entity can make it costly to make a guess, and can punish a wrong guess. The classic example would be if an attacker were to steal your ATM card. If they don’t know the PIN, the only way to test a guess is by trying the card in an ATM machine. And after a few wrong guesses the attacker will be rumbled, and no further guesses allowed. So in practice it would be difficult to even make 100 guesses, never mind 10,000.

But if you are storing data in the cloud, it needs to be encrypted. And encrypted data is only really safe if it is protected by a key created from a suitably “high entropy” password. An attacker who gains access to the encrypted data (which must be assumed to be possible, otherwise why is it encrypted?) can, at their leisure, program a computer to try a multitude of guesses for the key at computer speeds and leave that program running overnight. Now a computer can attempt one hell of a lot of guesses in 24 hours! Hence the need to hide our needle in a haystack of at least 10,000,000,000,000,000 needles.

The problem here is that computers are getting faster and faster, and can search bigger and bigger dictionaries. And search algorithms can be perfectly parallelized, so 100 computers can complete the search 100 times faster. Which explains the recent insistence on more and more elaborate, and hence less and less easily memorisable, passwords. And the elephant in the room is the fact that 10,000,000,000,000,000 is actually not nearly enough; it really should be 10,000,000,000,000,000,000,000,000, which is reckoned to be the bare minimum for reasonable levels of security against a sophisticated and powerful attacker with massive parallel computing resources at his/her disposal. And to make matters worse, the patterns that appear in memorisable text can be exploited to reduce this search space still further. So unless you are using a password like iUy78t^&aB1@ you really can’t be feeling 100% secure.
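To put numbers on the argument of the last few paragraphs, here is an added worked example in Python; it is not code from the original post. It computes the dictionary size and the bits of unguessability for a 4-digit PIN and for the post's two password thresholds (10^16 and 10^25), the worst-case off-line search time on one machine and on 100 machines (the rate of 10^9 guesses per second per machine is an assumed round figure), and models the on-line case as a verifier, standing in for the ATM, that locks after three wrong guesses (that limit is also an assumption).

```python
import math

# Added worked example; not code from the original post. The guess rate
# (1e9 guesses per second per machine) and the lockout limit (3 failures)
# are illustrative assumptions, not measured figures.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def guess_space(alphabet_size: int, length: int) -> int:
    """Size of the dictionary an attacker must search: alphabet ** length.

    A 4-digit PIN gives 10 ** 4 = 10,000 entries, the figure in the post.
    """
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """The same unguessability expressed in bits: log2 of the dictionary size."""
    return math.log2(space)


def offline_search_seconds(space: int, guesses_per_second: float,
                           machines: int = 1) -> float:
    """Worst-case time to exhaust the dictionary in an off-line attack.

    The search is perfectly parallel, so N machines divide the time by N.
    """
    return space / (guesses_per_second * machines)


def offline_search_years(space: int, guesses_per_second: float,
                         machines: int = 1) -> float:
    return offline_search_seconds(space, guesses_per_second, machines) / SECONDS_PER_YEAR


class OnlineVerifier:
    """The entity an attacker must go on-line to (the ATM in the post's example).

    It holds the secret, counts wrong guesses and, once the limit is hit,
    refuses every further guess, correct ones included. That lockout, not the
    size of the dictionary, is what makes a 10,000-entry PIN space acceptable.
    """

    def __init__(self, secret: str, max_failures: int = 3):
        self._secret = secret
        self._max_failures = max_failures
        self.failures = 0
        self.locked = False

    def check(self, guess: str) -> str:
        """Return 'ok', 'wrong' or 'locked'; lock after max_failures wrong guesses."""
        if self.locked:
            return "locked"
        if guess == self._secret:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self._max_failures:
            self.locked = True
        return "wrong"


def guesses_admitted(secret: str, max_failures: int, candidates) -> int:
    """How many candidates a verifier with this lockout will evaluate at all.

    Shows the post's point that an on-line guesser cannot get anywhere near
    100 guesses, let alone 10,000, once the verifier punishes wrong guesses.
    """
    verifier = OnlineVerifier(secret, max_failures)
    evaluated = 0
    for guess in candidates:
        result = verifier.check(guess)
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            break
    return evaluated


def compare_post_figures(guesses_per_second: float = 1e9, machines: int = 100) -> dict:
    """Bits and worst-case off-line search years for the dictionary sizes in the post."""
    out = {}
    for name, space in (("PIN", 10 ** 4),
                        ("password, 10^16", 10 ** 16),
                        ("password, 10^25", 10 ** 25)):
        out[name] = {
            "bits": round(entropy_bits(space), 1),
            "years_1_machine": offline_search_years(space, guesses_per_second),
            "years_N_machines": offline_search_years(space, guesses_per_second, machines),
        }
    return out


if __name__ == "__main__":
    for name, row in compare_post_figures().items():
        print(f"{name:>16}: {row['bits']:5.1f} bits, "
              f"{row['years_1_machine']:.3g} years on 1 machine, "
              f"{row['years_N_machines']:.3g} years on 100")
    print("on-line guesses admitted against a 4-digit PIN with lockout after 3:",
          guesses_admitted("1234", 3, (f"{i:04d}" for i in range(10_000))))
```

Under the assumed rate, 10^16 guesses fall to one machine in well under a year and to 100 machines in about a day, while 10^25 takes millions of years even with the 100 machines; the 10,000-entry PIN space would fall instantly off-line, and only the verifier's lockout keeps it safe on-line.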

Conclusion: Wherever possible a PIN is obviously preferred to a password. Systems should clearly be designed so that an attacker must always be forced to go on-line to test a guess.

On a serious note, I would suggest that the whole Internet/Cloud Computing project is at risk until and unless this problem can be solved!