Book Review – New York Trilogy

It was during a hellish holiday, I was sleep-deprived, and yet there I was in a book store and there’s a certain comfort that comes from having a new book to read. On a “recommended by staff” shelf I found an interesting looking title with terms like “international bestselling”, “dazzling”, “gripping” and “genius” on the cover. I cheerfully left the book store with the book in tow.

It was perhaps the most disappointing book I’ve ever read.

The New York Trilogy

Absurdist and boring

I am not a stranger to the mystery/detective genre, having read most Agatha Christie novels, all of Sherlock Holmes, and in terms of more modern fare, even some Peter Temple and Stieg Larsson. However, while Paul Auster tells three different stories in this collection with a detective protagonist, I admit that none are like any I’ve read before.

I was primed to enjoy them, and I did even for a few pages, but as the pages turned into chapters, I found myself finding more and more excuses to put it down, and then only with reluctance picking it up again. While I didn’t like any of the main characters, I was willing to stick it out, because it held the promise of being good. Perhaps it was only when I reached the end that I’d discover why it was meant to be a work of genius?

Perhaps it was too genius for me. Although, if you’re the sort of person that enjoys stories where different characters have the same name, the author’s name is used in the story, or characters are named in a theme, then this is probably your sort of genius. It was clear that it was meant to be clever, but for me it never translated into enjoyable.

Finally, I felt a bit like one of the characters from the book myself, wanting to destroy the pages so that no-one else would ever have to read them. I think I’ll just drop it into a charity bin instead. Someone else may want to use it to prop open a door, or something.

Rating by andrew: 1.5 stars

Password Strength Misguided

When I sign up to a new website, there’s typically a “password strength” indicator on the page where I submit a login name and password. Usually to get a strong password score, I need to have the password be at least six characters long, include both upper and lower case, and often a number or punctuation somewhere in there, too.

For passwords that I have used at work, this sort of scoring is used, and in addition, a strong password is considered to be one that hasn’t been used for too long (say, isn’t older than 3 months) and isn’t one that’s been in use before (say, within the last 3 years). This is all “hard-wired” into the password change system so that it is difficult to avoid.

However, it looks like mainstream IT media is now acknowledging that these concepts of password strength are misguided, and lead to passwords that either need to be written down somewhere (because they are too hard to remember) or are trivial manipulations of common words to make them comply with the policies (which make them easy for hackers to discover using computer software). Wired Magazine published an article on 13th January describing this problem and suggesting that finally research is being done to come up with passwords and policies that really are secure.

While normally “easy to use” and “secure” are attributes that necessarily lie at opposite ends of the design spectrum, when it comes to passwords, they aren’t too far apart. An easy password is a memorable password, and a memorable password is more secure because it doesn’t need to be written down (or even kept inside a password manager, such as LastPass or KeePass).

There’s a great comic from xkcd that covers that point. It suggests that simply using four common words strung together is both more memorable for people and harder for computer software to crack than typical complex passwords. The analysis used is to consider how many possible combinations exist that computer software would have to try before striking upon the correct password – entropy (measured in units of bits) is higher when more possible combinations exist.

Using this approach, 26 different possibilities (one for each letter) has 4.7 bits of entropy, and 70 different possibilities (lowercase letters, uppercase letters, numerical digits plus four common punctuation symbols) has 6.1 bits of entropy. A password made up of six characters with each of 70 possibilities has six times 6.1 bits of entropy, for a total of ~37 bits.

However, 5,000 different possibilities (one for each of the 5,000 most common words in English) has 12.3 bits of entropy. A password made up of four such words (even if all in lower-case, without any punctuation) has ~49 bits of entropy, which takes over 5,000 times as long for computer software to crack. In fact, just using three such words gets you ~37 bits, for equivalent security.

One problem with this approach is that many password systems have a maximum length, say of 12 characters. It’s not clear that imposing such a short limit increases security, but regardless, many systems do this. Four words strung together are likely to exceed 12 characters, making these passwords impractical on such a system. I wondered if there was some way to retain the spirit of this approach but fit within 12 characters.

I downloaded a list that claimed to be the 5,000 most common words from www.freevocabulary.com (it turned out to have 5,010 unique words) and did some tests on it. If you use the first three letters from words on this list, there are 1,103 different possibilities, which has an entropy of 10.1 bits. Putting four of these three-letter prefixes together would give you an entropy of ~40 bits, which isn’t too bad.

So, while I’m no password security expert, it does appear that you could use a “random four words” approach for most sites, and fall back to just the three-letter prefixes of those words when a site has a maximum password length that’s too short for the normal password. In any case, this suggests that there is fertile ground for research into passwords that are both memorable and secure.
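The entropy arithmetic and the three-letter-prefix fallback described above, as an added Python example (not code from the original post). The word list is a small constructed stand-in for the 5,000-word list, and the function names are illustrative.

```python
import math
import secrets

# Constructed sample list; the post used a ~5,000-word list instead.
WORDS = ["correct", "horse", "battery", "staple", "corner", "hornet",
         "basket", "stamp", "window", "garden", "winter", "garlic"]


def entropy_bits(pool_size, picks=1):
    """Bits of entropy for `picks` independent, uniform choices from a pool."""
    return picks * math.log2(pool_size)


def unique_prefixes(words, length=3):
    """Collapse words to their distinct leading `length` letters."""
    return sorted({w[:length].lower() for w in words if len(w) >= length})


def generate(words, picks=4, max_len=None, prefix_len=3):
    """Return (password, bits).

    Whole words are used unless the longest possible result would exceed
    max_len; then the pool falls back to the unique prefixes, which is a
    smaller pool and therefore fewer bits per pick.
    """
    pool = sorted({w.lower() for w in words})
    if max_len is not None and picks * max(map(len, pool)) > max_len:
        if picks * prefix_len > max_len:
            raise ValueError("max_len too short even for prefixes")
        pool = unique_prefixes(pool, prefix_len)
    # secrets uses the OS CSPRNG. The entropy figure only holds for
    # uniform random picks, not for words a person chooses.
    password = "".join(secrets.choice(pool) for _ in range(picks))
    return password, entropy_bits(len(pool), picks)


if __name__ == "__main__":
    print(f"6 chars from 70 symbols: {entropy_bits(70, 6):.1f} bits")
    print(f"4 words from 5,000:      {entropy_bits(5000, 4):.1f} bits")
    print(f"4 prefixes from 1,103:   {entropy_bits(1103, 4):.1f} bits")
    print(generate(WORDS))              # whole words
    print(generate(WORDS, max_len=12))  # prefix fallback
```

On the constructed list, 12 words collapse to 7 distinct prefixes, the same kind of shrinkage as the post's 5,010 words collapsing to 1,103.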

However, I know that even while such passwords are more secure than the typical complex password, unfortunately they still won’t be accepted when I try to register them at new websites. They’ll fail on the password strength indicators! Sadly, this is a case where both ease of use and security are being let down.

Bulgogi Recipe

I post all the recipes for the dishes that I make for Recipe Club over on its own blog. However, where there’s a recipe I expect to make again, I’ll also post it here to ensure I can easily find it down the track. In this case, we made a Korean-style beef bulgogi again the very next night after I made it for Recipe Club; I liked it that much! It’s largely based on the recipe by Ben O’Donoghue in his book Ben’s Barbecue.

It serves enough portions to feed 6 as an entree, or 3 as mains.

Ingredients

  • 500g rump steak
  • 3 tablespoons (60mL) brown sugar
  • 125mL light soy sauce
  • 4 cloves of garlic
  • salt
  • 100mL mirin
  • 2 tablespoons (40mL) sesame oil
  • 1 bunch spring onions
  • sunflower or vegetable oil
  • 1 medium carrot
  • leaves of 1/2 iceberg lettuce
  • mint leaves
  • ~200g kimchi
  • other Korean sauces that take your fancy

Method

  1. Trim the beef of fat and slice thinly. Chop the garlic cloves finely. Slice the spring onions finely.
  2. Combine the sugar, soy sauce, garlic, salt, mirin, sesame oil, and spring onions to make the marinade, and mix the beef slices through.
  3. Leave in the fridge for at least 2 hours or overnight.
  4. When it comes to cooking the beef, bring the beef mix to room temperature, then heat a BBQ hotplate to medium-hot.
  5. Chop the carrot finely while waiting.
  6. Oil the hotplate, and begin frying the meat. Once they’ve begun warming, then add the carrots, and fry everything together. It takes only a few minutes to cook so it’s tender.
  7. Transfer bulgogi to serving dish and place on table together with lettuce leaves, kimchi, mint leaves, and any other tasty Korean sauces that take your fancy. Before eating, place everything on a lettuce leaf and wrap into a delicious parcel.

Alternatives

  • Instead of serving on lettuce, it would also work served on rice.
  • Sesame seeds can be sprinkled over the top of the beef before serving, or toasted and included in the marinade. However, with the sesame oil it already has a nice sesame taste.
  • According to Ben’s original recipe, instead of rump steak, sirloin can be used, instead of brown sugar, palm sugar can be used, and instead of mirin, rice wine can be used.