7.6.12

LinkedIn Password fiasco: What you need NOW to do to keep yourself safe online

So if you've been following the news, you will have heard that some LinkedIn passwords have been compromised (6.5 million passwords, to be exact). Hackers posted a file containing hashed passwords onto a Russian web forum and invited the hacking community to help crack them. The file containing the passwords is now widely available.

LinkedIn has said that the leaked passwords will no longer be valid. Members would receive an email with instructions on how to reset them, the company said. Users would then receive a second email with further details about why the change was necessary.

However, this does not mean you are safe. Not at all.

Two things:

  1. If you haven't done so already, change your LinkedIn password RIGHT NOW.
  2. Some websites, including CIO.com, are offering you the chance to see if your password has been compromised. DO NOT USE ANY OF THESE tools. I will explain why later (see the end of the experiment section). Don't bother to check, just go ahead and change that password anyway.

Last year, when the Sony PlayStation Network was hacked in similar circumstances, still unknown criminals obtained passwords and credit card information for all users on the service, including me. Now, the problem I had was that ALL my passwords were pretty much the same. So whoever had this data had my email address and the password to get in, if they knew what they were doing. To date, no one has reported a compromise based on this attack. But at the time, I decided to look into getting my online credentials across the internet in order. Anyone who is in a similar situation with this LinkedIn attack might want to do the same. I'll outline what you can do later, but first of all, what information do the hackers actually have?

Do they actually have your password? - An experiment.


What the hackers have is actually a hashed copy of your password, not the password itself. LinkedIn used SHA1 to hash its passwords. Most sites use either MD5, SHA1 or SHA-256. So what the hackers actually have is a 'hash' of your password, generated using the SHA1 algorithm.

This website reckons that it will take 1 × 10^66 years to crack a 6 character password hashed with SHA1. However, it works on the assumption that you are trying 700,000,000 different passwords per second, whereas this program can try 2,300,000,000 different passwords a second, and is free to download. At that rate it will take 3 × 10^65 years to crack: about a third of the time. What about a hacker with access to powerful computers and a more sophisticated program? You'll have to ask them.

But this is just a brute force attack. Why use this when the owner of the password may have already inadvertently done the work for you, or at least made it easier? Or what if the brute force attack is intelligent and tries out 'common' passwords first?

Worst case scenario, what if you're using a simple English password? Let's say your password is 'password' or 'letmein'. How easy are these to crack if you have the hash values?


password is converted to "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"
letmein is converted to "b7a875fc1ea228b9061041b7cec4bd3c52ab3ce3"

So let's do something simple. Google the hash values. 

For password, the first few results are linked to 'experiments' just like the one I'm doing. And it's clear, the password is 'password'.

And for the second one, the results also show the password is 'letmein'. For me, the second result linked to www.hackforums.com; I wonder what they do there.

There are also some reverse SHA1 databases online, so a hash can be checked against previously computed values.

Again, imagine you're a hacker, someone who does this for a living. What if they have even better ways to check even more advanced password hash values? 

The results of this experiment are clear. You need to change your password to A STRONG password, one which isn't an English word, preferably with a mix of upper and lower case, and possibly some numbers and/or special characters. That way, if hackers get hold of your password hash, they won't be able to crack it easily, and will just move on to other, simpler passwords. Let someone else be the SUCKER!

So why do I say you shouldn't check whether your password is in the hash list made available today using any of the tools/sites being publicised (including the one I used above)? Well, some of these sites keep a record of all hashes calculated. So by using them, you have given someone the hash of your password. One question: who owns the site? Do you trust them? What if, just what if, the site was owned by a hacker? Think about it.
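To make the experiment concrete, here is a small Python script added to this post (it is not part of the original write-up). It recomputes the two SHA1 digests quoted above, shows that an unsalted digest is matched by a single dictionary lookup against a table of known hashes, and contrasts that with per-user salting plus a slow key derivation function (PBKDF2), under which two users with the same password get different stored values. The lookup table, the non-dictionary example password and the iteration count are all constructed for the demonstration and are not LinkedIn's settings.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed lookup table: the two weak passwords discussed above and their
# SHA1 digests. A real "reverse SHA1" database holds millions of such entries.
KNOWN_SHA1: Dict[str, str] = {
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8": "password",
    "b7a875fc1ea228b9061041b7cec4bd3c52ab3ce3": "letmein",
}

PBKDF2_ITERATIONS = 100_000  # illustrative work factor, not any site's real setting


def sha1_unsalted(password: str) -> str:
    """The weak scheme the post describes: a bare SHA1 digest of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def lookup_unsalted(digest: str, table: Dict[str, str]) -> Optional[str]:
    """With no salt, the digest is a stable fingerprint of the password, so one
    dictionary lookup recovers any password already in the table.
    Returns None when the digest is not in the table."""
    return table.get(digest)


def pbkdf2_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Hardened storage: a fresh random salt per user and a deliberately slow
    derivation (PBKDF2-HMAC-SHA256). Returns (salt, key); both are stored."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, key


def pbkdf2_verify(password: str, salt: bytes, key: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    # "Tr0ub4dor&3!" is a constructed example that is not in the table.
    for pw in ("password", "letmein", "Tr0ub4dor&3!"):
        digest = sha1_unsalted(pw)
        print(f"{pw!r:16} sha1={digest} lookup={lookup_unsalted(digest, KNOWN_SHA1)!r}")
    # Two users with the same password get different stored values once salted.
    salt_a, key_a = pbkdf2_store("password")
    salt_b, key_b = pbkdf2_store("password")
    print("salted keys identical:", key_a == key_b)
    print("verify correct password:", pbkdf2_verify("password", salt_a, key_a))
    print("verify wrong password:", pbkdf2_verify("letmein", salt_a, key_a))
```

The first half is exactly why Googling a hash works: without a salt, every site that stores a bare SHA1 of 'password' stores the same 40 hex characters. The second half is what a site should do instead, and it is also why handing your hash to a third-party checker is a bad idea: the unsalted hash is as good as the password for anyone with a big enough table.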

So what next? What I did


So, as I mentioned, last year my password was out there. And it was a very simple English word. And I was using the same password (or a variant of it) across a plethora of websites.

The first thing was to use a secure password. The second was to use a different password across the entire internet. Not an easy task. How do you remember all these passwords? Some people have come up with all sorts of systems. I decided to use a password manager.

I switched to LastPass, a free password manager. Once you install LastPass, it will collect all the passwords currently saved in your browser, and you can check which passwords are not secure. You can replace these with secure passwords which LastPass can generate for you. And if you have LastPass installed on all the computers you use, it will sync your data across all of them. A copy is also kept online. All of this is encrypted, so even LastPass cannot access your data. And all you have to do is remember one master password.

And before you say it, I know LastPass was possibly hacked last year as well. And the hackers got hold of people's master passwords.

What I do is use LastPass with multifactor authentication. Google Authenticator (see below) works with LastPass and Gmail accounts. This means that if you log onto a PC for the first time and try to use LastPass, it will require you to enter a code you can only get on your phone. So the hacker needs your phone and your password in order to access your account. This extra layer of security is invaluable.

I'll explain how Google Authenticator works with Gmail, and then you can check how to use it on LastPass here.

Multifactor Authentication - Google does it best


Google has a little known feature called 2-step verification, which adds a layer of security to your Gmail login. The video above explains how it works.

If you are logging into a computer that hasn't been 'trusted', you will require a code which is sent to your phone using SMS, voice message or a mobile app (apps are available for iPhone/iPod touch, Android and BlackBerry). Once you 'trust' a computer, you won't need to enter another code for 30 days. And if you use an application such as Outlook or iPhone Mail, you can generate an application-specific password, which gives the application access to your account without asking you to keep verifying. (However, I found that the Google+ iPhone app didn't use this, and kept asking for verification. This was so annoying, I no longer use the app, or Google+ for that matter, but I digress....)

The key thing here is that even if a hacker gets hold of your password and your username, if they don't have your phone, they can't access your account. 

While this sounds like a lot of technical information, and sounds like it will be a nightmare to set up, it really isn't. All the information you need to set it up is here.

And like I said, once you have it up and running, LastPass can work with Google Authenticator.

In conclusion


There are bad guys out there, and if you're not careful, they will compromise your accounts. I've lost count of all the compromised Facebook accounts sending me all sorts of SPAM. Or email accounts, sending me all sorts of rubbish. You need to be proactive and protect yourself online. Prevention is better than cure.

And LastPass is not the only password manager out there. Another good one is 1Password.

13.1.12

Arithmetic of Fuel Subsidy by Wale Majaro

UPDATE : An updated version of this article appears at http://www.vanguardngr.com/2012/01/fuel-subsidy-removal-tips-for-efcc/

As I write this, Nigeria has been paralyzed by a labour strike for the whole of this week. On New Year's day, the government removed government subsidies on petrol, the price went from N65 to N141. Arguments rage about whether or not removing the subsidies is a good idea. A friend of mine has analysed the problem scientifically, please read his excellent piece below:

Arithmetic of Fuel Subsidy (by Wale Majaro)

The Nigerian government claims that Nigerians consume 34 million L of petrol per day. Most experts disagree and give a figure between 20 ML and 25 ML per day. For this write-up, I will use the government figure. The government has also said that N141/L is the unsubsidized pump price of petrol imported into Nigeria, with N131.7 the landing price and N9.3 as profit.

Now, the government has made claims of the refineries working between 30% and 60%, depending on whom you listen to. For the sake of argument, I will assume that our refineries don’t work at all (i.e. 0% Production). Thus, my calculation is based on 100% of petrol used in Nigeria being imported, the worst case scenario. If the refineries actually work at 60% as the government claims, they should be processing 270,000 bbl/day of crude. Each barrel of crude produces 75L of petrol. So, if the government is to be believed, the refineries produce 19.5 million L of petrol a day and we should therefore only import 14.5million L a day. My analysis will ignore this completely.

So here is the arithmetic, using the government’s own figures:

Daily fuel consumption/importation: 34million L
Cost at pump: N141
No of days in a year: 365
Total cost of all petrol imported into Nigeria = 34Mx141x365 = N1.75 trillion

Now, Nigerians have been paying N 65/L for fuel, haven’t we? Therefore, cost borne by the consumers = 34Mx65x365 = N807 billion

Cost of the subsidy borne by the government is:

Subsidy = Total cost of import – cost borne by consumers
= N1.75 trillion – N807 billion
= N943 billion


So, even if we believe the claim that we consume 34million L/day and we assume that the refineries don’t work, the government should still not have spent up to N 1 trillion on the subsidy in 2011. How did they manage to spend N1.3 trillion by October? Since N1.3 trillion was spent by October, then the bill for the full year 2011 (assuming a constant rate of consumption) is: N1.56 trillion!

What accounts for the difference between N943 billion and N1.56 trillion? This is a difference of N617 billion that the government cannot explain. Did I hear a government official claim that the difference is what goes to subsidize our neighbours through smuggling? Time for more arithmetic.

Using figures from Okonjo-Iweala’s World Bank, here are the populations of West African countries:

Nigeria: 158.4 million
Benin: 8.8 million
Togo: 6 million
Cameroun: 19.6 million
Niger: 15.5 million
Chad: 11.2 million
Ghana: 24.4 million
The total population of all our neighbours: 85.5 million


Now, let us assume that fully 50% of the petrol consumed in each of these countries is illegally exported from Nigeria. Let us also assume that each of these countries consumes petrol at the same rate the Nigerian government claims petrol is consumed in Nigeria. I have deliberately ignored the following facts, which show that petrol consumption in these countries will necessarily be considerably lower than consumption in Nigeria:

  1. Some of these countries have stable electricity (e.g. Ghana) and thus do not depend on petrol-driven generators for power.
  2. Ghana, Togo and Benin are much smaller than Nigeria, thus traveling distances will be smaller.
  3. Niger and Chad are mostly desert and cross-desert transportation of goods/people is mostly by diesel-consuming trucks, not petrol-consuming cars.
  4. Apart from Ghana, the car density in each of these countries is much, much lower than the car density in Nigeria. In Nigeria, there are 31 cars for every 1000 citizens. In Togo and Chad, you have less than 10 cars for 1000 people.
  5. Ghana has started to produce oil and will very likely rely less and less on refined products smuggled from Nigeria, once the Ghanaian local refining capacity is built up.

Rate of petrol consumption in Nigeria = Total consumed/total population
= 34ML/158.8M people
= 0.21L/person/day


Rate of petrol consumption in neighbouring countries is assumed to be same as Nigeria = 0.21L/person/day

Petrol consumption by our neighbours = Rate of consumption x total population
= 0.21x85.5M
= 18.35ML per day


Now, we have assumed that 50% of the petrol consumed in each of these countries comes from Nigeria. This value comes to 9.18 million L per day.

Let’s pause here. Think about it again. Is it possible for 9.18 million L of petrol to be smuggled out of our borders and the government cannot do anything about it? The biggest fuel tankers in Nigeria have a capacity of about 36,000L. How many of these trucks do you need to smuggle 9.18 ML of fuel? 254! Our government is telling us that over 250 huge tankers pass through our borders everyday and they cannot do anything about it! Wow! Talk about incompetence! This in itself is an urgent security challenge – if you cannot stop 250 tanker trailers from crossing the borders daily, how can you stop importation of weapons or even an invasion by a foreign army?

But that is not all.

Let’s believe the government and assume that about 9.18ML is actually taken to our neighbours everyday and this is all subsidized by the Nigerian government.

How much will this translate to?

Difference between pump price before and after subsidy removal = N141-N65 = N76
Total spent on subsidizing petrol to our neighbours annually = N76 x 9.18ML x 365
= N255 billion


I have assumed that:

  1. There are no working refineries in Nigeria.
  2. Nigeria actually consumes 34ML of petrol per day.
  3. Ghana, Togo, Benin, Cameroun, Niger, Chad all get 50% of their petrol illegally, from Nigeria.
  4. Ghana, Togo, Benin, Cameroun, Niger, Chad all consume petrol at the same rate as Nigeria.

Yet, the government’s figures still don’t add up! There is N362 billion missing. This is the difference between N943 billion and N1.56 trillion, assuming N255 billion is wasted through subsidizing the rest of West Africa. The government should tell us what/who eats up this N362 billion ($2.26 billion).

These figures simply show the incompetence and insincerity of our government officials. The simplest part of the arithmetic is laid down below:

  • NNPC crude oil allocation for local consumption: 400,000 barrels per day
  • Assuming refineries work at 30%, 280,000 barrels can be sold on the international market. (Remember that I assumed that refineries don’t work in calculating our consumption, to give an absolute worst case scenario).
  • Money accruing to FGN, through NNPC on the sale, using $80/bbl: $22.4m a day. Note that the true price is higher, as oil currently sells for $100/bbl and Nigerian crude sells at a premium to the benchmark Brent crude.
  • Annually, this translates to: $8.176bn or N1.3trillion.

What does this mean? The government does not subsidize our petrol imports, at least not from the Federation Account. The same crude that should have been refined by NNPC is simply sold on the international market (since our refineries barely work) and the money is used to buy petrol. The 400,000 barrels/day given to NNPC for local consumption can either be refined by NNPC or sold to pay for imports. The “subsidy” should be funded with this money, not the regular FGN budget. If the government uses its regular budget for subsidizing petrol, then what happens to the crude given to NNPC for local refining, but gets sold on the international market?

Conclusion

Now that the petrol pump price has been hiked by over 100% and resulted in 100-200% increases in the price of transportation, personal electricity generation and foodstuff, what do I advise the government to do?

  1. Revise the petrol price, not to N65, but to an amount which takes inflation into consideration. Cumulative inflation from 2008 to 2011 is about 27%. A new petrol price of N88 should be a reasonable sacrifice for Nigerians, while the government tries to build trust by sorting out the real issues of the midstream/downstream oil industry and cutting down the cost of governance.
  2. Partner with the International Oil Companies (IOCs) operating in the upstream oil sector to carry out the deregulation of the midstream/downstream oil sectors. Refineries are not very profitable compared to other areas in the oil industry; with profit margins ranging from 0-15% (this is why we don’t see companies queuing up to set up refineries). The government needs to give incentives to these companies to set up refineries in Nigeria, in the form of tax breaks, duty exemptions, crude price guarantees, etc. All agreements should be in place, with an enabling law, by September 2012.
  3. The government has already shown and admitted that it cannot manage refineries. All new Greenfield refineries should use the NLNG model, where government owns enough equity to influence strategy in favour of the Nigerian people, but is not involved in the routine management of the company. This is the best way to get the best out of these refineries while protecting the national interest. The new refineries should come on stream by end of 2014.
  4. Sell the existing refineries to the IOCs and stop spending taxpayers’ money trying to revamp them within the current structure. The IOCs have built and currently operate hundreds of refineries across the world, so refining is their bread and butter. ExxonMobil’s Torrance Refinery is over 80 years old, Total’s Port Arthur Refinery is about 100 years old – these companies know how to manage refineries.
  5. The sale of the refineries should be carried out by September 2012. I know the refineries have been very poorly managed, so we should not expect to make tons of cash from selling them. The main advantages of the existing refineries to a buyer are the existing Brownfield facilities (roads, utilities, power), an existing pipeline distribution system and a skilled workforce. The IOCs should be mandated to revamp these new refineries to 70% nameplate production by January 2014 and 95% by January 2015.
  6. Incorporate PPPRA into DPR by December 2012, with an appropriate legislation (I’m not sure whether this is already included in the PIB). Let us have one strong agency to monitor all activities, including product pricing in the downstream oil industry.
  7. Balkanize PPMC and sell it off to private investors, again with the government retaining a non-controlling stake in the new entities. This should be done by September 2012, in parallel with the sale of refineries.
  8. Increase the fuel price in Jan 2014, not by simply jacking up the prices, but by introducing a tax on imported products. The tax should be deducted at source when making “subsidy” payments to the importers. Jan 2014 is chosen because I expect the output from local refineries to improve to at least 70% within 1 year of operations by IOCs.
  9. Introduce a law that any company that will be licensed to import petroleum products from July 2013 must either be currently running a refinery in Nigeria or be in the process of building a refinery in Nigeria (i.e. project has passed FID stage and execution contracts are signed). The total products each individual company can import must not be more than 20% of the company’s total refining capacity (existing + in construction) in Nigeria. This is the only way to break the importation “cabal”.
  10. Immediately, start prosecuting all companies and individuals suspected of involvement in the royal mess that the fuel importation segment has become. Use the same vigour (or more) that was used in the 2009-2010 reform of the banking sector. Also, all companies and individuals suspected of involvement in the refinery TAM contract scams should be prosecuted.
  11. Immediately, tighten the borders to minimize smuggling of petroleum products to neighbouring countries and sack/prosecute the relevant officials if smuggling remains a major issue. Our petrol will always be cheaper than that of our neighbours, especially if/when local refining reaches/surpasses local consumption. As every economist knows, products will always be cheaper in the source location than other places.
  12. Set up petroleum product trading agreements for surplus products in Nigeria to be sold to neighbouring countries in a legal and transparent manner. All agreements should be in place by July 2013, well in advance of additional capacity coming on stream. These agreements will assure companies building refineries that there is an available regional market for them to legally sell products refined in Nigeria.

With all the above, “subsidy” will disappear by Dec 2014, but in a gradual process, ensuring no price shocks (such as the 100% increase of Jan 2012) re-occur and ensuring that the industry is actually sanitized. Of course, the government also needs to keep to its several promises of improving the power sector and revamping rail lines, two critical developments which will reduce our consumption of petroleum products significantly.

Data Sources:

  1. http://www.nigeriafirst.org/article_11527.shtml Para. 14
  2. http://www.nigerianoilgas.com/?p=518
  3. http://www.pppra-nigeria.org/index.asp
  4. http://www.thisdaylive.com/articles/subsidy-deductions-hit-n1-264tr-say-govs/101264/
  5. http://data.worldbank.org/indicator/SP.POP.TOTL
  6. http://siteresources.worldbank.org/INTPSIA/Resources/490023-1120841262639/Angola_PSIA_vol1_English.pdf
  7. http://www.livecharts.co.uk/MarketCharts/crude.php
  8. http://www.cenbank.org/rates/inflrates.asp?year=2011
  9. http://www.nlng.com/PageEngine.aspx?&id=43
  10. http://www.totalpetrochemicalsusa.com/pdf/F_FactsPortArthur.pdf
  11. http://www.exxonmobil.com/NA-English/PA/about_where_ref_torrance.aspx
  12. http://www.petroleumonline.com/content/overview.asp?mod=8
  13. http://www.marketwatch.com/story/european-refining-margins-negative-in-dec-total-2012-01-05
  14. http://205.254.135.7/tools/faqs/faq.cfm?id=24&t=6
  15. http://data.worldbank.org/indicator/IS.VEH.NVEH.P3
  16. http://cdn.dailypost.com.ng/wp-content/uploads/2012/01/Consolidated-Detailed-Findings.pdf

7.1.12

You'll Never Walk Alone

NO ENTRY TO ANFIELD

I remember the first time I went to Anfield. It was a pre-season friendly against Lazio, back in 2002.

One of the things that left an impression on me was this sign, all over the stadium:


"Are you telling me that Liverpool fans don't swear?" I said out loud. 
"We frown on that type of behaviour" said a nearby steward who overheard me, "Except of course, it's directed at Alex Ferguson !". 

I have to say, I never felt prouder to be a Liverpool fan. When I told my uncle, who at the time was a season ticket holder at Everton, he said it was impossible. "There is no way people don't swear at a football ground" he insisted. 
The next time I went was a Carling Cup match against Ipswich. Liverpool won on penalties. I was on a high after the game, and while walking back home, ran into some Ipswich fans. I started singing "Liverpool, Liverpool, Liverpool....." at them, somewhat aggressively, rubbing our victory in their faces. I was told off immediately, and told in no uncertain terms that my behaviour was not acceptable. BY LIVERPOOL FANS. I apologised immediately, and went on my way.

Anfield is a special place to watch football. When the crowd sings "You'll Never Walk Alone", you can literally feel the hairs on the back of your neck stand up. The Words of that anthem are powerful, and make you feel like you're part of something, not just a fan of a football club, but a member of a movement. Liverpool's proud history, prestige and the atmosphere at that special ground, that is why I am a fan of the second most successful club in England.


THIS MORNING

This morning's headlines broke my heart.

Liverpool investigate (racial) abuse aimed at Oldham's Tom Adeyemi

How did it all come to this? That fans of Liverpool got a player so upset, that he was in tears?

SUAREZ, OH, SUAREZ

It all started on the 15th of October, 2011. Liverpool vs. Manchester United, the biggest game at Anfield every season. Patrice Evra alleged that Luis Suarez racially abused him. In support of their team-mate, Liverpool players wore t-shirts with his image on them at their next match.


The FA took their time, investigated, and found Luis Suarez guilty. And it was a truly heavy punishment. A £40,000 fine, and an 8 game ban.

Liverpool hit back. Hard. They were not happy with the decision, and were hit with a 115 page report explaining what had gone into the decision to hand down such a heavy punishment. They released some very defiant statements, with no apology in sight. After the report though, they decided against an appeal.

MY OPINION

My opinion is insignificant, and unimportant. It doesn't really matter. But humour me, and hear me out.

First of all, I do not believe Luis Suarez is a racist. He's an accomplished troublemaker, and a mischievous person. But a racist? No.

There's a cultural aspect to the insult he gave Evra. Every Uruguayan has come out in support of their countryman, because in their country, the insult would not be considered racist. Among Suarez's team-mates these days is Maxi Pereira, who is known as "El Mono" - the monkey. It is a nickname which, apparently, is given and accepted with no offence meant or taken. It appears to be used in the same spirit that Alvaro Fernandez is called "El Flaco", which means skinny. Read this excellent piece by Tim Vickery, a British man living in Brazil.

So he's not a racist in my opinion (his grandfather is black by the way), but what he did was wrong. VERY WRONG. He should not have done it.

I have my issues with how the FA handled it, but to be fair to them it was a very delicate matter, and there's no way they could have everyone happy. But that is irrelevant.

Liverpool's reaction to this whole thing has been misguided. The t-shirts in my humble opinion were a massive blunder. Support your player, yes, but do it behind closed doors.

If I was the person calling the shots, I would have asked Suarez to apologise. Even before the judgment came through. Explain that he didn't think he was being racist, but that he apologises to Evra, and to all Liverpool and Manchester United fans, unreservedly. And when the punishment was handed down, accept it, and promise that it would never happen again. And end it there.

This week of all weeks, when 2 of the killers of Stephen Lawrence were finally brought to justice for that racist murder, it's sad to hear that football fans are racially abusing a player. Racism is a very ugly thing. We need to stamp it out in all forms.

Liverpool Football Club should have set a better example. What happened last night was not their fault, no. But they have lost the moral high ground. They should have handled the Suarez situation better.

And I just hope that somewhere in the board room, someone has realised this, and that lessons have been learned.