
2017/09/25

siemens.com/vpe1400
Many legacy alarm and notification services exist in conventional centralized monitoring systems, but a quick response to critical issues is often not possible because the alarms and events are processed manually. In most cases a network problem generates local logs or raises error messages to the network management system, where backend processing or manual analysis is performed on the collected data. Failing to detect problems at an early stage, or to respond quickly to critical issues, can cause a network outage or long delays in recovery. This article proposes a solution, Smart Edge monitoring, that can be used to build rapid-response logic and improve network reliability.
Edge Computing
Edge monitoring is related to the more generic concept of Edge Computing but focuses on measuring and monitoring network quality. Edge Computing is a relatively new concept that emerged from Cloud Computing; it consists of shifting computing applications, data and services away from centralized nodes towards the edge of the network. Shifting computing resources near the edge has several advantages, especially for applications that suffer from the poor scalability of the centralized paradigm. Among the advantages of Edge Computing are:
1) reduced network latency and faster response times;
2) better use of resources, a lower cost of scaling, and faster data delivery;
3) less dependency on the corporate data center as a single point of failure in the infrastructure, hence improved service availability [1].
Enhanced Network Reliability with Edge Monitoring on Industrial Routers
Network monitoring applications typically consist of remote data collection from many nodes across geographically distributed locations, followed by backend analytic programs run on the collected data. This type of application can also benefit from Edge Computing, especially from its faster response time and better scalability. The following sections explore Edge monitoring in more detail and look into some of the implementation challenges.
Smart Edge Monitoring
Applying Edge Computing usually requires some application redesign. Whether it is a monitoring application or a manufacturing automation application, we have to decide what part of the application logic can be pushed to the edge of the network and what part remains at the central location. This can be a hard decision for applications that require heavy analytic capacity: for example, we need to find out how much of the analytic computation can be pushed to the edge, considering the hardware resources available on the edge devices.
For monitoring applications, redesigning the application is a somewhat easier task. Considering the huge amount of data that could be collected from many devices in the network, moving part of the application closer to the source of information simply makes sense. On the other hand, there is demand for allowing custom logic and third-party applications on edge devices. This comes from the fact that in every network the end user has the best knowledge of the system, its pitfalls and its maintenance procedures, so they may want to participate in network monitoring and recovery action plans. This brings some design challenges that we look at later in this article.
Network Performance Metrics
• Bandwidth is the maximum rate at which information can be transferred, measured in bits/second.
• Throughput is the actual rate at which information is transferred.
• Latency is the amount of time (usually measured in milliseconds) it takes for data to travel from one location to another across a network. It is also referred to as delay, because the software is often waiting to execute some function while data travels back and forth across the network.
• Jitter is the variation in the delay of received packets. The sending side transmits packets in a continuous stream and spaces them evenly apart, but due to network congestion, improper queuing or configuration errors the delay between packets can vary instead of remaining constant.
• Error Rate is the number of corrupted packets expressed as a percentage or fraction of the total sent.
Network Monitoring
Network monitoring is the process of measuring and analyzing the values of these performance metrics. Network performance metrics (NPMs) are measured by various network monitoring technologies; the common measuring and monitoring techniques are active, passive and SNMP-based monitoring.
Active monitoring obtains the current status of the network by setting up a test machine at the point one wishes to measure and then sending traffic from one machine to another. NPMs can be measured simply with tools such as "ping" and "traceroute". In this method the test traffic itself may impose a burden on the network.
Passive monitoring obtains the current status of the network by capturing live traffic on the network. Passive monitoring can observe the network without adding any traffic burden.
In the SNMP-based method, the SNMP agent running on the device collects various measurements and makes them available to the Network Management System (NMS).
White paper | Enhanced Network Reliability with Edge Monitoring on Industrial Routers | 20 April 2017
There are various standard RFCs for remote network monitoring, such as the Remote Network Monitoring (RMON) MIB [4]. The SNMP-based solution is easy to use and scales well with the number of nodes in the network.
Industrial routers play a key role in mission-critical systems. Whether the domain is power system management, transportation or industrial automation, the network must be stable and reliable to run critical applications. Outages and downtime are not an option; this is a key requirement of mission-critical connected systems.
As discussed for conventional monitoring, network operators use different techniques to collect the data, but this is usually done in reaction to a system error, after the fact. Having access to various data on the edge device enables Smart Edge Monitoring to provide a proactive solution that can prevent, help troubleshoot and even predict difficult network failures. The table below summarizes the pros and cons of each method. The goal of Smart Edge Monitoring is to shift part of the analytic logic closer to the source of information, where it has access to system data.
This type of monitoring can be done in different modes:
Analytic mode: the goal is to collect and analyze as much related data as possible in response to an error condition, to help a later investigation; for example CPU usage, operating temperature, error keywords in logs, background traffic, etc.
Fault Isolation mode: in addition to the above, the application makes a best effort to isolate the critical failure before it can destabilize the entire network, for example by disabling suspected ports, protocols or software features.
Fault Prediction mode: in addition to the above, the application tries to predict a failure and provide proper warnings and alarms about ongoing problems, by finding patterns (time-related, traffic-type or hardware-related) in fault conditions.
For example, in analytic mode CPU usage could be the subject of smart monitoring: the monitoring application tries to find the underlying issue by analyzing the system logs and correlating them with the current operation and with the tasks that occupy the CPU the most. This gives the network operator a chance to find the root cause before the system becomes unavailable.
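As an added illustration of the analytic mode just described (example code written for this edit, not Siemens software and not part of the original white paper): a small Python routine that, once CPU usage stays above a threshold for two consecutive samples, builds an investigation snapshot with the top CPU consumers and the error-like log lines from the preceding minute, flagging the lines that come from those same tasks. The CPU samples, per-task breakdown, log format and keyword list are constructed for the example; on a real device they would come from the monitoring agent. Python is used here as one possible scripting language, although the paper lists Perl and C/C++/Java.

```python
"""Analytic-mode snapshot for a CPU-usage alarm (added example, not Siemens code).

All sample data below is constructed for the example: a few CPU samples, a
per-task CPU breakdown, and a handful of syslog-style lines in an assumed format.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed samples (timestamp, total CPU percent), 10 s apart.
CPU_SAMPLES = [
    (datetime(2017, 4, 20, 10, 0, 0), 31.0),
    (datetime(2017, 4, 20, 10, 0, 10), 42.0),
    (datetime(2017, 4, 20, 10, 0, 20), 88.0),
    (datetime(2017, 4, 20, 10, 0, 30), 97.0),
    (datetime(2017, 4, 20, 10, 0, 40), 96.0),
]

# Constructed per-task CPU breakdown at the time of the last sample.
TASK_CPU = {"ospfd": 61.0, "snmpd": 19.0, "syslogd": 6.0, "sshd": 2.0}

# Constructed log lines; the "<timestamp> <process>: <message>" layout is an assumption.
LOG_LINES = [
    "2017-04-20T10:00:05 ospfd: neighbor 10.0.0.2 state Full",
    "2017-04-20T10:00:18 ospfd: ERROR LSA flood limit exceeded",
    "2017-04-20T10:00:25 ospfd: neighbor 10.0.0.2 state Down",
    "2017-04-20T10:00:33 kernel: TIMEOUT waiting for eth1 link",
    "2017-04-20T09:50:00 snmpd: ERROR community mismatch",
]

CPU_THRESHOLD = 90.0
ERROR_KEYWORDS = ("ERROR", "TIMEOUT", "FAIL", "Down")
LOOKBACK = timedelta(seconds=60)
LOG_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (\w+): (.*)$")


@dataclass
class Snapshot:
    at: datetime
    cpu_percent: float
    top_tasks: list = field(default_factory=list)      # [(task, percent), ...]
    related_logs: list = field(default_factory=list)   # [(ts, process, msg, from_top_task)]


def sustained_high_cpu(samples, threshold, consecutive=2):
    """Return (ts, pct) of the sample at which `consecutive` samples in a row
    exceeded `threshold`, or None. A single spike is not an alarm."""
    run = 0
    for ts, pct in samples:
        run = run + 1 if pct >= threshold else 0
        if run >= consecutive:
            return ts, pct
    return None


def parse_log(line):
    m = LOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"), m.group(2), m.group(3)


def build_snapshot(samples, task_cpu, log_lines, threshold=CPU_THRESHOLD):
    """Collect what an operator wants first: top consumers and error-like log
    lines from the lookback window, marking lines emitted by those consumers."""
    hit = sustained_high_cpu(samples, threshold)
    if hit is None:
        return None
    at, pct = hit
    snap = Snapshot(at=at, cpu_percent=pct)
    snap.top_tasks = sorted(task_cpu.items(), key=lambda kv: kv[1], reverse=True)[:3]
    top_names = {name for name, _ in snap.top_tasks}
    for line in log_lines:
        parsed = parse_log(line)
        if parsed is None:
            continue
        ts, proc, msg = parsed
        if not (at - LOOKBACK <= ts <= at):
            continue                      # outside the window around the alarm
        if any(k in msg for k in ERROR_KEYWORDS):
            snap.related_logs.append((ts, proc, msg, proc in top_names))
    return snap


if __name__ == "__main__":
    print(build_snapshot(CPU_SAMPLES, TASK_CPU, LOG_LINES))
```

The two-sample condition is deliberate: a single spike is normal on a router, and a snapshot taken on every spike would flood the backend the edge logic is meant to relieve. The correlation is crude (process name against the top-consumer list), but it already separates the ospfd lines, which belong to the task burning the CPU, from the unrelated kernel timeout.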
Monitoring Method | Mechanism | Pros/Cons
Active Monitoring | Generate test traffic periodically or on demand and measure the performance. Backend analytic process. | Not scalable
Passive Monitoring | Capture the current traffic and analyze the performance. Backend analytic process. | Not scalable
SNMP-based Monitoring | Use the existing SNMP agent to collect measurements and analyze the performance. Backend analytic process. | Scalable, but limited to specific measurements
Smart Edge Monitoring (proactive monitoring) | Shift some of the monitoring application onto the edge device; collect and analyze performance and failures on the device. | Scalable, more efficient, can prevent or predict faults
In another example, a protocol state change can be the subject of smart monitoring: the monitoring application tries to find and isolate the issue behind a topology state change or flapping condition. This can be done by receiving the state-change notification from the core application and checking whether the rate of changes passes a threshold. In that case the monitoring application can isolate the problem by disabling the port, which prevents the faulty unit from destabilizing the entire network. Because this action takes a link out of service automatically, the threshold and a hold-down period have to be chosen so that a short burst of legitimate state changes does not disable a healthy link, and the disable command itself must pass the authorization check described in the next section.
Integrating Edge Monitoring into Industrial Routers
Using Smart Edge Monitoring, operators can capitalize on remote monitoring applications that perform ongoing analysis of system data. With this, system performance trends are revealed, and system failure can be predicted and prevented in advance of any alarm. However, there are some challenges to integrating such functionality, especially in a solution where end users can also develop and deploy monitoring applications based on their own needs and requirements. This requires an ecosystem of development tools, mass deployment and configuration, with end-to-end security. In this section we only look into the technology stack needed for this integration on the target device.
The basic requirement for deploying a custom application on any edge device is to make sure that it has no negative impact on the device's core functionality, by providing proper resource isolation for CPU, disk storage and memory. There are well-known technologies for this in Linux-based systems, such as Virtual Machine (VM) or Linux Container (LXC) [5] solutions.
One of the obstacles for any custom or third-party monitoring application is access to system data. The need to share system data with third-party applications is often not considered in typical products, so some application redesign is required to provide proper access to system data and real-time events.
The picture above shows a proposed integration solution with a VM as the base platform, where the custom application is deployed in its own container. The VM provides the maximum resource isolation and the container provides application packaging. An internal data bus provides access to system data via an Embedded Monitoring Agent residing in the core software. A publish/subscribe protocol such as the Data Distribution Service (DDS) [6] or a similar protocol is a good option for emulating a data bus over which the target application communicates with the Monitoring Agent. DDS provides automatic discovery of publisher and subscriber nodes without any configuration; on a device that hosts third-party code, that discovery should be confined to the internal bus between the VM and the core software.

The Embedded Monitoring Agent is part of the core software running on the host Linux. It provides access to real-time system data by publishing events such as the examples listed in the first table. A registered application can subscribe to these event groups and receive the events in real time.
The applications can be developed in any Linux scripting language such as Perl, or in a compiled language such as C/C++ or Java. The applications register with the Embedded Monitoring Agent to receive system events, and they can request that a command be executed in response to a system event; the second table gives some command examples. All commands issued by the applications must be authorized before they are executed.
The applications can communicate with a central management application via any point-to-point protocol such as HTTP or MQTT [7].
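The fault-isolation example (a flapping port disabled once it passes a threshold) and the command-authorization requirement above, worked through in one added example. This is illustrative code written for this edit, not the RUGGEDCOM or VPE software: the DDS bus is replaced by a trivial in-process publish/subscribe class, the topic name "port/state", the command name "disable_port" and the per-application allow-list are assumptions, and the port events are a constructed replay (six transitions on eth1 in three seconds beside a stable eth2).

```python
"""Fault isolation with an authorized command path (added example, not Siemens code).

The internal data bus is an in-process publish/subscribe class standing in for
DDS; topic and command names and the allow-list policy format are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    topic: str
    port: str
    state: str
    ts: float  # seconds


class Bus:
    """Minimal publish/subscribe bus; no discovery and no network."""
    def __init__(self):
        self._subs = defaultdict(list)

    def subscribe(self, topic, handler):
        self._subs[topic].append(handler)

    def publish(self, event):
        for handler in list(self._subs[event.topic]):
            handler(event)


class MonitoringAgent:
    """Core-software side: owns port state and the command allow-list."""
    def __init__(self, bus, policy):
        self.bus = bus
        self.policy = policy      # app_id -> set of command names that app may issue
        self.port_state = {}
        self.audit = []           # (app_id, command, port, allowed) for every request

    def port_changed(self, port, state, ts):
        # A port that was administratively disabled no longer reports link flaps.
        if self.port_state.get(port) == "admin-down":
            return
        self.port_state[port] = state
        self.bus.publish(Event("port/state", port, state, ts))

    def request_command(self, app_id, command, port, ts):
        """The agent, not the application, decides whether a command runs."""
        allowed = command in self.policy.get(app_id, set())
        self.audit.append((app_id, command, port, allowed))
        if not allowed:
            return False
        if command == "disable_port":
            self.port_state[port] = "admin-down"
            self.bus.publish(Event("port/state", port, "admin-down", ts))
        return True


class FlapIsolator:
    """Third-party application: disable a port whose state flaps past a threshold."""
    def __init__(self, bus, agent, app_id, threshold=5, window=10.0, holddown=60.0):
        self.agent, self.app_id = agent, app_id
        self.threshold, self.window, self.holddown = threshold, window, holddown
        self.history = defaultdict(deque)   # port -> timestamps of recent transitions
        self.isolated_until = {}            # port -> time before which we will not act again
        bus.subscribe("port/state", self.on_event)

    def on_event(self, ev):
        if ev.state == "admin-down":
            return                          # the agent acting on our request, not a flap
        q = self.history[ev.port]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window:
            q.popleft()                     # keep only transitions inside the window
        if len(q) >= self.threshold and self.isolated_until.get(ev.port, 0.0) <= ev.ts:
            self.isolated_until[ev.port] = ev.ts + self.holddown
            self.agent.request_command(self.app_id, "disable_port", ev.port, ev.ts)


def run_scenario(app_id="flap-isolator", policy=None):
    """Replay a constructed flap (six eth1 transitions in 3 s) beside a stable eth2."""
    if policy is None:
        policy = {"flap-isolator": {"disable_port"}}   # the authorization allow-list
    bus = Bus()
    agent = MonitoringAgent(bus, policy)
    FlapIsolator(bus, agent, app_id)
    agent.port_changed("eth2", "up", 0.0)
    for i in range(6):
        agent.port_changed("eth1", "down" if i % 2 == 0 else "up", 0.5 * i)
    return agent


if __name__ == "__main__":
    a = run_scenario()
    print(a.port_state, a.audit)
```

Two properties matter once a monitor is allowed to act. First, authorization and the audit record live in the agent: an application only requests, and every request is logged whether it was granted or not, so running run_scenario(app_id="rogue-app") shows an application missing from the policy being refused and eth1 left in its last physical state. Second, the hold-down stops a single burst of transitions from generating a stream of disable requests; with the threshold and window it is the knob that keeps a short, legitimate burst from taking a healthy link down.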

The RUGGEDCOM RX1400 is an ideal platform for Smart Edge Monitoring. A virtualization solution, known as the Virtual Processing Engine (VPE) feature, is already supported on this platform and provides an environment for hosting third-party applications. Figure 2 illustrates a sample monitoring application developed on a RUGGEDCOM RX1400 device to collect and analyze CPU, memory and application information using the design described above. The information is displayed on a web page running on the VPE.
Conclusion
Industrial routers are deployed in mission-critical applications where network outages are not an option and every attempt must be made to prevent or isolate network problems. In this article we discussed Smart Edge Monitoring as a proactive solution that can facilitate troubleshooting of complex issues or prevent and even predict network failures. We also looked at some of the challenges of integrating this functionality on industrial routers.
The information provided in this document contains merely general descriptions or
characteristics of performance which in case of actual use do not always apply as
described or which may change as a result of further development of the products.
An obligation to provide the respective characteristics shall only exist if expressly
agreed in the terms of contract.
In order to protect plants, systems, machines and networks against cyber threats, it
is necessary to implement – and continuously maintain – a holistic, state-of-the-art
industrial security concept. Siemens’ products and solutions only form one element
of such a concept. For more information about industrial security, please visit
www.siemens.com/industrialsecurity
siemens.com/ruggedcom
Siemens AG
Process Industries and Drives
Process Automation
Postfach 48 48
90026 Nürnberg
Germany
Siemens Canada Limited
300 Applewood Crescent
Concord, Ontario, L4K 5C7
Canada
© Siemens AG 2017
Subject to change without prior notice
Produced in Canada
References
[1] H. H. Pang and K.-L. Tan, "Authenticating Query Results in Edge Computing," Proceedings of the 20th International Conference on Data Engineering (ICDE), 2004.
[2] Network Performance Metrics.
[3] IETF RFC 6703, https://tools.ietf.org/html/rfc6703
[4] Remote Network Monitoring (RMON) MIB, IETF RFC 3273.
[5] Linux Containers, Linuxcontainer.org
[6] Data Distribution Service (DDS), Object Management Group (OMG).
[7] MQ Telemetry Transport (MQTT), http://mqtt.org/
Figure 2: Sample Edge Monitoring application running on RUGGEDCOM RX1400 + VPE1400.

2017/09/13

FOCUS


Funding Opportunities for Fintech

We cannot accuse the Horizon 2020 Framework Programmes of being driven by short-term trends, hypes and fads. The development cycle for the Work Programmes is far too long to be influenced by mainstream media or popular opinion. The 3-year time frame of the upcoming Work Programmes, the time between the deadline and the actual start of the projects, and the duration of the projects themselves prohibits aimless activism and requires strategic foresight.

Many technologies in the financial technology (Fintech) sector are well advanced in the hype cycle and are already mature enough to be applied in different domains. Horizon 2020 has always been open to projects that use big data and cloud computing technologies to support the financial industry, to proposals that promise to implement innovative financial instruments to finance the use of energy-efficient technologies, and to teams of researchers that are developing efficient and secure means of communication.

Even though digital ledgers, smart contracts and other Fintech technologies are mentioned only sparsely in the drafts of the upcoming Work Programmes, there will be many opportunities to create impact using these technologies in different areas. The challenges are to find appropriate topics, form capable teams and write convincing proposals that outline the impact to be created. The upcoming ICT Work Programme will most likely call for proposals on regulatory issues in the Fintech industry and ask for the application of blockchain, digital ledger and artificial intelligence technologies.

This is reason enough for the Fintech community to have a closer look at the Work Programmes to be published by the end of October 2017 and to ask the National Contact Points at Euresearch for help in identifying funding opportunities.

Stefan Fischer, National Contact Point ICT & Energy
 

2016/05/16

The Storyteller became officially recognized by his peers

I spent the last two years telling stories to very important groups of professionals, colleagues and governmental officials that in order to compete and win in the new and circular economy you must personalize your client and customer experience the Mercedes Way. To provide products and services to a buyers' market it is not enough to offer technical performance, quality, reliability and guarantee. You must add a part of yourself, something personal, to bind the customer to your product and/or service.
I started experimenting consciously with this additional value after my business partner from Sweden, Mads Larsen, sent me a letter of reference. He had noticed that my business attitude (I was CEO and Business Developer at PEP Modular Computers in Germany) was very PERSONAL, as he perceived it. A staunchly Scandinavian professional entrepreneur himself, he was surprised that I did drop my children's accomplishments with business partners in China, India, Korea etc. Like Obama, I often travelled with my family on business trips, linking business and pleasure, meeting new partners in their familiar surroundings, often with spouses. In one instance we trained the son of the ambassador of a friendly country in our company, and his second term he spent with Siemens, also in Germany. My companies were also sensitised to cultural differences: I had my engineers training my customers in Germany, and handing over their business cards with two hands, as practiced in many Asian countries.
These little signs on our part made the customer feel more at home than elsewhere. Our extra attention and personal empathy made meetings and discussions go more smoothly, we could conclude contracts faster than the competition, and in the end we won more business.
After I founded Unisena Industrial Systems GmbH in Augsburg and IMU GmbH in Zug, Switzerland, I instilled the Storyteller methods there, and I also started to advise my business partners on the subject, in Central Europe initially and later worldwide.
Three years back my Board of Directors awarded me a new title, Chief Storyteller Officer, and a new business card of which I am very proud.

2014/06/04

10 secrets about how employers really screen you

Peter Harris

We recently hired a new team member here at Workopolis, and she is awesome. However, we almost lost out on her because of a red flag that came up when we were screening her. The professional references that she gave us all spoke very highly of her.
However, checking your professional references is only the very beginning of the investigating that employers do into a candidate's background, reputation and conduct.
Here are just some of the ways that employers are secretly screening you:
1. They'll talk to anyone they might know at your former workplaces. This is the one that nearly tripped up our new hire. Someone in HR had a friend who worked at one of the companies on her resume. So of course she asked what the former coworker thought of her, and the response wasn't great. (We hired her anyway, because that job had been several years ago, and we actually knew other people who had worked with her since who didn't corroborate the negative review. But it could have been a deal breaker.)
   This is why it is important to be professional at all times on the job, make clean exits when changing jobs, and manage your working relationships carefully. You never know who is connected to a place you may want to work in the future.
2. They Google you. Employers will be looking you up online. So if you have a website or a blog, make sure that you're not publishing any images or information that you wouldn't want potential new bosses to see. Similarly, you might want to tone down any aggressive or foul-mouthed commenting or posting you'd otherwise be tempted to do on other websites.
3. They will check your social media profiles. More and more people are on Twitter, Facebook or LinkedIn (or all three) as well as many other social networking sites. Got a YouTube channel? Your interviewer will be watching your recent videos. They're going to check out your updates and tweets. Make sure that the content you post and share doesn't cast you in an unfavourable light.
4. Your phone manners and voicemail. Did you speak on the phone with the employer? Did you sound friendly and upbeat? How did you answer the phone? The small details matter when someone is getting to know you for the first time. And be sure to have a professional-sounding voicemail message if you're applying for jobs.
   I once called a potential hire, and his recorded voice (in an imitation of Yoda) said, "Not home am I. Patient you must be. Call you back I will." I didn't leave a message.
   Also, I think everyone knows this by now, but have a professional-looking email address for your resume. PimpDaddy69@email.com is going to be judged by his address.
5. They'll talk to the receptionist. Were you polite and friendly when you came into the office for your job interview? How was your demeanour while waiting? Everyone you interact with at the company (and not just the interviewer) is part of the screening process.
6. They'll judge you by what you're wearing. We had a candidate once come in for an interview in shorts. That's just ridiculous. You have to dress professionally to show respect for the interviewer and appropriately for the industry and the role.
7. How you wear it matters. Employers will also notice if your clothes are clean, pressed or wrinkled, if your hair is unkempt or out-dated, if your shoes are polished or ragged. All of these can be indicators of your personality and of how much attention you pay to detail.
8. Body language and posture. Employers will be watching how you move and act to see if you appear to be honest, confident and friendly. Slouching, avoiding eye contact or shuffling around in your seat can all give them the wrong impression.
9. Your in-person manners. Similarly, do you have a good handshake? Did you thank the interviewer for their time? How did you act when offered water or a coffee? Did you send a thank-you note after the interview? Employers want to see that you know the social conventions of polite professional interactions.
10. In the case of a lunch interview, your table manners. Interviews over a meal create a whole new source of potential pitfalls. Those table manners that your mother used to stress will come in handy. Place your napkin on your lap. Reach for the glass on your right. Order food that you can eat with a knife and fork. (Finger foods can be messy.) Take small bites, so that you don't get caught being asked a question when your mouth is full. Don't talk with your mouth full. Don't fight for the cheque. It's an interview, not a social occasion; the employer will pay for lunch.
When you're looking for a job, the last thing you want to do is give a potential employer a reason not to like you. They'll be looking at more than just your resume and job interview answers, so (unlike Shorts Guy and Yoda Boy) make sure that you pay attention to detail at every step along the way.

2014/04/29

How to outguess passwords: security is the weakest link


By William Poundstone
Have you ever wasted a few moments with a sketchy website that promises to reveal your Klingon name (wizard name, ghetto name, porn star name, etc.)? Some of these sites are fronts for password-harvesting operations. They’ll ask you for some personal data—mixed in with Trekkie trivia —and prompt you to make up a password. Scammers know that the password you supply is likely to be similar or identical to ones you use elsewhere. They may sell collected passwords on the black market for about $20 each. A password is like the key to your home. There are weak locks and strong locks, but neither does any good when a pickpocket swipes your key. Security is always about the weakest link. Most identity thieves don’t bother with trickery. They pick the low-hanging fruit—the passwords easiest to guess. One recent study found that nearly 1 percent of passwords can be guessed in four tries. How is that possible? Simple—you try the four most common passwords. A typical list would run password, 123456, 12345678, and qwerty. That opens 1 percent of all sesames. Okay, you’re in the 99 percent not using an insanely bad password. You still have to consider the speed of today’s hacking software. John the Ripper, a free hacking program, can test millions of passwords a second. One commercial software recovery program intended for forensic use (on seized computers of child pornographers and terrorists) claims it can check 2.8 billion passwords a second. Initially, cracking software runs through an exhaustive, frequently updated list of thousands of the most popular passwords and then segues to a full dictionary search. It tries every single word in the dictionary, as well as all common proper names, nicknames, and pet names. Most of us have been shamed and browbeaten into adding numbers, punctuation marks, and odd capitalization to our passwords. This is known as mangling. In theory, mangling makes it a lot harder to guess a password. In practice, not so much. 
Almost everyone’s mind follows the same well-worn mental grooves. When a site insists on having a number, password becomes password1 or password123 with alarming regularity. A requirement to mix capitals and lowercase elicits Password or PaSsWoRd. Mandatory punctuation marks gets you password! and p@ssword. A password that might look secure, like $pider_Man1, isn’t. Everybody is oh-so‑devious in the same ways. There is reason to fear that site-enforced mangling rules cause users to pick simpler, easier‑to‑guess base passwords. Mangling can create a false sense of security. News features on password security invariably cut to the cynical expert who belittles every common or realistic password practice. Many pros subscribe to the “write it down” philosophy. “Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down,” wrote consultant Bruce Schneier in 2005, eons ago in the digital world. “We’re all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.” Even with the paper in hand, it’s a chore to peck out a long, hard‑to‑remember password. Good luck with a mobile device’s virtual keyboard. The gulf between experts and reality is illustrated by my father’s system. He writes his password on a Post‑it note and sticks it to his desktop monitor. The password is nothing fancy, just a two- word phrase with no digits or funny characters. Not only do real people choose insecure passwords, they have a heck of a time remembering them. In their digital wanderings, many users leave behind a snail trail of similar passwords. They try to use the same password for every site, damn the risk. But some sites play nanny, enforcing ad hoc rules about length and types of characters required. 
Users are forced to customize their usual password and then, when they try to log back in, they can’t remember how they customized it. A lot of what’s known about dumb passwords comes from the December 4, 2009, security breach of RockYou.com, a publisher of Facebook games. A hacker posted the site’s 32,603,388 user names and plaintext passwords. There have been many breaches before and since, but the scope of this one has made it a key dataset for the good guys and the bad guys. The most popular RockYou password was 123456. A reported 290,731 were using that one. There were many differences by age and gender. For men under thirty, sex and scatology supplied popular passwords: pussy, fuck, fucking, 696969, asshole, fucker, horny, hooters, bigdick, tits, boobs, and the like were high up on the list. Elders of both genders leaned toward dated pop-culture references. Epsilon793 might not be such a terrible password, were it not the password of Captain Picard on Star Trek: The Next Generation. The seven-digit 8675309, an inscrutably common choice, was a phone number in a pop tune way back when. Boomers, the eighties called, and they want their passwords back. It’s the easiest thing in the world to create a secure password. Use a random string of characters. You can’t achieve perfect randomness mentally, but you don’t have to do so. Websites and applets aplenty will give you random passwords generated from atmospheric noise. Here are some examples I just pulled from random.org: mvAWzbvf 83cpzBgA tn6kDB4T 2T9UPPd4 BLJbsf6r Problem solved? Sure, for the paranoid mnemonist—or those who use a password manager app secured by a fingerprint reader. Everyone else balks at the prospect of memorizing character soup. It doesn’t help that we’ve been told we need a different password for every account. Most users care more about convenience and less about security than the experts do. I’m not so sure the crowd is wrong. Do you have a panic room in your home? 
Probably not, though the people who install panic rooms will tell you that you need one. Before you spring for the panic room, maybe it would be better to make sure you always lock your front door. Realistic password threats fall into three categories. Call them casual, mass attack, and targeted. • Casual means people you know. A snoopy coworker or family member may want to log into your accounts. He will be trying to guess your password based on personal knowledge of you (without the benefit of password-cracking software). The casual snoop might know your high school team was the Wildcats and try that. He might be completely defeated by wildCatz1. • Mass attack is like spam, nothing personal. The pro identity thief isn’t trying to break into your account per se, and she knows nothing about you personally. She’s trying to assemble a list of cracked passwords, typically for resale. Password thieves use software and begin by trying to crack the least secure sites, those that permit many guesses. This could be a game site where the password has no financial value. When the software guesses correctly, it tries the same password and variants on more secure accounts like banking. • Targeted means a private or public detective plus software. Should an informed person want to hack into your accounts, and should that someone have money and time (and the law?) on his side, he’s likely to succeed. The only countermeasure is using a random password long enough to guarantee search times of your life expectancy or greater. Don’t be too sure you couldn’t be a target. A small business’s competitors may be willing to steal a laptop and expend the needed resources. So may a high-net-worth spouse in a divorce case. Hackers may take a disliking to someone’s business or politics. Twitter, meaning the whole site, was once compromised because an administrator unwisely chose the password happiness. 
In 2009 a hacker learned the Twitter password in a dictionary attack and posted it on the Digital Gangster site, leading to hijackings of the Twitter feeds of Barack Obama, Britney Spears, Facebook, and Fox News. Like everything else in life, passwords involve trade-offs. You can’t have maximal security and maximal ease of use at the same time. One of the best of the commonly advised tactics is to convert a phrase or sentence to a password. You pick a sentence, phrase, or song lyric and use the first letter of each word as your password. May the force be with you would become Mtfbwy. You wouldn’t want to use that one, though, and that’s the problem. You’re going to think of a well-known phrase from a movie, a college fight song, or South Park. How many eight-word-or-so phrases do you know verbatim? It’s not even clear that a randomly chosen phrase is harder to guess than a randomly chosen word. Few bother to mangle their pass-phrase acronym. It looks so random! An ideal password scheme would work even if everyone used it. Should the pass-phrase scheme become popular, acronyms of all the pop-culture catch phrases would enter the lists of popular passwords, and cracking software would try these passwords first. Normally, acronyms are all letters and thus less secure than an any-character string of the same length. Some of these drawbacks can be addressed. Never use a “famous quote.” One alternative is to use private jokes. Remember the funny comment the waiter said to Brenda in Cozumel? You do, Brenda does, maybe the waiter does, and that’s it. Should you pick that as your pass- phrase, the odds are high that you’ll be the only one on the planet using that phrase. It’s less certain that the password itself will be unique. Different phrases can begin with the same letters, producing the same acronym. Some letters are more likely to begin words than others, and hacking software could potentially exploit this. 
The best way to use the pass-phrase idea is to turn the conventional advice on its head. Instead of thinking of a phrase and converting it to a password (that won’t be all that random), get a truly random password and convert it to an easy-to-remember phrase.

I used to use simple, stupid passwords. After one of my accounts was hacked, the site assigned me a temporary password. It was a random string of characters. I was going to change it until I realized that I didn’t need to do so. I could remember a random password. The mind is good at seeing patterns in random data. This is how we remember phone numbers and Social Security numbers. It also works for random-character passwords like RPM8t4ka. I just now got that one from random.org. Though it’s authentically random, the eye and mind instantly spot patterns. In this case the first three letters happen to be all capital, and the last three are lowercase. The number 8 is twice 4. You can easily translate a random password to a nonsense phrase. RPM8t4ka might become revolutions per minute, 8 track for Kathy. I don’t know what that means but I do know that it’s fairly easy to remember.

A password, a pass-phrase, a mnemonic—what’s the big deal? The difference is that a random-character password is the gold standard of security. It’s better than any human-chosen password could be. It will still be good even if everyone in the world adopts this scheme. A random-character password of reasonable length is, for practical purposes, unguessable with today’s technology. It won’t appear in a list of popular passwords. A mass attacker could guess a random password only in a brute-force search. With upper- and lowercase letters and numbers, there are sixty-two possible characters. (I won’t count punctuation marks, as not all sites allow them.) That means it would take 62^8 guesses to be certain of hitting an eight-character password. That’s over 218 trillion guesses.
That effectively rules out an Internet mass attack and would slow down a targeted attack. Accepting the claim that some forensic software can spit out 2.8 billion guesses a second, it would take about twenty-two hours to make that many guesses. That’s secure enough for most people—should you disagree, you’re welcome to add a few more characters.

This doesn’t mean that a random password is invincible. It can’t be guessed, but it can be stolen. The Klingon name scam is one example. Careful folks fall for cons like that all the time. There is high-tech malware that records your every keystroke, and there are snoops using the low-tech method of watching over your shoulder as you type. Hackers may exploit a site’s lax internal security to get its passwords, through no fault of the users and their choices of passwords.

I use the “one strong password” philosophy. In view of the importance that passwords have assumed in our lives, it’s worth committing one random-character password to memory. You memorize your phone number, why not a password? Once you’ve got that strong password, “protect the hell out of it,” says security consultant Nick Berry. Do everything you can to keep your computer free of malware, and use the password only for sites you know to be important and trustworthy. For games and unimportant sites, I use a simpler password that is nothing like my strong password.

There are so many ways that passwords get stolen that it’s not unreasonable to want a different password for each site. One customization formula is to take the last letter of the site name and tack it onto the beginning of the standard password. For Facebook, you’d add k onto your standard strong password, getting kRPM8t4ka. Though this customization isn’t secure in any absolute sense, it may get the job done. A snoop who sees you enter kRPM8t4ka to access your Facebook account is not going to have a clue how to generate your banking password.
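The keyspace arithmetic above (sixty-two symbols, eight characters, 2.8 billion guesses a second), worked through as an added example that is not from the book. It generalizes to any length and alphabet, draws a password with Python's CSPRNG-backed `secrets` module instead of random.org, and applies the site-customization rule from the previous paragraph. The function names and the demo under `if __name__` are my own.

```python
import math
import secrets
import string

# Alphabet the excerpt assumes: upper- and lowercase letters plus digits.
# Punctuation is left out, as in the excerpt, because not all sites accept it.
ALPHABET = string.ascii_letters + string.digits  # 62 symbols
# Offline cracking rate quoted in the excerpt (guesses per second).
GUESSES_PER_SECOND = 2.8e9


def keyspace(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password, in bits (length * log2(alphabet))."""
    return length * math.log2(alphabet_size)


def exhaustive_search_hours(length: int, alphabet_size: int = len(ALPHABET),
                            rate: float = GUESSES_PER_SECOND) -> float:
    """Hours needed to try every candidate at `rate` guesses per second.

    An attacker finds the password after half this on average, but the full
    keyspace is the figure the excerpt quotes (62**8, about 218 trillion).
    """
    return keyspace(length, alphabet_size) / rate / 3600


def random_password(length: int = 8, alphabet: str = ALPHABET) -> str:
    """Password drawn with the CSPRNG behind `secrets`; `random` is not
    suitable for this because its generator is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def customize_for_site(strong_password: str, site_name: str) -> str:
    """The excerpt's per-site rule: prefix the last letter of the site name.

    customize_for_site("RPM8t4ka", "Facebook") returns "kRPM8t4ka".
    """
    return site_name[-1].lower() + strong_password


if __name__ == "__main__":
    for n in (8, 10, 12):
        print(f"{n} chars: {entropy_bits(n):.1f} bits, "
              f"{exhaustive_search_hours(n):,.0f} hours to exhaust")
    pw = random_password(8)
    print("sample random password:", pw, "->", customize_for_site(pw, "Facebook"))
```

Going from eight to ten characters multiplies the search by 62², from about twenty-two hours to roughly 9.5 years at the same rate. The entropy figure is what matters: a password that is not uniformly random (a phrase acronym, a mangled word) carries less entropy than its length suggests, which is the excerpt's point about cracking software trying popular acronyms first.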
A mass attacker will collect thousands of passwords and find that a decent proportion of them work, unmodified, on other sites. He may not care about those that don’t. I don’t have a punctuation mark or non-ASCII character in my strong password. In the rare cases where a site demands one, I add an easy-to-remember mark onto the end.

Some identity thieves skip passwords entirely. They pretend to be a user who has forgotten a password, and answer the security questions. Should they guess right, they can change the password to one of their choosing. Not only does the crook gain an identity to sell, but the legitimate user is locked out. In 2008 someone hacked into Sarah Palin’s e-mail account by guessing where she met her husband (Wasilla High). Four years later Mitt Romney’s accounts were breached by someone who guessed his favorite pet.

It’s not just public figures who have to worry. Anyone who knows you well will be able to guess many of your answers to security questions. Hackers who don’t know you from Adam or Eve can use lists of the most popular pet names, used cars, team nicknames, etc.

Lately, news features have touted the counterstrategy of giving nonsense answers. The idea is that you answer every question in pig Latin, or give the same nonsense answer to every question. Your mother’s maiden name was Jimbob. Your high school mascot was Jimbob. This probably works for the time being. That could change, should enough people adopt this strategy. Nonsense answers are probably as stereotyped as any other kind.

I always use honest answers. You don’t encounter security questions much. Years after you first answer security questions, when you have to prove who you are, you definitely don’t want to be in the position of not remembering your answers. Many sites let you choose security questions. I pick questions where my honest answer isn’t a common one or easy to guess.

Personal identification numbers (PINs) are the dime-store locks on our personal money machines.
Nobody knocks himself out trying to invent a secure PIN. Most automated tellers limit them to four decimal digits anyway.

I’m sure you can guess the most common PIN. Would you care to guess how many people use it? Nick Berry estimates that 11 percent of the population uses 1234.

There haven’t been many mass exposures of PINs. Hackers aren’t that interested because PINs are useless without the physical card. So Berry took lists of exposed passwords and filtered them to include only four-digit numbers with no letters. He figured that someone who uses 1967 as a password has some special connection to that number and is likely to use it when prompted for a four-digit PIN. The second-most-popular PIN on Berry’s list is 1111 (chosen by 6 percent), and third is 0000 (picked by nearly 2 percent). Taken at face value, that means that a well-informed crook who finds your ATM card stands a 19 percent chance of guessing your PIN in the permitted three tries. After a third wrong guess the machine usually eats the card.

Here are Berry’s twenty most common PINs: 1234, 1111, 0000, 1212, 7777, 1004, 2000, 4444, 2222, 6969, 9999, 3333, 5555, 6666, 1313, 8888, 4321, 2001, 1010. All the four-identical-digit choices appear. This isn’t a randomness experiment, it’s an I’m-afraid-I’ll-forget-this-number-and-better-pick-something-really-easy experiment.

Berry found these less obvious patterns:

• Years. All recent years and a few from history (1492, 1776) are high up on the list.

• Couplets. Many pick a two-digit number and clone it to get the needed four (1212, 8787, etc.) Digits in couplets most often differ by 1.

• 2580. Some figure they’ll generate a random code by playing tic-tac-toe on the keypad. The only way to get the required four digits is to go straight down the middle: 2580. It’s the twenty-second-most-popular choice in Berry’s list. (For that you can thank the designer of the keypad, Alphonse Chapanis.)

• 1004. In Korean the numbers sound like the word for angel. This inspired a pop tune, “Be My 1004.” There are enough Koreans who figure that non-Koreans don’t know this to make it a popular choice.

It’s important to pick a PIN that’s not on the popular list. The least popular PIN was 8068, but you don’t necessarily want to use that, either. I would pick a number that begins with 6, 7, 8, 9, or 0 (as all of Berry’s least popular choices do) and has no evident pattern. Don’t use digits from a personal number like a MM/DD or YYYY birthday, driver’s license, or credit card. Those numbers are in your wallet, and losing your wallet is the commonest way to lose an ATM card.

Recap: How to Outguess Passwords

• Be prepared to memorize one good, strong password. It’s worth the effort.

• Go to a website that generates truly random passwords (like random.org). Create a list of five or ten candidate passwords.

• Pick a random password that you can convert into a memorable nonsense phrase. Use the phrase to remember the password.

Excerpted from Rock Breaks Scissors: A Practical Guide to Outguessing & Outwitting Almost Everybody by William Poundstone, published by Little, Brown and Company. Copyright © William Poundstone. Rock Breaks Scissors will be available in stores on June 3, 2014 (Amazon / B&N / Indiebound / iBooks).

Published by Little, Brown and Co. Updated April 21, 2014. Cover photo: Florian Klauer via Unsplash.
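The PIN-frequency method the excerpt attributes to Nick Berry, as an added example in Python that is my own code, not Berry's or the book's: filter an exposed-password list down to its four-digit entries, count them, and compute how often the three most common values would succeed within an ATM's three permitted tries (the excerpt's "19 percent" figure). A second function flags a candidate PIN against the patterns listed in the PIN section, which is the check a bank or a user would want before settling on one. The leak sample is constructed, and the year range used for "looks like a year" is my assumption.

```python
import re
from collections import Counter

# The PINs printed in the excerpt's "most common" list.
POPULAR_PINS = {
    "1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444", "2222",
    "6969", "9999", "3333", "5555", "6666", "1313", "8888", "4321", "2001", "1010",
}

# Constructed sample of exposed passwords (not real leak data). As in Berry's
# method, only entries that are exactly four digits are treated as PIN proxies.
CONSTRUCTED_LEAK = [
    "1234", "password", "1111", "1234", "letmein", "0000", "1234", "1212",
    "7777", "qwerty", "1967", "1234", "1111", "2580", "8068", "12345", "abc1",
    "1004", "1111", "1234", "0000", "4321", "9999", "1985", "6137",
]

FOUR_DIGITS = re.compile(r"\d{4}")


def extract_pins(entries):
    """Keep only the four-digit, all-numeric entries (Berry's filter)."""
    return [e for e in entries if FOUR_DIGITS.fullmatch(e)]


def pin_frequencies(entries):
    """Counter of four-digit PINs; .most_common() gives the ranking."""
    return Counter(extract_pins(entries))


def guess_success_probability(entries, tries=3):
    """Share of users whose PIN is hit by trying the `tries` most common
    values, i.e. the chance of success within an ATM's guess limit."""
    freq = pin_frequencies(entries)
    total = sum(freq.values())
    if total == 0:
        return 0.0
    return sum(count for _, count in freq.most_common(tries)) / total


def weak_pin_reasons(pin, year_range=(1900, 2030)):
    """Patterns from the excerpt that `pin` matches; an empty list means none.

    The year range and the 1492/1776 extras are my reading of "recent years
    and a few from history"; the rest follows the excerpt's list directly.
    """
    if not FOUR_DIGITS.fullmatch(pin):
        raise ValueError("PIN must be exactly four decimal digits")
    reasons = []
    if pin in POPULAR_PINS:
        reasons.append("on the popular list")
    if len(set(pin)) == 1:
        reasons.append("four identical digits")
    elif pin[:2] == pin[2:]:
        reasons.append("two-digit couplet")
    year = int(pin)
    if year_range[0] <= year <= year_range[1] or year in (1492, 1776):
        reasons.append("looks like a year")
    if pin == "2580":
        reasons.append("straight down the keypad")
    return reasons


if __name__ == "__main__":
    freq = pin_frequencies(CONSTRUCTED_LEAK)
    print("top 3:", freq.most_common(3))
    print(f"three-try success: {guess_success_probability(CONSTRUCTED_LEAK):.0%}")
    for candidate in ("1234", "1967", "8787", "2580", "8068"):
        print(candidate, weak_pin_reasons(candidate) or "no pattern flagged")
```

On the constructed sample the three most common values cover half the entries, far above the excerpt's 19 percent, because the sample is tiny and deliberately skewed; the point is the shape of the calculation, not the number. A PIN that clears `weak_pin_reasons` is still only as strong as four digits allow, which is why the excerpt treats the card itself as the real lock.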

7 Ways You're Unconsciously Undermining Yourself

You're crushing it every day at your job. But are you ruining your chances for a promotion by tapping your pen, checking your phone, and being buddies with your cubemate?

By Gwen Moran
People are judging you. It’s not fair, but when you start to progress in your career, your moves come under scrutiny. And you could be undermining yourself without even realizing it. “There are definitely things that people do that can make others think they’re ineffective leaders and they’re not always aware of them,” says Halley Bock, the president and CEO of Fierce, Inc., a leadership development and training firm based in Seattle. So, even if you think you're doing everything right, check yourself for these seven areas that can be harming your well-crafted image.

1. You Look Like You're Not Listening. Being a poor listener can manifest in a number of different ways, including checking your phone while someone else is speaking, staring off into the distance, or just clearly not following along with the conversation, Bock says. People resent when their thoughts or input is treated as unimportant, which erodes your influence--plus, you’re possibly missing valuable information that can help you lead more effectively.

2. You Don't Follow Through on Promises. If you say you’re going to do something, do it or risk losing your credibility as a leader, says Jené Kapela, founder of Fort Lauderdale-based Jené Kapela Leadership Solutions, LLC. Leaders need to be trustworthy, and “people won’t trust you if you don’t follow through,” she says.

3. You Use the Wrong Tone of Voice. Once you open your mouth, people are forming opinions about your trustworthiness, dominance, attractiveness and warmth in half a second. In a March 2014 study published in the online journal PLoS One, researchers at the University of Glasgow and Princeton University found that in the time it takes you to say “hello,” many have already sized up key aspects of your leadership quotient--often in as little as 300 to 500 milliseconds.

4. You Fidget Too Much. Wiggling your foot, tapping your pen, drumming your fingers all seem like minor transgressions, but being fidgety can indicate you’re nervous or uncomfortable and not suited to the role of a leader, Bock says. If you notice yourself doing these things, work on controlling them--at least in settings when you’re trying to exude confidence and competence, she says.

5. You Make Too Little (Or Too Much) Eye Contact. Whether it’s a one-on-one conversation or a presentation to 100 people, we know it’s essential to make eye contact to establish trust and exude confidence. But don’t go overboard, Bock says. Too much eye contact can range from seeming mildly creepy to downright aggressive.

6. You Are Too Self-Confident. While some narcissistic traits can help you command respect and influence for your bold vision and self-esteem, too much has the opposite effect. In a 2013 study published in the journal Personnel Psychology, researchers at the University of Illinois at Urbana-Champaign and the University of Nebraska found that narcissists often emerged as leaders, but if they couldn’t keep their feelings of self-importance and lack of empathy in check, they eventually lost their influence and were seen as exploitative and arrogant--the antithesis of good leadership.

7. You're Everybody's Friend. Effective leaders are often warm and accessible, but beware of becoming too friendly or accommodating, Kapela warns. Leaders need boundaries, especially in the workplace. People are going to have trouble trusting you or looking to you for guidance if you exhibit poor judgment yourself, such as engaging in office gossip or drinking to excess at company functions, she says. “It goes back to professional behavior. Be consistent and authentic and people will respond to you for that and have respect for you as opposed to, if you’re being a friend to someone and then making poor decisions as an employee,” she says.

[Image: Flickr user Quinn Dombrowski]

Gwen Moran writes about business, money and assorted other topics for leading publications and web sites. She was named a Small Business Influencer Awards Top 100 Champion in 2012 and is the co-author of The Complete Idiot's Guide to Business Plans (Alpha, 2010). She is currently creating Biziversity.com, an information resource for micro-businesses, from her office near the Jersey shore--the beautiful place, not the horrible television show.