Live tweetblogging my holidays

My holidays are about to start and I’ll live tweet it on my blog, right here!

  • 01:30: bedtime
  • 01:00: bedtime… Or another whisky?
  • 23:00: whisky!
  • 21:45: hey mom!
  • 21:37: wait, there is my luggage.
  • 21:35: luggage will take another 15 minutes before they arrive. I’ll text my mom that she shouldn’t wait.
  • 21:18: what, a gate with stairs? What is this? The 1950’s?
  • 21:17: hey, civilization… We are finished taxiing?
  • 21:16: Frodo is about to throw the ring in the fire
  • 21:15: still taxiing
  • 21:13: no, more taxiing
  • 21:12: hey, we stop
  • 21:10: still taxiing
  • 21:05: still taxiing
  • 21:01: let’s start watching Lord of the Rings
  • 21:00: landing on the Polderbaan at Schiphol Airport. The complaints about that deserve a separate blog post.
  • 18:55: boarding the plane – we’re early
  • 18:50: oops, that’s my iPad flying through the air. Still in one piece though.
  • 18:35: another example: I can’t see at which gate I’m sitting now, or what the destination is. (The big blue plane makes it quite clear though)
  • 18:30: the signs on Zurich airport are badly placed: for a lot of people it is not obvious which way they have to go. You can easily distinguish frequent travelers from the people new at the airport: they directly know where to go.
  • 18:15: did my good deed for the day: alerted a guy that he dropped his credit card
  • 17:50: the airport is remarkably quiet
  • 17:35: eating a bit (not the chocolate though)
  • 17:15: the chocolate is not considered to be a security risk.
  • 16:30: on my way to the airport
  • 16:15: my backpack contains 1/3 clothes, 1/3 chocolate and 1/3 camera.
  • 15:30: not really the time to start something new, right?
  • 7:09: Searching for my glasses. Slapstick!
  • 7:08: Packing my stuff. I have one checked bag with clothes and one bag full of chocolates.

IT services and password (mis)management

It has been a while since I last posted to my blog. A pretty amazing thing happened two months ago: I successfully defended my PhD thesis. Together with two colleagues, who had their defenses on the same day as I (three defenses in a row) we had a great party. Still, I’m not a real doctor yet. At the next faculty meeting the profs have to officially grant me the title and then I have to hand in the thesis as a real booklet, within a year or two or so. These administrative and practical issues did not prevent the faculty from inviting me to the Graduation Ceremony. As you might have guessed from the title of this post, I’ll not be writing about the ceremony itself. The problem is that to register for the ceremony I have to go to a website and log in. It turns out that five years of PhD does not prepare you to do this seemingly simple step.

At the RUG (University of Groningen, where I was a student) the IT services were simple: everything online could be accessed using your student mail as username and a single password. Everything: email, electronic learning environment, administration… (1) That I look back fondly at the time when I was using Windows XP on clunky CRT monitors illustrates the IT issues at the university where I did my PhD.

When I started my PhD I got three email accounts: my physical chemistry email, my student email and my employee email. That seems to be at least one and probably two accounts too much.
They sent me the password for my accounts by mail… and wrote the password in Comic Sans… There is no time when Comic Sans is a good font. Well, you can use it to announce the discovery of the Higgs particle but that is because the Higgs is so cool that I wouldn’t have cared if they had chiseled it live on (in?) the wall during the presentation. However, when you want to communicate a password it is a good idea to write it in a clear font with a clear difference between l and I or between O and 0 (non-capital l, capital i (I), capital o (O) and the number zero (0), respectively (see what I did here?)).
I’m sure that the IT department is aware of these fonts. Every now and then we got an email that there was a phishing attack attempt on the university accounts. The guy who sent this email had an email signature with an ASCII-art motorbike… (2)

At some point the university thought it was a good idea to introduce a unified email/account system. Good idea! Right? Well, it meant that I got a new email account in addition to my three legacy email accounts. (3) In addition to my student and employee number they also introduced a new long and short name that I could use as a username to log into different services. This means that I now have eight different ways to log into the different services of the university. (actually nine, for a certain service I had to use my student number, without the last digit).
Can there be more confusion? Sure. Because of legacy stuff the passwords were also scrambled. Some services use the same username and a different password, while others use the same password but a different username. The result is that there is no way to reliably predict which username and password you should use for a particular service. (4)
To create some order in the chaos there is a central “Identity Manager” where I can change my passwords without having to contact IT services. Except, which account do I need to change? There are six accounts that use the same short name.

This leads to the final part of this saga. What if I knew which account to use and would want to change my password? What kind of arcane requirements does my password have to meet? A partial list:
1. Not allowed characters: 0123456789&-
2. Allowed characters: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+_$/!
3. Required characters: +_$/!
4. Minimum number of numerical characters: 1
Do I need to point out the problem here? How can you have a numerical character when the characters 0-9 are not allowed? Or do they want me to use a hexadecimal number? (i.e. A for the number after 9 etc (hexadecimal 10 is decimal 16)). (5)
But there are other, less obvious problems as well. Some characters are allowed, some characters are not allowed… what about the other characters? Can I use the equal sign? (By the way, these are not the actual character sets that are (not) allowed. Security is already weak enough without writing down the exact sets of allowed/disallowed characters). Finally, do I need to use *all* the required characters? Or do you mean I need to use at least one of these characters?
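
An added example, not from the original post or from the university's identity manager: Python that merges the password rules of several selected accounts, as footnote (5) describes, and reports why no password can satisfy all of them at once. The account names and character sets are constructed for illustration, and the Policy fields are assumptions about how such rules could be modelled.

```python
import string
from dataclasses import dataclass

DIGITS = frozenset(string.digits)
LETTERS = frozenset(string.ascii_letters)
SYMBOLS = frozenset("+_$/!")


@dataclass(frozen=True)
class Policy:
    name: str
    allowed: frozenset                       # characters this account accepts
    forbidden: frozenset = frozenset()       # characters it rejects outright
    require_one_of: frozenset = frozenset()  # at least one of these must appear
    min_digits: int = 0                      # minimum count of 0-9


def merge(policies):
    """One password for all selected accounts must satisfy every policy at once."""
    usable = frozenset.intersection(*(p.allowed for p in policies))
    usable -= frozenset().union(*(p.forbidden for p in policies))
    required = [(p.name, p.require_one_of) for p in policies if p.require_one_of]
    min_digits = max(p.min_digits for p in policies)
    return usable, required, min_digits


def conflicts(policies):
    """Return readable reasons why no password can satisfy all policies."""
    usable, required, min_digits = merge(policies)
    problems = []
    if min_digits and not (usable & DIGITS):
        needs = [p.name for p in policies if p.min_digits]
        bans = [p.name for p in policies
                if not ((p.allowed - p.forbidden) & DIGITS)]
        problems.append(f"{needs} need a digit but {bans} accept none")
    for name, chars in required:
        if not (chars & usable):
            problems.append(f"{name} requires one of {''.join(sorted(chars))!r}, "
                            "all excluded by the other accounts")
    return problems


def compatible_groups(policies):
    """Greedily split accounts into groups that can share one password change."""
    groups = []
    for p in policies:
        for g in groups:
            if not conflicts(g + [p]):
                g.append(p)
                break
        else:
            groups.append([p])
    return [[p.name for p in g] for g in groups]


# Constructed sample accounts (illustrative names and character sets).
LEGACY = Policy("legacy-mail", allowed=LETTERS | SYMBOLS,
                forbidden=DIGITS | frozenset("&-"), require_one_of=SYMBOLS)
PORTAL = Policy("portal", allowed=LETTERS | DIGITS | SYMBOLS, min_digits=1)
WIKI = Policy("wiki", allowed=LETTERS | DIGITS | SYMBOLS | frozenset("&-="),
              min_digits=1)

if __name__ == "__main__":
    for line in conflicts([LEGACY, PORTAL, WIKI]):
        print("conflict:", line)
    print("change together:", compatible_groups([LEGACY, PORTAL, WIKI]))
```

A form that ran a check like this before showing the combined rule list could tell the user which accounts to change separately instead of presenting an unsatisfiable set of requirements.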

I’m sure the IT department justified installing this new system by pointing out all the cost savings: “using the identity manager people can reset their passwords themselves, meaning less work for the IT department”. It is of course a stupid solution. People use some accounts frequently and know what username/password to use there. That is not the case when accessing infrequently used accounts. A better system would have been something where people can log in using a single username and password across all accounts and services. I mean, the passwords are already collected in a single identity manager. Why not skip that step for the user and pretend (at least to the user) as if all the services and accounts use the same username and password?
The cost savings are also reduced by the time I (and all my colleagues) waste trying to work out which password to use. I ended up registering for the graduation ceremony by sending an email to the organization. One upside: I didn’t have to fax them. (6)


(1) This was the situation at the RUG five years ago, when I was a student. It may have changed.

(2) These are called monospaced fonts — each character uses the same width, making it easy to align characters on different lines. They are often used in programming, or to make ASCII-art motorcycles. The critical point of using them is however not that they are monospaced, but that you can unambiguously distinguish different characters.

(3) It was executed in a terrible way, but the grand unification did collect the different accounts in a single interface.

(4) Having a lot of usernames and passwords is not a problem in itself. I use, and everybody else should use, a password manager (like 1Password). A manager stores all your passwords in a single place and using a plugin it fills in the passwords for you in your web browser. This makes it easy to use different passwords for different accounts — this means that if one website is hacked they can not use it to log into other websites (see this Ars Technica article about attacks on passwords). A password manager does however not help if the combination username/password is not known.

(5) It turns out that the clash between disallowing numerics while requiring at least one numerical character is because I had selected a number of accounts to change the password. One of these accounts doesn’t allow numerics while the others need a numeric.

(6) Yes, we do have a fax machine and yes, we do use it a lot.


Further reading:

  • An Ars Technica article about why there are limitations to the use of characters and size of passwords. Answer: legacy systems, ignorance and laziness.
  • Security is often used to justify making systems that are user-unfriendly. Ars Technica (again) has an article about how these kinds of password rules and other small irritations make people hate computers.

Duke Nukemap3D

In another life I might very well have studied history instead of chemistry. I especially find the period around the Second World War interesting. A lot has already been written about the horrors of the holocaust and the bravery of the soldiers, but I am more curious about the secret part of the war and the transition after the war.

The transition after the war has two sides. On the one hand there is the recovery of Europe. I started wondering about this after the Americans had invaded Iraq, with a disastrous aftermath. How did this go in Europe, after the victory celebrations had finished? How did the masses of displaced people find a new place in cities ruined by war?
The other transition that interests me is the one to the Cold War. It seems as if it was inevitable that there would be tensions between the US and the USSR, but was it? What happened between the Yalta conference and the building of the Berlin Wall?

With the secret part of the war I mean three things: espionage, breaking enemy encryption and the development of nuclear weapons. The three are not secret anymore, but they have been for a long time and I have the impression that their contribution is not fully part of our picture of the war, which was probably largely formed before these facts became widely known.
My interest in breaking enemy encryption is what sort of led to me making an Enigma simulator. In this blog post I will write a bit about nuclear weapons. Whereas an interest in the Enigma might be a bit eccentric, an interest in weapons of mass destruction is, frankly, a bit weird – hence the long introduction.

My interest in nuclear weapons has grown recently after discovering the Restricted Data: The Nuclear Secrecy Blog. The blog matches quite closely to the interests I described above: how did people in this transitional period after the Second World War perceive nuclear weapons and how was this perception shaped by the secrecy surrounding the subject?
I am in the lucky circumstance that I don’t know war or violence. I fired a handgun once at a shooting range. Other than that I have no idea about the effects of guns and bombs. (1) I think that nobody can comprehend the effects of nuclear weapons. The writer of the aforementioned blog, Alex Wellerstein, understood this and made Nukemap, an overlay on Google Maps showing how much damage a nuclear bomb would do in a location of choice.

[Figure: Nukemap. The effects of a 20 kT nuclear weapon on Zurich.]

Above I “detonated” a 20 kT weapon (like the one on Nagasaki) on Zurich, just north of the main railway station. The rings show the different effects of the weapon. The center yellow is the fireball, red is the radius where most heavy buildings will be destroyed, green the radius where the radiation would kill 50-90% of the people (I live in this radius). In the blueish radius most light buildings will be destroyed (I guess this refers to American suburban houses, not the fortresses that the Swiss build). People in the orange ring would have 3rd degree burns (if they are exposed to the heat). According to the estimate almost 80,000 people would be killed and 175,000 people would be injured. The Zoo and the FIFA headquarters are however safe (right of the outer ring).
Nukemap also allows you to show the effect of fallout and some other cruel statistics. To make it even more realistic, you can also use Nukemap3D, where you can see the mushroom cloud rise above your favorite detonation place.

What I said, a weird interest. Still, I think a tool like this is an excellent way to show people the effect of nuclear weapons. For me, it was a starting point to learn more about nuclear weapons.

First I read up on how nuclear weapons work on the nuclear weapon archive. The formatting is a bit awkward, but it seems to contain the collected knowledge about nuclear weapons. By the way, the secrecy of nuclear weapons is not so much about the physics as the engineering involved. Did you know you can actually buy uranium ore from Amazon?
There are also a lot of videos on Youtube. Some are just a collection of explosions, others are the official military reports from the different test series that have been conducted. Especially interesting are the ones about operation Crossroads (the first nuclear tests after the war) and operation Ivy (the first hydrogen bomb). The latter brushes a bit over the fact that the bomb was 250% stronger than expected and that it wiped out a whole island and caused life threatening fallout on islands 100 miles away.
Update: The reason that I specifically mention these two tests is that they give a nice view of the time. Operation Crossroads was the first test after the Second World War and the video shows how little was known about the effects of nuclear weapons. Ivy Mike was the first thermonuclear weapon tested and the video shows the high expectations of this new type of device. I do need to correct the “brushing over facts” statement. The video clearly shows that the island was blown away. The explosion also had the expected size (although on the high end). I confused Ivy Mike with the later Castle Bravo test, which was indeed 250% stronger than expected and resulted in fallout on islands 100 miles away.

The reason to write this blog post was however because I was reading The Effects of Nuclear War, a report published in 1979. It describes the apocalypse in a matter-of-fact way. Here is for example a description of the short term effects of a limited nuclear attack on major US oil refineries:

If all weapons were ground burst, 2,883,000 fatalities and 312,000 fallout fatalities are calculated for a total of 3,195,000. Table 8 lists fatalities by footprint.

The report gets a bit bizarre when it describes the long term effects:

More people would walk or bicycle, increasing exercise. Reduced consumption of meat would reduce dietary fats, heart attacks, and strokes.
(…)
Many people say that the United States would be better off if it was less dependent on cars and petroleum. While changing to new patterns of living via nuclear attack would minimize political problems of deciding to change, it would maximize the difficulties of transition.

Are you f*cking kidding me? There are 3 million people dead and the country is in ruins, but hey, biking is healthy! And without the need to break the political gridlock in Washington D.C.! I bet Greenpeace would be proud.

An imponderable is the psychological impact. The United States has never suffered the loss of millions of people, and it is unlikely that the survivors would simply take it in stride. The suffering experienced by the South in the decade after 1860 provides the nearest analogy, and a case can be made that these effects took a century to wear off.

As long as you don’t forget your bicycle helmet.

The report also describes an attack of the US on the USSR. There are some legitimate differences, such as the proximity of targets to cities. But how would the population fare?

Would Soviet shelterers be better off than their American counterparts? They have several advantages. They are more accustomed to crowding and austerity than are Americans, so would probably suffer less “shelter shock”. They would be more accustomed to following Government orders, so to the extent that orders proved correct and were correctly implemented, they would be more evenly distributed among shelters.
(…)
People in hasty shelters, if they could be built, would face worse health problems, despite the legendary ability of Russians to endure hardships.

It reminds me of the scene in Dr. Strangelove where General Buck Turgidson talks about the bravery of the Russian soldiers in the Second World War.

“Joking” aside, the report does go into some detail of describing the effects of an attack. Or rather, it describes the variables and unknowns. Here are some interesting tidbits:

  • The timing of an attack is important. An attack around harvest time will probably mean the loss of the crops (because they are not harvested). An attack in summer will result in more burn wounds because people are more outside and wear less clothes. In the USSR it apparently even made a difference at what time of the month the attack took place:

    Even time of month makes a difference because of the Soviet practice of “storming.” The Soviet factory month in practice divides into three periods: “sleeping,” the first 10 days; “hot” work, the second 10; and “feverish” work, the third. This division occurs because the economic plan calls for a specified output from each plant by the end of the month, but the inputs needed often arrive only after the 15th or 20th of the month. Thus, perhaps 80 percent of a factory’s output is produced in the last 10 or 15 days of the month. (This 80 percent is typically of such reduced quality that Soviet consumers often refuse to buy merchandise made after the 20th of a month.) Hypothetically, an attack around the 15th or 20th of a month would cause the loss of most of a month’s production, and would destroy the large inventory in factories of partially completed goods and of inputs that cannot be used until other inputs arrive.

    Good to know!

  • The altitude at which the nuclear bomb explodes is crucial to its effects. With a surface burst the energy is concentrated in a rather limited area and is “ideal” to target bunkers and missile silos. An explosion higher above the ground will spread the explosive force over a larger area and is more effective against relatively “soft” buildings (i.e. residential areas). The burst height also affects the amount of fallout: if the fireball (the yellow core on the figure above) touches the ground it will vaporize the ground layer and send more dust into the mushroom cloud, resulting in much more fallout.
  • The different effects (blast, radiation, burns) do not scale similarly with distance. A smaller bomb will kill more people by radiation, while a large bomb will kill more people because of the blast.
  • It is not enough to just consider single effects. Third degree burns may not be lethal in themselves, but combined with a lack of treatment because hospitals have been blown away and radiation diminishing the immune system, they might become lethal.

You see, I did some light summer reading.

I’m part of a generation who grew up mostly after the Cold War. (2) I considered nuclear weapons to be bombs. Large bombs, but still bombs. Reading The Effects of Nuclear War, however surreal, brings home the point that they are not: they are extremely large bombs with very nasty side effects. A tool like Nukemap illustrates this effectively.

At the end of the day, my interest is not really in the effects of nuclear bombs in terms of casualties but more how it affected society. How did people perceive nuclear weapons after the first ones had exploded? The Restricted Data Blog has collected some newspapers of the days after the first one exploded in Hiroshima. The blog contains a lot of interesting material and I recommend giving it a look.

Is there any way to end this blog post on a positive note? Well, we survived the madness of the Cold War. Still depressed? Here is a comic about a dog.


(1) I do know some Serbs who, as little kids, had to hide in shelters during the NATO attacks in the late ’90s. Without exception they are friendly people, but they do have a bit of grudge against NATO. I can’t deny them that.

(2) I’m from 1983. My only recollection of the fall of the wall/German reunification is the fireworks. I remember thinking “silly Germans, why is there fireworks when it is not New Years Eve?”.