Fair warning, this is going to be a long post…

Steve Gibson of GRC.com has created yet another masterpiece of technology. His “Off the Grid” paper-based password generation system is amazing and, once printed out, amazingly low-tech, even to the point of being effectively no-tech: it requires only a piece of paper with the specially generated, one-of-a-kind grid printed on it (I would suggest laminating it with something that is friendly to dry-erase or erasable markers/highlighters). You trace out the path of, to use his example, ‘amazon’ (shortened from the URL amazon.com) using a finger or something else convenient that won’t mark up your grid (thus my suggestion of laminating it).

Here’s one of the unique grids that his system generates:

a grid generated by Steve Gibson's GRC.com secure paper passwords generator
One of a monstrously huge number of possible grids

Now, seeing that somewhat daunting image above, you’re probably thinking “How the hell do I use that?”. I know at first glance it is daunting. But, if you follow the directions given HERE (I can’t give clearer instructions than the guy who invented it, so I am not going to try), you’ll pick it up quickly. Go ahead, I’ll wait 🙂

Now that that’s done… You DID go and look at that site, right?… We can go through and look at what happens when we take ‘amazon’ as an example on the grid above.

First, we go across the top set of blue letters and look for the ‘a’ (note that we’re ignoring the letter’s case, for now). Finding that, we go vertically to the letter ‘m’, then horizontally to another letter ‘a’, then vertically to the ‘z’, horizontally to ‘o’, then lastly, vertically to ‘n’. No changes here so far, right? Right.

Here’s what we have so far:

What we have so far.

Next, we’ll go through and spell out ‘amazon’ again, also ignoring case, but paying attention to the case of the letters that we capture after we find our key letters. For example:

The encryption path, not including 'overshoot'.

Now, what you see above does not include what Steve refers to as ‘overshoot’ zones. These are the ‘key’ (probably a pun intended there) to the encryption process that he recommends. I’ll show those below:

Grid with both paths, and overshoot for encryption.

Now here’s the fun part. By pathing this out as we have, we’ve developed a key for ‘amazon’. What is the key? Follow with me through the grid above, along the green path, and pay attention to how the overshoot is read: it’s read according to what you cross first for each one. For example, the first ‘a’ in ‘amazon’ has the letters ‘vh’ after it, read in the order of encounter… I’ll explain further in the next step.

Continuing on to the letter ‘m’ in the green path, we see the letters ‘dI’ following it. Again, note the order in which we read those; it’s important for later, where I add to this scheme.

Now, if you keep going and following the green path and reading the overshoot letters properly, you’ll get the following results: ‘vhdIKWMpFRLr’. I’ll break that into pairs for you: ‘vh-dI-KW-Mp-FR-Lr’.

Now, using just what we’ve done so far, you already have a very strong encrypted password for use on amazon.com.

What I’ll be presenting from here on is an additional layer to that encryption scheme, using the password that we just generated as the key to that. We can use this additional layer as ‘salt’ for the password, or as a kind of substitution code for the password that we have already.

Here’s how what I have in mind works:

Take each pair of letters as broken down above as a set of coordinates. For example, we’ll take ‘vh’ as the first set, since that is what it is. Then we plot those coordinates using the first row of blue letters on the grid as the X axis, and the first column of blue letters on the grid as the Y axis. We should get the following:

I’ll post each path result separately, so that you can follow my logic and reasoning for this idea. Be ready for a lot more images 🙂

Grid with vh coordinates plotted.

As a result of plotting out ‘vh’ on the grid above, we get the letter “Q” as the output. Write that down below where you have ‘vh’ written on your paper, if you do.

Now, let’s do the same with the next set ‘dI’:

dI coords plotted out.

Note that for our purposes, case is ignored when reading the initial coordinates. This is OK, since the 26×26 grid can’t cover both upper and lower case. We DO want to maintain case sensitivity if using the password as-is without these additional steps. We also want to keep the letters case-sensitive when we finally add the ‘salt’, which we’re in the process of generating, to them.

Now, I’ll go ahead and give you the remaining grids, next is KW:

Grid with KW coords plotted.

Now for Mp:

Grid with Mp coords plotted.

Next is FR:

Grid with FR coords plotted.

Finally, we have Lr:

Grid with Lr plotted.

Now that we have all the letters that we need, we need to do something with them…

Remember the password that you originally generated using the grid? No? Well, here it is again: “vh-dI-KW-Mp-FR-Lr”. We also have the results of our salt generation using the password as a set of coordinates: “Qyqcnp”.

What can we do with the salt? We can append it to our password: ‘vhdIKWMpFRLrQyqcnp’

We can replace every other letter of the password with a letter from the salt, to further obfuscate the password we originally generated: ‘vh-dI-KW-Mp-FR-Lr’ becomes ‘vQ-dy-Kq-Mc-Fn-Lp’.

We can try any number of other alternatives, which I leave to you to discover.
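The coordinate lookup and the two ways of combining the salt, as an added example that is not part of the original post or of GRC's system. It assumes a constructed 26×26 Latin-square grid whose own first row and first column serve as the X and Y axes; `build_grid`, `lookup`, `derive_salt`, `append_salt` and `interleave_salt` are hypothetical names.

```python
import random
import string

def build_grid(seed):
    """Constructed stand-in for a printed grid: a 26x26 Latin square
    (every letter once per row and column) with random letter case."""
    rng = random.Random(seed)
    base = list(string.ascii_lowercase)
    rng.shuffle(base)
    shifts = list(range(26))
    rng.shuffle(shifts)
    return [[c.upper() if rng.random() < 0.5 else c
             for c in base[s:] + base[:s]] for s in shifts]

def lookup(grid, x, y):
    """Return the cell whose column is headed by x and whose row is headed by y.
    Assumption: the top row is the X axis, the left column the Y axis."""
    top = [c.lower() for c in grid[0]]
    left = [row[0].lower() for row in grid]
    return grid[left.index(y.lower())][top.index(x.lower())]

def derive_salt(grid, password):
    """Read the password two letters at a time as (x, y) coordinates."""
    if len(password) % 2 or not (password.isascii() and password.isalpha()):
        raise ValueError("password must be an even number of ASCII letters")
    return "".join(lookup(grid, password[i], password[i + 1])
                   for i in range(0, len(password), 2))

def append_salt(password, salt):
    """First option from the post: salt goes on the end."""
    return password + salt

def interleave_salt(password, salt):
    """Second option: keep the first letter of each pair, replace the second."""
    if len(password) != 2 * len(salt):
        raise ValueError("need one salt letter per password pair")
    return "".join(password[2 * i] + s for i, s in enumerate(salt))

if __name__ == "__main__":
    grid = build_grid(seed=2011)          # constructed grid, not the one pictured
    password = "vhdIKWMpFRLr"             # password traced out in the post
    print("salt on constructed grid:", derive_salt(grid, password))
    # The post's own salt, read off its pictured grid:
    print(append_salt(password, "Qyqcnp"))      # vhdIKWMpFRLrQyqcnp
    print(interleave_salt(password, "Qyqcnp"))  # vQdyKqMcFnLp
```

The salt is a pure function of the password and the grid, so anyone holding the grid can recompute it from the password; the appended form adds length, not independent secret material.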

Thank you for reading this and I look forward to any feedback on this little variant I have on Steve Gibson’s amazing ‘Off the Grid’ paper password generation system.

Until next time, surf safe 😉

Brian

So, are you wondering what the word “ideate” means? Well, I made it up based on normal etymological theory. It roughly means “to create or generate an idea or ideas.”

I suppose that makes it a verb, because it describes the fact of creating an idea.

So, there we are. Now it’s defined somewhere. Please feel free to use it as described. 😉

Brian

Here’s an alternative method for self-verification. For everyone you know, and know to be real through Hangouts or whatever means, mark them, through a checkbox or some-such in their profile (this is hypothetical) as “I verify this person as real”.

This would enable cross-verification through peer-exchange, not through some unilateral demand by a corporation to verify yourself based on some unknown criteria.

To explain the idea further: Let’s say I go to Ryan’s profile page and verify him, and some of his friends do the same. Ryan comes to my profile page (assuming he believes me to be a real person) and does the same for me. This goes on throughout our networks, with those who believe their network associates to be real verifying those associates. This builds a trusted network, through a peer review process, instead of a mandated system of providing personal data.

Someone I know on Google+ had this argument, and I believe that he makes a good point, so we need to find a way to keep the spam-bots out of the network, or at least to a minimum.

Here are his thoughts on the subject:

And spam-bots would happily cross-verify each other. It’s a good way for me to trust that +Ryan Schultz can strongly identify people I don’t know. But it’s not what Google wants. 

I think verification is a good idea — it just needs to be optional. And universal — Anyone want to take the bet that you won’t need to be in the US to be a Real Person™ for the first while?

My reply is the following (edited for brevity, clarity, and to remove irrelevant content):
Perhaps a form of built-in captcha combined with context sensitive image recognition? Combine that with a cryptographically strong ID string which requires some time to generate, similarly to bitcoin…

The idea behind the bitcoin-like key-string generation is to waste spammers’ time and processing power, and to generate a truly strong ID for each system/person.

I think that this is an interesting subject. I welcome opinions and ideas.

Laptop Power Brick Specification Proposal (WIP)
I’m still working on this; any constructive input is welcome.
For those of us that are more than a little tired of having to purchase new power supplies every year for our laptops, notebooks, etc.

Getting the power done right:
Let’s make this make sense to us, as well as business, or it will not be implemented.
1) The power supply must maintain its own cooling.
  • This one thing alone will help to extend the lifetime of any power supply, especially if that cooling mechanism isn’t dependent upon the circulation of air. I’m half-tempted to suggest some sort of internal gel-cooled method, but that’s probably expensive, and prone to any number of potential issues.
2) The power supply must have a universal ability to detect and provide power to whatever (laptop, notebook, net-book, etc.) system it is plugged into.
  • Working on the assumption that whatever one is plugging it into is something that it has the proper adapter and physical ability to power effectively.
3) The power supply must be designed to last 5 years or longer, given proper care.
  • Anything less than 5 years seems to be too short. I know that most people consider laptops and computers in general to be ancient at that time scale. My question is: “why shouldn’t the power supply be reusable for a new system?”
  • A notebook is still a notebook, and will have similar power requirements over time. So why not re-use existing power supplies? Especially ones that are designed to last a long time. This is more ecologically friendly than tossing out (and purchasing new) power supplies each year, and more cost-effective for end-users/consumers.