Why passphrases are a bad idea

Following my discussion of password lengths, it appears that NIST are concerned about naughty people brute-forcing hashes in stolen password lists. In order to make it more difficult, they’re recommending long passwords, like me. But unlike me, they’re suggesting that they should be made up of randomly chosen words to make them easier to remember because the users could connect them in their mind.

NCSC have their own version, which is basically the same. Originally it was suggested four words would be enough, but it’s often reported as just three.

Leaving aside the chances of someone actually picking random words that are genuinely random, I was curious as to how difficult this would be to crack.

Instead of having the 26 letters of the alphabet to play with, using words gives you a lot more symbols. I wondered how many, so I looked in the obvious place – the BSD spell-check dictionary. That’s a lot of words, but realistically you’d want them to be between three and nine characters long. If you make them too long it’ll take more time to type than people will be willing to spend. Also, looking at longer words, they tend to be made up of smaller ones, or common letter combinations (“anti”, “un”, “ly”, “able”).

So, with a bit of awk, I extracted all the words between three and nine characters. There are a LOT. But on closer inspection, they’re not words I’d have ever picked at random, mainly because I’ve never heard of them. They’re the kind of combinations that cause arguments among scrabble players.

To get some idea how many realistic words there were I extracted 200 at random, and went through to pick the ones I knew. I let proper names count, and it turns out that I knew about 20% of them overall. Whether I’d pick many of them if asked to think of a word at random is another matter; and one worthy of study. However, best-case this extrapolates to about 18,000 unique words in the symbol set. So for a three-word combination the best you’re going to get are 18,000^3 or 6E+12. That’s as good as an nine-character a-z password. A nine-character password can be broken in 14 seconds maximum.

Sorry NCSC, but I don’t like these odds. Let’s go up to the four-word version: That has 1E+17 combinations, which could take a couple of months to crack. But this is still being very optimistic about the choice of words being random.

The rationale behind using a passphrase is that it’s easier for users to remember, and this is a good point. People can create a mind map; a short story or scene using the four chosen words. It is certainly easier than remembering a sequence of random symbols. You can also create a mind map using symbols by giving them meaning (1 = flagpole, 2=swan) etc. But this misses an important point – the sheer number of passwords people have in the modern world. I suggest most people would struggle remembering more than half a dozen mind maps, yet probably have well over 100 unique passwords. The only way to manage so many unique passwords is to store them somewhere, encrypted with one master password.

In short, a passphrase instead of a password only makes sense if its pretty darn long. If you’re going for entropy, a random character password – if you can remember it – will be much, much quicker to type.

Barking Mad.com – Is Bark.com is going to the dogs?





Bark.com launched in 2014 as a web based service matching service providers with customers. Basically, you register as a client, say what you need done and it sends job leads to suitable businesses. A bit like computer dating.

And like any business relying on data matching, it will live or die by the accuracy of its data. It got off to an interesting start by purchasing the data from Dublin-based SkillsPages – 20M contacts of dubious pedigree. I know about this, because in the interests of research, someone registered as a supplier of a highly unlikely service in the name of a very well known science fiction character. No checks were made, but as no one needed  the dilithium crystals realigned in the warp drive in a Constitution-Class Federation starship, no offers of employment were ever received by Chief Engineer Scotty. Until, that is, Bark bought the dodgy data and decided Scotty was an electrician in south London and then the leads started rolling in.

Okay, so we all had a good laugh at their expense before the account is cancelled once the joke had worn thin, but it should be an object lesson in data validation if you’re trying to give potential customers confidence in your “Professionals”.

And then this morning, in the space of 90 minutes, I received a load of emails to a made-up address on one of the domains I look after, but using my name. The emails contained quotes for a job that I had apparently posted. How could this be? I scrolled back down the email and found a “Welcome to Bark” message, giving “my” username and password, and implying I’d just created an account and posted a job request. Obviously someone had, but it wasn’t me.

My first reaction was to read the email carefully, looking for the “I didn’t register this account” link, but there was nothing of the kind. Of course, what they should really do is verify any email address; i.e. check that it actually belongs to the person claiming to set up the account.

Out of respect to the people who’d bothered to quote for the job, I emailed them all back saying “Sorry – someone seems to have done this as a joke”. However, Bark bounced these all back, because I’d sent them from my real email address; one that obviously didn’t match the fake one. So Bark can check email addresses when they want to!

Bark.com is leaving itself open to all kinds of trouble by operating like this. The killer is that the professionals putting in the quotes have paid bark.com to do so, but could claim that bark.com hasn’t taken enough care to ensure the job leads are genuine. By not even verifying the email address, they could be said to be making absolutely no effort at all.

When I spoke to Bark.com and raised this very specific issue, the claim was this rarely, if ever, happens. I provided the details and they promised to refund the people who’d been charged for a false lead, and said “This is not how we operate, this should never happen”, and that “when it’s brought to their attention they close down the bogus account and refund the money.”

How long should my password be?

Don’t worry. I’m not getting into cryptography in any detail, and I’m going to try very hard not to mention entropy at all. There is so much confusion about passwords already, thanks to Hollywood movies and IT professionals parroting technobabble. I’m going to explain this in English.

What’s wrong with passwords?

If you’ve seen a cracker breaking into a computer on a TV programme, you’ll be familiar with the setup. Faced with a “login:” prompt, and imminent discovery by the guards walking down the corridor, they frantically type a few desperate things and suddenly the screen changes to “Downloading data, 15 seconds remaining”.

This is, of course, complete fiction. But how do crackers really steal passwords? Let’s assume they can’t guess it, because you haven’t used your kid’s name, “password” or “letmein” (the most common genius ideas from the 2000s). Weak passwords are still a problem, as is leaving a default password on something after installation. But assuming you’re not crazy enough to have one, there are still ways discover hard-to-guess passwords.

Password “sniffing”

The first method is obvious. If you type in your password with someone looking over your shoulder, it’s no longer secret. This may seem too simple to worry about, but it happens. And watch out for cameras. But it can also be done remotely, and this is what a keyboard logger Trojan does. This simple piece of malware intercepts everything you type on your keyboard, passwords and all.

Most malware you’re likely to be infected with includes a key logger, or may download one once the criminals have control of your device. Why wouldn’t malware spy on you while it’s at it? They’re also found on PCs in Internet cafes around the world. It’s amazing how many people lose control of the Hotmail accounts after accessing their email on holiday.

If your password is grabbed by a key logger, it’s complexity, or lack of it, really doesn’t matter. It’s compromised. The traditional defense is to ensure you use different passwords for each system and change your passwords frequently. The first is vital, the second wishful thinking. Changing your Gmail password before the criminals do is unlikely.

There is another solution – two factor authentication (2FA). When you get down to it, there are two ways to prove you are you. One is something you know (e.g. a password), and the other is something you have (e.g. a key, as in lock and key). It helps, think about the them as being a combination lock and a physical keyed lock in the real world. And a door lock that uses both is A Good Thing.

You may think that having a physical key is a perfectly good option, as the key is (effectively) unique. No one else has the key. But supposing you lost it? With 2FA, no one can use you key without also knowing the combination. And if your combination became known, it’s useless without the physical key.

Another good example is chip-and-pin bank cards.

Incidentally, you may hear people going on about MFA (Multi-factor authentication). What the third or subsequent factors may be is hard say, but for marketing purposes “multi” sounds better than “two”. (Bio-metrics are often cited as a third factor, but it’s effectively using your body as a key. In other words it’s still something you have).

Wholesale pilfering

But I’ve digressed. I was supposed to be talking about the second way of having your password stolen, and it’s also pretty simple: An attacker gets access to a computer containing a list of passwords, including yours.

Although it has been known to happen, there should never actually be such a list of readable passwords. That’d be crazy. If you don’t have a list of user-IDs and corresponding passwords, no one can steal it. If you do have such a list, expect it to be nicked.

But if there’s no list of passwords, how does a computer know if you’ve entered your password correctly? What is it checking your password against to see if it matches? That’s the cleaver bit.

What you do is keep a list of users, together with their hashed passwords. A hash is a code derived from your password, but which isn’t your password. When you log in, the computer derives the hash code from whatever you’ve entered and compares it with the stored hash – if they match then you entered the right password.

So how is a hash derived? How about an example. In our system a password is going to be a number, for simplicity. And I’ll call this number ‘p’ (for password). The resulting hash I will call ‘h’. Our hashing function (number 1) is going to be:

h = p x 7

Applying this to various passwords gives:

User (stored)Password (not stored)Hash (stored)
Tom 123 0861
Dick 200 1400
Alice 321 2247
Jane 567 3969
Table showing passwords hashed using trivial method

So, if Alice comes along and types her password as “321”, the computer hashes it and gets 2247. It then compares this with the stored hash, and open sesame.

If the user list is stolen, the thief won’t know Alice’s password is 321. Unless, of course, they divide the hash value by seven. Hash method 1 is pretty rubbish, as you can work it backwards.

But if instead of multiplying, you divided by seven then you wouldn’t be able to work backwards to Alice’s password if you only stored the integer part. Or the modulus. But unfortunately, one in seven passwords entered would also match. Unless you pick a suitably complex number – how about Pi, and ignore the integer part. If we do this, we end up with the following:

User (stored)Password (not stored)Hash (stored)
Tom 123 1521
Dick 200 6619
Alice 321 1774
Jane 567 4817
Harry???9915
Table showing passwords hashed using the improved algorithm

This is a much better hash, as you can’t reverse the method and retrieve the password. You can’t take Harry’s hash of 9915 and calculate what his password was. But, unfortunately, you can still work it out. If our passwords are all three digit numbers, there are only 1000 possible choices, and a computer could try them all in turn until if found a match. And this is why password complexity matters. If there are enough possible combinations it could take an unrealistic amount of time to try them all.

The next question to ask is “How many combinations are there?” I said at the start I’d keep the maths very simple, so you may want to skip this bit. But it’s not hard.

If you have a single character password that has to be a letter a-z, there are 26 possible combinations. That should be obvious. If you have two letters, the possible combinations are 26×26=676. Three letters is 26x26x26 (or 26^3)=17576 choices, and so on. In other words, if you take the number of possible characters and raise it to the power of the length you’ll have the total number of possible passwords. The following table gives the possible combinations for different lengths of password and sets of symbols.

lengtha-za-z,0-9a-z,A-Z,0-9 a-z, A-Z, 0-9,
~!@#$%^&*_-+=`

|(){}[]:;”‘<>,.?/
126365296
2676129627049216
31757646656140608884736
44569761679616731161684934656
51E+076E+074E+088E+09
63E+082E+092E+108E+11
78E+098E+101E+128E+13
82E+113E+125E+137E+15
95E+121E+143E+157E+17
101E+144E+151E+177E+19
114E+151E+178E+186E+21
121E+175E+184E+206E+23
132E+182E+202E+226E+25
146E+196E+211E+246E+27
152E+212E+235E+255E+29
164E+228E+243E+275E+31
Table of possible permutations based on password complexity and length

If you’re not familiar with the number format 2E+09, it simply means 2 followed by nine zeros. When we’re talking about big numbers, the number of digits is going to be more useful.

On the face of it, the last column, including all the punctuation characters, is considerably better than a simple choice from a-z. But look more closely and you’ll notice that adding a few more simple characters quickly brings the number of combinations up. For example, an eight-character really complex password has a similar number of permutations to a simple ten-character one. Or a nine-character password if you add 0-9 to a-z.

I don’t know about you, but I’d rather type simple characters rather than messing about with shift, capital letters and punctuation. This puts pay to Myth Number 1: using punctuation and suchlike is necessarily better. The extra keystrokes hitting the Shift key are greater than if you stuck to lower-case.

Actually, it’s a lot worse than that. Everyone knows that people capitalize the first letter, use a $ instead of S and stick a ! on the end – or something similar. If they’re forced to change the password regularly they add 01, 02, 03… and so on to the end, which means an attacker can try such likely variations first.

So the characteristics of a good password are, simply, something that’s complex enough that it would take an unrealistic amount of time to brute-force, AND which is easy to type. Forget easy to remember; it’s got to be random. Passwords containing words to bulk out the length are much easier to crack, as words can be checked for early on.

So how complex does a password need to be? Well that depends on how fast an attacker can cycle through all the possible combinations. Using a computer, does 1000 guesses a second sound reasonable? How about a million? In Your Dreams. The fastest password guesser I know of in private hands can test 400,000,000,000 every second. That’s 4E+11. If you used the full symbol set, at random, a six-character password would take less than a second. If you simply have a rule saying “must contain two out of digits, upper-case letters or symbols”, and people have just one of each to satisfy the requirement, it’ll be substantially faster.

Put another way, a fully secure Microsoft-standard random password with no mistakes will take about five hours, maximum. You can bet nation states and serious cyber-criminals are going to be faster still; I wouldn’t be surprised if it was minutes or even seconds.

So how long if I want to be safe?

So how long should your password be? Well I’d like one that can’t be cracked in 1000 years as a minimum. That’s 3E+10 seconds. The cracker runs at 4E+11 a second, so multiply them together and you get around 1E+22 combinations needed.

From the table above, 16 random a-z characters is enough, or 15 characters if you add 0-9. If you want to include punctuation and so on, and you really, really, don’t mind mixing them in at complete random, then 12 will be enough. But this is a minimum, and you’ll probably have to add a character every year.

The smart answer is to abandon passwords and use certificates instead.

Five year old “new” malware discovered “by Kaspersky”

Yesterday Russian security company Kaspersky has released an analysis of what it claims is previously undiscovered malware, which has come to be known as Salron. Kaspersky’s analysis is incomplete, but contains more detail than was generally available in public beforehand. They admit it’s “probably” been around for five years, and this is true; but it’s not exactly unknown. The unknown group  behind the attacks has become known as Strider, and they’re using a backdoor program called Remsec. Details of this were published by Symantec a week ago.

Kaspersky’s conclusion is that this is a “Nation State” level piece of malware. It’s possible, but other than being very competently produced, I have seen no conclusive evidence to back the claim at this stage, but there’s quite a bit that’s circumstantial. According to Symantic, it’s been used to target relatively few organisations – mostly in Russia, with a Chinese airline and an unspecified embassy located in Europe. In other words, that naughty Mr Putin is at it again. Or is it the Chinese attacking their neighbour?

Based on the public analysis, it was written by some very smart people and avoids the mistakes made in previous systems such as Stuxnet. Kaspersky points to it being a rung up the technology ladder as an indication it was another government-sponsored effort, although in practice, anyone could learn the same lessons and produce a new generation.

AV companies have been detecting this for over a week, and it hasn’t thrown up a large number of infections. This is intriguing. Also, the way it works  to circumvent very specific and uncommon high-end security software indicates its in the APT category.

Microsoft, who’s operating systems it attacks, has yet to comment.

Quadrooter – major security bug in Qualcomm Android drivers

Check point software claims to have found what it calls a serious vulnerability in Qualcomm software running on LTE chip-sets used in many Android ‘phones. Apparently they informed Qualcomm about six months ago, and they’ve now modified their drivers to stop it in future, and issued patches, but I doubt many of the 900,000 of the devices already sold with the LTE chips will end up being patched. LTE is two-thirds owned by Qualcomm.

Check Point has released an App to check whether your phone is vulnerable, but it’s up to the device manufacturers to actually push the patch on to their users. The major ones may, but the majority of handsets are of the cheaper variety, sold in third world countries, and not as well supported.

Normally I’d treat stories like this with a bit of caution, and I’ve yet to fathom exactly how ti works. However, Check Point’s description is scary – and the Israeli company isn’t known for hype. Basically, the flawed Qualcomm chip-set drivers have flaws that allow a downloaded App to gain root access without the need for any unusual permissions. This is bad.

Check Points advice is to only trust Apps installed from Google Play, which is ironic given that as recently as this May they released a report saying you shouldn’t trust Apps from Google Play as too many nasty ones crept in.

Parent Pay adds fuel to its fire

Following a disastrous software “upgrade” on 6th June, it appears that ParentPay, the controversial on-line payment system used by many schools, finally appears to have noticed it has a problem. In an email sent to all its 1.7 million victims users today, CEO Clint Wilson apologised that people were having difficulties with the new system and conceding their support service was overwhelmed. He promised to fix the problems and get it right over the summer.

Perhaps in order to emphasise the fact that he really don’t know much about this technology stuff, the email was sent in a Microsoft-only format, with an invitation to “view it in your web browser” if you weren’t using Hotmail, or whatever else it was designed for. It really doesn’t bode well.

The ParentPay website was always awkward, requiring very specific web browsers in order to operate, and using insecure technologies rather than HTML. The latest update relied very heavily on JavaScript and assumed specific screen resolutions, forcing people to upgrade browsers and wait for updates in order to use it – and it looks ridiculous on a desktop-sized screen.

At the same time ParentPay implemented a system where parents were made to pre-pay in to the account and then allocate funds later, rather than paying for the items at the time they were selected/purchased. Subsequently the company has sought to defend this tiresome system as an initiative to help low-income families, although exactly how pre-payment does this isn’t clear. The fact that ParentPay is left holding money for longer before the school gets is probably didn’t even cross their mind.

Parents, already leery about the whole ParentPay system and the way it has been imposed on them by schools in spite of widespread long-standing dissatisfaction, have taken to social media to slag off the crass software update and appalling customer service..

It’s a sad fact that schools and local authorities lack the necessary IT savvy to spot a turkey when its marching up and down in front of them, and instead opt for “safety” in numbers. I don’t actually blame the schools for this – it’s not their job. It’s the government and local authorities that are unable to provide good advice – but local authority and government IT projects are, of course, a byword for expensive shambles.

Am I being phished?

Today I received an intriguing email with a Microsoft Word attachment implying I had money coming to me if I filled in a form. Yeah, right. I was just about to hit delete but I was a bit surprised the sender was addressing me as Prof. Leonhardt. It’s hardly the first time someone’s got this wrong – and to be on the safe side I can see why people might start high and work backwards through Dr. and so on, as people who are about such matters are only offended if you start too low.

But why would a botnet add the title?

On closer inspection I recognised it was a royalty payment enquiry from a publishing company that had actually done a book for about five years ago. I didn’t expect it to sell (it wasn’t that kind of book), so hadn’t thought much about out.

But I still haven’t opened the attachment. The email headers suggest it came from the publisher, but they can be forged. And this could be a clever spear-phishing attempt – after all, if you bought the book, which was largely about email security, you’d have the name of the publisher and my name – and the email address used can be found using Google.

I don’t believe I have ever been spear-phished before, so I’m feeling a bit more important than I did yesterday.

Time to fire up the sandbox!

New mystery “Appear in Court” malware

In the early hours of the morning (BST) I intercepted a large number of emails of the “Appear in Court” variety, but unlike usual, these were not Microsoft documents but JavaScript (stored in a .ZIP file). They end in .doc.js, which means they obviously look odd.

I couldn’t resist running a few, to see what they did, and the answer is not much. They run cmd.exe and I’m pretty sure it does an egg hunt to find some code in core to execute, and it goes looking for DOCUME~1.DOC in various likely locations. But in my sandbox, it doesn’t get anywhere.

These are being spammed from clean IP addresses, no AV currently detects them by signature, so they’re going to get through. But what do they need to run, and what do they do if they succeed? Unfortunately I can’t stick around this morning to check further.

Microsoft Windows Backup Dramas

brokengreenglassAlways take a backup. Everyone knows that. There are plenty of articles on the web singing the virtues of the the new (Windows 7, 8 and 10) backup utility, and how easy it is to use. But none on how to actually restore your data when things go wrong. ‘sfunny that.

A week ago, when my Windows PC decided to scramble its hard disk I felt smug for having followed my long-standing advice. I’d taken an Image Backup of the entire system disk with the applications installed, data files were shadowed on a server (FreeBSD of course) and I had last month’s “User files” Windows backup to bring the system up-to-date (the odd Windows update notwithstanding). And even better, the system was still in a condition to boot albeit with a few warnings about corrupted DLLs, none of which were important.

Ha!

The first stage in any situation like this is to make an exact copy of the trashed drive in case things go horribly wrong. This involves mounting the disk on a working system and copying the drive as data. If you;re reading this because you are having problems, but don’t have the ability to image a drive, please find someone who can do this for you. The remainder of this diatribe assumes that you either know what you’re about, or at least have a safe copy of the disk you’re about to try and resurrect.

Only when the drive is imaged and safe is it okay to to try to boot the machine and run CHKDSK.  No hardware faults were found in this case, but it fixed numerous errors in the directories and it was pretty obvious that nothing on the disk could be trusted. Windows had obviously gone ape and trashed the disk itself. so it was necessary to restore from a Backup Image to ensure the system was clean. And this is where my fun really started.

You have to reboot the PC into recovery mode (Windows RE). This is achieved by holding down a function key on boot  and selecting the “Recovery” option from possible boot disks (details vary by manufacturer), or if you’re running Windows already you can find it under Advanced Options on System Restore – it will reboot to Windows RE mode for you. Then all you need to is select the image you want to restore, which in my case was on the network, so I entered the server details and login as requested. No dice.

Re image Your Computer

An internal error occurred. The following information
might help to resolve the error:

The network location cannot be reached. For information
about network troubleshooting, see Windows Help (0x0800704CF)

The restore utility must be wrong, and a quick Google search threw up some possible explanations. In my case it was nothing to do with the file permissions; it was on a FreeBSD cluster and I’m very confident I have control over the file permissions on that.

So what next? A Windows Image backup (since Windows 7) creates a .vhd file (Virtual Hard Disk). This is Microsoft’s half-arsed equivalent to being able to mount a file as an device and then using an FS on it. You can mount (Attach) a .vhd file from the “Mange Computer” console, using menu that pops up when you right-click on the “Disk Management” part of the tree on the left, which is not obvious. (Even less obvious: to detach it you need to right-click on the left-hand area representing the drive in the partition map on the right).

So, if Windows RE couldn’t read the image across the network I decided to use Windows itself to copy the files back manually by mounting the .vhd from the backup location. This isn’t that simple; you can’t copy the OS back while it’s running so you need to boot from somewhere else before you finish the job, but its better than a poke in the eye with a sharp stick.

Again, no dice.

“This image was created by a different version of Windows”

What? No way! It was created by this version of Windows; on this PC, no less.

This may have been because, for some bonkers reason, you can’t mount a backup .vhd as read-only, at least the first time its mounted on anything. It doesn’t tell you this, it just says that its an incompatible version. You must un-check the Read-Only box; and if you’re like me, you’ll make a backup of the backup before doing this. But it still didn’t work.

I tried again with the backup .vhd I’d made, largely because it had a much shorter name, and bingo! It mounted and all my files were visible. What’s going on? It wasn’t a permissions issue – of that I’m certain. The only explanation I’ve have is that the path name was too long before, with the Microsoft names being a UUID (GUID). Try shortening the name/path if you can’t mount a .vhd.

Armed with this knowledge that the .vhd really was good, I fiddled the file names and associated links and tried Windows RE image restore again, but with the same 0x800704CF error code as a result. A bit more digging, and it turns out this means that basically the system isn’t talking to the network card, probably because there is no driver. Microsoft’s solution is to install the driver with the disk that came with the card. But this Lenovo PC came with pre-installed Windows and NIC – Microsoft doesn’t supply Windows OEM on a disk any more, never mind a driver CD. One might assume, given that Windows RE happily asked me for network credentials as I supplied it with the network address of the image, that it had the network driver pre-installed. But that would be to sensible.

Rather than messing about looking for a suitable NIC driver and burning it to a CD, I just copied the “WindowsImageBackup” folder to the root of a USB-connected and disk and it restored just fine. Actually, it only worked after I moved the USB drive from its normally USB 3 slot to a USB 2 slot, because presumably Windows RE doesn’t have a driver for USB 3 hardware either. A pattern was emerging.

The image was restored; all my software was back. The only snag is that there were more than 200 Microsoft updates; taking another four hours to install. But at least I knot it’s now a clean install, and as a reward for my hard work I was able to put put of installing the Windows 10 “upgrade” nagware (KB2952664 and KB2976978 if you’re interested – it doesn’t identify itself as such).

So what have I learned from all of this? “Don’t Trust Microsoft”? Well I haven’t trusted a Microsoft backup solution since MS-DOS 2.1, and with good reason. But from now on I’ll always take the trouble to use dd image for imaging drives in future, even if that means taking them out of the PC to do it.

Flash Crash (Adobe version)

AGet the dobe Flash (the browser plug-in) is notorious as a security risk, and the current batch of known exploits does nothing to improve it’s reputation. Sorry Adobe.
CVE-2016-1010 is the latest biggie, as it allows remote code execution on all but the very latest plug-in. There’s also CVE-2015-8651, CVE-2015-7645, CVE-2016-0963 and CVE-2016-0993 to worry about.

You should, of course, make sure that you have the latest plugging installed on your browser. Unfortunately the version numbering system varies by platform so I can’t easily tell you which you need.

When looking at multifarious Adobe Flash vulnerabilities in the NIST database I’m always amused to note that it appears to be written in Coldfusion. For the last ten years that’s been Adobe Coldfusion. Oh my!