Hack of Sarah Palin's account shows security questions can be a joke

Those questions so many Web sites ask us to answer -- the ones that let us recover a lost password -- can be a joke. Especially if the person answering them is a public figure. In recent years, at River's suggestion, I've taken to using nonintuitive and/or false answers to as many of those questions as I can.

Posted on September 18, 2008 at 11:06 AM | Permalink | Comments (0) | TrackBack

Google Chrome shows how bad things have gotten

Three thoughts about Google Chrome:

1. Regarding security and performance, come on! What on earth have the other browser makers been doing for the past five years? This is work they should have done. Especially Microsoft, which had the money to do it. Now Google's done it first and Microsoft will be playing catchup not just in search, but in desktop software -- supposedly its core competence.

2. When I was floundering around trying to finish my book, I jokingly suggested to some that I frame it as a comic book. Turns out that was the right medium to explain the pickle we're in, regarding the future of browsers. Well it wasn't the first time I thought of something first!

3. Chrome sounds pretty good, and although I don't jump to adopt things first the way I used to, I'm going to need some powerful reasons not to try it out once it gets traction. Like some new intrusion into my privacy. But Google's already there (although I didn't let the company index my hard disks).

Posted on September 2, 2008 at 09:39 AM

There's logging out, and then there's logging OUT

Here's an interesting idea... two-tier logouts:

[Image: Linkedin_signout_6]

I found this example at Linkedin.com. I wonder if this will become a widespread notion. In these days, could it hurt?

Posted on February 28, 2008 at 08:48 PM

My Digital Signature Adventure, Day Two

Today started with me requesting a digital certificate from Thawte "at the freemail level of assurance" for a POP3 email address I use that's different from the one I used yesterday to create my own digital signature. I intend to try to use both addresses as I continue to explore how digital signatures work.

These certificates are in X.509 format. There's still no Eudora support, so I chose to request one in Mozilla Firefox/Thunderbird format. (It's ironic that down the road, Thunderbird and Eudora will be merging, but they haven't yet.) The first thing I discovered: I can't request the Mozilla certificate from within Internet Explorer (makes sense, I guess).

So I requested one from within Firefox. Then I had to choose which email address to select for the certificate:

"Most mail clients support S/MIME and can use these certificates if you include your email address."

Next, Thawte had this to say:

"Strong Extranet Identities

"thawte offers a very simple but powerful 'extranet certification' system which enables organizations to certify their partners, customers, suppliers or employees, and to use these certificates for access control to secure web servers. The 'Strong Extranet' is the easiest way to migrate from username/password access control to certificate-based access control.

"If you have been certified as a member of any extranets the relevant identities will appear below. Check those you wish to include into this certificate."

None are listed. So onward I go.

"Accept Default Extensions

"The newest versions of the certificate standard allow you to embed a series of certificate extensions into your digital certificate. These extensions will influence how the certificate can be used by applications. You can safely skip this page by accepting the default extension configuration.

"Advanced Users: Configure Certificate Extensions

"Click "Configure Certificate Extensions" to customize some of the more common certificate extensions. Don't choose this option unless you know what you are doing."

Out of curiosity I click on "configure certificate extensions" and find this scary bit of text that stops me cold:

"Please note that the extension options below are not for the faint of heart. You probably won't trigger a Vogon invasion of Earth if you press the wrong button, but you might cause weird behaviour in some otherwise-normal software. Don't fiddle with this unless you've been told to, or unless you're a born fiddler."

With that, it's back to accepting the default extensions! But there's no "back" button so I have to start the process again and get back to that point.

"Public Key

"Your Personal Certificate will contain a public key. People will use that public key to encrypt information for your eyes only. If the drop-down listbox below does not include 1024-bit keys, then you should update your browser to full-strength crypto by downloading a new browser from Netscape. If for some reason you cannot do that, then try installing Fortify to upgrade your browser to full-strength crypto."

Firefox lets me choose between 1024-bit keys (medium grade) or 2048-bit keys (high grade). I choose 2048-bit keys.

"You can continue your request by pressing "Next" below. If necessary your browser will walk you through the public key generation process."

I continue.

"Confirm Netscape Certificate Request

"You are about to complete the certificate request process. Please look at the following summary and make sure that everything is correct. Once you press "Finish" below you will be unable to edit or alter the contents of this certificate!

"The certificate will have a distinguished name that looks like this:

Common: Thawte Freemail Member
Email: [my email address]

"If you need a certificate with your full name in it, then you need to join the Freemail Web of Trust.

"It may also include at least the following extensions:

"X.509 SubjectAltName

"This certificate contains a set of alternative names for the certificate subscriber. They are listed below:

  • Email: [my email address]

"Please note that we will also add a BasicConstraints, and ExtendedKeyUsage and an authorityKeyIdentifier.

"If you are happy with this, press "Finish" below. If not, please use your back button to select the correct distinguished name and certificate extensions for this request."

(Once again, frustration! Firefox opened this dialog in a pop-up window with no back button. What the heck -- forward I go.)

"Personal Certificate Requested

"Your personal certificate request has been committed to our database. You can track the status of all your certificate requests through the Certificate Manager. You will also receive email notifying you of major status changes for this request. For example, when your certificate has been issued and is ready for you to download, or when it is revoked, or when it is about to expire, our system will send you a cautionary message.

"Certificate Manager Page

"To go to your Certificate Manager page, within your account, click here.

"Your certificate should be at the top of the list. Click on it to view the current status. When your certificate is issued you will download it directly from that page!

"Get the most from your digital certificate with these products and services.

"S/MIME In Communicator And Later

"If you are using Netscape 3.x then you will not be able to use S/MIME for secure email and news. Upgrade now to Netscape 4.x or later to encrypt and sign your email!

"Non-US Users Can Get 128-bit Crypto!

"International users of the English version of Netscape Communicator 4.5x and earlier, which supports only 40-bit encryption, can upgrade their software at no cost to support full 128 bit encryption using the Fortify tool, available from https://www.fortify.net/download.html. Users of the export version of Netscape Communicator 4.6 and later will have 128-bit encryption enabled already."

So now I wait for an email from Thawte. I'll have to install the Mozilla Thunderbird client in order to test this out, but that's work for another day.

Posted on October 18, 2007 at 04:52 PM

Perfect timing: Moderating the Smartphone Summit security panel

With Apple's announcement of the iPhone SDK, and plans to become a trusted source of certified third-party applications for the iPhone, the mobile phone industry is now challenged not to head back down the same path as the PC did, where malware, spyware and viruses broke the trust that the public once had when downloading applications.

I'm pleased to have a contribution to this conversation. Next Monday, I will be moderator of a panel in San Francisco, "Smartphone & Wireless Security: Steps to Safeguarding Your Business," at 2:00 p.m. at the Smartphone Summit.

The future of downloadable applications is at stake. Can we trust Apple, the other handset makers, and the carriers to do application security right? Will the certificate authorities step in and do it instead? Or will we continue to suffer through countless "trust me?" challenges from our devices? If the answer is the latter, I believe the notion of the downloadable application may be as doomed as so many pundits say it is. And that would make the public and all its most confidential information totally dependent on service providers.

Posted on October 18, 2007 at 08:55 AM

My digital signature adventure, Day One

We learn by doing. Some of us learn later than others.

When I listened to an old Security Now! podcast recently, and Leo Laporte told Steve Gibson that he digitally signed all his emails, I resolved then and there to start doing so myself. If Leo can do it, I can do it!

Of course, I'm still not sure what to tell the recipient of my signed email to do with that signature, but just sending signed email seems to me to be a great start.

My email client's old and out of fashion, the operating system is even older, but before I chuck both and just use Gmail or something, it's time once and for all to see if I can digitally sign my emails for the first time.

My email client: Eudora 7.0. The operating system: Windows 2000. There's probably a lot more of these out there than you might think.

First, I download GPG4Win. I click install. It tells me:

Welcome to the installation of Gpg4Win. GnuPG is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440.

This is GPG4Win version 1.1.0. file version 1.1.0.407. release date 2007-05-24.

I deliberately didn't choose the newest version available, figuring an older one would be more stable. But the Web site gave me no advice on this matter.

I'm installing the following: GNU Privacy Guard (not optional), GNU Privacy Assistant (GPA), Windows Privacy Tray (WinPT), GPG Explorer Extensions (GPGee), and Novice Manual. Installed to c:\Program Files\GNU\GnuPG. Added to Start Menu (Eudora folder), Desktop, and Quick Launch Bar.

When I opened the GPGee Manual, the beginning amused and frightened me:

GNU Privacy Guard, or GPG, is the premiere open source implementation of OpenPGP encryption. It is secure, free and open, versatile, and about as user friendly as toxic waste.

After installation, I wasn't sure what to do next. After I clicked on something one too many times, WinPT suddenly stopped working. Sigh. So I rebooted. This time up came the following dialog box:

[Image: Photo_1_3]

I chose to generate a key pair (the option selected above). Doing this launched the key generation wizard:

[Image: Photo_2_3]

Then I entered a passphrase to generate my key:

[Image: Photo_3]

And finally, got this encouraging message:

[Image: Photo_4]

Again, I wasn't too sure what to do next. But I knew Eudora needed its own plug-in to work with GnuPG and GPG4Win. I saw warnings telling me Eudora 7 didn't work with it, but other contradictory messages saying that it did. There were also some old, broken links that didn't point to any Eudora plug-in, but finally I found this one and downloaded the plug-in (eudora-gnupg-plugin-2.0rc1.zip) from there. I unzipped the plug-in and read the English documentation. It told me to copy the file Eudora.GPG.dll into the plugins subdirectory of the directory where Eudora is installed.

When I restarted Eudora, new icons had appeared at the top. I created a test email. The new icon that lets me sign an email is at the top in the photo below, visible as a pencil icon (fifth from the right). Below it is the dialog box that appears when I want to enter my passphrase to sign the message. The "signing key" drop-down offers to fill in the email address I gave when I generated the key pair:

[Image: Photo_5_3]

The PGP signature got attached to my message, and the top of the message now states, "BEGIN PGP SIGNED MESSAGE".

I sent this test message off to my wife River, who received it and asked, "how do I know that's you?"

So that's where I stopped for Day One of my digital signature adventure. Another day, I'll try to find her an answer.

UPDATE: Apple's trying to answer River's question too, in order to open up the iPhone to third-party applications.
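To make River's question concrete, here is an added example (my own code, not the blog's and not the Eudora GnuPG plug-in's) that parses the clearsigned format behind that "BEGIN PGP SIGNED MESSAGE" line, following RFC 4880 section 7. It separates the armor headers, the dash-escaped cleartext, the canonical bytes the signer actually hashed, and the base64 signature block, and it checks the armor's CRC-24. The sample message is constructed inline, and the 24-byte "signature" in it is a placeholder, not a real signature packet. The point the parser makes: the checksum only tells the recipient the block survived transit intact; knowing that the message is really from the sender requires verifying the signature with the sender's public key, whose fingerprint has been confirmed some other way (in person, by phone, or through a web of trust).

```python
import base64
from dataclasses import dataclass

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880 section 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


@dataclass
class ClearsignedMessage:
    hash_algorithms: list   # from the "Hash:" armor header(s)
    text: str               # cleartext as the reader sees it, dash-escaping removed
    canonical: bytes        # what the signer hashed: CRLF endings, trailing blanks stripped
    signature: bytes        # raw signature packet; verifying it needs the signer's public key
    crc_ok: bool            # armor checksum matched, i.e. the block was not mangled in transit


def _find(lines, marker, start=0):
    for i in range(start, len(lines)):
        if lines[i].rstrip() == marker:
            return i
    raise ValueError(f"missing {marker}")


def parse_clearsigned(message: str) -> ClearsignedMessage:
    lines = message.replace("\r\n", "\n").split("\n")
    start = _find(lines, BEGIN_SIGNED)
    sig_start = _find(lines, BEGIN_SIG, start + 1)
    sig_end = _find(lines, END_SIG, sig_start + 1)

    # Armor headers (e.g. "Hash: SHA256") run until the first blank line.
    hashes = []
    i = start + 1
    while i < sig_start and lines[i].strip():
        key, _, value = lines[i].partition(":")
        if key.strip() == "Hash":
            hashes += [h.strip() for h in value.split(",")]
        i += 1

    # Cleartext: any line that began with "-" was prefixed with "- " by the signer.
    body = [l[2:] if l.startswith("- ") else l for l in lines[i + 1:sig_start]]
    # RFC 4880 7.1: hash over lines with trailing spaces/tabs removed and CRLF endings;
    # the line ending just before the signature armor is not part of the signed text.
    canonical = b"\r\n".join(l.rstrip(" \t").encode("utf-8") for l in body)

    # Signature armor: optional headers, blank line, base64 data, optional "=CRC" line.
    j = sig_start + 1
    while j < sig_end and lines[j].strip():
        j += 1
    b64, crc_line = [], None
    for l in lines[j + 1:sig_end]:
        l = l.strip()
        if l.startswith("="):
            crc_line = l[1:]
        elif l:
            b64.append(l)
    signature = base64.b64decode("".join(b64))
    crc_ok = (crc_line is not None and
              int.from_bytes(base64.b64decode(crc_line), "big") == crc24(signature))
    return ClearsignedMessage(hashes, "\n".join(body), canonical, signature, crc_ok)


# --- constructed sample (not a real signature): a 24-byte placeholder stands in for the
# binary signature packet, so the armor and checksum are well-formed but unverifiable. ---
SAMPLE_SIGNATURE = bytes(range(1, 25))


def _armor_signature(packet: bytes) -> str:
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN_SIG, "Version: constructed example", "",
                      base64.b64encode(packet).decode(), "=" + crc, END_SIG])


SAMPLE_MESSAGE = "\n".join([
    BEGIN_SIGNED,
    "Hash: SHA256",
    "",
    "Hi River,   ",                      # trailing blanks: ignored by the signature
    "- -- this line began with dashes, so the signer dash-escaped it",
    "It's me. Honest.",
    _armor_signature(SAMPLE_SIGNATURE),
])

if __name__ == "__main__":
    parsed = parse_clearsigned(SAMPLE_MESSAGE)
    print("hashed with:", parsed.hash_algorithms)
    print("signed bytes:", parsed.canonical)
    print("armor intact:", parsed.crc_ok, "| signature packet length:", len(parsed.signature))
```

Two behaviours are worth noticing when you run it. First, "Hi River,   " and "Hi River," hash identically, so a mail gateway that strips trailing whitespace does not break the signature, while one that rewraps lines does. Second, flipping one character in the base64 block makes `crc_ok` false, which is the same kind of "bad armor" complaint a client shows; it says nothing about who signed, which is exactly the gap River noticed.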

Posted on October 17, 2007 at 02:43 PM

Does the iPhone contain a big security blunder?

Steven J. Vaughan-Nichols raises quite an alarm regarding iPhone security:

"Now it seems that all applications run on the iPhone as root. Can you say biggest security blunder of the 21st century to date?"

This raises lots of questions for me. First, do any Mac OS X applications run as root as well? If not, why would Apple choose to run the iPhone applications as root?

Posted on October 3, 2007 at 04:05 PM

Does having a home server make you dorky?

Sun Microsystems CEO Jonathan Schwartz always has something interesting to say. Last night's remarks at a party at Burton Group's Catalyst North America conference were no exception. At one point, he took a straw poll of attendees, mostly CIO types, asking them how many of them had servers in their homes 10 years ago. Lots of hands shot up. Asked how many have one today, few hands were raised. Schwartz said when he arrived at Sun and learned that so many in the Sun community had servers at home, he thought to himself, "What a bunch of dorks." This remembrance prompted lots of laughs. He went on to describe how wonderful it is to have all these new Web services that store our data for us, and no doubt there are lots of advantages to this approach for lots of applications.

But I'm wondering if home servers are really an endangered species or not. Over at Calendar Swamp, I should be rejoicing about the huge number of services (Plaxo being the latest) that offer to manage your calendars in the great Web 2.0 cloud in the sky, right down to the newest devices (i.e. iPhone). But I remain reluctant to put that sort of information on someone else's server. Plaxo, to their credit, has a much stronger privacy policy than Google does, but is it merely dorky to wish, as I do, that I could run my own calendar server? Isn't that what the open source movement was all about? Someone needs to convince me that the same Internet subject to all sorts of security vulnerabilities is the same Internet that can keep my most personal information personal. I'm still waiting for proof. Do I concede that running my own server would be a bigger pain in the neck than I could ever want? Or do I imagine a future where servers just work (maybe because they're not Windows-based) and I don't have to outsource everything just to be secure? Does that make me a dork?

Posted on June 29, 2007 at 08:29 AM

Thawte needs to support more email clients

Nearly two years ago, I wrote this post looking for a cheap, easy way to digitally sign and encrypt my email. Recently I came across Thawte, which provides X.509 digital certificates for individual use, for free. Unfortunately, Thawte only supports Netscape Communicator/Manager, Internet Explorer, Outlook, Outlook Express, Lotus Notes (R5), Opera, and the C2Net SafePassage Web Proxy (acquired by Red Hat in 2000). I'd like to see Thawte support Apple Mail and Eudora, the email software in use in my family (and many, many other places). Or if Eudora isn't in the cards, how about supporting Firefox? Then I could use Gmail. But I won't tie myself to Internet Explorer just to use Gmail.

Posted on May 11, 2006 at 10:38 AM

The 36-hour patch

I timed how long it took Windows Update to run the latest security patch, from first bytes downloaded to installation completed, on my older Windows 2000 laptop. About 36 hours, over broadband! A good thing I didn't particularly care when it was going to ask to reboot the system.

Posted on April 17, 2006 at 10:55 AM