"Murphy was an optimist!"
Please allow your APIs to bypass 2 factor authentication – Mint and Paypal, I’m talking to you! August 16, 2011 1:15 pm
Posted by Doug McCaughan in : Security, Technology
I use and love Mint.com. I use and love my Paypal security key. However, I cannot use the two together. Either I use mint.com without my paypal details (undesirable) or I lower the security on my Paypal account by deactivating my security key (undesirable).
Two-factor authentication (TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two different kinds of evidence that someone is who they say they are.
What is desirable is the ability to authorize certain applications to bypass 2 factor authentication, in the same way that Google Accounts lets me bypass its 2 factor authentication for applications that I trust. So I should be able to go into my Paypal settings and say “trust mint.com without 2 factor authentication”, and Paypal would assign a key (a GUID, a long string of characters, whatever) specifically for mint.com that would effectively be Mint’s password into my Paypal account.
Making this work would of course require cooperation between Mint and Paypal. To see it in practice, go to Google Accounts, turn on 2 factor authentication, then set up Gmail on an iPhone, Blackberry or Android. There’s the model.
See also: Google’s Getting started with 2-step verification for a demonstration of application specific passwords.
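As an added illustration (not code from this post, Google or Paypal), here is a minimal model of the application-specific password scheme described above: the account keeps its normal password-plus-security-key login, and each trusted app gets its own random credential that is stored only as a hash, identifies the app it was issued to, and can be revoked on its own. All class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


def _digest(token: str, salt: bytes) -> bytes:
    """Slow salted hash, so a leaked database does not leak usable tokens."""
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, 100_000)


@dataclass
class AppPassword:
    app_name: str          # e.g. "mint.com": the one app this credential is for
    salt: bytes
    digest: bytes
    revoked: bool = False


@dataclass
class Account:
    """Hypothetical account record; the master password + 2FA path is separate."""
    username: str
    app_passwords: List[AppPassword] = field(default_factory=list)

    def issue_app_password(self, app_name: str) -> str:
        """Mint a random per-application credential. The plaintext is returned
        exactly once for the user to paste into the app; only its hash is kept."""
        token = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        self.app_passwords.append(AppPassword(app_name, salt, _digest(token, salt)))
        return token

    def authenticate_app(self, token: str) -> Optional[str]:
        """Return the name of the app that owns `token`, or None. This path never
        asks for the security key, which is exactly the bypass the post wants."""
        for ap in self.app_passwords:
            if not ap.revoked and hmac.compare_digest(ap.digest, _digest(token, ap.salt)):
                return ap.app_name
        return None

    def revoke_app_password(self, app_name: str) -> int:
        """Cut off one app without touching the master password or other apps."""
        hits = [ap for ap in self.app_passwords if ap.app_name == app_name and not ap.revoked]
        for ap in hits:
            ap.revoked = True
        return len(hits)
```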
This does not make me proud February 17, 2011 6:34 pm
Posted by Doug McCaughan in : Politics, Security, Touchy Subjects, United States, World Politics
The land of the free, the promised land, the place people once longed to visit or immigrate to, is quickly becoming the land to stay far away from.
going to the US is more unpleasant than going to Soviet era Russia or even Iran 10 years ago. Sure, you sometimes have to bribe people, but at least I’ve not had gear stolen off me during security checks or had people break my gear without at least compensating me.
And taking pictures. Well, let me put it like this: you are 20 times more likely to get hassled for whipping out your camera anywhere in the US than in, say, downtown Teheran.
I offer this as an observation from the outside. The US is isolating itself and it is becoming a very, very unpleasant place to visit. I often talk to fellow travellers and even a lot of business types in nice suits often relate how they’d rather not travel to the US if they could help it and that they’d rather work with people in Europe or Asia. I can relate to that.
[Source, Reddit, Why I stopped travelling to the US and I largely stopped doing business in the US.]
My fellow Americans. Can we please return to the pre-9/11 sensibilities we once had?
Well stated! ‘The loss of civil rights happen slowly’ January 7, 2011 12:08 pm
Posted by Doug McCaughan in : Conspiracy, Politics, Security, Touchy Subjects
Take heed!
The loss of civil rights happen slowly, so we are not supposed to take notice. Once our freedoms are gone, they will not be given back to us. [Source, NetworkWorld, The Stripping of Freedom: EPIC vs. DHS on TSA Body Scanners]
My Clients Now Get P3P Privacy Policies November 17, 2009 11:15 am
Posted by Doug McCaughan in : Privacy, Programming, Security, Technology, Touchy Subjects
Does your website collect identifying information on your visitors? If you think that because you do not sell anything (i.e. no shopping cart) and have no subscription services you are not collecting identifying information on your site’s visitors, then you are probably wrong. Most web servers log IP addresses along with the time of the visit and what that IP address read. ISPs keep logs showing which IP addresses were allocated to which users at particular times. Your logs can be correlated with their logs to identify a person. If your site has a comment form then you are definitely collecting information, but more importantly that form gives you the name of a person to associate with the IP address without having to involve the ISP.
So now that we are clear that you are probably collecting identifying information about the visitors to your site, do you have a privacy policy? A privacy policy states how you will use that identifying information. For instance, perhaps you sell it to mailing lists. Or perhaps you specifically do NOT sell it to mailing lists but aggregate it to be able to explain to your potential advertisers that 70% of your site’s visitors are women between the ages of 22 and 35.
If you have a privacy policy, as a human, I can follow the link to that policy, read it, and try to interpret it. But why should I do that when I may not even understand what I’m reading? Shouldn’t the browser or other software handle the privacy policy for me? Yes! And on April 16, 2002 the W3C recommended the Platform for Privacy Preferences Project or P3P which is "a machine-readable language that helps to express a website’s data management practices." What this comes down to is that you can set your privacy preferences in your browser and if the website’s policy does not match, the browser blocks cookies from that site. Certainly there is a bit more to it than that but for most users, it boils down to blocking cookies.
P3P is a bit of a pain in the neck but every website (and that means your blogs) should have a privacy policy. This is definitely something I will encourage of each of my clients.
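To make the "browser compares the policy to your preferences" step concrete, here is an added example (not from this post or the W3C) that parses the compact form of a P3P policy, the `CP="..."` value a site sends in its `P3P` response header, and applies one constructed preference rule to decide whether cookies from that site would be accepted. The token names are the ones defined in the P3P 1.0 specification; the preference rule itself is an illustration, not any browser's built-in one.

```python
import re

# A subset of the compact-policy tokens from the W3C P3P 1.0 specification.
IDENTIFIED_CATEGORIES = {"PHY", "ONL", "GOV", "FIN"}   # data that identifies a person
MODIFIERS = {"a": "always", "i": "opt-in", "o": "opt-out"}
_TOKEN = re.compile(r"^([A-Z]{3})([aio]?)$")


def parse_compact_policy(header_value: str) -> dict:
    """Turn a header such as 'CP="NOI DSP COR CURa TELo PHY"' into
    {token: modifier-or-None}, e.g. {"CUR": "always", "TEL": "opt-out", "PHY": None}."""
    m = re.search(r'CP="([^"]*)"', header_value)
    if not m:
        raise ValueError("no CP= compact policy in header")
    policy = {}
    for raw in m.group(1).split():
        t = _TOKEN.match(raw)
        if not t:
            raise ValueError("malformed compact-policy token: %r" % raw)
        policy[t.group(1)] = MODIFIERS[t.group(2)] if t.group(2) else None
    return policy


def cookies_allowed(policy: dict) -> bool:
    """Constructed user preference (an illustration, not IE's rule): accept
    cookies unless identifying data is used to contact the visitor (CON, TEL)
    or handed to unrelated parties or the public (UNR, PUB) without opt-in."""
    if "NID" in policy or not policy.keys() & IDENTIFIED_CATEGORIES:
        return True          # the site declares its data non-identifiable
    for tok in ("CON", "TEL", "UNR", "PUB"):
        if tok in policy and policy[tok] != "opt-in":
            return False
    return True
```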
WordPress 2.8.3 broken! Upgrade to 2.8.4 immediately! August 13, 2009 7:11 am
Posted by Doug McCaughan in : Blog, Publishing, Security, Software, Technology, WordPress
In case you missed it, WordPress 2.8.3 has a programming error which allows anyone to reset your administrative password and take over your WordPress blog. With administrative access, the hacker could destroy your content, lock you out, and repurpose your website for wrongdoing, spamming, pornography, slander, or whatever they want. Upgrade to WordPress 2.8.4 immediately! Learn more at darknet.org.uk.
This vulnerability could be prevented by securing the /wp-admin directory.
BlogSecurity has recommended before that the /wp-admin/* directory should be password protected or restricted to IP address. This would mitigate this problem. See our advisory here for details. [Source, BlogSecurity, WordPress <= 2.8.3 Reset Admin Password Vulnerability]
See details of the exploit at milw0rm.
That itch that won’t go away April 24, 2009 7:54 am
Posted by Doug McCaughan in : Daily Life, Security, Technology
My computer has been performing poorly. So this morning I ran my virus scanner with its toughest settings for peace of mind. Instead I found a virus:
- C:\Documents and Settings\Doug McCaughan\Application Data\Google\mupd1_2_12916358.exe Malware name:Win32-Trogan-gen {Other} Virus/Worm
Guess it is time to do a security sweep of the home network. I bet the kids’ computers are overrun.
Latest Internet Nuisance March 19, 2009 7:15 am
Posted by Doug McCaughan in : Announcements, Communications, Of Interest, Security, Technology
This morning I received an email from two people who don’t normally send me email. Both emails were almost identical and inexplicable. One was sent to me alone, while the other revealed the 87 or so email addresses it was sent to and appears to have been sent through gmail. I presume a worm, trojan or virus is sending this message to people’s complete address books. If you get one of these, you may want to let the sender (not the entire mailing list) know that they need to scan their computer. Click more to see the email.
In 10 years, TSA will display your thoughts on screen December 12, 2008 10:54 am
Posted by Doug McCaughan in : Science, Security, Technology, Touchy Subjects
In 10 years, TSA will be scanning your brain. Just saying…
Has my Google Calendar been compromised? August 26, 2008 8:37 am
Posted by Doug McCaughan in : Security, Technology
This morning as I looked at "My calendars" in my Google calendar I noticed one I did not remember creating. Not in "Other calendars" but in "My calendars" sat Paddy Daly. Since I quit using Google Calendar regularly a while back, I decided to see what notes I’d made about this Paddy Daly calendar I created. But I didn’t create it! And the creator made no notes. The calendar creator is punapaddy at a yahoo.com email address with a Hawaii timezone. This makes no sense. There appear to be no events on the calendar either. I do seem to have the ability to delete the calendar.
Who is Paddy Daly?
Paddy Daly (1888–1960), sometimes referred to as Paddy O’Daly, served in the Irish Republican Army during the Irish War of Independence and subsequently held the rank of Major-General in the National Army in the period 1922 to 1924. [Source, Wikipedia]
So is this some form of vandalism? Political protest or activism? How did it get on my calendar and what security hole in Google Calendar do I need to close?
Spam on Reality Me out of control July 17, 2008 4:05 pm
Posted by Doug McCaughan in : Announcements, Of Interest, Security, Technology
This weekend I plan to get a little aggressive with controlling spam on Reality Me. Most of it gets blocked but I get so much spam traffic that my Spam Karma logs regularly reach 70MB or more. If you find yourself unable to reach Reality Me, I may have been too aggressive. Just email me at juggler@gmail.com or Twitter @djuggler or Skype djuggler.
How do I plan to fight the spam? Mostly with apache. I’ll post details.
The War of 2020 between China and the US May 7, 2008 5:06 pm
Posted by Doug McCaughan in : Communications, Economy, News, Of Interest, Politics, Security, Technology, Touchy Subjects
You did know we are at war with China, didn’t you?
How to have sex while 5 children are in the house March 28, 2008 9:48 am
Posted by Doug McCaughan in : Health, Security, Sex, Technology, Touchy Subjects, War
Someone has finally figured out how to have intimate moments without fear of scarring the minds of your youth by having them accidentally walk in on mom and dad being gross. See this worksafe link for the details. Via BoingBoing.
- 1.25″ Polycarbonate Bulletproof Plating/Shielding
- Bio-Chemical Filtered Ventilation
- Rebreather
- Control Panel Mode Selection (i.e., Basic System Ops., Intruder Setting, Energy Status, Lock Down, etc.)
- Cover & Door Actuators w/ Emergency Release
- One way see through head cover (reflective mirror on 2 sides and front)
- Safety Features (Proximity Sensor, O2 Sensor, Smoke Det., Motion Det., etc.)
- Emergency Communication system (Cellular, Short-wave Radio, CB, etc.)
- Audio Amplifier (Amplify sound from outside unit)
- Air/Water Tight Sealing
- External Override Key Pad & Remote Control
- Battery Backup Power
- Toiletry system
Please remember the vasectomy campaign!
REAL ID real scary February 6, 2008 2:28 pm
Posted by Doug McCaughan in : Conspiracy, Politics, Security, Touchy Subjects, United States
Papers please. Thanks Tom.
Content Theft Worsens October 7, 2007 10:43 am
Posted by Doug McCaughan in : Blog, Daily Life, Publishing, Security, Technology
If you follow my comment feed, then you may have noticed that I am getting huge amounts of trackback spam. Why not just turn off trackbacks? Because these people are stealing my content, and likely your content, for their own personal gain, and the trackback is the easiest way to find them. Yes, they generate a link back to Reality Me, which in theory should help my page rank, but not when it is with duplicate content. I have installed the Antileech WordPress plugin but I am still figuring out how to use it without cutting off my feeds to legitimate readers. If you do end up getting a "this content is stolen" message instead of the actual post, please email juggler at gmail.com and I will fix it. That said, can you confirm which feedreader you use based upon the following:
- Blogdigger/2.0 (http://www.blogdigger.com/; contact@blogdigger.com) Referred by: http://www.zimbio.com/Jaycees/trackers/7/Blog+Search+Tracker
- Feedfetcher-Google; ( http://www.google.com/feedfetcher.html; 6 subscribers; feed-id=3701543567382179734) Referred by: http://www.google.com/reader/view/
- Feedfetcher-Google; ( http://www.google.com/feedfetcher.html; 9 subscribers; feed-id=8604077678671105327) Referred by: http://www.google.com/reader/view/?tab=my
- Feedster Crawler/3.0; Feedster, Inc. Referred by: http://ranchero.com/
- Gregarius/0.5.4 ( http://devlog.gregarius.net/docs/ua) Referred by: http://blognetwork.knoxnews.com/feed.php?channel=81
- Liferea/1.4.3b (Linux; en_US.UTF-8; http://liferea.sf.net/)
- NewsGatorOnline/2.0 (http:/www.newsgator.com; 1 subscribers) Referred by: http://www.newsgator.com/ngs/subscriber/WebEd2.aspx?fld=0
- NewzCrawler/1.8 (compatible; MSIE 6.00; Newz Crawler 1.8; http://www.newzcrawler.com/ )
- SharpReader/0.9.7.0 (.NET CLR 1.1.4322.2407; WinNT 5.1.2600.0) Referred by: http://127.0.0.1:12108/sharpreader/page.html
- Wasabot/1.4 (+ http://www.wasalive.com ) Java/1.6.0_02
I am assuming that Blogdigger, Gregarius, and Wasabot are used by content thieves.
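Before locking a plugin like Antileech down to an allow-list, it helps to see how each User-Agent would be treated against real log lines. The following is an added example, not code from this post or from Antileech: it parses Apache combined-format log lines, sorts feed fetchers into the reader families listed above versus the three the post suspects, and reports subscriber counts and suspect IPs to review. The log lines are constructed for the example (documentation IP ranges), and the reader/suspect lists simply mirror the post's own guess.

```python
import re
from collections import Counter

# Apache combined log: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
SUBSCRIBERS_RE = re.compile(r"(\d+) subscribers?")   # aggregators report a count
# Families from the post's list, split the way the post guesses at them.
KNOWN_READERS = ("Feedfetcher-Google", "Feedster", "Liferea", "NewsGatorOnline",
                 "NewzCrawler", "SharpReader")
SUSPECTED_SCRAPERS = ("Blogdigger", "Gregarius", "Wasabot")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Oct/2007:10:43:01 -0400] "GET /feed/ HTTP/1.1" 200 5120 '
    '"http://www.google.com/reader/view/" "Feedfetcher-Google; ( http://www.google.com/feedfetcher.html; 6 subscribers; feed-id=3701543567382179734)"',
    '198.51.100.9 - - [07/Oct/2007:10:44:12 -0400] "GET /feed/ HTTP/1.1" 200 5120 '
    '"-" "Liferea/1.4.3b (Linux; en_US.UTF-8; http://liferea.sf.net/)"',
    '192.0.2.77 - - [07/Oct/2007:10:45:30 -0400] "GET /feed/ HTTP/1.1" 200 5120 '
    '"http://www.zimbio.com/Jaycees/trackers/7/Blog+Search+Tracker" "Blogdigger/2.0 (http://www.blogdigger.com/; contact@blogdigger.com)"',
    '192.0.2.88 - - [07/Oct/2007:10:46:02 -0400] "GET /feed/ HTTP/1.1" 200 5120 '
    '"-" "Wasabot/1.4 (+ http://www.wasalive.com ) Java/1.6.0_02"',
    "not a log line at all",
]


def classify(ua: str) -> str:
    """'suspect' for the post's suspected content thieves, 'reader' for the
    known feed readers, 'unknown' for anything else (review before blocking)."""
    if ua.startswith(SUSPECTED_SCRAPERS):
        return "suspect"
    if ua.startswith(KNOWN_READERS):
        return "reader"
    return "unknown"


def summarize(log_lines):
    """Count verdicts, estimate real subscribers (an aggregator's reported count,
    otherwise one per desktop reader hit) and list suspect (ip, family) pairs."""
    verdicts, subscribers, suspects = Counter(), 0, []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not combined format: skip, don't crash
        ua, verdict = m["ua"], classify(m["ua"])
        verdicts[verdict] += 1
        if verdict == "reader":
            s = SUBSCRIBERS_RE.search(ua)
            subscribers += int(s.group(1)) if s else 1
        elif verdict == "suspect":
            suspects.append((m["ip"], re.match(r"[A-Za-z-]+", ua).group(0)))
    return {"verdicts": dict(verdicts), "subscribers": subscribers, "suspects": suspects}
```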
Orwellian of the Day October 4, 2007 1:22 pm
Posted by Doug McCaughan in : Conspiracy, Of Interest, Privacy, Security, Touchy Subjects
All those cameras and now "give us your keys."
People in the UK who encrypt their data are now obliged by law to give up the encryption keys to law enforcement officials…[Source]
Note: I have not confirmed the above against any other sources.
Per capita there are more surveillance cameras in the UK than any other country in the world…
The average city dweller can expect to be captured on film every five minutes…