
Coin and user interface improvements

Update: Coin already has this covered. They’ve responded to the numerous people asking this question.

One question we’ve been hearing is “What if a waiter/waitress accidentally — or worse, INTENTIONALLY — changes the card you want to charge your meal to?”

Here’s where Coin has you covered: The mobile app will allow you to configure an auto-lock feature that will disable the Coin button to toggle based on proximity; when the waiter walks away he or she will not be able to toggle the card selected.

[Source, Facebook]

I’ve pre-purchased Coin because for years I have said that we should have a single magnetic swipe card for all purposes. I’ve gone so far as to suggest we be issued an ID card at birth that becomes our permanent ID and holds all our credit cards and so forth. Why have multiple cards when one with a programmable magnetic strip would suffice?

Coin holds 8 swipe cards at once. There is a button on the card which allows you to select the card you want to use. Perhaps card one is your primary credit card, card two is your business credit card, card three is your door entry key for your office, card four is a loyalty card, card five is that rebate card you were sent instead of receiving a check or cash, card six is your department store card, etc. Pressing the button cycles through these. The recurring question being asked is "What if I hand it to the waiter and he accidentally selects a different card?" Coin answers this question in their FAQ:

Q. Can someone accidentally change which card is selected on my Coin?
A. We’ve designed the button to toggle cards in a way that makes it difficult to trigger a “press” unintentionally. Dropping a Coin, holding a Coin, sitting on a Coin, or putting the Coin in a check presenter at a restaurant will not inadvertently toggle the card that is selected.

[Source, onlycoin.com, FAQ]

To me, the answer is inadequate. The user interface could be altered ever so slightly to address this concern.

The solution: For those who want to lock it in, I should be able to program a lock sequence into the button. For instance, make switching cards a short press (that way I can rapidly cycle through the 8 loaded cards). I go to my Coin app on the phone and define a lock sequence of a 3 second press, followed by two taps, a long press and a final short tap. Now the card is locked on the chosen card. Unlocking works the same way. Because I can define the sequence of short and long presses, I effectively have a PIN code for locking and unlocking the card.
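To make the proposal concrete, here is an added example of the button logic (my own code, not Coin’s firmware or app). It assumes a press is reported as a duration in milliseconds, that a hold of 800 ms or more counts as a long press, that a pause longer than 1.5 s abandons a half-entered sequence, and that a lock sequence must begin with a long hold so that plain taps keep cycling cards; the class name `CoinButton` and the `S`/`L` pattern notation are choices made here.

```python
"""Added example (not Coin's code): a button-only lock sequence for a card selector.

When unlocked, a short tap advances to the next loaded card.  A configured pattern
of short taps (S) and long holds (L) toggles the lock; while locked, taps are ignored.
Thresholds and the pattern syntax are assumptions made for this example.
"""

LONG_PRESS_MS = 800   # assumed: at or above this a press is a long hold
MAX_GAP_MS = 1500     # assumed: a longer pause between presses abandons a partial sequence


def classify(duration_ms):
    """Map a press duration to 'S' (short tap) or 'L' (long hold)."""
    return "L" if duration_ms >= LONG_PRESS_MS else "S"


class CoinButton:
    def __init__(self, num_cards=8, lock_pattern="LSSLS"):
        # "LSSLS" is the post's sequence: a 3 s press, two taps, a long press, a short tap.
        # The pattern must start with a long hold so an ordinary tap never enters lock mode.
        if num_cards < 1 or not lock_pattern.startswith("L") or set(lock_pattern) - {"S", "L"}:
            raise ValueError("invalid configuration")
        self.num_cards = num_cards
        self.lock_pattern = lock_pattern
        self.selected = 0        # index of the active card
        self.locked = False
        self._buffer = ""        # presses so far that still match a prefix of the pattern

    def press(self, duration_ms, gap_ms=0):
        """Handle one press; gap_ms is the pause since the previous press ended."""
        kind = classify(duration_ms)
        if gap_ms > MAX_GAP_MS:
            self._buffer = ""
        candidate = self._buffer + kind
        if candidate == self.lock_pattern:
            self._buffer = ""
            self.locked = not self.locked
            return "locked" if self.locked else "unlocked"
        if self.lock_pattern.startswith(candidate):
            self._buffer = candidate
            return "pending"
        # The press broke the sequence; a long hold may still start a fresh one.
        self._buffer = ""
        if self.lock_pattern.startswith(kind):
            self._buffer = kind
            return "pending"
        # Here kind is a short tap outside any lock sequence.
        if self.locked:
            return "ignored"
        self.selected = (self.selected + 1) % self.num_cards
        return "card %d" % (self.selected + 1)
```

A locked card answers every tap with "ignored" and only the full pattern releases it, which is the property the post asks for: whoever holds the card cannot change the selection by pressing the button casually, and the pattern itself is the only thing the owner has to remember.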

Perhaps Coin will consider this in the future.

For those asking, what is Coin? Please read One Card to Rule Them All.

Update: Lauren Puff suggests the use of finger print technology like that of the iPhone 5s. While I think that would be cool, it would require a hardware change to the Coin which would probably add to the manufacturing cost and may not work with the form factor. The lock sequence I propose would use the existing hardware and would be some minimalist programming changes to the device itself and the iOS/Android apps.


Please allow your APIs to bypass 2 factor authentication – Mint and Paypal, I’m talking to you!

I use and love Mint.com. I use and love my Paypal security key. However, I cannot use the two together. Either I use mint.com without my paypal details (undesirable) or I lower the security on my Paypal account by deactivating my security key (undesirable).

Two-factor authentication (TFA, T-FA or 2FA) is an approach to authentication which requires the presentation of two different kinds of evidence that someone is who they say they are.

[Source, Wikipedia]

What is desirable is the ability to authorize certain applications to bypass 2 factor authentication, in the same way that Google Accounts allows me to bypass their 2 factor authentication for applications that I trust. So, I should be able to go into my Paypal settings and say “trust mint.com without 2 factor authentication” and it would assign a key (GUID, long string of characters, whatever) specifically for mint.com that effectively would be Mint’s password into my Paypal account.

To make this work would require cooperation between Mint and Paypal, of course. To see this in practice, go to Google Accounts, turn on 2 factor authentication, then set up Gmail on an iPhone, Blackberry or Android. There’s the model.

See also: Google’s Getting started with 2-step verification for a demonstration of application specific passwords.
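The mechanism the post asks for, as an added example written here (not PayPal’s, Mint’s or Google’s code): an account that demands both factors for an interactive login but lets a named application authenticate with its own randomly generated, separately stored, separately revocable credential carrying only the scopes the owner granted. The class `Account`, the method names and the `scopes` vocabulary are assumptions of this example; the second factor is modelled as a fixed code instead of a real TOTP or hardware-key check.

```python
"""Added example (not PayPal's or Mint's code): application-specific passwords
that let one trusted service skip the second factor without weakening the
owner's own login.  All names here are assumptions made for this example.
"""
import hashlib
import hmac
import secrets


class Account:
    """One account with a password, a second factor, and per-application passwords."""

    def __init__(self, password, second_factor_code):
        # Kept as plain strings for brevity; a real system stores a password hash
        # and derives the second-factor code from a TOTP secret or hardware key.
        self._password = password.encode()
        self._second_factor_code = second_factor_code.encode()
        self._app_passwords = {}  # app label -> (salt, digest, granted scopes)

    def login(self, password, second_factor_code):
        """Interactive login: both factors are required, as with the security key."""
        if not hmac.compare_digest(password.encode(), self._password):
            return None
        if not hmac.compare_digest(second_factor_code.encode(), self._second_factor_code):
            return None
        return {"principal": "owner", "scopes": {"read", "write", "settings"}}

    def issue_app_password(self, app_label, scopes=("read",)):
        """Mint a credential for one named application; the plaintext is returned once."""
        token = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._app_passwords[app_label] = (salt, self._digest(salt, token), frozenset(scopes))
        return token

    def revoke_app_password(self, app_label):
        """Cut off one application without touching the account password."""
        return self._app_passwords.pop(app_label, None) is not None

    def api_login(self, app_label, token):
        """Non-interactive login: the app password stands in for both factors,
        but only for its own label and only with the scopes granted to it."""
        entry = self._app_passwords.get(app_label)
        if entry is None:
            return None
        salt, expected, scopes = entry
        if not hmac.compare_digest(self._digest(salt, token), expected):
            return None
        return {"principal": app_label, "scopes": set(scopes)}

    @staticmethod
    def _digest(salt, token):
        # The token carries 256 bits of randomness, so a salted SHA-256 is enough
        # at rest; a user-chosen password would need a slow KDF instead.
        return hashlib.sha256(salt + token.encode()).digest()
```

Two properties matter for the trade-off described in the post: the app password is useless for an interactive login (it is not the account password, and the second factor still stands), and revoking it for mint.com leaves every other credential untouched.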


This does not make me proud

The land of the free, the promised land, the place people once longed to visit or immigrate to, is quickly becoming the land to stay far away from.

Going to the US is more unpleasant than going to Soviet era Russia or even Iran 10 years ago. Sure, you sometimes have to bribe people, but at least I’ve not had gear stolen off me during security checks or had people break my gear without at least compensating me.

And taking pictures. Well, let me put it like this: you are 20 times more likely to get hassled for whipping out your camera anywhere in the US than in, say, downtown Teheran.

I offer this as an observation from the outside. The US is isolating itself and it is becoming a very, very unpleasant place to visit. I often talk to fellow travellers and even a lot of business types in nice suits often relate how they’d rather not travel to the US if they could help it and that they’d rather work with people in Europe or Asia. I can relate to that.

[Source, Reddit, Why I stopped travelling to the US and I largely stopped doing business in the US.]

My fellow Americans. Can we please return to the pre-9/11 sensibilities we once had?


My Clients Now Get P3P Privacy Policies

Does your website collect identifying information on your visitors? If you think that because you do not sell anything (i.e. no shopping cart) and have no subscription services you are not collecting identifying information on your site’s visitors, then you are probably wrong. Most web servers log IP addresses along with the time of the visit and what that IP address read. ISPs keep logs showing which IP addresses were allocated to which users at particular times. Your logs can be correlated with their logs to identify a person. If your site has a comment form then you are definitely collecting information but, more importantly, that form gives you the name of a person to associate with the IP address without having to involve the ISP.

So now that we are clear that you are probably collecting identifying information about the visitors to your site, do you have a privacy policy? A privacy policy states how you will use that identifying information. For instance, perhaps you sell it to mailing lists. Or perhaps you specifically do NOT sell it to mailing lists but aggregate it to be able to explain to your potential advertisers that 70% of your site’s visitors are women between the ages of 22 and 35.

If you have a privacy policy, as a human, I can follow the link to that policy, read it, and try to interpret it. But why should I do that when I may not even understand what I’m reading? Shouldn’t the browser or other software handle the privacy policy for me? Yes! And on April 16, 2002 the W3C recommended the Platform for Privacy Preferences Project or P3P which is "a machine-readable language that helps to express a website’s data management practices." What this comes down to is that you can set your privacy preferences in your browser and if the website’s policy does not match, the browser blocks cookies from that site. Certainly there is a bit more to it than that but for most users, it boils down to blocking cookies.

P3P is a bit of a pain in the neck but every website (and that means your blogs) should have a privacy policy. This is definitely something I will encourage of each of my clients.
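To show what a P3P-aware browser actually does with a policy, here is an added example (my own code, not the W3C’s or any browser vendor’s): it builds the `P3P` response header a site sends, pulls the compact policy tokens back out of it, and decides whether cookies are accepted under a visitor’s preferences. The token names are the ones defined in the P3P 1.0 compact policy vocabulary (for instance NOI, DSP, COR, NID, CURa, ADMa, OUR, UNR, IND); the example site policy, the preference profiles and the function names are constructed here.

```python
"""Added example (not the W3C's code): emitting a P3P compact policy header and
evaluating it against a visitor's preferences, which is how a P3P-aware browser
decides whether to accept a site's cookies.

Token meanings used below, from the P3P 1.0 compact policy vocabulary:
NOI = no access to identified data, DSP = disputes procedure published,
COR = errors are corrected, NID = data is not personally identifiable,
CUR/ADM/DEV = purposes (current activity, administration, development),
OUR = shared only with the site and its agents, SAM/OTR = shared with other
parties, UNR = shared with unrelated parties, IND = retained indefinitely.
Purpose and recipient tokens take a suffix: a = always, i = opt-in, o = opt-out.
"""
import re

_PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
_RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
_TOKEN_RE = re.compile(r"^[A-Z]{3}[aio]?$")


def p3p_header(compact_tokens, policyref="/w3c/p3p.xml"):
    """Build the value of the HTTP P3P response header for a site."""
    for tok in compact_tokens:
        if not _TOKEN_RE.match(tok):
            raise ValueError("malformed compact policy token: %r" % tok)
    return 'policyref="%s", CP="%s"' % (policyref, " ".join(compact_tokens))


def parse_compact_policy(header_value):
    """Extract the CP="..." token list from a P3P header; [] if there is none."""
    m = re.search(r'CP="([^"]*)"', header_value)
    return m.group(1).split() if m else []


def split_token(tok):
    """Return (base, qualifier); the qualifier is a/i/o or '' for bare tokens."""
    if len(tok) == 4 and tok[:3] in _PURPOSE | _RECIPIENT:
        return tok[:3], tok[3]
    return tok, ""


def cookie_decision(cp_tokens, refuse, require=()):
    """Decide ('accept' | 'block', reason) for a site's cookies.

    refuse:  base tokens the visitor will not tolerate unless the site marks
             them opt-in ('i'), e.g. UNR (shared with unrelated parties).
    require: base tokens the policy must declare, e.g. DSP.
    A site that sends no compact policy at all is blocked, as a browser
    configured to require one would do.
    """
    if not cp_tokens:
        return "block", "no compact policy"
    declared = {}
    for tok in cp_tokens:
        base, qual = split_token(tok)
        declared[base] = qual
    for base in require:
        if base not in declared:
            return "block", "missing required %s" % base
    for base, qual in declared.items():
        if base in refuse and qual != "i":
            return "block", "policy declares %s%s" % (base, qual)
    return "accept", "policy matches preferences"
```

The compact policy is only a summary; the full policy lives at the `policyref` location and is what the compact tokens are supposed to faithfully abbreviate. The matching above is also deliberately strict on the visitor’s side: a purpose the visitor refuses is tolerated only when the site declares it as opt-in, which is the distinction the a/i/o suffixes exist to carry.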


WordPress 2.8.3 broken! Upgrade to 2.8.4 immediately!

In case you missed it, WordPress 2.8.3 has a programming error which allows anyone to reset your administrative password and take over your WordPress blog. With administrative access, the hacker could destroy your content, lock you out, and repurpose your website for wrongdoing, spamming, pornography, slander, or whatever they want. Upgrade to WordPress 2.8.4 immediately! Learn more at darknet.org.uk.

Exploitation of this vulnerability could be prevented by securing the /wp-admin directory.

BlogSecurity has recommended before that the /wp-admin/* directory should be password protected or restricted to IP address. This would mitigate this problem. See our advisory here for details. [Source, BlogSecurity, WordPress <= 2.8.3 Reset Admin Password Vulnerability]

See details of the exploit at milw0rm.
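The two mitigations BlogSecurity recommends, restricting /wp-admin to known addresses and putting a password on it, as an added example of my own (not BlogSecurity’s or WordPress’s code) in the form of a request gate that would sit in front of the admin area. The allowed network (an RFC 5737 documentation range standing in for an office), the user list, the salt and the function names are constructed for this example.

```python
"""Added example (not BlogSecurity's or WordPress's code): a gate that enforces
an IP allow-list and HTTP Basic authentication on the admin area.
Network, users and names are constructed for this example.
"""
import base64
import hashlib
import hmac
import ipaddress

# Constructed policy: the admin area is reachable only from one network and,
# on top of that, only with valid Basic credentials.
PROTECTED_PREFIXES = ("/wp-admin",)
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
SALT = b"constructed-salt"
ADMIN_USERS = {"editor": hashlib.sha256(SALT + b"s3cret-passphrase").hexdigest()}


def basic_header(user, password):
    """Build the Authorization header value a browser sends for Basic auth."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def _credentials_ok(auth_header):
    """Check an 'Authorization: Basic ...' header against ADMIN_USERS."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = ADMIN_USERS.get(user)
    if expected is None:
        return False
    actual = hashlib.sha256(SALT + password.encode()).hexdigest()
    return hmac.compare_digest(actual, expected)


def _is_protected(path):
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def gate(path, client_ip, auth_header=None):
    """Return the status the gate answers with: 200 pass, 403 wrong network, 401 bad credentials.

    The network check runs first, so credential guessing from outside the
    allowed range is refused before a password is ever examined.
    """
    if not _is_protected(path):
        return 200  # public pages are untouched
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return 403
    if not any(ip in net for net in ALLOWED_NETWORKS):
        return 403
    if not _credentials_ok(auth_header):
        return 401
    return 200
```

In a real deployment this lives in the web server configuration rather than in application code, and `PROTECTED_PREFIXES` should list every administrative entry point the installation exposes, not just /wp-admin. Note also that the IP check alone is weak when the blog is administered from changing addresses, which is why the quoted advice offers the password as the alternative.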


That itch that won’t go away

My computer has been performing poorly. So this morning I ran my virus scanner with its toughest settings for peace of mind. Instead I found a virus:

  • C:\Documents and Settings\Doug McCaughan\Application Data\Google\mupd1_2_12916358.exe Malware name:Win32-Trogan-gen {Other} Virus/Worm

Guess it is time to do a security sweep of the home network. I bet the kids’ computers are overrun.


Latest Internet Nuisance

This morning I received an email from two people who don’t normally send me email. Both emails were almost identical and inexplicable. One was sent to me alone while the other revealed the 87 or so email addresses it was sent to and appears to have been sent through Gmail. I presume a worm, trojan or virus is sending this message to people’s complete address books. If you get one of these, you may want to let the sender (not the entire mailing list) know that they need to scan their computer. Click more to see the email.


Has my Google Calendar been compromised?

This morning as I looked at "My calendars" in my Google Calendar I noticed one I did not remember creating. Not in "Other calendars" but in "My calendars" sat Paddy Daly. Since I quit using Google Calendar regularly a while back, I decided to see what notes I’d made about this Paddy Daly calendar I created. But I didn’t create it! And the creator made no notes. The calendar creator is punapaddy at a yahoo.com email address with a Hawaii time zone. This makes no sense. There appear to be no events on the calendar either. I do seem to have the ability to delete the calendar.

Who is Paddy Daly?

Paddy Daly (1888-1960), sometimes referred to as Paddy O’Daly, served in the Irish Republican Army during the Irish War of Independence and subsequently held the rank of Major-General in the National Army in the period 1922 to 1924. [Source, Wikipedia]

So is this some form of vandalism? Political protest or activism? How did it get on my calendar and what security hole in Google Calendar do I need to close?


Spam on Reality Me out of control

This weekend I plan to get a little aggressive with controlling spam on Reality Me. Most of it gets blocked but I get so much spam traffic that my Spam Karma logs regularly reach 70MB or more. If you find yourself unable to reach Reality Me, I may have been too aggressive. Just email me at juggler@gmail.com or Twitter @djuggler or Skype djuggler.

How do I plan to fight the spam? Mostly with apache. I’ll post details.


How to have sex while 5 children are in the house

Someone has finally figured out how to have intimate moments without fear of scarring the minds of your youth by having them accidentally walk in on mom and dad being gross. See this worksafe link for the details. Via BoingBoing.

QSleeper

  • 1.25″ Polycarbonate Bulletproof Plating/Shielding
  • Bio-Chemical Filtered Ventilation
  • Rebreather
  • Control Panel Mode Selection (i.e., Basic System Ops., Intruder Setting, Energy Status, Lock Down, etc.)
  • Cover & Door Actuators w/ Emergency Release
  • One way see through head cover (reflective mirror on 2 sides and front)
  • Safety Features (Proximity Sensor, O2 Sensor, Smoke Det., Motion Det., etc.)
  • Emergency Communication system (Cellular, Short-wave Radio, CB, etc.)
  • Audio Amplifier (Amplify sound from outside unit)
  • Air/Water Tight Sealing
  • External Override Key Pad & Remote Control
  • Battery Backup Power
  • Toiletry system

[Source, QSleeper]

Please remember the vasectomy campaign!


Content Theft Worsens

If you follow my comment feed, then you may have noticed that I am getting huge amounts of trackback spam. Why not just turn off trackbacks? Because these people are stealing my content, and likely your content, for their own personal gain and the trackback is the easiest way to find them. Yes, they generate a link back to Reality Me which in theory should help my page rank but not when it is with duplicate content. I have installed the Antileech WordPress plugin but I am still figuring out how to use it without cutting off my feeds to legitimate readers. If you do end up getting a "this content is stolen" message instead of the actual post, please email juggler at gmail.com and I will fix it. That said, can you confirm which feedreader you use based upon the following:

  • Blogdigger/2.0 (http://www.blogdigger.com/; contact@blogdigger.com) Referred by: http://www.zimbio.com/Jaycees/trackers/7/Blog+Search+Tracker
  • Feedfetcher-Google; ( http://www.google.com/feedfetcher.html; 6 subscribers; feed-id=3701543567382179734) Referred by: http://www.google.com/reader/view/
  • Feedfetcher-Google; ( http://www.google.com/feedfetcher.html; 9 subscribers; feed-id=8604077678671105327) Referred by: http://www.google.com/reader/view/?tab=my
  • Feedster Crawler/3.0; Feedster, Inc. Referred by: http://ranchero.com/
  • Gregarius/0.5.4 ( http://devlog.gregarius.net/docs/ua) Referred by: http://blognetwork.knoxnews.com/feed.php?channel=81
  • Liferea/1.4.3b (Linux; en_US.UTF-8; http://liferea.sf.net/)
  • NewsGatorOnline/2.0 (http:/www.newsgator.com; 1 subscribers) Referred by: http://www.newsgator.com/ngs/subscriber/WebEd2.aspx?fld=0
  • NewzCrawler/1.8 (compatible; MSIE 6.00; Newz Crawler 1.8; http://www.newzcrawler.com/ )
  • SharpReader/0.9.7.0 (.NET CLR 1.1.4322.2407; WinNT 5.1.2600.0) Referred by: http://127.0.0.1:12108/sharpreader/page.html
  • Wasabot/1.4 (+ http://www.wasalive.com ) Java/1.6.0_02

I am assuming that Blogdigger, Gregarius, and Wasabot are used by content thieves.
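The user-agent lines above, parsed and sorted into actions, as an added example written here (not the Antileech plugin’s code and not part of the original post). The log lines embedded in the block are the ones quoted in the post; the product names the post assumes to belong to content thieves go on the notice list, the remaining agents are treated as legitimate readers pending the confirmation the post asks for, and anything unrecognised is queued for review rather than cut off. `parse_agent`, `decide` and `triage` are names chosen for this example.

```python
"""Added example (not the Antileech plugin's code): parse the logged user-agent
strings and apply a per-product policy, so known reader software keeps getting
the feed while agents suspected of republishing get the notice instead.
"""
import re

# The user-agent lines quoted in the post, with the referrer the blog logged next to them.
SAMPLE_LOG_LINES = [
    "Blogdigger/2.0 (http://www.blogdigger.com/; contact@blogdigger.com) Referred by: http://www.zimbio.com/Jaycees/trackers/7/Blog+Search+Tracker",
    "Feedfetcher-Google; ( http://www.google.com/feedfetcher.html; 6 subscribers; feed-id=3701543567382179734) Referred by: http://www.google.com/reader/view/",
    "Feedfetcher-Google; ( http://www.google.com/feedfetcher.html; 9 subscribers; feed-id=8604077678671105327) Referred by: http://www.google.com/reader/view/?tab=my",
    "Feedster Crawler/3.0; Feedster, Inc. Referred by: http://ranchero.com/",
    "Gregarius/0.5.4 ( http://devlog.gregarius.net/docs/ua) Referred by: http://blognetwork.knoxnews.com/feed.php?channel=81",
    "Liferea/1.4.3b (Linux; en_US.UTF-8; http://liferea.sf.net/)",
    "NewsGatorOnline/2.0 (http:/www.newsgator.com; 1 subscribers) Referred by: http://www.newsgator.com/ngs/subscriber/WebEd2.aspx?fld=0",
    "NewzCrawler/1.8 (compatible; MSIE 6.00; Newz Crawler 1.8; http://www.newzcrawler.com/ )",
    "SharpReader/0.9.7.0 (.NET CLR 1.1.4322.2407; WinNT 5.1.2600.0) Referred by: http://127.0.0.1:12108/sharpreader/page.html",
    "Wasabot/1.4 (+ http://www.wasalive.com ) Java/1.6.0_02",
]

# Policy: the post's assumption, not a verified list of scrapers.
SUSPECTED_REPUBLISHERS = {"Blogdigger", "Gregarius", "Wasabot"}
KNOWN_READERS = {"Feedfetcher-Google", "Feedster Crawler", "Liferea",
                 "NewsGatorOnline", "NewzCrawler", "SharpReader"}


def parse_agent(line):
    """Split one logged line into product, version, comment, trailer, subscriber count, referrer."""
    referrer = None
    if " Referred by: " in line:
        line, referrer = line.split(" Referred by: ", 1)
    comment = extra = None
    m = re.search(r"\(([^)]*)\)", line)          # first parenthesised comment
    if m:
        comment = m.group(1).strip()
        head = line[:m.start()]
        extra = line[m.end():].strip() or None    # e.g. a trailing "Java/1.6.0_02"
    else:
        head = line
    head = head.strip().rstrip(";")               # "Feedfetcher-Google;" carries no version
    product, _, version = head.partition("/")
    subscribers = None
    if comment:
        s = re.search(r"(\d+) subscribers", comment)
        if s:
            subscribers = int(s.group(1))
    return {
        "product": product.strip(),
        "version": version.split(";")[0].strip() or None,
        "comment": comment,
        "extra": extra,
        "subscribers": subscribers,
        "referrer": referrer.strip() if referrer else None,
    }


def decide(entry):
    """'notice' for suspected republishers, 'feed' for known readers, else 'review'."""
    if entry["product"] in SUSPECTED_REPUBLISHERS:
        return "notice"
    if entry["product"] in KNOWN_READERS:
        return "feed"
    return "review"


def triage(lines):
    """Map each product seen in the log to the action it gets."""
    return {e["product"]: decide(e) for e in map(parse_agent, lines)}
```

The "review" bucket is the part worth keeping: a new reader that is not on either list still gets the feed until someone looks at it, which is exactly the cut-off-legitimate-readers failure the post is trying to avoid with Antileech. The subscriber counts and referrers the parser pulls out are what tell a reader of the log that an agent is an aggregator with real subscribers rather than a one-off fetch.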