Linux security guru joins Microsoft

Today we’ve lost a good man.  Noooooooooooooooooooooo.

http://blogs.zdnet.com/security/?p=820

January 23, 2008

Ohh So Many Passwords

I’ve just cleaned up and merged all of my passwords, keys, etc. into a single database. After vigorous clean up (deleted 3 pairs of credentials) I am left with a happy number of 75. Ouch! I think I can get it down to somewhere within the 60’s when I get home and confirm that some of the server accounts are obsolete. I think it’s time for wide adoption of OpenID! Pleaseeeeeeeeeeeeeeeeese.

Of course, solving both issues, (a) waiting to get home to confirm network details and (b) adopting OpenID, would introduce even more passwords into my life. A few to connect to/maintain the (a) home VPN box and a few more for the (b) home OpenID server.

3 comments January 22, 2008

Thoughts Of The Paranoid On The Call Centre Security (updated)

I needed to call my bank today to ask a few questions… Called the bank, asked my questions and the lady on the other end asked me if she could put me on hold while she searched for the required information. I don’t generally like being on hold so I said no and that I would rather wait on the line. She went a little quiet while she was doing whatever it is that she was doing. Meanwhile, I am sitting there, doodling and listening to all the background noise… Somehow it makes me feel more comfortable than being on hold. For some reason I tuned into a particular conversation where a call centre person was reading some numbers. They sounded like somebody’s credit card number (maybe an account number).

And here is where I start getting a little paranoid: wouldn’t it be possible to call a bank call centre from a monitored (recorded) line, keep the staff on the phone for as long as possible (I don’t think it would be very hard, just keep asking dumb but time consuming questions) until you get tired of it or disk space/tape runs out.

Next comes the tricky part: filtering and isolating the conversations in the recording. Personally I wouldn’t know where to start, however people who are into their music software would probably find it trivial.

This makes me wonder if it could be a new (most likely inefficient but nonetheless) higher-return method of phishing?

UPDATE:
Another alternative is to get a job at a call centre, turnover of staff is high so I don’t think it would be a complicated experience.  Come to work, turn on your audio recorder and you are set to go.

In 6 months

Just a passing thought…

1 comment January 18, 2008

Bring Out The Fanboy! The Fanboy Is Sleeping.

I have just read an article called “Apple is Killing Linux on the Desktop”, originally spotted on Slashdot.com but hosted on, wait for it, Applematters.com. I never thought it did, but there you have it.

All in all, the article talks about Apple’s dominance over Linux within the desktop market. It gives some meaningless statistics, pretty graphs and everything else that an Apple fanboy may want from a shiny fashion accessory.

I have to admit though that Apple machines do look sexy, they have the software that I like, the operating system that I am familiar with and it doesn’t get any more user friendly than that. The eye-candy is amazing, it has some research and cataloging software that I would love to have in my arsenal, that is not available elsewhere and on top of all that: Apple had many, many years to perfect their creation. In fact they were the first kids on the block, they are the guys who gave you your first PC!

Hold on a second, something isn’t right here.

They were one of the first if not the first guys on the playing field, they were there from day one and they are still a mere pimple on the anus of the PC market. Yet the article is talking about Apple dominance over Linux?

Well, there are 3 sides to that story. First – no shit! Apple has existed since the dawn of time; Linux desktop solutions are quite young by comparison (however Apple fanboys already recognise it as a threat – excellent). Second: the statistics presented in the article are exactly that – statistics; multiple sources present multiple figures – who do we believe (see comments of the original post for details)? Third, this is also taken from the comments of the original post: Apple machines are devices that are capable of running Linux and Windows. I.e. even though Mac sales may have risen, the OS that is being hosted on the device could be and at times is Linux and/or Windows, so the sales figures are not actually accurate.

In my opinion an Apple machine is two things to two sets of people, at least for now, although I believe it is going to stay that way for a while:
1. A specialty workstation for the IT professionals who have the actual need for it – very few.
2. An overpriced boutique fashion accessory for the fanboys that love to show it off while sipping babyccinos at Starbucks just like on TV.

Apple could not dominate the market if they were the market! The company (Apple) could not dominate the market at the start; they drop the soap in front of Microsoft every step they take. In fact the only reason Apple has come out of its little gimp box is reactive – they are playing catch-up to Vista’s marketing machine. They are not dominating now and they will not dominate in the future. They had the chance and they missed it, without even realising what has happened.

January 5, 2008

Roughly 40 Points Of My Identity

Recently I needed to update my contact details on the Body Corporate file. Actually I did that a while ago but I am just getting around to venting about it now (been busy).

Anyway, I needed to update the contact details, so instinctively I went to their website, logged in and tried to find the facility to do that: no luck.

Rang them and asked the nice lady at the (what I assume to be) front desk to update my details or point me to somebody who could. Instead of doing what I have asked them to do I was told that they can’t change my details over the phone for security reasons (I should have asked what those reasons were). I was instructed to print out a “change of details” form, available from a public area on their website, fill in the required information and send it back to them by mail or fax.

I really fail to see how that was more secure compared to a phone call, perhaps the form has some identification information that was not public knowledge… Printed the form, filled everything in (surname, new email address, new postal address) and faxed it back. Nothing to authenticate my identity at all (minus the surname)!

Then it occurred to me that I had faxed the form from my work number, which the Body Corporate didn’t have on file, and perhaps the form would be ignored because of that. So I called them again to confirm the fax and to ask if everything was to their standards. Again I identified myself by my surname, nothing more…

Hello, blah, blah, blah… I’ve just faxed you guys a change of details form, have you received it? Is everything updated? Etc. Response – yep, everything has been updated.

So there you have it people, this is how easy it is to steal about 40 points of identity in our day and age.

January 4, 2008

Valentines Day for Man

Steak and BJ Day (http://www.steakandbjday.com)

I have nothing more to add!

December 20, 2007

CAPTCHA Killer

When I was reading the CSRF Demystified article (last post) it had a link to CAPTCHA Killer service (http://www.captchakiller.com).

The service requires registration and presents REST and web interfaces. Basically feed it a CAPTCHA image (uploaded from local disk) and a URL to the CAPTCHA image. Click the submit button, wait for about a minute and presto! Out comes the plain text alternative of the CAPTCHA.

The owner writes that this is a service aimed at visually impaired people and will eventually integrate into screen readers, etc.

I have tested the service with a few images: two from Gmail and one from Facebook sign-up forms. Facebook is the complex one since it includes reasonable image obfuscation. Results were very impressive (included below).
Scary shit I say, especially when CAPTCHAs are generally used as a primary bot deterrent. I am however very, very, very interested in how they do it. I have a few ideas based on what I know from the way face recognition software works but nothing specific that I could implement myself.

I want, I want, I want!

RESULTS

captchatest_1.jpg (Gmail)
Result: sploo
Processing: 2min 10sec

captchatest_2.jpg (Gmail)
Result: nesive
Processing: 0min 18sec

captchatest_3.jpg (Facebook)
Result: Roperapopointments
Processing: 1min 19sec

1 comment December 19, 2007

CSRF Demystified

I was just going through my mailing-list emails (it will be a while until I go through all of them) and saw a link to a very good article describing CSRF attacks (CSRF Demystified: http://www.gnucitizen.org/blog/csrf-demystified).

In case you don’t know: CSRF is a very powerful attack that can be executed against the vast majority of web applications, most of which are not even aware of the issue. The scary part is that this attack doesn’t require a lot of effort for the amount of damage it can cause.
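To make the "not even aware of the issue" part concrete, here is an added example (mine, not from the linked article) of a state-changing handler before and after adding a synchronizer token. It assumes a toy request shape (dicts for cookies and form fields) and, for brevity, a session cookie whose value is the user name.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret, generated here for the demo (constructed, not a real key).
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session id)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(request: dict, balances: dict) -> bool:
    """'Before' handler: trusts the session cookie alone. A form auto-submitted
    by a third-party page carries the victim's cookie, so the transfer goes through."""
    user = request["cookies"].get("session")
    if user is None:
        return False
    balances[user] -= int(request["form"]["amount"])
    return True


def transfer_hardened(request: dict, balances: dict) -> bool:
    """'After' handler: also requires a token that only same-origin pages can read."""
    user = request["cookies"].get("session")
    if user is None:
        return False
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, csrf_token(user)):
        return False  # cookie present but token missing/wrong: treat as cross-site
    balances[user] -= int(request["form"]["amount"])
    return True


def demo():
    """Returns alice's balance after a forged request hits each handler."""
    # Constructed cross-site request: the browser attaches alice's cookie, but the
    # attacking page cannot read her token, so the form field is absent.
    forged = {"cookies": {"session": "alice"}, "form": {"amount": "40"}}
    balances = {"alice": 100}
    transfer_vulnerable(forged, balances)
    after_vulnerable = balances["alice"]
    balances = {"alice": 100}
    transfer_hardened(forged, balances)
    after_hardened = balances["alice"]
    return after_vulnerable, after_hardened
```

The hardened handler still accepts a genuine same-origin form, because that form is rendered with `csrf_token(session)` embedded in it.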

December 19, 2007

Password Management

Last post described how to make a completely portable and self-contained email backup solution using Portable Thunderbird client. Another great application hosted on PortableApps.com is KeePass (direct link to portable version).

KeePass is a password manager that I use, pray to and sleep with a copy of under my pillow. If you are like me and have a ridiculous number of usernames and passwords to remember, you will love this application. I used different software for many years until I saw this one – moved, haven’t regretted it since.

This is a very complete password manager with an excellent user interface that runs on almost anything. Linux, Windows, portable (USB stick, SD, etc – Windows only), Java enabled mobile phones, etc (it’s not written in Java AFAIK, just the phone edition).

The only minus is that it is so good! I have a few personal systems that I use every day (and a USB backup) and each one runs KeePass or KeePass portable. The problem happens when you add a new record and then need to synchronize it with the rest of the KeePass instances on other machines. My solution (simple things for simple minds) is to keep a master file (perhaps on a file server) and make a note of what record or category I have added to any given instance. Later I just add the same data to the master file when I have access to it.

Additionally, if you use the portable version, you can back everything up into a self-contained archive (and refer to it in case something REALLY bad happens).

SECURITY TIP:
Use passphrases instead of simple passwords. For example: a 20 character passphrase is (almost) impossible to crack using any of the current methods. Just make sure it’s not a famous movie quote.
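An added example (my own, not from the KeePass project) that puts numbers on the tip above: it estimates a passphrase's strength under the cheapest attack it is exposed to, including the "famous movie quote" case. The guess rate, charset size, word-list size and the quote list are all constructed assumptions.

```python
import math

# Assumed attacker model (constructed figures, not from the post).
GUESSES_PER_SECOND = 1e10   # offline attack against a fast, unsalted hash
CHARSET = 95                # printable ASCII, for character-by-character brute force
WORDLIST = 7776             # diceware-sized list, for word-by-word brute force
# Constructed stand-in for an attacker's list of famous quotes and lyrics.
KNOWN_PHRASES = {"may the force be with you", "i'll be back", "hasta la vista baby"}


def bits(passphrase: str) -> float:
    """Entropy in bits under the cheapest of three attack models."""
    normalized = " ".join(passphrase.lower().split())
    if normalized in KNOWN_PHRASES:
        # A quote is one entry in a list: strength is the size of that list.
        return math.log2(len(KNOWN_PHRASES))
    words = normalized.split()
    char_model = len(passphrase) * math.log2(CHARSET)
    if len(words) > 1 and all(w.isalpha() for w in words):
        # Plain dictionary words: the attacker guesses words, not characters.
        return min(char_model, len(words) * math.log2(WORDLIST))
    return char_model


def years_to_crack(passphrase: str) -> float:
    """Expected time to search half the space at GUESSES_PER_SECOND."""
    return 2 ** bits(passphrase) / 2 / GUESSES_PER_SECOND / (365 * 24 * 3600)
```

Under these assumptions a 4-word random phrase and an 8-character random password land in the same ballpark, a quote is essentially free, and only longer random phrases reach the "almost impossible" territory the tip describes.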

December 15, 2007

Self Contained Offline Email Backup

A great way to backup your emails from Gmail (or any online email) service is to use Thunderbird Portable email client from PortableApps.com.   The only bad thing about it is that this particular version (portable) of Thunderbird is only released for Windows based systems.

Applications from PortableApps.com are designed to be standalone and run from a single directory on any type of media, such as USB sticks, SD cards, DVDs, etc.  Coincidentally the portable distribution of Thunderbird makes an excellent email backup solution.

All one needs to do is: enable IMAP service within Gmail account settings. Set up Thunderbird to talk to Gmail over IMAP (instructions on how to do that). Download all of your emails for offline browsing (this is a Thunderbird option) and move the entire Thunderbird Portable directory onto a CD (or other external media). That’s it.

As a result you’ll end-up with a portable, self contained email archive.  To read, search or sort any of the emails backed-up in this way all you need to do is insert the CD into the machine and run portable Thunderbird directly from the disk.

December 15, 2007
