Monday, September 19, 2011

Hall of shame: Ticketmaster.com

There are many reasons why I despise Ticketmaster, such as their ridiculous "because we can" fees, "convenience fee for using the website", "fee for printing your own tickets on your own paper, using your own printer, with various ads on it", etc. 

But this series is about security worst practices, so here goes another password FAIL. 

Extra points for having a timer that gives people 90 seconds to fill in the form, come up with a secure password, and read the T.O.S. and privacy policy (each a couple dozen pages).

Tuesday, September 6, 2011

Hall of shame: Priceline.com


When creating an account, I'm asked for my "preferred internet password". 
Seriously? Sounds like marketing-speak for "Go ahead and reuse the password here that you use on Facebook and BofA. We don't mind!".

Shame on you for encouraging bad behaviour!

One extra point for "default opt-in"ing the user to the marketing spam. 

Thursday, August 4, 2011

Hall of shame: Mediafire

Let's see:
You have a nice "password strength" meter, but once one submits the form, it repeats back the password in the clear, complains that it's too long, and that it can't have any "special" characters.

Why would that matter, since the password hash would be the same regardless of length? You are securely hashing the passwords, and not storing them in the database as plain-text, right? Right?

Also, can you tell me exactly what the difference is between a special character and a non-special one?  Is it "special" when it causes a SQL injection vulnerability (which of course you would defend against by properly escaping database inputs) when storing the password in plain text (which of course you don't do)?

BTW: I don't think I will be trusting you with access to my Facebook account just yet. Hope you don't mind.

Update:
I have proof that they store passwords "in the clear": the password check is case-insensitive!
You can try this out yourself:
If your password is "joshua", you can log in using "JOSHUA" or "JoSHuA".    This is only possible if the site doesn't use any password hashing at all.   Security 101 FAIL!

Sunday, July 31, 2011

"Google Health" on its deathbed

The google giveth and the google taketh away:

Official Google Blog: An update on Google Health and Google PowerMeter:

"we’ve observed that Google Health is not having the broad impact that we hoped it would. There has been adoption among certain groups of users like tech-savvy patients and their caregivers, and more recently fitness and wellness enthusiasts. But we haven’t found a way to translate that limited usage into widespread adoption in the daily health routines of millions of people. That’s why we’ve made the difficult decision to discontinue the Google Health service. We’ll continue to operate the Google Health site as usual through January 1, 2012, and we’ll provide an ongoing way for people to download their health data for an additional year beyond that, through January 1, 2013."

This means that my effort of codifying my health history, and keeping track of my workout regime and its effect, will still have a function: to remind me and other early adopters not to put too much trust in new projects, even from the biggest companies.


Now how's that G+ profile building coming along....

Thursday, July 28, 2011

New snooping bill: What could possibly go wrong?

House panel approves broadened ISP snooping bill :

"Internet providers would be forced to keep logs of their customers' activities for one year--in case police want to review them in the future--under legislation that a U.S. House of Representatives committee approved today.

The 19 to 10 vote represents a victory for conservative Republicans, who made data retention their first major technology initiative after last fall's elections, and the Justice Department officials who have quietly lobbied for the sweeping new requirements, a development first reported by CNET.

A last-minute rewrite of the bill expands the information that commercial Internet providers are required to store to include customers' names, addresses, phone numbers, credit card numbers, bank account numbers, and temporarily-assigned IP addresses, some committee members suggested. By a 7-16 vote, the panel rejected an amendment that would have clarified that only IP addresses must be stored."
Let's think this through (hey, somebody has to!):

  •  This is billed as a "protecting children from pornography" act.   Where is the official double-speak justification on this?  What part of this could even theoretically protect any kid from pornography? Did the spin-doctor on duty call in sick?
  • This is going to be made available for "police investigating any crime and perhaps attorneys litigating civil disputes in divorce, insurance fraud, and other cases as well".   Are we feeling secure yet?
  • Every other monitoring system of this sort has been abused on a systematic basis.  
  • Who is going to be paying for this?  I see a $6.99/month "snooped data retention" fee coming to a statement near you soon!
  • The ISP is supposed to be capturing credit card numbers, bank account numbers, personal information, which begs questions such as:
    • Who is going to be responsible for storing and safeguarding this information?  
    • Can you imagine what kind of tasty target it would be for a criminal?  How many credit card transactions are flowing through Comcast's network every day?
    • Are the ISPs going to be held to the same data confidentiality laws as everybody else?
      I see PCI, HIPAA and a few others jump out as being applicable here.   Who is going to audit these systems to ensure compliance?
    • (Luckily) nearly every website these days uses HTTPS for credit card transactions.  How is an ISP supposed to capture this information on the wire?
There are so many things wrong with this idea, and they haven't even started implementing it yet.

Seriously? A.k.a. "My adventures with ePolicy Orchestrator"

From the why-oh-why-do-you-hate-me department:

Seriously? We have to break the official IT computer naming policy because your product refuses to be installed on a system that has a (perfectly legit) underscore in its name?

I usually don't get frustrated with a product until after I install it.

It's only after I change the computer name that I get this error on my Windows 7 Professional installation:

Of course, that document is not part of the installation, only the "product guide" is. 

Update 1:
I now have a super duper "Windows Server 2008 R2 - 64 bit" installation.   Guess what I get when the installation starts?  A new error!

"8.3 naming convention"?  Wait...  Didn't you just force me to upgrade to "Windows super duper"? And then you complain that you don't have the features from DOS in 1981?  And no, the "installation guide" doesn't mention anything about this.


Update 2:
After some Googling, a registry change, installing MS SQL, configuring ports, and choosing various passwords (whose complexity requirements are kept a secret), the installer finally got running.

And I was rewarded with....

At this point, only 1 comment makes sense:

Update 3:

Wondering if I was running the latest version, I found out

  • McAfee's beta portal is seriously broken
    • it refuses my (stored) password 
    • it doesn't really execute password resets (although it says it does)
  • That doesn't really matter, since there is an open FTP server from which one can download any beta software they ever released.
  • That also doesn't really matter, since I was already testing with the latest version, EPO 4.6 RC3.
  • The beta seems to expire really quickly, in this case: May 31, 2011 (it was released mid march)
So, staying in the spirit, I used an ancient "hack" technique from the 80s.  It's called "setting the clock back".
Result:
30 minutes of installation dialogs later:


Allow me to say:

Tuesday, July 19, 2011

Pretty Good Ponderings?

Yesterday, I finally got around to generating a new PGP/GPG key pair, and obsoleted 2 old ones.   They were created in 1994 and 1998.   I couldn't even generate a revocation for the oldest one, since the "IDEA" cipher is no longer supported.

Let me rephrase that in context:

I can mathematically prove that I was active in computer security before many of the attackers that I defend against, were born.


In other news:
Gee, I'm old.  But in this industry, we call that "well-tested and peer-reviewed".

P.S.: For those who want the shiny new bits on their keyring, the magic incantation is:

gpg --recv-keys 0x788a1200b221877e

Thursday, June 23, 2011

Yahoo & speed of innovation

While on my quarterly check of “email address that I haven’t used this decade”, I noticed the congratulatory email from Yahoo.

After 13 years of spam-filled ugliness, they are going to upgrade their email interface.    

I will get right on using them again! (Around 2019 or so)

Sunday, March 6, 2011

Psychic computer support

Can you help me with my computer?

Is it no longer working? 
Eh... yeah.. weirdest thing...
Did you let your kids use it?
Yeah, little Billy's computer was acting up...
And you let him use your login, instead of a "Guest" account?
Yeah, it was just for a little while...
And that was a full-privilege administrator account?
Yeah, that's how the computer came...
And you left him alone like that?
Yeah, well, I had to go to work.
So the first thing he did was install "Limewire"?
Yes, how do you know?
So he thought he scored some free music, but nobody told him music files don't end in .mp3.exe?
Eh... what's an EXE?
So he installed whatever the trojan of the week is, and now your computer won't connect to anything any more?
Yeah, exactly!  How do you know?