Category Archives: Personal

Websites Intentionally Disabling Password Managers

It wasn’t just me.  The folks at Wired have noticed that some web sites are not really very password manager friendly.

I travel fairly often.  Lots of that travel is for work but I do get around on personal business and to get away.  One of my go to sites for travel is Hilton dot com.  I’ve been a Hilton customer for a long time.  I like their hotels.  I think they treat me well where ever I go.  This isn’t an advertisement for Hilton; your mileage (and accommodations) may vary.

When you sign in at the Hilton site you typically see a prompt for a user name and password along with a check box for ‘remember me’; where the site drops a site cookie to your browser.  This window also has ‘forgot your sign in’ and ‘register for site’ dialogues.

The annoying thing is that Hilton has added a check to see if you are a robot.  It seems like if the cookie isn’t found in your browser, the site will add a robot test to see if the session has a user attached.  I found the test usually involves matching text to pictures.  The annoying thing about the test is that if you often clear cookies (like many security researchers and I do) you’ll run into this robot check more often than the general public (many of whom unknowingly tolerate cookies).

If I use my password manager this test comes up after that software has filled in the username and password fields and submits that data; so my login fails.  Once that fail happens I have to complete the form and the robot test manually and then submit.

It is mildly annoying but I’m still spending lots of time at Hilton properties.

 

Respect and the Internet

Perhaps my lowest moment as a user of the Internet came years ago.  Until recently if you searched for me by name on Google and used the keyword ‘Firewall’ you’d see at the top of the search list a reference to an email exchange I had with some anonymous Internet user back in the early 2000’s.  This person was on a Firewall mailing list and making assertions about the Cisco PIX Firewall.  At that time I worked for Cisco and worked closely with the PIX team. This person made the statement that ‘the PIX ran Linux’.   I responded that it did not.  This person then went on to tell everyone that it did and stated some incorrect reason.  I reasserted that it did not.  This went on for several messages.  Finally in a moment that I wish I could take back I wrote that this person “did not know what they were talking about”.

While that may not sound harsh; I escalated the level of confrontation in this conversation.  The other party didn’t just have the facts wrong about the PIX.  They didn’t know what they were talking about.

As I write this; what I did doesn’t sound so bad.  It was.  At that time the Firewall community was smaller and the list this appeared on was important.  What I did was step down to a level lower than I was comfortable with.  I wouldn’t have said this if the person was in front of me or even on a conference call.   I didn’t hide behind a false pseudonym; I had attached my up until that point good name to this message.  Other people saw this and commented back to me that I should not have ‘lost it’.

This was ages ago in Internet time.  Since then my son has grown up on the Internet and I’ve heard way, way worse coming from the speakers attached to our Playstations and xBoxen.  I rarely read the comments associated with news articles for the same reason.  Because we allow anonymity in many forums and don’t require people to attach their real name to their comments; we are left with often vile filed and worthless comments and diatribes.

What I learned from that exchange was an important lesson about respect.  Both respect for other’s and self respect.  I had stooped low.  I should ‘t have.  I’ve learned that on the Internet it’s better to be silent than disrespect another user whether they are anonymous or not.  I now know better that these type of exchanges are too often meaningless in that they don’t change anyone’s mind and only serve to lower other’s opinions.  I learned that I have more self respect than that.

Surveillance Law from Standford University via Coursera

In the past week I completed the work for the first MOOC (Massive Open online Course) that I’ve ever taken.  The course was Surveillance Law which I completed via Coursera. Let me start by saying that this course was fantastic.  The presenter, Jonathan Mayer from Stanford did a great job delivering a series of short lectures that introduced and discussed US surveillance laws from technical and legal perspectives.  The readings were great on that Mayer and the course team choose great materials but also advised participants when to read and when to skim.  The lectures and materials covered topics and news that happened just weeks and months ago; so the overall course was tremendously relevant and informative.

The discussion forums in a MOOC can be pretty daunting.  There were many, many people participating.  I read a number of messages and threads that I felt were off topic and became less interested in participating there.  I regret that now as I later learned that a number of regional, online (Google hangouts?), and over the phone study groups formed.  I would have liked to participate in one of those.  The constant “we’re screwed’, ‘the government is watching us’ attitudes expressed and off topic back and forth in some (many) of the discussions had turned me off.  I realize now they turned me off too soon.

Among what I thought were the highlights of the course:

How to Read a Legal Opinion, A Guide for New Law Students by Orin Kerr was a fantastic read.  Thank you.

Liberty and Security in a Changing World, Report and Recommendations of The President’s  Review group on Intelligence and Communications Technologies. I had seen and read this document before but i reading it again in contect with the lectures i got so much more out of it.

– Jonathan’s great red t-shirt

– An archive of all of the course lectures appears on Youtube!

I would highly recommend this course to anyone interested in criminal justice or surveillance law.  I’d also highly recommend Jonathan Mayer as a course instructor.

 

 

Good References on Securing Mac OS/X

After reading Thomas’ article on re-evaluating the safety of Mac OS/X last week I finally managed to bring most of my Apple equipment up to current.  I checked all the network devices and updated most of those.  My Windows machines are all current.  I do have that one Mac that won’t run a current OS.  I read a great tips article over at Naked Security about bringing that as close to protected as possible.

Password Managers & Escrow

Five years ago I made a decision to move from PasswordSafe to AgileBits 1Password.  As someone in the security field I’ve always tried to practice what I preach and using different passwords for different sites and cycling passwords (changing passwords every N months) is important.  I looked at a number of different password management solutions.  I enthusiastically moved to 1Password as it offered everything I was looking for.  Early on I used a local database but after becoming comfortable with the product I moved to using a shared database stored at DropBox.

One of the other password managers I looked at was PasswordBox.  PasswordBox offers an application that includes the capability to sync passwords back to ‘cloud’ storage at the developers site and is available for Mac, Windows, and mobile platforms.   When I first looked at this my concern with PasswordBox was that there was no knowing how my passwords would be secured given the applications storage model (i.e stored where?).  With 1Password storage is either local or at DropBox.  The 1Password folks have been called out on encryption (Cult of Mac 2012, Lifehacker 2013TraxArmstrong 2013 ) numerous times over the past years.  I followed that controversy and think the AgileBits team handled it well so I have no reservations recommending 1Pasword with DropBox.

Using any password manager one of the harder problems seems to be keeping the browser plug-in alive.  As Firefox has marched through release after release I’ve had to update the plug-in and recently had to uninstall / reinstall the plugin after the 1Password major version change.  That’s just one browser.  I try to keep 1Password running in Firefox, Safari, and Chrome.

Something that I have been looking for as a feature of a password manager has been some way to do password escrow.  That is creating the means to pass on information in my password manager should something happen to me.  The simple way of doing this is to give someone I trust the password to my password manager.  The downside is that the act of giving that password information creates a potentially huge point of friction.  You have to ask yourself ‘Will the person I gave that password to do the right thing at the right time?’.  Giving someone the password also equates to giving them the keys to everything.  You lose the capability to purge some information you don’t want to pass on.  One way around that is the capability offered by an application such as Legacy Locker.

Legacy Locker and other apps like it (Perpetu) offer a service that passes on usernames and passwords that you select to some person or people that you designate in the event that you ‘in theory’ pass away or become permanently incapacitated.  All of these offer some form of credential or service escrow capability.  They solve a very difficult problem that is faced by virtually all Internet based service providers; how to allow someone other than the user who agreed to the terms of agreement and opened the account into an account.

My advice regarding password managers is that more people should use them.  They are an important tool to maintaining one’s individual security on the Internet.  In order to be truly useful across multiple devices a password manager needs to use some common storage point and using Internet Cloud based storage works.  The key to using Cloud based storage and keeping your passwords secure is making sure the manager supports strong encryption.

The End of My Morton’s Neuroma?

So for the past five or more years I have suffered along with pain in my left foot.  At times the outside of my my foot; near the small toe would go numb.  At other times it would feel like someone was using pliers to pull the forth toe out of my foot.  It hurt.  And when it hurt it hurt a lot.  My foot would almost always hurt after walking or exercise.  To alleviate the pain I would take Ibuprofen.  Most of the time it took 800 MG of Ibuprofen to ease the pain.  This was caused by what several Doctors diagnosed as a Morton’s Nueroma.

After seeing two perfectly competent Podiatrists I learned an important life lesson.  You can’t really fix a Morton’s Nueroma without cutting it out.  That was not the lesson.  The life lesson was that not all Podiatrists are surgeons.  Podiatrists seem to believe that you can “cure” a Morton’s Nueroma through the use of orthodics.  While providing some relie (I can alk for 30 minutes without pain with orthodics as opposed to 10 minutes without); using orthodics has never worked for me.  After some short time the pain would return.  My current Podiatrist is also a (great) Podiatric Surgeon.

Last Thursday morning my Podiatric Surgeon performed a surgical procedure to remove the large nueroma in the third inter space on my left foot.  The surgery went well.  I came home and rested.  I’ve had no pain at all.  I had a good deal of swelling which subsided Friday night.  I have had some itchiness near the site of the surgical wound.  My foot feels great.

Questioning the Value of CISSP

What if everyone let his (or her) CISSP lapse?

 

Dave Piscitello is a 37 year networking and Internet veteran who now
focuses on Internet Security who wrote an interesting essay about his
views of the CISSP certification. Good read. Not a rant. He makes
fine points but he really doesn’t completely describe how he would
address these issues.

 

http://securityskeptic.typepad.com/the-security-skeptic/2011/08/what-if-every…

Back from Vacation!

OK.  It wasn’t all vacation.  July saw me in Las Vegas with my employer managing the Security track and speaking at a conference.  I came back to almost three weeks of over due work.  I cleared that all up AND THEN I took two weeks off with the family.  Onward and upward!

The NY State Cyber Security Conference, June 7-8, 2011 in Albany NY

Last week I attended the 14th annual NY State Cyber Security
Conference held at the state office and conference center complex
(under The Egg) in Albany, NY. The 6th Annual Academic Symposium on
Information Assurance ran concurrently with the main conference. This
was my forth year attending the event and I really enjoyed the
conference and symposium this year. They were both very well
organized and presented.