August 10, 2012
And yet more boring advice…

If you have many email accounts (as so many of us do these days) but don’t much use some (as Mat Honan didn’t much use his me.com address,) you shouldn’t be using one that you ignore as a place for any other provider to send password recovery emails.

And at a deeper level, it is careless to be ignoring any working email account. In the teachable moment of the week, the ignored account was an iCloud (me.com) account, which Apple sent a notification message when they reset the password. That may seem silly, but if MH had forwarding set up on that account or had a connected IMAP IDLE session from whatever mail client he uses or even if he just checked the account every 10 minutes with a smartphone, he would have known of the crack in progress faster.  With providers as careless as they have proven themselves to be, mail accounts get cracked. A user who doesn’t keep a trivial watch on an empty and unloved Inbox won’t see a crack when it happens. If you don’t exercise your ownership of an account, you won’t notice it being stolen. 

11:22pm | URL: http://tmblr.co/ZaUL7yRAht1O
Filed under: security rant
August 9, 2012
Another Stab At The Apple & Amazon Pwning

Inspired by: Secret Security Questions Are a Joke - Slashdot

So-called “Security Questions” have been spreading in use as a mechanism for password recovery, but anyone who knows anything about computer security knows that they are not about securing anything, they are about loosening security.

That’s not altogether bad. The flipside of strong authentication is that it is easy for users to lose the ability to authenticate themselves. Passwords are forgotten, certificates are deleted, temporal PIN gadgets are lost or destroyed, etc. Having a way to reset the primary authentication mechanism helps mitigate that risk. However, the “security question” mechanisms in broad use are mostly far too loose because they draw on a common universe of research-vulnerable questions (e.g. “Mother’s maiden name”) and in many cases (as with Apple and Amazon) are mediated by humans whose jobs are mostly not focused on security, but rather on low-skill customer support for which their employers pay very little. It is not rational to expect that those workers will follow a rigorous security policy that requires them to take time and risk disappointing customers. No amount of security policy rigor can address the problem that security policy is routinely ignored.

It appears that the case of Mat Honan hinged on absurdly weak security question policy at Amazon and a failure at Apple to follow policy in regards to security questions. The best fix isn’t to tighten and try to enforce policy, it is to change the nature of the process. Authentication recovery mechanisms need to meet 2 simple criteria:

  1. The secondary authentication information must be truly secret, known only to the user and the provider.
  2. There must be no way for a special pleading to override the formal mechanism short of persuading the people who defined the mechanism that it should be bypassed.

This means that sometimes users will lose access to their accounts because they can no longer provide either the primary or secondary authentication factors. It may mean that sometimes real security professionals will have to listen critically to the sob stories of careless users. 

For the real world where that sort of change isn’t going to happen in most cases at any point in the near future, smart users must adapt to the fact that most service providers have de facto lax security. I included some user-relevant lessons in my last post but here are a few more concrete ways to stay safe:

  • When offered a choice, pick security questions with non-researchable answers. If your spouse or sibling could answer the question, it’s a bad one. If a Facebook “friend” could answer it, it’s worthless. 
  • Answer bad security questions with memorable and unique lies. For example, you might tell Apple that your mother’s maiden name is Wozniak or that you graduated from Cupertino High School, while telling Amazon that she was born a Bezos and you went to Seattle Country Day School (dunno if that even exists…)
  • Use an email service that provides a way to invent working unique addresses on the fly so that you can give a unique email address to everyone who asks for one. This is easier than you may think, since GMail supports “+” tagging and arbitrary insertion of periods in addresses.
  • Don’t let anyone store a credit card number in their system that can be used by any other vendor. I said this in my prior post but it is worth repeating.
  • Shun providers who behave badly. For example, some time ago a provider who shall remain nameless (as they may have changed) tried to “canonicalize” addresses I gave them by doing transformations on parts that might have been tags and trying to send mail to the modified addresses. Because I use my own complex and obscure mechanism for unique addresses this only meant that they bounced a few messages off my mail server, but the result was that I deleted my account and blocked all of their mail on my mail server.
  • Avoid the temptation of making any online identity a “hub” for everything you do online. Especially avoid this with free accounts (e.g. Google, Facebook, Twitter, Yahoo, etc.) because ultimately those are provided and governed at the whim of the provider. Apple accounts are slightly better because their email accounts are associated with you being a paying customer, but they also can have such serious powers (e.g. remote wipe) that it is unwise to have them hooked to anything else (like a GMail account) that might turn out to be part of an attack surface.
  • Be as autonomous as you can be. Having your own domain name is a start, but it’s just the prerequisite for a stack of DIY online services that you may or may not be up to handling on your own. At a minimum, having your own domain can be the basis for varying degrees of control over your email addresses that you really cannot have if you stick to using addresses in domains that you do not own. 
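The two email-address points above (per-vendor “+” tagging on GMail, and providers that “canonicalize” tagged addresses) can be checked rather than argued about. The following is an added example, not code from this post: it builds tagged addresses the way the post suggests, models the kind of canonicalization a careless provider might apply (lower-casing, dropping the “+tag”, and ignoring dots on the assumed dot-insensitive domains), and reports which of your aliases such a provider would collapse into one mailbox. The `secrets`-based alias on your own domain is the autonomous alternative the last bullet describes; the domain names and sample addresses are constructed for the example.

```python
import secrets

# Assumption for this example: these domains ignore dots in the local part,
# as the post says GMail does. Other providers behave differently.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def tagged_address(base: str, vendor: str) -> str:
    """Per-vendor address via '+' tagging, e.g. jane@gmail.com -> jane+apple@gmail.com."""
    local, domain = base.rsplit("@", 1)
    return f"{local}+{vendor}@{domain}"


def own_domain_alias(domain: str) -> str:
    """Opaque alias on a domain you control: nothing in it hints at a 'base' address."""
    return f"{secrets.token_hex(4)}@{domain}"


def canonicalize(addr: str) -> str:
    """Model of what a sloppy provider may do before matching or mailing an address:
    lower-case it, strip anything after '+', and drop dots where the domain ignores them."""
    local, domain = addr.strip().lower().rsplit("@", 1)
    local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def linkable(a: str, b: str) -> bool:
    """True if canonicalization maps both addresses to the same mailbox."""
    return canonicalize(a) == canonicalize(b)


def collapsed_groups(addresses):
    """Group a list of your aliases by canonical form and return only the groups
    a canonicalizing provider would treat as one identity."""
    groups = {}
    for addr in addresses:
        groups.setdefault(canonicalize(addr), []).append(addr)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample: tagged GMail aliases versus random aliases on an owned domain.
    mine = [
        tagged_address("jane.doe@gmail.com", "apple"),
        tagged_address("jane.doe@gmail.com", "amazon"),
        "janedoe+twitter@gmail.com",
        own_domain_alias("example.org"),
        own_domain_alias("example.org"),
    ]
    for canon, aliases in collapsed_groups(mine).items():
        print(f"{canon} <- {aliases}")
```

Tagged aliases all collapse to one canonical mailbox, which is why a provider that rewrites them can bounce mail or link your accounts; the own-domain aliases do not.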
 

August 7, 2012
The Lessons of Mat Honan’s Very Bad Weekend Are Not Really New

The story is here: How Apple and Amazon Security Flaws Led to My Epic Hacking | Gadget Lab | Wired.com

This is only news because it happened to a writer for Wired. The “hack” didn’t expose any previously unknown vulnerabilities, the children doing it didn’t demonstrate any significant technical skill or use any sophisticated tools,  it was essentially just a case of random vandals digging around online where they could dig easily and telling a few lies to “customer support” staff whose work can never be worth much more than the sub-median 3rd-world wages they are paid.

I’m NOT picking on Mat Honan here. It’s pretty clear that he’s a gadget guy not a security expert and as a journalist I’m sure he gets more and slicker pitches from hucksters who find security a nuisance than from security experts. Real computer security isn’t cool. It isn’t fun. It isn’t in any sense spiffy. If you think it is, you’re a geek. I do not say that as an insult, just to note that we are not normal. I have given up scolding normal people for not being security geeks. It’s pretty well proven that a lot of generally normal people love gadgetry but have no affinity for system security. Mat Honan wasn’t particularly careless or clueless, he just had never absorbed some clues that those of us who work in security have sadly stopped talking about much. Clues that are among the least cool, fun, or in any way spiffy lessons of computer security:

  • Any secret which you share with someone else so that they can authenticate your identity later is a password. That includes things that are not very secret (e.g. “mother’s maiden name”) that can be used to recover or reset “the” password. This means that “security question” access recovery mechanisms are de facto security-weakening tools.
  • Don’t use the same password for different accounts. This is a hard one, since it really is not practical to use a completely different password for every account without using a keyring tool, which ultimately is one password for everything. However, a secure keyring is MUCH better than using just one password everywhere or keeping all of your passwords in a plaintext note in some “cloud” service.
  • Don’t give anyone an unrestricted credit card number or bank account number to store for easy reuse. Yes, I know Amazon, PayPal, Apple, and others all really want this. They are stupid and effectively evil. Really. It’s not in a bad way; they don’t intend to be stupid or evil. That doesn’t make it much better. If you can’t resist easy one-click purchasing, get a Discover or other card that provides single-vendor numbers, so that you can’t break the previous rule with a card number. After all, a credit card number is a password to your money and Mat Honan’s example shows that even a part of a number can become part of a de facto alternative password to your account. The same card number linked to many accounts becomes a common and very weak password to them all and to your money.
  • An authentication system that has a fallback system that lets you recover from a lost or forgotten password is less secure than one which does not.
  • If it can be, human judgment almost always will be the weakest link in any security system. It takes an unusually weak assembly of mechanical security mechanisms to out-fail a person who has the power to circumvent it. If an authentication system includes the ability to call a human and beg for access, that will be the easiest way to break it.
  • Security and convenience are directly and intrinsically opposed to each other. Secure systems are cumbersome, and easy-to-use systems are insecure, not as a result of poor design but by necessity.
  • Using email addresses as unique identifiers for people is irresistible, so they become (sigh) a sort of secondary password. If you use one email address for everything, see the second clue…
  • Incumbent technical constraints are often not seen as part of security but may in fact be critical tacit assumptions for the security of systems that are perfectly functional — but are made insecure — with those constraints removed. Parables of this include WEP, the silly kerfuffle created by Steve Gibson over “raw socket” support in Windows, and a long parade of schemes to stop spam based on assumptions that spammers wouldn’t do things that they so far hadn’t done which basically only demanded audacity and motivation.
  • Email isn’t secure. It can be in specific cases and could be in general with existing tools, but in the real world as it is today the main protection most people have against undetected interception of their email in transit is the fact that there’s so much email in transit all the time and so much of it is pure worthless garbage.  The “needle in a haystack” analogy applies, but a better one would be “corn kernels in the sewer.”
  • Backup is a critical security component because information loss is much more common than and usually worse than information leakage.
  • There are many degrees of security and many degrees of attacker. If you allow yourself to be “low-hanging fruit” you will be vulnerable to low-effort attacks from a huge population of weakly motivated opportunists. The other side of this is that very small improvements in how you maintain your own security can raise your vulnerability above where most random vandals will bother.

These boring old truths have implications for “Cloud” services that sell themselves as hubs for a digital life enabled by frictionless sharing and synchronization and yadda yadda yadda. Mat Honan did things that those of us who are Security Geeks have given up warning against. Those warnings make people who wear ties and sign paychecks doze off and wake up grumpy. We’ve spent the past decade or so biting our tongues and taking paychecks and hoping that it would all work out, but it hasn’t. It never will, because it fundamentally can’t. Systems and applications that are most appealing when used in fundamentally insecure ways cannot be made secure. Systems and applications whose security is dependent on end users practicing good security hygiene will not be secure. Systems and applications whose provider-side security is dependent on adherence to policy rather than operation of tools will always be crackable by social engineering.

None of this is news. Back when the press made a big deal of Kevin Mitnick as a great “hacker” it was known by many people who wore that label proudly with no connotation of criminality that he was in fact just a very good con man with unremarkable technical tools and skills. We have had standards, tools, and tested best practices for online security since before most people had heard of the Internet, but still most service providers don’t bother with them. There is a geek subculture where good security hygiene is the norm and then there’s the world at large where many people use one email address and one password and let all of their accounts everywhere interact freely with each other to the extent that losing one to a random script kiddie essentially means losing them all. People who don’t understand that they have to deal with inconvenience as a price of security and that they can’t rely on providers who promote convenience to maintain security will always be the easiest prey for the largest field of predators.


May 2, 2012
Obama Is No George Bush.

We got a demo yesterday of how wrong all of the “Obama=Bush” bullshitters are and always have been. 

The agreement he went to Kabul to sign helps cement the plan and timetable that has been in operation since the so-called “surge” in Afghanistan that Obama initiated in late 2009. It’s easy to criticize that plan, but it has the very important features of being a plan with a timetable for ending our occupation of Afghanistan requested by the Afghan government. Last night, the President referred to the ongoing phased reduction in forces that will be complete by 2014 as the end to our “time of war.”

That is a highly significant choice of words. Consider what Bush did with the political and legal leverage of the idea that we were “at war” for 7 years. The war in Iraq was rationalized with an edifice of lies, but at the base of that structure was a truth: we were “at war” with a vaguely defined enemy under a vague Congressional authorization for the use of military force. Bush’s failure to take out bin Laden in battle at Tora Bora was entangled with his strategic goal of launching a war in Iraq. Whether one believes that the failure was merely a consequence of a strategic error influenced by the contingencies of prepping for Iraq and a loss of focus or (as I do) that allowing bin Laden and many others to escape into Pakistan was an intentional choice, it is a matter of fact that the consequence of that blunder was the loss of any notional path to a decisive victory in Afghanistan. It became a contest for hearts and minds against an enemy whose leadership was safe from our military: a war that could never be called “over” no matter what we did. Having a war which never can be won or lost and which never calls for intensification is useful to an unscrupulous politician, particularly one who wants to start another war and to justify an attack on domestic civil liberties. Bush used the ongoing and going-nowhere war in Afghanistan politically and legally to justify the invasion of Iraq and the advancement of an authoritarian revolution in US law and public policy. The latter is clear in the rationalizations of torture and the legal arguments over the Guantanamo Bay prison, but it extends to the so-called Patriot Act, “homeland security” projects, and even the uses of the “unitary executive” theory in widespread areas of domestic governance. Agencies like NASA and EPA found themselves with political overseers silencing their scientific work on the pretense that as Commander in Chief in wartime, the President had no limit to his power over the Federal government.

The highly flexible authorizations given Bush for both wars were used to expand executive power and weaken the controls on politicization of government functions. The wars without end also provided cover for insane fiscal and economic policies that led to the 2008 collapse and the current political gridlock over the budget: artificially low interest rates, deficits, spending tilted towards military rather than domestic needs.

Obama has followed through on the withdrawal from Iraq that was negotiated in late 2008 as he was campaigning on scheduled withdrawal and McCain was still rejecting the whole idea. He has negotiated a similar plan for Afghanistan despite resistance from the Right and he has cemented that plan with a long-term agreement for strategic cooperation that is predicated on ending our combat deployment by 2014. Force reductions have started and will continue. He has described this in a major address to the nation as an end to our time of war. Could anyone believe that Bush would have EVER given up the productive tool of a Forever War? John McCain made it clear in 2008 that he wouldn’t. Much of the GOP has been agitating for war with Iran, a project that Obama shows no signs of adopting. You can call this a cynical declaration of victory to cover a retreat but even if it is, how is it a bad thing? Is there anything to be gained for anyone for the USA to frankly declare Afghanistan a lost cause as a premise for withdrawal instead? I think not. Should we pull out as fast as possible and tell the people of Afghanistan that they are on their own in holding the Taliban at bay while they figure out how to govern their country sanely? I think we tried that once, and it was bad for them and for us. 

I think that Obama’s choice of words is important, and that it raises the profile of the real stakes of the election. Those who have argued that it does not matter if Romney wins because Obama has not reversed the damage done by Bush using the excuse of war need to review their estimations. Does anyone really believe Romney would stick to Obama’s plan to give up the excuse of war by 2014? One need only look at the way he has pandered to the Far Right for the past 4+ years and adopted Loyal Bushie neocons for foreign policy advice to change that belief. There will be no end to war with Romney. We have a timetable for an end with Obama. It matters.

7:21pm | URL: http://tmblr.co/ZaUL7yKmDXM2
Filed under: politics rant