OpenID Connect

I’ve been doing some work with OpenID and OAuth lately, making use of the excellent DotNetOpenAuth library. I am pretty much a beginner when it comes to these technologies, but I have been able to get up-to-speed fairly quickly. I was a big fan of Facebook Connect, and I quite like the new Graph API too (which uses OAuth 2.0). Though it was easy to develop against, I think the biggest benefit of Facebook Connect was the excellent end user experience. It was consistent and simple.

In contrast, OpenID is a little more cumbersome, and a lot less consistent. The discussion on how to make it easier and sexier has been going on for a while now. It seems like some significant progress will be made this week when OpenID Connect is discussed at the Internet Identity Workshop. What is OpenID Connect?

We’ve heard loud and clear that sites looking to adopt OpenID want more than just a unique URL; social sites need basic things like your name, photo, and email address.

We have also heard that people want OpenID to be simple. I’ve heard story after story from developers implementing OpenID 2.0 who don’t understand why it is so complex and inevitably forget to do something. Because it’s built on top of OAuth 2.0, the whole spec is fairly short and the technology easy to understand. Building on OAuth provides amazing side benefits such as potentially being the first version of OpenID to work natively with desktop applications and even on mobile phones.

Chris Messina has some additional thoughts on the proposal here:

After OpenID 2.0, OpenID Connect is the next significant reconceptualization of the technology that aims to meet the needs of a changing environment — one that is defined by the flow of data rather than by its suppression. It is in this context that I believe OpenID Connect can help usher forth the next evolution in digital identity technologies, building on the simplicity of OAuth 2.0 and the decentralized architecture of OpenID.

It sounds very exciting – I hope OpenID Connect becomes a reality!

Alberta Budget 2010 website – security through obscurity

Tomorrow, Tuesday, is budget day here in Alberta. Like many Albertans, I am curious about what Finance Minister Ted Morton is going to deliver, so I started poking around online. First stop, last year’s budget, available at http://budget2009.alberta.ca/.

Seems logical that the 2010 budget would be at http://budget2010.alberta.ca. So I tried that URL, and was prompted with a login screen. First thing that came to mind was “administrator” and “password”. Voila:

Fortunately for Mr. Morton, the documents don’t appear to have been uploaded yet. You can see all the placeholders though, which is kind of funny. And it seems you can leave feedback.

It does reveal the theme of the budget, Striking the Right Balance. Last year was Building on Our Strength.

This is what is known as “security through obscurity”. It’s not really secure; it’s just hidden. I’d suggest that programmers working at the Government of Alberta invest in Writing Secure Code, a fantastic book on the subject.

I hope this isn’t a reflection of the budget we see tomorrow…cutting corners, etc.

UPDATE: Sometime around 9:45 AM today they changed the password, and I think pointed the virtual directory somewhere else.

UPDATE2: The Journal wrote about this today.

UPDATE3: The site is now officially live with all the budget documents. Enjoy!

Putting my New Year’s energy to good use

I’m not really a fan of New Year’s resolutions, though like many people I often feel re-energized at the start of a new year. Instead of putting that energy into a list of year-long tasks or goals that would inevitably be abandoned, I decided this year that I’d try to capitalize on that energy to accomplish a few things I often put off. I settled on three things: passwords, backups, and bills.

I feel pretty good about my strategy for passwords, with one exception – I don’t change my passwords often enough. Sometimes I get lazy and use an existing password when I sign up for a new site, but the important sites all have unique, randomly generated, strong passwords (well as strong as they can be…I still can’t believe that banks don’t allow special characters and long lengths). It’s good security practice to change passwords regularly, but that never seems to happen. Over the last week, I’ve changed all my passwords. I started with the list of sites and services that I use regularly, and changed everything else as it came up. I’m sure there are a few that I’ve missed, and I’ll change them the next time I need to login. It wasn’t as hard as I thought it would be actually!

The second thing I tackled was backups. Despite having pretty good systems in place to back up Paramagnus stuff, I don’t have a good process for my personal stuff. I still don’t, but I did manage to accomplish a few things. First, I bought a new hard drive and copied everything from my existing data drive onto it. I’ll store the old one somewhere safe now. Second, I backed up a bunch of stuff to Amazon S3. It’s inexpensive, fast, and easy. Lately I’ve been using CloudBerry Explorer; it’s a great app! I’m going to try to back up important data more regularly, but that’ll be an ongoing thing.

The final thing I did? I turned off paper bills. I logged into every site that I currently receive something in the mail for and found that almost all of them have a “go paperless” button buried somewhere in the interface (some call it “change notification options” or something similar). I typically shred bills as soon as they arrive anyway, so why receive them at all? I do everything online, and I have no need for the physical copies. Now it’ll really be a unique experience to receive something in the mail!

I’ve got a number of things on the go that require time and energy of course, but these were my “New Year’s tasks” if you want to call them that. Anyone else shun resolutions in favor of accomplishing something right away?

All browsers have security issues

You may have heard in the last day or so about a critical flaw found in Internet Explorer. Microsoft says that “the vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.” The risk is mitigated if you run an account with fewer privileges or if you run IE in the High security mode. As always, you should ensure your machine is up-to-date with all of the latest patches at Microsoft Update (you can also find downloads at the Microsoft Download Center).

Unlike most zero-day exploits, this one is actually infecting systems fairly quickly. That’s probably why Microsoft decided to take immediate action. As the Zero Day blog points out:

Researching, fixing, testing, and releasing a security patch within an eight day window is an incredible feat — especially given the need to support all versions of IE across all platforms and languages. This is an ‘all hands on deck’ response from Microsoft – I don’t think we’ll see this as the norm for less critical patches in the future as it is quite disruptive to their own processes.

Make sure you update soon! Like right now!

When a vulnerability like this is disclosed, a common suggestion is to install and use a different browser, such as Firefox. That’s not a bad idea, but don’t think that will solve all of your problems! All browsers have security issues. Yesterday, for instance, Opera released an update to address at least seven security vulnerabilities. And today, Firefox released updates to both versions 2 and 3 to patch roughly a dozen security holes. And no, Chrome and Safari are not off the hook – just two days ago, they tied for last place in a test of password security.

Always make sure you’re running the latest version with all patches installed, no matter which browser you’re using. On top of that, be careful, pay attention, and use common sense when clicking links and opening files.

Just use OpenDNS

Unless you frequent tech publications on the web, you’re probably not aware that a critical flaw in many DNS implementations was found recently (DNS is what translates www.google.com into an IP address – learn more at Wikipedia). On July 7th, news of the design flaw that researcher Dan Kaminsky discovered started to spread. The next day, many vendors (including Microsoft, which hosted the press conference) participated in a coordinated release of patches. A few days ago the first exploit code started to appear, making it even more critical that DNS systems are patched soon.

As of today, many major ISPs are not patched and remain vulnerable. You can see if your ISP is vulnerable by visiting Kaminsky’s site and clicking the “Check My DNS” button on the right side.

Or, you can just switch your DNS servers to OpenDNS and be done with it. I came across OpenDNS on the day it launched two years ago, and have used them on some machines ever since. Turns out that OpenDNS is one of the few that were unaffected by this flaw:

I’m very proud to announce that we are one of the only DNS vendor / service providers that was not vulnerable when this issue was first discovered by Dan. During Dan’s testing he confirmed (and we later confirmed) that our DNS implementation is not susceptible to the attack that was discovered. In other words, if you used OpenDNS then you were already protected long before this attack was even discovered.

Switching your DNS settings to OpenDNS is really simple and takes about two minutes. To get started, just visit http://www.opendns.com/start and follow the instructions. Or if you know what you’re doing, then the nameservers you want are 208.67.222.222 and 208.67.220.220.
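The coordinated patches for the flaw Kaminsky found work by randomizing the source port of a resolver’s outbound queries, so that an attacker has to guess far more than the 16-bit transaction ID. As an added example (not code from this post, OpenDNS or Kaminsky), here is a small check that a defender can run over a capture of their own resolver’s outbound queries to see whether its ports look randomized; the capture format and both samples are constructed for the example.

```python
"""Check whether a resolver's outbound queries look like they randomize source ports.

Added example; not code from the post, OpenDNS or Kaminsky. Input is a constructed
capture of outbound query records, one per line: <txid hex> <source_port> <queried_name>
"""
import math
from collections import Counter

# Constructed capture from a resolver that pins a single source port (unpatched behaviour).
FIXED_PORT_CAPTURE = """\
4a1f 32768 www.example.com
1c77 32768 mail.example.com
9b02 32768 ns1.example.net
e310 32768 cdn.example.org
7f5d 32768 www.example.net
03aa 32768 imap.example.com
"""

# Constructed capture from a resolver that picks a fresh random port per query (patched).
RANDOM_PORT_CAPTURE = """\
4a1f 41233 www.example.com
1c77 58012 mail.example.com
9b02 34871 ns1.example.net
e310 60215 cdn.example.org
7f5d 49902 www.example.net
03aa 37744 imap.example.com
"""


def parse_capture(text):
    """Return a list of (txid, source_port) tuples; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        txid, port, _name = line.split()
        records.append((int(txid, 16), int(port)))
    return records


def entropy_bits(values):
    """Shannon entropy (bits) of the observed value distribution."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess(records):
    """Summarise port and txid diversity; flag a fixed source port as the dangerous case."""
    ports = [p for _, p in records]
    txids = [t for t, _ in records]
    max_bits = math.log2(len(records)) if records else 0.0  # best possible for this sample size
    port_bits = entropy_bits(ports)
    return {
        "queries": len(records),
        "distinct_ports": len(set(ports)),
        "port_bits": round(port_bits, 2),
        "txid_bits": round(entropy_bits(txids), 2),
        "fixed_source_port": len(set(ports)) == 1,
        "ports_look_random": bool(records) and port_bits >= 0.9 * max_bits,
    }
```

Capture a few hundred real outbound queries before drawing conclusions; six records only illustrate the two extremes.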

As always, make sure you have installed all of the latest patches for your computer (that would be Automatic Updates for Windows users).

Yahoo and Google become OpenID providers

The OpenID single sign-on project got a major boost this week when Yahoo announced it would enable its 250 million users to use their Yahoo logins for authenticating at OpenID websites. And just yesterday, Google announced that Blogger accounts can now be used as OpenID logins. OpenID is definitely gaining momentum.

So what is OpenID?

OpenID eliminates the need for multiple usernames across different websites, simplifying your online experience.

You get to choose the OpenID Provider that best meets your needs and most importantly that you trust. At the same time, your OpenID can stay with you, no matter which Provider you move to. And best of all, the OpenID technology is not proprietary and is completely free.

It’s a really good idea, and works fairly well in practice. I think a major question new users will have is, which provider should I use?

See, I think most users have a Yahoo account and a Google account, and many others. There are tons of sites that act as OpenID providers. Which one should you choose? How do you decide which to use as your provider?

I guess it wouldn’t matter if you could combine them somehow. I don’t know enough about OpenID to know if that’s possible. Anyone reading this have any idea?

Read: OpenID

I’ll say it until I’m blue in the face

There is no privacy on the web.

Early this morning, Robert Scoble’s Facebook account was disabled because he violated their terms of service by scraping data from the site. That caused a flood of posts from people saying that either Scoble was wrong or that Facebook got what it deserved. Most people siding with Scoble said that as he owns his data, not Facebook, he was in the right. He should be able to do with it whatever he wishes. Except that he doesn’t own all the data. Would his friends be happy to find out that he was taking their data elsewhere without their knowledge?

Not that it matters. It should be a non-issue. If everyone realized the truth – there is no privacy on the web – no one would be up-in-arms about the whole situation.

Sure there is something to be said about Facebook only sharing data when it makes good business sense for them to do so. Some might say that’s evil, others might say that’s business. Either way, it all boils down to privacy. Facebook gives you the impression that your data is secure, but it really isn’t.

There is no privacy on the web.

Scott Karp rightly points out that data is power. He suggests a war will be fought over control of data. I wonder though, if such a war can ever have a victor? Does Scoble own the data in his account? Does Facebook? What about his friends, don’t they own some of it? What about advertisers, surely they own some of it? Other companies? I think it’s a pointless battle. There’s far too much entanglement.

Forget trying to control the data. Let it flow freely. Forget trying to keep things secret. If there’s something that must be kept private, don’t post it on the web.

There is no privacy on the web.

Don’t fool yourself into thinking you’re safe. With each passing day we give up a little bit more privacy than the last. The bottom line is that we almost always choose convenience over privacy, whether we know it or not. There’s a reason that concepts like identity theft didn’t really exist a hundred years ago. We share more information about ourselves now than individuals did back then, and we think nothing of it. Of course, accessing and distributing that information is easier than ever too, thanks in large part to the Internet.

Everything you think you know about privacy in the physical world is meaningless in the virtual world. The rules of the game are completely different.

There is no privacy on the web.

Read: Techmeme

The Gatekeepers of Privacy

As you know, I don’t worry that much about online privacy. In fact, I think it’s a huge waste of time to be overly concerned about privacy on the web. I always keep two things in mind:

  1. There is no such thing as private information.
  2. If someone looks at information online and draws a negative impression about me, I have larger problems than privacy to worry about.

So far my strategy has been working fairly well. To my knowledge I haven’t missed out on any opportunities because of information about me found on the web – quite the opposite in fact.

For some reason though, I am fascinated by the worries and concerns of others when it comes to information privacy. And believe me, there are a lot of worriers out there. So many, it seems, that Global TV‘s troubleshooter looked at the security of Facebook and other popular websites last night (unfortunately they haven’t fully embraced the new web, and the video is not available on their site).

They contacted a local “hacking” firm, and asked them to review Facebook, Gmail, and other popular sites. The gentleman they spoke to couldn’t have been more cliché – long hair, super geeky, could be mistaken for a girl, you know the type. Anyway, they apparently spent over 30 hours trying to “hack” into Facebook and couldn’t get in. I just shook my head through all of this. They deemed Facebook “very secure”. Well, problem solved I guess, haha!

Then they spoke to a professor from the UofA (if I remember correctly) who said that living under the assumption that your information is safe is a dangerous thing to do. Finally someone smart! The segment then ended with the anchors asking each other if they were on Facebook (they aren’t, unfortunately). Oh and the suggestion that you should read the privacy policy of every site you visit (yeah, cuz that’s going to happen).

It doesn’t matter how secure Facebook is. Privacy is not about technology. If someone wants to find out something about you, they will. Social engineering, dumpster diving, and many other techniques are far more effective than trying to hack into a site like Facebook. More importantly, there’s no need to – just create your own Facebook account! Chances are, the person you’re interested in hasn’t adjusted their privacy settings anyway.

For its part, Facebook follows two core principles:

  1. You should have control over your personal information.
  2. You should have access to the information others want to share.

A respectable policy, no doubt. Here’s the problem though. Let’s say I give access to certain information only to my brother. No one else (in theory) can see it, right? Wrong. I can give my brother access to the information, but I can’t restrict him from doing something with it.

Technology is just a tool. People are the gatekeepers of privacy.

BitTorrent Exploit Discovered in Opera

As much as I love Opera, it is still just software, and that means it too is vulnerable to security issues. Maybe not as badly as IE or Firefox, but vulnerable nonetheless. That said, I’d be remiss if I only posted about Opera’s positives and ignored this bit of news:

It is being reported that Opera v9.20 is vulnerable to an attack which causes it to consume 100% of its host machine’s resources, rendering the PC unusable.

There is currently no work-around so anyone worried about this situation should disable the BitTorrent engine within Opera by following the instructions found on Opera’s site.

Fortunately I wouldn’t have been affected by this. The first thing I did after installing Opera 9.2 was disable BitTorrent downloading in the browser, as I much prefer µTorrent.

Read: TorrentFreak

Windows Vista Exploits Exposed!

I was going to post something last week about the “fatal flaw” found in the speech recognition feature of Windows Vista, but I never got around to it. And now, thanks to Long Zheng’s brilliant post, there is simply no point. Here’s a snippet:

Last week, the media went schizophrenic over the Windows Vista speech recognition ‘loophole’ which allowed anyone with a microphone to have full access over your computer. Granted, you must also be partially-deaf, turned your speaker volume to full, carefully place your microphone next to the speakers, turn on speech recognition and train your speech profile as if you were someone else.

The rest of the post is quite funny, and discusses other possible exploits such as the mouse and keyboard, and Visual Studio. Definitely worth a read!

Read: Long Zheng