Archive for Security
24th April, 2008 at 08:54 PM PDT · Filed under Security, Software
Although OpenID’s ubiquity is still growing, we already live in a world of “single sign-on,” although in a much smaller scope. Take Google for example: your one Google account authenticates you to your email, RSS feeds, stocks, AdSense, Analytics, and anything else you use. While that makes life easy for you, that one login gives away your life history through all the services you use. If someone else got hold of your login information, they could change the password and your alternative email address so that you would be unable to log in to or recover your account. Not only that: if your login details were stolen while you were using, say, Google Talk, it’s not only your Google Talk account that you would have lost, it’s your entire Google account.
However, I think there’s an easy solution to this. Analogous to a well-configured Linux system, you don’t log on as root unless you intend to modify some important part of the system. By sticking to a lowly, regular user account, you don’t give yourself privileges that you do not need. This model could work just as well for website logins. While you still keep the same login name, services should allow their users to assign alternative passwords that each carry a different set of privileges. For example, my second password would only allow me access to my messenger account and nothing more. If that password gets stolen, I can log in with my “root” password and remove the compromised login. While all of my contacts may have been deleted or stolen, the attacker never had access to my email account.
I think it’s a novel idea. Now, if only MSN and Google would implement it! That way, I might be able to use one of the only decent IM programs for Pocket PC (they all connect through a company’s proxy).
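The scheme this post describes, written out as an added example (this is not code from the post or from any real service): one account holds several passwords, each mapped to its own privilege set; only the “root” password can issue or revoke a limited password, and a limited password can never carry root. The class, scope names and sample passwords are assumptions made for illustration.

```python
"""Added example: one login name, several passwords, each with its own privilege scope."""
import hashlib, hmac, os, secrets

ROOT = "root"  # assumed scope name for the full-privilege password


class ScopedAccount:
    def __init__(self, username, root_password):
        self.username = username
        self._creds = {}  # label -> (salt, pbkdf2 digest, frozenset of scopes)
        self._add("root", root_password, {ROOT})

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _add(self, label, password, scopes):
        salt = os.urandom(16)
        self._creds[label] = (salt, self._hash(password, salt), frozenset(scopes))

    def authenticate(self, password):
        """Return the scope set this password unlocks, or None if it matches nothing."""
        for salt, digest, scopes in self._creds.values():
            if hmac.compare_digest(self._hash(password, salt), digest):
                return scopes
        return None

    def add_scoped_password(self, root_password, label, scopes):
        """Only the root password may mint a limited password; root scope is never delegated."""
        if ROOT not in (self.authenticate(root_password) or ()):
            raise PermissionError("root password required")
        if ROOT in scopes:
            raise ValueError("limited passwords cannot carry the root scope")
        password = secrets.token_urlsafe(16)  # service-generated, like an app password
        self._add(label, password, scopes)
        return password

    def revoke(self, root_password, label):
        """Remove a compromised limited password; the root entry itself cannot be revoked."""
        if ROOT not in (self.authenticate(root_password) or ()):
            raise PermissionError("root password required")
        if label == "root":
            raise ValueError("cannot revoke the root password")
        del self._creds[label]

    def allowed(self, password, scope):
        scopes = self.authenticate(password)
        return scopes is not None and (scope in scopes or ROOT in scopes)


def demo():
    root_pw = "correct horse battery staple"  # constructed sample, not a real credential
    acct = ScopedAccount("alice", root_pw)
    im_pw = acct.add_scoped_password(root_pw, "messenger", {"messenger"})
    before = (acct.allowed(im_pw, "messenger"), acct.allowed(im_pw, "mail"))
    acct.revoke(root_pw, "messenger")  # the stolen messenger password is cut off
    return before + (acct.authenticate(im_pw), acct.allowed(root_pw, "mail"))
```

`demo()` returns `(True, False, None, True)`: the messenger password reaches only the messenger, is dead after revocation, and the root password still reaches everything.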
16th April, 2008 at 12:35 PM PDT · Filed under Design, General, Security
I just noticed that RapidShare had implemented a CAPTCHA with cats and dogs (I haven’t been to RapidShare.COM for a while). Their original one wasn’t that hard to break. The new one is interesting because it requires a human to recognize the animal that is shown. Computers can’t do that.

But it still looks weak. It appears that RapidShare uses the same image for the cat and dog in every CAPTCHA. It would be easy for a program to find the cat and dog images in the CAPTCHA, extract them, identify them, and remove them from the image so that the text can be very easily OCRed. If RapidShare distorted the image, used different fonts, added random lines, and used different images for the animals, then they would have a real chance against those automated download programs. In fact, I wouldn’t be surprised if it has already been broken.
Edit: Well, (unfortunately…) it appears they have now added distortion and blurring… >.>
31st October, 2007 at 03:15 PM PDT · Filed under Security
I recently acquired a new PGP key that you can use to create encrypted messages that only I can open. This move was spurred by my switch to Thunderbird, fueled by Gmail’s newly added support for IMAP (now Yahoo! needs to follow along…). To sum it up, PGP (Pretty Good Privacy) uses public-key cryptography to create a pair of keys: a private one and a public one. Anyone can use the public key to encrypt a message, but only the holder of the private key can decrypt it. You will need a PGP implementation such as GnuPG to send me encrypted messages.
31st October, 2007 at 01:46 AM PDT · Filed under Security
Using an encrypted SSH session as a way to tunnel your communications has several advantages: (1) system administrators cannot spy on your activities, (2) you will not become a victim for using an unencrypted wireless access point, and (3) you can bypass website and service blocks. I won’t cover how to set up an SSH server here though. *nix and BSD users already have sshd and man sshd_config to help them, while Microsoft Windows users have a plethora of articles on the subject.
What concerns me, then, is how to get ssh going automatically, possibly at the startup of your computer, so you have a tunnel ready to use when you need it. I won’t be using the ever-popular PuTTY telnet/SSH client though; *nix’s SSH client is far more customizable, and it’s available for Windows too. You can get ssh by installing Cygwin (a large package) or just OpenSSH for Windows.