<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE rss [<!ENTITY % HTMLlat1 PUBLIC "-//W3C//ENTITIES Latin 1 for XHTML//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml-lat1.ent">]>
<rss version="2.0" xml:base="http://www.geekwisdom.com/dyn">
<channel>
 <title>Geek(Wisdom).com - Security/Privacy</title>
 <link>http://www.geekwisdom.com/dyn/taxonomy/term/21/0</link>
 <description></description>
 <language>en</language>
<item>
 <title>Check out my awesome video tutorials!</title>
 <link>http://www.geekwisdom.com/dyn/node/199</link>
 <description>I currently make how-to videos on computer-related topics. Check out my videos at either&lt;br &gt;
&lt;a href=&quot;http://youtube.com/user/wartex8&quot;&gt;Youtube&lt;/a&gt; or &lt;a href=&quot;http://revver.com/u/wartex8&quot;&gt;Revver&lt;/a&gt;</description>
 <category domain="http://www.geekwisdom.com/dyn/taxonomy/term/23">Operating Systems</category>
 <category domain="http://www.geekwisdom.com/dyn/taxonomy/term/21">Security/Privacy</category>
 <category domain="http://www.geekwisdom.com/dyn/taxonomy/term/24">Systems Administration</category>
 <pubDate>Mon, 12 May 2008 16:07:37 -0400</pubDate>
</item>
<item>
 <title>Outlook and Outlook Express Users Want to Reply to Digitally Signed E-mail</title>
 <link>http://www.geekwisdom.com/dyn/outlookusers</link>
 <description>&lt;p&gt;You are probably reading this post because you are an Outlook or Outlook Express user and you tried to reply to a digitally signed e-mail from me. The result was a warning/error notice stating, &quot;You cannot send digitally signed messages because you do not have a digital ID for this account.&quot; or some such thing. You are receiving this notice because Microsoft made a mistake in the default configuration settings when it packaged Outlook and Outlook Express for distribution.&lt;/p&gt;
</description>
 <category domain="http://www.geekwisdom.com/dyn/taxonomy/term/21">Security/Privacy</category>
 <pubDate>Fri, 25 Apr 2008 11:17:03 -0400</pubDate>
</item>
<item>
 <title>Accounts everywhere!</title>
 <link>http://www.geekwisdom.com/dyn/node/194</link>
 <description>I&#039;ve been thinking about all the Internet sites that I&#039;ve created accounts on for one reason or another. It has to be in the hundreds. Of those sites I wonder how many of them would let me delete my account completely. Very few I bet. Probably the most universal method of deleting my account--at a site that I no longer want to have a relationship with and that does not offer a &quot;delete me&quot; mechanism--is to poison the account with bogus information. I could change all the information about me to false information and, if allowed, change my e-mail address to something bogus as well.
I guess I&#039;d have to read the terms of use policies but isn&#039;t this my account?</description>
 <category domain="http://www.geekwisdom.com/dyn/taxonomy/term/21">Security/Privacy</category>
 <pubDate>Fri, 15 Jun 2007 10:47:19 -0400</pubDate>
</item>
<item>
 <title>Change your e-mail password</title>
 <link>http://www.geekwisdom.com/dyn/node/191</link>
 <description>When was the last time you changed your e-mail password? If you&#039;re like most people, you probably can&#039;t remember. That means it&#039;s been too long. How about some external motivation? Consider the number of Internet processes that assume you have control of your e-mail account:
&lt;ul &gt;
&lt;li &gt;e-commerce applications&lt;/li&gt;
&lt;li &gt;Web site membership enrollment processes&lt;/li&gt;
&lt;li &gt;domain registration and management&lt;/li&gt;
&lt;li &gt;hosting providers&lt;/li&gt;
&lt;/ul&gt;
What would happen if a bad guy figured out your e-mail password? He could change your password. But why would he do that when he could use your account at the same time as you? He could request a password change from any Web site that uses e-mail confirmations. Perhaps one of the worst things that could happen to you is to lose your domain name. Imagine if the bad guy transferred your domain name to another registrar into an account that he controlled. How much damage would that cause?</description>
 <category domain="http://www.geekwisdom.com/dyn/taxonomy/term/21">Security/Privacy</category>
 <pubDate>Mon, 12 Feb 2007 16:15:34 -0500</pubDate>
</item>
<item>
 <title>Configuring Firefox 2 for Increased Security</title>
 <link>http://www.geekwisdom.com/dyn/node/189</link>
 <description>&lt;p&gt;Web browsers have become the de facto client interface to Internet-based applications. As we travel around the Internet, whether for pleasure or business, we find ourselves creating personal profiles for various Web sites. These profiles usually include access credentials (usernames and passwords). Good &lt;a href=&quot;http://www.geekwisdom.com/dyn/pwdmgt&quot;&gt;password management&lt;/a&gt; practice calls for many distinct passwords. But this proliferation of passwords results in the need for strong password storage. In addition to password management we need to give some thought to encrypted communications. We typically just install a browser and start surfing without any thought for the decisions other people have made for us about who we should trust or how we should communicate. The default settings for SSL/TLS are a good example of this.&lt;/p&gt;
</description>
 <category domain="http://www.geekwisdom.com/dyn/taxonomy/term/21">Security/Privacy</category>
 <pubDate>Tue, 12 Dec 2006 21:41:28 -0500</pubDate>
</item>
<item>
 <title>Java Password Strength Check</title>
 <link>http://www.geekwisdom.com/dyn/node/182</link>
 <description>How do you ensure your users&#039; passwords meet required standards?&lt;br &gt;
For a front end HTML solution to strong password checking see &lt;a href=&quot;http://www.geekwisdom.com/dyn/passwdmeter&quot;&gt;Steve&#039;s Javascript example&lt;/a&gt;.&lt;br &gt;
On the Java server side or from the command line take a look at &lt;a href=&quot;http://justwild.us/examples/password&quot;&gt;PasswordCheck&lt;/a&gt;. This code extends Steve&#039;s script onto the server side allowing pre-defined rules to determine pass or fail strength checking before the user&#039;s password is stored to the database, LDAP or other directory server. Open source licensed.</description>
 <category domain="http://www.geekwisdom.com/dyn/taxonomy/term/22">Programming/Architecture</category>
 <category domain="http://www.geekwisdom.com/dyn/taxonomy/term/21">Security/Privacy</category>
 <pubDate>Fri, 19 May 2006 14:34:02 -0400</pubDate>
</item>
<item>
 <title>Mitigate the risks of a stolen laptop</title>
 <link>http://www.geekwisdom.com/dyn/node/178</link>
 <description>Think about it for a second. What would you lose if someone stole your laptop (or desktop) computer? What kind of damage could be done to you with the information retrieved from your laptop? The theft of a computer brings with it all the problems associated with a failed hard drive plus the added risks of the data on the drive being out of your control and potentially used by an unauthorized person for things that are likely to impact you negatively.</description>
 <category domain="http://www.geekwisdom.com/dyn/taxonomy/term/21">Security/Privacy</category>
 <pubDate>Wed, 15 Feb 2006 16:45:59 -0500</pubDate>
</item>
<item>
 <title>Javascript Password Strength Meter</title>
 <link>http://www.geekwisdom.com/dyn/passwdmeter</link>
 <description>&lt;p&gt;What makes a strong password? This quick and dirty password strength meter is meant to help users learn how to create stronger passwords. Because it&#039;s written in Javascript the password is never sent over the network. Feel free to audit &lt;a href=&quot;http://www.geekwisdom.com/js/passwordmeter.js&quot;&gt;the code&lt;/a&gt; and recommend some better regular expressions, weightings, or bug fixes by submitting a comment.&lt;/p&gt;
</description>
 <category domain="http://www.geekwisdom.com/dyn/taxonomy/term/21">Security/Privacy</category>
 <pubDate>Fri, 20 Jan 2006 22:49:56 -0500</pubDate>
</item>
<item>
 <title>God, Establishing Identity and Authentication</title>
 <link>http://www.geekwisdom.com/dyn/node/173</link>
 <description>&lt;p&gt;I&#039;ve been doing a lot of thinking about identity establishment and authentication in the last few years. Today I was reading Exodus--the story of Moses and the burning bush--when I realized that it served as a good example of the issues and provides a number of techniques for dealing with them.&lt;/p&gt;
&lt;p&gt;Establishing Identity:&lt;/p&gt;
&lt;p&gt;In Exodus God establishes His identity with Moses by appearing to him in a burning bush. God gives Moses a charge to free the Hebrews from Egypt in His name. When Moses asks how he should establish God&#039;s identity when he returns to the Hebrews God says, in &lt;a href=&quot;http://bible.gospelcom.net/passage/?search=Exodus%203:13-16;&amp;amp;version=31;&quot;&gt;Exodus 3:13-16&lt;/a&gt;, &quot;Say to the Israelites, &#039;The LORD, the God of your fathers—the God of Abraham, the God of Isaac and the God of Jacob—has sent me to you.&#039; This is my name forever, the name by which I am to be remembered from generation to generation.&quot;&lt;/p&gt;
&lt;p&gt;God uses a web of trust (three people) to assert His identity to the Hebrews. The Hebrews trust their forefathers--Abraham, Isaac, and Jacob--they know that they all worshiped the same God. In this instance Moses is to go to them and say that that same God has sent him.&lt;/p&gt;
</description>
 <category domain="http://www.geekwisdom.com/dyn/taxonomy/term/21">Security/Privacy</category>
 <pubDate>Mon, 24 Oct 2005 22:01:10 -0400</pubDate>
</item>
<item>
 <title>The Six Dumbest Ideas In Computer Security</title>
 <link>http://www.geekwisdom.com/dyn/node/169</link>
 <description>We&#039;ve all been there, some of us actually realized it at the time. Sadly others didn&#039;t. I&#039;m speaking of the decisions we make every time we touch, or think about touching, a computer. Did you ever stop to think that maybe, just maybe, the decision you&#039;re about to make might be dumb? Go read, &lt;a href=&quot;http://www.ranum.com/security/computer_security/editorials/dumb/&quot;&gt;The Six Dumbest Ideas In Computer Security&lt;/a&gt;. What do you think now? Are you a turd polisher?</description>
 <category domain="http://www.geekwisdom.com/dyn/taxonomy/term/21">Security/Privacy</category>
 <pubDate>Thu, 15 Sep 2005 12:51:20 -0400</pubDate>
</item>
<item>
 <title>AOL techie jailed for selling email database to spammers</title>
 <link>http://www.geekwisdom.com/dyn/node/165</link>
 <description>&lt;a href=&quot;http://www.theregister.co.uk/2005/08/18/aol_spam_man_jailed/&quot;&gt;AOL techie jailed for selling email database to spammers&lt;/a&gt;, it just goes to show that all the encryption, security policies, and peer reviewed code in the world won&#039;t help you if your people can be bought.</description>
 <category domain="http://www.geekwisdom.com/dyn/taxonomy/term/21">Security/Privacy</category>
 <pubDate>Thu, 18 Aug 2005 12:12:25 -0400</pubDate>
</item>
<item>
 <title>Hide your wireless network in plain sight</title>
 <link>http://www.geekwisdom.com/dyn/node/163</link>
 <description>Imagine that wardrivers are casing your neighborhood. You&#039;ve suppressed your SSID, you have WEP enabled and you&#039;ve placed your wireless access point in a DMZ. You limit access to your wireless network by MAC address, block almost all traffic from the DMZ and require all your wireless clients to log into the real network via VPN in order to do anything. Sounds pretty good so far. The fact is that a hacker parked in your neighbor&#039;s driveway can still cause problems. How about making his life a little more difficult? What if when he turns on NetStumbler he sees 53,000 access points? Where would he start to look for yours?
Enter &lt;a href=&quot;http://www.blackalchemy.to/project/fakeap/&quot;&gt;Black Alchemy&#039;s Fake AP&lt;/a&gt;. FakeAP makes your Linux or *BSD machine look like thousands of wireless access points by broadcasting thousands of counterfeit beacon frames. This alone won&#039;t solve your wireless security issues but combined with the ideas mentioned above it might serve to confuse any miscreants looking to cause trouble. At least you won&#039;t be a soft target.
</description>
 <category domain="http://www.geekwisdom.com/dyn/taxonomy/term/21">Security/Privacy</category>
 <pubDate>Wed, 03 Aug 2005 22:01:42 -0400</pubDate>
</item>
<item>
 <title>Does MasterCard&#039;s SecureCode Protect Cardholders or Merchants?</title>
 <link>http://www.geekwisdom.com/dyn/node/161</link>
 <description>&lt;p&gt;The basic idea behind MasterCard&#039;s SecureCode program is that a cardholder can attach a personal message and a password (the SecureCode) to their credit card. When the cardholder attempts to make a purchase using the card at a merchant that supports SecureCode the payment processor--not the merchant--presents their personal message and asks them to enter their SecureCode. After authenticating the SecureCode the payment processor completes the transaction and the cardholder goes on their merry way. If authentication fails the charge is declined and the transaction is cancelled. Bottom line, SecureCode is a way for the card processor to authenticate the cardholder.&lt;/p&gt;
</description>
 <category domain="http://www.geekwisdom.com/dyn/taxonomy/term/21">Security/Privacy</category>
 <pubDate>Wed, 20 Jul 2005 12:42:02 -0400</pubDate>
</item>
<item>
 <title>Encrypted RSS</title>
 <link>http://www.geekwisdom.com/dyn/node/157</link>
 <description>Here&#039;s an interesting idea for encrypting RSS and then decrypting it in your browser (Firefox). Have a look at Joe Gregorio&#039;s article: &lt;a href=&quot;http://www.xml.com/pub/a/2005/07/13/secure-rss.html&quot;&gt;Secure RSS Syndication&lt;/a&gt;</description>
 <category domain="http://www.geekwisdom.com/dyn/taxonomy/term/21">Security/Privacy</category>
 <pubDate>Sat, 16 Jul 2005 19:48:20 -0400</pubDate>
</item>
<item>
 <title>Misplaced Trust or Lack of Education?</title>
 <link>http://www.geekwisdom.com/dyn/node/155</link>
 <description>&lt;p&gt;The headline reads, &quot;Professor charged with stealing students&#039; IDs.&quot; At first glance this appears to be a case of misplaced trust. The professor asks his students to sign into his class by signing their name and placing their social security numbers on the sign-in sheet. The professor then uses the information to open up a bunch of department store credit cards. I submit that this incident happened because students don&#039;t know what their social security number is supposed to be used for and the federal government has not done enough to discourage the use of the SSN for non-social security matters.&lt;/p&gt;
&lt;p&gt;This whole thing raises some questions. Does the organization--the community college in this case--even know what the SSN is supposed to be used for? What is the student to think? How does the student know whether it&#039;s safe to provide the information or not? What could the students have been told in advance that would have prevented this situation? Who should have told them; the college, their high school, their parents, the government, who? What is the SSN supposed to be used for anyway?&lt;/p&gt;
</description>
 <category domain="http://www.geekwisdom.com/dyn/taxonomy/term/21">Security/Privacy</category>
 <pubDate>Mon, 06 Jun 2005 11:55:50 -0400</pubDate>
</item>
</channel>
</rss>
