30th August, 2011
Yesterday one of two things happened: either a) I completely and entirely forgot my OS X login password or b) OS X refused to accept my password. I have no way of knowing which was the case, but regardless, I was unable to access my computer.
I almost had a major meltdown, until Google informed me that OS X Lion is horribly insecure! Horribly, horribly insecure.
You can gain access to (almost) anyone’s Lion account in 3 simple steps.
- Restart the machine in recovery mode by holding down cmd+r on reboot.
- Open terminal in the utilities menu.
- Type `resetpassword`.
Voila.
Am I missing something? Is this not as bad as I think it is?
4th July, 2011
In a recent episode of Build & Analyze, Marco Arment (creator of Instapaper) explained that the standard practice of salting a hash is no longer a really good way to secure passwords. CPUs (and GPUs) are so fast that they can effectively guess your salt in a reasonable amount of time*.
The solution: use bcrypt. Essentially, it’s an extremely slow hashing algorithm.
To me this seems a little bit like security through obscurity: every once in a while, as CPU speed increases, you’ll have to update your algorithm to generate hashes even slower.
See also.
*A modern server can calculate over 300MB of hash data per second!
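The tunable slowness described above, as an added example in PHP (not code from the original post or from the podcast): it times one salted SHA-256 guess against bcrypt at several cost factors, then upgrades an old low-cost hash on the next successful login. `TARGET_COST`, `time_ms()`, `login()` and the sample password are assumptions for illustration; the `password_*` functions are PHP's built-in API (PHP 7+ is assumed for `random_bytes()` and scalar type hints).

```php
<?php
// Added example: salted fast hash vs. bcrypt with a tunable cost factor.
// TARGET_COST is an assumed policy value; raise it as hardware gets faster.
const TARGET_COST = 12;

// Time a single call of $fn, in milliseconds.
function time_ms(callable $fn): float {
    $start = microtime(true);
    $fn();
    return (microtime(true) - $start) * 1000;
}

// Verify a login attempt. If the stored hash was created with a lower cost
// than the current target, replace it while the plaintext is still in hand.
function login(string $password, string &$storedHash): bool {
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    $opts = ['cost' => TARGET_COST];
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, $opts)) {
        $storedHash = password_hash($password, PASSWORD_BCRYPT, $opts);
    }
    return true;
}

$password = 'correct horse battery staple'; // constructed sample input

// 1) Salted SHA-256: a single guess is nearly free for an attacker.
$salt = bin2hex(random_bytes(16));
printf("salted sha256 : %.4f ms per guess\n",
    time_ms(function () use ($salt, $password) {
        hash('sha256', $salt . $password);
    }));

// 2) bcrypt: every +1 in cost doubles the work needed for each guess.
foreach ([8, 10, 12] as $cost) {
    printf("bcrypt cost %2d: %.1f ms per guess\n", $cost,
        time_ms(function () use ($password, $cost) {
            password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
        }));
}

// 3) A hash stored earlier at cost 8 is upgraded on the next good login.
//    The cost and salt are stored inside the hash string itself.
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 8]);
echo "cost before login: ", password_get_info($stored)['options']['cost'], "\n";
var_dump(login($password, $stored));      // correct password
echo "cost after login : ", password_get_info($stored)['options']['cost'], "\n";
var_dump(login('wrong guess', $stored));  // wrong password
```

Because the cost is recorded in each stored hash, raising `TARGET_COST` needs no schema change and no forced password reset; old hashes keep verifying and are re-hashed as users log in.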
20th April, 2011
It looks like the privacy hippies were finally right about something: your mobile phone really is a pocket-sized tracking device.
Turns out that as of iOS 4.0, iPhones have been tracking your physical movements and logging them along with the phone’s backups.
A small team of researchers has discovered these logs in iTunes’ backup files, and they’ve released a handy little app that collects all the data from your user folder and plots it on a map. iPhoneTracker.app and further information available here.
Here is the visualization of everywhere I’ve been since Sept 28, 2010:

You can see lots of activity in and around Winnipeg (including trips up to the Gimli and Victoria Beach), a flight to Toronto and subsequent travel around southern Ontario and a road trip to Minneapolis. It’s fascinating.
I’m not sure if this is a terrifying privacy hole or a neat little hidden feature. I’m leaning towards neat feature, since the data is stored locally on your computer and can be encrypted automatically by iTunes.
At this point in time a method for disabling the “feature” does not exist. I expect Apple will be responding in short order.
10th March, 2011
In October I blogged about Firesheep, a Firefox plugin that highlights the inherent vulnerabilities in the way that Facebook and other websites handle sessions. TL;DR – Install the extension and with a click of a button you can capture un-encrypted Facebook sessions of any user using a WiFi network you’re connected to (read the full post for all the details). For research purposes, when a friend of mine was at Pearson a few months ago he fired up Firesheep and instantly had access to several dozen Facebook accounts.
This is bad, very bad.
To combat this security hole, Facebook enabled secure HTTP connections in January. Enabling this feature renders Firesheep useless.
Unfortunately, Facebook’s implementation has one serious flaw. When you use (almost) any Facebook app you’re required to switch back to un-encrypted HTTP mode! You’re presented with this dialog:

The wording used in the dialog may make you think the setting is temporary while you’re using the app. I don’t know if it’s designed that way or if it’s just poorly worded. But in fact clicking “continue” will permanently disable your HTTPS preference!
Sad.
I suspect there’s probably a technical reason for this requirement, something about the way that apps include data from external domains. I haven’t looked into it. Facebook really needs to address this.
My suggestion would be to display some sort of alert when you navigate away from the app, with a one-click solution for re-enabling HTTPS.
26th January, 2011
In a blog post today Facebook detailed some of their new security improvements:
Starting today we’ll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools. The option will exist as part of our advanced security features, which you can find in the “Account Security” section of the Account Settings page.
Enabling this option will effectively protect you against Firesheep and similar account hijacking methods. I think it’s fairly safe to assume this feature is a direct response to Firesheep, even if it seems to have taken them 4 months to roll out. Though, it could also be a response to Zuckerberg’s account hack yesterday.
I’m going to go one step further than Facebook and say, you should absolutely enable this option as soon as it’s available to you.