From The Archives

Internet Security

There has been a lot of talk recently about online password security. It seems that a lot of people are still using really easy passwords and even more people write down their passwords. This is apparently a major problem. As a solution,”experts” are tossing around some “new” ideas like passphrases and multiple security keys. [i’ve been meaning to write this update for a few weeks now and can no longer find the articles was reading. you’ll have to take my word for this – it’s been all over the internet, seriously] Passphrases, essentially passwords with greater minimum length requirement, are the next logical step up from passwords. Passphrases are a good idea. They’re longer and therefore much harder to crack using brute force (is brute force even a legitimate concern anymore?). Also, users would generally have an easier time remembering a phrase like “go go gadget,” than “98xgE!z” or other cryptic combinations of characters required for a secure password. If it’s easier to remember, maybe people won’t write it down, or so the theory goes.

The idea of multiple security keys is probably already in use by the military and security conscious banks. This authentication method requires a static key, and a rotating key. The static key could be a standard password, biometrics or whatnot. The rotating key is securely transmitted to the users. Also a very good idea. One major issue is the transmission of the rotating key. How do you ensure the key is not being requested by a fraudulent party? Probably by asking for more verification information. For instance, a bank website could employ this method. They could require you to call a phone line requesting further information (bank account #, SIN, etc) before releasing the rotating key. I doubt that something like this will ever be launched, or at least not until 100% of the population is “computer literate.”

All that said, the signal most overlooked security hole on the internets today has got to be “secret” questions. Probably popularized by hotmail (at least this is the first place i recall seeing them) a number of years ago, they are now even used by some ISPs. The questions are always something like “mother’s maiden name,” “favorite pet,” “shoe size.” In theory, secret questions are reasonably secure, they are not supposed to be common knowledge. “Secret” is really a euphemism for “difficult to know.”

In practice, most every secret question is something that could easily come up in conversation and/or a fairly common question that someone – even a stranger – might ask out of the blue. Making secret questions extremely ridiculously easy to “social engineer” out of people.

In conclusion, don’t use services that require secret questions, if you have to fill the answer with gibberish.

I started writing this post a week ago, and I don’t recall exactly where i was going with this…

From The Archives

Windows XP Super Poop Too

I came across an interesting bug with the windows xp sp2 “wireless zero configuration” (WZC) client interface while working on a clients network earlier this evening. This client was experiencing a rather odd problem (my favorite kind): she had two computers connected to the same wireless network, both were able to surf just fine, but they were completely unable to see each other locally. Initially my associate and I suspected a firewall, that lead didn’t pan out. So i decided to load up netstumbler and er…stumbled accross something quite peculiar. Keep reading, I’ve recreated the situation for your education.

Fig. 1-1

[missing in archive]

Fig. 1-2

Figure 1-2, shows the ACTUAL wireless access points in range as discovered by netstumbler. You’ll notice 5 APs here, exonet and ivans we saw above. A third labeled “gf” windows decided not to list (upon further observation this signal was not very strong, which may explain the discrepancy). Fine and good, but what’s this, TWO “linksys” SSIDs?! That’s right.

What we have here folks is a classic example of a Microsoft “feature.” The WZC client is either unable to differentiate between the two signals – even though they are on completely different channels and frequencies – or Microsoft has decided to group them as one listing for your convenience or something. At this point I’m cannot determine how WZC decides which router to use. I attempted to connect numerous time, on every attempt I was connected to my own router.

Now, if you haven’t already connected the dots, I’ll break it down for you. The problem with our client’s network was occuring because WZC saw two APs as one and decided to have each of their computer connect at random. We gave the AP a unique SSID, VOILA problem solved, like magic (internet magic).

A concession. After writting this I realized that the bug may not be a problem specific to Windows, it may actually be an inherent flaw in the way 802.11 connects to access points. I was not able to find anything at all about this sort issue after doing some quick googling and a search of the ms support kb. Although, I did stumble across an interesting article entitled Your computer connects to an access point that broadcasts its SSID instead of an access point that does not broadcast its SSID. Apparently this is also a feature, as “Disabling SSID broadcasts on an access point is not considered a valid method for securing a wireless network. Microsoft does not reccomend this practice for any wireless network.” Right… It is a valid state for an access point to be in, isn’t it?

From The Archives Site News Web Development

Biggest Geek Ever?

You know you’re a major geek when you start examining the entrances of your appartment for security holes. A little while back my buddy Jon and I decided to make a trek to the building #7 in search of a pop machine. The building is connected to my building via a whinding underground hallway and the temperature outside was easiliy -25C, cold enough to make going outside uncomfortable. To make a long story short, the other building appears to a) lack a decent entry system or b) have sophisticated entry security, as there did not appear to be a locked door between the elevator and the entry pedestal. I immediately thought “wow! what a major security flaw.” I should investigate further.

In site news.
Sometimes I amaze myself, early today was one of those times. I whipped up some awesome rss code. This code allows me to enable an rss feed for any section with the click of a button. After familarizing myself with the rss 2.0 specifications it took me an hour or so to write the code. I am teh awesome. You should be seeing an rss icon in your status bar if you use firefox. If someone with a paid livejournal account would like to add my rss feed for syndication that would be just peachy.
I also preformed a “dirty” database rebuild. I updated a few columns in a few database tables to better co-operate with my new code. I did not feel it was worth documenting the changes in an updatable manner – sorry Gen, i lost your comment 🙁
You’ll also notice a couple of new sections. More content is on it’s way.

I’m not really sure of exactly what that content will be. I think I’ll probably talk about my finds and tell you to digg my submissions in true Kevin Rose fashion. Or something. I’ll see how this evolves.

My good friend Mr dot net is presently attempting to attain a press pass to The Junos for our “indie reporter” video experiment. Once that gets underway it will lend itself to much site content I’m sure. This leads me to ask, what would you do with a press pass to the junos?