kottke.org posts about security
I’ve used Bank of America to do my online banking in the past and their SiteKey “technology” always irritated the hell out of me because it led me to believe that Bank of America thought I was:
a) a criminal
and/or:
b) an idiot
instead of:
c) a customer
The basic idea behind SiteKey is that when you log in to your account, you’re shown a photo of, say, an orange kitten before you enter your password so that you know you’re not on the site of a phisher who knows nothing about your orange kitten but wants to collect your login info. In addition, the site makes you verify your identity with a security question โ like “what’s your favorite food?” โ before using the site from a new IP address, which means if you’re on a cable or DSL connection, this happens every couple weeks when your current IP expires…or whenever BofA feels like they should throw up another virtual pane of bulletproof glass between you and your account information. For those who don’t fall for phishing scams โ by accessing sites directly through bookmarks or by typing URLs into the location bar โ SiteKey is nothing but an irritant and a deterrent and there’s no way to switch it off.
On Tuesday, Christopher Soghoian and Markus Jakobsson published a clever method by which password phishers could get around SiteKey. The method takes advantage of a simple hole in the logic concerning SiteKey…that anyone who knows your account’s login name and state of residence can see both your SiteKey image and any challenge questions, no password required. All the phisher has to do is ask for the login name and state of residence, send that info to the BofA site (via a script running on the phisher’s machine), get back a security question, display that, send the answer to the BofA site, get back the correct SiteKey image, display that, and collect the person’s password, all while presenting a nearly seamless Bank of America-like experience to the user.
Hopefully this gaping monster of a security hole will convince BofA that not only does SiteKey security not work, it’s not even security and they’ll soon be rid of it.
Update: Here’s an even easier SiteKey exploit.
I have your password. I did this with a freakin’ Bachelor of Arts degree. It took me about three hours of messing around to get the basics set up, and another few hours to spit and polish. It’s a couple of dumb HTML pages with a few snippets of PHP, and a pinch of Javascript thrown in. There is nothing sophisticated here. I don’t think this even qualifies as a “hack.” I think you should be concerned.
An anonymous author (they cannot legally reveal their identity) describes their National Security Letter gag order. Since the Patriot Act, the FBI has been sending out tens of thousands of these Letters, the recipients of which have no choice but to comply and keep absolutely quiet about it. “Living under the gag order has been stressful and surreal. Under the threat of criminal prosecution, I must hide all aspects of my involvement in the case โ including the mere fact that I received an NSL โ from my colleagues, my family and my friends.”
The must-read item of the weekend: how a bunch of guys got themselves and two full van-loads of materials into the Super Bowl and distributed lights to fans to spell out a special message seen during the halftime show. This is in the hall of fame of pranks for sure. “Super Bowl XLI was a Level One national security event, usually reserved for Presidential inaugurations. We had to get two full vanloads of materials through federal marshals, Homeland Security agents, police, police dogs, bomb squads, ATF personnel, robots, and a five-ton state-of-the-art X-ray crane. It took four months and a dozen people to pull off the prank that ended up fooling the world. This is the Super Stunt.” (via waxy)
TSA travel tip: cheesecake is not a gel. “So, as you’re traveling for the holidays, if you should feel the urge to surprise a loved one with a piece of cheesecake or some other gelatinous food product and are questioned by the TSA, make sure you remind them about the ‘LaGuardia Cheesecake Precedent of October 2006’ and claim your right to bring that cheesecake on the plane with you.” Consider this a companion piece to the security theater article from earlier in the week.
The inept security theater at the airport. “For theater on a grand scale, you can’t do better than the audience-participation dramas performed at airports, under the direction of the Transportation Security Administration.”
Even though the most popular password on MySpace is “password1” (the 5th most popular password is “blink182”), most users’ passwords are pretty good…and better than corporate employees’ passwords.
Bruce Schneier: “It’s time we calm down and fight terror with antiterror. Our job is to think critically and rationally, and to ignore the cacophony of other interests trying to use terrorism to advance political careers or increase a television show’s viewership.”
Faces are now being searched at US airports for suspicious microexpressions. Psychologist Paul Ekman helped set up the program and was previously one of Malcolm Gladwell’s subjects in The Naked Face and Blink.
Q. Is it possible to use a wireless Internet connection on a plane?
A. Yes, if you happen to be flying on an airline that offers the service. International carriers like Korean Air, Lufthansa and Singapore Airlines already have wireless broadband service on many routes; fees for using it vary. Check with your airline to see if it offers in-flight Internet.
So says the NY Times. While it may not be possible to use wireless Internet connections on the plane, it is possible to use wireless connections. Apple laptops can create networks which other computers with wireless capability can join. Bluetooth capable devices like laptops and cellphones can communicate with each other over smaller distances.
Since 9/11, I’ve often thought that this would be an effective way for a group of people to coordinate some nefarious action on a plane without attracting any attention. Five or six people scattered about the plane on laptops, iChatting plans to one another, wouldn’t be unusual at all. Of course, a properly trained group wouldn’t need to communicate with each other at all after boarding the plane. Nor, says Bruce Schneier, should we ban things like cellphones and Internet access on airplanes for security reasons.
Nevermind…the video is fake. This is one of the most insane things I’ve ever seen….graffiti artist/entrepreneur Marc Ecko tagged Air Force One. The US govt can’t even effectively guard the President’s plane…how does Homeland Security expect to do it with all commercial passenger airplanes? (via airbag)
The Onion provides a list of new guidelines from the Transportation Security Administration. “Vermont and New York cheddars can be brought on board, but not Wisconsin cheddar โ by far the sharpest cheese in the cheddar family”.
At the risk (ha!) of missing it, I waited until this late in the game to check out Safe: Design Takes On Risk at the MoMA. Great show. Two of my favorite items:
- Safe Bedside Table by James McAdam. If the need should arise in the middle of the night, the top of the table separates from the leg and can be worn on the arm as a shield while you use the leg to beat the crap out of a surprised burglar.
- Suited for Subversion by Ralph Borland. Don this highly visable suit before heading out for a day of protesting. It’s padded to protect against police brutality, an optional wireless camera acts as a witness to the day’s events, and a speaker amplifies the wearer’s heatbeat, letting those around him know that’s he’s scared, anxious, exhilarated, or simply human.
For you armchair museum goers, what looks to be the entire exhibition is available online.
Also, the MoMA around holiday time, not so crowded. (Well, relatively so. There were still a fair number of people there, just not so many as in the Build-A-Bear store on 5th Avenue.)
Stephanie Hendrick has tracked down the identity of an anonymous blogger (she matched them to a non-anonymous blog) using linguistic identity markers. See also secret sites. (via j/t)
Table of the odds of dying from various injuries. Looking at statistics like these, I’m always amazed at how worried people are about things that don’t often result in death (fireworks, sharks) and how relatively dangerous automobiles are (see, for example, this list of people on MySpace who have died…many of the deaths on the first two pages involve cars).
One of the most interesting things to come out of the secret sites discussion is that people are keeping their private journals on the web instead of in a paper journal under their mattress or in a Word document on their computer. This sounds surprising, but there’s a couple of good reasons for it:
- The tools for writing, organizing, and searching an online journal written with Typepad or LiveJournal are superior to those for writing a paper journal or an electronic diary (in Word or text format) stored locally. Hyperlinks, entries organized by date, mood, category, if you’re used to using these things writing a public site, you might have trouble going back to just text in a Word document for your important innermost thoughts.
- Your diary may actually be more private and secure on the web. A password protected online journal is more difficult for a parent, significant other, or parole officer to stumble upon and read than a document sitting on a hard drive of a shared computer or hidden on the top shelf of a closet, especially if you’re careful with your cookies, browser history, choose a good password, and are more computer savvy than said parent/S.O./P.O.
I bet few would have predicted keeping personal diaries secret as a use of the public internet several years ago.
There’s nothing good about the shooting of airline passenger Rigoberto Alpizar by air marshals. Guns on airplanes โ I don’t care who’s wielding them under what authority โ is a bad idea; some alternative thinking is needed.
The decompression from my trip to Asia continues. I have read through ~8000 items in my newsreader and discarded almost all of them (despite much interest in solving the problem, no one has built a machine that has any idea about what content needles I want out of the media haystack).
However, one item caught my interest (although I can’t remember where I saw it): someone asked their readers how many secret sites/blogs they maintained. That is, sites that no one knows you’re the author of (written anonymously or with a nom de plume) or sites to which the general public does not have access. If I remember correctly, a large number of the respondents not only maintained a secret site, but had several. I have one secret blog, published under my own name, that only a small group of friends can read. I just started it recently (after learning that several friends have been doing this for awhile) and don’t update it very often. How about you…any secret sites? Why keep them on the down-low?
Bruce Schneier on the sorry state of airport security. “Exactly two things have made airline travel safer since 9/11: reinforcement of cockpit doors, and passengers who now know that they may have to fight back. Everything else…is security theater.”
WSJ tech columnist Walt Mossberg on DRM: “media companies go too far in curbing comsumers’ activities”.
With AJAX MAssive Storage System (AMASS) a web page can store large amounts of data on a computer using hidden Flash applets. Brilliant hack, but seems like a potential security concern (an AMASS-like app could just fill up a hard drive without prompting, no?). I just looked at this briefly…would this allow one to run something like GMail offline? (I’m thinking not.) (via waxy)
Witold Rybczynski on perimeter security around prominent public and government buildings. “The problem is that huge hunks of reinforced concrete in city streets are not only an eyesore and an impediment to movement, they’re a blatant and unsightly expression of a siege mentality.”
A citizen’s guide to refusing NYC subway searches. “As innocent citizens become increasingly accustomed to being searched by the police, politicians and police agencies are empowered to further expand the number of places where all are considered guilty until proven innocent.”
Ugh, riders on the NYC subway are going to have their bags randomly searched by the NYPD. “People who do not submit to a search will be allowed to leave, but will not be permitted into the subway station.” What the fuck?!?
Newer posts
Older posts
Stay Connected