
Category Archives: security

Mosh is still a bit of a pit

Some months ago I reviewed Mosh (mobile shell). At the time I wrote the article I was looking at the project as a user with a secure view of the world. Now, with the help of a troll, I have rediscovered Mosh; however, it is still “a bit of a pit”. This time I have some new complaints.

There is a presentation on the Mosh site. The speaker knows the project and is probably the project owner or lead developer; I’m not certain. He tells the audience what is wrong with standard terminal sessions and how they developed this mobile communication protocol that rides somewhere between the various layers of SSH and so on. Since the website touts that it is more secure… by inheritance it is only as strong as the weakest link, but that was an earlier argument.

Then he talks about predictive local echo (PEL). The idea here is that in a normal terminal session your keystrokes are not actually echoed by the terminal (unless you have local echo turned on); what you see is the output of the server application, whether it is a command shell, editor, curses app, or something else. Predictive local echo echoes the character to the local console with the expectation that 70% of the text is echoed by the server anyway… and then the PEL will clean things up.

Well, there are a number of problems with this. The first is that PEL really only works in the shell itself. Once you are in vi and changing modes it is impossible to echo properly… and that is why most terminal emulators default to local echo off. Many old-school applications screen-scrape terminal sessions and would not be capable of dealing with PEL, as it does not affect the byte stream so much as the representation in the terminal window. The demo that was presented was a command shell, which is the easiest use-case but is by no means proof or substantive.
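To make the two cases above concrete, here is an added toy model of predictive local echo and its clean-up step. It is not Mosh’s code or protocol: the client speculatively echoes printable keystrokes into its copy of the screen line, and when the server’s authoritative line arrives it keeps what was confirmed and rolls back the rest. The two “servers” are constructed stand-ins for a shell (which echoes) and for vi in normal mode (where keys are commands and nothing is echoed), so the shell session confirms every prediction while the vi session rolls back every one.

```python
"""Toy model of predictive local echo and the clean-up that follows it.

Added illustration, not Mosh's code or protocol. The client echoes printable
keystrokes into its local screen line and marks them pending; when the
server's authoritative line arrives it keeps whatever the server confirmed
and rolls back the rest. Both servers below are constructed stand-ins.
"""


def shell_server(line: str, key: str) -> str:
    """Shell-like application: printable keys are echoed, DEL erases one."""
    if key == "\x7f":
        return line[:-1]
    return line + key


def vi_normal_mode_server(line: str, key: str) -> str:
    """vi in normal mode: keys are commands, nothing is echoed; 'x' deletes."""
    if key == "x":
        return line[:-1]
    return line


class PredictiveClient:
    def __init__(self, initial: str = "") -> None:
        self.confirmed = initial  # last screen line acknowledged by the server
        self.pending = ""         # locally echoed, not yet confirmed
        self.rollbacks = 0        # predictions the server did not bear out

    def displayed(self) -> str:
        return self.confirmed + self.pending

    def keystroke(self, key: str) -> None:
        # Only printable characters are predicted; control keys never are.
        if len(key) == 1 and key.isprintable():
            self.pending += key

    def server_frame(self, line: str) -> None:
        # Reconcile: a pending prediction the server did not reproduce is a
        # misprediction and gets painted over by the server's line.
        if self.pending and line != self.confirmed + self.pending:
            self.rollbacks += 1
        self.confirmed = line
        self.pending = ""


def run_session(server, keys: str, initial: str = "") -> tuple:
    """Type `keys` with one server round trip per key.

    Returns (final displayed line, number of rollbacks).
    """
    client = PredictiveClient(initial)
    line = initial
    for key in keys:
        client.keystroke(key)
        line = server(line, key)
        client.server_frame(line)
    return client.displayed(), client.rollbacks


if __name__ == "__main__":
    print(run_session(shell_server, "ls -la"))                        # all predictions confirmed
    print(run_session(vi_normal_mode_server, "xx", initial="hello"))  # every prediction rolled back
```

Because the prediction lives only in the client’s rendering and the server’s byte stream is unchanged, anything that reads the stream rather than the screen (the screen-scrapers mentioned above) never sees the predicted text at all; only the user does, briefly, before the rollback.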

Next the presenter tweaks Google for doing an adequate job with mobile applications, in that Gmail echoes to the console. This argument also misrepresents the domain of webapps, network-capable apps, and probably MIT’s position on computing all in one statement. SSP is not going to help Gmail be a better app. SSP is not going to make my mobile browser better as I leave my home’s hotspot and head into the wilds of 3G/4G. Re-establishing my mobile session is no different from any network disaster recovery plan within the enterprise.

The only thing that might be interesting about SSP is that the important bits about the connection are being moved from one layer of the OSI model to another. (I do not know which is which anymore.)

I went back to the Mosh site to get some more details. Sure, Mosh is all about the shell, but what about the app? They state that the Mosh server is actually a terminal emulator of sorts and that’s how they get the delta of screen changes to the local console. It’s not until version 1.3 that they implement larger screen buffers… meaning that you’re back to tmux or screen for that.

The big issue for me is the firewall issue, plus UDP, plus roaming connections. This makes hijacking or sniffing more likely once you break the encryption. And if you can get past all that… it only solves one use-case.


Posted on 2012/12/07 in architecture, security


Back on privacy issues

In a conversation with my father in-law this morning…

(a) There was a time when your social security number was truly secret. Now everyone from the cable company, ISP, newspaper boy, lawn service, high school, university, hospital and doctor wants your SSN, and we give it freely and without challenge. Who really knows why a doctor or newspaper delivery service needs my SSN? Are they going to sue me up to and after I’m buried? In Sweden the SSN is sacred; I’m just not sure how they get around the problems we have (it could be functional and/or legal).

(b) There is no privacy on the internet, whether you use any of the big-name browsers, never log in, or always use other people’s computers or cyber cafés. The challenge is that between the ISP, browser manufacturers, super/affiliate advertisers and search engines, they know where you have been and where you are going. Not even the likes of Tor is going to save you. The same goes for the anonymous breadcrumbs you think you are dropping. They will always lead “them” back to you.

On a side note: if you’ve ever seen or purchased from one of those “as seen on TV” infomercials, the deals are great. Essentially you pay for shipping, which does not cost them much either; however, it does offset their costs somewhat. The “play” for these companies is to get you to buy something. Anything. This way they capture your personal information, which they will resell at a profit. This is how all of these marketing machines work. One interesting thing… I have never experienced an increase in the amount of spam I receive. Hmmm.

Another side note: over the last 18 to 36 months there have been data breaches amounting to tens or hundreds of millions of credit card numbers and personal information. So why haven’t more people been complaining about credit card fraud? Why haven’t news programs done additional reporting? I wonder if we’re being marketed to because the credit card infrastructure is just not that sophisticated.


Is Gmail privacy gone?

There are a couple of things that the average user should know.

  1. There is no such thing as email privacy.
  2. Most email travels through the internet from point to point in the clear.
  3. So-called legalese in the email footer about the intended recipient and communication has not been tested in court and is not binding.

That said, if you have a private email server that you think is secure and you use it exclusively because you want secure email that is not to be seen by the prying eyes of big brother, or even Google, Yahoo, Hotmail, Facebook or others… then you are sadly mistaken and misinformed.

Just because you have an über-secure email server does not mean that the recipient has the same. So then the real question becomes… why not use Gmail yourself?
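Point 2 above can be checked on any message you receive, because each relay records the hop that delivered the message to it in a `Received:` header, and the `with` clause names the protocol (RFC 3848 registers `ESMTPS`/`ESMTPSA` for hops that used TLS, plain `SMTP`/`ESMTP`/`ESMTPA` for hops that did not). Below is an added example, not code from the original post, that walks a constructed message’s `Received:` chain from oldest hop to newest and lists the hops that were not encrypted. The hostnames and addresses in the sample are made up.

```python
"""Walk the Received: chain of a message and list hops that did not use TLS.

Added example, not the original post's code. The `with` keyword on each hop
is the relay's own self-report (RFC 3848: ESMTPS/ESMTPSA mean TLS was used),
so this shows what the relays claim, not what the wire carried. The sample
message below is constructed; every host and address in it is fictional.
"""
import re
from email.parser import Parser

# "with" keywords that indicate the hop was protected by TLS (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample: newest hop first, as a real message would carry them.
# laptop -> relay.example.com (authenticated, but no TLS)
# relay.example.com -> mail-out.example.org (plain SMTP)
# mail-out.example.org -> mx.example.net (TLS)
SAMPLE_MESSAGE = """Received: from mail-out.example.org (mail-out.example.org [203.0.113.7])
    by mx.example.net with ESMTPS id 2Xk9Qz
    for <bob@example.net>; Thu, 11 Oct 2012 09:12:00 +0000
Received: from relay.example.com (relay.example.com [198.51.100.5])
    by mail-out.example.org with SMTP id 7Hd2Lp;
    Thu, 11 Oct 2012 09:11:58 +0000
Received: from [192.0.2.10] (helo=laptop)
    by relay.example.com with ESMTPA id 4Fq8Rt;
    Thu, 11 Oct 2012 09:11:57 +0000
From: alice@example.org
To: bob@example.net
Subject: constructed sample message

(body)
"""


def parse_hops(raw_message: str) -> list:
    """Return one dict per Received: header, oldest hop first."""
    msg = Parser().parsestr(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold the header onto one line
        m_from = re.search(r"\bfrom\s+(\S+)", flat)
        m_by = re.search(r"\bby\s+(\S+)", flat)
        m_with = re.search(r"\bwith\s+([A-Za-z0-9]+)", flat)
        hops.append({
            "from": m_from.group(1) if m_from else "?",
            "by": m_by.group(1) if m_by else "?",
            "with": m_with.group(1).upper() if m_with else "?",
        })
    return hops


def unencrypted_hops(raw_message: str) -> list:
    """Describe every hop whose relay did not report a TLS-protected protocol."""
    return [
        f"{hop['from']} -> {hop['by']} ({hop['with']})"
        for hop in parse_hops(raw_message)
        if hop["with"] not in TLS_PROTOCOLS
    ]


if __name__ == "__main__":
    for hop in unencrypted_hops(SAMPLE_MESSAGE):
        print("cleartext hop:", hop)
```

Two caveats a practitioner should keep in mind: the headers are written by the relays themselves, so a hostile or sloppy relay can say anything, and the chain only covers transport between servers. How the sender’s client reached the first relay and how the recipient reads the mailbox are separate questions, which is the author’s point that your own server’s security says nothing about the other end.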


Posted on 2012/10/11 in architecture, security


Who makes your security decisions?

I’m sitting in front of my kid’s Chromebox thinking about a password for her. It’s not that big of a deal; I could go crazy if I like, or I could go really loose. But as I’m sitting here I wish I could use this computer to monitor things at work.

For the price of a Chromebox I can go mobile with much less fear about losing my computer, because everything is on the network and there is nothing locally. The machine weighs much less than the standard-issue laptop. I can also implement two-step authentication, and so on and so on.

But as I think about security policies, I wonder who is making the decisions and, when they make those decisions, what level of friction they are comfortable with. For example, if you are the CIO of a company and you have implemented lax security measures and you are compromised, then you will likely lose your job and your rank, not to mention that there is likely to be some legal fallout. So my guess is that if a CIO is making the decision there is going to be a lot of end-user friction.

On the other hand, if you are a low-ranking manager responsible for security you are likely to make things geek-friendly: allowing people to connect to the company’s resources with their personal computers or tunnel through the firewall, reverse SSH from internal computers, in an almost wild-west setting.

Somewhere in the middle there is the HR policy maker. I’d like to think that this can go either way, but it usually falls toward the more-friction side of the equation.

Who makes your security policy decisions?

  • Federal, State, local laws and ordinances?
  • Bureaucrats, think tanks, Solution vendors, or 3rd party consultants?
  • Company Executives or senior management?
  • Middle management or IT departments?
  • Security by Committee?
  • Technical or Non-Technical employee?

What sort of UX Friction is there?

  • Exclusive VPN with no external access and limited internal access?
  • Dedicated Citrix remote desktop running on dedicated Wyse terminal?
  • Normal VPN with limited access to internal services
  • SSH or Tunnel
  • Robust applications acting as proxy
  • and so many more

I still wish I had the network privileges and tools to do my job from my kid’s Chromebox.


Posted on 2012/09/29 in security


When Art Meets Social

The Art of Unix Programming talks about how applications or systems are made from much smaller components that are stitched together. Kevlin Henney did a presentation where he talked about the discovery of the pipe (|) character in Unix systems. The key idea is construction or assembly from smaller parts, and it’s also dangerous. In the context of my local system the Unix way is awesome. The stitching of apps together to make systems is useful, helpful, easy, and pragmatic.

The new challenge is that many of the new startups want to do the exact same thing. For example, trello.com wants to integrate with your Google Drive account. LinkedIn and WordPress want to connect to your Box account to share files. PragProg.com wants to connect to your Dropbox account in order to upload your eBooks. Evernote connects to a number of different services. Instapaper and Readability, as well as a number of RSS readers…. The number of overlapping systems is just crazy; if they were within the same system or owned by the same company I would not think twice, but since they span companies it looks and feels like a Trojan horse.

Let’s not forget the countless apps that want a Facebook or Twitter ID before you can log in (read: Spotify).

The thing I realize most is that because I’m connecting all of these 3rd-party systems I am on the hook for understanding their individual and collective security issues. For example, PragProg mentions that they will upload your titles to Dropbox, and they go out of their way to say that they are going to be good netizens, but I have no way of confirming that this is the case. They wanted and have my uid/pwd, and frankly they could do what they want… if they were evil.

So what am I saying? The “unix way” is a pragmatic way to get things done; however, it’s not without risk when you connect disparate entities. So tread lightly and carry a big stick.


Posted on 2012/08/26 in architecture, security


The web of trust is an evil illusion

I did not like how this article was taking shape so I’m starting over. I have a very serious two-part question for everyone.

(Q) Do you install ad hoc (non-commercial) binary files on your computer?
(Q) Do you install ad hoc (non-commercial) binary files on your computer with administrator privileges?

In the open source world (not the world that Richard Stallman visits) not all source code is treated the same. For example, there are some projects that are source code only (no make files), there are others with source and make files but no docs, and there are others that are so complicated or big to build that you have to install the binary (X11 is a great example); and others still have DEEP dependencies that are not automated.

It’s also important to note that not all operating systems are treated the same. OSX provides Xcode virtually free of charge. The *nix systems have free and commercial toolsets. Visual Studio for Windows, on the other hand, is not free (there is an Express version that might be free).

It is probably fair to say that Microsoft’s sandbox is more of a petri dish for binary-only malware. However, it is the user’s responsibility to steer clear. It’s also on the tool vendors to make sure that tools are installed in userspace alone. Duplicates or disk space no longer hold up as a reason for installing as admin or root.
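The two questions at the top of this post have a practical answer for the case where you do decide to run a binary you did not build: verify it against the digest the vendor publishes and put it under your own account, never under root. Here is an added example of that routine; it is not code from the original post. The `~/.local/bin` default, the `sometool` payload and the `euid` argument (injected so that the root check can be exercised in the self-check without actually being root) are this example’s assumptions.

```python
"""Verify a downloaded binary against a published SHA-256 digest and install
it under the user's own bin directory, refusing to run as root.

Added illustration, not code from the original post. `~/.local/bin` as the
default location, the constructed `sometool` payload and the injectable
`euid` are assumptions of this example.
"""
import hashlib
import hmac
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Optional


def sha256_of(path: Path, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def install_verified(src: Path, expected_sha256: str,
                     bin_dir: Path = Path.home() / ".local" / "bin",
                     euid: Optional[int] = None) -> Path:
    """Copy `src` into `bin_dir` only if its digest matches and we are not root."""
    if euid is None:
        euid = getattr(os, "geteuid", lambda: -1)()
    if euid == 0:
        raise PermissionError("refusing to install as root; a user tool belongs in the user's own bin")
    actual = sha256_of(src)
    # compare_digest has no early exit on the first differing character.
    if not hmac.compare_digest(actual, expected_sha256.strip().lower()):
        raise ValueError(f"digest mismatch for {src.name}: expected {expected_sha256}, got {actual}")
    bin_dir.mkdir(parents=True, exist_ok=True)
    dest = bin_dir / src.name
    part = dest.with_name(dest.name + ".part")
    shutil.copyfile(src, part)
    part.chmod(stat.S_IRWXU)  # 0700: readable and executable by the owner only
    os.replace(part, dest)    # atomic rename: nothing half-written ever sits on PATH
    return dest


def self_check() -> dict:
    """Exercise the good, bad-digest and root paths on a constructed payload."""
    with tempfile.TemporaryDirectory() as scratch:
        scratch = Path(scratch)
        payload = scratch / "sometool"
        payload.write_bytes(b"#!/bin/sh\necho constructed sample tool\n")
        published = sha256_of(payload)  # stands in for the digest the vendor publishes

        dest = install_verified(payload, published, scratch / "bin", euid=1000)
        mode = stat.S_IMODE(dest.stat().st_mode)

        try:
            install_verified(payload, "0" * 64, scratch / "bin", euid=1000)
            rejected_bad_digest = False
        except ValueError:
            rejected_bad_digest = True

        try:
            install_verified(payload, published, scratch / "bin", euid=0)
            refused_root = False
        except PermissionError:
            refused_root = True

        return {
            "installed": dest.is_file(),
            "mode": mode,
            "rejected_bad_digest": rejected_bad_digest,
            "refused_root": refused_root,
            "partial_left_behind": (scratch / "bin" / "sometool.part").exists(),
        }


if __name__ == "__main__":
    print(self_check())
```

A digest fetched from the same web page as the binary only proves the download was not corrupted in transit; to defend against a compromised download site you need the digest (or a signature over it) from a second channel. The root refusal is the point of the post: a tool that only needs to run for one user has no business being installed with privileges that let it touch every other user’s files.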

As the saying goes… “Fortune Cookie: Man who put gum in jockstrap wake up with sticky dicky”.


Posted on 2012/08/08 in security, Tools


Trust in the wake of Stuxnet?

I watched a short report on the Stuxnet bot, virus, trojan, worm, thing. All the super-spy stuff scared the crap out of me. I do not care how sophisticated it is/was, whether it has really been detected, or whether or not it’s actually real.

What bothers me about it is that (a) it is said to have been running silent and (b) it seemed to know exactly what it was looking for. So I find myself asking a number of questions:

(1) have my computers been infected with something I need to be worried about?

(2) has the infrastructure that I depend on daily been infected or compromised?

(3) what happens if/when Stuxnet-lite or #2 completes the Stuxnet mission?

Two days ago I wanted to fax a 30-page document. I took my document to the local USPS store. They scanned it and sent it. I also asked them to email me a copy of the same docs. The funny thing is… I have a stack of thumb drives on my desk. I could have easily used one to transport the scanned image home. But I started to think about Stuxnet and its attack vector: thumb drives. Thus the USPS agent emailed my document to me.

Sandboxing as described by Apple is going to resolve a number of security issues, but it is not going to solve them all. It’s not going to help if OSX has been compromised with a backdoor from the source. It’s not going to help if there are bugs in the hardware (think SQL injection to a website). And so on.

The thing that Stuxnet was supposed to do was provide some plausible deniability. Consider the forest of BSODs that Windows receives in a year. How many are real and how many are something else?


Posted on 2012/07/07 in architecture, security


Sandboxing OSX apps is a good start

The idea of sandboxing OSX apps is not new or unique. Both OSX and Windows have features that prevent software, particularly 3rd-party apps, from accessing various physical and data resources, but it’s not without its detractors, most of which are just haters. What bothers me is that many in this vocal minority have an agenda, whether it’s selling more anti-virus services or they’re one of those users that does not care.

The reality, however, is that system or computer security, whether it’s in the form of built-in firewalls, Little Snitch, or sandboxing, has more to do with protecting the brand than the user’s data. One other side effect is going to be the cost of support.

(1) The first thing you’ll notice, whether you’re installing software using the AppStore or downloading directly from the vendor’s website, is that the app is being installed as a “shared” app, which means that the user needed to be the administrator or have administrator access. And since the installer is built into the application, which has been promoted to administrator, it could install much more than just the application (think Trojan horse).

(2) Disk space is relatively cheap these days. Even though SSD is becoming more prevalent (and is more expensive than the mechanical alternative), prices are falling and it’s still pretty efficient. So having multiple copies per user is not terrible.

(3) Sandboxing means that the user would install the app in their user folder(s) and that the app would only have access to its own data. On the whole this is a good idea, especially if you’re talking about something like QuickBooks, where the application’s data could be encrypted either by the sandbox or the application.

(4) At some point, however, applications will need the ability to bridge sandboxes. It seems to me that bridging is a permissions thing that the kernel is ideally suited for.

What does all of this really mean for the user experience? I believe that it’s going to eliminate the biggest problem for most computer users, and that is the dreaded “you need to reinstall the operating system and all of your applications”.

On the one hand sandboxing is meant to protect the operating system from the user applications. On the other hand it’s also meant to prevent one application from accessing other applications, for either innocent or nefarious reasons.


Posted on 2012/06/23 in architecture, security


Beware of mobile payments

With the likes of PayAnywhere and Square making moves in the mobile payment space, one should always remain vigilant when handing your credit card to anyone.

To start: PayAnywhere and Square, while they are Point of Sale (POS) applications implemented on a mobile device, are really mobile merchant payment devices, or mPOS. The distinction is going to be important because for the time being these devices are riding the coattails of in-app and cardholder-facing payment in order to get market share.

Cardholder-facing payment services and apps require that the cardholder install an app on their mobile device. The vehicle for installing the software is typically a 3rd party like the Apple AppStore, which acts as a vetting process for the app vendor.

For merchant-facing apps, while it’s a good idea that the apps are installed from a 3rd party like the AppStore, it’s not required. A merchant can, in fact, develop their own application, download a development version of the application to a mobile device, and you’d never know the difference. They could be skimming your credit cards in plain sight.

With an mPOS application, like most traditional devices, you are at the mercy of the merchant to be trustworthy; however, unlike traditional POS devices, where there is typically a professional service organization supporting the device, most mobile devices are self-maintained or maintained by amateurs.

The point I’m getting to here… mPOS devices and payments are not any more or less secure than traditional POS systems. Make sure you trust the merchant or the clerk with your card before you hand it over.

PS: Square does offer an interesting alternative. It’s a suite for the cardholder and the merchant that lets the cardholder initiate the payment from the cardholder-facing device, which is then loosely integrated with the merchant-facing device.


iterm2, tmux and the ever-present security

Being a freelance consultant I worry a lot. I worry that I might lose or misplace my laptop, or worse, that it falls into the hands of someone with less than honorable intentions. Of course you might also install a trojan, or be attacked by a virus through multiple vectors.

As a result my clients’ secret sauce falls into the wrong hands, or maybe my family’s private information, like credit cards or SSNs, is leaked.

This and far worse is possible. Unfortunately there are no absolutes, not even if you built your OS and applications from scratch. First of all, there is not enough time to code-review everything you’d need. You are probably not a programmer, and if you are there is only a slim chance that you can code everything from a video device driver to a web server and a word processor (there are only a few on the planet and I’m certainly not one of them).

So the best way to protect yourself is a layered approach.

  • Pay for your hardware from somewhere reputable: HP, Dell, Apple.
  • Pay for your operating system, or at least get it from a source with a profit motive: Red Hat, Fedora, Ubuntu, CentOS, Microsoft or Apple.
  • When you are installing free software, look for the profit motive. If you find one then it might be safe. If not, then avoid it and look for one to pay for. OpenOffice is a good choice because it was once part of Sun, but before that it might have been questionable.
  • The same can be said for websites, RSS feeds, torrents and so on.
  • And have some checks and balances. For example, I use Little Snitch and Apple’s firewall software to make sure that applications running on my computer do not have random access to the internet.

The profit motive is a strong magnet. It’s what drives the thieves and it’s also what will protect you.

So as I sit here playing with iTerm2, which I have been using for a long while, and tmux, I’m starting to get a case of butterflies. I’m confident that these programmers are good and lawful, but I don’t know them personally. The fact that one of them could put in a key logger and then stream that data to their servers makes me sick (hopefully Little Snitch will catch it, but it’s not foolproof).

Anyway, practice safe computing.


Posted on 2012/03/02 in security
