Why Do Websites Still Have Such Bad Security?

While going through my password database and giving all of my old entries a refresh I was shocked to notice the password change email that I received from the Where’s George website (remember them?) contained my new password in plain text.  Good thing I used a site specific email address and password for them!  (When is the last time I logged into their site, anyhow?)

So, it got me to wondering… did they just send it back to me in a plain text email (a sin), or are they storing it in an unencrypted form as well (an even bigger sin)?  So, I went to their site and followed the forgotten password link, and sure enough they sent me my password again, in plain text:

Seriously?  That’s a major security snafu!  I thought that sites had gotten past that ages ago!

With so many cross-site breaches in the news these days they really should move into the 2000s.  Too bad my feedback e-mail bounced back and they probably won’t be answering.

EDIT:  To their credit, they did answer my feedback with:  “yes, we’re working on changing that.”
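The test described above is a reliable one: a site that can mail you your password is storing it in a recoverable form. As an added example (not from Where’s George or any real site), here is what the defender-side alternative looks like: only a salted PBKDF2 hash is kept, so the “forgot password” flow cannot send the password back and instead issues a one-time reset token, of which only a hash is stored. The in-memory `USERS` table and the user names are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "user table" for the example; a real site would use a database.
USERS = {}


def store_password(username, password, iterations=600_000):
    """Keep only a salted PBKDF2-HMAC-SHA256 hash; the plaintext is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    USERS[username] = {"salt": salt, "iterations": iterations,
                       "hash": digest, "reset": None}


def verify_password(username, password):
    """Re-derive the hash and compare in constant time; unknown users simply fail."""
    rec = USERS.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 rec["salt"], rec["iterations"])
    return hmac.compare_digest(digest, rec["hash"])


def start_password_reset(username):
    """'Forgot password': mint a random one-time token and store only its hash.

    The returned token goes into a reset link in the email. The password itself
    cannot be emailed because the site no longer has it.
    """
    token = secrets.token_urlsafe(32)
    USERS[username]["reset"] = hashlib.sha256(token.encode()).digest()
    return token


def finish_password_reset(username, token, new_password):
    """Accept the token once, then replace the stored hash with the new password's."""
    rec = USERS.get(username)
    if rec is None or rec["reset"] is None:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, rec["reset"]):
        return False
    store_password(username, new_password)  # also discards the used reset token
    return True
```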

Password Managers — I want to love LastPass, but can’t

With all of the recent security breaches I’ve been trying to improve my password practices, especially on all of those sites where I used simple “throwaway account passwords”.

For about a year now I’ve been using KeePass for managing my passwords and generating stronger passwords. It’s very nice for that purpose and allows me to also keep track of those pesky security questions, etc. The problem is, it’s not very well integrated with the browser, etc. Sure, you can install a bunch of plugins, but it’s a pain and still leaves you either running various clients on various platforms of varying quality (often in Mono, which is barely a solution, to say the least), or with poor usability.

1Password looks beautiful and very powerful, but it doesn’t support enough platforms and is very expensive, so I haven’t really given it much attention.

That leaves me considering LastPass. It has great integration on almost all platforms, browser plugins, widely supported, etc. I really like it, but can’t bring myself to use it because of a few fatal (IMO) flaws. If they’d just address these flaws I’d be willing to make the jump and pay for their service:

  • They use the same password for your vault as for the normal account maintenance login. That feels like a major weak point.
  • They require you to re-enter your password to “change identities”, but don’t allow different passwords for different identities (or, better, completely separate vaults). I want to be able to set it up to have my more secure passwords protected behind a much stronger password that is harder to type, but an easier to type password for my less important identities.
  • They don’t allow you to store your vaults off-site. While they’re theoretically safe if somebody gets ahold of it, they’re still a major target. Being able to store my vaults somewhere else gives me at least a (possibly false) sense of security by the fact that the location is known only to me.

Given how cheap their service is and how nicely their stuff integrates into all of my browsers (even mobile w/ Touch ID integration!) I’m considering using them for my less important “everyday” passwords, but continuing to use KeePass for my more secure passwords that I don’t access nearly as often.

What are your thoughts?

Mac newbie, day 4 (a rant about keyboard shortcuts)

Ugh…. I’m a major keyboard user and avoid the mouse at all costs. While the trackpad on the MacBook, with its many gestures, is SO AMAZINGLY AWESOME that it can ALMOST pull me away from the keyboard, it’s still not as fast as the keyboard for many operations. That said, MacOS seems almost hostile to keyboard users. And I’m not just talking about the fact that they’re all different than Linux (or Windows) — I can adapt (though as soon as I typed that I accidentally hit ALT + ARROW rather than CTRL + ARROW to jump back a few words to edit what I’d typed and almost lost this post because I used the Mac shortcut on a Windows computer, which caused the browser to go back! DOH!).

Here’s an example:

iPhoto… I imported the photos from my phone and then went through and started deleting all of the one-off temporary pictures of receipts, product price tags, etc… Normally I’d do this very quickly with the keyboard… arrow to select the picture, delete, arrow to the next. A very fast operation. In iPhoto? Forget it! Every time you delete a photo it resets your position back to the very first photo. As far as I can tell, you cannot use the keyboard to navigate efficiently. Another example, in iPhoto, is the inability to navigate back out of an album. Once I enter an album I cannot find any keystroke to go back up a level. I’ve tried everything I can think of and every shortcut that I can find that works in the Finder or elsewhere… No such luck.

Maybe as I learn more shortcuts I’ll change my mind, but as of right now I’m giving it a 4/10 score for keyboard navigability.

Mac newbie, day 1

Day 1 as a Mac user.

I picked up my rMBP15 at Best Buy this afternoon. I’d already done my research, so it went fast… in and out. They agreed to match Fry’s price, saving me a bit of a drive.

I get it home and do the unboxing… no pics, there are already plenty of those online. That said, opening Apple products is always fun as their packaging is as nice as their hardware! Beautifully packed, though I’m surprised that there wasn’t more padding on the box top!

First boot… things aren’t going so smoothly! I haven’t done a search yet to see if this is a common problem, but we’re off to a rocky start. After entering my WiFi password (all 32 or so characters of it!) I hit next and it just sits… and sits… and sits. Strange. So, I hit back and try again and then the screen suddenly starts getting corrupted — pages on top of pages, can’t read the fields very well, but I manage to get the password re-entered and get to the next screen, which won’t let me type my Apple ID. Both radio buttons are selected, and I can’t type, it just keeps beeping. Can’t click anything. The back button finally works, back to WiFi password entry again. Long password entered again, same problem, lots of controls layered on top of controls, a complete mess. 3 or 4 tries, getting worried, finally go all of the way back to the first page of the setup wizard and try again… this time it works perfectly. Phew. Not a good first impression, Apple!

So… I spend some time playing… I don’t like the bottom dock, it takes too much space… move it to the left like Unity and remove some app icons that I don’t intend to use too often. Spend some time walking through every preference page, just to get a feel for what’s up. I tried not to change too much, to try it out the way Apple suggests at first, but there were a few things that I still wanted to change:

  • Background graphics
  • Auto hide the dock
  • Not re-arrange my desktops based on last use!
  • Three finger drag (see below, bug #2!)
  • All of the gestures are on (not sure what the defaults were, but they all looked good!)
  • Added a printer (took all of 2 seconds given that my Linux box had it shared with CUPS!!)
  • Function keys on by default (I use vim extensively and have a lot of stuff mapped to function keys!)
  • Navigate dialogs w/ keyboard (why wouldn’t anybody want this?)
  • Turn off the ANNOYING volume change feedback (I learned that you can still get it if/when you need it by holding shift while changing the volume)
  • Dictation w/ enhanced dictation w/ fn key shortcut!
  • Show date on title bar
  • Tap to click on trackpad (hidden in accessibility?!?) (see below, bug #3!)
  • …more? that’s what I remember changing! 🙂 …

I guess I did deviate from Apple’s defaults quite a bit!

My search history reveals my frustrations for the day:

  • macbook power button does not sleep (doh! just hold it longer!)
  • osx menu shortcut (not as easy as alt+letter for the appropriate menu in Linux & Windows!)
  • osx fill all space/osx maximize window (so the answer basically appears to be to install some 3rd party tool, or “better” just learn to deal with a ‘better’ design. I bought 15″, I want to use 15″!)
  • 3 finger gestures don’t work (see below)
  • FaceTime pause full screen (bug #4?!? yikes! — see below)
  • osx disable volume change feedback
  • airdrop macbook iphone (not possible?!? odd… looks like Yosemite fixes this)
  • osx pgup key
  • more, I’m sure…

Google was definitely my friend today!

So… wrapping this up… my biggest hurdle of the day was getting used to the differences, ESPECIALLY the keyboard shortcuts — being a major keyboard user makes switching harder than it would be for a primarily mouse user.

Also, four major bugs was more than I expected from the hype, but they’re all things I can overcome. Just to summarize the bugs:

Bug #1: Installer Problems

Already discussed in detail above…

Bug #2: Three Finger Drag stopped working!

Apparently I’m not alone in this one… it was nice while it worked, but it went away and I can’t use the 3 finger gesture to move windows around anymore. I’ve tried rebooting, toggling it on/off, etc… nothing.

Bug #3: Tap to Drag

Another bug… tap to drag (hidden away in accessibility) has an option to either stay locked in drag mode, or automatically release when you lift your finger. About half the time it won’t release unless I tap, even though I have it set not to lock. It also takes too long to release, even when it does succeed, meaning that my next operation is often interpreted as another drag.

Bug #4: Facetime pauses in fullscreen

Called my son on his iPod 5 and he reported that every time I went fullscreen my video was paused — though my camera light was still illuminated and I still saw my local video feed.

Anyhow… as I get more comfortable with the differences in keyboard interaction and the general paradigm I’m liking it more and more, but only time will tell.

BTW, as an aside… so far I like X-Code. A little cluttered, but seems to have a lot of power, and it uses Clang++!!!

A Linux lover buys a Mac

I’ve been wanting to do some mobile development for quite some time (all the way back to the original Newton, which I did some experimentation in before they dropped it). I considered doing Android development some time ago, but about the time that I was getting into it I decided to switch to an iPhone, which I absolutely loved — well, there went that plan. 🙂

So, here it is almost four years later and I decided to try again, starting with iOS development this time. Problem is, you have to own a Mac. I haven’t owned a Macintosh since the SE! So, after some pondering, I decided to go all out. I’ve been hearing great things about the MacBook Pro, and given that it has the ability to triple boot with BootCamp I decided that it offered the most flexibility, not to mention, they’re just sexy! So, today I bought a 15″ MacBook Pro, installed Xcode, and started to work my way through the documentation.

I decided I’d chronicle my experiences as a complete MacOS newbie! Maybe some of this will be helpful to others, maybe nobody will read it, maybe somebody will decide to chime in and add some comments showing me the error of my ways, it’s all good!

Having used Windows extensively at work and Linux extensively for both work and personal reasons, I’m finding it to be very different from what I’m used to! (ESPECIALLY keyboard shortcuts!)

Good Penetration Testing Live-CD?

I needed a penetration testing tool to ensure that a particular computer didn’t have any known vulnerabilities. Wanting something that didn’t have to be installed, I started looking for live CDs, particularly one with OpenVAS installed… I tried numerous different CDs, all of which had some show-stopper issue that made it not work. Most of them seemed to put more focus on making the UI look “haxxor 1337” than on actually doing the intended job.

I finally stumbled upon a really good one! Don’t ask me how… I’d forgotten the name and tried to find it again, and even knowing a bunch of keywords I couldn’t find it with any of the search engines. Hopefully this link will help raise its position in the search game because it really deserves it!!

http://shadowcircle.org/

Shadow Circle, a PenTesting LiveCD that works!

Problems with Cygwin .screenrc file resolved!

I’ve been fighting with my .screenrc file in Cygwin for quite some time… I’d configure settings and either they wouldn’t take (such as turning off startup_message) or I’d get strange errors like `Unrecognized command ''`.

It turns out that my .screenrc file had DOS line endings… running dos2unix fixed it!

$ dos2unix .screenrc

I post this hoping that somebody else will stumble across this when they’re struggling with similar problems. 🙂


Print Media vs. Blogs

Are Dr. Dobb’s editors asleep at their desks?

I’ve long been of the opinion that print media still has a place in the online world that we live in, if for no other reason than the fact that the longer release cycles allow for a higher standard; peer reviews and editors act as a sort of filtering.

Not that I’m the king of grammar, but I have come to expect print media to have been read by many editors prior to being released.  In online communications, where the pace is much faster, I have come to expect grammar errors to sneak in.  I often go back and read something that I’ve typed later on and see the most boneheaded mistakes that make me wonder what I was thinking, yet I feel excused in that I was focusing more on the content than the presentation.  Print media, on the other hand, must focus on presentation, otherwise why does it exist?

I was disappointed to look at the mail pile today and see this:

Are the editors at Dr. Dobb’s asleep at their desks?

If print media lets this advantage slip away, what is left for them?

Murphy says that I probably made a really stupid mistake in this posting. 🙂

Windows’ Impressive Package Management

Wow… I’m speechless.

After a LONG and painful uninstallation process that required far too many clicks I finally get this dialog…

Windows’ Impressive Package Management

This is after previously having just experienced the following: choose an app to uninstall, get an error message claiming that it’s already been uninstalled by another installer, would I like to remove it from the add/remove list? Yes. Sorry, you don’t have permission to do that! Contact your admin. (If I weren’t admin, I wouldn’t have permission to even be here in the first place!!!) Poof, it’s gone anyhow…

rkerr@twowheels:~$ sudo aptitude purge windows

ASCII line drawing in PuTTY

Yeah! It’s always driven me nuts. I connect to my home computer via SSH and all of the window borders or tree controls in slrn are messed up with strange characters. I finally found a solution!

http://wp.sieker.info/ascii-line-drawing-in-putty

Basically, just set the assumed character set to UTF-8 under the Translation options!  Now I get proper borders and lines!