Need to put Flash on a leash?

25. October, 2010

Yeah, you can go to the online config tool for Flash, play around with the options and hope.

Or you can use the config file, mms.cfg (documented in a PDF; what did you expect from Adobe?).

Try this for starters. It stops sites from storing data on your computer (Flash cookies, “local shared objects” in Adobe's terms) to recognize you when you return:

LocalStorageLimit = 1
AssetCacheSize = 0
ThirdPartyStorage = 0
AutoUpdateInterval = 1
LegacyDomainMatching = 0
LocalFileLegacyAction = 0

The first three restrict what content may store on disk: local storage, the asset cache, and storage by third-party content. AutoUpdateInterval = 1 is about patching, not tracking; it makes the player check for updates daily.

Kudos go to: Adobe Flash, The Spy in Your Computer – Part 2


Simple passwords

6. September, 2010

How secure can a simple password be?

Well, that depends. What do you want to protect and against whom?

Today, there are two main kinds of attack. The first comes from people close to you: coworkers and relatives. The coworkers need some information or access to some function while you’re not around, or there wasn’t enough money to buy a software license for everyone. The relatives want to spy on you (for various reasons). If your password is something personal, they will figure it out easily enough.

The other attack comes from spammers who want access to your computer (to send more spam, to reach more computers, or to get at your bank account, your credit card number, etc.) or to your accounts. Credibility (as in Google ranking) can be worth money, so control over a well-known blog or a reputable website is not something a cracker would shun.

These people run professional attacks against logins: they try words from dictionaries with a few numbers added (like cat123), and they have tables of passwords and how often people use them (hint: don’t use 123456 as a password).

For big sites, the question isn’t really how “secure” the passwords are but how often they are used. If every password was different, an attacker would have to spend far more guesses per cracked account, and cracking enough accounts to make the attempt worthwhile would no longer pay.

That means passwords could be simple enough to remember. As they should be. Or people will have to write them down somewhere — we’re not computers. Which remember everything perfectly. Unless the last backup didn’t work. Or a virus comes along. Or someone makes a mistake.
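A small simulation of the point above, added here as an example (it is not part of the original post). The user population and the attacker's table are constructed sample data, and the attacker is assumed to know the exact frequency table for this user base, which is the attacker's best case. An online guesser with a lockout budget tries the most popular passwords first; the same twenty simple passwords cost the attacker very different amounts of work depending only on whether they repeat.

```python
from collections import Counter

# Constructed sample data (not real users): what 20 accounts chose.
# Three passwords are shared by 13 of the 20 accounts.
REUSED = ['123456', 'password', '123456', 'cat123', 'qwerty',
          '123456', 'letmein', 'cat123', 'password', 'dragon',
          '123456', 'iloveyou', 'cat123', 'monkey', 'password',
          '123456', 'cat123', 'abc123', 'sunshine', 'cat123']

# The same 20 accounts if no two had picked the same password.  Each one
# is just as simple; the only difference is that none repeats.
DISTINCT = ['123456', 'password', 'cat123', 'qwerty', 'letmein', 'dragon',
            'iloveyou', 'monkey', 'abc123', 'sunshine', 'cat124', 'dog123',
            'pass1', 'summer', 'winter', 'hello1', 'ninja', 'shadow',
            'football', 'baseball']


def attacker_table(population):
    """The table the attacker works from: passwords ordered by how often
    they are used, most common first.  Assumed to be exact for this user
    base (the attacker's best case)."""
    return [pw for pw, _ in Counter(population).most_common()]


def online_guessing(population, budget):
    """Try the top `budget` table entries against every account, stopping
    at the first hit or at the lockout limit.  Returns (cracked, guesses)."""
    table = attacker_table(population)[:budget]
    cracked = guesses = 0
    for pw in population:
        for guess in table:
            guesses += 1
            if guess == pw:
                cracked += 1
                break
    return cracked, guesses


def cost_per_account(population, budget):
    """Guesses the attacker spends per cracked account; None if none fall."""
    cracked, guesses = online_guessing(population, budget)
    return guesses / cracked if cracked else None


if __name__ == '__main__':
    for name, pop in (('reused', REUSED), ('distinct', DISTINCT)):
        for budget in (1, 3, 10):
            cracked, guesses = online_guessing(pop, budget)
            print(f'{name:8s} budget={budget:2d}: cracked {cracked:2d}/{len(pop)} '
                  f'with {guesses:3d} guesses')
```

With a three-guess lockout the reused population loses 13 of 20 accounts for 45 guesses (about 3.5 guesses per account), while the distinct population loses 3 accounts for 57 guesses (19 per account), even though every individual password is equally weak.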



Forcing users to use insecure passwords

30. November, 2009

Q: What’s the most efficient way to force your users to use insecure passwords?
A: Try to force them to use secure ones.

What’s a secure password? It’s complicated, unguessable, easy to remember, contains several strange characters, different per site, changed often.

But how much security can you buy with that?

Changing your password helps to lock out people who have already cracked it. But unless they are in for long-term surveillance, crackers will abuse your account within seconds of cracking it. In the usual scenario (i.e. when the cracker is not your better half), changing your password on a schedule buys you nothing. It’s enough to wait for the mail which says that your account has been cracked and change the password then.

Different passwords per site look like a good idea, but this only has an effect when a cracker manages to crack your password in one place and has a list of your other accounts. Usually, they crack your account for a specific purpose, not to compete in a find-them-all contest. So that doesn’t buy us much, either.

Strange characters look like a good idea until you travel and sit in front of a foreign keyboard in an Internet café. Yay, hide and seek! And if you’re using a complex algorithm to build your passwords which includes strange characters, you’ll encounter the odd site which expects you to have either more or fewer strange characters in your password. Also, unless you’re a software developer, you’re not used to all the strange symbols your computer can produce.

Easy to remember is at odds with hard to guess and complicated.

Lastly, good passwords don’t protect you against the most common forms of attack: Phishing and keyloggers.

Links: “So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users” (Cormac Herley, Microsoft Research)


Adobe Flash 10 Just Sent me Through the Roof [Update]

17. September, 2009

I just got the latest security fixes for Firefox 3.5.3. Finally, the browser warns me about outdated and insecure plugins. I like it!

Top of the list? Adobe Flash Player. Hm. The page needs JavaScript. Guys, other people managed to build click buttons with an image without JavaScript. *sigh* “Temporarily Allow adobe.com”. Huh? What’s that? “Free McAfee security scan (optional)”? Optional my a**! Die, die, die!

So I click the link. “get.adobe.com tries to install software on your computer. Enable?” Sure.

WTF? What the hell is “getplusplus”? And what’s it doing on my computer? *lots of swearing and cursing that you don’t want to hear* I hate it when someone smuggles unwanted software onto my computer. Adobe, if you’re listening: THIS IS MY F***** COMPUTER! SO HANDS OFF!!!

After a restart, I can finally download … ah, crap, again this stupid McAfee! *ARGH*

Ok, it’s downloading. *grmbl* … installing. Hm. Well? Now, what? Anything happening anymore? Let’s check … nope, FF is still unhappy and about:plugins says 9.x.

Again. “Installer was already downloaded”. Really? So why isn’t it installed? Has Adobe finally managed to write software that can lie? Great. That’s what I really needed first thing in the morning.

Okay, np_gp.dll obviously isn’t worth the disk space it occupies. But since Adobe has managed to infest most web pages on the Internet with their Flash crap, a solution is necessary. Here goes:

The download shit from Adobe puts the files into %ALLUSERSPROFILE%\*\NOS\Adobe_Downloads\. Replace “*” with “Application Data” or “Anwendungsdaten” or your local name for that folder. In that folder, you should find a file “install_flash_player.exe”. Save that somewhere.

Open the add-ons and delete “getplusplus”. Exit Firefox. Now delete “np_gp.dll” in the plugins folder of Firefox. That should get rid of that unwanted crap.

Before starting Firefox, run the installer manually. Check the details. Make sure that the installer installed the plugin in the Firefox directory instead of somewhere else. On my computer, it ended up in Opera’s plugins directory. If that’s the case with you, too, then copy the files “NPSWF32.dll”, “NPSWF32_FlashUtil.exe” and “flashplayer.xpt” manually.

Start Firefox and open about:plugins again. Search for “flash” and make sure that the version is 10.x. To make 100% sure, visit http://en.www.mozilla.com/en/firefox/3.5.3/whatsnew/. The security warning should now have gone away.

[Update] Apparently, the download manager is a security risk. So remove it ASAP.


You Have Been There

22. July, 2009

The first step in an attack is to gather information. You’re probably browsing with Firefox, have all the usual plugins installed (AdBlock Plus, NoScript), you’ve disabled cookies and you think you’re safe.

Security doesn’t work like that. Let me give you an example. You may already know that servers save little bits of information on your computer to recognize you when you return. Cookies.

But there is another way to know where you’ve been. Can you guess it? No? Look at the links. Still nothing? The color? It changes after visiting a site?

So the trick is a piece of JavaScript (and almost every site on the ’net needs JS these days): put a list of candidate URLs on the page as links and read back each link’s computed color. Visited links get the :visited style, so the color tells the script which of those sites you have been to. Gotcha. (Browsers have since started to restrict what scripts can read back from :visited styling, which closes the straightforward version of this trick.)

Next time, disable your browser history, too. And the cache. And the proxy. And JavaScript. Better yet, don’t start it anymore.


Taking Security Seriously

16. July, 2009

Security of today’s operating systems is slowly getting better, meaning it becomes harder and harder for some fraud to get your credit card number by asking your computer. Asking the person in front of the computer still works. But I digress.

The Daily WTF has a report on how the military handled the problem.

Carrying the vulnerable parts of the computer away whenever someone untrustworthy comes close may sound absurd, but the solution is really what the military is all about: make it work, no matter what might go wrong. Be creative about what could go wrong, but take the simplest solution (which is the main difference from geeks: we almost never pick the simplest solution).

Which also explains why they clipped parts away from the printouts: blackening them might be undone (holding the paper against the light might be enough), but data that isn’t there can’t be abused.

A pity that this simple idea is shunned today. Instead of collecting as little data as possible for a job, as much data as possible is hoarded.


Trojan on ATMs

2. May, 2009

A few weeks ago, I stumbled over this: it appears that criminals have managed to install a Trojan on Russian ATMs. The Trojan would collect card data and PINs over the day, and during the night a “money mule” would collect a receipt with the numbers (which would look inconspicuous, since a lot of people ask for a printout of their transaction). But this kind of attack is on a new level.

Home computers are administered by … well … people who have no idea. People who want to use a computer, not understand it. For them, this box eats electricity and magically produces fancy graphics on the screen. They know how to email, but they have no idea how mail works; they are oblivious to what actually happens when the computer sends an email. So it’s little wonder that most computers out there are infected with various kinds of viruses or Trojans, and why “MAKE MONEY FAST” schemes still work so well.

The guys who build ATMs, on the other hand, are not ignorant. They ought to know exactly what they are doing, and that someone can still tap into the process is a new dimension. This is the difference between mugging innocent night owls and a planned bank robbery. Computer crime has become as professional as its non-virtual counterpart. My guess is that we’ll need much more powerful computers in the near future which can store and access petabytes of data. Computers which can tell a legitimate operation from an illegal one and which can protect themselves against abuse. Computers which are powerful enough to watch every operation they are processing. Instead of only being able to crunch numbers, they need to understand what they do and how far-reaching the consequences of an operation are.

It’s time for an immune system for computers. If we’re wiped out by Skynet in the not-so distant future, we’ll have to thank the mob.


The Cost of Safety

6. February, 2009

Worried about your safety? The safety of your wife/daughter/son/house/car/whatever? If you did worry about something like that in the past, when considering options to make something more safe, did you consider the cost?

Paul Graham wrote a nice essay “Artists Ship” (after the remark by Steve Jobs). Please ignore his “only programmers love to work hard”. The rest of the argument is very convincing. When people talk about “improving” some situation (crime rate, child abuse, revenue streams), they often propose solutions but there is little to no discussion about the cost of said “solution”.

So we want to protect our children against molesters. Fair enough. Only you can’t argue with reason in that discussion, because it’s so emotional. People don’t know anything about the reasons why someone becomes a pedophile or how (and if at all) this can be treated. They want a “solution”, completely ignorant of the cost. And any detector tuned to catch more violators also flags more innocent people; the two rates move together.

Let’s look at a related case. Make up your mind about this case: “Julie Amero, a 40-year-old substitute teacher from Connecticut is facing up to 40 years in prison for exposing her seventh grade class to a cascade of pornographic imagery.” (more). Guilty? Innocent? What’s “exposing” supposed to mean here? Did she show them intentionally? Such a simple case and so many questions …

Say I want to write a program that automatically searches the Internet for child pr0n and sends alerts to the authorities. I can’t. It’s not possible anymore in any western country because I could neither test my program nor use it: even downloading child pr0n is illegal, before any human sees it. I wonder how all those web filters work … Maybe they build them in a country where child abuse is not illegal.

So you like to watch pr0n but don’t want to pay? The Internet is full of “free” ware. But downloading “good.jpg” might get you into jail, depending on what you might find in the image afterwards. Guilty? Innocent?

Most computers on the Internet are vulnerable to all kinds of attacks. It’s ridiculously simple to spread viruses and worms which effectively take over your computer. Who is guilty when a cracker puts illegal pictures on your PC? You, because you didn’t understand the technology? You, because it is too hard to catch the cracker? You, because the prosecution doesn’t understand the technology, either? You, because the jury can’t follow the explanations of the experts anymore?

On the other hand, a clever pervert might infect his computer deliberately, so he can always say “it was the virus!”. With today’s paint software, how hard is it to replace the head of an adult with one of a child and reduce the cup size? How hard is it to prove that the picture is real? How about pencil drawings? You do know that most paint programs come with “artistic filters”.

Such topics tend to become witch hunts where anyone can potentially be as guilty as we want them to be. Justice isn’t blind to protect the successful criminal, she’s blind in order to protect the innocent against prejudice.

So next time, you ask for a new rule, think about the cost, first.

Btw. During the research for this article, I googled for “teacher england hacker child porn“. Condemn me.



How to Hide a Virus in Source Code

28. January, 2009

I’ve been looking for quite some time for this article: how can you hide a virus in the source code? Basically, you create a binary of a compiler which contains the virus and which is patched to infect other programs as it compiles them, including the compiler itself. This works because compilers are bootstrapped: each new compiler is built with an earlier copy of itself, so a trojan in the binary survives even when every line of source is clean.

Reflections on Trusting Trust by Ken Thompson.
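A toy model of the attack the paper describes, added here as an example (it is not Thompson's code and not part of the original post). Programs are Python source strings and “compiling” is the identity function, so a clean compiler returns its input unchanged; the trojaned compiler adds a backdoor password to the login program and re-inserts its own payload whenever it compiles the compiler. The login program, the compiler, the backdoor password “letmein” and the payload text are all constructed for this example.

```python
"""
Toy model of Thompson's "trusting trust" attack.

A "program" is a Python source string and "compiling" it means producing
a source string that exec() can load, so a clean compiler is just the
identity function.  The trojaned compiler does two extra things:
  1. when it compiles the login program it adds a backdoor password;
  2. when it compiles the compiler it appends its own payload, so the
     clean compiler source still produces a trojaned binary.
Neither LOGIN_SRC nor COMPILER_SRC contains the backdoor; only binaries do.
"""

# Constructed sample "login" program: a single password check.
LOGIN_SRC = '''
def login(password):
    return password == "hunter2"
'''

# Constructed sample compiler: cc(src) returns the "binary" unchanged.
COMPILER_SRC = '''
def cc(src):
    return src
'''

# The trojan payload.  <SELF> is replaced by repr() of this very string,
# so the binary carries the payload's source and can re-insert it (a
# quine).  The marker is written as a concatenation inside the payload
# so the payload text never contains it literally.
TROJAN = '''
# --- injected by the trojaned compiler; absent from COMPILER_SRC ---
_TROJAN = <SELF>
def cc(src):
    if src.lstrip().startswith('def login('):
        src = src.replace('return password == ',
                          'return password == "letmein" or password == ')
    if 'def cc(src):' in src and '_TROJAN' not in src:
        src = src + _TROJAN.replace('<SELF' + '>', repr(_TROJAN))
    return src
'''


def load(binary):
    """Load a compiled "binary" and return its namespace."""
    ns = {}
    exec(binary, ns)
    return ns


def build_trojaned_compiler():
    """The attacker's one-time act: patch the compiler binary by hand."""
    binary = COMPILER_SRC + TROJAN.replace('<SELF' + '>', repr(TROJAN))
    return load(binary)['cc']


def clean_compile(src):
    """What an honest build from source would produce."""
    return load(COMPILER_SRC)['cc'](src)


def demo():
    cc = build_trojaned_compiler()
    # Compiling the clean login source with the trojaned compiler
    # yields a binary that also accepts the backdoor password.
    login = load(cc(LOGIN_SRC))['login']
    # Rebuilding the compiler from its clean source does not help: the
    # payload re-inserts itself, and the next compiler is trojaned too.
    cc2 = load(cc(COMPILER_SRC))['cc']
    login2 = load(cc2(LOGIN_SRC))['login']
    return {
        'clean_login_accepts_backdoor':
            load(clean_compile(LOGIN_SRC))['login']('letmein'),
        'login_accepts_backdoor': login('letmein'),
        'login_accepts_real': login('hunter2'),
        'rebuilt_login_accepts_backdoor': login2('letmein'),
        'sources_are_clean':
            '_TROJAN' not in COMPILER_SRC and 'letmein' not in LOGIN_SRC,
    }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

Reading the source of either program finds nothing; only the compiler binary is dirty, and the only way out is to build it with a compiler you trust for some other reason than having read its source.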


I Have Nothing to Hide … I Think

10. November, 2008

So it has happened again. Someone put a nice web site online and when it came to picking and choosing between security and comfort, guess who won. Alas, those who do as you shouldn’t still serve as a bad example. What has happened?

DHL, a German parcel delivery service, offers a web site where you can track where your brand new gadget is now, so you can guess how long it will take until you rip the wrapping off it. That’s good.

Not so good is that all customers of DHL get the same default password.

Bad is that DHL reuses the tracking numbers after roughly six months (depending on the amount of parcels that go through the system; if there are less, you can look further into the past).

Really bad is that part of DHL’s tracking number is fixed. It’s based on the DHL customer number. That’s not you; this “customer” is the guy or company you ordered from (DHL renders a service for them).

So this leaves us with a convenient way to check who else has ordered from the same shop: the prefix is known, the rest is small enough to enumerate, and the default password opens every entry.

Now imagine you ordered something innocent … oh, maybe porn or “adult toys” or something from company B which is the arch enemy of company A which incidentally pays your wage. All of a sudden, a couple of innocent bits of information have turned ugly.

Whenever you put something out to the world, step away for a few moments from your dreams how much good someone could do with your service and think how much bad someone could do with it. And if you can’t think of anything, you should be very, very worried.