So this came out today:

“Severe” password manager attacks steal digital keys and data en masse

There are lots of nifty helpful password manager tools out there, that will seamlessly allow you to create and use your passwords across all your devices. I don’t use any of them.

I do use a password manager (DataVault, if you are interested.) It has some nifty cloud features that I ignore. I sync by WiFi, on my local network. Only. I had problems with the browser integration, so I don’t use auto-fill. I go to the app, find the password I want, and copy it.

It takes some effort, but it’s not going to be compromised by someone’s poor site security. It’s not that I think all those other people are bad programmers, it’s that they are people and they are programmers and bugs and other problems happen. Even without the slightest bit of poor coding, there could be a weakness in a 3rd party library, operating system, hosting service, or other thing the system is dependent on.

If you think I’m a horrible Luddite disparaging the wonders of modern hosted services, Spouse keeps his passwords as a text file saved in his system keychain and only accesses certain sites from his primary laptop in a secure location. Another perfectly acceptable solution.

Folks who follow me elsewhere have already heard this, so I won’t repeat the whole sordid story. My wallet was stolen on the bus yesterday, by a pair of men who trapped me so I couldn’t move and then unlatched my designed-to-be-secure bag.

What they took was the wallet that had my stored value transit pass, cash, and various random items. A different wallet, in a zipped pouch and tethered to the inside of my bag by a cord, was in the bottom of the same compartment. That has my credit cards and ID, and was not taken. I shouted down the thief and got my phone back, which was much more important to me, but it was less immediately obvious that the transit wallet was also missing.

The cash is long gone and cannot be recovered. The access badge has been invalidated and replaced, as has the transit pass. (I wonder if it wasn’t used because it was a very, very old one: differently branded but still functional. The agency can’t invalidate a card until early the next morning.) Of the remaining stuff, there were business cards, postage stamps, a few “buy 10 get something” cards, and other things.

It’s the “other things” I wonder about. There were business cards with my phone number and mailing address. Credit card receipts, maybe an old doctor appointment reminder or two. None of which I would, by my usual practice, dispose of without being destroyed.

What else? Well, I don’t remember. Sometimes I write notes on scraps of paper and shove them in there. Occasionally I’ve had documents I need to carry copies of. A few months ago the stack was getting pretty hefty and I cleaned it out, but who knows what I was carrying around yesterday.

The good stuff:

The bag, a Pacsafe shoulder bag, worked, for some value of worked. The thief got it open, but it took effort.

The inside bag (another Pacsafe, yes I like them) was further inside and less easy to grab. This is where all the really important stuff is, the strap is clipped to the inside keyring so it doesn’t come out easily.

That both these bags have RF blocking pockets didn’t play a part in this crime, but I have them anyway because it’s an easy thing to do. (Both wallets were RF shielded, and the access card was additionally inside a shielded envelope.)

Now what?

Don’t discount purpose-designed physical security. The police said I should have had my bag at the front of my body, but if you’ve ever carried a cross-body bag you know they bounce around. And being trapped, I could not move it to a safer position. But the latch made it difficult enough to open that I knew immediately what was going on.

Don’t carry things you don’t need. That’s an obvious statement, but as a realistic matter not exactly what it sounds like. I don’t know anybody who routinely selects only the cash or cards they expect to need for the day to put in an otherwise empty wallet. It’s a good technique for special occasions (clubs, festivals, some kinds of travel) but hardly reasonable every time you walk out the door. What that does mean is: clean it out once in a while if you tend to collect junk in your wallet. Don’t keep any sensitive information you don’t absolutely need, like a Social Security card, passcodes or passwords, and account numbers.

Protect different things in different ways. I have the transit wallet and phone easier to access because I need them constantly. The second wallet is harder to get to, but I need it less. The larger, more secure compartment has things that are even more of a problem to replace, like keys. (I have duplicates of frequently used keys on a chain in an outside pocket.)

I’m not hopeful that I will ever hear anyone was arrested, much less convicted. My fellow passengers were yelling at me because confronting the thief was holding up the bus. Not a single person volunteered assistance or information. The bus driver was spectacularly unconcerned (annoyed was more like it) at being informed I had just been robbed on his bus. The video cameras may or may not have worked, and my attempts to confirm the bus number with the transit agency have so far failed. (I did write it down at the time.) The nearby police officers told me I had to go to the main station some distance away to file a report.

So here I am, out $80, a wallet I custom made, more money and time in replacing stuff, and a case number that will likely never see the light of day. Oh, and yet another anxiety attack after dealing with it all.

I read an article this week about identity theft through employees stealing personal information. That’s been going on for years (likely how my Social Security number was compromised) but now the increase in linked data means when something fails, more goes down with it.

Here’s the article:

Can we trust anyone with our personal info?

That made me consider something I’ve been doing when I travel domestically: I don’t use my driver’s license as an ID. It has my address on it, something the person at the security checkpoint has no reason to know. Since I already keep all my travel-related documents/cards together in one place, I just grab that and use my passport. Sure, someone could still look up my address if they had access to the right database (an airline employee certainly would, not sure about TSA.) But it wouldn’t be just sitting there for anybody to see. (In my case they would only get my mailing address, but still.)

And now, since I have the Global Entry card, I use that because it doesn’t show my birth state (which can be used to validate other information like certain Social Security numbers.)

Dear Every Product Marketing Team in the World:

when you try to convince me I need to be able to access my toaster from anywhere on the Internet, this is what I hear:

Hacker taps into baby monitor, shouts at sleeping infant

A family’s baby monitor is compromised by someone who uses it to look around the room and shout at people. And, btw, the manufacturer designed the device such that all logs are lost when powered down.

All software has bugs. If you are lucky, the manufacturer has a process to try to find and respond to those bugs as rapidly as possible. It can never be as rapidly as necessary, however. Choose wisely what you put on the network.

My slow-motion password change-a-thon was interrupted today by a much-anticipated package. I ordered some stuff, and it arrived right on schedule. Yay!

My stuff is great, but I want to mention a little something about the packaging. This seller recycles all sorts of packaging, a good thing. But certain things should not be recycled.

Here is what was on the back side of the printed-out shipping label:

[Image: creditreportfail]

Yup, that is a page from someone’s personal credit report. (Amex tried to sell me that service as well, but I’m not interested in paying for it.)

It doesn’t have a Social Security Number or address, but a full name and details of several credit accounts. Maybe the sender is fine with that. But it’s not stuff I would want floating around. And it’s now going straight into our shredder.

I’ve been meaning to mention this, but with my declining use of Facebook I didn’t have an example to show. This happens all kinds of places, but I’ve found Facebook to be one of the worst offenders.

So someone posts a link to something you want to read. Being a little paranoid, you copy the link and paste into your other browser.

http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.businessinsider.com%2Fsan-francisco-bagel-store-sells-nyc-bagels-2014-2&h=wAQEFDrUN&s=1

But what is all that junk? Some of it is tracking, so Facebook can tell what you clicked. Maybe it’s just the source website and not you personally, but you can’t tell. The rest is character encoding that obscures matters even more.

For some reason this happens to me even more with mobile browsers, where the lack of tools makes it annoying to escape.

First, get rid of the character encoding:

Eric Meyer’s URL Decoder/Encoder

Go to that page, paste your junky url in the text box, and click “Decode.” There you go, actual readable text. It’s a bit of JavaScript that converts the encoded characters back to normal ones.

Next, copy just the part that is the actual url and paste that into your other browser. If you can figure it out, at any rate. This example is pretty simple: it’s everything from “http” to just before the “&”. In http-speak, the & separates parameters, so the stuff after it is more parameters. Maybe you need them to find the right page, but a lot of times you don’t. But they sure are handy for tracking stuff.

So when you get down to it, the actual thing I wanted to read is at

http://www.businessinsider.com/san-francisco-bagel-store-sells-nyc-bagels-2014-2

If I were so inclined, I could write a little script that would strip off all that other stuff. Ideally, it would be something I can host on a trustworthy server and would semi-automatically load the desired page after deciphering the location.
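A sketch of such a script, added here as an example and not part of the original post: it does the decode and the cut described above in one step, then drops tracking parameters from the destination. The only wrapper rule taken from the post is Facebook's `l.php` with the destination in `u`; the `WRAPPERS` and `TRACKING` names and the tracking-parameter list are assumptions.

```javascript
// Added example (not from the original post).
// Known redirect wrappers: which host/path wraps a link, and which parameter holds it.
const WRAPPERS = [
  { host: /(^|\.)facebook\.com$/i, path: '/l.php', param: 'u' }, // from the link in the post
];
// Assumed starting list of parameter names that exist only for tracking.
const TRACKING = /^(utm_[a-z]+|fbclid|gclid)$/i;

// Return the wrapped destination string, or null if `url` is not a known wrapper.
function unwrapOnce(url) {
  const rule = WRAPPERS.find(r => r.host.test(url.hostname) && url.pathname === r.path);
  // searchParams.get() percent-decodes the value, so %3A%2F%2F comes back as ://
  return rule ? url.searchParams.get(rule.param) : null;
}

// Resolve a pasted link to the page it really points at, minus tracking parameters.
// Returns the cleaned URL string, or null if the input should not be opened.
function cleanLink(raw, maxDepth = 3) {
  let url;
  try { url = new URL(raw.trim()); } catch (e) { return null; }
  for (let i = 0; i < maxDepth; i++) {           // wrappers can be nested
    const inner = unwrapOnce(url);
    if (inner === null) break;
    try { url = new URL(inner); } catch (e) { return null; }
  }
  // Only web links: a wrapped destination with any other scheme is rejected.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  for (const name of [...url.searchParams.keys()]) {
    if (TRACKING.test(name)) url.searchParams.delete(name);
  }
  return url.toString();
}

// The link from the post.
const sample = 'http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.businessinsider.com%2Fsan-francisco-bagel-store-sells-nyc-bagels-2014-2&h=wAQEFDrUN&s=1';
console.log(cleanLink(sample));
```

If this were hosted as a service, as the post imagines, showing the cleaned link for the reader to click rather than redirecting automatically keeps the service from acting as an open redirect.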

I read an article this week, and thought of it last night when I was at Bed Bath & Beyond, a chain housewares store.

Has Privacy Become a Luxury Good?

It was a last-minute thing and I didn’t happen to have one of the discount coupons that occasionally show up in our home mailbox addressed to “Neighbor.” So I paid full price for something I might otherwise have gotten a discount on.

But at the store there was a sign saying I could send a text message to some number and get a discount coupon on my phone. If I’m not going to give them my mailing address for one, I’m certainly not giving them my mobile number.

So I didn’t get the discount. It might not seem that way at first, but it’s paying for privacy too.

Another way to handle it is like “my” Safeway loyalty card (or the phone number linked to it, anyway.) A friend signed up years ago, and since then several of us have used the same phone number to access the discounts at the store and she gets any associated with card activity. I’ve used that phone number at stores all over the place (including Canada.) Sometimes I give that as my phone number when I have to provide one for a store account (like Fry’s rain checks.)

I’m usually kinda lax on installing OS updates, but I just came across the iOS 7.0.6 announcement. It’s pretty scary:

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

Apparently this allowed a certain category of attackers (“with a privileged network position,” so not just anybody) to see or modify data ostensibly protected by SSL. How could the session not be properly validated?

I don’t see many details online yet (look at the CVE site later) but now that a patch is available there will presumably be more discussion soon.

In the meantime, I’d be making with the updating…

Just found this: some mostly unnamed researchers have looked at the patch and determined OS X has the same problem. Ouch.

Apple security flaw could allow hackers to beat encryption

Update the Second: Well isn’t this interesting…

Apple’s SSL/TLS bug

The issue is a programming error, one that circumvented a necessary verification condition with an errant line of code. Every single programmer ever has made this error at some point, sometimes after an embarrassingly large number of years of professional work.

The hard part is making sure something or someone in your process catches it before it ships, because even the best programmers get tired and miss something. And that is a subject for an entirely different blog.

Ars Technica’s Lee Hutchinson has only posted the first installment, but this looks to be a seriously good piece on self-hosting email:

How to run your own e-mail server with your own domain, part 1

He starts off with a good dose of reality: it’s a lot of work, and when you screw it up you can make your online life really miserable really quick.

If you want to run a Linux mail server, either on your own physical server or a virtual hosted one, start reading. I’m collecting parts for my new server and I expect this to be useful even if I’m running OS X.

If you have never considered running a mail server, I’m not going to try to talk you into it. Maintaining your own for a few users is smaller in resources than a corporate server, but only somewhat smaller in complexity. You might, however, want to read how it works just to understand how email can be so broken.

I’m not typically a joiner on the whole change-your-userpic/post-this-banner thing, but I wanted to mention the upcoming day of online protest against surveillance. To participate, you can find info on The Day We Fight Back website.

I’ll be honest, when I first heard of it it sounded like a movie promo. Didn’t Independence Day have a tagline like that? Anyway…

Just changing your Facebook picture isn’t going to accomplish a whole lot, but a few things I’ve seen encouraged are much more practical:

First, and most important:

Write your Senators and Representative and tell them (politely) what you think about the NSA getting all up in everyone’s business. (They are doing it to everyone, including your Senators and Representative. You could mention that.)

If you are a US citizen, this is the single most useful thing you can do (presuming you don’t also have a boatload of money to follow it up with.) If you are in California, we have the special pleasure of being represented by Senator Feinstein, the chair of the Senate intelligence committee. And, no, I haven’t exactly been agreeing with her statements on this topic.

A comment on sending emails to politicians is in order, however: use an email address you don’t mind being forever subscribed to their mailing lists. Because you will.

Second, use HTTPS wherever possible (and if you run a website, get a cert and enable it for your users.) Most people don’t use encryption, and some law enforcement agencies have straight up said they consider encrypted communications to be suspicious on that basis alone. The more we do it routinely, not only the less unusual it is but also the harder it will be to lump everyone in as a terrorist-by-association.

Getting certs for my domains has been on the to-do list for a while, although I admit I haven’t done a whole lot about it. Paying for yet another thing is kinda annoying, so I haven’t gone that route. I tried to get a free one, but ran into problems because I don’t use the “correct” email as my domain contact. (You wouldn’t either, if you had a choice: spam galore.) One of these days I’ll figure that out.

Putting a banner on your site or posting to your own social media accounts is only valuable if it has the chance of encouraging someone else to do one of the above. Write your own tweet, blog post, interpretive dance, whatever, if that is your thing. Awareness is important, nothing starts without it. But action is what changes things. And technologists have for too long ignored how politics works.