
Sunday, August 7, 2011

Doomed for Insecurity

I have been trying to explain the importance of computer security and of using a password manager instead of writing passwords down. I wrote a password manager called PasswordStore with the aim of making the usually complex password manager easy to use.


PasswordStore is really simple and mostly self-sufficient; there is almost no setup beyond choosing the username and password you prefer on first use.


No matter how I try to convince others NOT TO WRITE DOWN PASSWORDS ON PAPER AND LEAVE THEM IN PLAIN SIGHT, there are always people who want to write down their passwords and NOT PROPERLY PROTECT THEIR PASSWORD PAPER.


Besides the password cases, there are always people who are ignorant of security despite warnings. A few examples are listed below:

  • Leaving computers unlocked (no lock screen) when going somewhere else.
  • Sharing / lending passwords for sensitive accounts (e.g. email, web portals, etc.).
  • Installing suspicious-looking programs despite warnings.
  • Willingly leaking personal information on social sites.
  • Belittling the consequences of their accounts being compromised.

Above are a few scenarios I have met of people who are hard-headed in their ways towards computer security. I believe most people bear the same attitude to a good extent. If such attitudes are carried into a larger context (organisations and companies), they would invite attention from hackers. The "ordinary" people who persist in such attitudes, continuing their ignorance of security, would also invite trouble from hackers and from law enforcement agencies (when a hacker has implanted a backdoor into their computers and "zombied" them to attack, or help attack, someone else).

Those who are ignorant of security and choose to remain so truly deserve the doom and trouble they have asked for with their ignorant attitudes.


Thursday, August 4, 2011

Real Names Online

Read:

There are people who do not mind their names and privacy being exposed to everyone in public, but there are also people who value privacy more than those who don't. Give those who value privacy a thought. Protect their identities.

One thing I never liked nor understood about social media technologies like Google+, Twitter, Facebook, LinkedIn, etc. is that they simply DO NOT RESPECT YOUR PRIVACY AND COMPROMISE IT INSTEAD. They do not protect their databases sufficiently, as we have seen from the many user credentials leaked from compromised social media website databases. You may not mind your own accounts being compromised, but you would inevitably allow those compromised accounts to become stepping stones that lead to compromising other accounts and systems (think of password reuse as an example).

Quoting Randi Zuckerberg:
I think anonymity on the Internet has to go away. People behave a lot better when they have their real names down. … I think people hide behind anonymity and they feel like they can say whatever they want behind closed doors.
I don't think that's a good approach. Why not remove login functions, remove security protocols and just let everyone in? That's the same idea. We need some privacy. We need some locks to secure ourselves and our assets. We want to protect ourselves. Names can be and have been forged. People have used others' names to create accounts in order to frame and shame their victims. The use of "real names" is inevitably flawed from the start unless some international mechanism is put in place to ensure each individual is who they claim to be (and assuming the design has not a single technical flaw, which is impossible).


If privacy and security are not respected and properly implemented and something happens, it's really hard to tell what exactly happened.


Therefore concluding....


PRIVACY MUST BE RESPECTED !!!

Thursday, July 14, 2011

Ban common passwords for security

Read:

Hotmail's idea isn't really a bad one, but the problem is with the users after all. If a user wants to be careless, there is nothing to stop them from being careless. Banning common passwords simply adds a bit more security; it is nothing radical enough to push security up another notch.
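As an added illustration of what such a ban involves (this is example code, not from the original post or from Hotmail), here is a small common-password denylist check in Python. It also catches the usual disguises of a banned word (capitalisation, leet substitutions, a trailing year or "!"); the denylist itself is a constructed sample, not any provider's real list.

```python
import re

# Constructed sample denylist; a real deployment would load the thousands of
# entries from a leaked-password corpus (this is not Hotmail's actual list).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "iloveyou", "abc123", "welcome", "monkey", "dragon",
}

# Common "leet" disguises users apply to a banned word to sneak it past a
# naive exact-match check.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalized_forms(password):
    """Return the set of simplified spellings a password reduces to.

    Each form strips one layer of disguise: case, a trailing suffix such as
    "2011" or "!", leet substitutions, and punctuation. The plain lowercase
    password is always included so all-digit entries still match exactly.
    """
    base = password.lower()
    forms = set()
    # With and without a trailing run of digits/punctuation ("password2011!").
    for s in (base, re.sub(r"[^a-z]+$", "", base)):
        # With and without leet substitutions ("p@ssw0rd" -> "password").
        for t in (s, s.translate(LEET_MAP)):
            forms.add(t)
            forms.add(re.sub(r"[^a-z0-9]", "", t))  # drop remaining punctuation
    forms.discard("")
    return forms


def is_banned(password):
    """True if any normalized form of the password is on the denylist."""
    return not normalized_forms(password).isdisjoint(COMMON_PASSWORDS)


def check_password(password, min_length=8):
    """Return None if acceptable, otherwise a short reason for rejection."""
    if len(password) < min_length:
        return "too short"
    if is_banned(password):
        return "too common (matches a banned password or a disguised form of one)"
    return None


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "QWERTY123", "l3tm31n", "Tr0ub4dor&3"):
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
```

The point of the normalisation is that a bare exact-match ban is trivially dodged by "P@ssw0rd1!", which is exactly the carelessness the post describes.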

Wednesday, June 29, 2011

Don't trust a device

Read:

Any thumbdrive / USB flash drive / USB flash stick you find is not automatically safe. There are known incidents where the manufacturers themselves had faulty systems that introduced malware / viruses into the thumbdrive / USB flash drive / USB flash stick during manufacture of the product. Treat all devices with suspicion. Disable the auto-run feature and always scan a device before using it if it is not a device you trust and own. For a more paranoid measure, simply scan every device regardless (even your own trusted devices).

Saturday, June 11, 2011

Loving LulzSec

Read:

LulzSec simply lifted the rug at Sony and there we are, finding so many holes in their "secure" system.

Thursday, May 5, 2011

Anonymity of Voting in Singapore

Watch:




How secret is the vote we are promised? From the video, we know that our identity is linked to a serial number for the vote and that the voting paper carries that serial number. Therefore, when we cast a vote with the paper, it is extremely likely that someone could know, quite accurately, who voted for whom by tracing the serial number on the voting paper back to the individual it is linked to.

Is this the anonymous voting practice they promised? NO!!!! You DO NOT NEED our serial number on the voting paper slip. Removing it would improve anonymity.

Thursday, April 14, 2011

Credibility of Stop Forum Spam

About the topic

Below is a screenshot from the page to add an IP address for blocking spam:


As you can see, the fields are so few and there is only a text box to allow some flimsy evidence of forum spamming. Note that computer forensics is a mammoth task and a pain. How would a small text box for evidence justify or prove wrongdoing?

We know that IP addresses are dynamic and have no credibility for identifying individual users, and the chances of proxies, hidden proxies, compromised accounts, etc. are very high. Email addresses can be recreated and can be spoofed.

How can Stop Forum Spam's architecture for preventing forum spam be called credible?

The operators of Stop Forum Spam wouldn't check anyway, as it would be a trouble to wade through every case to vet it, so they would simply let everything pass.


Possible Routes of Attack

A vector of attack on Stop Forum Spam would be to use proxies and gateways hosted privately or quietly, or perhaps Tor as well. Fake accounts could be created with Stop Forum Spam and used. The flimsy way of adding "spammers" shown above could be falsified, and no one would know how true the report is.

How would any staff at Stop Forum Spam verify the accusation? The so-called admin of a forum (who is in fact an attacker with a falsified identity) could falsify computer logs and even metadata to show that the accused is really the spammer.


Making The Attack a Step Up

Now, let's apply this to a real-world scenario with a malicious twist. Most forums do not protect themselves with even the minimal protection of an SSL/TLS connection (flawed as it is; by the way, SSL/TLS is already broken), so sniffing of passwords and login credentials could be done, especially for forum admin accounts.

With the login credentials of the forums' super users, the attacker could dump the members' credentials and IP addresses from the database and perhaps use an automated script to post all of them to Stop Forum Spam with some variation in the evidence. A mass upload of credentials might arouse suspicion, and the attacker may already have figured that out, so some intelligence in the script could regulate the amount of uploaded credentials and falsified evidence.

The attacker may register several different user accounts with Stop Forum Spam and subsequently upload more credentials.

Finally, to inconvenience the forum admins he has attacked, he could place all the forum admins' credentials on Stop Forum Spam too and fully lock the owners and admins out of the targeted forum they own.


Conclusion

The model used by Stop Forum Spam is extremely flawed and not trustworthy because of the nature of the Internet. It is a broken model that attempts to fix something but fails very badly at doing so.


Solutions

The only solution that would make Stop Forum Spam credible is for forum owners to register themselves and prove their ownership of the domain or website.

All forums need to use SSL/TLS or better security to protect their accounts from attacks.

For the owner of a forum to report an incident to Stop Forum Spam, the owner MUST produce the database files (yes, the physical database files, as they contain metadata) while redacting the sensitive credentials of all users. A fully qualified computer forensics staff member would do the job of proving or disproving the reported incident. Stop Forum Spam and the reporting domain owner MUST enter into a legal contract not to reveal any details of the database files and to protect them with the utmost security, and when the investigation is complete, the database files must be encrypted as strongly as possible.

Friday, December 17, 2010

LastPass

Here's my personal take on the LastPass password manager. I am not a LastPass user myself, but from the website, theoretical knowledge and the video, I make my deductions.

LastPass Sesame Youtube Video: http://www.youtube.com/watch?v=-q-4Flnt9Hw

If you have watched the LastPass Sesame video above, you may end up confused by the complicated steps needed simply to set up LastPass Sesame on your portable device (thumbdrives, flash storage...). You also have to use a web browser to access an email sent by LastPass to verify your set-up devices, and all sorts of things. It really is so complicated that my thought of trying LastPass Sesame was put off by that video.

LastPass technology page: https://lastpass.com/whylastpass_technology.php

According to LastPass's technology page (link above), LastPass has data centers keeping a store of your passwords, and you have a local copy too. The idea of having your passwords in LastPass's hands is simply absurd. Would you trust your passwords to someone else's hands? Anyone can claim and vow that they have encrypted your passwords in a way only you can decrypt and they can't. Anyone can vow that they don't know your master password and that only you know it. I think that even if it's really true, it is technologically possible for LastPass to secretly betray that trust if they want to, putting users at huge risk.

I am a huge advocate against leaving sensitive personal information, especially passwords, in someone's hands or servers.

For those who need a solid portable password manager, you are best off with a cross-platform one (better if it's Java-based) where you can simply have one copy running on your main desktop or work computer and another on each of your portable devices. The password manager needs a synchronization capability so you can sync up the portable-device password manager and the main-computer password manager. It is inconvenient in that you have to keep synchronizing the password managers, but at least you don't have to rely on someone else's servers. You can give your password managers different master passwords (making it hard to infiltrate all of them) or simply use a single master password for all of your password managers.

PasswordStore, a password manager I built with the intention of it being portable (it is still lacking the portable and sync portions), is an interesting and useful example to review.

Tuesday, September 28, 2010

Wiretapping in an Illegal way.

Read:

Imagine installing backdoors inside communications. The problem is that any sort of backdoor, no matter how secure, is sooner or later going to be GG once a hacker finds it. Clipper chips, whatever you have, do not think that "SECURITY BY OBSCURITY" is going to do any good.


Modifying all software programs and protocols, including F2F, P2P, etc., to have a backdoor or unscrambling capability is also absurd. It makes the programs and protocols even more insecure.

Most government software uses tools developed in the public domain and outsourced. Imagine one of these loopholes and backdoors slipping in. If they mean that ALL protocols and software have to provide loopholes, how would they feel if their own software and protocols had to abide by the same rules and have loopholes and backdoors too? That would be absurd, wouldn't it?

They need better judgment before making such absurd laws and rules. It would hurt not only others but themselves.

Look at these points found in the article.

¶ Foreign-based providers that do business inside the United States must install a domestic office capable of performing intercepts.

¶ Developers of software that enables peer-to-peer communication must redesign their service to allow interception.


This is pretty bleak. It seems the once infamously free nation is sinking into some kind of "Soviet-style Iron Curtain" rule where everything is controlled and no free will is allowed.

What if non-US developers are providing software, e.g. open source software hosted on SourceForge or other free and open source hosting? Are they going to get the foreign government to arrest those 'dissident developers' and send them to the US for torture? Or maybe they would send CIA operatives to those countries to execute them? These are pure exaggerations, but according to the article here, the US Govt. could do it.

The main point is: stop making those stupid rules and returning to Clinton's Clipper chip era, or those past eras where encryption and security were only for the military and everyone else had to suffer.

Security and free will are everyone's birthrights. Stop taking away security from others. Stop removing the free will of others.

Tuesday, September 21, 2010

Intel's Harkins knows nothing of open source

Read:

Look closely at the line that says the following...
Harkins cited mobile apps: "What kind of security do we think is in something that sells for 99 cents? Not much."
Wow... he doesn't know the power of open source. Really, he needs to know something before he starts speaking. Look at Bruce Schneier's PasswordSafe, or AxCrypt, or how about TrueCrypt, FreeOTFE or GPG? Aren't these good examples of FREE AND OPEN SOURCE software, and some are even FOSS approved?

So don't look down on open source or 99-cent apps. Free (inclusive of FOSS-defined freedom) apps can be really hard to crack or defeat. That is partly why the US government was afraid of strong encryption and security in the hands of everyone, and maybe still has that very fear.

So don't blindly make a statement unless you have a damn good explanation, good backing and concrete evidence.