Thoughts on Systems

Emil Sit

Jan 7, 2009 - 1 minute read - Technology Thoughts password security twitter

Twitter had no rate limit for failed authentication

Reading the Wired writeup on the Twitter password hack, I’m incredulous to read that there was no rate limiting on failed authentication. Given Twitter’s stringent rate limiting for API requests, this seems surprising. Not to mention that online password attacks are practically older than time. Fortunately,

As for addressing the security issues that allowed the breach, [Twitter co-founder Biz Stone] wrote in a follow-up e-mail that the company is doing “a full security review on all access points to Twitter. More immediately, we’re strengthening the security surrounding sign-in. We’re also further restricting access to the support tools for added security.”

Thank goodness. I feel safer already.

Dec 23, 2008 - 1 minute read - Rants Technology moinmoin wiki

MoinMoin sub-page linking is confusing

MoinMoin supports sub-pages, which is a great thing for organizing the lots of wiki-pages. However, the way you write links violates the principle of least surprise: to specify an absolute link, you simply write the target name (e.g., HelpOnLinking), but to specify a relative link to a sub-page, you prepend the sub-page name with a slash (e.g., /Errors). This is of course precisely the opposite of the behavior for standard file systems where absolute paths begin with a slash and relative paths do not.

I don’t know if other wikis exhibit this problem but it wouldn’t be surprising if they did.

Dec 20, 2008 - 1 minute read - Technology clipperz lastpass mashedlife passpack password security

Considering MashedLife and LastPass

After my review of Clipperz and PassPack, I received comments and e-mails suggesting that I consider Mashed Life and LastPass as well.

The most interesting feature of Mashed Life is that it supports logins with a YubiKey–a USB dongle that Mashed Life uses as part of either one or two-factor authentication. This is a very cool feature, as two-factor authentication is harder to beat even than PassPack’s (now potentially weaker) packing key: an attacker must literally have your YubiKey to login as you. But, the downside of the Mashed Life architecture is that it relies on the security of their servers, which, as far as I can tell, have an unencrypted version of all your authentication data–the despite any secret splitting they talk about in their FAQ (Q6), it must be programmatically possible to extract your password since the login action retrieves your password from their server over SSL. Of course, this is probably what enables them to provide an API for synchronization with KeePass and Password Safe, but for me, this is a show stopper.


Dec 19, 2008 - 2 minute read - Rants Technology friendfeed social networks twitter yammer

Porting social networks into FriendFeed

The other day, I complained on Twitter that it was impossible to check-in occasionally to see what people I know had been up to, and separate all that activity out from the prolific people that I’ve followed just because they occasionally say interesting things. And just to prove that fact, I totally missed the two replies to that tweet for several days. One commented that FriendFeed was the solution because of its friend lists. I quickly discovered two things:

  1. It is not trivial to find the FriendFeed usernames of people you are following on Twitter. The best solution seems to be from Internet Duct Tape but it is Windows only, not open source, and also doesn’t create imaginary friends for people without FriendFeed. Not useful.
  2. You can’t import your friends with private Twitter feeds that require authorization.

Arguably this is just an example of the problem of re-creating the same social networks over and over again. A huge problem of APIs, data formats, trust, … FriendFeed in this case could make it easier by at least recognizing people by their other service profile URLs and hey, even offering Twitter (and FaceBook) import instead of just a few e-mail services.

Somewhat tangentially, I’ve been playing with Yammer at work and they make it very hard to miss a message: compared to Twitter, your home screen auto-updates via AJAX and you can get an daily summary of activity e-mailed to you. Not bad.

Update (22 Jan 2009): Importing your Twitter followings is now a solved problem. Yay! I am definitely pleased with how fast FF is able to improve, as opposed to how slowly core Twitter does (e.g., Twitter search still doesn’t appear on the main web UI page.)

Dec 18, 2008 - 1 minute read - Research Technology Thoughts chord dhash dht erlang glacier ringo

Ringo: A DHT in Erlang

Seen via High Scalability, this seems related to my Chord/DHash work – Ringo: Distributed key/value storage for immutable data. A cursory glance at the Erlang source (a language I don’t actually know), suggests that Ringo does simple successor only routing. I think it uses something like Merkle synchronization trees though there are also comments about potentially switching to Bloom filters (a la Glacier). Also, as of this time, no changes to the core Ringo code since May. For the Erlang DHT aficionados, see also CouchDB, which may be a bit more complete, though with a very different API and possibly (last I checked) less focus on resilience.

Dec 15, 2008 - 1 minute read - Technology Thoughts authentication clipperz javascript passpack security

Upcoming talk on password managers

On Wednesday (1217), Collin Jackson will be giving a talk at MIT titled, “Extracting Passwords from JavaScript Password Managers”. I can’t go due to scheduling conflicts but it seems worth considering if you are local and interested in my post about PassPack and Clipperz. I didn’t see any obvious papers from Collin’s website about the attacks he is describing but there are some that look worth reading.

Dec 9, 2008 - 2 minute read - Technology firewall git proxy tools

How to use the git protocol through a HTTP CONNECT proxy

Many corporate firewalls prevent git from using its efficient binary protocol by blocking outbound network connections. Sometimes, you are lucky and are trying to clone a repository that is hosted on a site like github which exports their repositories over HTTP, which would enable you to get through the firewall using the http_proxy environment variable. However, you are usually not that lucky and are only given a git:// URL to clone from.

Fortunately, most corporate firewalls allow for tunneling connections through their HTTP proxies, using HTTP CONNECT. This is normally used for allowing browser to connect to secure websites (using SSL over port 443), but if you are lucky, you can have your firewall administrator configure the proxy to also allow CONNECT for port 9418, which is the port used by git.

Once they have appropriately configured the proxy, you should then be able to use tools like netcat-openbsd or socat to connect through as follows…

  1. Install socat. For example, on Debian/Ubuntu, just sudo apt-get install socat.
  2. Create a script called gitproxy in your bin directory; You will need to replace with the name of your proxy host and the port with the port used by the proxy (common ports include 3128, 8123 and 8000). (If the javascript is broken, visit Gist 49288 and download the raw file; or use the original commands as reproduced in the comments.)
  3. Configure git to use it:
    $ git config –global core.gitproxy gitproxy

That’s it! Your git clone commands should now transparently accept git:// URLs.

Update: Fix quoting and add link to Gist 49288.

Dec 8, 2008 - 2 minute read - Technology dban delete eraser howto security tools

How to securely delete files before returning a computer

A friend of mine who is switching jobs has asked how to delete all personal information from the company computer before returning it. Simply deleting files can prevent the casual observer from finding your data, but file deletion typically does not (to make an analogy to paper) shred the file but merely throws away the information that tells you how to find it. A sufficiently dedicated person could indeed search through every possible place on your computer’s drive and re-construct your deleted files.

In brief, the best tool I am aware of to prevent this is Darik’s Boot and Nuke (dban). This software goes on a floppy or bootable CD image that you create and then completely overwrites every place any file could have ever been stored with garbage data. This is the ideal solution if your employer has a standard software image that they will use after you return your computer.

If you need to be a bit more precise (e.g., your company really needs that one Windows license and can’t re-install), you may need the Heidi Eraser which runs in Windows. This uses the same secure wipe methods as dban, but can be applied to “empty” space on your drive. Thus you can manually delete your user account and wipe any windows cache directories (e.g., everything in C:\Documents and Settings\YourUsername) and then run Eraser as the administrator user to clean off any bits. Heidi Eraser includes dban so you need only download one

Secure deletion takes a long time (many hours!) so be sure to budget sufficient time to do this.

Nov 16, 2008 - 3 minute read - Technology authentication clipperz passpack password security

The difference between Clipperz and PassPack

Clipperz and PassPack are two web services that store your passwords for you, and provide one (or two) click login to those sites whose passwords it keeps. In doing so, these services hopefully encourage you to select strong passwords that you wouldn’t otherwise be able to remember and thus improve your overall security. Aiming to be the one basket in which you keep all your eggs, both services work very hard to provide you with adequate security.

There are clearly technical differences in the services. PassPack has more user visible phishing protection; Clipperz doesn’t transmit your password anywhere providing mutual authentication using SRP. PassPack requires much longer passphrases; Clipperz has a better (though somewhat harder to set up) system for automatically logging into remote sites. PassPack autolocks your data, though it’s not clear what that does in a technical sense (e.g., does it scrub memory?) But both only store encrypted data and have your browser do all the crypto, which is (for me) a major attraction.

I find some more interesting differences in their terms of service. For their protection, both PassPack and Clipperz use standard lines such as: “You expressly understand and agree that Clipperz shall not be liable to you for any direct, indirect, incidental, special, consequential of exemplary damages […] resulting from unauthorized access to or alteration of your transmissions or data” (taken from Clipperz’s Terms of Service). That is, you are allowed to store access to your million dollar retirement assets but please don’t hold Clipperz responsible if somehow your use of Clipperz results in those assets being stolen. However, PassPack’s User Agreement has an interesting caveat: > If your Account is provided to you without charge, you will not use the Service to handle financial data, information and credentials for accessing bank accounts or services provided by financial institutions, including brokerage services;

It’s not clear to me what additional CYA this is supposed to provide. It’s impossible by design for them to verify compliance and it should be a user choice whether to trust PassPack with encrypted credentials to their financial data. To me, it seems more secure than say

Clipperz and PassPack differ in whether you are allowed to audit their service. Clipperz: > Clipperz grants you a license to use the source code related to the Service for the sole purposes of performing security reviews of the code or enhancing the interoperability of other products and services with the Service.

whereas, PassPack: > You are prohibited from violating or attempting to violate the security of this Site, including, without limitation, (i) accessing data not intended for you or logging into a server or account that you are not authorized to access; (ii) attempting to probe, scan or test the vulnerability of a system or network or to breach security or authentication measures without proper authorization; […]

Clipperz’s terms in this regard are the most reasonable I think I’ve ever seen.

The other main difference is that PassPack is a commercial service so you put your trust in them by establishing a contract. As the Digital Railroad failure fiasco shows, that’s no guarantee. Clipperz is currently not a paid service but is open source; you trust their goodwill and can always roll your own in case of emergency. On the other hand, PassPack has revenue, which means they can continue to innovate whereas Clipperz needs investors or volunteers.

It’s a tough choice. I’m leaning towards Clipperz philosophically but there is a lot to like about PassPack as well.

Nov 10, 2008 - 1 minute read - Photography Thoughts flash neil van niekerk strobist

Strobist meets Niekerk

Continuing in the photography/lighting vein… Neil van Niekerk’s techniques are geared towards the time-limited on-the-go (wedding) shooter; David Hobby tends to prefer carefully constructed off-camera light. He’s been exploring on-axis fill recently and his “run and gun” post is where I’d like to go next with lighting: using a single off-camera light with on-camera light, and using TTL for speed. Too bad Canon built-in flashes can’t act as TTL masters; that’s a nice plus for Nikon users.