April 2005 Archives
Elektron 1.0.2 is only needed for new installs on Tiger. The only change from 1.0.1 is the startup script — if you're already running Elektron 1.0.1 on Panther you don't need it, and if you are upgrading your Elektron 1.0.1 machine from Panther to Tiger, you shouldn't need it. The Tiger installer fixes the file ownership on system startup items during the upgrade process automatically (or so I've been told — I haven't tested it myself).
By Chris on April 29, 2005 9:56 AM
By Chris on April 28, 2005 11:57 AM
Why on earth are they saving these numbers? Chipotle Mexican Grill was listed as one of the companies that suffered a card number-related security breach. Do they really need your card number after you bought your burrito? I have absolutely no sympathy for these companies — retaining sensitive information for no reason other than "because we can" is just asking for trouble. At our own online store, we never store full credit card numbers, just the last four digits. That way, in case a customer needs to make a return, we can let them know which of their cards they used to make the purchase (we'll still need to have the full card number given to us again to make the refund, which again we won't retain).
On a side note, am I the only person who sees "POS software" and thinks of something other than point-of-sale? How did that acronym get popularized?
By Chris on April 27, 2005 10:02 AM
It appears I spoke too soon when I described Elektron's Tiger compatibility. It turns out that Tiger likes its startup items to be owned by root with the group set to wheel, while Elektron installs its startup item with root ownership and the group set to admin. This causes Tiger to kvetch about permissions on launch. To fix this, in Terminal.app issue the command:
sudo chown -R root:wheel /Library/StartupItems/Elektron
You'll be prompted for your password. We'll fix this in Elektron 1.0.2 by the 29th.
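As an added example (not code from the original post or from Elektron), a small auditor that walks a startup item directory and reports every entry not owned by root:wheel (uid 0, gid 0 on Mac OS X), so you can see which files the chown above needs to touch; the scratch_item helper builds a constructed stand-in directory when /Library/StartupItems/Elektron is absent.

```python
import os
import pwd
import grp
import tempfile

def misowned_entries(root, uid=0, gid=0):
    """Return (path, uid, gid) for every entry at or under root whose owner or
    group differs from the expected ids. root:wheel on Mac OS X is 0:0."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    bad = []
    for p in paths:
        st = os.lstat(p)  # lstat: judge the link itself, not what it points at
        if st.st_uid != uid or st.st_gid != gid:
            bad.append((p, st.st_uid, st.st_gid))
    return bad

def owned_by(path):
    """(uid, gid) of a single path, without following symlinks."""
    st = os.lstat(path)
    return st.st_uid, st.st_gid

def name(uid, gid):
    """Human-readable owner:group, falling back to numbers for unknown ids."""
    try:
        u = pwd.getpwuid(uid).pw_name
    except KeyError:
        u = str(uid)
    try:
        g = grp.getgrgid(gid).gr_name
    except KeyError:
        g = str(gid)
    return f"{u}:{g}"

def scratch_item():
    """Constructed stand-in for /Library/StartupItems/Elektron: a temporary
    directory holding one file, owned by whoever runs this script."""
    d = tempfile.mkdtemp(prefix="Elektron-")
    open(os.path.join(d, "Elektron"), "w").close()
    return d

if __name__ == "__main__":
    target = "/Library/StartupItems/Elektron"
    root = target if os.path.isdir(target) else scratch_item()
    for p, u, g in misowned_entries(root):
        print(f"{p}: owned by {name(u, g)}, expected root:wheel")
```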
By Chris on April 26, 2005 11:04 AM
Glenn Fleishman discusses passwords. Password policy enforcement is tough — as a network administrator, you want your users to have long, unguessable passwords. Your users, on the other hand, just want to use their computers. Basic password testing is relatively easy: just check that the password is long enough (eight characters is a starting point) and contains mixed-case characters and at least one number or symbol. Bonus points: check that no dictionary words are contained in the password. For instance, "1Password!" meets the criteria outlined above, but is not too hard to guess.
If you are stuck with a password-only authentication system (that is, you can't deploy two-factor authentication like smart cards), one solution could be to have administrator-generated passwords. For the new web store we are developing, we have a password reset feature that generates a new password when the user forgets the old one. We used a generator similar to this one, which creates pronounceable passwords that aren't actually words, for instance, "ideffite" and "aternyma". We add some punctuation to mix things up a bit. It's far from perfect, but just about the best we can do under the circumstances — we can't very well require that everyone have a Corriente-issued SecurID token before ordering from our store.
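As an added example (not code from the original post or from Corriente's store), the four checks described above, including the dictionary-word test that rejects "1Password!", next to a consonant-vowel generator in the spirit of the pronounceable-password tool; the six-word DICTIONARY is a constructed stand-in for a real word list.

```python
import secrets
import string

# Constructed stand-in for a real word list (assumption: in practice you would
# load /usr/share/dict/words or similar); only words of 4+ letters are matched.
DICTIONARY = {"password", "admin", "welcome", "secret", "letmein", "burrito"}

def check_policy(pw, min_len=8, dictionary=DICTIONARY):
    """Return the list of rules the password fails; an empty list means it passes.
    Rules: minimum length, mixed case, a digit or symbol, no embedded dictionary word."""
    failures = []
    if len(pw) < min_len:
        failures.append("too short")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("no mixed case")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        failures.append("no digit or symbol")
    low = pw.lower()
    if any(w in low for w in dictionary if len(w) >= 4):
        failures.append("contains dictionary word")
    return failures

CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"

def pronounceable(length=8):
    """Alternate consonants and vowels so the result is sayable but not a word;
    secrets is a CSPRNG, which the random module is not."""
    return "".join(secrets.choice(CONSONANTS if i % 2 == 0 else VOWELS)
                   for i in range(length))

def generate(length=8):
    """Pronounceable core, capitalised, plus one punctuation mark and one digit,
    regenerated until it satisfies check_policy (the dictionary test can reject)."""
    while True:
        core = pronounceable(length)
        pw = (core[0].upper() + core[1:]
              + secrets.choice("!@#$%&*") + str(secrets.randbelow(10)))
        if not check_policy(pw):
            return pw

if __name__ == "__main__":
    for sample in ("1Password!", "Ab1!", "ideffite", generate()):
        print(f"{sample!r}: {check_policy(sample) or 'OK'}")
```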
By Chris on April 25, 2005 5:23 PM
By Chris on April 22, 2005 12:19 PM
What does it all mean? Even vaunted open source software has bugs. The original article makes this point, and the rebuttal acknowledges it. When it turns out that your software has bugs (and it does!), the correct response is not to say "oh yeah? well, our competitor has more bugs!" You need to acknowledge the bugs and fix them, something that both Microsoft (in recent years, at least) and the Firefox developers have been very good at.
By Chris on April 22, 2005 12:02 PM
It's entertaining, but probably a load of BS. Look at the claims: "the people in Redmond Washington were very interested to know why it was that the same version of Windows was being signalled to them from two different computers." Windows activation only occurs at installation time; once the OS was installed on the laptop, it wasn't phoning home like the professor claimed. How about "The thief also did not inactivate either the wireless card or the transponder that's in that computer." A transponder, like LoJack for your laptop? I'm pretty deeply involved in computer security, but I've never heard of such a thing. I do believe the part about the Wi-Fi card allowing tracking — the campus IT guys could conceivably see the access point to which the laptop was connected, which would give them a reasonably clear view of where the laptop was located. This in turn would allow the campus police to arrest the thief if he were sitting alone in a remote corner of the campus library. However, if he's sitting in the student union with a couple of hundred other students on laptops, good luck picking him out.
It's a bluff, maybe it will work, maybe it won't. I have to guess that anybody with the temerity to steal the professor's laptop from the classroom is not going to be cowed by these threats. If I were the FBI agent investigating this crime, I would have some questions for the professor as well, like "why did you leave such sensitive, top-secret information sitting unencrypted on a laptop that you couldn't be bothered to keep an eye on?"
By Chris on April 21, 2005 10:21 AM
By Chris on April 21, 2005 9:41 AM
By Chris on April 21, 2005 9:34 AM
He told the Chronicle editors that consumers have "unrealistic expectations about a wireless service working everywhere. Why in the world would you think your [cell] phone would work in your house? The customer has come to expect so much. They want it to work in the elevator; they want it to work in the basement."
Umm, the reason I got the idea that my cell phone would work in an elevator is the Verizon commercial I saw last night featuring a man talking on his cell phone in an elevator!
By Chris on April 20, 2005 10:58 AM
This article on silicon.com begins with an attention-grabbing title, but as you read down you find it's not that bad — or at least it's not wireless specific. VoIP is not a wireless security threat because of any idiosyncratic interaction with wireless technology, but rather because VoIP requires additional ports be opened on a company's firewall, which, of course, makes it just as much a threat to traditional non-wireless services.
So why the alarmist headline conflating wireless and VoIP? It's two, two, two buzzwords in one!
By Chris on April 19, 2005 10:15 AM
By Chris on April 18, 2005 11:59 AM
Finally, a weekend off! We just posted the first public beta of Elektron Enterprise Edition. It's available from our download page. The new features in this version of Elektron include:
- Basic RADIUS protocols like PAP and CHAP
- Server replication
- LDAP user authentication
- User account storage via ODBC
- EAP-TLS
- LEAP
- Authenticate users against another RADIUS server
- Policy based authorization
- RADIUS accounting
- Extensive logging options
By Chris on April 15, 2005 6:28 PM
For IT managers, this increases confidence that their chosen Wi-Fi authentication protocol will work with their equipment. In theory, WPA-capable Wi-Fi hardware should work with any EAP method capable of generating encryption keys (including PEAP, EAP-TLS, EAP-TTLS, EAP-FAST, et al.). This new test suite ensures compatibility rather than relying on theory.
By Chris on April 14, 2005 10:34 AM
By Chris on April 13, 2005 11:18 AM
A friend once had a great idea for a fun prank: you can buy $2 bills in sheet form. Take a sheet of money and a pair of scissors into a store, and when you check out, whip out the sheet and the scissors and start cutting off individual notes. Perfectly legal, but apparently not funny in the "post-9/11 world".
By Chris on April 8, 2005 11:13 AM
Google released the satellite photo service that works in conjunction with Google Maps to much fanfare this week (as with pretty much every Google service, it's a "beta").
So what's the security angle that warrants a post to this particular blog? Zoom in on 1600 Pennsylvania Avenue. Notice that the roofs of the White House, the Old Executive Office Building (to the left) and the Treasury Department (to the right) are blacked (well, browned and greened) out.
By Chris on April 7, 2005 11:32 AM
After about three minutes of capturing and cracking, the FBI team found the correct WEP key, and displayed it on a projected notebook screen. Agent Bickers, still speaking to the audience, turned around, looked at the screen and was surprised, "Usually it takes five to ten minutes."
They didn't use the NSA's basement full of supercomputers for the crack, just an off-the-shelf laptop and widely available WEP cracking tools.
By Chris on April 6, 2005 2:57 PM
Mac OS Wireless Adapter Compatibility List. Awesome resource. I can vouch for the Linksys WPC-54G working with the Apple AirPort software on a pre-AirPort bronze keyboard Powerbook G3, and for the IOxperts driver with a Lucent WaveLan Silver (note: no WPA security with that one, it's WEP or nothing).
By Chris on April 5, 2005 12:28 PM
In this week's TidBITS, Adam Engst details having his credit card number stolen, likely as a consequence of online shopping. I've had credit card numbers stolen twice. The first time was by an old-fashioned dumpster diver. Five years ago my AMEX number was obtained by somebody digging through my trash who used it to buy thousands of dollars worth of A/V gear over the phone. The police had no trouble tracking the guy down since he was stupid enough to have the equipment shipped to his home address. The theft didn't cost me anything but the price of a paper shredder, which I now use religiously.
The second theft was more insidious, and is demonstrative of the pervasive lack of privacy today. My MBNA Visa card was used to charge large amounts of money at retail stores in the Atlanta area. I don't carry my Visa card with me, and I hadn't been to Atlanta in years. Not coincidentally, MBNA's Southern Regional Headquarters is located in Atlanta. It was an inside job all the way, which is the risk you run when you give thousands of employees access to the private records of millions of customers. The overwhelming majority of MBNA's employees are honest, but all it takes is one bad apple. A look at the weekly parade of privacy abuses shows that something needs to be done.
By Chris on April 4, 2005 11:32 AM
We've been periodically testing Elektron against development builds of Tiger, as we get ready for the next version of Mac OS X. In earlier builds, everything worked great except for a slight user interface glitch. We figured we'd wait until Tiger got a little closer to shipping to deal with it. Now that Tiger's release may be imminent, we spent the day yesterday re-testing. Lo and behold, the bug was in Tiger, not Elektron. Everything works great, no work necessary on our part. Like Hannibal used to say, "I love it when a plan comes together!"
By Chris on April 1, 2005 11:09 AM
Sigh.
By Chris on April 1, 2005 11:01 AM