I’ve seen several people recently discussing how LastPass protects your LastPass master password and your encrypted site password data (a.k.a., your vault). If what some of those people were saying were true, then LastPass wouldn’t be as secure as I thought it was. This gave me pause, since I use LastPass to store all my passwords, so I decided to do some research to try to understand for myself exactly how it works. Now that I’ve done that, it seems to me that others might benefit from my research, and in any case writing it down will clarify it in my own mind, so here it is.
Archive for the ‘Computers’ Category
Those of us who help create and maintain “the internet” that everyone benefits from are now tasked with helping the world recover from one of the biggest, if not the biggest, security holes in the history of the internet.
To be certain they aren’t vulnerable, users need to change their passwords at every site that was at any point vulnerable to a Heartbleed attack. But a site has to be patched, and its SSL certificate has to be reissued with a newly generated private key, before its password should be changed; otherwise, the new password is just as vulnerable to Heartbleed as the old one was. What’s more, you can’t just look at the start date of an SSL certificate to determine whether it was reissued, because that doesn’t tell you whether the site was patched before the new certificate was deployed, and worse than that, some CAs (e.g., Digicert) quite reasonably re-key certificates without changing their original start dates.
I have passwords at over 500 sites. I’m sure there are people who use many more sites than that. Manually figuring out which sites need their passwords changed, and when to change them, and keeping track of which ones have been changed, is an impossible task.
What we need is a standard, widely adopted way for web sites to indicate, in a way that can be easily interpreted by software, whether they were ever vulnerable to Heartbleed, and if so, when the vulnerability was patched. Then browsers and password keepers such as LastPass can easily determine and track which user passwords need to be changed, and warn the user.
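Here is the decision rule from the three paragraphs above written out as code. This is an added example, not code from the original post or from LastPass; the per-site status record (a dictionary with `vulnerable`, `patched_at` and `rekeyed_at` fields) is a hypothetical stand-in for the standard, machine-readable indicator the post asks for, and the vault entries and site records are constructed sample data.

```python
"""
Classify vault entries after Heartbleed using a hypothetical per-site status
record.  The rule: a password is safe only if it was set after the site was
BOTH patched and re-keyed, and the re-key happened after the patch (a key
generated while the site was still leaking memory may itself have leaked).
"""
from datetime import datetime, timezone
from typing import Optional

# Constructed sample vault: site -> when the current password was last set.
VAULT = {
    "bank.example": datetime(2014, 4, 7, tzinfo=timezone.utc),
    "shop.example": datetime(2014, 4, 12, tzinfo=timezone.utc),
    "forum.example": datetime(2013, 12, 1, tzinfo=timezone.utc),
    "mail.example": datetime(2014, 4, 10, tzinfo=timezone.utc),
    "cdn.example": datetime(2014, 4, 10, tzinfo=timezone.utc),
    "unknown.example": datetime(2014, 1, 1, tzinfo=timezone.utc),
}

# Constructed sample of the hypothetical site-published status records.
# "unknown.example" deliberately has no record.
SITE_STATUS = {
    "bank.example": {"vulnerable": True,
                     "patched_at": "2014-04-08T12:00:00Z",
                     "rekeyed_at": "2014-04-09T03:00:00Z"},
    "shop.example": {"vulnerable": True,
                     "patched_at": "2014-04-08T09:00:00Z",
                     "rekeyed_at": "2014-04-10T09:00:00Z"},
    "forum.example": {"vulnerable": False},
    "mail.example": {"vulnerable": True,
                     "patched_at": "2014-04-08T15:00:00Z",
                     "rekeyed_at": None},             # patched, not yet re-keyed
    "cdn.example": {"vulnerable": True,
                    "patched_at": "2014-04-09T15:00:00Z",
                    "rekeyed_at": "2014-04-08T10:00:00Z"},  # re-keyed BEFORE patch
}


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp ending in 'Z'; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(password_changed: datetime, status: Optional[dict]) -> str:
    """
    Return one of:
      'unknown'    - no status record; needs manual review
      'no_action'  - never vulnerable, or password set after full remediation
      'wait'       - still vulnerable: not patched, not re-keyed, or re-keyed
                     before the patch (the new key may have leaked too)
      'change_now' - fully remediated and the password predates remediation
    """
    if status is None:
        return "unknown"
    if not status.get("vulnerable"):
        return "no_action"
    patched = parse_ts(status.get("patched_at"))
    rekeyed = parse_ts(status.get("rekeyed_at"))
    if patched is None or rekeyed is None or rekeyed < patched:
        return "wait"
    # rekeyed >= patched here, so the re-key time is when remediation completed.
    remediated_at = rekeyed
    return "no_action" if password_changed > remediated_at else "change_now"


def plan(vault: dict, site_status: dict) -> dict:
    """Map every vault entry to the action the user should take."""
    return {site: classify(changed, site_status.get(site))
            for site, changed in vault.items()}


if __name__ == "__main__":
    for site, action in sorted(plan(VAULT, SITE_STATUS).items()):
        print(f"{site:20s} {action}")
```

The important detail is that the effective remediation time is the re-key time, not the patch time, and only when the re-key came after the patch; a certificate start date, as the post notes, tells you neither of those things.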
Don’t use a self-signed SSL certificate for your web site.
Way to go, Incapsula!
Android phones have this awesome feature whereby your list of installed applications, your application settings, your Wi-Fi settings, etc., are backed up automatically inside your Google account, such that when you set up a new phone and link it to your Google account during the initial setup, all that stuff gets restored automatically, making for a lot less work for you returning your phone to the condition you want it to be in.
However, if you have two-factor authentication enabled on your Google account, it doesn’t work properly, or at least it didn’t for me. Here’s what happened:
- I turned on my newly factory reset phone.
- During the initial setup process, I entered my Google account username and password.
- The setup app told me I had to log in on the internet (i.e., through the browser) because of my two-factor authentication.
- I logged in on the internet, including entering the two-factor authentication code I received as a text message.
- The setup process proceeded to completion.
- I discovered after it was done that my Google account had not been successfully configured into the phone.
- I configured the account again. This time it worked, but my apps and settings were not restored.
- I couldn’t find any way to tell the phone to restore my apps and settings at that point.
Moral of the story: if you’re setting up a new phone or resetting and rebuilding your old one, and you want your apps and settings to be restored, then turn off two-factor authentication completely until the phone is set up, and only then turn it back on.
Today, I embarked upon a magical journey, a journey of discovery, a journey of oneness with the environment. In a word, a journey of recycling.
For several years, I’ve been accumulating junk of various sorts on a shelf under my workbench with the intention of eventually figuring out how to dispose of it in an environmentally sound way. Today, I decided to throw it all into boxes and try to get rid of it.
The email identity thief who has been using my email address on-line for years, who apparently goes by the name Diallo Mamadou Oury in real life, has just posted this inexplicable comment on my blog. I posted a response, but I somehow doubt he’ll read or respond to it.
I sure wish I knew what the hell he gets out of all this.
Because I am a boring old fuddy-duddy, I was spending the minutes leading up to the New Year trying to reconcile my 2013 medical flexible spending account (FSA), i.e., to match up the FSA transactions listed on the Paychex web site with those listed in my financial management software and confirm that there were no incorrect transactions in either location.
Alas, after several passes through the transactions, there were, in fact, several that I couldn’t reconcile, and even taking those into account, the reconciled balances were not matching up. However, rather than make yet another pass at trying to make them come out even, I decided to go watch the ball drop with my kids.
When I came back to my office, I had been logged out of the Paychex web site due to inactivity, and the transaction history page I’d been looking at was wiped clean. It wasn’t even available in my browser cache, because the Paychex web site is *shudder* entirely implemented as a Flash application. “No problem,” I said to myself. “I’ll just log back in and bring up the data again.”
Alas, when I logged in, I discovered that the web site had rolled over to my 2014 FSA, and none of the data from the prior year was accessible any longer on the site.
I recently recommended a flash charger for cell phones and other devices, being sold by NoMoreRack.com for a great price.
I stand by my recommendation of that particular product, but I find it necessary to withdraw my recommendation for NoMoreRack.com.
They strongly encourage their customers to recommend their site and products to friends and relatives, and they give customers a $10 credit for each referral that results in at least one purchase. However, they don’t mention anywhere in the various screens urging people to refer others to their site, or in the emails that get sent out whenever a referral credit is generated, that these credits expire after 48 hours. Other credits they give occasionally display the expiration date prominently, which suggests that the concealment of expiration times for referral credits is intentional.
Their inventory doesn’t change often enough for anybody but a shopaholic to be likely to want to buy something from their site within 48 hours of every referral credit. Therefore, their business model for finding new customers is apparently predicated on (a) actively concealing how long referral credits are good for and (b) not actually paying out most of the referral credits that are generated, since they expire before they can be used.
This is an incredibly shady and dishonest business practice which borders on fraud. I don’t do business with companies that do stuff like this, and I discourage others from doing so.
I have no idea why Diallo Mamadou Oury, who lives in Dakar, Senegal, insists on using my email address to sign up for services and web sites all over the Internet (previous postings). But since he apparently feels entitled to share my personal information without my consent, I have no compunctions about sharing his. Here’s an email message that landed today in my inbox: