Archive for the ‘Internet’ Category

How LastPass protects your data

Thursday, April 10th, 2014

I’ve seen several people recently discussing how LastPass protects your LastPass master password and your encrypted site password data (a.k.a., your vault). If what some of those people were saying were true, then LastPass wouldn’t be as secure as I thought it was. This gave me pause, since I use LastPass to store all my passwords, so I decided to do some research to try to understand for myself exactly how it works. Now that I’ve done that, it seems to me that others might benefit from my research, and in any case writing it down will clarify it in my own mind, so here it is.


We need a “/heartbleed.txt” standard, and we need it ASAP

Wednesday, April 9th, 2014

Those of us who help create and maintain “the internet” that everyone benefits from are now tasked with helping the world recover from one of the biggest, if not the biggest, security holes in the history of the internet.

To be certain they aren’t exposed, users need to change their passwords at every site that was at any point vulnerable to a Heartbleed attack. But a site has to be patched, and its SSL certificate has to be reissued with a newly generated private key (and the old certificate revoked), before its password should be changed; otherwise, the new password is just as exposed to Heartbleed as the old one was. What’s more, you can’t just look at the start date (the notBefore field) of an SSL certificate to determine whether it was reissued after the fix, because that date doesn’t tell you whether the site was patched before the new certificate was deployed, and worse than that, some CAs (e.g., Digicert) quite reasonably re-key certificates without changing their original start dates.

I have passwords at over 500 sites. I’m sure there are people who use many more sites than that. Manually figuring out which sites need their passwords changed, and when to change them, and keeping track of which ones have been changed, is an impossible task.

What we need is a standard, widely adopted way for web sites to indicate, in a way that can be easily interpreted by software, whether they were ever vulnerable to Heartbleed, and if so, when the vulnerability was patched. Then browsers and password keepers such as LastPass can easily determine and track which user passwords need to be changed, and warn the user.
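Here is what a password manager could do with such a file, as an added example that is not part of this post and not anyone’s actual proposal: the “key: value” file format, its field names (vulnerable, patched, rekeyed), the site names and the sample vault are all assumptions standing in for whatever a real standard would define. The point it makes is the one above: a password only counts as safe if it was set after both the patch and the certificate re-key, and a site that is patched but not yet re-keyed gets “wait”, not “change now”.

```python
"""Added example (not the post's own code): decide which vault entries
still need a new password after Heartbleed, given a machine-readable
/heartbleed.txt per site.

The file format is a hypothetical stand-in for a real standard:
one "key: value" per line, with
  vulnerable: yes|no
  patched:    RFC 3339 timestamp (required when vulnerable is yes)
  rekeyed:    RFC 3339 timestamp of the re-keyed certificate (optional)
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, Optional


@dataclass
class HeartbleedStatus:
    vulnerable: bool
    patched: Optional[datetime]
    rekeyed: Optional[datetime]


def parse_timestamp(value: str) -> datetime:
    """Parse an RFC 3339 timestamp; an explicit zone is required so that
    'patched' and 'last changed' times are actually comparable."""
    dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp must carry a timezone")
    return dt.astimezone(timezone.utc)


def parse_heartbleed_txt(text: str) -> HeartbleedStatus:
    """Parse the hypothetical /heartbleed.txt body; reject anything that
    cannot be trusted to mean what we think it means."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    if fields.get("vulnerable") not in ("yes", "no"):
        raise ValueError("missing or invalid 'vulnerable' field")
    vulnerable = fields["vulnerable"] == "yes"
    patched = parse_timestamp(fields["patched"]) if "patched" in fields else None
    rekeyed = parse_timestamp(fields["rekeyed"]) if "rekeyed" in fields else None
    if vulnerable and patched is None:
        raise ValueError("a vulnerable site must say when it was patched")
    return HeartbleedStatus(vulnerable, patched, rekeyed)


def password_action(status: HeartbleedStatus, last_changed: datetime) -> str:
    """Return 'ok', 'wait' or 'change_now' for one vault entry.

    A password is only safe once it was set after both the patch and the
    certificate re-key; changing it earlier just exposes the new one too.
    """
    if not status.vulnerable:
        return "ok"
    if status.rekeyed is None:
        return "wait"            # patched, but still serving the leaked key
    safe_after = max(status.patched, status.rekeyed)
    return "ok" if last_changed >= safe_after else "change_now"


def audit_vault(vault: Dict[str, datetime],
                fetch: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Run password_action over every site in the vault. `fetch` returns the
    /heartbleed.txt body for a site, or None when the site publishes none."""
    report: Dict[str, str] = {}
    for site, last_changed in vault.items():
        body = fetch(site)
        if body is None:
            report[site] = "unknown"   # no file: nothing to decide from
            continue
        try:
            status = parse_heartbleed_txt(body)
        except ValueError:
            report[site] = "unknown"   # a malformed file is not evidence of safety
            continue
        report[site] = password_action(status, last_changed)
    return report


# Constructed sample data standing in for HTTP fetches and a real vault.
SAMPLE_HEARTBLEED_TXT = {
    "example.com": "vulnerable: yes\npatched: 2014-04-08T14:00:00Z\nrekeyed: 2014-04-09T09:30:00Z\n",
    "mail.example": "vulnerable: yes\npatched: 2014-04-08T10:00:00Z\nrekeyed: 2014-04-10T08:00:00Z\n",
    "shop.example": "vulnerable: no\n",
    "bank.example": "vulnerable: yes\npatched: 2014-04-08T11:00:00Z\n",
    "forum.example": "this is not a heartbleed.txt file",
}
SAMPLE_VAULT = {
    "example.com": datetime(2013, 6, 1, tzinfo=timezone.utc),
    "mail.example": datetime(2014, 4, 9, 12, 0, tzinfo=timezone.utc),  # changed before the re-key
    "shop.example": datetime(2012, 1, 1, tzinfo=timezone.utc),
    "bank.example": datetime(2014, 4, 8, 12, 0, tzinfo=timezone.utc),
    "forum.example": datetime(2013, 1, 1, tzinfo=timezone.utc),
    "missing.example": datetime(2013, 1, 1, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for site, action in audit_vault(SAMPLE_VAULT, SAMPLE_HEARTBLEED_TXT.get).items():
        print(f"{site:16} {action}")
```

Note that “mail.example” comes out as “change_now” even though the user already changed that password after the patch: the change happened before the certificate was re-keyed, which is exactly the trap the paragraph above describes. Likewise, a missing or unparseable file yields “unknown” rather than “ok”, since the absence of a statement is not a statement of safety.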


How not to run a computer security company

Thursday, March 20th, 2014

My email identity thief is at it again

Tuesday, February 11th, 2014

Das Keyboard comes from behind for the win

Saturday, October 5th, 2013

I recently received a package from Metadot, the creators of Das Keyboard. It contained:

T-shirt, magnet, note pads, note of apology, daskeyboard Space Pen, daskeyboard pens

Here’s what the enclosed note says:

Jonathan, We're sorry we messed up! Please accept these goodies as our thank you for being honest and patient with us. Das Keyboard

The day before, I’d received another package from them, containing a brand new Das Keyboard.

From the “We’re sorry we messed up!” you might suspect that there’s a less positive back story leading up to the seemingly happy ending, and you’d be correct. But I told the ending first for one simple reason: what Metadot did at the end made up for everything that came before, in a way that most companies nowadays just don’t seem to understand. Yes, they made a mistake (quite a few of them, actually), but they acknowledged and apologized for it, they didn’t make excuses, they fixed it, and they went the extra mile to show they were sorry.

Here’s the whole, long story…

Canceling my previous recommendation for NoMoreRack.com

Wednesday, July 31st, 2013

I recently recommended a flash charger for cell phones and other devices, being sold by NoMoreRack.com for a great price.

I stand by my recommendation of that particular product, but I find it necessary to withdraw my recommendation for NoMoreRack.com.

They strongly encourage their customers to recommend their site and products to friends and relatives, and they give customers a $10 credit for each referral that results in at least one purchase. However, they don’t mention anywhere in the various screens urging people to refer others to their site, or in the emails that get sent out whenever a referral credit is generated, that these credits expire after 48 hours. Other credits they give occasionally display the expiration date prominently, which suggests that the concealing of expiration times for referral credits is intentional.

Their inventory doesn’t change often enough for anybody but a shopaholic to be likely to want to buy something from their site within 48 hours of every referral credit. Therefore, their business model for finding new customers is apparently predicated on (a) actively concealing how long referral credits are good for and (b) not actually paying out most of the referral credits that are generated, since they expire before they can be used.

This is an incredibly shady and dishonest business practice which borders on fraud. I don’t do business with companies that do stuff like this, and I discourage others from doing so.

Since Diallo Mamadou Oury is so insistent on sharing my personal information, here’s some of his

Tuesday, July 30th, 2013

I have no idea why Diallo Mamadou Oury, who lives in Dakar, Senegal, insists on using my email address to sign up for services and web sites all over the Internet (previous postings). But since he apparently feels entitled to share my personal information without my consent, I have no compunctions about sharing his. Here’s an email message that landed today in my inbox:


Dilbert was broken, now fixed in comics aggregator

Wednesday, June 26th, 2013

Yesterday, the folks over at Dilbert.com changed their RSS feed, which is what the comics aggregator was using before to fetch Dilbert, so that method no longer works. Therefore, I had to refactor the Dilbert support in the aggregator. It should be working again. Please let me know if it isn’t. And please consider supporting my work on the comics aggregator if you benefit from it.

Mamadou Diallo still, inexplicably, using my email address all over the internet

Tuesday, June 18th, 2013

For some inexplicable reason, some guy who identifies himself as Mamadou Diallo, a.k.a. Bouba Diallo, has been creating accounts all over the internet using my email address for over two years now. I’ve written about this several times before.

It’s still going on… I just got email indicating that he created a Yahoo! account (“m.diallo76”) on May 6 using my email address. Needless to say, as has been my practice, I took over the account and closed it.

I wish I knew what the hell was going on here or what the perpetrator hopes to gain by doing this. I’ve wracked my brain but haven’t been able to come up with any ideas for how this might benefit him. Someone purporting to be him posted a comment on my blog in November 2012, but it just made things weirder, without shedding any light on what’s going on. That comment probably really was posted by him, since the IP address it came from shows up as Dakar, Senegal in GeoIP lookups, and that’s where he claims to live in the accounts that he creates.

If anybody has any ideas about what might be going on here, I’m all ears.


Johnny Monsarrat link round-up

Tuesday, June 11th, 2013