Archive for the ‘Internet’ Category
I’ve seen several people recently discussing how LastPass protects your LastPass master password and your encrypted site password data (a.k.a., your vault). If what some of those people were saying were true, then LastPass wouldn’t be as secure as I thought it was. This gave me pause, since I use LastPass to store all my passwords, so I decided to do some research to try to understand for myself exactly how it works. Now that I’ve done that, it seems to me that others might benefit from my research, and in any case writing it down will clarify it in my own mind, so here it is.
Those of us who help create and maintain “the internet” that everyone benefits from are now tasked with helping the world recover from one of the biggest, if not the biggest, security holes in the history of the internet.
To be certain they aren’t vulnerable, users need to change their passwords at every site that was at any point vulnerable to a Heartbleed attack. But a site has to be patched, and its SSL certificate has to be reissued with a newly generated private key, before its password should be changed; otherwise, the new password is just as vulnerable to Heartbleed as the old one was. What’s more, you can’t just look at the start date of an SSL certificate to determine whether it was reissued, because that doesn’t tell you whether the site was patched before the certificate was deployed, and worse than that, some CAs (e.g., Digicert) quite reasonably re-key certificates without changing their original start dates.
I have passwords at over 500 sites. I’m sure there are people who use many more sites than that. Manually figuring out which sites need their passwords changed, and when to change them, and keeping track of which ones have been changed, is an impossible task.
What we need is a standard, widely adopted way for web sites to indicate, in a way that can be easily interpreted by software, whether they were ever vulnerable to Heartbleed, and if so, when the vulnerability was patched. Then browsers and password keepers such as LastPass can easily determine and track which user passwords need to be changed, and warn the user.
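As an added example (not code from LastPass or from this blog), here is how a password keeper could apply the rule above once sites publish the kind of machine-readable status the post asks for. The status document format, its field names (`vulnerable`, `patched_at`, `rekeyed_at`), the hostnames and the vault timestamps are all constructed for illustration; the point is that the re-key time is published explicitly rather than inferred from the certificate’s start date, and that a password counts as safe only if it was changed after both the patch and the re-key.

```python
"""Decide which vault entries need a new password after Heartbleed.

Added example, not LastPass code. It assumes a hypothetical, machine-readable
status document per site with these fields:
  vulnerable   - bool, was the site ever exposed to Heartbleed
  patched_at   - ISO 8601 UTC timestamp when OpenSSL was fixed (or null)
  rekeyed_at   - ISO 8601 UTC timestamp when a certificate with a NEW private
                 key went live (or null); published because the certificate's
                 own start date may not change on re-key
Rule: a password is only safe if it was changed after BOTH the patch and the
re-key; changing it before that just exposes the new password as well.
"""
from datetime import datetime, timezone
from typing import Optional

# Constructed sample status documents, keyed by hostname (not real data).
SITE_STATUS = {
    "shop.example": {"vulnerable": True, "patched_at": "2014-04-08T10:00:00Z",
                     "rekeyed_at": "2014-04-09T15:30:00Z"},
    "bank.example": {"vulnerable": True, "patched_at": "2014-04-08T02:00:00Z",
                     "rekeyed_at": None},           # patched, still on old key
    "forum.example": {"vulnerable": False, "patched_at": None, "rekeyed_at": None},
}

# Constructed vault entries: hostname -> when the user last changed the password.
VAULT = {
    "shop.example": "2014-04-10T08:00:00Z",   # after patch and re-key
    "bank.example": "2014-04-08T12:00:00Z",   # after patch, but site not re-keyed
    "forum.example": "2013-01-01T00:00:00Z",  # never vulnerable
    "mail.example": "2014-04-10T00:00:00Z",   # no status document published
}


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO 8601 UTC timestamp ending in 'Z'; None stays None."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(status: Optional[dict], changed_at: str) -> str:
    """Return one of:
      'unknown'    - site publishes no status document; cannot decide
      'ok'         - never vulnerable, or password changed after patch AND re-key
      'wait'       - site still vulnerable or still on the old key; changing now
                     would just expose the new password too
      'change_now' - site fully remediated, password predates remediation
    """
    if status is None:
        return "unknown"
    if not status.get("vulnerable"):
        return "ok"
    patched = parse_ts(status.get("patched_at"))
    rekeyed = parse_ts(status.get("rekeyed_at"))
    if patched is None or rekeyed is None:
        return "wait"
    remediated = max(patched, rekeyed)
    return "ok" if parse_ts(changed_at) > remediated else "change_now"


def audit(vault: dict, site_status: dict) -> dict:
    """Classify every vault entry against the published site statuses."""
    return {host: classify(site_status.get(host), changed)
            for host, changed in vault.items()}


if __name__ == "__main__":
    for host, verdict in sorted(audit(VAULT, SITE_STATUS).items()):
        print(f"{host:15} {verdict}")
```

The `wait` verdict is the one a manual process tends to get wrong: a site that has patched OpenSSL but is still serving its old certificate is not yet safe to change a password at, and the tool should keep that entry on its to-do list rather than prompting the user now.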
Don’t use a self-signed SSL certificate for your web site.
Way to go, Incapsula!
The email identity thief who has been using my email address on-line for years, who apparently goes by the name Diallo Mamadou Oury in real life, has just posted this inexplicable comment on my blog. I posted a response, but I somehow doubt he’ll read or respond to it.
I sure wish I knew what the hell he gets out of all this.
I recently recommended a flash charger for cell phones and other devices, being sold by NoMoreRack.com for a great price.
I stand by my recommendation of that particular product, but I find it necessary to withdraw my recommendation for NoMoreRack.com.
They strongly encourage their customers to recommend their site and products to friends and relatives, and they give customers a $10 credit for each referral that results in at least one purchase. However, they don’t mention anywhere in the various screens urging people to refer others to their site, or in the emails that get sent out whenever a referral credit is generated, that these credits expire after 48 hours. Other credits they give occasionally display the expiration date prominently, which suggests that the concealing of expiration times for referral credits is intentional.
Their inventory doesn’t change often enough for anybody but a shopaholic to be likely to want to buy something from their site within 48 hours of every referral credit. Therefore, their business model for finding new customers is apparently predicated on (a) actively concealing how long referral credits are good for and (b) not actually paying out most of the referral credits that are generated, since they expire before they can be used.
This is an incredibly shady and dishonest business practice which borders on fraud. I don’t do business with companies that do stuff like this, and I discourage others from doing so.
I have no idea why Diallo Mamadou Oury, who lives in Dakar, Senegal, insists on using my email address to sign up for services and web sites all over the Internet (previous postings). But since he apparently feels entitled to share my personal information without my consent, I have no compunctions about sharing his. Here’s an email message that landed today in my inbox:
Yesterday, the folks over at Dilbert.com changed their RSS feed, which is what the comics aggregator was using before to fetch Dilbert, so that method no longer works. Therefore, I had to refactor the Dilbert support in the aggregator. It should be working again. Please let me know if it isn’t. And please consider supporting my work on the comics aggregator if you benefit from it.
For some inexplicable reason, some guy who identifies himself as Mamadou Diallo, a.k.a. Bouba Diallo, has been creating accounts all over the internet using my email address for over two years now. I’ve written about this several times before.
It’s still going on… I just got email indicating that he created a Yahoo! account (“m.diallo76”) on May 6 using my email address. Needless to say, as has been my practice, I took over the account and closed it.
I wish I knew what the hell was going on here or what the perpetrator hopes to gain by doing this. I’ve wracked my brain but haven’t been able to come up with any ideas for how this might benefit him. Someone purporting to be him posted a comment on my blog in November 2012, but it just made things weirder, without shedding any light on what’s going on. That comment probably really was posted by him, since the IP address it came from shows up as Dakar, Senegal in GeoIP lookups, and that’s where he claims to live in the accounts that he creates.
If anybody has any ideas about what might be going on here, I’m all ears.