We need a “/heartbleed.txt” standard, and we need it ASAP

April 9th, 2014

Those of us who help create and maintain “the internet” that everyone benefits from are now tasked with helping the world recover from one of the biggest, if not the biggest, security holes in the history of the internet.

To be certain they aren’t vulnerable, users need to change their passwords at every site that was at any point vulnerable to a Heartbleed attack. But a site has to be patched, and its SSL certificate has to be reissued with a newly generated secret key, before its password should be changed; otherwise, the new password is just as vulnerable to Heartbleed as the old one was. What’s more, you can’t just look at the start date of an SSL certificate to determine whether it was reissued, because that doesn’t tell you whether the site was patched before the certificate was deployed, and worse than that, some CAs (e.g., Digicert) quite reasonably re-key certificates without changing their original start dates.

I have passwords at over 500 sites. I’m sure there are people who use many more sites than that. Manually figuring out which sites need their passwords changed, and when to change them, and keeping track of which ones have been changed, is an impossible task.

What we need is a standard, widely adopted way for web sites to indicate, in a way that can be easily interpreted by software, whether they were ever vulnerable to Heartbleed, and if so, when the vulnerability was patched. Then browsers and password keepers such as LastPass can easily determine and track which user passwords need to be changed, and warn the user.


How not to run a computer security company

March 20th, 2014

An open letter to the owner of The Chubby Chickpea Food Truck

February 26th, 2014

Dear Avi,

“You know what the great thing is about owning your own business? You don’t have to do anything you don’t want to.”

That’s what you told me this morning when your food truck arrived 10 minutes past its scheduled opening time and still hadn’t opened 10 minutes after that. That’s what you told me after I waited for you in 10-degree weather for 20 minutes, until my gloved fingers had lost all feeling. That’s what you told me when I commented to you, “You know, when it’s this cold, you really have to be here on time.”


TURN OFF two-factor authentication before restoring an Android phone

February 23rd, 2014

Android phones have this awesome feature whereby your list of installed applications, your application settings, your Wi-Fi settings, etc., are backed up automatically inside your Google account, such that when you set up a new phone and link it to your Google account during the initial setup, all that stuff gets restored automatically, making for a lot less work for you returning your phone to the condition you want it to be in.

However, if you have two-factor authentication enabled on your Google account, it doesn’t work properly, or at least it didn’t for me. Here’s what happened:

  • I turned on my newly factory reset phone.
  • During the initial setup process, I entered my Google account username and password.
  • The setup app told me I had to log in on the internet (i.e., through the browser) because of my two-factor authentication.
  • I logged in on the internet, including entering the two-factor authentication code I received as a text message.
  • The setup process proceeded to completion.
  • I discovered after it was done that my Google account had not been successfully configured into the phone.
  • I configured the account again. This time it worked, but my apps and settings were not restored.
  • I couldn’t find any way to tell the phone to restore my apps and settings at that point.

Moral of the story: if you’re setting up a new phone or resetting and rebuilding your old one, and you want your apps and settings to be restored, then turn off two-factor authentication completely until the phone is set up, and only then turn it back on.


A journey of searching and renewal

February 16th, 2014

Today, I embarked upon a magical journey, a journey of discovery, a journey of oneness with the environment. In a word, a journey of recycling.

For several years, I’ve been accumulating junk of various sorts on a shelf under my workbench with the intention of eventually figuring out how to dispose of it in an environmentally sound way. Today, I decided to throw it all into boxes and try to get rid of it.


Globe Direct: Hey Boston, here’s 34 tons of trash per week on us!

February 12th, 2014

What would you say if I told you that there’s a Boston business that adds more than 34 tons per week of trash to the City of Boston’s waste stream*, trash that the residents of Boston end up paying to dispose of to the tune of >$100,000 per year**? What would you say if I then told you that the business that does this has managed to figure out how to get other businesses to pay for it, ripping them off in the process?

Ladies and gentlemen of Boston, say hello to “Globe Direct in association with RedPlum”!


Boston Herald rude sales people won’t leave us alone

February 12th, 2014
To: Boston Herald home delivery department
Subject: Rude sales call from Boston Herald

My wife and I (you can find us in your records under our home phone number [elided]) are no longer Boston Herald subscribers. We currently have no desire to resume our subscription. Since we canceled our subscription, your sales department has called us several times trying to get us to resume. This needs to stop. The most recent call, a few minutes ago, was incredibly rude.


My email identity thief is at it again

February 11th, 2014

FTR, you *CAN* be sued for outing a creeper on the internet

January 29th, 2014

twistpeach@LiveJournal recently published a 100% awesome journal entry, which went viral, about her experience with a creeper at Arisia 2014 and what she did about it. There is so much good in what she did, and what she wrote about it, that if you have anything to do with SFF Fandom, and probably even if you don’t, you should go read it right now if you haven’t already.

However, I feel I must take issue with one thing she wrote in a follow-up journal entry:

3) There was much discussion of libel and slander in the discussion of the deleting, which honestly made me laugh. I support anyone who doesn’t want to host a discussion of my blog on their blog. But the idea that someone who DOES wish to host this discussion might be in legal trouble for slander is ludicrous. First of all, I don’t have to prove that my version of events happened (even though I have ample evidence and witnesses to do so). Slander and libel require that the story be demonstrably false. And the blog alone includes confirmation from the Arisia con chair of my report.

I have two concerns with spreading this kind of information to people who might have experiences similar to twistpeach’s and need to decide after the fact what to do about it. First of all, “Slander and libel require that the story be demonstrably false,” is hardly a universally true statement. Second, whether or not you actually committed slander or libel, you can still be sued, and it can cost you a great deal of time, money, and stress extricating yourself from such a lawsuit.

Before I go into more detail about these concerns, there is one thing I want to be absolutely, 100% clear about. I think that outing creepers like twistpeach’s did is absolutely, positively the right thing to do. I am in awe of her for doing it, and I think if more people with similar experiences reacted similarly and outed the perpetrators, there would be fewer of them and less social acceptance of their actions.


Another reminder of why I so “love” Paychex

January 1st, 2014

Because I am a boring old fuddy-duddy, I was spending the minutes leading up to the New Year trying to reconcile my 2013 medical flexible spending account (FSA), i.e., to match up the FSA transactions listed on the Paychex web site with those listed in my financial management software and confirm that there were no incorrect transactions in either location.

Alas, after several passes through the transactions, there were, in fact, several that I couldn’t reconcile, and even taking those into account, the reconciled balances were not matching up. However, rather than make yet another pass at trying to make them come out even, I decided to go watch the ball drop with my kids.

When I came back to my office, I had been logged out of the Paychex web site due to inactivity, and the transaction history page I’d been looking at was wiped clean. It wasn’t even available in my browser cache, because the Paychex web site is *shudder* entirely implemented as a Flash application. “No problem,” I said to myself. “I’ll just log back in and bring up the data again.”

Alas, when I logged in, I discovered that the web site had rolled over to my 2014 FSA, and none of the data from the prior year was accessible any longer on the site.