security

identi.ca users: how important is security to you?

The Identi.ca developers were very responsive in addressing the exploit mentioned in this blog post. Thanks for visiting. Please leave your thoughts in the comment section below.

I'm a huge fan of microblogs. One of the most impressive sites in the microblog space right now is Identi.ca. If you haven't checked it out, you should. It's an open source implementation of a protocol called Open Microblogging.

OMB is an open protocol that provides an alternative to Twitter and friends by allowing a distributed group of servers to handle the social network. A user at one site can easily subscribe to a user from another site, and they all just get along. Imagine if you didn't have to sign up for Pownce or Jaiku to follow friends who preferred those platforms. This is huge.

But like any other platform, there are bound to be flaws. The first patch has already been released, and this was a huge bug: all Identi.ca users authenticating via OpenID would have their password set to blank, and anyone could log in using that username...

Identi.ca users, I'd like to hear from you. If you knew there was a huge security hole in the platform, would you want it plugged? Is recognition and timely response from a free, open source project too much to expect? Or should users be expected to troubleshoot and patch the platform themselves to ensure its security?

Let me know what you think (comment below!).

And feel free to follow me on Identi.ca :)

if you must IE, please IE responsibly

According to a recent study, over half of all Internet Explorer users are not keeping up with browser security patches. IE is a bad, bad browser, but an out-of-date IE is much worse.

Firefox users, you're doing better, but 17% of you still need to step it up. Overall, about 45% of internet users are using a browser with security issues.

Please, update your browsers, folks. Help make the internet a happier place. [via]

where does the justin come from?

answers to a few questions from my server logs:

  • where does the justin come from?
    i'm from the southeastern end of washington state, but i currently reside in utah county, utah.
  • is your space cooler?
    yes, my space is cooler than yours.
  • how do i carry a loaded gun?
    i wouldn't suggest carrying it in your pants, unless you want to become another strange google search result
  • why don't my msplinks work?
    it could be a couple of things. first, msplinks are intended to save myspace users from spammy sites. if myspace (in their infinite wisdom) decided that the site you're linking to isn't kosher, they could have blocked it. second, myspace seems to be sniffing referrers. this means that if you post a msplinks link on any page other than myspace.com (like my blog, for example), it will be redirected to myspace.com...
  • what is this msplinks.com?
    msplinks.com is an anti-spam attempt by myspace that rewrites any URL posted on myspace into something that looks like http://www.msplinks.com/MDFodHRwOi... i talked a bit more about the effect of msplinks.com on SEO a couple of months ago.
  • have you ever seen a mothball?
    yes.
  • is drupal cron.php secure?
    i wouldn't worry too much about it. cron.php just triggers the scheduled tasks of the modules you've enabled for your site. it takes all its instructions from the database and from php files stored on your server, not from the request, so there's no way to pass it anything sketchy to execute. the worst an outsider can do by hitting cron.php is make those cron jobs run a bit sooner (or a bit more often) than they otherwise would.
  • what do you say when you meet someone?
    i usually say "hi" or "good to meet you". but that's pretty region specific. in texas they might say "howdy"...
  • why do i suck with girls?
    i'm not sure of the exact cause, but it might be related to the fact that you go to the internet for your answer.
  • is msplinks a virus?
    nope. see the article i linked above.
  • is drupal secure?
    is anything really secure? drupal has a very active developer community, bugfixes and security patches are released in a timely manner, and most of the security updates i've received since installing were for third-party modules, not for the drupal core. i think drupal's doing alright.

inspired by Philipp Lenssen.

simon says

sudo make me a sandwich

one of the most annoying things about sudo is the inevitable game of "Simon Says". today i learned a coping technique. the Ubuntu wiki says:

sudo !! will repeat the last command entered, except with sudo prepended to it.

worthless security measures

My bank has the worst security for their online banking. Honest.

For years, the only security feature (if you can call it a feature) was the password: seven letters or less, alpha-numeric. You couldn't even use punctuation symbols.

I guess there was one other security feature: if you messed up your password three times, it would lock your account. Once locked, an account had to be reset by calling the bank during business hours and talking to a teller...

At some point the bank decided that this security was insufficient. But instead of improving their existing security (e.g. by letting me use a password of sufficient length), they decided to supplement it.
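To put numbers on how little a seven-character alphanumeric policy buys, here is an added example (mine, not from the original post). It assumes the bank's policy was case-insensitive, since the post does not say, and the guess rates are illustrative rather than measured. It also shows why the three-strikes lockout is no substitute for a long password: an attacker who spreads two guesses over many accounts never trips it.

```python
"""
Added example: size of the password space under a few policies, worst-case time
to exhaust it offline, and how many online guesses a three-strikes lockout
actually prevents. Rates and the case-insensitivity of the bank's policy are
ASSUMPTIONS for illustration.
"""
import math

DIGITS = 10
LOWER = 26
UPPER = 26
PUNCT = 32  # printable ASCII punctuation


def keyspace_size(alphabet: int, max_len: int, min_len: int = 1) -> int:
    """Number of distinct passwords of length min_len..max_len over `alphabet` symbols."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def keyspace_bits(alphabet: int, max_len: int, min_len: int = 1) -> float:
    """Keyspace expressed as bits of guessing entropy (assuming uniform choice)."""
    return math.log2(keyspace_size(alphabet, max_len, min_len))


def seconds_to_exhaust(alphabet: int, max_len: int, guesses_per_second: float,
                       min_len: int = 1) -> float:
    """Worst-case time to try every password offline at the given rate."""
    return keyspace_size(alphabet, max_len, min_len) / guesses_per_second


def spray_budget(accounts: int, lockout_threshold: int) -> int:
    """Online guesses an attacker can make across `accounts` accounts without
    locking any of them: one fewer than the threshold, per account."""
    return accounts * (lockout_threshold - 1)


# name -> (alphabet size, max length, min length)
POLICIES = {
    "bank: <=7 alphanumeric, case-insensitive (assumed)": (DIGITS + LOWER, 7, 1),
    "8 chars, mixed case + digits": (DIGITS + LOWER + UPPER, 8, 8),
    "12 chars, full printable ASCII": (DIGITS + LOWER + UPPER + PUNCT, 12, 12),
}


def compare(guesses_per_second: float = 1e9) -> dict:
    """Bits and offline exhaustion time (in days) for each policy at an assumed rate."""
    out = {}
    for name, (alphabet, max_len, min_len) in POLICIES.items():
        out[name] = {
            "bits": keyspace_bits(alphabet, max_len, min_len),
            "exhaust_days": seconds_to_exhaust(alphabet, max_len,
                                               guesses_per_second, min_len) / 86400,
        }
    return out


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name}: {r['bits']:.1f} bits, "
              f"~{r['exhaust_days']:.3g} days to exhaust offline at 1e9 guesses/s")
    # Lockout does not stop password spraying: two guesses against each of
    # 10,000 accounts is 20,000 tries and not a single locked account.
    print("guesses before any lockout (10k accounts, 3 strikes):", spray_budget(10_000, 3))
```

The bank's whole space is about 36 bits, roughly 80 billion passwords; at a billion guesses a second that is under two minutes offline. The lockout only constrains guessing against one account at a time, and it hands anyone who knows your username a way to lock you out until the bank opens.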

mandatory reboot

i just finished a fresh windows xp sp2 install... now it's doing the 65 critical security updates that have been released since sp2.

wow.

a more secure drupal [multisite] install

I love the Drupal CMS. One of my favorite features of Drupal is the ability to do a multisite install. This site and my other blog, i <3 stella, are hosted on the same box, using the same Drupal install. Several sites can share one codebase. Updates are easily rolled out to every site simultaneously. Overall, it's a wonderful idea. But I have some problems with the implementation...

drupal secure multisite tutorial after the jump.

does that security vulnerability come standard, or did you pay extra?

Cliff Stoll, the author of The Cuckoo's Egg, points out that the most common vulnerabilities are the ones that come by default on a machine. DEC's VAX computers came with three system accounts, all with a default password. The system never forced the administrator to change them. For the most part "Hunter," the hacker he chased for over a year, didn't use sophisticated tools or brute force. He tried the front door, which was usually wide open.

The modern day front door is a wireless router. Cracking wireless security has become almost trivial. There are utilities that do it automatically. But as easy as it is, it's even easier to find an unsecured network. If you want free internet, look for a network called "linksys," "default," "Wireless," "NETGEAR," "belkin54g," or "Apple Network 0273df." Those are the default network names for the most popular routers, and an owner who never changed the name most likely never changed anything else: no encryption, no password, wide open.

The other day a friend decided to help out his neighbor. He had noticed that the internet connection he was "sharing" still had the default administrator password, so he changed it to something a little harder to guess. Had he been malicious, he could have done far more. He could have enabled MAC address filtering on the router, so that it would reject any computer except his own, and the owner wouldn't have known what happened. He could have secured the router and given the passkey only to his friends. He considered locking the owner out of his own network to teach him a lesson, but decided that was a bit extreme.

Nearly every new cellphone sports Bluetooth technology. But many users don't understand that their phone could pair with most other Bluetooth devices without so much as a password. They leave their phones in "discoverable" mode, not realizing that this leaves them wide open to attack. The amount of damage to be done is relatively small. Crackers can siphon data being transferred to the phone, or can use the handset for their own data connection. This has spawned the term "war nibbling," a take-off on war driving. Instead of cruising for open WiFi networks, nibblers find unsecured or unpatched Bluetooth connections.

How do you protect a user from their own stupidity? Ubuntu Linux disables the root account by default (it is installed with no usable password), and instead gives the first user account created during installation sudo access. A cracker trying to brute-force their way into an Ubuntu box might try the root account, but they don't know the name of the account with real power.
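What "root is disabled" actually looks like on disk, and how to check it, as an added example (mine, not from the original post). A locked account has a password field in /etc/shadow that starts with "!" or "*", which no password can ever match; the real power sits with whichever users belong to a group that sudoers grants ALL. The file contents below are constructed samples with fictitious hashes, not copied from a real machine.

```python
"""
Added example: audit which accounts are locked and which users can become root
through sudo group membership. SAMPLE_* are CONSTRUCTED stand-ins for
/etc/shadow, /etc/group and /etc/sudoers; the hashes are fictitious.
"""
import re

SAMPLE_SHADOW = """\
root:!:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
justin:$6$saltsalt$F1ctit10usHashValueForTheExampleOnly/abcdefghijklmnopqrstuv:17000:0:99999:7:::
guest:$1$xyz$alsoFictitiousHash:17000:0:99999:7:::
"""

SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:justin
admin:x:4:
users:x:100:justin,guest
"""

SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
"""


def locked_accounts(shadow_text: str) -> dict:
    """Map user -> True if the shadow password field can never match a password.
    A field beginning with '!' or '*' is locked; anything else is a live hash."""
    result = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        result[user] = field.startswith(("!", "*"))
    return result


def passwordless_accounts(shadow_text: str) -> list:
    """Accounts with an EMPTY password field: these log in with no password at all,
    which is the one thing worse than a weak hash."""
    return [line.split(":")[0] for line in shadow_text.splitlines()
            if line.strip() and line.split(":")[1] == ""]


def sudo_groups(sudoers_text: str) -> set:
    """Groups given unrestricted sudo by lines of the form '%group host=(runas) ALL'."""
    groups = set()
    for line in sudoers_text.splitlines():
        m = re.match(r"^%(\S+)\s+\S+=\(.*\)\s+ALL\s*$", line)
        if m:
            groups.add(m.group(1))
    return groups


def group_members(group_text: str) -> dict:
    """Map group name -> list of supplementary members from /etc/group format."""
    members = {}
    for line in group_text.splitlines():
        if not line.strip():
            continue
        name, _, _, users = line.split(":")[:4]
        members[name] = [u for u in users.split(",") if u]
    return members


def privileged_users(group_text: str, sudoers_text: str) -> set:
    """Users who can reach root via a sudo-enabled group: the account names a
    brute-forcer would need, and the ones worth guarding like root."""
    gm = group_members(group_text)
    return {u for g in sudo_groups(sudoers_text) for u in gm.get(g, [])}


if __name__ == "__main__":
    locked = locked_accounts(SAMPLE_SHADOW)
    print("root locked:", locked["root"])
    print("password-less accounts:", passwordless_accounts(SAMPLE_SHADOW))
    print("sudo-capable users:", sorted(privileged_users(SAMPLE_GROUP, SAMPLE_SUDOERS)))
```

On a real box, read the three files as root and point the functions at their contents; if `privileged_users` returns more names than you expect, or `locked_accounts()["root"]` is False, the "disabled root" protection is not what you think it is.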

Windows Vista takes an interesting approach: Hit the end user with a deluge of popups. "You appear to be trying to do something. This could be dangerous. Are you sure you want to continue?" This can only protect a user from certain types of stupidity, however. Windows users already have all sorts of popups that warn about the harmfulness of certain actions—a simple download requires two to three clicks before you can run it—but this hasn't stopped many users from merrily clicking OK to offers for free iPods, or (ironically) popup blockers and computer security scans.

This sort of security is dangerous, however. I regularly use a Linux box that requires confirmation for each file in a recursive delete. This can be tedious, so, rather than encouraging more thoughtful use of the function, it encourages me to use rm -rf by default. Excessive security features or warnings can cause complacency or even circumvention.

Ultimately, who is to blame for an insecure system? Should the vendor force users to run a secure system? Many websites run algorithms on passwords to ensure that they are sufficiently hard to guess, and that they change on a regular basis. Perhaps an operating system or network should enforce similar standards.

the illusion of security

There are entire industries that capitalize on our insecurity about security. These companies prey on our fears as a society by exaggerating both the probability of an attack and the effectiveness of their solution. We need an illusion of security.

It always amazes me how often people assume that they've been hit by a virus. In actuality, these "virii" are usually user error, corrupted critical files or random chance. Hanlon's Razor seems to apply quite well here: "Never attribute to malice that which can be adequately explained by stupidity."