Insisting on security risks – revisted

A while back I wrote a post about companies insisting we put our accounts at risk by forcing us to answer silly questions that would serve as a backup in case we lose a password. You know, like what our favorite color is, where we were born, and other commonly available items.

Thanks to Bruce Schneier’s post on Secret Questions I’ve learned about some research people have done on the subject. Yep, it’s just as stupid an idea as I originally thought, and they point out something I hadn’t noticed – people often forget the answers they give. Who has the same favorite color or movie forever?

Since I wrote my post on the subject, I’ve taken to using a very long password to these questions, which are becoming increasingly popular – even with companies that should know better.

A parking lot is the answer

I just read a post about how voting machines in Ohio are going on sleepovers before elections. Whether they’re being protected or hacked is up to you, but clearly physical access to voting machines is considered to be an influence on their validity.

How about this: Put them all in a large group in a parking lot. Then put some simple barrier – maybe police line tape – around them. Then alert media, activist groups, and everyone else that they are there. I’m guessing you’ll end up with enough witnesses and video that any attempt at tampering will end up on tape from several angles. Problem solved. For free, and to everyone’s satisfaction.

A Critical Element in BlackBerry vs. iPhone

Or maybe “Should Be A Critical Element…” Because American business by and large doesn’t really care about security very much.

Thanks to Bruce Schneier we learn that the Indians are pushing to get the encryption keys to RIM’s BlackBerry system. What this means is that the messages sent to BlackBerrys in the field could be decrypted by the Indian government. Strangely, only non-corporate users are at risk for now.

How long do you think it will be before other governments get the keys in exactly the same way as the Indians did? How long do you think it will be before a corporate user is thought to be enough of a security concern that even corporate users must turn over keys?

The reason why this is significant for the BlackBerry vs iPhone situation is that the iPhone works differently. It doesn’t pass all messages through a server. It behaves like a computer connected to the internet, with a regular email client. So, as soon as someone is allowed to create an email client with encryption capabilities we will have secure mobile email. Apple has released the iPhone SDK, and is expected to unveil applications along with an improved version of the iPhone in June. It might even happen that Apple builds encryption into the mail client themselves.

The problem for RIM is that there is no way to do full decryption on the BlackBerry without doing it on their server, at least with their current software. Creating this after making deals with governments to provide access will be impossible.

So, if you believe in having privacy, and you conduct business overseas, it looks like BlackBerry isn’t the best choice.

Why do companies insist on security risks?

Why do companies insist on making our accounts less secure?

I just tried to log in to Lowes, and got the password wrong and they then asked me the stupid questions that they build into the system to try to avoid having to deal with lost passwords. Idiotic questions like “What was the name of your first pet?” and “Where did you go to high school?” When I’m forced to provide answers to these security risks I usually just enter 30 to 60 characters of gibberish. I figure if for some reason I cannot recover the password I can talk to a human being at the company and regain access that way.

The normal and professional way to handle lost passwords is:

  1. Send the lost password to the person’s registered email address. This is the most sensible way, as long as you give the password loser the chance to back out if they know their email account is compromised.
  2. Make them call and talk to a human being.
  3. Email them a new randomly-generated password.

Not at Lowes – if you don’t remember what you put down as your high school (I went to two) then you’re screwed. The idiots at Lowes make you re-register. Re-registering is bad enough, but my old account is still out there somewhere.

So, I guess the only sensible thing to do is just treat these stupid questions like a password prompt, and come up with a 20 character answer to give all of them. I’m sure as hell not going to tell the truth. Seriously – how hard would be to get anyone to give up the name of their high school or their first pet? If I wanted to break in to, say, a coworker’s account, all I’d do is try to get to find the questions, and then ask the coworker. Do you think anyone’s going to balk at talking about their first pet or their high school days?

New online forum –

While I was at the SCIP conference I was able to meet several folks from Strategy Software, who make several products I use. We talked about their products and their features, and we also ended up talking about creating a user’s group.

There were a few of us “power users” there, and everyone seemed to think it was a good idea. It was one of those discussions where everyone’s nodding, but no one is talking about what they’re going to do, so I volunteered to put it together.

So on the way home in the airport I found a spot with free wi-fi and set to work. One of the things I really love about the internet is how quickly things can be done. In less than an hour I had found software (PHPBB) and had uploaded it to my web servers, defined the forums, thought up a name (poorly chosen and later changed), written posts, and emailed the others about it.

That was Friday, and Saturday I registered a domain, cleaned up the site, set up security on the Strategy Software forums (they’re for licensees only) and wrote more posts. Since then the domain as changed to The folks from Strategy Software have been participating, and now we have 48 articles and 10 users.

But that’s not enough!

So, please come and have a look when you can! is a place where CI professionals and others involved in research or information security can network and discuss issues that are important to them, as well as their experience with Strategy Software products. It’s still in it’s infancy, so now’s the time to get in on the ground floor!

More on Email Encryption

I’ve been doing a lot more experimenting after my last post, and looking back I realize now that I came into this with a very strong PGP bias.

Don’t get me wrong – I still think PGP is neat. It’s the most flexible in pure terms, and because there are open source versions of it there is a solution for almost every need. The problem is that in day to day use, they almost all get pretty tiresome pretty quickly.

I also realized that while Thawte’s process for getting a key is a bit lumpy, it’s really not as bad as I thought. First, you can have multiple ID’s in one key. Second, you can export the keys from one application to another. True, you do have to enter the password three times but the reason is that two of those times are because it’s offering to let you choose a new password.

Thunderbird with Enigmail is the most graceful solution for free. It is really slick, with the PGP part working as smoothly as the Digital ID – s/mime part. If I had to use both, it would be my first choice.

The thing about s/mime (what I was improperly calling Digital ID) is that it’s really quite transparent in daily use, but not so invisible that you don’t know if it’s working or not. A small lock or ribbon icon on an email confirms that it’s secure, while in Outlook it even prevents you from viewing the email in the preview pane.

Transferring keys is different as well – the software can be set to send your key (they call it a certificate) when you send a signed email. This allows the recipient to pull your key in and use it to send you encrypted email in the future.

Key management isn’t as bad as I thought. While they may expire (I’m not sure they all do) the system keeps track of them more or less automatically – at least in my brief experience it seems to. They are reasonably easy to back up as well, and don’t seem to be computer-dependant as I had originally thought.

So, while I had thought PGP was the easier method, I now believe s/mime is easier – at least it has been in actual use.

Encryption: OpenPGP vs Digital ID

Note: Since writing the article below I’ve found that many things I wrote were incorrect. I have corrected them here.

From time to time I think about email security. We don’t tend to think about it much, but our email is essentially like sending a postcard – it’s in the open and anyone with the right tools can read it. The answer is encryption, but these days it’s easy to feel as though using encryption is somehow wrong, as though we have something to hide. Well, we do have something to hide, and there’s nothing wrong with that. It’s called having privacy.

Anyway, so I’ve got a bee in my bonnet to encrypt my email. This is one heck of a lot more complicated that you might think, because there are a lot of places and ways I get email:

  • On my machine at work, via Outlook and also via Fastmail’s web interface – Fastmail rocks, by the way.
  • On my machine at home, again via Outlook, synchronized via VPN with work, and also via Thunderbird and web interface to Fastmail.
  • On my Palm, using Snappermail.
  • On my machine at home using Linux, via Thunderbird.

So far, I’ve learned the following about two approaches: OpenPGP and Digital ID. Incidently, OpenPGP is available as both freeware and commercial products. The commercial version has the most sophisticated approach (uses a web proxy) and the smoothest interface, but is $100 (although free to use in a limited way for non-commercial use). The rest are free.

Digital ID is not available as a separate product. Instead, the funtionality is built in to just about every email app out there. However, it doesn’t do file or disk encryption, where OpenPGP does.

Cost of Keys. OpenPGP is zero, Digital ID’s range from free to expensive depending on the features desired. Thawte does it for free, Verisign wants $20/year for a “Class 1” ID. ID’s are burried sufficiently well on the Verisign site that I couldn’t find anything past Class 1. When you consider that Digital ID’s are good only for a single email address, this could be more expensive yet.

Ease of Key Management. OpenPGP keys are portable, support multiple User ID’s (email addresses) and work with any OpenPGP application. They can be stored on a USB drive for more security, and since you create them no one else has the private key for even more security. You can change the password on the key at will. You can add User ID’s at will. You can revoke it, and un-revoke it (via a backup). All of this can be done using a key management application which facilitates this pretty well. It also make searching for public keys for others much easier via keyservers.

None of this seems to be possible with Digital ID – at least, I can’t find how to do it. Digital ID keys are application specific (at least, when getting one you have to specify what application you use) and User ID specific, so if you have three email addresses that’s three keys you’ll need. Getting a key means going to a site and either requesting or buying one. The ID/key (both private and public parts) is created and then sent to you. The downside is that someone else has the key, the upside is that if you lose it, you can get it back pretty easily and don’t have to worry about backups.

I haven’t yet experimented to find out how application specific the Digital ID’s are, but I had to kind of cheat the system to get one on my Linux system – it kept downloading it into Firefox. I can’t imagine why because FF has no email capability. Anyway, I had to export it and then import it into Thunderbird because the Verisign site had no “Download for Thunderbird” button. Here’s the funny part: In order to export, you have to enter your password twice. I don’t know why on earth it’s necessary to enter it, let alone twice, since you need the password to use it, but there you go. Then, when you go to import it into another program it asks you to create a new password! Sheesh!

A thing about passwords: OpenPGP takes them very seriously, and even calls them passphrases to encourage people to make them long and truly strong. Mine is over 15 characters, and it still wasn’t considered strong. The Digital ID folks, on the other hand, don’t seem to care other than to put a short blurb about how it shouldn’t be a word, and should have numbers and punctuation.

Ease of use. Digital ID has the upper hand here because it is built in to Outlook and just about every other email application. OpenPGP can be installed in such a way that it’s very painless for users, but that really only works in a multi-user environment. The other OpenPGP-based methods are not painful to install, and are fairly easy to use once you understand what they do, but for users who are encryption-ignorant and want to stay that way it’s not the smoothest.

However, if you are using Thunderbird, and if you are using POP or IMAP you should be, you can get a really slick extension called Enigmail. It’s very, very nice.

Long term workflow integration. The real trick is not to send and receive a few encrypted emails. The trick is for it to be part of the overall communication system over the long haul, and here OpenPGP rules.

Digital IDs expire and have to be replaced. This happens more or less automatically, but it means that email from 4 years ago will require a key from 4 years ago to read. That could be 40 keys ago. More if you include more User IDs, more email systems, etc.

In OpenPGP it would be one key if you like, or more if you like. You can make a copy, put it on a CD, stick it in a safety deposit box and rest assured it will work when you need it to.

Mobile Applications. PGP Corp used to make PGP Mobile, but it’s no longer available. I hope they’ll put it in the public domain. There is a freeware version, but it is not compatible with later Palm OSs.

There is an app or two available for Windows Mobile – one I’ve seen just creates a console to use the command line version of PGP on.

I don’t believe, but someone please correct me, that either support Digital ID.

I’ve chosen OpenPGP for now. Since I have the old PGP Mobile for Palm, it provides a nice palm solution. It’s also included in Linux, and is available in so many apps there’s bound to be one that fits. Last but not least, key management while a little daunting at first is much better.

I tried the 60-day trial for Verisign, and for my work stuff it seems ok. The problem is that moving it to any other system is a misery and even so it’s not going to work with any other email address. It’s also $20/year, which isn’t much for a single address but starts to mount when you consider 4 or 5. I thought for a while that I would use Digital ID for work stuff because it’s so well integrated into Outlook and exchange, but the key management is so obscure I don’t think I could reliably explain to anyone how to get to my mail after I left. OpenPGP will be much easier.

So why aren’t these solutions more widely adopted?

I think the fundamental problem is that as much as we care about our privacy, we don’t care enough to use the tools required to preserve it on the internet. After all, the threat is invisible – where an envelope shows evidence of being opened, an email does not. I suspect that the only market for these tools exists in large corporations and the government, and therefore the marketing and support is non-existent. Nearly so, PGP Corp. does a pretty good job of educating people who seek to be educated.

I don’t want to sound like some crazed guy from the backwoods of Montana, but I’d like to ask a favor: Pick one and use it. If we don’t use this stuff, someone in Washington will get the idea we don’t need it. We do. ID theft is still mostly a paper-based thing, but it won’t be forever. We can either have encryption now on our own terms, or later on someone else’s. You choose.

Encryption – Evidence of Criminal Intent?

Schneier on Security has a post about the presence of encryption software being considered evidence of criminal intentt. He’s speechless. So am I, but possibly for a different reason.

The subject in question was accused of child pornography, and the presence of the encryption software on his computer (along with other evidence) was accepted as proof of his intent. That itself doesn’t upset me too much, as long as there was other compelling evidence. What upsets me is that if encryption itself is proof of criminal intent, then I guess I am a criminal – I use Windows XP, and Windows XP has built in encryption. You can check it out by going the properties of any directory, and then hitting “advanced”.

Electronic Passports are scary

Folks, this stuff is scary. Now I am in favor of doing all reasonable things we can to stop terrorism, but I draw the line at putting information that can be used to steal my identity out there where people can get it. I know the feds will say that it’s not possible, but if business has done anything in the last 10 years, it’s under estimated the ability of hackers & crackers to do their respective tasks. I doubt it will take long before anyone with sufficient funds can scan a passport from a reasonable distance, and get what data they need, or perhaps just erase what’s there. I just hope the hackers get there before the crackers do.

Folks, what’s need in the war on terrorism is two things: First, better management of our relationship with the world. Second, a shift from doing what looks effective to doing what really is effective. In case you’re wondering, I’m not holding my breath 😉

SHA-1 – What does ‘broken’ really mean?

Over on Bruce Schneier’s blog there’s a post saying that SHA-1 is now broken. SHA-1 is a hashing algorithm that takes a string and converts it to a “unique” unintelligible hash of characters. I put unique in quotes because given that the hash length is shorter than the string, there’s obviously more than one string that will create the same hash. Since this algorithm is use for digital signatures, if someone finds a way to change the message and leave the hash the same, well that’s clearly a problem.

This Chinese team seems to have found a way to do that in less than the full number of operations one would expect for a “brute force” attack. More specifically, they’ve found “collisions”, which means they’ve found a string that will produce the same hash. They did this in 2 to the 69th operations, which is a really huge number, but significantly less huge than the expected 2 to the 80th operations. There’s no mention of what computing power was used, but it’s way, way beyond what anyone but research teams and governments can lay their hands on easily.

While I’m sure this is shaking the crypto world, I think it’s a little early to worry about your coworkers forging your signature in a nasty email to the boss.