Technobabbles
I try to sound like I know what I'm talking about. Don't be fooled.

30Apr/10

Fraud Much: Follow-Up

Looks like having my credit card number stolen hasn't had too bad an effect on my life. I received and activated my replacement credit card about two weeks ago. Also, in the interim, I found out that my dad had one of his cards disabled, too.

The people who called my dad about his card explained that the latest scam going around is just to generate random card numbers. Looks like my research was right; that was one of the top possibilities I found browsing through discussions around the Internet. Unfortunately, algorithms for creating random, valid card numbers do exist for testing purposes. Since both of us had our cards compromised within a week of each other, I think it's safe to believe that we both were victims of the same scam and there was nothing I could have done to prevent what happened to me.

What kind of grossly inadequate security must credit card processing systems have that someone can successfully (attempt to) authorize a transaction with nothing but the account number? There must be another piece to the puzzle… maybe shady merchants who don't bother verifying any of the information, or something like that. For now, I'm quite thankful that fraud-detection departments are so vigilant.
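The "valid card number" algorithms mentioned above rest on the Luhn checksum, which is a typo check, not a secret. This added example (not from the post) validates numbers and measures how often a random string passes: exactly one in ten, which is why the check digit offers no protection and issuers have to lean on the CVV, address verification and fraud monitoring. The numbers used are constructed; 4111111111111111 is a widely published test number, not a live card.

```python
def luhn_valid(number: str) -> bool:
    """Return True if the digit string (spaces allowed) passes the Luhn checksum.

    Luhn is a typo check: it catches a mistyped digit or a swapped pair, and it
    is public, so it neither proves a number was issued nor hides anything.
    """
    digits = number.replace(" ", "")
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; every second digit is doubled and, if the
    # result has two digits, reduced by 9 (the same as summing its digits).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_pass_rate(prefix: str, suffix_len: int = 4) -> float:
    """Fraction of all numbers prefix + <suffix_len digits> that pass Luhn.

    For any fixed leading digits exactly one of the ten possible final digits
    works, so the rate is always 0.1: one in ten random strings looks "valid".
    """
    count = 10 ** suffix_len
    passed = sum(luhn_valid(prefix + str(i).zfill(suffix_len)) for i in range(count))
    return passed / count


if __name__ == "__main__":
    # Constructed inputs: a published test number and a one-digit corruption of it
    print(luhn_valid("4111 1111 1111 1111"))   # True
    print(luhn_valid("4111 1111 1111 1112"))   # False
    print(luhn_pass_rate("411111111111"))      # 0.1
```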

Even though I was probably just a victim of a random number generator, I'm still going to see if my card issuer supports generating temporary account numbers for use in online shopping. That seems like a good idea: If one of the numbers is compromised, I can just kill it, rather than dealing with deactivating and reissuing the card. (I have long used this same principle for email addresses. I used to use Gmail's "plus-addressing" feature to add keywords to my incoming mail; now I give most sites a unique address at technobabbl.es. Both approaches also allow me to track data leaks — which usually result in increased spam — directly to the responsible party. :D)

Filed under: musings, security
15Apr/10

Fraud Much?

So. Last Friday afternoon I got frantic calls from both my Falcon office and my bank. Some jerk stole my credit card information and tried to buy $1,300 worth of jewelry[1] with it on Wednesday. Nice try. It set off the fraud alert.

It helped that on Thursday, I tried to renew my cell phone's air time without actually getting the card out of my pocket and mis-remembered my CVV the first time. Then the crook made a $1 pre-authorization at Apple on Friday, which was enough suspicious activity for the card company to call me.

After I confirmed that yes, I bought the Net10 air time, no, I didn't try to buy $1,300 of jewelry or visit Apple, they shut down the card. I won't get another for about a week. Joy. Meanwhile, next thing on my agenda is to find out what happened to the charge for the air time I bought on the day in between fraud attempts. I don't want Net10 to kill my account because of a chargeback, but it should be OK because I did tell the Falcon office that, of the suspicious transactions, that one was legitimate.

The list of possible "mea culpa" breaches is very short: My credit card information was stored in only a few places online. Many more brick-and-mortar merchants' employees have had access to it since the card was activated last June. From Internet research, I see that I'm not alone in having this happen. I also see that there are myriad ways the crook(s) could have gotten my information.

Random guessing is pretty high on the list. Algorithms exist to generate valid card numbers for testing, and mine might have just randomly come up. I use library computers a lot, so one of them could have had spyware on it that was monitoring the information flow. Maybe Net10's website isn't as secure as I thought. Perhaps an employee at one company or another abused data access privileges and stole card information from customers. Could be that a company I bought from was hacked, or the payment processor was. Google Checkout might not be as secure as it claims to be. Maybe funds transferred from bank to credit card company are sent unencrypted and the crook grabbed info that way. (These are getting less and less likely, to the point of pointless speculation.)

Thing is, I don't believe the CVV was stored anywhere except the back of the card and my memory. Armed with only a name, billing address, and an account number, what are the possible ways an attacker could use the stolen information? I don't believe a billing address or CVV are required for telephone purchases, but then how to explain the Apple pre-authorization?

Whatever happened, I've placed a 90-day fraud alert on my credit report (as recommended by the FTC), changed several passwords and removed the deactivated card from all online accounts. Apparently this happens to some people every few months, but that just makes me curious about how lax such individuals are with their information security. I intend to be even more careful than before.


Notes:
  1. Way over my limit.
Filed under: musings, security
27Apr/09

How To: Safely Use Twitter Notification Enhancement Services

Latest update: 2010-11-20: Twitter tweaked the addresses again. Remove the twitter- part of the addresses in your filters if you've set them up.

Update (2010-11-11): Twitter changed their addressing scheme again. See below for instructions.

As you all have probably heard, Twitter is gaining popularity in leaps and bounds. All the new users mean more follower notifications arriving in my inbox, and Twitter's default messages aren't very useful. (The direct message notifications are pretty bare-bones, too, but I don't get many of those so it wasn't a priority.)

Update (05/06): Twitter prettified their emails, but I still think Topify's are better. Unfortunately, Twitter also went back to using the same address ([email protected]) for all users' notifications, putting the email-address-specific addresses in the reply-to header. So the filter setup in this post doesn't work any more. I had to come up with a new, more complicated filter… Stupid Twitter…

Update (05/07): Twitter went back to the old From addresses, so the filters from this post should now work again.

The Beginning

The first enhanced-notification service I discovered was Twimailer, created by a British developer named Jon Wheatley (and apparently later sold, shortly after I signed up, to a Romanian named Toni).

Despite the admonitions in the article above (on ReadWriteWeb) about changing passwords and all kinds of security precautions, I'm not worried about my own account. There's one simple reason for that: I never actually switched my email address in Twitter's settings. Instead, I created a Gmail filter to auto-archive follow notifications from Twitter and forward them to Twimailer. That way, I:

  • had all my follow notifications even if the service went down (it did for several days) or glitched (sometimes I get messages with no information)
  • only forwarded the messages Twimailer needed to be useful, rather than everything
  • made sure to keep password resets (which I haven't used for my main account in the last few months anyway) completely out of Twimailer's hands

I was very comfortable with this system. I can only guess that Jon's original intent was to simplify the setup process. After all, most people don't bother with email filters, and wouldn't necessarily know how to set one up. Changing settings on Twitter's website is a lot easier.

A New Age

Thanks to a TechCrunch post about fighting Twitter spam I read tonight, I discovered Topify, an invitation-only (for now) service based in Israel that offers all of what Twimailer did — and more.

I found an invite on the Topify blog (sorry, no link; you gotta dig through their site too so it's fair for everyone) and quickly signed up. The Twitter password field distressed me a little, but it's obviously necessary for all the extra features (like follow-back, reply to direct message, and block), all of which can be done via email with Topify. (In the future, I hope Topify will implement support for Twitter's OAuth authentication and delete users' passwords from their system. Consider this a request, Arik. :-)

Anyway, switching was pretty painless. All I had to do was change the address to which my Gmail filter forwards and add my direct-message notification From address to the filter. I'm currently waiting for something to happen on my Twitter account so I can try out the new service. (I considered running Twimailer and Topify side-by-side for a bit, but decided against it; redundant emails would increase my processing time, the opposite of the intended effect.)

Filter Details

For those who want to copy my setup (I'm telling you, it's a lot more resilient than the default instructions from either service), here are the filter settings to enter.

Update (2010-11-11): Twitter changed their addressing scheme. The old addresses don't work any more. Make sure to use the inserted instructions. :) (Updated again 2010-11-20 when Twitter removed the twitter- part of the address.)

As of November 20, 2010 (the instructions were first changed on November 11), you'll have to copy the From address of at least one Twitter notification email before you can set up the filter. The address should look like follow-<lots-of-letters-and-numbers>@postmaster.twitter.com or dm-<lots-of-letters-and-numbers>@postmaster.twitter.com.

The random letters and numbers appear to stay the same whether it's a follow or a DM, so you only need to copy one address, then paste it twice and change one instance of follow or dm to the other.

In the filter's From box, enter:

  • Topify: follow-<lots-of-letters-and-numbers> OR dm-<lots-of-letters-and-numbers> (the pre-November-2010 criteria were twitter-follow-you=yourdomain.tld OR twitter-dm-you=yourdomain.tld)
  • Twimailer: twitter-follow-you=yourdomain.tld (I'm not supporting Twimailer any more, is it dead?, so no updates here.)

Replace you=yourdomain.tld with your email address, using = in place of @.

That's all you need to do for filter criteria. (If you have only one Twitter account coming into your inbox, it's even easier; you can omit the -you=yourdomain.tld part(s) of the filter criteria. It doesn't hurt to include them, though.)

For actions, I selected "Skip Inbox" and "Mark as read", and told Gmail to forward these messages to my secret Twimailer/Topify address.

Click the Create filter button, scroll down your filter list, and you should see the new filter listed with its From criteria and the three actions.

(There's also an XML file available to import, for those with the Filter Import/Export feature enabled in Gmail Labs, but creating the filter from scratch is pretty easy. No reason to recreate the importable file. The new solution is so copy-and-paste-heavy that it wouldn't be worth it. The file link might go dead in a month or two when my Google Page Creator site is moved to Google Sites, but I'll know because things like the site logo will stop working. If that happens, I'll definitely fix it. Well, since I moved to self-hosted WordPress, no links broke. :D )
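To make the filter logic above concrete, here is an added example (my own code, not from the post or from Gmail/Topify) that builds the From-box text from one copied address and then applies the same criteria to raw notification emails, forwarding only follow and DM notifications and leaving everything else, password resets included, in the inbox. It also checks Reply-To, which covers the May 2009 scheme the 05/06 update describes. The token, forwarding address and sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholders: copy the real token from one of your own notification
# emails, and use your own secret Topify/Twimailer forwarding address.
TOKEN = "abc123def456"
FORWARD_TO = "secret-alias@example.invalid"

# The post's From-box criterion, follow-<token> OR dm-<token>, as a regex.
NOTIFICATION_RE = re.compile(
    r"^(?P<kind>follow|dm)-" + re.escape(TOKEN) + r"@postmaster\.twitter\.com$",
    re.IGNORECASE,
)


def gmail_from_criterion(copied_address: str) -> str:
    """Build the From-box text from one copied notification address.

    Mirrors the post's instruction: paste the address twice and swap
    follow/dm in one copy, since the token is the same for both kinds.
    """
    _, addr = parseaddr(copied_address)
    m = re.match(r"^(?:follow|dm)-([A-Za-z0-9]+)@postmaster\.twitter\.com$", addr, re.I)
    if not m:
        raise ValueError("not a Twitter follow/DM notification address")
    token = m.group(1)
    return f"follow-{token} OR dm-{token}"


def classify_notification(raw_message: str):
    """Return (kind, actions) for a matching notification, else None.

    Only follow and DM notifications match, so password resets and any other
    Twitter mail never reach the third-party service. Reply-To is checked as a
    fallback for the scheme in which the per-user address moved there.
    """
    msg = message_from_string(raw_message)
    for header in ("From", "Reply-To"):
        _, addr = parseaddr(msg.get(header, ""))
        m = NOTIFICATION_RE.match(addr)
        if m:
            actions = {"skip_inbox": True, "mark_read": True, "forward_to": FORWARD_TO}
            return m.group("kind").lower(), actions
    return None


# Constructed sample messages; only the headers matter to the filter.
FOLLOW_MSG = (
    "From: Twitter <follow-abc123def456@postmaster.twitter.com>\n"
    "To: you@yourdomain.tld\n"
    "Subject: Alice is now following you on Twitter!\n\n"
    "Alice is now following your updates.\n"
)
DM_MSG = FOLLOW_MSG.replace("follow-abc123def456", "dm-abc123def456")
RESET_MSG = (
    "From: Twitter <noreply@example.invalid>\n"
    "To: you@yourdomain.tld\n"
    "Subject: Reset your Twitter password\n\n"
    "Click the link to reset your password.\n"
)
REPLY_TO_MSG = (
    "From: Twitter <noreply@example.invalid>\n"
    "Reply-To: follow-abc123def456@postmaster.twitter.com\n"
    "To: you@yourdomain.tld\n"
    "Subject: Bob is now following you on Twitter!\n\n"
)

if __name__ == "__main__":
    print(gmail_from_criterion("Twitter <dm-abc123def456@postmaster.twitter.com>"))
    for name, sample in [("follow", FOLLOW_MSG), ("dm", DM_MSG),
                         ("reset", RESET_MSG), ("reply-to", REPLY_TO_MSG)]:
        print(name, "->", classify_notification(sample))
```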

Note: As I was writing this, I discovered Chris Messina's post about this, published almost two months ago. My little hack is nothing new, I guess; but I'll publish anyway because his instructions are focused on Twimailer and Twimailer only.

Wrap

Let me know if you find this little hack useful. I haven't time to make a bunch of pretty screenshots (unlike Chris ;-), so if you have questions, post in the comments.

Incidentally, this is my 500th blog post. If that means anything.

13Feb/08

Application Storage Architectures Are Important

This quarter and next quarter, I'll be taking music theory classes at school. We're using a program called Musition, distributed by an Australian company by the name Rising Software. Initially when I set it up, it was using a local database of course material with a local data store of audio files and all the other accompanying stuff. A couple days ago, though, my teacher sent out instructions for connecting the program to the network, and it's now 100 times slower.

Previous load time was around five seconds. That was tolerable, especially considering what the program was loading. It also logged me in automatically to a local account. Now, however, it takes around ten minutes to load, most of it spent on "Loading Melody Data". And it requires a username and password. Admittedly, the two together are only nine characters, but it's still an inconvenience. Also, commands that took milliseconds in the locally-stored version take five or ten seconds to execute and return results. The load time and latency are the problems that really get me.

So, what does this teach us? It teaches us that carefully considered storage architectures are important for the usability of any program. Loading all the melody data across the Internet is a really bad idea, especially since only a fraction of the data will be used in any one session. Loading everything over a local network is only marginally better, because it still wastes a lot of time and bandwidth for no good reason.

A better way to do it would be to load the server's data once and then cache it locally, requesting only a last-modified timestamp at each sign-on. That would drastically reduce load time and bandwidth use. I'm sure my school is paying for the bandwidth their server uses; they could definitely prevent drastic cost increases.

I'm not sure how to address the latency problem, because one of the foremost principles of application security is to never trust the user. All possible processing should be done server-side to prevent tampering by the client. Yet, this is most of what's responsible for the delays. If anyone has any ideas, this is your opportunity to leave a shout out in the comments.

I sincerely hope that someone who can do something about this egregious usability problem reads this. It's really an inconvenience to have to wait five, ten, or even fifteen minutes before being able to use the program, and to have five- or ten-second delays after issuing commands. Someone please do something about this architecture!

PS: If you're interested in a fictionalized, in-universe interpretation of this problem, I wrote a companion post on another blog I write for, The Queiba Wars. I also wrote a generalized "Best Practices"-type post on this subject for CodingExperiments.com.

17Jan/08

Blogger as OpenID Provider

Hot on the heels of last month's release of OpenID commenting, Blogger is now testing support for using blog URLs as OpenID logins. Now not only can other people log in with their OpenIDs from elsewhere, but Blogger users can use their Blogger blog URLs as OpenIDs to log into other sites. I have now deleted the delegation code from my template (which has been working for a while; I just never updated my previous post), as I enabled the beta feature from Blogger in Draft. For now, it's only available from Draft, through a checkbox on the Edit Profile page (rather than in the blog control panel), but Google will probably push it through to everyone by the end of the month.

There are a couple things missing at the moment, like revoking trust from a site you choose to trust "Yes, Always", but it's nearly feature-complete. I'm switching to it. Now I probably won't care as much about Yahoo!'s upcoming OpenID support, but oh well. If Blogger's integrating it, why should I care about Yahoo!'s effort? Granted, that's a large user base they have, and it will probably lift OpenID into the public view, but for my purposes it's useless now.

26Dec/07

Google Reader Just Doesn't "Get It"

The latest post to the Official Google Reader Blog concerns the recently launched share-with-your-"friends"-automatically feature and the uproar it's caused among the users. I myself have no real reason to care, since (sadly) nobody I know uses Google Reader, but I agree wholeheartedly that Google's launch of the "feature" was, in its own way, worse than Facebook's Beacon program.

The fact that Google's system assumes that anyone you talk to in Google Talk is a friend is the first part of the brokenness. Add to that the fact that you can't turn it off and have just the feed, with nothing automatic. And add to that the completely useless solutions Google has published to work around the problem.

So, what would be the logical way to give control to the user? How about a Shared Items control icon on the Tags tab of Settings, in the same column as the public/private toggle for the other tags, that allows you to turn off the automatic subscription of your "friends"? How about, since we can hide friends from showing up in our list, a function to block certain friends from seeing your feed automatically (for more-granular, Google Talk "Block" function-like control)? How about both?

What's Google done? Neither. Nothing. They've only just now begun to admit that they might have been wrong about the feature's usefulness. It's already ruined Christmas for someone, according to Garett Rogers' post on ZDNet (there's also a great Lolcat in that post).

Before today's post, Google's responses to the problem have included things like:

December 17: "There's a "clear your shared items" link on the Settings > Friends page if you urgently need to remove the items you've shared in the past."

December 18: "We just added a new option for those of you wishing to rearrange your sharing habits in light of the new features."

December 19: "Additionally, please note that blocking a person in Google Talk doesn't remove them from your Reader friends list. They'll need to be actually deleted for this to happen."

December 21: "This should help with the issue of unrecognized nicknames."

December 21: "Let me reiterate: If you're uncomfortable sharing items, you can unshare everything in a single click."

None of the features or processes that those posts refer to actually solve the underlying problem. Why would I want to clear my shared items? Why should I even have to? Why can't Google go back and hit the Undo button? Sure, I can move things to a new tag, too, but then everyone to whom I've ever sent the Shared Items URL has to get an updated address from me to continue following the items I shared under the protection of an obviously obfuscated address.

And notice that December 19 comment, about blocking people in Google Talk. I have to delete my contacts to keep them from seeing my shared items (if I don't want them to)? Sheesh!

So, to keep this post from getting too long, let me just say that I think Google should rethink this "feature." I won't go through every possible point, but this has been, all in all, a very bad move on Google's part, and I hope that, by January 1 (or at least the first week of January), Google will have switched off the feature, and maybe provided an option to turn it on.

Of course, this might be the least of our worries if what this post at Wise Bread says is true. There are rumors that Google wants to build a "universal activity feed" that will show up in Reader and possibly other services like Gmail. If I want to broadcast things I do on the Internet, there's a wonderful little service written by former Googler Paul Buchheit to do just that (it has privacy controls and you opt-in for each service you want to broadcast). Perhaps George Orwell was right about everything (except who would be doing the watching)…

19Dec/07

Microsoft Cripples Internet Explorer

Now that I'm done catching up, I can talk about today's news.

One of Microsoft's security updates for this month has been causing problems for Internet Explorer users, of both versions (6 and 7). Users have been reporting that IE either won't start or crashes when trying to load certain sites. Microsoft is reportedly looking into the issue.

It doesn't happen on all machines. My computer's perfectly fine. Admittedly, I use Firefox for everything but my school website, but at least I don't have trouble starting the browser.

As long as Microsoft is only messing up their own browser, I'm happy. If one of their security updates destroys Firefox's functionality and leaves IE smelling like roses, though, I'll be really mad.

26Nov/07

Security Software = Security Risk?

In general, we use and trust security programs like antivirus and antispyware applications from all sorts of vendors to keep our computers safe, but could those very programs be opening us up to more holes? That's what security firm n.runs AG has been testing for the last several years, and it is the subject of a recent PC World article. It turns out that file parser bugs in many of the mainstream scanning engines are exposing users to additional risks. The problem is compounded by the fact that many users run multiple scanning programs in tandem, under the reasoning that if one engine doesn't catch something, another will.

In practice, that thinking does provide additional protection against infections from outside sources, but each engine brings its own parser holes, so running several of them may actually be more hazardous: there are simply more flaws exposed.

N.runs is developing a program to help secure other security engines, named ParsingSafe (a codename), that will help protect antivirus software against the sorts of parsing attacks the firm has seen. The website slates market introduction as fourth-quarter 2007, which is now, so I'm expecting to see more news popping up about it. Perhaps I should be glad this school computer of mine runs only one AV engine after all.

26Nov/07

Leopard Mail Another Security Risk

A Mail bug patched in Mac OS X 10.4 (Tiger) has been rediscovered in Leopard's Mail program. The bug allows malicious code to be executed when opening certain types of email attachments, and was thought to be fixed until now.

The problem arises from improper handling of additional file-handling instructions included with file types such as JPEG. Malicious code can be inserted into the information slot, and will be executed when the file is opened. Fortunately, not all file types are affected, and the researchers at Heise Security had difficulties consistently reproducing the problem.

Does this mean the end of Macs-are-better-because-they-can't-be-attacked fights?

26Nov/07

Microsoft's Security Focus on Vista May Have Lowered Consumer Adoption

An article from PC World's Business Center suggests that Microsoft's focus on security for Windows Vista, now almost a year old, may have undermined consumer opinion. Enterprises and consumers alike should not be expected to purchase an upgrade to a company's product to fix an error on the part of the manufacturer. Microsoft has been promoting the security improvements in Vista from day one, when the OS was unveiled, and that could be a factor in the slow adoption.

In fact, many people who are getting Vista do so because they have no other choice. For the most part, new PCs are sold with Vista, without an option to buy XP. The majority of Microsoft's Vista revenue is coming from the OEM (Original Equipment Manufacturer) segment, not from consumer purchases of upgrades for existing machines.

Another factor, which I believe I have spoken of before, is Vista's high system requirements. A bare minimum of 1,024 MB (1 GB) of RAM for all versions except Home Basic, and recommended memory of 2 to 4 GB, is a definite turn-off for business clients, who likely don't want to spend the money on upgrading from their current 512 MB setups (the recommended memory for XP) to support Vista. As many companies have on the order of hundreds or thousands of computers, the cost to purchase the extra RAM and the labor to install it alone might be too much, let alone the possibility that the current motherboards in use might not even support more than the current amount of RAM.

I agree that Microsoft's continued harping on security was likely a mistake, and that they should have focused on the other features Vista brings to the table. The UAC dialogs were also a huge problem, one the company is moving to fix in subsequent updates. Personally, unless all the problems and annoyances of Windows Vista go away, I'm holding out for Windows 7. My dad has an XP disc we can install on blank systems (an enterprise license), and I'll use that until Microsoft gets back on the ball.