I am an IT security consultant, author, and I love writing about passwords.
Because I have always been so fascinated with passwords, I always like to hear different tips people have for creating strong passwords. However, I have to admit that most of the tips I run across are actually kind of lame and really are not very secure. Unfortunately, some of these tips are quite popular and get passed around way too much. In fact, I rarely see any advice besides these I have listed. Read More…
What distinguishes an effective CAPTCHA from a poor CAPTCHA is the ability to make things hard on non-humans without making things hard on humans. Most of the CAPTCHAS I see out there fail in one of those two features.
But while I thought I had seen the worst CAPTCHAs ever, I stumbled across RapidShare’s new CAPTCHA. Now in the past I have actually praised their CAPTCHA because of it was so user friendly. It wasn’t case-sensitive and when there were ambiguous characters (number 0 vs letter o), it always seemed to work.
Obviously the CAPTCHA was flawed and a number of people wrote some bots and other tools to bypass it. RapidShare felt a need to tighten things up a bit so they came up with the Cat CAPTCHA:
Now it is important to note that if you are not a RapidShare member you often have to wait to be able to download a file. In this case I had to wait three minutes before I even got to the point where I could enter the CAPTCHA. Already thinking this was an annoying CAPTCHA I also grabbed a screen shot.
Now if you look closely, it says to enter all letters having the image of a cat. Looking at the image, I saw both numbers and letters so, while it made me pause and think more than most CAPTCHAs would, I figured the answer was NTPS. The caption says there are four letters, the text box limits your input to four characters, everything was all caps, and so I figured I was all set.
It turned out that NTPS wasn’t the correct answer and it put me back into the queue to wait another three minutes. After the timer finished counting down, RapidShare presented me with another CAPTCHA to solve:
This CAPTCHA was all letters and they all had little cats on them so this seemed easier, but as I started typing I remembered that the text input box only allowed four characters. So which four are the answer? I tried the first four but that didn’t work.
Thinking it might be a browser issue, I tried different browsers,but quickly discovered that after three failures it locks you out. And it doesn’t do this based on a cookie it’s based on your IP address! Being behind a NAT’d connection I guess I just locked out my entire ISP from using RapidShare.
At this point I did some searching and found out that I am just one of hundreds of people blogging about this.
It turns out that I wasn’t being too careful because what RapidShare doesn’t tell you is that some of those images on the letters are actually dogs, not cats. I must be a bot.
Looking (very) close I finally determined that the correct answer to the CAPTCHA above would have been NERW. Geez, they could at least start showing the CAPTCHA during the countdown so you can get started working on it.
This CAPTCHA fails in so many ways it is amazing:
RapidShare’s response to the issue is this:
“As every free user should have noticed, we are experimenting once again with the CAPTCHA system. The reason is that RapidShare is popular enough for people to create tools to download from RapidShare as a free user as if they were a premium user. This has a negative impact for our paying premium users, since they expect a fast download.”
In the meantime they are probably losing a lot of visitors and completely destroying the already fragile user experience with CAPTCHAs.
I just finished writing patch reports for Windows systems I must support for my clients or for my own business. After you put together all the Vistas, XP’s, 2000′s, 2003′s, SP’s, R2′s, x64′s, and IE6 and 7′s, the list of patches that need testing is quite long. And confusing.
Fortunately I don’t have to support any Itanium systems. Nor do I have to deal with XP Media Center, XP Tablet, Small Business Server, Home-editions, or non-English versions. So there are people much worse off than me. I do, however, have to deal with patching Office XP, 2003 and 2007.
And it seems that very soon we will have to address Windows 7, which could come as soon as next year, and Microsoft has extended the availability of XP home for ultra-low-cost PC’s up to June 2010 so those XP patches could still be around for quite some time.
Nevertheless, I imagine that my headache is nothing compared to what Microsoft has to deal with getting ready for Patch Tuesday. While Microsoft has made tremendous progress in patch management over the last five years, this obviously is an area with lots of room for improvement.
A couple of years ago I wrote an article at SecurityFocus.com about my security paranoia, which ended up in a lot of people thinking I went way too far and perhaps needed some mental help. In the article I wrote that instead of the word paranoia, I prefer meticulous precaution.
With astronomical growth in spyware and an increase in search engine poisoning, how is my meticulous precaution doing? Well, it’s just plain paranoia now.
So in addition to all the well-known best practices and the stuff I mentioned a couple years ago, here are some additional precautions I feel compelled to take:
1. I have an isolated virtual machine always open that I use just for e-mail and instant messaging. This machine is a member of my domain because I need to move stuff in and out of there so often, but firewall rules and other precautions limit its exposure. Plus I never browse the web from this machine.
2. I have another virtual machine always open for general web browsing and downloading. In this VM I have IE7, Firefox, Netscape, Opera, and Safari installed, as well as all the file downloaders, proxies, filters, and anything else cool I find. The browser security settings themselves are moderately secure, but relaxed enough for good web compatibility. This is where I do all my web 2.0 stuff.
3. I have another extremely isolated and extremely hardened virtual machine for more adventurous web browsing and other risky internet stuff. Just IE7 and Firefox here but lots of scanners, blockers, filters, and just about every security-related add-in I can find. I usually keep scripts, active content, and even images turned off in the browsers. Oh yeah and this vm isn’t even on my physical machine here, it’s at my data center and I connect to it via Terminal Services.
4. And of course I have a separate virtual machine on standby (suspended) for all my financial stuff. There are also a few other VM’s I keep on standby for other dedicated and potentially sensitive tasks. All these virtual machines means I need 4GB RAM and 3 monitors to get any work done.
5. Speaking of financial stuff, whenever I create a new financial account, I set up a new e-mail alias just for that account. In the case of PayPal, I created the account under that unique e-mail address but I added several other e-mail aliases that I can give out to people when they pay me so I never have to reveal my secret login address. When I get an e-mail from PayPal to any address but the secret one my Outlook rules will automatically discard it. And speaking of PayPal, I highly recommend spending five bucks to get a security key for your account.
6. I also use secret e-mail addresses for handling sensitive information. The fact that GMail keeps every e-mail forever is kind of scary, especially since it is a web-based app that could so easily fall prey to a cross-site scripting or similar attacks. This is especially a problem because so many web sites insist on sending you a plaintext e-mail with the account information you just barely set.
So I have an incoming mail filter on my GMail account that looks for words like “password” and “login information,” automatically forwards them on to another non-public e-mail address, and then deletes GMail’s archive copy. If you use Gmail, do a search for “password” and see what it comes up with. In case you were wondering, yes I do need a spreadsheet to keep track of all my e-mail accounts.
7. I frequently exit out of then re-open my web browsers, which are set to clear cache, history, and cookies upon exiting. I don’t want some cross-site scripting attack stealing any session cookies. And I never log out from a sensitive web site, I always exit the browser.
8. Occasionally I use the snapshots feature of VMWare to roll back the OS partition of my most sensitive machines. It’s my version of a Crazy Ivan.
9. And most importantly I back up frequently so I have no problem wiping a machine and starting from scratch if I suspect a malware infection or security breach.
10. Ok, well I’m withholding number 10 because I’m just too paranoid to tell you about it.
Today I was driving on the freeway and couldn’t avoid driving over a flattened cardboard box. I looked in my rearview mirror waiting for it to fly out behind me but it never did. Great, I was driving down the freeway with a box stuck to my car. Read More…
I have a problem with my two-year old: he keeps getting out of his bedroom. This morning it was 4am and he was climbing over me and my wife, patting us on our heads.
It’s not like we haven’t tried containing him. It started when he wouldn’t go down for naps. As a quick fix I just hooked a bungee cord from his door to the closet door in the hall, which really didn’t work and was probably kind of dangerous. Read More…
I thought I would write about a technology introduced in Windows Vista called Mandatory Integrity Control (MIC), which is an access control scheme that Microsoft developed partially based on previous work by others, in particular the Biba model. Read More…
This morning, after being startled by two of my sons arguing over who had the longest turn playing Guitar Hero, and still not quite ready to get out of bed, I grabbed the remote control and started up the DVR recording of the Super Bowl. As my eyes were still trying to focus, I sped forward to the first commercial break then hit play. Read More…
For those of you who have been waiting for SP1 before you move to Vista, that time has come:
Some of you who know me know I have four kids—all boys. Now when you have four brothers growing up together under the same roof there is a lot of competition. In some families this competition would be with sports or academic achievement. In my house the competition is who has the best password. Read More…
reddit.com/r/passwords Data Loss Incidents