Thursday, September 25, 2014

Null Search Term

Take a look at these Google search terms people use to locate my site.  Securitycurmudgeon.com is expected.  Traffic lights makes sense, since I had an article about hacking traffic lights.  Think outside the keyboard, getting colder.  Null, freezing cold.  People searching for null find my site?  It seems more believable that it's a Google search or Blogger bug.  Hmm, what can we do with this?

--Milton 

Forbes: People With Bad Credit Get Surveilled Cars With Remote-Kill Switches

An interesting article, "People With Bad Credit Get Surveilled Cars With Remote-Kill Switches", by Kashmir Hill of Forbes, describes new techniques creditors use to creatively secure their debt.  Technology impacts us in ways that are difficult to predict or imagine.  I would not be surprised to see a kill switch legislated into every new car someday in the future.  California has already done so with smart phones.

--Milton

Tuesday, September 23, 2014

Securitycurmudgeon.com: Two years and One-Hundred Posts Later

I have been blogging for about two years now and have written one hundred published posts on all manner of security and privacy subjects.  In fact, this is post one hundred.  I enjoy writing on the side, so I took up blogging mostly as an experiment.  If you're interested to learn more about my experiences security blogging, please read on.

Following are some of my top articles over the last two years, some figures related to readership, and some lessons learned along the way you may find useful for your own blogging.  Feel free to send me any of your lessons learned or ideas for improvement.  Any lessons I don't have to learn painfully on my own are welcome, I'm serious.

Top 5 Pageviews

Following are the top blog articles with the highest number of pageviews and a small synopsis for those interested.

1) Tracking Aircraft on Raspberry PI
Hardware and software project combining a Raspberry Pi micro-controller, an RTL software defined radio, and the dump1090 software into an ADS-B commercial aircraft receiver

2) So You Want to be a Security Professional?
Information about the security profession for those exploring a new career in security.  Various roles in security and challenges common throughout the profession are covered

3) The Most Difficult Thing About Raspberry Pi
My experience building a Raspberry Pi micro-controller with 2.8" TFT

4) Measuring Internet Connection Throughput
Java program to measure Internet connection bandwidth over time

5) Google Hacking -- Blast from the Past
Use of advanced Google commands to find information of interest.  Has helpful implications for day-to-day searching, but I also provide some thoughts and examples of what Internet adversaries can do.
Chart: securitycurmudgeon.com pageviews per month

Monthly Pageviews

The chart (on left) shows the pageviews since July 2010.  I think the chart is not entirely accurate for a few reasons: 1) I didn't start blogging about security until a couple of years ago, 2) I moved the site to Wordpress for a short period (gap in coverage), 3) pageviews in the last 30 days top almost 6000.  Still, it's useful to get some idea of the overall trend.


Lessons Learned

There are many lessons learned about building and operating a web site, and I will share some of them.

Link Allergies
Readers don't like to navigate too deeply for content.  The lesson learned: if you want readers to see something, then place all the content on a single page.  Pageviews drop precipitously with each degree of separation from the primary post.

Cross-Referencing Related Content
Often readers may not know about other related content.  Including a link or two to other related articles or follow-ups is sometimes helpful to readers.  Everything must be considered from the reader's perspective.

Small Posts Published Regularly
Most people prefer small regular posts as opposed to massive multi-page articles.  It makes sense given the amount of competition for reader attention.  Sometimes a post of only a few sentences at the right moment in time can have tremendous positive impact.

More Posts = More Views = More Readers
You may think that readers read only the new content but you would be surprised.  Readers also read older content.  With search engines, readers can land on any of your posts and often do.  Each post developed is one more reason readers have to visit your site.  Consider each post an asset with a long shelf life.

Do Something
Personal opinion is great, but reader attention is a precious commodity.  Readers like news, technical articles, and projects that have practical value or are at least interesting to them.  Some amount of personal opinion provides style for your site, but too much is perceived as fluffy, not useful, and perhaps even a waste of reader time.

SEO & Promotion
Promotion sucks, but it's unfortunately absolutely essential.  Without some promotion even the best articles in the world will go completely unnoticed.  Promotion is a messy business, especially self-promotion, since it's a complete turn-off to readers.  Expanding your reach by providing presentations, articles, and books is an investment, since content may be long lasting and boost pageviews to your blog.  You need to be concerned with SEO or the search engines will forget about your site.  Yoast makes an SEO plugin for Wordpress, but they also provide some information about SEO in general.  It's worth educating yourself.

If you have a passion for security and like to write, then blogging is a powerful tool.  If you're mostly interested in fame and fortune and driving ad revenue to pay your bills, you will need to choose a subject with broader appeal, or at least it would be a safer bet to do so.

At almost 6000 pageviews per month and growing, securitycurmudgeon.com is far better than I ever expected for a defensive blog on application security.  Outside of the world's largest security conferences like RSA, Blackhat, DEFCON, Gartner, etc., many security conferences have fewer than 2000 attendees and many even less than that.  I try to imagine everyone at a conference like that reading this blog, phew, crazy.  Of course, pageviews is not the same thing as number of readers.  Some readers read more than a single page, so 6000 pageviews is definitely fewer readers.  Still, even if the number of monthly readers is half the number of pageviews, it's far more readers than I ever thought would be interested in security and privacy.

The only reason I care about pageviews is that it's a rough gauge of reader interest in securitycurmudgeon.com.  It's every writer's desire to craft content readers find interesting and relevant.  Security and privacy is a passion of mine, and likely yours if you're reading.  Thanks for following along over the years, and I look forward to continuing for many more.  It's been a pleasure to write for you, sincerely!

--Milton

OWASP AppSec 2014 USA in the Rear View Mirror

This year's OWASP AppSec 2014 USA was held in Denver, Colorado.  The downtown Denver metro was a great location.  Plenty of stores, restaurants, and great evening walks for the adventurous.

In one of the conference sessions, Static Analysis for Dynamic Assessments, presented by Greg Patton with HP Fortify, he describes a new process for reviewing dynamic web app data with static analysis tools.  Patton developed a security tool, RIPSA, which he uses for downloading dynamic web site content.  Tools like SiteSucker have been around for a while, but they are of limited usefulness when working with dynamic content.  RIPSA bridges the gap and allows downloading dynamic content to a local working directory.  Once the dynamic content is downloaded, traditional static analysis tools may be leveraged.

Patton mentions the top vulnerability they usually find with the approach is DOM based XSS.  I don't think the RIPSA tool is necessarily too special, but the idea of using static analysis on dynamic content is impressive and opens up a completely new way to use static analysis tools.  Apologies in advance, I don't have a RIPSA link.  I contacted Patton, but he did not respond in time for this post.  Patton's approach is creative, rock on!

Another session, Reverse Engineering a Web App, described the process of reverse engineering web applications and perimeter WAF detection techniques.  The session was more or less what I would expect, except a tool was presented that was new to me, OSSEC.  OSSEC is an open source host IDS.  If you are in need, you may wish to investigate.  I always like new tools.

Photo: Skycure threats for San Jose, CA
At the event, Skycure provided an innovative product demonstration.  The following photo shows a real-time display of threats from their web site.  There is also a companion application that runs on the mobile device and likely uploads intelligence data to their central service.  Skycure describes the overall advantages for customers broadly as: seamless, cross-platform, built for enterprise, visibility, device protection, and crowd wisdom.  The web site is a little short on technical detail, so it's not clear exactly which threats are included in the analysis or mitigated, but I'm assuming rogue APs at a minimum.

Photo: Iron-Clad Java book
Signing my first copy of Iron-Clad Java at the conference was a reality moment for me.  The only time my autograph was previously requested was when signing Visa receipts at the cash register.  At the conference we discussed and agreed to start another book project.  The new Iron-Clad book project team is Jim Manico (Twitter: @manicode), August Detlefsen (Twitter: @codemagi), Eoin Keary (Twitter: @EoinKeary), and myself.

We all enjoyed working together on the last project and thought Eoin would make an interesting addition to the team.  No idea about publisher or content yet; we're still working out the details.  More on that later.

Now that AppSec USA is past it's back to JavaOne.  JavaOne starts next week.

--Milton

Monday, September 22, 2014

The New York Times: Ex-Employees Say Home Depot Left Data Vulnerable

In my post, The Home Depot Letter of Shame, I mentioned the "I told you so's" we would hear from former employees.  It's unusual for me to receive such instant gratification after I post an article, but nevertheless following is a report from The New York Times, Ex-Employees Say Home Depot Left Data Vulnerable.
"But despite alarms as far back as 2008, Home Depot was slow to raise its defenses, according to former employees."
Apparently Home Depot ex-employees had a wealth of information,
"Some members of its [The Home Depot] security team left as managers dismissed their concerns. Others wondered how Home Depot met industry standards for protecting customer data. One went so far as to warn friends to use cash, rather than credit cards, at the company’s stores."
Ignored warnings from security staff were also noted in the Target incident.  Target ex-security staff warned management long in advance, but management refused to acknowledge their concerns.  In both of these cases, the companies had advance knowledge that security weaknesses existed, willfully refused to improve, and even ousted outspoken security staffers, to the peril of cardholders.

--Milton

The Home Depot Letter of Shame

The letter sent by The Home Depot to customers (on left, click to enlarge) about their recent security incident.  I can only think of 56 million reasons why this letter is unacceptable.  Offering free identity services is helpful, but it's entirely irrelevant to the top concern - poor security.  A more satisfying plan would be additional transparency around security efforts, communication of an improvement plan, and regular public reports of progress against the plan.  In testimony to Congress, Target provided several assurances, and the first item on the list:

"First, we are undertaking an end-to-end review of our entire network and will make security enhancements, as appropriate."  [Target to Congress]

The Home Depot seems to be following Target's game plan.  However, due to the lack of transparency at The Home Depot, it's not clear that the actions taken address the security concerns.  Perhaps as the investigation progresses more communications are forthcoming.

I'm seeing a trend: a public weary of excuses around poor security and lackluster responses.  If this incident takes a similar trajectory to the Target incident, I would not be surprised to see some executive turnover, finger pointing, and "I told you so's" from ex-security staffers in the coming months.  Given the magnitude of this incident, we may even see renewed enthusiasm from Congress on security.

--Milton

Tuesday, September 16, 2014

Password Managers Gain Traction on iTunes

1Password from AgileBits is climbing the charts in the iTunes store.  It's awesome to see the public gives a damn about keeping their passwords safe and is hauling out their wallets to do it.  1Password, a security app, beat out Photoshop, redonkulous!

Incidentally, a password manager keeps your passwords in an encrypted database accessible only to you.  Historically, people keep passwords under keyboards, written in notebooks, on sticky notes, or in Excel spreadsheets.  This is not secure at all.  Most people have several passwords to remember.  If you're in the technology business like me, you may have hundreds of passwords to remember.  Keeping them secure and easily accessible is where password managers are helpful.  Other password manager options are available, like Robo Form, LastPass, KeePass, and Password Safe.  A few of them are free if you're on a budget.

I use 1Password on OS X and Windows and love it.  I have both Windows and OS X computers, so it's handy for me.  I store my password database on Google Drive so I have access to my passwords from any computer.  If my computer crashes, all data is backed up by Google and I never lose access.

A final note: no program is perfect, and password managers are no exception.  Sometimes auto-completes for web page credentials do not work as expected.  There have also been some security issues from time to time.  Overall these guys are serious about security, it's their business and livelihood, and password managers are very useful tools.

--Milton


Monday, September 15, 2014

Power-Leveling Your Computer Security Career


You did the impossible and landed a job in the high tech world of computer security.  Now you have a few years in the security profession, and some days security is like mission impossible.  Leadership is cutting the security budget, engineering has little regard for security, compliance always takes top priority, engineers endlessly debate whether a bug is a security concern, and even when they agree security bugs are a concern they are placed at the bottom of the pile.  Is anyone listening to you?  Does this sound like you?  Wondering how to show some success and take your career to the next level?  If you're just getting started in security, then I recommend a previous post, "So You Want to be a Security Professional?"

First things first: take a deep breath, now let it out, and congratulate yourself - you're a security professional.  Computer security is a really tough job, and it does not take a computer security professional to figure that out.  There's hardly a week that passes without a new security headline in the popular media.  Somewhere in the middle of all this conflict is you - trying to get some work done.  I will share a few observations along the way you may find helpful in your career.

Be positive
This point is somewhat a generalization of all the following points, but I don't want this important message to get muddled - be positive.  Unless you're selling security products, security is a business where bad news abounds.  A challenge with communicating negative news is that most people have a very limited attention span for bad news.  Once you cross the limit, they disengage.  If news is frequently negative and delivered with copious emotion, people have a natural defense mechanism to marginalize the concerns.  We all do this.  The point is, don't alienate yourself, since it does not help your mission.  Fear is a motivator, but fear mongering will get you ignored.

Don't be overbearing
Often new security professionals quickly learn the true state of security, and when they do it terrifies them.  The problem is that while your security concerns for the company may be justified, if you come across as continuously overbearing, people will avoid you.  If you're continually communicating your requests by sending down lightning bolts from Mount Olympus, sooner or later people stop paying attention.  This takes us to the next point.

Let your words matter
When you communicate, don't communicate too many issues at once; be brief and tightly focused.  This is especially important if you communicate up the ranks to superiors.  It's likely your superiors receive many more emails than you, so control your communications.  Don't include any information that does not support your points.  Don't include individuals in your email distribution that are unnecessary or not supportive of your topic.  Big distributions generate more opportunity for distraction and further communications that may take many follow-up emails to resolve.  Extraneous communication is exhausting for you and a poor use of time for others.  Consider alternative ways to communicate if they are faster and generate fewer questions: a quick phone conversation, 15 min or 1/2 hr face to face.  Unless you're communicating with colleagues of many years, don't include emotion, humor, or irony in your communications, since it's easily misinterpreted by others.  When you tightly manage your communications, communicate only your top priorities, and wordsmith every word, people will start paying attention to what you say.

Be accurate
Often people conflate facts, hearsay, and emotion when they communicate.  Part of making your words matter is that when you communicate you're always right.  If you make a statement, try to include facts so your managers understand your thought process.  Help them arrive at your same conclusions.  Interestingly, if you are wrong, others will usually share why and you will learn.  There's more room for unsubstantiated personal opinion as you build your expertise, but until the day you become the expert, quoting them occasionally will not hurt your cause.

Be a good listener
When you're contributing in a group discussion, meeting individually, or reviewing email, pay attention to every word communicated.  Then think about the information not being communicated to you.  What's missing?  How is the information being communicated to you?  Is the discussion evoking some passion?  You can learn much about how people feel on a topic or what they know simply by being a good listener.  Don't be the one in the room who is thinking of the next thing they are going to say or add to the conversation.  Instead, give the speaker your full attention.  Similarly, if you're reviewing technical documents for security approval, think about the design being presented and also what may be missing.  It's often the information that is missing, purposely suppressed, or refactored into something more pleasing that is most pertinent.

Know your place within the organization ecosystem
Your job in computer security is to defend the business as a trusted business partner.  The goal is not necessarily to reduce risk to zero.  Understand your threat landscape.  Any unreviewed areas of software code and supporting infrastructure are a huge risk, since they have not been properly quantified.  Use some creative thinking; there are often ways to mitigate risk, or perhaps accept the risk for a short time while more systemic remediation is applied.  Do some horse trading with IT staff.  If you have "No Powers" or veto authority, use them very sparingly.  Keep in mind, if you use your veto authority, be prepared to defend yourself to top leadership.  They will think creatively, so it's better if you explore all the options prior to any escalations.  If you think security's only job is to point out all the flaws in the datacenter and applications, then you have a lot to learn.  Own and assume some of the risk, help others make the best decisions for the business, and you will earn respect.  Be a problem solver, not the problem.

Education and self-improvement
Education is somewhat like financial credit.  You can't get credit unless you have a credit history, but how do you get started?  Likewise, business requires employees skilled in technology areas that are applicable to the business, but seldom do businesses allocate regularly scheduled technical training sessions.  Companies are trying to save money everywhere, and education is no exception.  Conference budgets, book budgets, and in-house classes are greatly curtailed, and sometimes none are available at all.  Often employees in the trenches, who need training most, don't receive it.

Some of my best training comes from "brown bag" lunch sessions, where employees bring a lunch, set up a projector in a conference room, and watch some training videos while everyone eats.  Most of us eat every day, so you would be surprised how much you can learn after a few months.  I learned the basics of Java programming at brown bag lunches years ago.  My advice is to take some responsibility for training on your own.  Dedicate at least some time each week to education and self-improvement.  It's in your best interest to invest in yourself.

Job commitment
If you want to be a 9am to 5pm worker there's a place for you, but it's not at the top.  The higher you climb up the corporate ladder, the more dedicated you must become.  Life at the top comes with privileges, but you might not like what you need to do to earn those privileges.  In my experience, top leaders are very dedicated and work many hours.  This is especially true for people and projects that require management across global boundaries.  If you see your manager skipping out of the office early at 3pm on a Friday, make sure you pay attention to the after hours meetings with overseas teams, midnight calls when production servers crash, emergency off hours budget approvals to get critical business accomplished, and your last-minute vacation requests.  If you want to be in your manager's position, make sure you consider all the duties of the role, not only the perks, before you make a choice or criticize.  Being honest with yourself and understanding what is important to you will keep you happy on the job and a pleasure for everyone else to work with.

Separate success of security from your personal success
I know it seems like an oxymoron, but let me explain: security is like medicine, and your role in security is much like a doctor's.  Many people smoke and lead unhealthy lifestyles.  When the doctor meets these individuals, they treat their conditions and encourage good health.  A condition is not always curable, but doctors often make life more comfortable.  The doctor never shoots the patient dead because the patient is too sick.  The doctor always does their best, with a professional attitude, and encourages the patient.  Doctors make good role models for security professionals.  People will not remember your personal challenges or how demanding they were on you.  They will remember how you treated them and addressed their concerns.  Don't let your passion for security or doing things correctly jeopardize how people feel about you.  Sometimes in security there are forces in an organization that are beyond your ability to influence to a successful outcome.  Do your best, and if you fail, do what doctors do: move on and save another patient, since there are many.

To say security is challenging is an understatement.  It's a profession rife with conflict and challenges.  Moving beyond the security professionals in the crowd requires tools to communicate with top leaders.  Top leaders are creative problem solvers, accept responsibility, know when and where to speak and to whom, choose their words carefully, stay on top of the news and educate themselves, are committed, and get results.  You will need to become more like your managers to enter into their ranks.

Changing the environment around you is tough, but you always have the power to change yourself.  I admit it's not easy to change yourself, but to the measure you do, you will become more respected and well liked, and win more supporters, which will only help you.

--Milton


Friday, September 12, 2014

The Most Epic Nerf War in History!



This is the most epic nerf war ever.  If you think your battle is better, well, I'd like to see it.

--Milton

Heads-Up Display for Raspberry Pi


Simon Ritter from the Java team at Oracle creates a heads-up display with #RaspPi and #JavaFX.

See more of Simon's Pi throwing mojo on his blog.

--Milton

Thursday, September 11, 2014

Norse - IPViking Live

If you had any question about the importance of security and privacy, the Norse - IPViking Live threat intelligence map will enlighten you.  Norse shows attacks occurring across the globe.  The map is light on detail, but it does well to communicate the constant assault against our information systems.  Looks like the War Games movie in the 80's had it right, except the payloads were wrong: malware instead of nuclear.  Click the photo to enlarge.

--Milton

Wednesday, September 10, 2014

Security at JavaOne


I wanted to gather a quick post for those attending Oracle's JavaOne 2014 conference with interests in Java platform security.  If you're not aware, I lead the security track at JavaOne, and I'm also presenting two security sessions.

If you're interested in Java security and attending, you may wish to drop in and listen, or if you can't make it to JavaOne, it's likely the media will be posted after the conference like in previous years.  Following are my conference sessions you can attend or watch later.

CON1692 - Securing Java: Track Opening Presentation
As I mentioned, I host the Java security track for Oracle at the JavaOne conference.  The track opening is special, since I cover highlights around platform security improvements and remediation throughout the year.  I also review all the session security content and provide an overview of the sessions I think attendees will find most interesting.  If you're interested in highlights around platform security, then you will find this session a good way to begin your week.

CON5948 - Security and the Internet of Things: Preparing for the Internet of Stings
In addition to my security role around the platform, I have also been assisting with Oracle's Internet of Things (IoT) efforts.  In this session, I will discuss some of the broader areas of IoT security and threats, along with some thoughts on meeting these challenges.  If you're interested in IoT security, then this is the session for you.

Enough about me, I'm always interested to listen and learn what others are doing in security, or if I can possibly help.  If you're attending and want to meet up, send me a DM (Twitter: @spoofzu) or grab my email from the web site.  See you at JavaOne.

--Milton

Tuesday, September 9, 2014

ABC: (VIDEOS) Apple Introduces iPhone 6, iPhone 6 Plus, and Apple Watch

ABC provides video coverage of Apple introducing iPhone 6 and iPhone 6 Plus abcn.ws/1pMtJ8G and Apple Watch abcn.ws/1nJzyUS #apple

--Milton

Thursday, September 4, 2014

Aircraft Route Mapping on Raspberry Pi

This is a quick update to my "Tracking Aircraft on Raspberry PI" post.  The photo (click to enlarge) shows aircraft flying in my vicinity at the time of the screen shot.  Not much within radio range at the moment, but I can have as many as 10 aircraft depending upon the time of day.  The aircraft route mapping web server is a feature of the dump1090 program running on the Raspberry Pi and described in the original article.

+1 to Shockwave8A on Reddit for aircraft telemetry background like TIS-B for secondary radar information and FIS-B for weather, text-based information from METAR and TAF, as well as airspace restrictions.  It appears there are many more signals to be plumbed beyond those that dump1090 supports.  This still seems an area highly ripe for exploration.  Btw, if you want to see some bad ass signals intelligence mojo, check out Oona's absorptions web site.  The helicopter post is my favorite.

--Milton

Qualys SSL Labs - SSL Report

In my HTTPS/TLS quest, I noticed when I ran the Qualys SSL Labs SSL Report I received an A Overall Rating for my Blogger site running TLS under CloudFlare.  The report is very comprehensive, but the results are misleading if you're not paying careful attention.

You might believe if you receive an A grade your server is secure - which is not the case.  Note carefully the report indicates it's an "SSL Report".  The report applies to the transport encryption on the target site.  The overall grade has little to do with overall site security posture.  An Overall Rating only means your encryption is strong, your servers are patched, and the web server is properly configured for TLS.  In my case, unencrypted content was being sent alongside encrypted secure content.  So while the secure content is strong and worthy of an Overall Rating of A, the insecure content opens up all sorts of security holes on the site.  This is still a favorite tool of mine, but the rating only applies to encrypted transport, not the overall security posture of the server.

--Milton

CloudFlare is a Blogger HTTPS Bust

My quest for TLS on Blogger continues.  CloudFlare indicates their product supports HTTPS with Blogger.  Yes, it does support Blogger, but not out of the box and not completely securely.  If you desire a secure solution with HTTPS/TLS, you will need a solution other than the ProPlan.  It's not even clear to me their other solutions would work either.  For those interested in the details, read on.
Photo 1: CloudFlare page rules
CloudFlare setup for HTTPS was easy enough.  After making a few DNS changes the night before, hold my breath, I created a couple of easy page rules to switch over to HTTPS.  Page rules are used to identify which areas of your site are applicable to, or within scope of, a particular CloudFlare feature like redirects.  CloudFlare does not provide support for regular expressions, but they do provide basic wildcard asterisk (*) support, photo 1.  After I entered the rules shown, most of my site was using HTTPS.  Shortly after I applied the new rules, I received some mixed content warnings from readers.

Photo 2: OWASP Zap Proxy
To identify the mixed content, I used OWASP ZAP Proxy to review the content being loaded.  ZAP Proxy is an OWASP tool that runs on your desktop to monitor HTTP(S) network traffic between your web browser and the web servers.  ZAP allows you to view HTTP requests and responses, and edit them if you wish.  Note the results from my ZAP run in photo 2.  Shown are several unprotected blogspot.com and blogblog.com URLs.  These are URLs loaded by Blogger and not being rewritten by CloudFlare.  Nothing is broken yet, since the Blogger URLs don't fit my page rule spec.

You might think that to fix this you could add a page rule to those in photo 1 like http://*.blogspot.com, but you would be wrong.  Any combination of wildcards with the asterisk up front ends in disappointment.  Contrary to the instructions, leading wildcards are not supported in ProPlan at all.  To work around this I created a test rule like http://1.bp.blogspot.com/.  This page rule did not work either.  When the rule is entered, CloudFlare produces a warning to indicate rules must apply to your site, securitycurmudgeon.com in my case.  At this point I contacted the company, who returned a prompt response.  CloudFlare's advice was not very helpful, since Blogger site admins like me don't have the level of control over their site URLs required to fix this.

Unfortunately, mixed content security is even more dangerous than no security at all, since it sets a false expectation of security.  If someone else has an idea, please ping me, but I don't think this is an easy fix for me.  I need to figure out something else.  I'm tempted to run my own server, but that comes with some IT headaches of its own.  Back to the drawing board.
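The check done by hand with ZAP above, and the unencrypted content the SSL Labs grade in the earlier post does not cover, as an added Python example that is not part of the original post and is not a CloudFlare or ZAP tool: given an HTTPS page URL and its HTML body, it lists every subresource still fetched over plain http://, separating active mixed content (scripts, stylesheets, frames, which browsers block) from passive mixed content (images and media, which browsers load with a warning).  The sample page body and the paths under blogblog.com and blogspot.com are constructed for the example.

```python
"""Mixed-content finder: http:// subresources referenced by an https:// page.

Added example, not code from the original post. Standard library only.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresources browsers treat as "active" mixed content (blocked outright)
# versus "passive" mixed content (loaded, but with a warning). Keyed by tag
# name; the value is the attribute carrying the URL.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE_TAGS = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    """Collects (severity, tag, absolute_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            # Only stylesheets are fetched as a subresource; other rel values
            # (canonical, alternate, ...) are not loaded by the page.
            if "stylesheet" in (a.get("rel") or "").lower():
                self._check("active", tag, a.get("href"))
        elif tag in ACTIVE_TAGS:
            self._check("active", tag, a.get(ACTIVE_TAGS[tag]))
        elif tag in PASSIVE_TAGS:
            self._check("passive", tag, a.get(PASSIVE_TAGS[tag]))

    def _check(self, severity, tag, url):
        if not url:
            return
        # urljoin resolves relative paths and protocol-relative "//host/x"
        # URLs against the page URL, so those inherit https and are not flagged.
        absolute = urljoin(self.page_url, url)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((severity, tag, absolute))


def find_mixed_content(page_url, html):
    """Return [(severity, tag, url), ...] in document order.

    Mixed content only exists on an HTTPS page, so a plain-http page_url
    yields an empty list rather than a false report.
    """
    if urlsplit(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


def summarize(findings):
    """Count findings by severity; any 'active' finding means broken or blocked content."""
    counts = {"active": 0, "passive": 0}
    for severity, _tag, _url in findings:
        counts[severity] += 1
    return counts


# Constructed page body resembling what ZAP showed: Blogger template assets
# under blogblog.com / blogspot.com, some still on plain http. The paths are
# made up for this example.
SAMPLE_PAGE_URL = "https://securitycurmudgeon.com/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://www.blogblog.com/example/theme.css">
<script src="//www.blogblog.com/example/widgets.js"></script>
<script src="https://www.blogspot.com/example/app.js"></script>
<link rel="canonical" href="http://securitycurmudgeon.com/">
</head><body>
<img src="http://1.bp.blogspot.com/example/photo.png">
<img src="/images/local.png">
<a href="http://example.com/">an ordinary link is not a subresource</a>
</body></html>
"""

if __name__ == "__main__":
    results = find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for severity, tag, url in results:
        print(f"{severity:7} <{tag}> {url}")
    print(summarize(results))
```

Point it at a page body saved from the proxy to get the same list ZAP shows, with the active entries being the ones a browser will refuse to load.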

--Milton


Securitycurmudgeon.com Moving to HTTPS/TLS

A short administrative message about this site, only for those interested.  Over the years readership of Securitycurmudgeon.com has grown significantly.  I have been particularly concerned about the lack of transport security (e.g., HTTPS) available on Blogger, keeping readers' computers secure, as well as ensuring the content I develop is the content delivered to readers' desktops.  I decided to give CloudFlare a try.

With CloudFlare the browser session is protected via HTTPS/TLS between the user's web browser and the CloudFlare cloud service.  The connection is unencrypted between CloudFlare and the Blogger web servers.  CloudFlare calls this their Flexible SSL encryption option, which is really TLS.  Of course, the best solution is to have the entire transport path encrypted, but it's not possible at this time.  TLS to users' desktops mitigates most Man in the Middle security concerns from most attackers.  The solution does not defend against attacks on Internet infrastructure, like intrusion from Internet service providers and governments.  Still, some security is always better than no security.

Perhaps with Google's emphasis on HTTPS, and increased priority on HTTPS sites with their search engine, they will someday consider moving Blogger to HTTPS.  Also, I'm not trying to disparage Google for lack of HTTPS support on their free service.  I'm interested in mitigating my security concerns.  With the low monthly price of CloudFlare I decided to give it a try.  If something is broken or not working as expected, I have information on my About page on how you can reach me.  This is a work in progress.  If anyone has any tips on CloudFlare or otherwise, feel free to send them along.

--Milton

Wednesday, September 3, 2014

Java Code for SSL/TLS Introspection Project On GitHub

Checked the Java code for the SSL/TLS project into GitHub.  I worked on much of this after hours, so I have little in the way of documentation or even fault tolerance.  Still, if you would like to play with the code or improve it, it's available on GitHub.  Warning: thar be dragons.

Sample reports and how the program works are available in the original blog post.

--Milton

Tuesday, September 2, 2014

Rube Goldberg Password Policy

Password must not be a word found within any dictionary throughout the world
Password must not be the name of any famous sports athlete
Password must not match the name family members or pets
Password must not be longer than the sum of digits for current calendar year plus 10
Password must not contain any number evenly divisible by 2 or 4 or Mersenne prime number
Password must contain at least 2 alphabetic character(s)
Password must contain at least 1 lowercase letter(s)
Password must contain at least 1 numeric character(s)
Password must contain at least 1 uppercase letter(s)
Password must not match or contain your user ID
Password must not be the name of any known Marvel super-hero
Password must not match any words considered profane
Password must not be one of 1000 previous passwords used on any other Internet site
Password must not be the name of a human body part

The password length from the sum of digits in the current calendar year was too small, so I added 10 (thanks to @DonaldOJDK).  Other than this, it's a password policy that would make Rube Goldberg proud.

--Milton
