a companion discussion area for blog.codinghorror.com

There is no longer any such thing as Computer Security


#21

Personally I would like to see URL shorteners like bitly and goo.gl outlawed. And notice that this phishing attack used one. I tell everyone not to click on a URL in an email but to go to the website directly and navigate within the website to get what you need.

Almost as bad is the “safelinks protection” that outlook.com is now using on links. The links are rewritten to go through a web service to check against a blacklist. It makes the URL almost impossible to read.
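Outlook Safe Links carries the original destination in the `url=` query parameter of the wrapper, so a reader (or a mail-filtering script) can recover the link that was actually sent and look at the host that matters. The following is an added example, not code from the comment or from Microsoft; the shortener host list is a constructed, non-exhaustive assumption, and the sample links are made up for the demonstration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed, non-exhaustive list of shortener hosts (assumption).
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "goo.gl", "t.co", "a.co", "tinyurl.com"}

SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"

# Constructed sample: a Safe Links wrapper around a shortened link.
SAMPLE_WRAPPED = (
    "https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbit.ly%2F2abcXYZ"
    "&data=02%7C01%7C&sdata=AAAA&reserved=0"
)


def unwrap_safelink(url: str) -> str:
    """Return the original URL carried inside an Outlook Safe Links wrapper.

    The wrapper looks like https://<region>.safelinks.protection.outlook.com/?url=<encoded>&...
    parse_qs percent-decodes the 'url' value exactly once, so the result must not be
    decoded again or a legitimate '%2F' inside the inner URL would be mangled.
    Anything that is not a Safe Links wrapper is returned unchanged.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host.endswith(SAFELINKS_SUFFIX):
        return url
    inner = parse_qs(parsed.query).get("url")
    return inner[0] if inner else url


def describe_link(url: str) -> dict:
    """Unwrap a link and report the host a reader should actually judge."""
    target = unwrap_safelink(url)
    target_parts = urlparse(target)
    host = (target_parts.hostname or "").lower()
    return {
        "wrapped": target != url,          # was a Safe Links wrapper removed?
        "target": target,                  # the URL the sender really put in the mail
        "host": host,                      # the name to compare against the expected site
        "shortener": host in SHORTENER_HOSTS,  # a shortener hides the final destination
        "https": target_parts.scheme == "https",
    }


if __name__ == "__main__":
    print(describe_link(SAMPLE_WRAPPED))
```

A shortened target still needs to be resolved (a HEAD request without following redirects shows the next hop) before it can be judged, which the offline example deliberately does not do.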


#22

I thought about that, and I bet it was a careless re-edit. He may have written “this is not a legitimate email”, then gone back over it and thought he’d better make it clearer and say “is an illegitimate”. But he deleted the “not” and forgot to update to “illegitimate.” I’ve ended up with tweets that mean the exact opposite of what I meant because of that.

However, when it’s something that important, you should not rely on single-factor reading comprehension either. When I have something that important to communicate, I lead with something like “DO NOT OPEN THIS” and then explain. I’ve found you can’t expect busy clients to read every email thoroughly or parse for apparent contradictions, so the important message should be front-loaded, bold/italic, or called out as a bullet point. Sentences in paragraph form are rarely read closely.


#23

We need to change how TLS certs are verified. Currently there’s no way to say “is the CA signing cert valid for this domain”, nor is there a way to say “is the CA valid for this company, and not misleading as to which company”. The former could be done with DNS; the latter, I’m not sure how it could be done, and even if it could, I’m not sure how to make it relevant to the everyday user without destroying the freedom of the internet. OpenDNS did, and does, have a good idea of allowing DNS filtering and categorization. I have no idea how we could say this URL looks like who it claims to be. Of course companies like Facebook aren’t helping by using a different root domain to send email… I also got an email from Amazon? yesterday that looked like a phishing email… using a.co links, but when I looked at the headers everything checked out to be from Amazon. So yeah… as long as companies are using phishy-looking emails for real… this is an impossible problem.


#24

Oddly enough, LastPass and other website-specific password managers have this same benefit, since they will only autofill on the real domain… of course then there’s the screwy number of websites that have weird valid alt domains, like my insurance provider… making this not work for those sites.
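The protective property described above comes from the manager comparing the saved origin with the page it is on, so a lookalike host never matches, and the alt-domain problem is handled by an explicit, user-approved equivalence list rather than by loosening the comparison. The following is an added example of that matching logic, not code from the comment or from LastPass or any other product; the vault contents, the domain names and the equivalence group are all constructed assumptions, and the registrable-domain helper is a simplification (a real manager consults the Public Suffix List).

```python
from urllib.parse import urlparse

# Constructed vault keyed by the registrable domain the credential was saved on.
VAULT = {
    "example-bank.com": {"username": "alice", "password": "correct horse battery staple"},
}

# Sites that legitimately log you in on several domains get an explicit, user-approved
# equivalence group (hypothetical names). This is the only way an alt domain gets filled.
EQUIVALENT_DOMAINS = [
    {"example-bank.com", "examplebank-secure.net"},
]


def registrable_domain(hostname: str) -> str:
    """Last two labels of the host, e.g. login.example-bank.com -> example-bank.com.

    Simplification (assumption): a real implementation uses the Public Suffix List so
    that something like bank.co.uk is not collapsed to co.uk.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def credentials_for(page_url: str):
    """Return the stored credential for page_url, or None when it must not be filled.

    The comparison is exact, so 'example-bank.com.evil-login.net', 'examp1e-bank.com'
    and punycode lookalikes never match the saved domain.
    """
    parsed = urlparse(page_url)
    if parsed.scheme != "https":
        return None  # never hand a password to a plaintext page
    domain = registrable_domain(parsed.hostname or "")
    candidates = {domain}
    for group in EQUIVALENT_DOMAINS:
        if domain in group:
            candidates |= group
    for candidate in candidates:
        if candidate in VAULT:
            return VAULT[candidate]
    return None


if __name__ == "__main__":
    for url in (
        "https://login.example-bank.com/signin",
        "https://example-bank.com.evil-login.net/signin",
        "https://examp1e-bank.com/signin",
        "https://examplebank-secure.net/claims",
        "http://example-bank.com/signin",
    ):
        print(url, "->", "fill" if credentials_for(url) else "refuse")
```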


#25

This particular piece smells to me like a bit of paranoia. First of all, if you think that some of those third-party fingers have deliberately sabotaged your device in order to do illegal things to you, then you no longer live in that sane world you mentioned before. They might do greedy things to you (like adverts everywhere and pushing their own software and stuff), but not illegal. They’re not your adversaries, they’re annoyances.

It could be that they have made the phone insecure by accident/stupidity, but AFAIK that happens pretty rarely. In addition, there are zillions of different android phones, each with different system images and drivers. Even if there is a vulnerability in one of them, it still covers far too few people for any mass-market hacker to bother making an exploit for that. If you’re afraid of this, then maybe just stay away from the most popular makers - Samsung and Apple. The rest are just too varied to be worthwhile.

The same applies to hardware hacks that require physical access to your device (like compromised public chargers in the airport and the like). Perhaps someone might bother doing this for an iPhone (since it’s one of the most common phones out there), but most Android brands should be safe simply because any such hack would not generate enough returns.

Now, if you’re worried that someone might be targeting you specifically, then we’re talking a whole different level of paranoia. But 99% of people should not have to think about that.


#26

Yeah, agreed. I do exactly the same. TLDR; followed by the details.


#27

I like almost everything about this post, except the line:

You either have it, or you don’t.

This plays into the idea of “100% secure” sites, which always makes me laugh.


#28

Right but just a password alone is clearly insufficient. That’s my point when I say “you either have [security], or you don’t”. If you are currently using more than a password alone to log in (as long as SMS isn’t allowed), you’re probably difficult enough to attack for now.


#29

I wonder how Chrome’s built-in password manager is rated?


#30

Wait, why would John need to change his password if the mail was fake?


#31

The point Jeff was making in the article is that the rest of the email was ignored. As ‘mistakes’ go, it’s almost perfect if, say, you were a mole for the Russians :smile:

But, like I say, I was being pedantic. I favour Aaron_Morey’s point that it’s most likely an edit that was only partially completed.


#32

Making ever-longer and complex passwords isn’t the solution. A relatively short password of five to eight characters padded with an easy-to-remember string of characters that make the password a non-dictionary sequence of 12 to 14 characters is just as effective and far easier for the user to remember. See Steve Gibson’s white paper on the topic, “How Big is Your Haystack? … and how well hidden is YOUR needle?” Using Gibson’s “Password Haystacks” concept, you can forget about password manager services, master passwords, YubiKey, etc.
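The “haystack” arithmetic referred to above is simple enough to carry through: the search space is every string drawn from the same character classes, up to the password’s length, so length dominates alphabet. The following is an added example, not code from the comment or from Steve Gibson; it follows the search-space definition of Gibson’s calculator as I recall it (26 lowercase, 26 uppercase, 10 digits, 33 printable symbols including space, summed over all lengths up to the password’s), which is an assumption, and it also computes, for comparison, the number of guesses needed when the attacker already knows the padding string and only the short core is secret.

```python
import string

# 33 printable symbols (punctuation plus space): the count Gibson's calculator uses (assumption).
SYMBOLS = string.punctuation + " "

# Gibson's own illustration pair, as used on the Haystacks page (from memory; assumption).
PADDED = "D0g" + "." * 21          # 24 characters, mixed classes, easy to remember
RANDOM = "PrXyc.N(n4k77#L!eVdAfp9"  # 23 characters, every class, hard to remember


def alphabet_size(password: str) -> int:
    """Size of the character set an attacker must assume, from the classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def haystack_size(password: str) -> int:
    """Search space: every string over the same alphabet, from length 1 up to this length."""
    a = alphabet_size(password)
    return sum(a ** n for n in range(1, len(password) + 1))


def pattern_known_guesses(core: str, padding: str) -> int:
    """Guesses needed if the attacker knows the padding scheme exactly (characters and
    length), so that only the core is unknown: the haystack shrinks to the core's own."""
    return haystack_size(core)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at a given guessing rate."""
    return space / guesses_per_second


if __name__ == "__main__":
    for pw in (PADDED, RANDOM):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, haystack {haystack_size(pw):.3e}")
    print("padding known, core 'D0g' only:", pattern_known_guesses("D0g", "." * 21))
```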


#33

You are assuming the error was between the brain and the keyboard.

To use a programming analogy:

TypeKeyboard("an illegitimate") output “a lehitimate”

Or did MakeSenstance("bad email") call TypeKeyboard("a legitimate")


#34

I think Mr. Delavan made the mistake of being fooled into believing the phishing attempt. Everything in his email points to full-on panic mode ‘John needs to change his password immediately…’

‘…imperative that this is done ASAP’

If it was recognised as a phishing attempt then the advice would be something like: Do not under any circumstances click on the link. Delete the email. Your password does not need to be changed, but if you do, go through your normal log-on procedure and then use their interface to change your password. I would recommend activating 2-factor authentication.

He then compounded that error by not categorically stating that you NEVER click a link in an email and then give your password/details. You should know how to log in to your account, so do that and then go to the password reset section. Pretty simple rule to learn and follow: assume every email is fake - one day you will be right and glad to be safe.


#37

One thing I should have been more clear about in the article is to make sure your telephone number is not even listed in the records for your auth provider. I did say “don’t use SMS” but you have to be absolutely sure that SMS can’t ever be used – and the best way to do that is to remove the phone number entirely.

Many reasons for this, here’s another if you need one:


#38

Back in 2004 Bruce Schneier wrote on his blog

I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, “Nothing–you’re screwed.”

Then going with

But that’s not true, and the reality is more complicated. You’re screwed if you do nothing to protect yourself, but there are many things you can do to increase your security on the Internet.

However, I think the first statement is actually true, and not only for average users but especially for average users. Some people here doubted that it was just a typo from Mr. Delavan; if true, it could be a great example that even non-average users can be outsmarted and screwed.

For sure, using just passwords for authentication is like keeping the door closed but not locked. The difference is you can live in a good neighbourhood and never mind, but the internet is a district you usually try to avoid IRL.

You can do a lot to protect yourself, things like 2FA/U2F make you way more protected, but it’s still “a modicum of security”.

The only thing I disagree with in this article is the part about password managers. I don’t trust them. As for me, they’re SPOFs I’d rather avoid. However, I don’t have that much experience using them and this could be my prejudice. You’re welcome to change my mind.