Friday, 3 October 2008
Given such a simple idea as gridKey (working title - don't sue me) its not surprising that someone else thought of it first.
Maybe I'll get round to writing a PHP and/or PAM lib to implement it.
Sunday, 28 September 2008
Devices like hashing fobs or tamper-proof smart cards are technically the best solutions for secure authentication - but they have a number of drawbacks for proactical applications. By far the biggest one is that they are not universal - I can't use my Paypal fob to log onto my LAN, I have several smart cards in my wallet, but where do I get a reader? Even if I did, how would I get Google to support the use of the card for accessing my gmail account?
Instead we seem doomed to endure badly implemented wish-it-was-2-factor-authentication and Capchas which even those of us lucky enough not to be visually impaired, cannot read.
While kitten capchas are undoubtedly cute, do they really help solve the problem?
It occurred to me that not entering the same password more than once is a good way to avoid the risk of compromise (essentially this is the common factor in Capchas, smart cards and key fobs) and here is a simple way to achieve this:
When you create an account for your user, issue them with a grid of letters and digits, 6x6 seems about right.
Then, each time they log in, ask for, say 5 of the entries, the grid holds more than 8000 passwords.
Given say 32 possible keys (omitting the letter O and number 0, lower case L and digit 1) the chance of guessing the password are one in 33 million.
Someone's probably already thought of this. But I thought I'd write it down before it gets patented.
Monday, 1 September 2008
The post and replay are here.
Tim said that:
tim@feynman:~$ telnet www.plumbcenter.co.uk 80
Connected to www.plumbcenter.co.uk.
Escape character is '^]'.
GET /plumb/index.html HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP/1.1 400 Bad Request
Date: Wed, 27 Aug 2008 21:44:51 GMT
Content-Type: text/html; charset=iso-8859-1
(404 body snipped)
Connection closed by foreign host.
"; SV1" with "; SV2" or replace "5.1" with "5.0" but leave the "; SV1"
What's interesting here is that the request headers specify HTTP/1.0 but the response comes back from the server as HTTP/1.1
While maybe this is just sloppy programming by Microsoft, its worth bearing in mind that, by default MSIE degrades to HTTP/1.0 responses when it knows it's talking via a proxy. Also, HTTP/1.1 mainly addresses performance improvements.
Further - as Tim points out, the behaviour of the server changes when the user-agent changes.
Could it be that IIS is using the user-agent for purposes beyond what it should do according to spec? This could give Microsoft an unfair performance advantage over other browsers. Certainly in this case there is hard evidencethat the server is basing its response on the user-agent supplied in the request.
For the time being this is mostly conjecture and conspiracy theory. But it would be interesting to confirm whether IIS always responds to HTTP/1.0 requests with a HTTP/1.1 response, whether it will include HTTP/1.1 specific browser instructions - and to see if the browser then acts on these.
Friday, 8 August 2008
Another problem I encountered was that mailq is not setuid root on this distro. Rather than reinvent the wheel, I thought I'd have a look at how RH & sendmail measure the size of the queue.
- /usr/bin/mailq is a symlink to /etc/alternatives/mta-mailq
- /etc/alternatives/mta-mailq is a symlink to /usr/bin/mailq.sendmail
- /usr/bin/mailq.sendmail is a symlink to /usr/sbin/sendmail
- /usr/sbin/sendmail is a symlink to /etc/alternatives/mta
- /etc/alternatives/mta is a symlink to /usr/sbin/sendmail.sendmail
Friday, 1 August 2008
"Microsoft Word (DOC)
Documents can also be saved in Microsoft Word format. ... This is the least desirable format as it is proprietary and it cannot be guaranteed that a reader exists for a particular user’s computer."Guess what format they use.
Friday, 6 June 2008
A bit of research suggested that this is a common problem - Blackberries won't talk to the BlueZ stack.
Meanwhile, having built a test rig and demonstrated the browser problem, I tried reporting the fault to Vodafone. They've written back asking for lots and LOTS of information none of which relates to the bug. I spent less time re-writing the web application I was trying to access then I have trying to satisfy the requests from the support department - who don't seem to understand how their own software works.
Thursday, 15 May 2008
Friday, 8 February 2008
But what's even more interesting is that Oracle no longer seem to be using their own tools for monitoring - a 'view source' on most of the oracle.com pages shows they are now using Omniture's SiteCatalyst.