When Security is Bad for Security

Copyright © What The Hell? Security

There are 3 kinds of security in business:  Good security, acceptable security and bad security.

Good security is the kind that works for the business and for the people who work in it.  It aligns with universally known objectives, and is communicated in a way that motivates people to do the right thing without instilling fear or evoking rebellion.

Acceptable security is the kind that everybody would rather not bother with, but is willing to because it’s necessary for the good of the business.

Bad security is the kind that irritates the hell out of everybody for no good reason.

Some airline that I mostly like recently charged a couple of flights to my credit card.  Flights that I assume had somebody’s butt in a seat.  Only because I claim that it wasn’t my butt, they won’t tell me whose butt it was, or in what city the butt walked off the plane.  Better yet, their website claims not to even have the credit card on file. So I’m having to work this through the issuing bank, which happens to be Chase.

Is it fraud? Who cares. There’s no evidence to support I made the purchases so I won’t be paying for them. But you wanna know what really annoys me?  Twice Chase has sent me an email (see picture) that says click here, then login there using such and such username and a password sent in a separate email.

Twice I have not received this separate email. Why? Again, who cares. There’s no evidence to support it was delivered. What I care about is why Chase bothers with a two-email security strategy at all. It’s not like they’re sending it from a different source, or to a different destination. It’s not like with snail mail, where they send two letters a few days apart, figuring the likelihood of your mailbox being robbed on both days is lower than it being robbed on one day.

So let’s take inventory.  Customer (me) is irritated by unauthorized charges.  Chase repeatedly devotes the time and energy of their stern-of-voice staff to phone me wondering why I’m not paying the charges. Customer (me) is more irritated by the phone calls. So far it’s a lose-lose stalemate.

All in the name of security.  What the hell?

iPhone Premature Messaging Vulnerability


Call me a heathen.  I recently bought my first iPhone.

I’ve owned about 15 too many Dangleberries. After accidentally dropping the last one and watching it land 75 horizontal feet from where I was standing at the time, I gave an HTC Aria running Android a try.

One of the precisely 3 things I loved about the Aria was the universal escape button that occupies the same real estate as the iPhone’s home button.  No matter what app you’re running, pressing it always backs you up one screen. You know. Escape.

In contrast, Apple’s GUI Gods provided us 6 ways to achieve an escape, only one of which seems to apply on any given screen in any given app. No matter what app you’re running, you’re abiding by the depicted flowchart.  You know.  Escape.

Now that issue is frustrating as hell.  But the “Messages” application is straight from hell.

It’s the placement of the damn “Send” button.  The one that you accidentally press half the time you’re actually trying to press one of those infrequently used I, O and P keys. The keys that constitute 50% of the letters in the word “iPhone.”

So what does this have to do with security?  Well, just like those I, O and P keys, I haven’t quite put my finger on it yet.  But surely there is a problematic use case buried somewhere.

Hey Apple – what the hell?

FTC to Twitter: “Do Not Be Concerned About Security”


[For context see "The FTC's Bitter-Tweet Victory over Twitter"]

The Federal Trade Commission today issued a clarifying statement regarding its recently announced ruling that Twitter had not lived up to its promise of years past to protect consumers’ personal information.

“The FTC wishes to reiterate our ruling that Twitter did indeed violate its privacy policy, and that as one consequence, it will be compelled to pass security audits for the next twenty years” said FTC spokesperson Sue First. “A second consequence, although implied in supplementary documents, was not made explicitly clear in our announcement.  We therefore take this opportunity to set the record straight: Twitter should not be concerned about security.”

The supplementary documents she refers to are Version 1 and Version 2 of Twitter’s privacy policy.  As the FTC’s announcement makes clear, Version 1 of the policy contained the offending language — “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information” — that prompted the FTC’s investigation to begin with.

Version 2 of the policy, which the FTC helped draft and ultimately approved, lacks any remotely similar expression of concern.

A source inside Twitter, speaking on condition of anonymity, reports that Twitter pressed the FTC to include its sentiment of concern in Version 2. The FTC shot that down, however, insisting that the new policy “contain only language directly or indirectly relevant” [to the settlement].


The FTC’s Bitter-Tweet Victory over Twitter


Few security happenings leave me speechless. The FTC’s insanely aggressive settlement over Twitter’s 2009 privacy gaffes practically yanked my tongue clear out of my mouth.

First off, let’s be honest with ourselves for a minute. This is Twitter we’re talking about. Twitter isn’t a bank. It isn’t a medical institution. It isn’t a merchant. It isn’t a financial advisor. (Ok, people use it as a financial advisor, but they really shouldn’t.) Twitter is…well, you know…a DIY fan club kit. Fans not included.

This is the company that the FTC is imposing security audits on until 2030. Twenty-freaking-thirty. Twitter’s three co-founders will average 55.6 years of age in 2030. Hell, the company won’t even have had a revenue model for what, five or six years max. But that’ll teach them.

Furthermore — now pay attention here because this is really important — by promoting the “security” of Twitter, the FTC is paving the way for an abundance of unforeseen use cases to be built atop it. Ones with security ramifications that will give us a hangover that lasts beyond 2030.

Here’s the one I’m waiting for. To fully appreciate it, you have to place your head in a vise and squeeze for a minute. Now look at me. No, over here. Twitter does make for a helluva pubsub messaging backbone, doesn’t it? With some clever XORing I bet somebody could build a secure transaction processing system on top of it. Hell, a secure cloud transaction processing system.

Don’t forget to release the vise.


Symantec, VeriSign Off To Rocky Start


I still find Symantec’s purchase of VeriSign’s security business intriguing. So I decided to do a little research. All I’m gonna say is, nothing beats a little dumpster diving.

Look past the scribbles and you’ll find that each company raises some really good points about security-related problems with the other’s website. Hell, if I didn’t know better, I’d not even guess that they’re both security companies.

Gist: www.symantec.com identifies itself with an untrusted SSL cert. (My theory is that they can’t afford a trusted cert after spending $1.2 billion to buy VeriSign’s security business.)
Gist: symantec.com (i.e. their domain name) is not reachable on TCP port 443. If SSL were indeed an anti-phishing technology — which of course it’s not — it seems that a Certificate Authority ought to serve a page (using a valid cert) at https://TheirDomainName.*
Gist: Firefox 3.6 suggests that VeriSign’s so-called Extended Validation has VeriFied that they do not know who runs their own site. Sigh.**
Gist: It’s always nice when security companies don’t publish content containing a version of their logo that raises not one, not two, but three security issues. Sigh.**

I’m not really sure what this is about, but I also found a crumpled cocktail napkin with the word “VerInfrastructure” scribbled on it.

* Ironically, it actually is a good idea, but that’s a subject for a future article.

** Surely the Internet’s Infrastructure company can get a trifling browser producer to fix this. Right?
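A small probe for the gist items above (is the apex domain reachable on 443, is the chain trusted, does the certificate name match the host, and which organization the certificate names), added here as an example and not taken from either company's site or tooling. The function names are hypothetical, and the certificate used in the test is a constructed sample.

```python
# Added example: check the TLS findings listed above for a given host.
import socket
import ssl

def cert_names(cert):
    """DNS names from a cert dict shaped like ssl.SSLSocket.getpeercert()."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy fallback: no SAN, use the subject CN
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.append(v)
    return names

def name_matches(host, pattern):
    """A wildcard is only honored in the leftmost label and covers one label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def cert_matches_host(cert, host):
    return any(name_matches(host, n) for n in cert_names(cert))

def cert_org(cert):
    """Organization from the subject; EV certs carry the verified company here."""
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "organizationName":
                return v
    return None

def probe(host, port=443, timeout=5):
    """Return findings as a dict; network and trust errors become findings."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # report a name mismatch instead of aborting
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            with ctx.wrap_socket(s, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:  # untrusted chain
        return {"reachable": True, "trusted": False, "error": e.verify_message}
    except OSError as e:  # refused, timed out, handshake failure, ...
        return {"reachable": False, "error": str(e)}
    return {"reachable": True, "trusted": True,
            "name_matches": cert_matches_host(cert, host), "org": cert_org(cert)}
```

Run `probe("example.com")` and `probe("www.example.com")` for both the apex and the www host, since the post's second gist is precisely that the two can differ.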


Security World Cup: Microsoft 171, Google 22


Hey Google, what the hell? Not that we’re keeping score or anything (see graph), but your Online Security Blog’s quietude relative to Microsoft’s Trustworthy Computing Security and Privacy Blog is begging for a fan riot.

According to my screen-scraping calculus, for the 18 months of January 2009 through June 2010, Microsoft scored 171 goal posts (cough) to your 21. Hell, in fully 50% of those months Microsoft bloggingly demonstrated that it cares about security more than you do by a factor of . Which — and you’ll have to blame Berkeley for this — dwarfs your eponymous 10^100.

Put your mouth where your money is guys.  “The latest news and insights on security and safety on the Internet” should offer some news and insights more than 1.2 times per month.  Something around 12 would be a good start.

