Posts tagged "security" - nolan caudill's internet house

How Secure is my Dropbox?

Sun, 14 Apr 2013 07:00:00 +0000

The answer to this is: Secure as any other “private” content uploaded to the Internet, which is “not very.” Dropbox is a widely-used service that lets you keep a specific directory in sync across many computers. Copy a file into the Dropbox folder on your work computer and it is nearly instantly available on your phone and your home computer. No more emailing files to yourself or scrambling to find a site that’ll let you upload a big file. They even give you a slick, web-based interface to browse your files. This all sounds really easy and convenient which, unfortunately, usually means it’s not secure. The problem is that Dropbox stores your files on their servers encrypted in a way that they can read them. First, what does one mean by “secure”? My definition of secure is that no one else in the world could possibly see the contents of something unless I let them. If it’s a text file, no one except me can read it; if it’s a photo, no one except me can see it. For most of the files people want to share or sync, the security level of Dropbox is adequate. Disregarding that bug a couple of years ago where anyone could log in with any password, Dropbox is password protected and they recently introduced two-factor authentication, where you have to type in both your password and a short-lived, always-changing set of numbers from your phone. All connections between you and Dropbox go over SSL. This means no one can snoop on files you send to Dropbox and no evil person can trick your computer into thinking they are Dropbox. From my limited knowledge of Dropbox’s internals, gleaned from reading a few security analysis reports, they do encrypt your files before uploading them. The downside is that they own the key to decrypt them “to ensure everyone has the ability to view and share files on the web painlessly.” Translated, this means that people-who-are-not-you can read your files. I’ll assume that Dropbox, the company, follows industry standards for security. Only certain engineers get access to certain machines. Only certain support people get access to your files as necessary. Only code that’s been properly vetted for security bugs is deployed. The weak spot in all of Dropbox’s efforts are the people. This isn’t a knock on Dropbox at all; people are the weakest spot in ANY security system. Servers are constantly barraged by people trying to break in, and they often succeed. Support people sometimes stray and snoop at files they they shouldn’t. Developers write bugs that let random people on the internet get access to things they shouldn’t. It happens, despite best efforts in engineering or culture. People make mistakes. If you’re wanting to keep your music in sync between computers, or want to quickly send a photo to a friend, Dropbox is great. It’s incredibly convenient. If it’s a file that you wouldn’t want another person to have, like your password file or financial documents, you don’t give it to Dropbox. There is one (and only one) workaround to this though. If you encrypt a file on your computer before giving it Dropbox, they won’t be able to read it. 1Password, the popular password manager, takes this approach. They store your passwords in a file they then encrypt on your computer using high-grade encryption software. They then place this encrypted file into your Dropbox. Even if this file was to leak somehow, no one else but you could open it. Dropbox is purely the syncing service, which is still a handy thing to have. The sad part of encryption is all the tools are terribly hard to use. TrueCrypt is probably the easiest of the bunch but there’s still a bit of learning curve to the terminology (partitions, volumes, and encryption algorithms?). I use GnuPG to encrypt my files, but that involves using a command-line interface, something most people aren’t (and probably shouldn’t have to be) comfortable using. OpenSSL is the Swiss Army knife of all things encryption but using it properly is like knowing some secret wizard’s spell. Dropbox can read anything you give to it, in the state you give it to them. Give them something that only you can read and you get the joy of having this file everywhere while still being the only one who can open and read it. I’m not saying to not use Dropbox. It’s just a fact that any file uploaded to Dropbox, given enough time, stands a good chance of being seen by someone you don’t know, so adjust your file syncing accordingly. This post was inspired by a Twitter message from Kellan yesterday.

Security vs Convenience

Tue, 18 Dec 2012 05:57:00 +0000

Until a few months ago, my Flickr account was still using the same 6-letter password that Yahoo automatically assigned to me in the late 1990s. Most of my other accounts were using a variation of this password, with a dumb algorithm that used pieces of the site’s URL with some numbers attached. None of this was good.

After Mat Honan’s terrible hacking fiasco this past summer, I realized that, yeah, this could happen to me too and I should just take care of locking everything down the best I can. Here’s the current state of how I’m staying safe online.

The first major improvement I made is that I started using a password manager, going with LastPass. I’ve used a Linux laptop at home forever and use Macs at work and have an iPhone so I needed something that worked on these different systems. LastPass has an iPhone app, a Chrome plugin, and a nifty website so this worked for me. Quite a few of my friends use 1Password, which works on the same principle of storing passwords in an strongly encrypted file. The main difference is that LastPass stores this encrypted file for you whereas 1Password requires you to take care of transporting, protecting, and syncing this file.

After using a password manager for a few months, there’s no way I could go back to remembering a hundred or so slightly different passwords and often having to reset them due to forgetfulness.

I then started making the effort that every time I hit a site that hadn’t been added to my LastPass account, I would change the password to a new, machine-generated password. I also started storing fake answers to security questions alongside each password in a special notes field the manager provides. Now every site I log into has a long, hard-to-crack, and unique password with security questions that no one could answer.

My current goal is to know only the password to my password manager with all the others locked away. The downside to this is all my passwords are protected by just one password which is a weak spot as passwords can be logged, guessed, or brute forced. Luckily, LastPass offers two-factor authentication which means that people would need both the password and my phone that runs the Google Authenticator app.

The tricky thing

Using two-factor authentication is incredibly secure but the tricky part to consider is what happens when I can’t access my phone, like in the case of the battery being dead, or stolen or lost in the worst case. Most services that offer two-factor authentication also give you the option to set up ahead of time a short list of one-time passwords. These should be generated and stored where you always have access to them. I store these in two spots: in my wallet and a symmetrically-encrypted file on my personal server for redundancy.

Security and convenience sit on opposite ends of a spectrum. While it takes a little effort to set up, it makes your accounts much more secure from data leaks and hacking attempts and not having to remember multiple, insecure passwords is a burden one should be happy to be relieved of.

Nobody puts tarsnap in a corner

Thu, 24 Nov 2011 08:00:00 +0000

I woke up this morning around 7:30 with my laptop (a Lenovo R61i running ArchLinux) not feeling quite as snappy as usual. After viewing top, I saw where my nightly backup to tarsnap was still running, which kicks off via cron. This script usually takes 5 minutes, tops.

My first feeling was that it was probably the couple of gigabytes of email that I backed up from Gmail yesterday, though even with the extra bits, my outbound bandwidth should have been able to allow that go through much faster than 4+ hours.

So I attached to the running tarsnap process with strace, just to see what it was doing. I saw lots of selects, receives, and sends, so it appeared to be sending things across the network, which was good.

Seeing the network activity, even though it was behaving properly, set off alarms. A bunch of new files to backup wasn’t the only thing I changed yesterday: I had also switched out my Linksys WRT54GL’s router firmware with Tomato, mainly due to its extensive Quality-of-Service settings.

We’ve got a few streaming media devices around the house and I wanted to give them priority (based on MAC, static IP, network interface, etc).

Another nice thing about Tomato is that comes with graphs. I love graphs, and Tomato gives you bandwidth graphs, broken down by timerange and NIC.

Pulling up the graph verified that I had a block of outbound traffic start at 3am, but it was never rising above 30kbps. It was being capped.

So I went back to the QoS interface and sure enough there was a class of traffic labeled “lowest” for “Bulk Traffic” (which matched any TCP/UDP packets heading out to a port 1024 or above) and it was being capped at 30kbps. While fiddling with the inbound limits in the QoS admin, I completely glazed over the outbound limit defaults. (Also, this is why I’m not a network operator.)

Since this is the only outbound traffic of any significance through this router, and I run it at night to not interfere, I just disabled all outbound limits.

Here’s the 24-hour bandwidth graph after turning the outbound limits off:

The green is outbound traffic, being capped for several hours, and then spiking and then quickly finishing.

So Tomato is awesome but is evil in that way that only computers can be, which is by doing exactly what you tell them to do.

Bad Microsoft

Mon, 19 Nov 2007 08:00:00 +0000

This is not good at all. And just as Microsoft was gaining some amount of respect as being a secure platform.