Beware: I am a real neophyte when it comes to internet security. Having said that, I couldn't have fared any worse than Sony Pictures. They lost 1,000,000 plain-text passwords when a SQL injection vulnerability was discovered. I've been protecting against that attack since 2005. (The part "Is the password secure?" is where I say the passwords aren't stored in plain text. SQL injections have been the subject of security jokes for a long time, too. Ah, Little Bobby Tables.)
There have been and continue to be large breaches of personal data on the internet. Nathan Yau shares an infographic of the largest data breaches of all time.
My immediate family and I need a way to keep each other up to date with our changed account info and ID numbers. We need a solution that meets the following usability criteria:
- Accessible anywhere, from any device. It has to be practically just one click away.
- Trivial, memorable URL. We may be typing it directly into the URL bar.
- Always up-to-date. Any change made from anywhere is accessible immediately from any other client.
If it's not that easy to use, it won't be used, and there'd be no point in making it. On the other hand, it has to have the following security criteria:
- Accessible anywhere, from any device. It has to be secure even over a public wifi network.
- Secure from remote client attacks. It has to handle attacks over the internet.
- Secure from local attacks. It has to protect against disgruntled hosting company employees.
With all that in mind, I've decided to roll my own information vault. Here are some goals and notes from that venture:
Be A Low Value Target
My first line of defense is that my information vault is just for me and my family. This'll never store enough data of real value to make it a target for the economics of it. I might get attacked, but it'd only be for the idle challenge of it.
Block Direct Access of Data Files
Move data files off the server, even though they're encrypted, or into directories tightly controlled by permission settings and .htaccess instructions. Test both attacks. If your encrypted files can fall into your attacker's hands, they can try a local brute force attack. (More on that below.)
Use HTTP Secure
For any data that is accessible, use HTTPS. This is the first line of defense if you want your data accessible over a public wifi network.
Unique and Long Master Password
Force your users to use a long random, impossible-to-guess master password. Prevent any sort of social attack: No names, dates, or places. In my case, since I'm the creator of the tool, I can do this.
Use a Hard-To-Compute Hash for the Master Password
Related: Do not store the master password anywhere. And the salted hash you use for it should be secure. Refer to the Wikipedia article on cryptographic hash functions to see the relative weaknesses of the functions. I've considered throwing in with a hashing algorithm that adapts to faster hardware to frustrate brute-force attacks.
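As an added example (not code from the original post), here is the salted, deliberately slow, adaptive master-password hash described above, using only Python's standard library. The record layout `pbkdf2_sha256$<iterations>$<salt>$<hash>` and the iteration counts are my assumptions; storing the iteration count beside the hash is what lets the cost be raised later as hardware gets faster.

```python
import hashlib
import hmac
import os
import time

# Assumed record layout (not from the original post): "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".
# The iteration count travels with the hash so it can be raised later without breaking old records.
DEFAULT_ITERATIONS = 600_000

def hash_master_password(password: str, iterations: int = DEFAULT_ITERATIONS, salt=None) -> str:
    """Derive a salted, slow hash of the master password. The password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_master_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def needs_rehash(stored: str, current_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record was made with fewer iterations than current policy demands.
    Call this after a successful login and re-hash with the password you just verified."""
    return int(stored.split("$")[1]) < current_iterations

def calibrate_iterations(target_seconds: float = 0.25, start: int = 100_000) -> int:
    """Find an iteration count that costs about target_seconds on this hardware.
    Re-run occasionally; faster hardware means a higher count, and needs_rehash() rolls it out."""
    iterations = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", b"0" * 16, iterations)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2
```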
Don't Store any Data in Plain Text
This is a defense against a local attack from someone who can obtain file-level access, like a company employee with admin access.
Sony Pictures stored private data in plain text format, and thus enabled this interesting analysis of passwords in the Sony Pictures security breach. Consider your encryption algorithm carefully. I used AES, but am keeping my options open. I can change my backend at any time.
Limit Cookie Scope
Limit your HTTPS cookie scope with morsels like max-age, httponly, domain, path and secure.
While you're at it, it doesn't hurt to salt cookie and session data with an identifier associated with the request. In Python you could use os.environ['REMOTE_ADDR'].
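Putting both of those notes together, as an added example that is not the post's own code: a session cookie carrying every scope-limiting attribute listed above (plus SameSite, which the post does not list), with the session id bound to the request's REMOTE_ADDR through an HMAC so a cookie copied to another address is rejected. The host name, path, lifetime and server secret are assumptions.

```python
import hashlib
import hmac
import os
from http.cookies import SimpleCookie

# Assumed values, not from the original post.
COOKIE_DOMAIN = "vault.example.org"
COOKIE_PATH = "/vault"
SESSION_MAX_AGE = 900             # 15 minutes; a short life limits the value of a stolen cookie
SERVER_SECRET = os.urandom(32)    # in practice, load from a file readable only by the web process

def bind_session(session_id: str, remote_addr: str) -> str:
    """Cookie value = session id + HMAC over (session id, client address).
    Without SERVER_SECRET nobody can mint a binding for another address."""
    tag = hmac.new(SERVER_SECRET, f"{session_id}|{remote_addr}".encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"

def check_session(cookie_value: str, remote_addr: str):
    """Return the session id if the binding matches this request's address, otherwise None."""
    session_id, _, _tag = cookie_value.rpartition(".")
    if not session_id:
        return None
    expected = bind_session(session_id, remote_addr)
    return session_id if hmac.compare_digest(expected, cookie_value) else None

def session_cookie_header(session_id: str, remote_addr: str) -> str:
    """Build the Set-Cookie header line for a freshly authenticated request."""
    c = SimpleCookie()
    c["vault_session"] = bind_session(session_id, remote_addr)
    c["vault_session"]["max-age"] = SESSION_MAX_AGE
    c["vault_session"]["httponly"] = True     # page scripts cannot read it
    c["vault_session"]["secure"] = True       # only ever sent over HTTPS
    c["vault_session"]["domain"] = COOKIE_DOMAIN
    c["vault_session"]["path"] = COOKIE_PATH  # not sent to other paths on the same host
    c["vault_session"]["samesite"] = "Strict"
    return "Set-Cookie: " + c["vault_session"].OutputString()
```

One caveat with the address binding: a family member on a mobile connection whose address changes mid-session is logged out, which is the trade-off the post is making.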
Know what kinds of attacks can be performed. Encode characters that have special meaning for the languages you use, like the quote characters, <, >, and &, among others. In Python, the bare minimum you'd use is cgi.escape for that, but you'd want to use other functions depending on where/how the data is travelling or being displayed.
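To make the "depending on where the data is travelling" point concrete, here is an added example (not from the original post) of one encoder per output context, using the modern html.escape in place of the deprecated cgi.escape. The "text" branch matches cgi.escape's default of leaving quotes alone, which is exactly why it is not enough inside an attribute. The render_entry function and its slots are my own construction.

```python
import html
import json
from urllib.parse import quote

def escape_for(context: str, value: str) -> str:
    """Encode a value for the context it is being inserted into.
    Each context has its own special characters, so one encoder does not fit all."""
    if context == "text":
        # the bare minimum the post mentions (cgi.escape's default): only &, <, >
        return html.escape(value, quote=False)
    if context == "attr":
        # inside a quoted attribute the quote characters must be encoded too,
        # otherwise the value can terminate the attribute early
        return html.escape(value, quote=True)
    if context == "url":
        # a value going into a URL path segment or query string: percent-encode everything reserved
        return quote(value, safe="")
    if context == "js":
        # a value embedded in a <script> block: JSON string literal, with "</" broken up
        # so the browser never sees "</script>" inside the literal
        return json.dumps(value).replace("</", "<\\/")
    raise ValueError(f"unknown context: {context!r}")

def render_entry(label: str, url: str, note: str) -> str:
    """Constructed HTML fragment for one vault entry, using the right encoder per slot."""
    return (
        f'<li><a href="/go?u={escape_for("url", url)}" title="{escape_for("attr", note)}">'
        f'{escape_for("text", label)}</a>'
        f'<script>var note = {escape_for("js", note)};</script></li>'
    )
```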
Analyze and Act Upon Suspicious Activity
It's not enough that your server is passively logging each access. Your site needs to analyze recent activity and take action (like email you or ban certain origins) when preset triggers are tripped.
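Here is an added example of that kind of active analysis (my own code, not the post's): a sliding-window count of events per origin over a constructed access log, returning the action to take when a preset trigger trips. The log format and the trigger thresholds are assumptions; the two triggers cover the two attacks the post worries about, password guessing and probing for direct access to data files.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (not from the original post); format: "<ISO time> <client addr> <event> [detail]".
SAMPLE_LOG = """\
2011-06-10T21:03:11 203.0.113.7 LOGIN_FAIL
2011-06-10T21:03:14 203.0.113.7 LOGIN_FAIL
2011-06-10T21:03:16 198.51.100.9 LOGIN_OK
2011-06-10T21:03:19 203.0.113.7 LOGIN_FAIL
2011-06-10T21:03:23 203.0.113.7 LOGIN_FAIL
2011-06-10T21:03:27 203.0.113.7 LOGIN_FAIL
2011-06-10T21:09:40 198.51.100.9 FILE_404 /vault/data.enc
2011-06-10T21:09:41 198.51.100.9 FILE_404 /vault/.htaccess
2011-06-10T21:09:42 198.51.100.9 FILE_404 /vault/backup.enc
"""

# Assumed trigger policy: (count, window, action) per event kind, counted per origin.
TRIGGERS = {
    "LOGIN_FAIL": (5, timedelta(minutes=10), "ban"),    # master-password guessing
    "FILE_404":   (3, timedelta(minutes=1),  "email"),  # probing for direct data-file access
}

def parse_line(line: str):
    ts, addr, event, *_detail = line.split()
    return datetime.fromisoformat(ts), addr, event

def analyze(log_text: str):
    """Return (action, origin, event) for every origin that trips a trigger, once each.
    One sliding window per (origin, event) so events older than the window drop out."""
    windows = defaultdict(deque)
    actions, fired = [], set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, addr, event = parse_line(line)
        if event not in TRIGGERS:
            continue
        limit, span, action = TRIGGERS[event]
        q = windows[(addr, event)]
        q.append(ts)
        while q and ts - q[0] > span:
            q.popleft()
        if len(q) >= limit and (addr, event) not in fired:
            fired.add((addr, event))
            actions.append((action, addr, event))
    return actions
```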
"Security is not a product, but a process." --Bruce Schneier, author of "Applied Cryptography"
This blog entry may already have fallen out of date with new measures I've taken to protect our information vault.
If I'm missing a vector of attack, or you have some practical advice for me, I'd appreciate hearing from you.
In his article, The Importance of Vacation, Jonah Lehrer wrote the following:
When we feel distant from our work — when it seems wonderfully far away — we are able to think about work in a new way.
By thinking about problems in a new way, we can arrive at solutions we'd otherwise miss.
Jonah points this out as a benefit of going on vacation. While going on vacation can tickle your creative process when it comes to problem solving, you don't actually have to leave to get all of the benefits. Just feeling distant from the work is enough to get you to approach a challenge from new angles.
Jonah cites an experiment, the effect of spatial distance on creative cognition, where a psychologist ran two groups through the same set of insight puzzles, but told one group that the puzzles originated in a far away land.
Surprisingly, the group that was told the puzzles came from far away performed better. Why would simply telling somebody that the problem came from far away affect their ability to solve the puzzles? Jonah explains:
The sense of distance allowed these subjects to consider a far wider range of alternatives, which made them more likely to solve the challenging brain teasers. ... Instead of getting stuck and giving up, they were able to persist until the right answer appeared.
This is a technique that you can use, too. The next time you're struggling with a problem, do the following:
Put some distance between you and the problem. With perseverance and a little luck, you'll arrive at the answer.
In the not too distant future, my children are sure to come to me citing the 2007 study in the journal Pediatrics that says they should do the following things in the following order:
- Play video games.
- Do homework.
- Watch videos.
Nice try, kids. That's not exactly what the study says, but it does say that kids shouldn't play video games after doing their studies.
A New York Times article, Growing Up Digital, Wired for Distraction, cites the study, which was done at the German Sport University in Cologne.
The researchers looked at how [playing video games vs. watching a video] affected the boys’ brainwave patterns while sleeping and their ability to remember their homework in the subsequent days. They found that playing video games led to markedly lower sleep quality than watching TV, and also led to a “significant decline” in the boys’ ability to remember vocabulary words.
The New York Times article then references another study from the University of California at San Francisco:
Scientists have found that when rats have a new experience, like exploring an unfamiliar area, their brains show new patterns of activity. But only when the rats take a break from their exploration do they process those patterns in a way that seems to create a persistent memory.
We're all already bombarded by attempts to distract us. The trick is to know the value of our attention. As Leigh Reyes said, "Attention is the mind’s currency. Once we’ve spent it, we can’t buy it back." In order to get the value out of that transaction, the mind needs downtime to process and retain what it's taken in.
If you want to make the most of your studies, don't put them off until the last minute. Get them done, then take a break and let your brain absorb what it's learned.
- Do homework.
- Take a break.
I've got two examples of quality over quantity for you. But first, just the opposite:
A week ago it was hot. The heat wave was reaching about 90°, and we spent most of the day sweltering by the pool, vying for the shade. It didn't cool off much that night either.
I popped in a Blu-ray disc to watch with my wife. She and I settled in, hoping the movie would take our mind off the heat.
The Blu-ray disc spent a couple of minutes downloading trailers from the studio's server on the internet, and then proceeded to gather the local time and weather conditions and display them in widgets in the disc's main menu.
First: That's the last thing we want. What we want is the movie. That the disc would make us wait forever in the heat to download trailers we don't want to see, and then do the calculations to display the local time and the weather in these annoying widgets complicating the main menu was frustrating.
Second: What was really infuriating was that the disc got the weather wrong. Instead of showing the high eighties, it displayed the current weather at 62°. Even worse, it displayed the day's high as 62°! I wanted to throw my shoe through the TV. Luckily for the TV, it was too hot to be wearing shoes.
Not only was the Blu-ray disc blocking our attempt to watch the movie it contained, it was mocking us with blatant lies.
A Note To Blu-ray Disc Authors: We don't want to be reminded how late it is, or how uncomfortable it is outside. We want to escape into the movie. Now. Please let us.
Things Done Right
The natural thing to do in the iteration of technology is to add things. (Hence the stupid Blu-ray widgets.) Make things do more, make them bigger, or if they're supposed to be smaller, provide more of them. But that's not always better.
So when companies can resist that urge, and make things actually better, instead of making them just do more or have more stuff, then it's worth applauding.
Sony Cyber-shot DSC-HX5V
We've gone through a few generations of cameras increasing the size of their CCDs or CMOSs, making images take up much more space, but not making their picture quality any better. Consumers would end up with the same problems, but would need more disk space for the pictures.
Sony recently made a camera that didn't take bigger pictures for its class, but one that took quicker and better pictures. It's the Sony Cyber-shot DSC-HX5V. Outstanding. That's exactly the kind of improvement I've been hoping for.
Google's about to release a new iteration of their browser, Chrome, that actually has less visual noise around the web page than the current version. Awesome! They're taking away the stuff we don't want. They're already doing DNS pre-fetching in anticipation that we'd click somewhere on the page. It's like they want me to be more efficient at what I want to do.
I love it when companies hone in on what the product is supposed to do.
That's how companies can make their customers happy, and keep their customers with them.
The baby biting my nose in the picture to the right is turning ten years old. It's hard for me to believe that I've been using that picture as my avatar across the web for so long. When I created that avatar, I chose a picture that delighted me. My daughter and I were playing a game that we both loved. I'd hold her with her head next to mine, and when she'd turn away I'd brush her cheek with my nose, to bug her. She'd turn back and playfully bite it. We'd both laugh.
My wife caught the photo of us in the middle of the game. The original photo was nearly monochromatic already, and I thought I'd make it sepia-toned to give it an aged look. It seemed a good idea at the time, since with a new baby just about everything seemed renewed and full of wonder and color. A faux sepia-toned photo added some variety.
Now, that ten-year-old sepia-toned photo is beginning to look, well, old. Not only can the baby in the photo read the blog about herself, she probably has her own twitter account. It's time for a new icon/avatar.
There were a few things I really liked about the old avatar. I liked that I used the same one across multiple websites. That makes it easier for my friends to know that it's the same me at each website. I liked that I only took up about 30% of the image. At most sites that allow you to put up an avatar, you're going to be stuck seeing it yourself, so you'd better not mind. I don't want to look at a cheesy smirking headshot of myself when I check in at social networks. And even though I only make up 30% of the frame, I'm glad that it's me in there. I do want my online friends to have at least a rough idea of what I look like.
My friend David D. posted a self-portrait on flickr that really captured my imagination. He only comprised a small part of the photo, yet there was just enough to suggest physical traits to recognize him by, and it had a brilliant warm blue sky. I tried to capture a similar shot, and this is the result. It meets most of those criteria. A couple of other aspects of the photo grew on me, too. I like the deep blue, and I like that since I'm facing to the right, for most social network posts that put my icon on the left, it looks like I'm looking at the conversation.
I'm going to give this new icon a try. Let's see how it goes!