Category Archives: Computer Security

Taking the Safety Off

Purism’s explanations for removing various safety features from Librem One’s social network sound like someone explaining why they removed the mirrors, brakes, horns, seat belts, airbags and signals from the cars they’re reselling, because they know those cars are only ever going to be driven on a track where they’ll never have to change lanes or negotiate with other drivers.

Even though there’s a bunch of driveways on that track, connecting to the public road system.

If a collision does happen, we can call in the tow trucks and ambulances. But giving drivers tools to avoid collisions or reduce injuries? That would be interfering with their freedom!

Treat Passwords Like Driving: Separate Your Hazards.

The last time I set up a new computer, I was surprised to find that installing a password manager has become a critical part of getting the system ready to use.

It used to be that you could pick a few unique passwords for critical services like your primary email and banking sites, and reuse some passwords for less important sites, and maybe remember them all. But when so much of what we do happens online in so many places with so many different levels of security (and visibility), the attack surface is huge. Add in how many criminals and others are trying to break into those sites, and it’s no longer safe to reuse passwords.

Why?

If one site gets hacked, and you use the same password at another site, someone will try it just to see if it works.

The only way to protect against that is to use a different password on every site. And unless your online activity is very narrow, chances are you can only memorize a few of them. You can stretch it out with mnemonics like XKCD’s passphrase scheme, but eventually you’re going to have to record them somewhere. Putting it in a text file or spreadsheet is bad, because anything that gets onto your system can read it, but password managers are designed to encrypt them.

You still have to protect the master password on that file, but now you don’t need to worry that when someone finds your old MySpace password, they’ll start buying stuff on one of your shopping accounts, or hijack your Twitter as part of a harassment campaign, or use your email account to send malware to all your friends.

LastPass is a popular one. It’s cloud-based, which makes it convenient to use on multiple devices, but you do have to trust them. If you’d rather not trust your passwords to someone else’s computer, you can go with an offline manager like KeePass, which stores everything locally on your system in an encrypted file.

It’s amazing more email accounts weren’t hacked back in the 2000s

At a tech training session, I wanted to get access to some of my class-related email on the training computer. But I didn’t want to log into my primary email on an open network, or on someone else’s computer at all. I have no idea what they’re logging, whether they’re doing SSL inspection, whether there’s a keylogger on it — probably not, but who knows?

Heck, I didn’t even want to use my own device on the hotel Wi-Fi without a VPN, and that was at least secured by WPA2! (then again…)

I ended up forwarding the extra class materials to a disposable email account and logging into that one. No risk to other accounts if it got sniffed, at any level.

But I remembered how we all used to get at email when traveling back in the early 2000s, before smartphones, and before every laptop and every Starbucks had Wi-Fi:

Internet Cafes.

We’d walk into a storefront and rent time on one of their computers. Then we’d go to our webmail site and type in our primary email login and password over plain, unsecured HTTP without TLS.

I’d never do that today. Admittedly, I wouldn’t need to in most cases — I can access my email wirelessly from a device I own that I carry in my pocket. (Whether that’s a good thing remains up for debate.)

But more importantly, we know how easy it is for someone to break into that sort of setup. Even if your own devices are clean, someone else’s computer might have malware or keyloggers or a bogus SSL cert authority on their browser to let them intercept HTTPS traffic. An HTTP website is wide open, no matter whose device you use. And an open network is easy to spoof.

So these days it’s defense in depth: If it needs a password, it had better be running on HTTPS. If I don’t trust the network, I use a VPN. And I really don’t want to enter my login info on somebody else’s device.

Rogue One (Star Wars) and Imperial IT (SPOILERS!)

I liked Rogue One: A Star Wars Story quite a bit. Despite having a very different tone from either the original trilogy or the prequels, it’s still recognizable as a Star Wars film, and successfully weaves in and out of the events leading up to A New Hope.

There’s a somewhat odd setup for where they actually find the Death Star plans, though. SPOILERS after the cut:

Continue reading

Amazon Apps won’t Install on Android? Check Screen Dimmers

I mostly use the Google Play Store on my phone, but I have a few apps through the Amazon App Store. I recently found that I couldn’t update them — or the store itself. I could tell it to download the app, but at the point that I was ready to review the permissions and click on Install, the Install button wouldn’t respond. At all. Nothing. Cancel worked. Everything else worked. But not that one.

A forum thread pointed me to screen management apps. Lux, Twilight, etc. – the kind of apps that will alter your screen to red-shift it at night, or adjust brightness below the range of the screen’s backlight.

Sure enough, I disabled Lux from the pull-down, and the Install button worked. Once the update was done, I re-enabled it. Just an extra two seconds of work before and after.

It probably happens on other third-party app stores and stand-alone installers as well.

The cause wasn’t completely clear from the discussion thread, but reading between the lines and adding my knowledge of software and web development suggests that it’s a security issue: Apps like Lux and Twilight work by altering the appearance of the screen (“draw over other apps” permissions). It makes sense that Android would prevent installation (outside of its own privileged update system, anyway) actions when it can’t be sure that what the user sees is actually an Install button.

Imagine a malicious app that overwrites the screen to hide an Install button under something more benign. In web development, we call this clickjacking.

Anyway, that’s the issue and the workaround, and why I think it hasn’t been fixed in all this time: Fixing it would open up a security vulnerability.

Fortunately, the workaround is pretty easy!

Update: It occurs to me that Facebook also requires the “draw over other apps” permission, which was why I finally uninstalled it. I expect that might cause issues if chat heads are visible when you try to install/update an Amazon app.