Archive for the 'security' Category

No One Uses GPG With Outlook

Wednesday, August 13th, 2008

Some time ago my boss found himself a new pony, named it SECURITAR and decided to ride it around the office every other week talking about policies, improvements and all that jazz. I don’t really mind - it is a positive thing actually. He knows we need more of it, but doesn’t really know how exactly it is acquired. I think that at some point there was a plan to set up some hydroponic vats in the parking lot and try to grow it there, but I don’t think that panned out well.

So SECURITAR gets brought up every once in a while, everyone wholeheartedly agrees that we need it and IT gets the job of figuring out how to implement it. Usually this involves deploying encryption software on all laptops and workstations, training staff how to use it, enforcing strict security policies and smacking around people who don’t want to comply with them. Then the directors scratch their heads and say

“Well… That’s a lot of effort and expenses and time… We have a really busy quarter right now, and maybe we shouldn’t rush into that thing just to get more SECURITAR…”

The subject gets dropped like it’s hot, Snoop Dogg style, only to be revisited the next time the big boss takes the pony out of the shed and takes it for a ride.

A while ago someone recommended PGP. The affair with it was short-lived and ended around the time someone soberly said “it costs how much per user???”. Someone else said “I hope that this PGP comes with blackjack and hookers for that price” and I said “Get the fuck out of here Bender, no one asked you for your opinion”. So PGP never got rolled out and we still send emails unencrypted to this day.

Only every once in a while the topic gets brought up again. Last time around I had some sort of a lapse and blurted out something about GPG. I mean, it is roughly the same thing - only free, and it’s from GNU. And as everyone knows the G in GNU stands for Grrreat! At least that’s what Tony the Tiger told me before someone “punched” him in the face with my chair for being a Furry. So somehow I became the person responsible for figuring out how to make the GPG thing work in our Windows based, Outlook obsessed organization.

While G in GNU may stand for great, the NU definitely stands for Not Userfriendly for mere mortals. Don’t get me wrong - I use GPG myself, but then again I fucking hate mere mortals and I secretly hope they all die one day, preferably due to some sort of memetic-plague transferred via reality TV broadcasts and celebrity gossip. The problem is that GPG and Outlook do not play well together.

I downloaded and installed several free Outlook plug-ins that promised GPG integration and the breakdown was pretty much this:

  1. Shitty
  2. Shittier
  3. No longer maintained and last updated in the 1800’s
  4. PGP - also known as: “Costs Money == No Good”

Normally I’d post links to each and bash each on its own terms, but I just don’t feel like doing that. I looked at all the notable ones that I could dig out of Google and they all sucked hard. The interfaces were ugly, buggy and counter-intuitive; key management was either nonexistent, cobbled together as an afterthought, or required a separate application to run in the task bar with some very unstable communication between it and Outlook. And of course in most cases an encrypted email simply looked like a blank message with a weird attachment which could not be decrypted by double clicking, but rather required the user to save it to the hard disk, and then perform some complex operations involving clicking buttons, dancing, chanting and sometimes even singing the theme song from the Breakfast Club backwards while juggling 7 live poodles above your head. Or rather that’s how my users would describe it to their supervisors if we unleashed these monstrosities upon them.

Here is the thing - personally I think I could use all these applications, but none of them could match something like Enigmail in terms of simplicity, ease of use and level of integration with the mail client. They were all just a bit awkward. Of course when you are dealing with people who are technically half retarded when it comes to computers, a bit awkward translates into UNUSABLE.

Now I know how PGP keeps making money even though OpenPGP and GPG are widely used and widely available alternatives. No one else has figured out (or bothered to figure out) how to seamlessly integrate with Outlook.

So here is a question for you. Do you use PGP/GPG at your work? Do you use it with Outlook? Can you recommend a free solution that could be used by moderately intelligent chimpanzees and/or regular people? I’m sure I’m missing something here but I’m at a loss. Perhaps we will simply have to suck it up and buy PGP licenses, or just forget about this whole deal. I’d migrate this whole merry bunch to Thunderbird in a heartbeat if this was feasible, but I don’t think that would fly with the management because of that fucking Office Addiction.

Online Celebrity status and Social Engineering: Ze Frank Steals Your Facebook

Thursday, July 31st, 2008

Most of you probably know about Ze Frank. If you don’t, you should go and watch The Show right now. It was one of the most insightful, hilarious and nutty online shows that I have ever seen. It was not really a vlog (btw, who the hell came up with the word vlog? It sounds like someone throwing up), but something else. It is an important bit in the history of online hilarity and you don’t want to be the person who doesn’t get the jokes about duckies, giant babies, etc.

Anyway, I found it amusing that Ze’s latest exploit was a classic bit of social engineering. Ze asked his fans, readers and followers to let him borrow their Facebook profile for a month. During that month he would maintain their profile, make status updates, post on people’s walls and generally pretend to be you based on the notes you provided him. I guess the idea was to expose how your online persona can easily be disassociated from you without anyone noticing. Interesting concept and the person who participated in this experiment admitted that she sort of wished that Ze would take her online identity into new bold directions she never considered. And he sort of did, by flirting with her “crush of the moment” as she described it.

What kills me though is that people actually allowed Ze to do this. And that they sent him their login information en masse:

Last month I asked people on twitter whether they would allow me to take over their facebook accounts for a week. Within a half hour I had to remove the request due to the volume of incoming usernames and passwords.

I’m amazed, and terrified by this at the same time. I know that we live in a society that worships celebrities the same way ancient Greeks worshiped their promiscuous, quarreling, unruly gods. So I guess it should be no surprise that if a celebrity (even a minor online one) asks people for their login information, his loyal fans will be more than happy to provide. Still, it frightens me.

Personally I don’t care who you are - you can be the emperor of the universe for all I care but if you ask me for my password my answer will be the same as to anyone else: “GO TO HELL!” Sharing your login information for any online service or email is a horrible idea.

I’m not sure whether or not Ze realizes this (but I suspect he might), and whether or not his fans ever even considered it, but this was classic social engineering: using a gimmick to weasel personal information out of a group of people. All the people who sent him their password got duped. Naturally I’m sure Ze is a responsible person, and he had no malicious intent, but he could easily turn around and cash in on his fans’ trust by selling their login info to Facebook spammers. Would his fans know? Would they even be able to connect total pwnage of their accounts with the fact they sent their login info to a complete stranger over an unencrypted protocol? I don’t know. Half of them would probably never figure it out. The fact they gave away their info so easily and willingly is just scary, and underlines how little value people put on privacy these days.

It disturbs me to no end that the person who participated in the experiment actually viewed it as a positive experience. I guess she doesn’t realize it yet. She gave a complete stranger access to her facebook account, allowing him to explore her personal correspondence and all sorts of private and semi-private information, along with a written guideline on how to act like her on Facebook. Who knows what he could dig out with this information. Could he figure out her other passwords and secret questions based on her friend list and her private emails (you know, name of your dog, name of your childhood friend, etc.)? A skillful social engineer could take that account and milk it for information potentially leading to an all-out identity theft (“hey mom, what was my social security number? I forgot. Send it to my facebook!”).

Which brings me to a question for you. Do you share passwords with anyone? Can anyone except you log into your email, social media or your desktop? Personally I am very conscious about electronic privacy and I will not give my passwords to anyone. Not even my closest family. No one except me gets to read my email and use my social media profiles. I’m even in a habit of locking my workstation when I leave my desk even if I’m home alone. Not that I have anything to hide (well, except maybe the pr0n folder) but I personally believe that everyone should have a certain degree of personal privacy - even in close personal relationships.

I believe that your personal email, your social media accounts and the contents of your hard drive are off-limits to me. I have no business looking through them - and in fact I have no interest in what I might find there. I know people who either have their girlfriend’s/boyfriend’s email/facebook/myspace password or gave her/him theirs (or both). To me that sort of thing implies an alarming lack of trust, and excessive jealousy in the relationship. I personally believe that it is much healthier to simply respect each other’s privacy and have trust in the other person. Healthier, and more secure - because if you won’t give your password to your significant other, then you will be less likely to give it to Ze Frank or that Nigerian prince who promised you 10% of his wealth if you just hook him up with your pin number.

The name of your first pet is too short!

Thursday, July 3rd, 2008

I previously ranted about strange password restrictions that disallow usage of special characters such as spaces or alphanumerics. This time I want to complain about another boneheaded security feature out there - word length restrictions on your “secret” password recovery question. I was recently creating a Microsoft Live Passport account to register a copy of Visual Studio Express 2008. Yeah, laugh all you want, but PerfMonG is written in C# and it won’t maintain itself no matter how hard I try to ignore it. At some point during registration I saw this:

[Screenshot (croppercapture81.jpg) of the Live Passport registration form rejecting the secret answer]

Don’t get me wrong. I’m all for keeping things more secure, but restricting the secret answer to strings of more than 5 characters is a bit silly. For starters, let’s consider pet names. I don’t know about you, but I find that most of them are relatively short. For example, I did a quick Google search of the most popular dog names and I stumbled upon this ranking:

Most Popular Dog Names

It turns out that half of the top 10 most popular dog names are shorter than 5 characters. If you look down that list, this trend continues. So roughly half the people won’t be able to use their pet name as their secret answer, or will have to figure out a way to make it longer (for example by adding their last name), which simply adds confusion. Same goes for the childhood friend option. You may remember that your best buddy from the playground was named Bob, but will you always remember his last name was Szczebrzeszyński? Will you remember how you spell it? Hell, if on top of all this the place of your birth is Ido, Japan then you are totally fucked.

Now you are forced to make up answers - ones that you won’t remember 3 years from now when you need to recover your password making them absolutely useless. This minimum length limit is silly, because these hints are not really designed to be secure. Anyone can find out the name of my first pet, or the birthplace of my mother. It’s really not a secret, and it can easily come up in a casual conversation. The whole point of them is to provide another layer of protection for your account so that the attacker has to have both the secret answer, and access to the email account you used to open the service. Brute forcing the secret answer should not be a concern, because they’d be incredibly vulnerable to dictionary attacks anyway.

So why won’t you let us use answers that are as short or as long as we like, or stop using them altogether? Otherwise it is just counterproductive, as people won’t be able to remember what they typed in to pad their answers to meet your arbitrary minimum length limit.
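To make the point concrete, here is an added example (my own code, not anything Microsoft ships) of how a recovery-answer check can be built so that answer length does not matter. Normalizing the answer lets the user reproduce “Rex” years later regardless of case or stray spaces, the answer is stored only as a salted hash, and guessing is bounded by a per-account failure counter instead of a minimum length. The class name, the five-attempt lockout and the PBKDF2 work factor are my assumptions.

```python
# Added example, not from the original post: a recovery-answer store that
# accepts answers of any length. The protection comes from normalizing the
# answer (so the user can actually reproduce it), never storing it in clear,
# and locking the account after a handful of wrong guesses, not from an
# arbitrary minimum length. Limits and names below are assumptions.
import hashlib
import hmac
import os
import unicodedata

MAX_ATTEMPTS = 5          # assumed lockout threshold per account
PBKDF2_ROUNDS = 100_000   # assumed work factor


def normalize(answer: str) -> str:
    """Fold case, strip accents and collapse whitespace so 'Rex', ' REX ' and
    'Réx' all verify against the same enrolled answer."""
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(stripped.casefold().split())


def _derive(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2 over the normalized answer; the clear answer is never kept."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )


class RecoveryAnswerStore:
    """Hypothetical store: account -> {salt, hash, failures}."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}

    def enroll(self, account: str, answer: str) -> None:
        # A one-character answer is allowed; an empty one is not.
        if not normalize(answer):
            raise ValueError("answer must contain at least one character")
        salt = os.urandom(16)
        self._records[account] = {
            "salt": salt, "hash": _derive(answer, salt), "failures": 0
        }

    def is_locked(self, account: str) -> bool:
        rec = self._records.get(account)
        return rec is not None and rec["failures"] >= MAX_ATTEMPTS

    def verify(self, account: str, candidate: str) -> bool:
        """True only for the enrolled answer on an account that is not locked.
        Every wrong guess counts; a correct one resets the counter."""
        rec = self._records.get(account)
        if rec is None or self.is_locked(account):
            return False
        ok = hmac.compare_digest(_derive(candidate, rec["salt"]), rec["hash"])
        rec["failures"] = 0 if ok else rec["failures"] + 1
        return ok


if __name__ == "__main__":
    store = RecoveryAnswerStore()
    store.enroll("demo", "Rex")            # four characters, and that is fine
    print(store.verify("demo", " REX "))   # True: normalization handles it
    for _ in range(MAX_ATTEMPTS):
        store.verify("demo", "Fido")       # wrong guesses burn the budget
    print(store.is_locked("demo"))         # True: guessing is bounded here
```

The lockout, not the length rule, is what limits an attacker to a few tries; the second factor the post mentions (access to the registered mailbox) is the part that actually protects the account.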

The Death of CAPTCHA

Tuesday, July 1st, 2008

For a while now we have known that CAPTCHAs were becoming irrelevant. They were a great solution when they were first introduced, but I think that everyone knew that they were not going to be around for a long time. The trend in technology is always constant improvement - so OCR engines will continuously improve with each passing year. CAPTCHA strength on the other hand has an upper bound because it needs to be human readable. You can continue making the pictures more complex and tricky to solve, but at some point they become as incomprehensible to a human being as they are to some random bot. For example, how do you guys like the rapidshare dog/cat CAPTCHA?

The Infamous Cat CAPTCHA

I personally hate that one. Yes, you can sort of figure it out but you actually have to put some effort into it, and sometimes it’s just pure guesswork. Does it help against the automated scripts? I don’t know - I guess this is a question we should direct at Rapidshare. But it sure is annoying to regular users.

The OCR technology is not there yet - it’s getting better, but I presume that we could still get a few years out of our CAPTCHAs if their effectiveness boiled down to a complexity-of-design vs. character-recognition arms race. But we all know there is a growing cottage industry out there which uses real people to solve CAPTCHAs by either tricking them into doing it or paying them per solved puzzle. I always imagined this to be a rather shady business conducted in private spammer forums and via private channels. But it is not. They are actually doing this out in the open, as a legitimate paid service:

Image To Text

Here is a screenshot of imagetotext.com - a company which specializes in solving CAPTCHAs. They of course don’t say it like that, but I think the blurbs on their site make it pretty clear that they are not really interested in doing any sort of data entry tasks or transcribing freehand text into digital format. They are interested in receiving a small image and shooting back the text at $.02 a pop, bought in “packages” of 500 images or more. With a narrow focus like that, what else could they be doing?

Note that I’m not linking to them, because sure as hell they don’t need any Google juice from me. The ubiquity of CAPTCHA basically created a new niche industry. All you need now is some clever script that will harvest CAPTCHAs, send them to Image to Text, receive responses and create accounts on popular online services. Thank god these sorts of scripts are shady, and probably hard to get, right? You either have to make them yourself, or know where to find them, or who to ask for them. It’s not like anyone can just go to a website and buy, for example, an automated Myspace account creator? Right?

allBots Inc.

This one is from allbots.info - a website that seems to be selling precisely that: account generation scripts that create random profiles and simply need a human being solving CAPTCHAs really fast for them. So you buy one of these apps, then purchase a big-ass package from ImageToText, and you can start building your brand new spam empire. All it takes is some cash - you can even be borderline retarded. It won’t slow you down.

Combine the two services, and you have yourself a deadly combo with no programming and no thinking required. A bit scary if you think about it. I’m not sure how profitable these two companies are, but the fact that they exist indicates that there is demand for these types of services out there.

CAPTCHAs may be effective in stopping your average home-grown spammer, but they are actually creating a whole micro-industry revolving around circumventing them. In other words, they are actually performing natural selection - weeding out the weak players with few resources, and leaving only the biggest, baddest and most determined in the game. They are the catalyst, helping to evolve bigger and better bad guys.

Public Turing tests may be doomed and I suspect they might get completely phased out from use on the web in the next 5-10 years. And it’s not just CAPTCHAs - all public Turing tests. After all, it doesn’t matter if you are interpreting an image, solving an equation, or answering a question - it doesn’t really matter if there is a low-wage human worker solving it on the other end and then handing control over to a script.

Google has an interesting idea going on with their text message based application. If you haven’t seen it, try signing up for one of their services such as Gmail or Google App Engine. Instead of using a CAPTCHA they send a text message with an activation code to your cell phone. At least for the time being this system remains much harder to game - which means we might see it being used more and more often by popular online services. Of course it does have serious downsides, as not everyone with an internet connection may have a cell phone (think less developed countries) and not all cell carriers may be supported. We will need something else - but what?

It will be interesting to observe where anti-bot technology will go in the next few years.

Free Public Wifi Epidemic

Wednesday, June 4th, 2008

Here is a question for you. Have you noticed a strange, non-functioning, unencrypted ad-hoc wireless network occasionally popping up on your Wifi network list in your area? Yeah, I did too. When I first saw it at work, I thought someone in the building was messing around with ad-hoc networks. Good for them. Then I noticed the same network popping up at home. Then at school, in a coffee shop and other places. I talked to my co-workers who travel a lot and they too seem to notice this strange network popping up all over the country. And these networks never work and disappear as mysteriously as they appear.

To sort of gauge the magnitude of this phenomenon, I decided to search for “Free Public Wifi” on WiGLE. This is what I found:

[Map: Free Public Wifi Spottings, via WiGLE; the original post linked to an interactive version of this map]

Bizarre. I assume some of these hits are from genuine free public wifi networks. But I have a feeling that most are not. If you click on the link below the map, and zoom out a bit, you will be able to see that these things are also popping up all over Europe and in other places of the globe too. It seems to be a worldwide phenomenon.

So I decided to investigate. After some googling, I found a really nice writeup of this issue written by Zaib Kaleem at wlanbook.com:

The answer to why this SSID seems to be everywhere can be blamed on Microsoft, more specifically a Windows feature called Wireless Auto Configuration (aka Wireless Zero Configuration). Wireless Auto Configuration “provides automatic configuration for the 802.11 adapters”. In an attempt to make it extremely easy to connect to WiFi networks, Wireless Auto Configuration does the following when an 802.11 adapter is enabled and starts to scan for WiFi networks. (…)

If there are no successful connections and there is an ad hoc network in the list of preferred networks that is not available, Wireless Auto Configuration configures the wireless network adapter to act as the first node in the ad hoc network (…).

At one time or another somewhere out there someone connected to a real ad-hoc WiFi network that had the SSID “Free Public WiFi”. They added this network to their preferred network list. They then traveled to a location where this WiFi SSID didn’t exist (airport, airplane, and/or hotel). They powered on their laptop with the wireless card on and Wireless Auto Configuration took over and started searching for WiFi networks. After trying [failing to connect to any viable network in range], Windows gave up and configured the WiFi card to ad hoc mode with the SSID “Free Public WiFi” (since it was a preferred network).

A second person in close proximity to the user above also has a wireless enabled laptop and is looking to connect to a WiFi network. They scan to see what is available and notice an SSID called “Free Public WiFi”… they connect to it not knowing that it is an ad hoc network. After a few seconds of wondering why they can’t surf the web they disconnect from the SSID, shrug their shoulders and move on with life. Now they have the viral SSID in their preferred list too. The next time they power on their laptop it starts to look for the “Free Public WiFi” SSID. This process is repeated in many locations across the US and world again and again. Soon this SSID is in preferred wireless network lists everywhere and spreads like a virus.

Joshua Wright likened it to a zombie outbreak in the way it likely started with a single ad-hoc network and has now taken over most of the eastern seaboard and created hot spots on the west coast and in Europe. He posted about this weird issue over a year ago, and he also did that WiGLE mapping thing. Go check out his post and compare our maps. You can clearly see how this odd infection has spread since May 07 - the difference is huge. It’s growing!

Is this wifi zombie plague dangerous? Not in and of itself, but it does create a certain risk. Whenever your laptop is broadcasting the “Free Public Wifi” SSID, it is essentially revealing itself to all potential attackers. Whether or not you are actually vulnerable to an attack depends on your system setup and the security software you are running. But you clearly become more of a target due to increased visibility. And naturally any open public wifi hotspot is arguably a dangerous place to be to begin with. This goes double for public ad-hoc networks.

Few people really use the ad-hoc functionality on a regular basis, so it is probably a good idea to configure Windows not to automatically connect to them anyway. This way you both immunize yourself to this non-malicious viral wifi worm, and protect yourself from accidentally stumbling into a trap network set up by someone with malicious intent.
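As an added example of that clean-up (my own script, not from the original post, wlanbook or Microsoft), here is a small audit that reads the saved wireless profiles, flags the ad-hoc and open ones, and prints the commands that remove the viral profile and switch any remaining open profile from automatic to manual connection. It assumes the `netsh wlan` interface of Windows Vista and later (the XP Wireless Zero Configuration service the post’s quote describes has no such command line); the profile dump it parses is a constructed sample in the key : value layout of `netsh wlan show profile name="<name>"`, and the `Adhoc` / `Open` field values are assumed from that layout.

```python
# Added example, not from the original post: audit saved WLAN profiles and
# emit the netsh commands that stop Windows from auto-joining open or ad-hoc
# networks such as "Free Public WiFi". Assumes Windows Vista or later.
import re
import sys

# Constructed sample of three profile dumps. Real output of
# `netsh wlan show profile name="<name>"` uses the same "Field : value" lines.
SAMPLE_DUMPS = """\
Profile HomeNet on interface Wi-Fi:
    Name                   : HomeNet
        Connection mode    : Connect automatically
    SSID name              : "HomeNet"
    Network type           : Infrastructure
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Profile Free Public WiFi on interface Wi-Fi:
    Name                   : Free Public WiFi
        Connection mode    : Connect automatically
    SSID name              : "Free Public WiFi"
    Network type           : Adhoc
    Authentication         : Open
    Cipher                 : None

Profile CoffeeShop on interface Wi-Fi:
    Name                   : CoffeeShop
        Connection mode    : Connect automatically
    SSID name              : "CoffeeShop"
    Network type           : Infrastructure
    Authentication         : Open
    Cipher                 : None
"""

FIELD = re.compile(r"^\s+([A-Za-z ]+?)\s*:\s*(.*)$")


def parse_profiles(text: str) -> list[dict]:
    """Split a concatenated dump into one dict per profile; keys are the
    lowercase field names ('name', 'network type', 'authentication', ...)."""
    profiles: list[dict] = []
    current = None
    for line in text.splitlines():
        if line.startswith("Profile "):       # header line opens a new profile
            current = {}
            profiles.append(current)
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1).strip().lower()] = m.group(2).strip()
    return profiles


def risk_of(profile: dict) -> list[str]:
    """Reasons this profile is worth acting on; empty means it looks fine."""
    reasons = []
    if profile.get("network type", "").lower() == "adhoc":
        reasons.append("ad-hoc network")
    if profile.get("authentication", "").lower() == "open":
        reasons.append("open (unencrypted) network")
    return reasons


def remediation(profiles: list[dict]) -> list[str]:
    """netsh commands: drop ad-hoc profiles outright, make open infrastructure
    profiles manual-connect, and finally refuse every ad-hoc network."""
    cmds = []
    for p in profiles:
        name = p.get("name", "")
        reasons = risk_of(p)
        if not reasons:
            continue
        auto = p.get("connection mode", "").lower().startswith("connect automatically")
        if "ad-hoc network" in reasons:
            cmds.append(f'netsh wlan delete profile name="{name}"')
        elif auto:
            cmds.append(f'netsh wlan set profileparameter name="{name}" connectionmode=manual')
    cmds.append("netsh wlan add filter permission=denyall networktype=adhoc")
    return cmds


if __name__ == "__main__":
    # Pipe the real dumps in on stdin; with no input the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMPS
    for cmd in remediation(parse_profiles(text)):
        print(cmd)
```

On a real machine, concatenate the output of `netsh wlan show profile name="<name>"` for each saved profile into the script’s stdin, review the printed commands, and run them from an elevated prompt; the final `denyall` filter is what keeps a future “Free Public WiFi” from being joined by accident at all.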