Single sign-on everywhere

July 02, 2007 at 09:35 PM | categories: python, security, linux

Using a single password for every site you visit is really stupid. However, the alternative, making unique and secure passwords for every single site you visit, can get tedious and unmanageable quickly.

A long while ago I started memorizing about 10 different passwords of various security levels, thinking that I could mitigate the risk by grouping similar sites together under one password. Memorizing 10 passwords really isn't that hard to do if you're dedicated, but it still isn't that much smarter than a single password.

Then I started using KisKis, a Java application with which I could store all my passwords in an encrypted form. Although it's very secure and I liked it at first, it became really tedious to create a new entry every single time I made a new account somewhere and then to open the application up and look up the password every time I needed it. Add to that the need to come up with a way of synchronizing my passwords across all of the machines I use, and it became a real pain.

In about 2004, Firefox came along with the ability to store passwords in an encrypted form right inside your browser. What a godsend! Now I can make a new unique password for every site I visit and have the browser remember it for me.

However, I still have one problem. I use a lot of different computers and there is still no easy way to synchronize passwords between firefoxen on different machines.

A couple days ago I found this: PwdHash. PwdHash is a rather ingenious method for generating a unique, secure password for every single site you visit. The password is a function of a master password and the URL itself, so you don't even need to store it; you can simply generate it whenever you need it. Almost magic really.

However, I still have a few security-related issues with it. I think it is likely that there are websites out there that could implement a keystroke logger in JavaScript or, even more likely, in Macromedia Flash. So the ideal solution for me is to have the same functionality outside of the browser completely. This isn't so bad when combined with Firefox's ability to cache passwords. To PwdHash's credit, the developers have gone to great lengths to make sure that PwdHash is secure; I'm just paranoid. It's my flaw, not theirs.

So here is my first stab at a PwdHash-like Python application. (Note that this is not compatible with PwdHash. I didn't want to have the temptation of using their software when I'm at some public terminal.) You can run this standalone on any Unix-like OS. (I find it most convenient to have it long-running inside of GNU Screen.)

How to run:
  • python site_pass.py
  • The first time it is run you have to create a master password.
  • Now simply enter a URL (either a full URL like http://www.enigmacurry.com or simply enigmacurry.com).
  • It will generate an eight-character password for you. Copy and paste that into your web browser and have Firefox remember the password.
  • If you ever need to look up the password again, simply rerun the application, enter the URL, and you'll get the exact same password back again. Since it is a hash of your master password and the domain name you don't ever have to store the password (except in your browser for convenience). Just generate it again whenever you need it.
  • Do the same for all your other accounts, and only look up your password again on other computers that have yet to cache the password.

Now you'll never have to go through the process of "I forgot my password" again!

One word of caution however. Don't run this on your friend's box or any other place where you don't have full control of the root account. Your master password resides in memory and could be seen by root if he really wanted to.

Also, this is an alpha release (I wrote it in about an hour's time just today). Progressive.com, my car insurance, doesn't like any punctuation in a password. If I find other sites that don't like the generated password I may have to modify the hashing function, which would mean that any passwords created with this version would need to change to use a forthcoming version.
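
A sketch of the scheme described above, as an added example: it is not the author's site_pass.py and is compatible with neither it nor PwdHash. The choice of PBKDF2-HMAC-SHA256, the iteration count, the alphabets, the stripping of a leading www. and all function names are assumptions; the punctuation switch covers sites like the one mentioned above that reject punctuation.

```python
import hashlib
from urllib.parse import urlsplit

ALNUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
PUNCT = "!#$%*+-=?@_"
ITERATIONS = 200_000  # assumption: makes offline guessing of the master password slower


def site_key(url: str) -> str:
    """Reduce 'http://www.example.com/login' or 'example.com' to 'example.com'."""
    url = url.strip()
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat bare input as a host name
    host = urlsplit(url).hostname or ""  # hostname is already lowercased
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError("no host name found in input")
    return host


def site_password(master: str, url: str, length: int = 8,
                  punctuation: bool = True) -> str:
    """Derive the same password every time from the master password and the site."""
    alphabet = ALNUM + PUNCT if punctuation else ALNUM
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              site_key(url).encode("utf-8"),
                              ITERATIONS, dklen=4 * length)
    # Four bytes of output per character keep the modulo bias negligible.
    return "".join(
        alphabet[int.from_bytes(raw[4 * i:4 * i + 4], "big") % len(alphabet)]
        for i in range(length))


if __name__ == "__main__":
    import getpass
    master = getpass.getpass("Master password: ")
    print(site_password(master, input("Site: ")))
```

Switching the punctuation flag for a site changes its whole password, which is the same migration cost the post describes for a change of hashing function.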


Elections Hacked and 'Man of the Year'.

November 05, 2006 at 11:05 PM | categories: stupidity, liberty rants, security

I get excited around election time. I hope for change in this country and I think that my vote matters. There are so many exciting candidates running this year. With such a principled platform, and so many good candidates running, I have every hope in the world that there will be at least one libertarian victory this year.

Oh, but aren't I so naive?


Elections Hacked

The elections in this country are rigged. You might label me a conspiracy theorist for that statement, but before you do, watch this video: HBO's Elections Hacked. Here are just a few of the extraordinary things brought forth in this film:

  • With unmodified 2004 Diebold voting machines, Black Box Voting was able to show that they could rig an election by replacing the memory card with one which was specially prepared to skew the votes. Also, there was no evidence of tampering, and all of the security checks done by the unit itself passed both prior to and after the voting occurred. The memory cards also have an executable binary on them that could be modified to skew results while leaving no trace of the change besides the change itself. The votes on the paper log, those stored on the card, as well as the integrity checks performed by the machine would appear impeccable. The only way for someone to detect foul play would be to audit the memory card itself, which, because it's detachable from the voting machine, can easily be destroyed and/or replaced.
  • The GEMS system, Diebold's vote counting system, can easily be hacked by simply changing values in an unencrypted database that has no hash value checking. As long as you change the value outside of the GEMS system (i.e. with a hex editor), the GEMS system does not detect any foul play and assumes the value is correct.
  • Diebold claims that the memory cards used in their systems contain no binary executable component. A forensic analysis of an actual Diebold memory card proved otherwise. An executable on the memory card introduces the possibility of someone modifying the way in which votes are collected on the voting machines by simply replacing the memory card.

Do we have any proof of rigged elections in this country? No, and we probably never will -- there simply is no public access to scrutinize the voting process. But before labeling me a conspiracy theorist, please ask yourself: Isn't there enough evidence to prove that the elections COULD POSSIBLY be rigged without detection? If your answer is yes, then we have common ground and we need to do something about it. If your answer is no, prove me wrong, and if you're unable to do that, then you're simply not paying attention.

I am a computer scientist and I am completely disgusted by what Black Box Voting was able to uncover in the above-mentioned film. Here are very simple modifications that every Computer Science BS graduate I know of could implement with readily available and easy-to-use tools:

  • Hash value checking. If you perform a hash value function (e.g. md5 sum) over the entire memory card (as well as a separate hash specifically over the executable portion) before it is allowed to continue with the vote tabulation process, there is no way that someone could tamper with the memory card because the original hash value and the hash value of the card would not match. I am simply flabbergasted that this simple technique is not used in the Diebold system. In the film it was obvious that the only audit trail left behind on the paper log was that the initial vote counts were all zeros. Certainly this is good information to have, but in addition to that, it should report that every single bit of memory on the card is in its original condition, including the binary executable portion of the card, to ensure that it hasn't been tampered with. Diebold should publish the md5 sum of the executables on a public website and have several independent arbiters audit the code with the same md5 sum as published. Then the county should publish the md5 sum of a properly zeroed card on the election commission website, and then photographically scan and post on their website each signed paper log to show that the md5 sum printed on the log is exactly the same before vote tabulation occurs as the 'pristine' card's md5 sum. In case you didn't follow all that: if those guidelines were followed, it would PROVE that the card was not tampered with, as long as the independent arbiters were of good character and had a solid understanding of the code.
  • Encryption. Encryption is so incredibly easy to implement these days. As the video showed, the GEMS system database is obviously written in PLAIN TEXT. If the system were to simply apply a little basic encryption then modification of that data would be impossible unless the attacker were to know the key, which could be different at each precinct and generated just minutes before the polls open. Every computer science program in the country teaches at least something about encryption, so the fact that Diebold is not using it in their system shows they are either completely incompetent or completely fraudulent in their practices.
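
The two checks proposed above, as an added example (not code from the film, from Diebold or from this post): a digest over the whole card and over its executable portion compared against published values, and a per-precinct keyed tag over a tally record. It uses SHA-256 where the post mentions md5 sum, and a keyed MAC (HMAC) rather than encryption, since detecting a changed value is an integrity check; the card layout, record format and all names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed card layout (an assumption, not the Diebold format):
# bytes 0..63 hold the executable portion, the rest holds the vote counters.
EXEC_REGION = slice(0, 64)


def card_digests(image: bytes) -> dict:
    """Digests of the whole card and of its executable portion."""
    return {"card": hashlib.sha256(image).hexdigest(),
            "executable": hashlib.sha256(image[EXEC_REGION]).hexdigest()}


def verify_card(image: bytes, published: dict) -> list:
    """Names of the regions whose digest differs from the published value."""
    actual = card_digests(image)
    return [name for name in ("card", "executable")
            if not hmac.compare_digest(actual[name], published[name])]


def seal_tally(key: bytes, precinct: str, counts: dict) -> str:
    """Keyed tag over a tally record; an edit made without the key invalidates it."""
    record = precinct + "|" + "|".join(
        f"{c}={n}" for c, n in sorted(counts.items()))
    return hmac.new(key, record.encode("utf-8"), hashlib.sha256).hexdigest()


def tally_intact(key: bytes, precinct: str, counts: dict, tag: str) -> bool:
    return hmac.compare_digest(seal_tally(key, precinct, counts), tag)


def demo() -> dict:
    pristine = bytes(range(64)) + bytes(32)   # constructed program + zeroed counters
    published = card_digests(pristine)
    swapped = bytearray(pristine)
    swapped[10] ^= 0xFF                       # altered program, counters still zero
    key = secrets.token_bytes(32)             # per-precinct key made before polls open
    counts = {"A": 120, "B": 95}
    tag = seal_tally(key, "precinct-7", counts)
    edited = {"A": 95, "B": 120}              # values changed outside the system
    return {"pristine": verify_card(pristine, published),
            "swapped": verify_card(bytes(swapped), published),
            "zero_report_passes": swapped[64:] == bytes(32),
            "tally_ok": tally_intact(key, "precinct-7", counts, tag),
            "edited_ok": tally_intact(key, "precinct-7", edited, tag)}
```

The swapped card still shows all-zero counters, so the zero report alone passes while both digests fail.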

Certainly though, one of the absolute best practices for ensuring correct vote tabulation is to use paper ballots, which have worked just fine for a good long time. But even if, in the interests of performing vote counts rapidly, we desire an electronic voting system, an open-source, publicly scrutinizable voting system is a no-brainer. Why do we, the taxpayers, purchase a very expensive voting system and then not demand access into its internals?

Man of the Year

WARNING: movie plot spoilers ahead

Apparently, I am not alone in my view on electronic voting. Even the movies are talking about it. Last night I went to the theater and saw Man of the Year. The new Robin Williams movie about a third party candidate winning the presidential election is also all about how electronic voting might go wrong. It is also probably the worst movie I've seen this year. In all actuality, it is doing a superb job at misdirecting attention away from the fine efforts being done by Black Box Voting by showing how absurd a 'glitch' in the voting system might be. But before I tell you why I hated this film, let me tell you the few things I did like about this movie:

  • Dobbs (Robin Williams' character) is a third party candidate
  • He gets into the presidential debate (However, he does seem to get in with relative ease, which doesn't educate the public much on the problems third party candidates have in getting into the debates in the real world.)
  • He touches on some interesting current event topics (His TSA joke about the old lady being labeled a terrorist was especially funny)

But here is why I really hated this film:

  • Dobbs wins the election because of a 'glitch' in the electronic voting system. This 'glitch' is that any candidate with double letters in his name will win as long as those letters alphabetically precede any other candidate's double letters. Dobbs wins because he has two B's in his name (beating out Kellogg with two G's and Mills with two L's because B comes before G which comes before L). As a computer scientist, I found this plot device to be totally, absurdly, stupidly distracting throughout the entire movie. There is absolutely NO WAY that a 'glitch' of this nature would ever occur; it would have to be deliberate. But when Dobbs tells America that his election was incorrectly chosen, he is quick to point out that no foul play was involved and that it was simply an accidental computer 'glitch'. Had it been malicious, it probably would have made for a much more entertaining film, but then they would still have had to come up with a more involved, more realistic method for changing the votes. This plot device simply insulted my intelligence.
  • Eleanor, the voting system manufacturer whistle blower, meets Dobbs and has a grand old time with him, dancing, paintball shooting, a Thanksgiving dinner, but takes her sweet-ass time (almost a month) to tell Dobbs that the vote was a fraud. Then once she does tell him, Dobbs immediately believes her. Eleanor offers no proof to him whatsoever. What could have been a politically and technologically intriguing point died with a thud.

The worst part of this movie is that, as absurd as it is, it could make some people believe that this sort of thing is what the whole problem with real-world elections is about, and if they ever realize the absurdity of the movie, the credibility of anyone who casts doubt on the real-world election systems goes away with it. It's called misdirection, folks, and this movie has it bad.


So, we have elections in two days. Am I still excited? Even more so.


Digital Photograph Fingerprinting

April 21, 2006 at 06:19 PM | categories: python, security

Our printers have been spying on us for years, but soon we may be revealing our identity when we publicly post pictures we take with our digital cameras.

Jessica Fridrich, the holder of two new patents related to digital image fingerprinting, says she has been able to show statistically whether or not a particular camera took a picture in question. She asserts that each camera has a unique signature in the way it captures the image and that this signature will be visible in every image that the camera takes. If true, this brings up many privacy concerns; it is most certainly beneficial to individuals, and society in general, to be able to post pictures anonymously.

Computer images are just a long string of RGB values, which are easily modifiable. What if we were to randomize those values within a small delta (using appropriate software)? If the delta were small enough, the change would be unnoticeable to the human eye, but would render any statistical analysis for identification purposes impossible.

Here's some Python code to test my theory.

Here's an example test I ran. This is a scaled-down copy of the original image:

Here's the same image run through at delta = 2:

Here's the same image run through at delta = 20:

Here's the same image run through at delta = 100. Now it's really grainy:

Obviously, you want to pick the right delta level. I personally can't see much of a difference between the original and delta=2. The question is: at what point does the image lose its "statistical identity"? I would tend to think that it would lose the identity at even delta=2. At delta = 100 the picture becomes really grainy (although at low resolution it's easy to miss). When it comes time for the revolution though, I think we'll have more important things to worry about than grainy pictures.
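
A toy measurement of the question raised above, as an added example rather than the code linked from the original post: it randomizes each value within ±delta and reports how strongly a fixed per-pixel pattern still correlates with the result. The flat gray scene, the additive pattern in -2..2 standing in for a camera signature, and all names are constructed assumptions; it does not model Fridrich's method.

```python
import random

N_PIXELS = 20000   # constructed single-channel "image"
GRAY = 128         # flat mid-range scene, so the deltas used here never hit the clamp


def randomize(pixels, delta, rng):
    """Shift every value by a random amount in [-delta, delta], clamped to 0..255."""
    return [min(255, max(0, p + rng.randint(-delta, delta))) for p in pixels]


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def make_pattern(seed):
    """Constructed stand-in for one camera's fixed per-pixel offset (-2..2)."""
    rng = random.Random(seed)
    return [rng.randint(-2, 2) for _ in range(N_PIXELS)]


def surviving_correlation(delta, camera_seed=1, test_seed=None, noise_seed=99):
    """Correlate the randomized photo's residual with a camera pattern.

    test_seed selects the pattern being tested; by default it is the
    camera that took the photo, otherwise a different camera.
    """
    photo = [GRAY + k for k in make_pattern(camera_seed)]
    noisy = randomize(photo, delta, random.Random(noise_seed))
    residual = [p - GRAY for p in noisy]
    tested = make_pattern(camera_seed if test_seed is None else test_seed)
    return pearson(residual, tested)


if __name__ == "__main__":
    for d in (0, 2, 20, 100):
        print(d, round(surviving_correlation(d), 3),
              round(surviving_correlation(d, test_seed=2), 3))
```

In this model the correlation with the right camera drops from about 0.7 at delta = 2 to about 0.12 at delta = 20 while a different camera's pattern stays near zero, so the pattern is weakened rather than erased.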


ECSniff 0.6 released

January 17, 2006 at 11:56 PM | categories: python, security

I've just made an update to the Enigma Curry Network Sniffer.

Version 0.6 includes the following changes:

  • MSN instant message logging
  • FTP authentication logging
  • HTTP web page access logging
  • Subnet Filtering

ECSniff - Introducing the Enigma Curry Network Sniffer

January 13, 2006 at 01:59 AM | categories: python, security

I was talking to my friend Gandhi today. He's taking a really lame computer networking class this semester in order to fulfill graduation requirements. He's confident that he won't be learning a thing in the class.

This worries me a bit. I was told by one of my professors a few years ago that I would not need to take this class. Now Gandhi is being forced into it. Despite my having several years of experience in the field already, soon, I too may be forced into answering questions like "What is an IP address?" or even worse "How does the Internet make our lives easier?"....... shudder and shudder.

Maybe I can prove to them that I really don't need to take the class. I thought of showing them a picture of the server room at work. We have a little under 70 computers in there, all networked and maintained by me. Then again, maybe they think the class will teach me "the deep internals of networking" or something equally untrue of the class. So, I thought if push comes to shove, I'd show them that I can find anyone's email password on the network (assuming I have physical access, of course).

So without further ado, here is the Enigma Curry Network Sniffer.

This software is by no means original. There are umpteen different other programs out there that will do similar things. I wrote this one, however, by only reading the RFC documents available on the various protocols used. I wanted to make sure that I knew much more than will ever be taught in this dumb IS course. Plus, it was pretty fun to write.

Right now this software only does two things. It will scan the local network for connections to POP3 email servers and HTTP servers using Basic Authentication. Anytime someone on the network uses one of these very insecure protocols, it will display their username and password on the screen of the person running this program. You can also leave the program running and log the results to a file. For future versions, I think it would be fun to explore some instant messaging protocols like MSN... it would be fun to prove the necessity to some of my friends and coworkers of using Gaim-Encryption.

Go download the software if you'd like to try it out, but please don't get yourself into trouble! I take no responsibility for your actions.
