Category Archives: Software

If it’s not hard, it’s software

Quicken Security Theater

Posted on by
2

Quicken Password Confirmation

I don’t understand this one. The reason many (most) sites require you to confirm your password is to ensure you typed it correctly when creating your password, otherwise a typo would prevent you from logging back in correctly later. We’ve all “fat fingered” a password before. That simple confirmation step prevents it on creation. How does entering my password twice when logging in provide any additional security? If the password is compromised, the extra field does nothing.

I presume the reason is to make Quicken look/feel more secure than it really is.

I should note that I like Quicken. I like it enough that even though the native Mac version is so disappointing on paper that I never purchased it, I did I purchased the Windows version and continue to use it there. I think that demonstrates my not hating Quicken. It does however have its quirks that just make me wonder what they were thinking.

On Square Skimmer Security Risks

Posted on by
11

There’s an “open letter” going around about the alleged security hole created by SquareUp, a startup that gives out free credit card readers for smart phones. To quote the meat of it:

In less than an hour, any reasonably skilled programmer can write an application that will “skim” – or steal – a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.

Allow me to debunk the hell out of this:

  • To skim a card you need physical possession of the card. The numbers are printed on the front. No reader needed.
  • Skimming is normally done by attaching a device in front of a legitimate reader (such as an ATM) so it passively collects data. Not via cell phone. Stealing a credit card, walking to a back ally and skimming doesn’t make any sense.
  • Credit cards numbers are worth almost nothing on the black market. They are sold in bulk. This process is to slow to be viable for even the most brain-dead of criminals to want to bother with.
  • There are easier methods than the above including phishing attacks, becoming a waiter (the best job for credit card thieves), or just hacking one of the many insecure ecommerce sites on the net. An ATM skimmer attached to an ATM is much more profitable and harder to get caught since you can leave and come back later.
  • Square’s dongle doesn’t encrypt data because it goes directly to the phone. You’d need to extensively modify the device to intercept anything. The connection from your phone to Square seems to be encrypted.
  • Oh yea… They have their logo on top, but never link to their homepage or explain who they are. VeriFone is a vendor of credit card scanners. A direct competitor of Square. They also sell wireless scanners that would compete directly with Square. They cost a lot.

How’d I do?

Bonus:

VeriFone sells “contactless” point of sale systems. I’ve mentioned several times over the past few years how poorly thought out these seem to be. WREG recently did a great story on how easy it is to scan/clone one of these cards to a hotel key (full disclosure: WREG is an affiliate of my employer).

Conclusion:

If someone steals your credit card swiping it on their own scanner, reads the numbers off, or just running to the nearest store and buying things, it doesn’t make a difference. Square isn’t the security hole here.

I’ve got a square reader on hand and can say it’s cheaply made (obviously), but no reason at all to think it’s any less secure than any other terminal. The owner/operator of the terminal is the chief point of failure.

MacBook Pro Sleeps When Lid Closes

Posted on by
Reply

The MacBook Pro still has a quirk that has always bothered me. It’s not a hardware issue, it’s a software issue. Power users with laptops know about “closed clamshell” or “closed display” mode. That’s when you use a laptop with a desktop keyboard and mouse and the laptop remains closed. I don’t think any OS I’ve used totally gets this totally right, they all have their quirks. The MacBook Pro just has this one quirk that gets to me.

The problem with the MacBook Pro is when you have the computer open and on and you connect another display you’re given the option to mirror or use the display as a second display. If you mirror and close the laptop it goes to sleep. That’s completely illogical. There seems to be no way to disable going to sleep in this situation that I can find. I can’t imagine why anyone would want another behavior when closing a laptop while having a display and input device connected. When no display is connected and the laptop is closed, it should obviously sleep.

Searching on Google returns numerous forum threads with people who also have this gripe. Even a check box in the Energy Saver pref panel to facilitate this would do nicely.

For the record Windows is no saint either. It’s handling of monitor resolutions, especially if your desktop display is a different resolution is abhorrent. It can result in anything from reshuffling icons to putting windows out of the display area. I’ve never even bothered with such functionality in Linux, at least not yet so I can’t speak to its competency in this area.

Mac Finally Gets H.264 Decoding In Flash

Posted on by
Reply

Adobe today pushed an update that enabled H.264 hardware decoding in Flash 10.1. It only works on certain newer Mac’s and there are an assortment of caveats in which Flash will revert to software decoding according to a Flash Engineer.

I’ve only played with it for a few minutes on my Core i7 MacBook Pro, and things seem very speedy and my CPU didn’t see much of a spike. Hopefully enough videos will take advantage of hardware decoding that this will be a nice improvement.

I still believe WebM is the better future, but H.264 hardware decoding does make Flash less painful for the moment.

Email Alarm System

Posted on by
Reply

I’ve been in the mood for some hardware hacking for a while. Recently at work I thought it would be nice to have a way to know if an important (emergency) email came in that required attention. These fire-drills are just part of the job. I have multiple computers and screens so an on-screen alert isn’t always effective. Audible alerts don’t work either because speakers are only connected to one computer at a time and often headphones are plugged in. I need something more independent.

My solution was to build a USB alarm system: Two rotating LED lights to get attention visually as well as a 76 db piezo buzzer which chirps when the system is activates to help get attention. The buzzer only chirps and only when the system first invokes so it’s not an annoyance. It’s enough to get attention, but not enough to bother others. It has multiple chirps so that I can potentially setup multiple alert types.

Now we can really be on the ball!
P1 Bug Report Alarm
Obligatory goofy office signage

Continue reading

Kernel Upgrade Fun

Posted on by
Reply

A few days ago I did a kernel upgrade from 2.6.24 to 2.6.32.1. Surprisingly the load on the server has dropped slightly. The server is generally under minimal load, just the way I like it so a drop is particularly surprising. It was restarted just a few weeks prior, so I don’t think the restart had an impact on load. Unscientifically it appears the box is under the same level of usage as prior to the upgrade. The two spikes that delimit the restart are due to some log processing.

Server Load