Categories
Security Software

Quicken Security Theater

Quicken Password Confirmation

I don’t understand this one. The reason many (most) sites require you to confirm your password is to ensure you typed it correctly when creating it; otherwise a typo would prevent you from logging back in later. We’ve all “fat fingered” a password before. That simple confirmation step prevents it at creation time. How does entering my password twice when logging in provide any additional security? If the password is compromised, the extra field does nothing.

I presume the reason is to make Quicken look/feel more secure than it really is.

I should note that I like Quicken. I like it enough that even though the native Mac version is so disappointing on paper that I never purchased it, I did purchase the Windows version and continue to use it there. I think that demonstrates my not hating Quicken. It does however have its quirks that just make me wonder what they were thinking.

Categories
Software

On Square Skimmer Security Risks

There’s an “open letter” going around about the alleged security hole created by SquareUp, a startup that gives out free credit card readers for smart phones. To quote the meat of it:

In less than an hour, any reasonably skilled programmer can write an application that will “skim” – or steal – a consumer’s financial and personal information right off the card utilizing an easily obtained Square card reader. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.

Allow me to debunk the hell out of this:

  • To skim a card you need physical possession of the card. The numbers are printed on the front. No reader needed.
  • Skimming is normally done by attaching a device in front of a legitimate reader (such as an ATM) so it passively collects data. Not via cell phone. Stealing a credit card, walking to a back alley and skimming doesn’t make any sense.
  • Credit card numbers are worth almost nothing on the black market. They are sold in bulk. This process is too slow to be viable for even the most brain-dead of criminals to want to bother with.
  • There are easier methods than the above including phishing attacks, becoming a waiter (the best job for credit card thieves), or just hacking one of the many insecure ecommerce sites on the net. An ATM skimmer attached to an ATM is much more profitable and harder to get caught since you can leave and come back later.
  • Square’s dongle doesn’t encrypt data because it goes directly to the phone. You’d need to extensively modify the device to intercept anything. The connection from your phone to Square seems to be encrypted.
  • Oh yeah… They have their logo on top, but never link to their homepage or explain who they are. VeriFone is a vendor of credit card scanners. A direct competitor of Square. They also sell wireless scanners that would compete directly with Square. They cost a lot.

How’d I do?

Bonus:

VeriFone sells “contactless” point of sale systems. I’ve mentioned several times over the past few years how poorly thought out these seem to be. WREG recently did a great story on how easy it is to scan/clone one of these cards to a hotel key (full disclosure: WREG is an affiliate of my employer).

Conclusion:

If someone steals your credit card, it doesn’t make a difference whether they swipe it on their own scanner, read the numbers off it, or just run to the nearest store and buy things. Square isn’t the security hole here.

I’ve got a Square reader on hand and can say it’s cheaply made (obviously), but there is no reason at all to think it’s any less secure than any other terminal. The owner/operator of the terminal is the chief point of failure.

Categories
Apple Hardware Software

MacBook Pro Sleeps When Lid Closes

The MacBook Pro still has a quirk that has always bothered me. It’s not a hardware issue, it’s a software issue. Power users with laptops know about “closed clamshell” or “closed display” mode. That’s when you use a laptop with a desktop keyboard and mouse and the laptop remains closed. I don’t think any OS I’ve used gets this totally right; they all have their quirks. The MacBook Pro just has this one quirk that gets to me.

The problem with the MacBook Pro is when you have the computer open and on and you connect another display you’re given the option to mirror or use the display as a second display. If you mirror and close the laptop it goes to sleep. That’s completely illogical. There seems to be no way to disable going to sleep in this situation that I can find. I can’t imagine why anyone would want another behavior when closing a laptop while having a display and input device connected. When no display is connected and the laptop is closed, it should obviously sleep.

Searching on Google returns numerous forum threads with people who also have this gripe. Even a check box in the Energy Saver pref panel to facilitate this would do nicely.

For the record, Windows is no saint either. Its handling of monitor resolutions, especially when your desktop display is a different resolution from the laptop’s, is abhorrent. It can result in anything from reshuffling icons to putting windows outside the display area. I’ve never even bothered with such functionality in Linux, at least not yet, so I can’t speak to its competency in this area.

Categories
Apple Software

Mac Finally Gets H.264 Decoding In Flash

Adobe today pushed an update that enabled H.264 hardware decoding in Flash 10.1. It only works on certain newer Macs, and there are an assortment of caveats in which Flash will revert to software decoding, according to a Flash engineer.

I’ve only played with it for a few minutes on my Core i7 MacBook Pro, and things seem very speedy and my CPU didn’t see much of a spike. Hopefully enough videos will take advantage of hardware decoding that this will be a nice improvement.

I still believe WebM is the better future, but H.264 hardware decoding does make Flash less painful for the moment.

Categories
Hardware Software

Email Alarm System

I’ve been in the mood for some hardware hacking for a while. Recently at work I thought it would be nice to have a way to know if an important (emergency) email came in that required attention. These fire-drills are just part of the job. I have multiple computers and screens so an on-screen alert isn’t always effective. Audible alerts don’t work either because speakers are only connected to one computer at a time and often headphones are plugged in. I need something more independent.

My solution was to build a USB alarm system: two rotating LED lights to get attention visually, as well as a 76 dB piezo buzzer which chirps when the system activates to help get attention. The buzzer only chirps, and only when the system first invokes, so it’s not an annoyance. It’s enough to get attention, but not enough to bother others. It has multiple chirp patterns so that I can potentially set up multiple alert types.

Now we can really be on the ball!
P1 Bug Report Alarm
Obligatory goofy office signage

Categories
Apple Open Source Software

VirtualBox 3.2 Beta Supports Mac OS X Guests

Interestingly one of the new features in Sun Oracle’s VirtualBox 3.2 Beta is:

  • Experimental support for Mac OS X guests

I’m curious how they implemented that so that they steer clear of Apple’s legal team. I’m also curious how that runs. I may need to give that a try.

Categories
Software

Photoshop Content-Aware Fill


What’s likely the biggest feature in the upcoming Photoshop release is Content-Aware Fill. I’m sure the photos used for the demo work exceptionally well, better than it will in practice, but regardless it’s amazing technology and light years ahead of what’s currently out there.

Categories
Software

Fountain Of Youth

Duke Nukem 3D Fountain Of Youth

Ah the classics.

Categories
Open Source Software

Kernel Upgrade Fun

A few days ago I did a kernel upgrade from 2.6.24 to 2.6.32.1. Surprisingly, the load on the server has dropped slightly. The server is generally under minimal load, just the way I like it, so a drop is particularly surprising. It was restarted just a few weeks prior, so I don’t think the restart had an impact on load. Unscientifically, it appears the box is under the same level of usage as prior to the upgrade. The two spikes that delimit the restart are due to some log processing.

Server Load

Categories
Software

Microsoft Entourage Calendar Cache Problem

I’ve noticed that Microsoft Entourage 2008 sometimes falls out of sync with the Exchange server. This results in missing or outdated events on a calendar. When you use multiple computers and webmail this can become annoying. I’ve traced the problem to the cache in Entourage 2008 becoming either corrupt or stale for some unknown reason. Clearing the cache can be done manually (right click on the calendar and go into “Folder Properties” then press “empty cache”) or can be automated.

Obviously I prefer the automated route. Here’s the AppleScript I wrote:

-- Walk the Exchange accounts in order (1, 2, 3, ...) until one does not exist
set accountIterator to 1
tell application "Microsoft Entourage"
    repeat
        if (exists Exchange account accountIterator) then
            -- Flush every calendar cache for this account so Entourage re-syncs from the server
            empty cache of every calendar of Exchange account accountIterator
            set accountIterator to accountIterator + 1
        else
            -- No more accounts; stop iterating
            exit repeat
        end if
    end repeat
end tell

Save it as a script, I’ll call mine clearCal.scpt. Now place it somewhere. I’ll use /Users/me/clearCal.scpt.

Now in Terminal open your crontab via crontab -e and enter the following, adjusting the path to point to your script:

0 8 * * * osascript /Users/me/clearCal.scpt

Save (ctrl-o) and exit (ctrl-x).

This will run the script at 8:00 AM every morning and clear the cache. I’m pretty sure this will only work if you’re logged in, which is fine for me.
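Because the cron job silently does nothing useful when no GUI session is active, a small wrapper makes that condition explicit and leaves a log line either way. The script below is an added example, not the post’s own code: it reads the output of who to find the user owning the console (GUI) session, runs osascript only when that user is the one whose crontab fired, and appends the outcome to a log file. The script path and log path are assumptions you would adjust; point the cron line at this wrapper (with the argument run) instead of calling osascript directly.

```shell
#!/bin/sh
# Added example wrapper for the clearCal.scpt cron job (not from the original post).
# Assumed paths; override with environment variables or edit in place.
SCRIPT_PATH="${SCRIPT_PATH:-/Users/me/clearCal.scpt}"
LOG_FILE="${LOG_FILE:-$HOME/clearCal.log}"

# console_user: given the output of `who` as $1, print the user who owns the
# macOS console (GUI) session, or nothing when nobody is logged into the GUI.
console_user() {
    printf '%s\n' "$1" | awk '$2 == "console" { print $1; exit }'
}

# should_run: succeed (exit 0) only when the expected user ($1) owns the console
# session in the supplied `who` output ($2).
should_run() {
    [ "$(console_user "$2")" = "$1" ]
}

# run_clear_cache: run the AppleScript only when the GUI session belongs to the
# user whose crontab fired, logging what happened so silent failures are visible.
run_clear_cache() {
    if should_run "$(id -un)" "$(who)"; then
        if osascript "$SCRIPT_PATH" >>"$LOG_FILE" 2>&1; then
            printf '%s cache cleared\n' "$(date)" >>"$LOG_FILE"
        else
            printf '%s osascript failed\n' "$(date)" >>"$LOG_FILE"
        fi
    else
        printf '%s no console session for this user, skipped\n' "$(date)" >>"$LOG_FILE"
    fi
}

# Only perform the real work when invoked with "run", e.g. from cron:
#   0 8 * * * /Users/me/clearCal.sh run
case "${1:-}" in
    run) run_clear_cache ;;
esac
```

The console check relies on macOS listing the GUI login as the tty named console in who output, so the same wrapper is harmless on a box with no GUI session: it just records that it skipped.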

Warning: Clearing the cache means that if an event wasn’t synced to the Exchange server it will be lost. In my case I find this to be the lesser evil. Obviously if you use this, it’s at your own risk.