This Blog Is Not For Reading

A blog, just like any blog, only more so

  • Subscribe

  • Categories

  • RSS Bob Jonkman’s Microblog

    • bobjonkman repeated a notice by darius 20 February 2019
      RT @darius If I'm typing a bunch of unix command line stuff trying to figure out the right solution, and I eventually DO figure out the solution, one thing I do when possible is re-run the command with a comment like$ doing-the-thing.sh # This is the one that actually worksSo when I inevitably search my […]
    • Favorite 20 February 2019
      bobjonkman favorited something by darius: If I'm typing a bunch of unix command line stuff trying to figure out the right solution, and I eventually DO figure out the solution, one thing I do when possible is re-run the command with a comment like$ doing-the-thing.sh # This is the one that actually worksSo when I […]
    • Favorite 18 February 2019
      bobjonkman favorited something by kat: #tfw you think you know what you are doing... But type reboot on a remote server and your OWN workstation goes off.
    • New note by bobjonkman 18 February 2019
      And as a result I've spent the last two hours watching Emo Phillips on YouTube. https://www.youtube.com/watch?v=9nX_EaFBTPE et al.
    • Favorite 18 February 2019
      bobjonkman favorited something by indi: The second part of my interview with In-Sight Journal's Question Time about the term "Nones" is up! This part's about alternative terms. Looks like only one part left to go! https://medium.com/question-time/ask-mark-2-squeezing-more-some-things-from-nothings-eea9114021ff !atheism
    • Favorite 15 February 2019
      bobjonkman favorited something by clacke: The themes of TOS, TNG, DS9 and VOY all rearranged into one big beautiful thing!invidio.us/watch?v=-SRu_anT0PULots of VOY fans in the comments. 😀I'm overall not a big VOY fan, but it had many good aspects, and the theme music is definitely one of them.
    • bobjonkman repeated a notice by sim 15 February 2019
      RT @sim The less javascript a site uses and/or requires, the better.
    • Favorite 15 February 2019
      bobjonkman favorited something by sim: The less javascript a site uses and/or requires, the better.
    • New note by bobjonkman 11 February 2019
      *sigh*... 20 years ago... #User_Friendly
    • bobjonkman repeated a notice by lnxw37a2 11 February 2019
      RT @lnxw37a2 Every so often, I run across this. I laugh and laugh. I miss #User_Friendly. http://www.userfriendly.org/cartoons/archives/00jan/20000124.html #Depends

Shutting down ServiceOntario kiosks could be Considered Harmful

Posted by Bob Jonkman on 9th November 2012

Service Ontario kiosk with "Temporarily shut down" notice

ServiceOntario kiosk

The Ontario government has announced it is shutting down the ServiceOntario kiosks.

Closing the kiosks won’t do any good if the web site is no better secured. ServiceOntario had control over the hardware and software running on the kiosks, but they have no control over the computers people use to access the ServiceOntario web site. User PCs will have all sorts of malware running on them, and malusers can far more easily spend time breaking into a web site than a kiosk. Unless ServiceOntario has much better security on their web site, it is far more vulnerable than a kiosk.

In his article Government to discontinue ServiceOntario kiosks, Sameer Vasta asks if the ServiceOntario web site is ready to pick up the slack. His conclusion is yes, and although the web site user experience could be improved, he considers closing the kiosks a prudent move. But if the kiosk interface was so much easier to use, then the web site could use that interface too. Security isn’t created by the user interface — security needs to be built into the servers. Malusers are unlikely to use the web interface to launch their attacks; they’ll have more sophisticated tools to try to break into the servers.

Of course, since the ServiceOntario web site was already in place while the kiosks were operational it has been a potential vector for attack all along. Closing the kiosks doesn’t increase that vulnerability. And the vulnerability that prompted the government to shut down the kiosks was card skimming, which is not an issue on a Web site accessed from home. But shutting down a fully managed kiosk to be replaced by home users’ PCs that are full of malware does not look like a prudent move to me.

However, it should be cheaper to manage security on one web site than on 72 kiosks. The government reports that shutting the kiosks will save taxpayers about $6.3 million in one-time upgrading costs and $2.2 million in annual maintenance costs. The Star reports that Minister of Government Services Harinder Takhar says the kiosks cost $4 million to deploy, and it will cost $250,000 to remove them.

And shutting down the kiosks has one other benefit: If a security breach occurs as a result of using our own computers then ServiceOntario has successfully shifted blame, hasn’t it? Surely there will be a disclaimer in the fine print on the website somewhere!

–Bob.


ServiceOntario kiosk "Permanently Closed" notice

“Permanently Closed” notice Service Ontario kiosk.

The picture above shows a ServiceOntario kiosk with a notice indicating the kiosk is temporarily shut down. A new notice has been posted, which reads:

ServiceOntario Kiosks Are Now Permanently Closed.

After a thorough investigation into the safety and security issues surrounding ServiceOntario kiosks, it has been decided to permanently shut down the network.

All former kiosk services are conveniently available online, including:

  • License plate sticker renewal
  • Address change
  • Driver abstract

Fermeture permanente des kiosques ServiceOntario.

À la suite d’une enquête approfondie sur les problèmes de sécurité survenus dans les kiosques ServiceOntario, il a été décidé de fermer le réseau de façon permanente.

Tous les services anciennement founis dal les kiosques son offerts en ligne, notamment les suivants:

  • Renouvellement de la vignette d’immatriculation
  • Changement d’addresse
  • Résumé de dossier de conducteur.

We look forward to serving you.
For these services, and more than 40 other online services, or for a complete list of our locations and available services, please visit ServiceOntario.ca

Au plaisir de vous servir.
Pour ces services, et plus de 40 autres services en ligne, ou la liste complète de nos centres et de leurs services, visitez ServiceOntario.ca

Images courtesy of lothlaurien.ca used under a CC BYCreative Commons Attribution 2.5 Canada License license.

Thanx to my friend RW for the idea for this post, and her contributions.

Tags: , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in considered harmful, Politics, security | 4 Comments »

What to do about compromised Hotmail passwords

Posted by Bob Jonkman on 18th November 2010

autoroute à emails

autoroute à emails by Biscarotte

I administer a number of e-mail systems, and I’ve been seeing a lot of spam coming from Hotmail accounts recently. And both friends and clients have been telling me that it’s not them who are sending spam from Hotmail (and ending up in my e-mail systems), their accounts have been hacked. One person asked me:

Is it just Hotmail? What else could I use? Can’t I just change my password?

Changing passwords is only an effective solution if the account was compromised by social engineering, eg. the legitimate user giving out the password in a phishing attempt or other direct means, or if a simple password was guessed or cracked.

There is evidence that Hotmail and Yahoo’s password recovery mechanism is flawed (eg. the Sarah Palin breach), so that malusers can acquire a new password for an account. I don’t think this is happening, because victims are not reporting being locked out of their accounts. Of course, if the service merely sends out the current password then this may be what is happening, and no amount of password complexity will protect the account.

If the passwords were compromised by an automated password cracker then I would expect only simple passwords to be breached, and accounts with strong passwords would be safe. I do not know what kind of passwords were in use by the people who have compromised accounts, but it is likely they were simple passwords.

While I have no evidence, I think the current rash of breaches is due to a more systematic attack by URL munging, or fuzzing the inputs on a POST request, or some other attack vector. These attacks do not require an authenticated login, and in that case no amount of password complexity will provide security either.

I haven’t heard of similar compromised accounts in Gmail, so that may be a suitable alternative for now. I’ve been recommending that people use the mail accounts provided by their ISPs, largely so that they can make use of the ISP’s technical support if their accounts do get compromised. And, of course, if they’re paying their ISP for a mail account then there may be immunity from liability (“My mail account was compromised and I was paying my ISP for security, so all this spam is their fault”).

–Bob.

Update 5 Feb 2012: I retract the first sentence in the last paragraph. E-mail Administrator friends have been telling me that Google Mail is just as vulnerable as Hotmail and Yahoo. Having just read “Hacked!” in The Atlantic I’m convinced the problem of compromised mail accounts is worse than I thought, and that no online providers (especially the “free” ones) adequately protect the e-mail of their users.

autoroute à emails by Biscarotte is used under a Creative Commons by-sa-v2.0 license.

Tags: , , , , , , , , , , , ,
Posted in email, Internet, spam | 1 Comment »

 
Better Tag Cloud