This Blog Is Not For Reading

A blog, just like any blog, only more so

  • Subscribe

  • Categories

  • RSS Bob Jonkman’s Microblog

    • bobjonkman repeated a notice by lnxw48a1 31 January 2021
      RT @lnxw48a1 @geniusmusing Yeah. :-( I think the #blockwars folks may have indirectly caused this. There are people who file complaints against client apps that don’t build in blocklists against specific servers whose moderation policies they dislike. I think that #Matrix / #Element competes with one or more Google-owned chat-type services. Since they gatekeep the […]
    • Favorite 31 January 2021
      bobjonkman favorited something by lnxw48a1: @geniusmusing Yeah. :-( I think the #blockwars folks may have indirectly caused this. There are people who file complaints against client apps that don’t build in blocklists against specific servers whose moderation policies they dislike. I think that #Matrix / #Element competes with one or more Google-owned chat-type services. Since […]
    • New note by bobjonkman 30 January 2021
      And I can't figure out how to connect to a particular server. The #Patchwork #SSB client I'm using has a "+ Join Server" field, but it requires an invitation code. Which I can't generate unless I have a pub server. Which I can't join until I have an invitation code... Sigh. #SSB: Concept: A+ ; […]
    • New note by bobjonkman 29 January 2021
      I was on #SSB Secure Scuttlebutt for a while (attended an #SSB seminar at last year's LibrePlanet conference), but the application was so resource intense that my laptop couldn't keep up. And, there wasn't the network effect I needed to make it useful. While there are probably interesting people to converse with, I have no […]
    • New note by bobjonkman 23 January 2021
      Oh, hang on. It's @joeyh who reveals the inadequacy of #journalism. Not the article author, @Jonemo@twitter.com #ReadingComprehension
    • New note by bobjonkman 23 January 2021
      @lnxw48a1 writes "In this post, Joey H. accidentally reveals a major reason why #news_media / #journalism is so bad today." This didn't leap out at me. Is it because good, in-depth reporting requires A LOT of research and hard work, and that modern journalism is adequately rewarded by re-Tweeted sound bites?
    • New note by bobjonkman 23 January 2021
      What an excellent #LongRead article! "Exploring the Supply Chain of the Pfizer/BioNTech and Moderna COVID-19 vaccines" https://blog.jonasneubert.com/2021/01/10/exploring-the-supply-chain-of-the-pfizer-biontech-and-moderna-covid-19-vaccines/
    • bobjonkman repeated a notice by lnxw48a1 23 January 2021
      RT @lnxw48a1 Explaining the supply chain of Pfizer & Moderna #COVID-19 vaccines: https://nu.federati.net/url/279451 Source: https://octodon.social/@joeyh/105606567412940936 #2019-nCoV | #coronavirus | #SARS-CoV-2 In this post, Joey H. accidentally reveals a major reason why #news_media / #journalism is so bad today.
    • Favorite 23 January 2021
      bobjonkman favorited something by lnxw48a1: Explaining the supply chain of Pfizer & Moderna #COVID-19 vaccines: https://nu.federati.net/url/279451 Source: https://octodon.social/@joeyh/105606567412940936 #2019-nCoV | #coronavirus | #SARS-CoV-2 In this post, Joey H. accidentally reveals a major reason why #news_media / #journalism is so bad today.
    • New note by bobjonkman 22 January 2021
      That was much better than I expected it to be. Covers the spectrum of opinions of several #ITSec professionals, and does not strike an alarmist note. Sadly, somewhat devoid of practical advice, tho. https://www.hipaajournal.com/hipaa-password-requirements/

Auto-Type Keywords for KeepassX

Posted by Bob Jonkman on 1st November 2016

KeepassX logo

KeepassX

I use KeePassX to keep track of passwords for web sites, server logins, and encrypted disks. And, at the touch of a keystroke, KeepassX can auto-type login names and passwords to those web sites, servers, and disks.

By default, KeepassX sends the sequence

{USERNAME}{TAB}{PASSWORD}{ENTER}

but if the Username field is blank then KeepassX just sends

{PASSWORD}{ENTER}

or if the Password field is blank then KeepassX only sends

{USERNAME}{ENTER}

But what other things can KeepassX send? A quick look at the AutoType.cpp source code reveals these additional keystrokes:

  • {tab}
  • {enter}
  • {up}
  • {down}
  • {left}
  • {right}
  • {insert} or {ins}
  • {delete} or {del}
  • {home}
  • {end}
  • {pgup}
  • {pgdown}
  • {backspace} or {bs} or {bksp}
  • {break}
  • {capslock}
  • {esc}
  • {help}
  • {numlock}
  • {ptrsc}
  • {scolllock}
  • {add} or {+}
  • {subtract}
  • {multiply}
  • {divide}
  • {^}
  • {%}
  • {~}
  • {(}
  • {)}
  • {{}
  • {}}
  • {f1}
  • {f2} .. {f16}

KeepassX is written by Felix Geyer and Florian Geyer with reporter Tarquin Winot, and is released under the GNU head logoGNU General Public License.

Tags: , , , ,
Posted in FLOSS, security, Software | Comments Off on Auto-Type Keywords for KeepassX

Chotchkie’s Passwords

Posted by Bob Jonkman on 7th March 2015

Note to security policy admins: Be sure there are technical means to enforce the policies you set, because, like physics, people tend towards the lowest energy levels.

It’s amazing what a little search’n’replace will do.

Manager: We need to talk about your password.

Joanna: Really? I… I have fifteen characters. I, also…

Manager: Well, okay. Fifteen is the minimum, okay?

Joanna: Okay.

Manager: Now, you know it’s up to you whether or not you want to just do the bare minimum. Or… well, like Brian, for example, has thirty seven characters in his password, okay. And a terrific smile.

Joanna: Okay. So you… you want me to use more?

Manager: Look. Joanna.

Joanna: Yeah.

Manager: People can get a password anywhere, okay? They come to Chotchkie’s for the atmosphere and the security. Okay? That’s what the password’s about. It’s about security.

Joanna: Yeah. Okay. So more then, yeah?

Manager: Look, we want you to secure yourself, okay? Now if you feel that the bare minimum is enough, then okay. But some people choose to have more and we encourage that, okay? You do want to secure yourself, don’t you?

Joanna: Yeah, yeah.

Manager: Okay. Great. Great. That’s all I ask.

Later…

Manager: We need to talk.

Joanna: Yeah…

Manager: Do you know what this is about?

Joanna: My password?

Manager: Yeah. Or your, um, lack of password. ‘Cause I’m counting, and I see only fifteen characters. Let me ask you a question, Joanna. What do you think of a person who only does the bare minimum?

Joanna: What do I think? You know what, Stan, if you want me to have 37 characters in my password, like your pretty boy over there, Brian, why don’t you just make the minimum 37 characters?

Manager: Well, I thought I remembered you saying that you wanted to secure yourself.

Joanna: Yeah. You know what, yeah, I do. I do want to secure myself, okay. And I don’t need 37 characters in my password to do it!

Tags: , , ,
Posted in security | Comments Off on Chotchkie’s Passwords

What to do about compromised Hotmail passwords

Posted by Bob Jonkman on 18th November 2010

autoroute à emails

autoroute à emails by Biscarotte

I administer a number of e-mail systems, and I’ve been seeing a lot of spam coming from Hotmail accounts recently. And both friends and clients have been telling me that it’s not them who are sending spam from Hotmail (and ending up in my e-mail systems), their accounts have been hacked. One person asked me:

Is it just Hotmail? What else could I use? Can’t I just change my password?

Changing passwords is only an effective solution if the account was compromised by social engineering, eg. the legitimate user giving out the password in a phishing attempt or other direct means, or if a simple password was guessed or cracked.

There is evidence that Hotmail and Yahoo’s password recovery mechanism is flawed (eg. the Sarah Palin breach), so that malusers can acquire a new password for an account. I don’t think this is happening, because victims are not reporting being locked out of their accounts. Of course, if the service merely sends out the current password then this may be what is happening, and no amount of password complexity will protect the account.

If the passwords were compromised by an automated password cracker then I would expect only simple passwords to be breached, and accounts with strong passwords would be safe. I do not know what kind of passwords were in use by the people who have compromised accounts, but it is likely they were simple passwords.

While I have no evidence, I think the current rash of breaches is due to a more systematic attack by URL munging, or fuzzing the inputs on a POST request, or some other attack vector. These attacks do not require an authenticated login, and in that case no amount of password complexity will provide security either.

I haven’t heard of similar compromised accounts in Gmail, so that may be a suitable alternative for now. I’ve been recommending that people use the mail accounts provided by their ISPs, largely so that they can make use of the ISP’s technical support if their accounts do get compromised. And, of course, if they’re paying their ISP for a mail account then there may be immunity from liability (“My mail account was compromised and I was paying my ISP for security, so all this spam is their fault”).

–Bob.

Update 5 Feb 2012: I retract the first sentence in the last paragraph. E-mail Administrator friends have been telling me that Google Mail is just as vulnerable as Hotmail and Yahoo. Having just read “Hacked!” in The Atlantic I’m convinced the problem of compromised mail accounts is worse than I thought, and that no online providers (especially the “free” ones) adequately protect the e-mail of their users.

autoroute à emails by Biscarotte is used under a Creative Commons by-sa-v2.0 license.

Tags: , , , , , , , , , , , ,
Posted in email, Internet, spam | 1 Comment »

 
Better Tag Cloud