(No, not retinal scans :)

After upgrading the home server today, I was looking through the logs, and noticed several simultaneous username/password guessing scripts probing the machine, connecting via SSH. Fortunately the machine that actually serves incoming SSH connections is a virtual machine, locked down with few packages installed and (relatively) good passwords. I still feel dirty, though.

I’m going to have to install a good portknocking package, I think. In the meantime, I’ve locked down the home server to only accept incoming SSH from a small number of machines. I should have done this long ago (both persephone and penelope already have this), but custom firewall rules with DD-WRT are hard, and so I punted.

This also means I’m probably going to have to replace my crappy Linksys running DD-WRT with a full-blown Linux box so that I can create a proper firewall. I really wonder sometimes if this whole “Internet” thing is worth the trouble.

posted at 9:36 pm on Friday, November 06, 2009 in Security | Comments Off on probes

less than one percent

I saw a story recently about a musician who took out an ad in a magazine to sell CDs, and ended up only receiving four orders. I don’t want to quote the whole thing, so the original is worth reading (“and if only one percent of those people…”:).

In particular, the punch-line struck me as interesting in the context of SPAM and 419 scams and similar issues:

bq. He forgot there was a number lower than one percent.

Why do SPAM and email scams work? Because there is a number lower than one percent, and because sending millions of e-mails is virtually free. Taking my recent “work on a cruise ship” scam e-mail, we have to remember that if only 100 people are sucked in, that’s still $32,000 revenue for the scammer…

posted at 8:38 pm on Wednesday, October 21, 2009 in Security | Comments Off on less than one percent

New 419 style scam

I just received unsolicited email offering jobs on a cruise ship; all I have to do is send a bunch of personal data and $320 for processing. They say all unplaced applicants will have their money refunded… Do you believe them?

posted at 2:40 pm on Wednesday, October 21, 2009 in Security | Comments Off on New 419 style scam

outside the box

Apparently there are many secret cables buried in and around Washington, DC. The “call before you dig” guys don’t know about them, so if you dig one up, guys in suits driving black SUVs arrive. Which of course creates a social engineering attack:

bq. So if I want to stop a construction project in the DC area, all I need to do is drive up in a black SUV, wear a suit and sunglasses, and refuse to identify myself.

“Secret Government Communications Cables Buried Around Washington, DC”:

posted at 9:39 am on Monday, June 08, 2009 in Links, Security | Comments Off on outside the box

Fear of Aerial Images

Schneier on Security: Fear of Aerial Images

Yet another “refuse to be terrorized” article from Bruce Schneier, this time about satellite images in online mapping services…

bq. “It struck me that a person in a tent halfway around the world could target an attack like that with a laptop computer,” said Anderson, a Republican legislator who represents San Diego’s East County. Anderson said he doesn’t want to limit technology, but added, “There’s got to be some common sense.”

The usual rebuttal applies:

bq. Criminals have used telephones and mobile phones since they were invented. Drug smugglers use airplanes and boats, radios and satellite phones. Bank robbers have long used cars and motorcycles as getaway vehicles, and horses before then. I haven’t seen it talked about yet, but the Mumbai terrorists used boats as well. They also wore boots. They ate lunch at restaurants, drank bottled water, and breathed the air. Society survives all of this because the good uses of infrastructure far outweigh the bad uses, even though the good uses are — by and large — small and pedestrian and the bad uses are rare and spectacular. And while terrorism turns society’s very infrastructure against itself, we only harm ourselves by dismantling that infrastructure in response — just as we would if we banned cars because bank robbers used them too.

(the last quote is from

posted at 9:35 am on Monday, June 08, 2009 in Links, Security | Comments Off on Fear of Aerial Images

Perverse Security Incentives

Yet another example of the premise that if you want to understand the world around you, look for the incentives…

Schneier on Security: Perverse Security Incentives

bq. Incentives explain much that is perplexing about security trade-offs. Why does King County, Washington, require one form of ID to get a concealed-carry permit, but two forms of ID to pay for the permit by check? Making a mistake on a gun permit is an abstract problem, but a bad check actually costs some department money.

bq. In the decades before 9/11, why did the airlines fight every security measure except the photo-ID check? Increased security annoys their customers, but the photo-ID check solved a security problem of a different kind: the resale of nonrefundable tickets. So the airlines were on board for that one.

And so on…

posted at 9:39 am on Wednesday, April 01, 2009 in Links, Security | Comments Off on Perverse Security Incentives

defense in depth

“The World’s Biggest Diamond Heist”:

These guys managed to blow through many layers of hi-tech security with careful planning and some low-tech tricks, and one huge security gaffe: the “unduplicatable” key for the vault was hung on the wall in a storeroom next door.

My favorite bit, I think, was how they disabled a magnetic sensor on the vault door, that would detect the door being opened; they brought a piece of aluminum covered in double-sided tape, stuck it over the sensor pieces, unscrewed the pieces from the vault door and door frame, and swung them out of the way. The sensor was never triggered because the two pieces remained in contact…

The article is a bit long, but it’s worth reading both for how they got through all of the security, and the one stupid mistake they made that led to them all getting caught…

posted at 9:17 am on Thursday, March 12, 2009 in Links, Security | Comments Off on defense in depth

internet threat overblown

Who would have thought that a threat to children would be exaggerated by parents, teachers, and the media? “Not I,” he said sarcastically…

I’m not sure how long this link will last, so check it out:

“Internet threat to minors overblown: study”:

bq. The report, released on Wednesday, suggests that the biggest threats to children’s safety online may come from other children, and that their own behaviour could contribute to the trouble they encounter.

bq. “The risks minors face online are complex and multifaceted and are in most cases not significantly different than those they face offline,

bq. They said bullying and harassment, especially by peers, are the most frequent problem minors face both online and elsewhere.

As an aside, I’m particularly amused by the “fairness in reporting” content later in the article. The CEO of a company that _sells software_ to protect minors says that “more needs to be done”. I’m sure everyone agrees that he’s hopelessly biased, but modern journalistic standards require that both sides of a dispute be covered equally, regardless of the distribution of supporters to nay-sayers or the inherent bias of either party.

Granted, my excerpts are probably biased too, so go read the article yourself. :)

posted at 11:00 am on Friday, January 16, 2009 in Current Events, Links, Security | Comments Off on internet threat overblown

timing is everything

Take a new computer and install Windows XP. Connect it to the Internet to download service packs and other patches. Before you have finished downloading and installing, your computer will have been hacked. There are so many automated probes running that you’re almost 100% sure to be infected by one of them. Researchers do this all the time with honeypots, to find out what payloads are currently in the wild.

I had installed a new Windows 2003 Server, had finished downloading and installing SP2, and was in the middle of downloading and installing the 51 patches released since, when IT Security hacked into the server and shut it down (disabling TCP/IP and the boot, of course)…


posted at 9:37 pm on Wednesday, January 07, 2009 in Personal, Security | Comments (1)
  1. Ron says:

    One of my reasons I refuse to use Windows in “real life” ;-)

back to work

And what a way to come back to work it was!

Over the holidays, IT security used the Windows RPC flaw to “break in” to all of my Windows servers. The payload disabled TCP/IP in the registry, and modified the boot.ini to disable system startup. I spent today manually booting servers one by one and re-enabling TCP/IP, so that I could download and install the required patches. I am extremely glad that I have remote consoles on all of my servers, or I would have had to make the long trek out to Mississauga to fix everything!

The important servers are back up, but I probably have another day of this before everything’s back to normal. Ugh…

posted at 6:33 pm on Monday, January 05, 2009 in Personal, Security | Comments (1)
  1. David Brake says:

    So you and your own IT security bods are in some kind of ongoing war?


One of my computers managed to get itself infected with that evil Trojan that keeps popping up the “Warning! Your Computer May Be Infected!” window, to convince you to download and install more nefariously evil software.

I’ve spent the last hour cleaning it with various utilities; they’re starting to report “0 infections” now.


posted at 10:25 pm on Tuesday, December 09, 2008 in Personal, Security | Comments Off on trojans

IBM Identity Management

I’m surprised this announcement took so long:

*IBM to Bail Out HP Security Software Customers*

read it at “yahoo”: or “marketwire”:

posted at 12:46 pm on Wednesday, October 01, 2008 in Personal, Programming, Security | Comments (1)
  1. RG says:

    I got this as an internal email flash this morning and just chuckled. I agree this seemed to have dropped out of a time warp or something…

weakest link

The Weakest Link

I thought I had posted this photo a long time ago, but I can’t find it now, so here it is again. (It came up on Fairly Oddparents this morning).

I first saw this on “Bruce Schneier’s security weblog”:

(As it turns out, I had uploaded it to Gallery, but still never linked it here. Must have been distracted. Damned kids, get off my lawn! :-)

posted at 9:11 am on Thursday, August 07, 2008 in Humour, Links, Security | Comments Off on weakest link

Debian / Ubuntu and OpenSSL

(See “Debian Security Advisory 1571”: and “SSLkeys”:

This seems appropriate somehow:


posted at 8:38 am on Wednesday, May 14, 2008 in Programming, Security | Comments Off on Debian / Ubuntu and OpenSSL


Today I finally learned how to solve the NFS UID problem on Ubuntu.

You see, NFS normally does its permissions by numeric UID. If the UIDs on two different machines don’t match, then NFS permission checking doesn’t work; you don’t get access to your own files, and you might get access to somebody else’s files instead!

Ubuntu, of course, has no standard UIDs, not even for system services. So my four ubuntu boxes here each have different username <> UID maps.

Enter the ugidd package, which is an RPC daemon that runs on the client. The NFS server calls this daemon when a mount request comes in, and dynamically builds a UID map between the server and the client, based on the string usernames. As a side effect, it also seems to map userids that are not assigned on the client to ‘nobody’. In this way, the nfs server can map UIDs between systems, without the administrator (that’s me!) maintaining static map files.

The one downside is that this feature requires the user-space NFS server instead of the kernel nfs server, so performance suffers a bit. I have CPU to spare, though!

Now I can use NFS between my MythTV boxes :-)
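To make the UID problem and the ugidd-style fix concrete, here is an added example (my own illustration, not code from the ugidd package) that parses two constructed passwd snippets, reports where one numeric UID names different users on the two machines, and builds the username-keyed map with unknown users sent to ‘nobody’:

```python
"""Simulate the username-based UID mapping that rpc.ugidd performs.

Added example, not code from the ugidd package: it parses two constructed
/etc/passwd snippets (server and client), builds a client-UID -> server-UID
map keyed by username and maps usernames unknown on the server to 'nobody',
as the post describes.  numeric_collisions() shows the hazard of plain
numeric-UID NFS: one number naming different users on the two machines.
"""

NOBODY_UID = 65534  # conventional 'nobody' UID on Debian/Ubuntu


def parse_passwd(text):
    """Return {username: uid} from passwd-format lines (name:x:uid:gid:...)."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError("malformed passwd line: %r" % line)
        users[fields[0]] = int(fields[2])
    return users


def build_uid_map(server_users, client_users):
    """Map each client UID to the server UID of the same username.

    A client account with no matching server username maps to NOBODY_UID,
    so it cannot inherit the files of an unrelated server user."""
    return {client_uid: server_users.get(name, NOBODY_UID)
            for name, client_uid in client_users.items()}


def numeric_collisions(server_users, client_users):
    """(uid, server_name, client_name) triples where one UID names two users.

    This is the 'access to somebody else's files' failure of numeric-UID NFS."""
    server_by_uid = {uid: name for name, uid in server_users.items()}
    return sorted((uid, server_by_uid[uid], name)
                  for name, uid in client_users.items()
                  if uid in server_by_uid and server_by_uid[uid] != name)


# Constructed sample passwd files: 'mythtv' is UID 1001 on the server but
# 1002 on the client, where UID 1001 belongs to 'guest' instead.
SERVER_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
mythtv:x:1001:1001:MythTV:/home/mythtv:/bin/bash
"""
CLIENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
mythtv:x:1002:1002:MythTV:/home/mythtv:/bin/bash
"""

if __name__ == "__main__":
    server, client = parse_passwd(SERVER_PASSWD), parse_passwd(CLIENT_PASSWD)
    print("numeric-UID collisions:", numeric_collisions(server, client))
    print("ugidd-style map:", build_uid_map(server, client))
```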

posted at 12:56 pm on Wednesday, March 12, 2008 in Personal, Security | Comments Off on rpc.ugidd

real-world passwords

An analysis of a large collection of passwords gathered in a Myspace phishing attack reveals that passwords are getting better, although:

bq. We used to quip that “password” is the most common password. Now it’s “password1.” Who said users haven’t learned anything about security?

Schneier on Security: Real-World Passwords

posted at 1:20 pm on Wednesday, December 20, 2006 in Links, Security | Comments (1)
  1. Nita says:

    I have this theory that I should let LB put a bunch of his magnets on the fridge, take a photo of him standing in front of it, then use it as my password generator and desktop background.

the new sneakernet

Schneier on Security: Tracking People by their Sneakers

Researchers at the University of Washington have demonstrated a surveillance system that automatically tracks people through the Nike iPod Sport Kit.

posted at 9:26 am on Wednesday, December 13, 2006 in Links, Security | Comments Off on the new sneakernet

modern info warfare

Feint and attack; move and countermove. The escalation is constant.

Steel armor meant the end of bows and crossbows. Firearms that could punch through armour made it useless as a defense, since armor only made the soldier slow and uncoordinated; a sitting duck. A close formation of infantry firing volleys by the numbers was unstoppable, until the devastation of the machine gun spelled their demise. Kevlar armor influenced the development of armor-piercing rounds (which, incidentally, are *less* deadly because they tend to go through their targets).

Technology is no different:

* Many modern computer viruses and trojans are capable of automatically disabling anti-virus software.

* Carjackings are on the rise, not because criminals necessarily like violent crime, but because with modern auto security systems it’s the only way to steal the car.

* In Denmark, criminals are breaking into stores and ransacking them; not because they like trashing stores, but because they can install ATM card-skimming hardware while everyone is distracted.

* In the Netherlands, they’re less subtle; they simply blow up the ATM and scoop the cash as it flutters down. (Kind of reminds me of the back-hoe technique of driving up and scooping the ATM out of the wall :).

The more things change, the more they stay the same.

posted at 9:46 pm on Friday, March 10, 2006 in Current Events, Security | Comments Off on modern info warfare


I went to log on to my Group RRSP provider’s website today. Thanks to a misguided policy that HR introduced this year, my January RRSP contributions ended up in a non-registered plan, and I wanted to fix it. It turned out that I can fix this particular problem on the web, but that’s beside the point.

When I logged in, I was informed that my password had expired, and must be changed. It’s been 18 months since I logged in (yes, I check my quarterly statements, but I’m happy with the results; no changes required). I dutifully filled in the boxes, only to be faced with password strength requirements. Now, the whole point of these things is to prevent high-speed, dictionary-based password guessing attacks. You can’t launch a high-speed guessing attack against this website because it’s really slow, and after a certain number of failures, your account is locked out. And we have the research to prove that these kinds of passwords are less secure, because people cannot remember them and are forced to write them down. But a bunch of security consultants are getting paid to write password policies, and they’re an insurance company so they care greatly about liability, so there you go.

Anyway, for as yet unknown reasons, I managed to fumble the password change, so I couldn’t get back into my account. So then I trundled off to the password reset page. And it occurred to me:

* My password expires regularly. The problem is, I don’t login regularly (who moves RRSP funds around that often, anyway?).
* Password strength rules are enforced (mixed-case, numbers or symbols, minimum length, etc.)

And yet, the password reset page does none of this, and doesn’t have any other security checks! At least they used to make me phone Ireland to change my password. Now, I type in the answer to my challenge question, my date of birth, and instantly a new password is printed on the screen. The answer to my challenge question doesn’t have to be mixed case or have numbers, and never changes! They don’t even take the minor step of using e-mail to send me either my new password or a temporary, expires-soon password reset URL. Granted, this is a minor security enhancement, but it does keep the amateurs out.

Does anyone else see a false sense of security here?

The irony is that I spent the rest of today fighting with our own password reset implementation :-).

Bill Gates has promised that the password will be obsolete in 2007; I’m beginning to hope he’s right…
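The “temporary, expires soon” reset link the post wishes the site had used, as an added example of my own (not the provider’s code, and the token lifetime and pepper are constructed values): tokens are stored only as an HMAC, expire after a fixed window, and are consumed on first use.

```python
"""Time-limited, single-use password reset tokens.

Added example, not the RRSP provider's code: it implements the 'temporary,
expires-soon password reset URL' the post wishes the site had used.  Only an
HMAC of the token is stored, every token expires, and a token is consumed
on first use, so a reset link that leaks later cannot be replayed.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # constructed policy: a reset link lives 15 minutes


class ResetTokenStore:
    def __init__(self, pepper, clock=time.time):
        self._pepper = pepper    # server-side secret, kept apart from the table
        self._clock = clock      # injectable so expiry can be tested without sleeping
        self._pending = {}       # HMAC(token) -> (account, expiry timestamp)

    def _digest(self, token):
        # Store only an HMAC of the token: a leaked table yields no usable links.
        return hmac.new(self._pepper, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, account):
        """Create a fresh token for `account`; the caller e-mails it as a URL."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (account, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Return the account if `token` is valid and unexpired, else None.

        The entry is removed whether it matched, expired or not, so a
        token can be used at most once."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        account, expiry = entry
        if self._clock() > expiry:
            return None
        return account


def walkthrough():
    """Issue, redeem, replay and let a token expire, using a fake clock."""
    now = [1_000_000.0]
    store = ResetTokenStore(b"constructed-pepper", clock=lambda: now[0])
    first = store.issue("member-1234")
    results = [store.redeem(first), store.redeem(first)]   # valid, then replayed
    second = store.issue("member-1234")
    now[0] += TOKEN_TTL_SECONDS + 1                         # link sat in the inbox too long
    results.append(store.redeem(second))
    return results  # ['member-1234', None, None]


if __name__ == "__main__":
    print(walkthrough())
```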

posted at 9:20 pm on Thursday, February 16, 2006 in Personal, Security | Comments (3)
  1. Jeff K says:

    Yeah, the false sense of security is that you don’t need to watch your RRSP. I trade in it almost every day. I locked in $10k of gains on Valentines in fact. I also unloaded Petro Canada for a 2x gain. I think I’ll be busy for at least 2 weeks moving stuff around for this year’s contributions.

    Most Canadians don’t realize the foreign contribution limit is gone and even more don’t care, even though their resource mutuals / stocks are sky-high and the dollar is sky high and it’s time to get out there and pillage the foreign markets. Aye matey! I made a few hundred in just a couple of days on a couple of Taiwanese ADRs this week (still holding), and I’m getting excited about raping the Japanese market in a little while, down 6% or so after a rapid rise from the depths in the last 2 months. The Japanese financial sector is not good, and for example, Toyota is already sky high, but there’s got to be some curvascious stock just waiting for me.

    Disclaimers: It’s probably better to earn capital gains outside an RRSP, I’m no adviser, I just think trading is better than sex, and since its all in an RRSP, I can’t even pay for, um… things I might want, with the money.

  2. Jeff K says:

    Er, that was “curvaceous”.

  3. Jeff K says:

    If you do trade foreign ADRs or stocks on the NYSE inside an RRSP, since the rules don’t allow you to have a US$ SDRRSP, you can direct the proceeds of a sale straight into a US$ money market fund and bypass the forex spread.

    The best is to trade in-trust-for a child in a US-denominated account, then the tax is lower, but I imagine most folks’ liquid capital is in RRSPs. RESP rules are even worse — I hate ’em.

    I laugh every time I see that Scotia Bank ad during the Olympics where some dumbass can’t figure out more than one mutual fund. ..then I cry when I hear how many people lost money 2001->2003 in mutual funds, bailed, and lost out on the 2003->2006 escalator-ride when they went back up. Scary stuff.

    Disclaimer: I know nothing and give no advice. What was one Toronto paper’s marketing slogan… hm, “They don’t read us for the financial pages.”

smtp block

It figures. After doing a bunch of work to move my backup mailserver to a “virtual server”:, it worked fine for about 10 days, and then suddenly I was seeing no incoming email in the logs. This is a sign of a problem; even when the primary server is working, spammers are always connecting to the backup (in the hopes of getting past filters).

Much testing has determined that rogers is now blocking inbound SMTP on my portion of the network (something they’ve apparently been rolling out for over a year now). The best laid plans of mice and men, and all that…

posted at 11:32 am on Wednesday, February 15, 2006 in Personal, Security | Comments (4)
  1. Reid says:

    Is there a way to specify the port in an MX record? That would be sweet.

  2. Harald Koch says:

    Not yet, but if enough ISPs start blocking, I’m sure it’ll appear…

  3. Mark says:

    Shop around for ISPs. I left bell when they cut off inbound SMTP. Now I’m with But, if you don’t want to switch ISPs then there are forwarding services like’s mailhop.

  4. Harald Koch says:

    My friend Reid is with; one of their selling features is “no bandwidth cap”, but I don’t usually get close to the 60Gb/month that rogers allows, so I’m not sure if that’s an actual feature for me or not. On the other hand, 3.0Mb + a static IP for $45/month isn’t too bad. wants $30/yr/domain for the service I want, which is almost the difference in price… hmm.

    It looks like Magma has the old istop bandwidth policy; limited during the day, unlimited between midnight and 7AM. Their prices are good, except for the static IP option. Unfortunately, the packages list doesn’t specify a monthly cap, and the FAQ only says “see the package list”. The only misread I can see is that the main packages don’t have a bandwidth cap?
