Tuesday, August 13, 2013

Et tu, Google?

I was just reading through the comments over at the Ycombinator comments about Elliott Kember’s blog about Chrome. I am shocked. You, as my only reader, are already familiar with the fact that my hobby, education, and profession are all security. Initially software, but expanding to just security.

Not only shocked, but absolutely appalled. Mister Kember is writing about how Chrome has revealed that OS X provides programmatic access to your “Keychain” without requiring a password. Think about that again. OS X pretends to be guarding your passwords, but... not really. About half the comment replies are attacking Google, for not protecting something which is not otherwise protected!

What the Google haters are asking for is no different than “encrypting” your passwords.txt file by renaming it passwords.exe. Sure, it means that your Grandma can’t double click on the desktop icon to read them, but it doesn’t mean it is secure.

Justin Schuh, from Google, had this to say about the password security...

I'm the Chrome browser security tech lead, so it might help if I explain our reasoning here. The only strong permission boundary for your password storage is the OS user account. So, Chrome uses whatever encrypted storage the system provides to keep your passwords safe for a locked account. Beyond that, however, we've found that boundaries within the OS user account just aren't reliable, and are mostly just theater. Consider the case of someone malicious getting access to your account. Said bad guy can dump all your session cookies, grab your history, install malicious extension to intercept all your browsing activity, or install OS user account level monitoring software. My point is that once the bad guy got access to your account the game was lost, because there are just too many vectors for him to get what he wants. We've also been repeatedly asked why we don't just support a master password or something similar, even if we don't believe it works. We've debated it over and over again, but the conclusion we always come to is that we don't want to provide users with a false sense of security, and encourage risky behavior. We want to be very clear that when you grant someone access to your OS user account, that they can get at everything. Because in effect, that's really what they get.

… and it is all true. Thank you, Google, for concerning yourself with true security instead of faking it.

Now, onto my list of favorite fails from the comments!

  1. This sets up a situation where Chrome actually circumvents and makes passwords originally stored in Safari less secure than they were initially - Without having a Mac to research, I can’t say for sure, but it sounds like neither Chrome nor Safari is storing the passwords on a Mac, they use the operating system keychain. Which obviously doesn’t require a password to access or Chrome couldn’t do it.
  2. This concerns me. I have friends that I would not trust around my computer now because... - Sorry mate, you shouldn’t be trusting those friends to access your computer then. Think a bit more about what all you are exposing yourself to. Chrome isn’t the problem.
  3. Also, going off what you have said, the "locking" process in windows is pointless since it offers a false sense of security. It can be broken just by rebooting the computer with a boot disk, right? - A rebooted machine has wiped system state and still doesn’t gain the attacker anything if you defended against it. *cough* disk encryption *cough* Applications can’t reasonably defend against the OS and the OS can’t defend against the hardware. Thems the breaks.
  4. that does make it psychologically harder - When your standard of security is “I’m protected against someone that doesn’t want to attack me” then you have lost. Leave up a sign that says “Key under mat” or don’t lock your door, neither is protecting you.
  5. Yes, but by your reasoning, surely obfuscating passwords when inputted into websites is also pointless, yet you do do this in Chrome - Masking passwords is not done to protect them from the user, it is done to protect them from anyone with visible access to the screen.

You only defend against the threats you try to defend against. Chrome has decided to not try to defend against the malicious user legitimately logged into your system, because they can’t. Not really. It even says so in their FAQ Why aren't physically-local attacks in Chrome's threat model?! So, either use Chrome as it is or don’t. Just realize that whatever else you use is failing to protect you from a malicious user too. How long does it take to steal your Chrome passwords? No longer than it takes to install a RAT from a thumbdrive!

The title is just amusing to me, I don't feel betrayed by them at all. In fact when I forgot a password I had saved, Chrome reminded me. And I was glad for it.

Saturday, August 10, 2013

My Introduction to the Physical Side of Cybersecurity

Let me apologize if you came in expecting a discussion of cold-boot attacks.

A few months ago I moved to a new townhouse. The front door has an interesting handle lock/deadbolt combination, in which the handle lock defaults to engaged, with buttons on the covered side of the door which disable it. Interestingly, if the deadbolt is engaged then the buttons revert back to engaged. Not knowing about that feature, the first time after moving in that I went to leave was the first time I was locked out of the house. It was a scary moment, as I didn't even know any of the neighbors yet and the landlord is out of state. Remembering a trick I was shown years ago by a neighbor helping us re-enter our apartment, I attempted to jimmy open the latch with an unused credit card. (Don’t use your primary debit card, the attempt can snap a card in half!) Thankfully, and terrifyingly, the front door opened with a soft click. My feelings about the moment were echoed back to me upon returning to the car when my house-guest stated “I’m glad you got it open but a big part of me was hoping it would be harder than that!”

That day and the sudden feeling of helplessness when the door first clicked shut told me that I don’t ever want to feel like that again. This event occurred about a month before my wedding anniversary; I informed my partner that the only gift I wanted was a set of lock picks and a how-to guide. Soon my very own copy of the “CIA Lock Picking: Field Operative Training Manual” arrived followed by a small set of lock picks. (Less than 4 stars on Amazon, not a very detailed book)

Once my picks arrived, I went searching through my house for locks to practice on. Turns out that all of the keyed locks in the house are the exterior doors; to practice I would have to sit in public picking at the lock. Something tells me that this sort of activity would not endear me to my new neighbors. So, off to Walmart I go, purchasing a Brinks deadbolt, single cylinder, spending about sixteen dollars. (Hindsight: who thinks that a sixteen dollar lock is a good choice to protect that 60 inch television?)

Television time became practice time, up to two hours a night, depending on when the day's obligations finished. That first successful pick took a few weeks to occur. I kept practicing with that deadbolt until I could open it three times in a single show. The keyway scraped wide so that the tension wrench could slip without the chamber turning, so I felt it was time to retire that one.

Today I decided to try a new lock, so I picked up a Master padlock. One was labeled as “Level 5” and one was labeled as “Level 9”, so I grabbed the nine. My assumption was that it should provide me with another few weeks of practice. Wrong. Time to first pick was measured in seconds, what a waste. For the next few minutes I just kept clicking it back open. So much for “pick-resistant.”

These two locks are a significant milestone in the development of my security growth. Picking provides me an ability to assess the physical security of a space. Recommending a ten to twenty dollar lock from Walmart to secure your spaces and data storage is not a recommendation I would make.

In my basement I discovered that there is a locked box from an old, disconnected security system. Fairly ironic that a metal box with the word ‘Security’ in the brand label has a lock which is trivial to pick.

Amusingly, one lock I have not yet attempted is my own front door. Not disturbing the neighbors is still the excuse I give myself, but maybe I just don’t actually want an honest assessment.

As a closing thought, I want to stress as strenuously as a newbie security blogger can that handle locks are worse than no lock. Security theater, where the lock does not do anything. An actor willing to walk into your house will likewise have no scruples against just unlatching the door. Cost required? Free, as I have found store club cards to be better than credit cards for doing this. They flex around the corners better than the stiffer credit cards and you can get more just by walking into a store and asking for one. My “pick” of choice right now is a Safeway card!

TLDR; Locks seem to really be a place where you get what you pay for! Handle locks just let you think you're secure!

Saturday, July 20, 2013

Lazy Saturday and tech woes

Strangely enough, I find myself this Saturday with some free time and keyboard access. Upon browsing my own blog, I found that my most recent post (The Blonde in the Bar) had been reverted to an out of date draft.

Originally, I had the inspiration for the write up while I was on vacation. As such, the post was created using the Blogger app on my phone and then saved as a draft. When I got home I cleaned up the post on my desktop through Chrome. A few days ago I had reopened the Blogger app on my phone which was still open to the first draft of that write up. Closing the app saved the writing back to the version cached in the phone! Thank you, Google Cache. That was how I had to revert to the correct version.

I would love to write something deep and thought provoking or, better yet, get some coding done but I just heard life calling again.

Wednesday, July 10, 2013

The blonde in the bar

In A Beautiful Mind Russell Crowe plays a brilliant mathematician John Nash. Part way through he has a moment at a bar which inspires him to write. His bar moment gave him insight into his field and he left after thanking the blonde in the bar. I have been inspired to write about what I've recently learned from a night in a bar. To my blonde in the bar, thank you.

At some level, everyone knows that their privacy is at best only as safe as they protect it. People also tend to be really bad at doing that protection. When a gorgeous, dashing gentlemen lonely, bored drunk in the bar asks for a dance, it can be an awkward moment, since both parties are keeping the physical contact to less than that of a middle school formal. Small talk fills the few minutes of the dance.

What has you in town? School.
Study? Interesting sounding topic.
Prompt for information. Chat, including a brief, slightly bragging mention of a great internship.

Part way through the song her friend cuts in and the dance ends. Part ways, no names given. Anonymous.

How anonymous? Not at all. The school, the program of study, and the internship were all that was given. When searched appropriately online, that tuple points initially to a person. One that just happens to share the same first name which was overheard in the bar, said by the blonde's friends. Even without that tidbit, that first entry contains a full name. Searching for that full name on another site provides a picture along with the results. Match.

The friend that cut in, the only information she ever provided was her face and her association with the blonde. Solid anonymity? No more than the first. The online trail included her full name and even a friendly nickname. Hometown? High school? Interests? All exposed based entirely off a chance meeting with her friend, the blonde in the bar.

What is the appropriate amount of information to share and what is the information that must be held close to the chest? A brief, anonymous chat with a stranger in a bar can potentially have wide rippling effects. How much do you say without thinking about if it exposes you, your friends, or your family? In The Art of Deception, Mitnick poses a challenge which should be trained into employees: "If I gave this information to my worst enemy, could it be used to injure me or my company?" (2002, pg 53) This is a question that should probably be employed by all of us about all our information.

Once again, thank you. I never before had thought as deeply about what information I may be exposing just by chatting away.

I can't not leave you without the clip that I began by discussing...

Sunday, June 30, 2013

Summer Reading List

I was browsing an actual Barnes and Noble yesterday and it was a pretty nice experience. The draw in was that I wanted to grab the new expansion to the deck building game Legendary, (Dark City!) but they didn't have it in stock. Since I had thirty minutes to kill anyway, I used the rest of my time to shop around, though not intending to buy anything.

If it has been a while (for me it has been years since I spent any significant time in a library or bookstore, outside of the SciFi/Fantasy sections) since you explored a brick and mortar book source, I recommend you head back for a bit. Getting to handle the books and look them over was a nice way to shop, rather than the sterile, recommendation filled environment of Amazon. Sure, Amazon is really efficient, but the hands-on nature of the Barnes and Noble was enjoyable.

Anyway, in the Professional Computing section, I found a whole set of books that I want to have.

The book I wound up getting was Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick. So far it has been a great read. I plan on writing my thoughts about it here.

Also, in making this list I saw I could order The Shellcoder's Handbook for under $7, including shipping. It should arrive in a week or so!

Monday, March 11, 2013

Canned Spam

There are no published comments on this blog because no one has commented. I just read through the spam filter and it is quite full. Annoying, but why bother spamming a blog that apparently has no readers?

Saturday, March 9, 2013

Hiccups and funding

I have not been posting recently, since most of my posts were just dumps of work from my cybersecurity courses. This semester became a break when I encountered a last minute hiccup for my funding. I regret that I have not been posting because this blog is a way to lay out my thoughts permanently.

Upon selecting to learn more about cybersecurity, I was thinking that the field would be computer science with a focus on dangerous coding. That has not been the experience at all. As is encapsulated in my existing posts, cybersecurity is a much more big-picture field. Personnel management, policy development and compliance, physical security, access control, vulnerability discovery, incident response, intrusion detection, cryptography... the list of topics related to cybersecurity goes on and on. All these topics come up in blogs I read and news I see. Both the articles I read and the thoughts I have from them deserve comment, so I should be writing here.

I don't know if there are any repeat readers here or if the visitors are just stumbling on things related to the classes they take, but I said I started this blog to "dump thoughts and archive work." There has been precious little of me just dumping thoughts, so that will have to change since I'm not currently in a class to need to archive the work.

I almost published this as a big blog of text because I nearly left out the HTML. Have a nice weekend!