In the past 6 months, I was turned on to KeePass Password Safe (keepass.info). It’s a password manager that, given a single master password, allows users to store passwords for all their computing needs. It’s so simple it makes using unique strong passwords/passphrases for all different resources a reality.

KeePass encrypts the password database with AES 256. It allows you to store a password along with some metadata, then CTRL+B on the entry to copy the username, then CTRL+C on the entry to copy the password. The clipboard auto-clears in a configurable timeframe (by default in 2.x, 12 seconds, in 1.x, 5 seconds).

The security concerns with KeePass, as with managers of all kinds, is single point of failure. If the database is stolen and the user does not use a strong (brute-force & dictionary resistant) password, then all the user’s passwords may be compromised. If the database is lost, all the user’s passwords are lost and that’s a huge hassle. My answers to these problems are:

• A single strong passphrase
• Dropbox + PortableApps platform

I use Dropbox to store my PortableApps platform, which allows me to carry my PortableApps on any computer installed with Dropbox. KeePass is one of those apps. Using Dropbox, the same database is always updated regardless of where from I’m updating KeePass (e.g., if I update a password from my laptop, the update will reflect on my desktop automagically). I use a strong passphrase to protect my database and then use KeePass to do the rest of the heavy lifting (in this case, remembering a slew of unique, crazy passwords).

KeePass 1.x does not require .NET, but the plugins are not as cool. KeePass 2.x requires .NET Framework 2.0 or MONO, so keep that in mind when figuring out how you want to proceed. They seem to be functionally the same out of the box (though I haven’t done a thorough feature diff).

An important decision by the U.S. District Court of Appeals for the Northern District of Florida has ruled that your 5th Amendment rights protecting you from self-incrimination also protect you from providing the encryption password to authorities. Yeah, that just happened. (link)

Up to this point, the DOJ claimed such a request was just an extension of prosecutor’s ability to assemble potential evidence during a trial. (link)

The take-away here is that we should all be using encryption more earnestly to protect our privacy (from all potential consumers of that private information) and that what is in your head is still legally protected from discovery by the 5th Amendment to the US Constitution. This isn’t something to take lightly! Here are some tips to help with the effort:

TrueCrypt
GnuPG
Gpg4Win
PGP Whole Disk Encryption
Coding Horror: Passwords vs Pass-Phrases

I found this little gem waiting for me to approve. I get a bit of spam that Akismet doesn’t toss automatically, but this one struck me as an absolute failure to come across as human. It also struck me that Akismet didn’t toss this one automatically.. .:-\

Russ McRee over at HolisticInfoSec.org wrote a great article talking about Mandiant Highlighter that I and Jason Luttgens wrote. We just released a minor bug fix version, 1.1.3. Here’s the link.

holisticinfosec.blogspot.com/2011/10/toolsmith-log-analysis-with-highlighter.html

Here’s the link to the download:

www.mandiant.com/products/free_software/highlighter/

Here’s a link to the forums:

forums.mandiant.com/forum/highlighter

Highlighter v1.1.3 has been released. Check out the sweet blog post by yours truly over at blog.mandiant.com/.

Lately I’ve been doing some work in C# targeting the 3.5 .NET Framework (because that’s where LINQ — Language INtegrated Query — is introduced).  There are two forms for using LINQ: the query expression form and the method-based query form.  Each allows the exact same functionality and each has its own pros and cons.  I have found that I prefer the method-based form, perhaps because I’m trying to expand my skills with lambda functions and already know SQL well enough to get by. Here is an example of each technique.

First, here is the build-up to the interaction with LINQ:
using System.Linq;
List<string> names = new List<string> { "Alice", "Bob", "Cathy", "Eddie", "Frank", "Gary" };
Easy, right?  Even if you don’t know programming, you might be able to figure out what this means.  Moving on, the following is the query-expression form to show all names ending in the letter “y”. Then the results (in var y_endings) are printed to stdout.
var y_endings = from n in names
                where n.ToLower().EndsWith("y")
                select n;
foreach (string name in y_endings)
{
    System.Console.Out.WriteLine(name);
}
Got it?  Good.  Ok, now here’s a similar query using the method-based form to find all names of length 5 (also printed to stdout):
var fives = names.Where(n => n.Length == 5);
foreach (string name in fives)
{
    System.Console.Out.WriteLine(name);
}
That lambda function is pretty wacky, but it’s saying “Return all values which have a length of 5. I choose to refer to each tested value as ‘n’.”  They aren’t so hard in their simplest forms, but still gave me a little trouble because I’m not familiar with anonymous functions.  You can see how the query expression form is basically a lambda function and maybe that will help form your method-based queries (if you’re so disposed).  Anyway, I just wanted to share the two forms side-by-side.  For more, google LINQ and read.  Ugh.  Do it.

I recently had to get my iPhone restored at an Apple store because I was away from my home computer and my phone was stuck on the loading screen (with the pretty metal apple). I was a little pissed because I knew they were going to upgrade me to the newest firmware (3.1.3) and I didn’t know there was a jailbreak out for it, but I needed my phone!

When I got home, I started sniffing around for a 3.1.3 jailbreak and came across sn0wbreak (ih8sn0w.com/index.php/welcome.snow). I started the app and followed the instructions to get into DFU mode, but the app never moved on from there… always stayed at the DFU Starter Help screen. Realizing sn0wbreeze is not an “official” dev-team release, I went to their blog to see what was going on: that’s where I learned about the Spirit hack.

The Spirit hack (spiritjb.com/) is a small download and a simple screen. You run it with your iPhone attached (some stipulation if you’re using a 3GS) and when the process is over, you have a jailbroken iPhone. Done. The people rejoice.

[edit 2010-05-10]
I posted this on my facebook account and received a well-deserved lambasting for up-voting the article.  I hadn’t thought hard enough on the problem of domain trusting with such a distributed, flexible, and multi-point service such as email.  Mat Whitney gave me a lesson on the difficulties of domain reputations when the domain is something like gmail.com or live.com — they’re publicly available and that’s where the majority of spam comes from, so how can you trust any sender from that domain without specifically white-listing the address?  That means there are only baby-steps in security available through a huge effort on the part of IT administrators with the technologies described in The Register’s article.  I take back my promotion of this article until I am able to speak more intelligently on the matter.   Whoops!
[end edit]

——————————————

www.theregister.co.uk/2010/05/09/email_and_trust/

An article on The Register writes about finally adopting existing technology (software, not hardware) to allow people to trust their inboxes again.  With all the worms, identity theft attempts, scams, and general nogoodnickism that happens via email today, users are hesitant to open emails even from addresses they recognize.  It’s like getting a package delivered by USPS and wondering if you’ll find a pipe bomb or anthrax in each one.  Well, in the digital word, electronic messages can be signed in such a way that trust can be (largely) restored and, as with the Web, “feature rich” email is the way of the future.

The article describes that, as everyone should realize, social hubs like Facebook and [the defunct] Google Wave will grow in popularity and virtual size and will begin to experience the same problems that email users have to deal with daily.  Identity theft, worms (www.google.com/search?q=koobface), and hijacked accounts occur in Facebook already and there will be no long-term decrease in these activities because they are making money with them.

My words of advice: read the article; expect trust-restoring technologies in the near future that may look a little different from the email you’re familiar with, but will be fundementally the same; be wary of what you put on social media sites (Facebook, Google profiles, MySpace, etc.); be wary of who you friend and who you show your information to.  I absolutely DO NOT advise to stop using social media websites because they carry value (that’s for a different article), but realize that it’s just a picture and text — the person you think is behind that profile may not be who you expect.

As always, your thoughts/opinions/comments/defamations/flattery/proposals are welcome.  I have to refuse some of those on principle but send them anyway.

I consider myself relatively browser agnostic but I use Firefox for a lot of my work.  I utilize multiple profiles and use the –no-remote option to actually run these multiple profiles at the same time.  It keeps the cookies, extensions, add-ons and sessions all separate which allows me to work more efficiently.

I also rely rather heavily on Firefox extensions to do my work: Hackbar, Web Developer, Firebug, FireTitle and several others are my staples.  I recently upgraded to FF 3.6 and that unfortunately broke my FireTitle extension. (side note: FireTitle is used to change the title bar of my different browsers so I know which profile I’m working under in each window).  Looking for a solution and not finding any, I decided to try to “fix it” on my own.  I tried to alter the install.rdf file that sits in the C:\Users\foo\AppData\Roaming\Mozilla\Firefox\Profiles\y1g9vafa.WebAppTest1\extensions\{f4b962b4-ab75-41bf-8da7-a0435258a27c} folder.  There’s a line in there that says <em:maxVersion>3.5.*</em:maxVersion>.  Knowing how clever I am, I changed that 3.5 to 3.6 and restarted FF!  FAIL.  So I looked for something else…

I can across the Add-on Compatibility Reporter and, just wanting to have an avenue to report that the extension wasn’t working, installed it.  I restarted FF 3.6, went to the add-on screen, clicked the Compatibility button next to FireTitle, selected “This add-on no longer works” from the drop-down, submitted my report and restarted FF.  Much to my surprise, the Options button for FireTitle was now enabled!  The settings were reset to default, but something about that whole process enabled the extension.  I repeated it for each of my profiles and now I’m back to where I want to be.

Of course, none of this would be necessary if Mr. Nowitz would just update it.  Cheers Jonathan, and thanks for a great tool.  I truly do enjoy it.

Go here: mrdoob.com/lab/javascript/harmony/. Play with Harmony. You’ll get it. It. Is. Dope! HTML5 is the media-rich future of the World Wide Web and this sort of thing is going to become more prevalent very quickly. I’m excited!