Security, Crypto, and Random Topics
19th-Aug-2008 10:41 pm - Dot Mac on Vista
I know what you're going to tell me. "Don't run Apple software on Windows Vista." But I did. Save your typing.

It says:
dotmacsyncclient has stopped working
A problem caused the program to stop working correctly.
Windows will close the program and notify you if a solution is available.

So far, no notification.

The only help I can see on the web is someone saying that they turned off DEP (Data Execution Prevention) and things worked great. DEP is a security feature of Windows (introduced in XP SP2 and present in Vista) that stops a program from executing code out of memory marked as data, such as the stack or the heap, which is exactly what most memory-corruption exploits try to do. If you simply must run Windows, you really don't want to turn off DEP. Really. If one program cannot live with it, add just that executable to the DEP exception list rather than disabling DEP for everything. If the Dot Mac sync client really is doing something illegal, and if Vista is stopping it, then it's an Apple bug.

The good news is that I can access all my Mac content from my Linux desktop and laptop via Firefox.  Oh, and from my Mac also, I suppose.

Anyone else have any bright ideas?
17th-Aug-2008 06:49 pm - Thawte S/MIME cert enrollment broken?
A friend tried to get a Thawte S/MIME cert tonight, and was having trouble.  I decided to get a new cert to walk him through the process.  It turned out to be a change in the Thawte enrollment process that I hope is a web site bug.

After the Thawte CA issues the cert, it takes you to a page with the "Fetch" button at the bottom.  When you click on that button, Firefox is supposed to import the certificate so you can use it.  Instead, tonight my friend and I got this confusing Save File dialog.

Eh?  SPC files are code signing certs, right?

I tried to alert Thawte, but that also proved to be a challenge.  Their vintage email submission code does not allow exotic symbols like equals, quotes, and parentheses.  Sadly, that means I cannot include actual URLs to their site since many of the good ones include an equals sign.

I really like the Thawte free S/MIME cert program and I hope they get this fixed before you read this entry. ;-)
14th-Aug-2008 10:13 am - Banks still act like phishers
A few years ago I started writing about how financial institutions, organizations that are really security companies at their core, have implemented web site designs that are so broken from a security perspective that they actually act like phishing sites.

Recently some University of Michigan researchers picked up the effort to document the problem in a more formal way. 

In their paper, they describe the flaws they chose to investigate:
1. Break in the chain of trust
2. Presenting secure login options on insecure pages
3. Contact Information/Security Advice on Insecure Pages
4. Inadequate policies for user ids and passwords
5. E-Mailing security sensitive information insecurely
I'm really glad to see more attention on this issue.  Perhaps the automated tools they devised can become well known as industry best practices.

It's hard to believe that, with all the things Sarbanes-Oxley Act auditors make companies do, they don't require banks to have secure web site designs.

12th-Aug-2008 07:37 pm - Finding text using Firefox 3
There is a lot to love in Firefox 3. But one of the things I still struggle with is the Find Text feature. It just doesn't work the way I do and I don't think it's gotten much attention in years.

First, the Next and Previous buttons are backwards. See this page for a visual. But let's ignore that for a bit.

Second, Firefox always scrolls long pages such that the search string, if it appears on the page, is positioned at the very bottom of the page. Aren't there some better algorithms than that? It's often the case that the first occurrence of a word is the first of many occurrences, but all the subsequent hits are hidden below the visible window region. At a minimum, FF should scroll so the string is in the middle of the page.

Third, I'd like Firefox to highlight all occurrences of the word. Maybe my usage pattern is very different from most people, but I'd like to see all occurrences highlighted, and the "Highlight all" button removed. Why would you not want to see all the results? Search engines don't return one result and wait for you to say "Next". Further, sometimes the string is hard to see on web sites with strange color choices. I'd like to see someone come up with a way to make them more visible (without blinking, of course).

Fourth, I'd like for the text I'm searching for to remain highlighted across page transitions. If I'm looking for a term on a page, and then click on a link to another page on that site, I'm frequently looking for the same term on that page also. So I hit "Highlight all" again, click to another page, click "Highlight all", and so on.

The Google toolbar does some of what I want, but it seems to only do it when I've sent the query string to Google. What about pages on my home or work networks?

I spend time each day trying to find the right stuff on a page. I'd like to see some real innovation for Firefox 4!

Is there a plug-in that I should be using?
I upgraded my iPhone from 2.0.0 to 2.0.1 hoping it would help resolve a few minor problems.  Instead, I no longer have any phone service.  I turned off 3G service hoping that it would help. Still nothing.

8th-Aug-2008 06:29 pm - Weak Mac support from AT&T
I purchased a 3G card for my MacBook Pro so I could stop fighting with hotels, airports, and hotspots that require registration. It works great! But the installation process was quite poor.

There are no Mac instructions, and after over an hour on hold with the support department I decided to hang up. I eventually found some web pages where other frustrated users vented and found solutions. After numerous re-installs and poking around I found one that worked for me. Given that people have already done much of the documentation for AT&T for free, why can't they just have someone clean it up and post it?

They were also kind enough to send me an email:
We recently sent a free text message to your phone. That message contains a six-digit temporary password for logging in and registering your wireless account at att.com/myWireless. You will be asked to set a permanent password after logging in.
But it's not a real phone. It's a networking device that uses the 3G phone network, but there is no display. I'll never get that message.

Don't they QA this stuff at all? 

Do the VPs at AT&T go through the same purchase and installation pathway as their customers?  Or do they have Senior Architects hand them a fully configured machine?  Wait, don't answer.  I think I figured it out.
26th-Jul-2008 09:45 pm - iPhone Backup Lottery
From http://www.macworld.com/article/134525/2008/07/iphonebackingup.html

This is the cause of my syncing angst—that little progress bar—which is part of a fun game I like to call the “iPhone Backup Lottery,” or IBL for short. How do you play the IBL? It’s simple—just plug in your iPhone (or iPod touch, I imagine), and then wait. If you’ve won the IBL, the backing-up progress bar will rapidly fill from left to right, followed by the start of the usual iPhone syncing process.

If, as is usually the case with lotteries, you’ve lost the IBL, then the progress bar moves more slowly than does the release cycle for major versions of Microsoft Windows. In my case, my current personal record as an IBL loser is 74 minutes from the time I docked the iPhone until the backup completed. As it turns out, though, I’m far from a record-setter. My Macworld colleague Dan Frakes reports that he’s had a backup take more than two hours!

My iPhone takes a very long time (though less than 20 minutes worst case) to sync each time I sync. Now there's a name for this problem.  At least I am not alone.
24th-May-2008 11:36 pm - S/MIME for GMail in Firefox 3
I've been beta testing the latest version of a Firefox add-on that adds S/MIME security to GMail. This version adds some features, including support for the latest builds of Firefox 3.

Here's the link to get it:

Now I can send signed and encrypted email to people using Outlook, Thunderbird, and Apple Mail while using the native GMail web interface.

If you use S/MIME, Firefox 3, and GMail, you can finally use them together. My hat is off to the developers!
11th-Apr-2008 03:12 pm - Crypto ops are pretty fast these days
Here are some interesting crypto performance factoids. We ran some tests to see how many RSA signing operations NSS could do on my work desktop machine. The results were better than I expected:

Using a 1024-bit RSA key: ~5,100 ops/sec
Using a 2048-bit RSA key: ~970 ops/sec
Using a 4096-bit RSA key: ~172 ops/sec

So a good desktop machine can do almost 1,000 2048-bit private-key operations per second. In software!   Note that we were not using a hardware accelerator. Just a good Intel-based CPU, running Fedora 8. Today most SSL web servers use the weaker 1,024-bit keys, though 2048-bit keys will become more common in the next few years.

Your mileage will vary with the computer, the number and type of CPUs, and other factors that make meaningful performance measuring difficult. I was already convinced that SSL/TLS was fast enough to deploy extensively on a web site, and even across entire web sites, but these numbers are icing on the cake.
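
As an added example, not the NSS benchmark run for the numbers above: a pure-Python script that times RSA private-key operations the same way, ops per second at a given key size. Its absolute numbers will be far below NSS's (Python big-integer arithmetic is not an optimized C implementation), but it shows two things the figures alone do not: how quickly the cost climbs with key size, and why every serious library computes the private-key operation with the Chinese Remainder Theorem (two half-size exponentiations, roughly three to four times faster than one full-size one). The key generation is a deterministic toy for benchmarking only; it is not a secure RSA implementation and does no padding.

```python
"""Time RSA private-key (signing) operations in pure Python, with and without CRT.

Added example for benchmarking only: deterministic toy key generation and
textbook (unpadded) signing. Do not use any of this for real keys or signatures."""
import random
import time


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with `rounds` random bases, after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random probable prime with exactly `bits` bits (top bit set, odd)."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate


def generate_key(bits, e=65537, seed=0):
    """Toy RSA key. The seeded RNG makes benchmarks repeatable; never do this for real keys."""
    rng = random.Random(seed)
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        # e is prime, so gcd(e, phi) == 1 exactly when e divides neither p-1 nor q-1
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def sign_plain(key, m):
    """Private-key operation as one full-size modular exponentiation."""
    return pow(m, key["d"], key["n"])


def sign_crt(key, m):
    """Same result via Garner's CRT recombination: two half-size exponentiations."""
    s1 = pow(m, key["dp"], key["p"])
    s2 = pow(m, key["dq"], key["q"])
    h = (key["qinv"] * (s1 - s2)) % key["p"]
    return s2 + h * key["q"]


def verify(key, m, sig):
    """Public-key operation; cheap because e is small."""
    return pow(sig, key["e"], key["n"]) == m


def ops_per_second(sign, key, m, seconds=0.5):
    """Count how many private-key operations `sign` completes in `seconds`."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        sign(key, m)
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    for bits in (1024, 2048):
        key = generate_key(bits, seed=bits)
        m = 0x1234567890ABCDEF          # any value below n; real signatures sign a padded hash
        assert verify(key, m, sign_crt(key, m))
        print(f"{bits}-bit: plain {ops_per_second(sign_plain, key, m):7.1f} ops/s, "
              f"CRT {ops_per_second(sign_crt, key, m):7.1f} ops/s")
```

The ratio between the 1024-bit and 2048-bit rates is the number worth comparing with the post's figures: doubling the modulus costs roughly five to six times the work for the private-key operation, which is why 4096-bit keys are so much more expensive than 2048-bit ones while the public-key (verification) side stays cheap.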
25th-Mar-2008 08:51 pm - New Dogtag home URL
Thanks to everyone who let us know that our Dogtag home URL was too hard to remember. Here is the new URL for our home wiki page:


Please update your links and bookmarks to point to this page.

And feel free to join the mailing lists and the IRC channels:
Please let us know if you succeed or fail in getting the system to build or run!
