Friday, 3 October 2008

Two factor authentication - grid Key followup

It looks like CAPCHA's days could be numbered. And not before time as I try to decipher the picture below the editor where I'm typing this.

Given such a simple idea as gridKey (working title - don't sue me) its not surprising that someone else thought of it first.

Maybe I'll get round to writing a PHP and/or PAM lib to implement it.

Sunday, 28 September 2008

Authentication tokens

Devices like hashing fobs or tamper-proof smart cards are technically the best solutions for secure authentication - but they have a number of drawbacks for proactical applications. By far the biggest one is that they are not universal - I can't use my Paypal fob to log onto my LAN, I have several smart cards in my wallet, but where do I get a reader? Even if I did, how would I get Google to support the use of the card for accessing my gmail account?

Instead we seem doomed to endure badly implemented wish-it-was-2-factor-authentication and Capchas which even those of us lucky enough not to be visually impaired, cannot read.

While kitten capchas are undoubtedly cute, do they really help solve the problem?

It occurred to me that not entering the same password more than once is a good way to avoid the risk of compromise (essentially this is the common factor in Capchas, smart cards and key fobs) and here is a simple way to achieve this:

When you create an account for your user, issue them with a grid of letters and digits, 6x6 seems about right.


Then, each time they log in, ask for, say 5 of the entries, the grid holds more than 8000 passwords.

Given say 32 possible keys (omitting the letter O and number 0, lower case L and digit 1) the chance of guessing the password are one in 33 million.

Someone's probably already thought of this. But I thought I'd write it down before it gets patented.

Monday, 1 September 2008

Microsoft backdoor optimization?

I recently replied to a post on uk.comp.os.linux regarding squid - but on reflection, if the details supplied by the OP are correct, then this exposes some backdoor optimization by Microsoft in IIS

The post and replay are here.

Tim said that:

tim@feynman:~$ telnet 80
Connected to
Escape character is '^]'.
GET /plumb/index.html HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

HTTP/1.1 400 Bad Request
Date: Wed, 27 Aug 2008 21:44:51 GMT
Server: Microsoft-IIS/6.0
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1
(404 body snipped)

Connection closed by foreign host.

This works if you drop the "; SV1" from the user agent. Or even replace
"; SV1" with "; SV2" or replace "5.1" with "5.0" but leave the "; SV1"

What's interesting here is that the request headers specify HTTP/1.0 but the response comes back from the server as HTTP/1.1

While maybe this is just sloppy programming by Microsoft, its worth bearing in mind that, by default MSIE degrades to HTTP/1.0 responses when it knows it's talking via a proxy. Also, HTTP/1.1 mainly addresses performance improvements.

Further - as Tim points out, the behaviour of the server changes when the user-agent changes.

Could it be that IIS is using the user-agent for purposes beyond what it should do according to spec? This could give Microsoft an unfair performance advantage over other browsers. Certainly in this case there is hard evidencethat the server is basing its response on the user-agent supplied in the request.

For the time being this is mostly conjecture and conspiracy theory. But it would be interesting to confirm whether IIS always responds to HTTP/1.0 requests with a HTTP/1.1 response, whether it will include HTTP/1.1 specific browser instructions - and to see if the browser then acts on these.

Friday, 8 August 2008


Today I'm looking at monitoring the throughput of a mail server running RHEL5. Unfortunately the default check_mailq supplied with Nagios just looks at the size of the number of messages in the mailq.

Another problem I encountered was that mailq is not setuid root on this distro. Rather than reinvent the wheel, I thought I'd have a look at how RH & sendmail measure the size of the queue.
  • /usr/bin/mailq is a symlink to /etc/alternatives/mta-mailq
  • /etc/alternatives/mta-mailq is a symlink to /usr/bin/mailq.sendmail
  • /usr/bin/mailq.sendmail is a symlink to /usr/sbin/sendmail
  • /usr/sbin/sendmail is a symlink to /etc/alternatives/mta
  • /etc/alternatives/mta is a symlink to /usr/sbin/sendmail.sendmail
...of course!

Friday, 1 August 2008

It would appear that the UK Cabinet Office publish guidance on publishing word processor and other files on government websites:
"Microsoft Word (DOC)

Documents can also be saved in Microsoft Word format. ... This is the least desirable format as it is proprietary and it cannot be guaranteed that a reader exists for a particular user’s computer."

Guess what format they use.

Friday, 6 June 2008

Oracle Javascript

Finally got to the bottom of the problems with oracle_smp_chronos.js turns out its worse than I thought. The script just can't cope with links calling a forms onsubmit method on Mozilla based browsers (actually there is about three different defects here, only the first was initially visible). The odd thing is that the code they've written for MSIE works flawlessly on every version of Mozilla / Firefox I've tested - although I haven't gone back to Navigator version 4. The solution seems quite simple - just change the browser identification code so it runs the same code for Mozilla 5+ and Firefox 1+ as it does for MSIE.

Blackberry blues

Work has decided I need a Blackberry. So after a mere two months procurement process an 8800 appeared. It took me about 3 hours to find the first bug in the software (browser does not accept a cookie suplied in a HTTP 302 response) still I was trying to look on the bright side. Having previously worked for a company selling ringtones, I thought it would be a good idea to add something a bit out of the ordinary. But having previously worked in the industry, the last thing I would do is actually buy one from one of the many suppliers! Fate helped things along when I saw bluetooth USB dongles in my local Tesco for £7. It wasn't long before I had it plugged into my computer and the relevant software up and running. Unfortunately, although I could get the devies to pair, the only service I could get working was kbluelock - the Obex push client just couldn't see the device.

A bit of research suggested that this is a common problem - Blackberries won't talk to the BlueZ stack.

Ho hum.

Meanwhile, having built a test rig and demonstrated the browser problem, I tried reporting the fault to Vodafone. They've written back asking for lots and LOTS of information none of which relates to the bug. I spent less time re-writing the web application I was trying to access then I have trying to satisfy the requests from the support department - who don't seem to understand how their own software works.

Thursday, 15 May 2008

Oracle - not as bad as I thought?

In fairness to Oracle, the problems I described only seem to manifest in conjunction with other suppliers javascript. But perhaps its just as well that the DMCA forbids me from finding out exactly how well written their code really is.

Friday, 8 February 2008

Oracle stop eating own dog food?

Enabling End-User performance monitoring using the Oracle application stack and Grid Control, depends on a script called oracle_smp_chronos.js however the the copy we've got will only work with MSIE (its hard-wired to the Microsoft browser event model). I had a look around to see if anyone had a solution - and I couldn't find anyone with the same problem. I couldn't - so I thought great, they've fixed it! But I can't find the fix.

But what's even more interesting is that Oracle no longer seem to be using their own tools for monitoring - a 'view source' on most of the pages shows they are now using Omniture's SiteCatalyst.