authentication | General Musing

Posts Tagged ‘authentication’

6 Months of Security Links #2011

I’m a regular curator of daily links, and like to give overviews of my collection of curated links and posts. This is partly as there are some good sources and articles in here and as I am working on a research project which I started based on a number of books I read.

I’m sure you’ll find something interesting in the items below – there are some gems in the list – and I dare to hazard the guess you might learn something you wanted to know.

Read the rest of this entry »

About these ads

Written by Daniël W. Crompton (webhat)

July 15, 2011 at 4:10 pm

Posted in tagging

Tagged with 2010, 4chan, 802.11, aclu, advertising, airplane, airport, algorithm, analysis, audio, audit, authentication, authority, authorization, availability, backbone, bandwidth, bias, biases, biometrics, bluetooth, botnet, browser, bruceschneier, ca, camera, certificate, certificates, china, cia, communication, computer, copyright, cpu, crime, cryptography, cybersecurity, data, database, datagathering, datamining, db, dead, death, defcon, descriptor, detection, disk, diy, drive, drm, drone, economics, embedded, encryption, erase, eu, europe, experiment, facebook, fbi, file, filter, fingerprint, fingerprinting, flying, forensics, freedom, gcc, geolocation, google, government, gprs, gsm, hack, hacking, hardware, hdd, health, hibernate, identification, identity, india, insurance, intelligence, internet, isp, java, javascript, jboss, kerberos, latency, law, learning, lifehacks, linux, livecd, mac, malware, marketing, microsoft, mobile, monitoring, music, mythology, nagog, network, networking, ntlm, oauth, openid, osx, outsourcing, paper, passwd, password, peering, penetration, pentest, performance, pki, plane, police, politics, privacy, quora, ra, recovery, refresher, reload, repair, report, risk, robotics, router, routing, scam, schneier, science, security, seo, socialmedia, socialnetworking, software, solidstate, specialbrands, ssd, ssl, sso, surveillance, system:filetype:pdf, system:media:document, technology, terror, terrorism, testing, theft, threats, tls, toblog, tor, toread, tracking, traffic, travel, tsa, uav, uk, umts, usa, video, visualization, vodafone, vulnerability, wasp, watermarking, web, webapp, webpage, windows, wireless, youtube

A catalog of this year’s risky articles #2010

leave a comment »

Risk is something which can be difficult to evaluate for the average person, there is a lot of work which goes in to learning not to do the two things that people usually do when they are confronted with risk:

Ignore
Overreact

Facebook is the new Portal for Insurers and Banks #social #finance

It looks like every man and his dog needs to have a Facebook page, even banks…

@Google and @FaceBook battle over the back of @FriendFeed? #social #feedburner

It has been almost 1.5 weeks since Google’s FeedBurner removed the Frie…

Prosper allows loans to fund Kiva projects #microfinance

Some days ago I tweeted to Prosper, a personal loan marketplace, whether they…

Social Revolution – Do You Get It?

I don’t really think most people get “it” when it comes to …

Secret Google campaign against Hyves? #social #networking

Just noticed that Google Translate translates the name of the Dutch social ne…

Company Policy or People #hr

I find a 400 plus page manual of office policies and job descriptions for eac…

Social Media Syndication – Feedback Loop

In the last two days I’ve not been posting so much, and focussing on up…

Google Scribe – Ye Shall Know Them By Their Fruits #google

I started playing with Google Scribe and wanted to see if patterns emerged so…

@Google, please stop with the language! #google

I have my Google account set up with English as the preferred language, my br…

Did The LinkedIn Certificate Expire Again? #linkedin

For the last 2 years LinkedIn has been running a bad poor IT management depar…

Advert: Reserve your Agile/SCRUM Pack #scrum #agile

When I just started I too had trouble with getting all the items I required t…

GMail Quota and Statistics (follow-up) #google #gmail #dashboard

On August 11th 2007 I exceeded my GMail quota, I blogged about it here. At th…

More SMS banking by M&T #sms #bank #risk

Brian Szymanski send a reply to me concerning another bank implementing SMS b…

Solving the URL shortening problem #twitter #tweet

I don’t understand why url expansion after url shortening is such an is…

Is RevTrax violating FaceBook privacy policy? #facebook @RevTrax #privacy

I just read an article Web Coupons Know Lots About You, and They Tell in the …

China acquires more than China… #hacks

This morning/night China’s networks were sending rerouting messages to …

Implementation of Security #risk

The lack of trained and experienced computer security people working in small…

ING reveals names using account numbers #bank #risk

Last week I saw an episode of a popular Dutch Ombudsman program Kassa, they r…

Musing: Why can I fly solo?

After seeing a program about a lifecoach trying to find the time to get his p…

Image source Radio Nederland Wereldomroep

Written by Daniël W. Crompton (webhat)

December 28, 2010 at 7:00 pm

Posted in tagging

Tagged with advert, agile, authentication, authorization, availability, bank, banking, bing, blogging, business, calendar, certificate, certiﬁcation, china, confidentiality, control, dashboard, defense, department, difference, dod, dutch, english, evil, facebook, feedburner, finance, flying, folksonomy, friendfeed, game, gmail, google, hack, hootsuite, HR, human, humor, humour, hyves, illusion, ing, integrity, kanban, kiva, labs, language, lifehacks, linguistics, linkedin, loan, mail, maintainability, mashup, media, microblogging, microfinance, myspace, navy, networing, networking, nl, personal, ping.fm, pki, privacy, programming, quota, reliability, resources, risk, scam, scribe, scrum, search, security, shortening, sms, social, socialmedia, spam, statistics, technology, theory, therapy, threat, translate, travel, twitter, url, us, violation, web, work, xp, yahoo!

This year’s articles about programming #2010

leave a comment »

In 2010 I was less focussed on programming articles on the blog than previous years, still I have managed to create some interesting articles with code in 2010. This is an overview of the activity:

Sync Web with Phone #html #javascript #scratchpad

Having some fun today with QR codes, JavaScript and the Google Analytics URL …

The Structure of a Daily Scrum #agile #scrum

The only questions that are asked in the Daily Scrum, aka Stand-Up, are: What…

Features I Still Miss in Mail #mail #email

UPDATE: GMail has introduced my number 3. YEAH! (Gmail introduces Priority In…

YouTube Channel Unsubscribe #bookmarklet

I like YouTube, and often subscribe to new channels and unsubscribe after a w…

PCI is nice (or what I do) #pcidss

Since I started working for my company I’ve been exposed to PCI DSS (Pa…

Solving the URL shortening problem #twitter #tweet

I don’t understand why url expansion after url shortening is such an is…

VeriSign PIP Browser Certificate workaround (PIN Request) #identity #openid

VeriSign – Personal Identity Portal is a OpenID provider with multiple …

Image source D’Arcy Norman

Written by Daniël W. Crompton (webhat)

December 24, 2010 at 8:52 pm

Posted in review

Tagged with authentication, bank, bing, bookmarklet, business, certificate, chrome, database, dbsm, dss, ecommerce, encryption, firefox, folksonomy, google, greasemonkey, identity, industry, javascript, mail, mashup, merchant, mobile, onetimepassword, openid, otp, password, payment, pci, personal, pip, pki, programming, qr, retailer, risk, rkm, rsa, safari, search, security, shortening, smtp, standard, tagging, technology, url, verisign, web, yahoo!, youtube

ProFTP configuration is in the details #ftp

with one comment

I was setting up an anonymous ftp to serve up all my vservers from. (I recently bought 1.5Tb, 1Tb for my PVR and .5Tb for internal storage such as mail, cvs, http, ftp and samba.) I already had a boa web server running on another machine hosting my internal portage tree with overlays, but I preferred ftp for this task as there was no need for a pretty interface and I thought it would be fun to setup.

It had been a while since I configured ProFTPD or any ftp server, and I can only recall setting up one anonymous ftp in 1999. Naturally ftp should be easy to setup with anonymous access, no messing with pam or an authentication stuff. The configuration is pretty much the same as apache, only not as long.

I’m running a really old install of Mandrake, now Mandriva, it was installed in the 25th of December 2001. The machine itself is a laptop Mobile Pentium MMX 200.457Mhz with the original patched/recompiled 2.4.8-26mdk build date Sep 23 17:06:39 CEST 2001. The uptime is back and the main disk is failing, but it has served me well as a web/mail server and development machine. The disk actually comes from a far older machine, which is in my computer cupboard. I’m digressing.

I was installing this ftp server and configured it with the example configs from ProFTP, but it didn’t work. I kept getting:

Connected to localhost.localdomain. 220 ProFTPD 1.2.2 Server (ProFTPD VServer Store) [rphh] 500 AUTH not understood. 500 AUTH not understood. KERBEROS_V4 rejected as an authentication type Name (localhost:root): ftp 331 Anonymous login ok, send your complete email address as your password. Password: 530 Login incorrect. Login failed. ftp> 221 Goodbye.

It couldn’t be the config, that was almost verbatim from the example.

User ftp Group ftp UserAlias anonymous ftp RequireValidShell off

So I searched on the internet and read the examples again and the ProFTPD Logins and Authentication howto. I didn’t find the answer until I read the ProFTPD Debugging Problems page and enabled debugging.

proftpd -nd5 The debug outputs: rphh (127.0.0.1[127.0.0.1]) - connected - local : 127.0.0.1:21 rphh (127.0.0.1[127.0.0.1]) - connected - remote : 127.0.0.1:1525 rphh (127.0.0.1[127.0.0.1]) - FTP session opened. rphh (127.0.0.1[127.0.0.1]) - received: AUTH GSSAPI rphh (127.0.0.1[127.0.0.1]) - received: AUTH KERBEROS_V4 rphh (127.0.0.1[127.0.0.1]) - received: USER anonymous rphh (127.0.0.1[127.0.0.1]) - received: USER anonymous rphh (127.0.0.1[127.0.0.1]) - received: USER anonymous rphh (127.0.0.1[127.0.0.1]) - received: USER anonymous rphh (127.0.0.1[127.0.0.1]) - received: PASS (hidden) rphh (127.0.0.1[127.0.0.1]) - received: PASS (hidden) rphh (127.0.0.1[127.0.0.1]) - received: PASS (hidden) rphh (127.0.0.1[127.0.0.1]) - received: PASS (hidden) rphh (127.0.0.1[127.0.0.1]) - no supplemental groups found for user 'ftp' rphh (127.0.0.1[127.0.0.1]) - USER ftp (Login failed): Invalid shell. rphh (127.0.0.1[127.0.0.1]) - received: SYST rphh (127.0.0.1[127.0.0.1]) - received: QUIT rphh (127.0.0.1[127.0.0.1]) - received: QUIT rphh (127.0.0.1[127.0.0.1]) - FTP session closed.

Which gives me my solution, I don’t have a group ftp or a valid shell. I had changed it previously to nobody:nogroup, which didn’t work. So I changed Group to nogroup, enabled RequireValidShell and restarted the server.

User ftp Group nogroup UserAlias anonymous ftp RequireValidShell off

I ended up spending an hour, where I could have spend 15 minutes because the install added the user ftp, but not the group. Oh well…

Originally posted here.

technorati tags: ftp, ncftp, proftp, boa, http, httpd, debug, authentication, login, server, mandrake, mandriva, chown, nogroup

Written by Daniël W. Crompton (webhat)

May 17, 2010 at 10:45 am

Posted in network, security

Tagged with authentication, boa, chown, debug, ftp, http, httpd, login, mandrake, mandriva, ncftp, nogroup, proftp, server

VeriSign PIP Browser Certificate workaround (PIN Request) #identity #openid

leave a comment »

VeriSign – Personal Identity Portal is a OpenID provider with multiple factor identification: Password +

Mobile Credential (phone or mail PIN)
Account Information Card (can be used by applications such as Microsoft CardSpace)
VeriSign browser certificate
VeriSign Identity Protection (VIP) Credential (Physical Token)

As I have a browser certificate linked to my old browser and couldn’t login with my current browser I had to figure out a workaround when I don’t have the browser certificate: PIN Request. On the page that does the browser certificate request there is a hidden link to get a PIN send by mail or mobile, which you can find here.

Hope that helps you.

Written by Daniël W. Crompton (webhat)

April 17, 2010 at 7:24 pm

Posted in identity, pki, security, technology

Tagged with authentication, certificate, identity, onetimepassword, openid, otp, password, pip, security, verisign

Implementation of Security #risk

with one comment

The lack of trained and experienced computer security people working in small to medium sized businesses today means that many times this is left to the regular IT departments to solve, if there even is an IT department. In many cases this leads to vendors educating the IT department on what are best practices, this is often to the advantage of both the vendors and the company. Important to remember is that such inequality and lack of knowledge on the part of the IT department can lead to a situation that when a vendor leaves the knowledge leaves with him/her. In the end the vendor is there to sell their software.

Read the rest of this entry »

Written by Daniël W. Crompton (webhat)

March 5, 2010 at 10:57 am

Posted in privacy, risk, security

Tagged with authentication, authorization, availability, certiﬁcation, confidentiality, integrity, maintainability, privacy, reliability, risk, security

Podcasts I Like – Speaking of Security #podcast

leave a comment »

The RSA Podcast Speaking of Security is one of my favourite podcasts covering security, not just because they are my former employers. They cover many of the issues faced by enterprises, many of the subjects such as online fraud and privacy, enterprise data protection, authentication strategies, and government policy are covered from enterprise perspective.

It’s also a good source of discussion on RSA’s Conference

technorati tags: security, podcast, compliance, pci, mifid, fraud, authentication, identity

Written by Daniël W. Crompton (webhat)

August 18, 2008 at 8:13 pm

Posted in review, security

Tagged with authentication, compliance, fraud, identity, mifid, pci, podcast, security

Clipperz, Online Password Share

with 4 comments

I was trying to think about what to say about SlideShare, so I was browsing the site to give me inspiration, it didn’t work.

What I did find was Clipperz, Clipperz makes it possible to login with one click. The username and password for the site is stored encrypted at Clipperz and is decrypted and posted to the site. I’ll use the example of /., the bookmarklet provided extracts the form and uses that to populate the login form.

{ "page": {"title": "Slashdot: News for nerds, stuff that matters"}, "form": { "attributes": {"action": "http://slashdot.org/login.pl", "method": "post"}, "inputs":[ {"type": "text", "name": "unickname", "value": "username"}, {"type": "hidden", "name": "returnto", "value": "//slashdot.org/"}, {"type": "hidden", "name": "op", "value": "userlogin"}, {"type": "password", "name": "upasswd", "value": "password"}, {"type": "checkbox", "name": "login_temp", "value": "yes"}, {"type": "submit", "name": "userlogin", "value": "Log in"}] }, "version": "0.2.3" }

To be entirely portable you can access the websites from a sidebar in your browser. Naturally this is a nice proof of concept for the real product they are selling: zero-knowledge web applications.

Zero-knowledge web applications is about making web applications more secure. Do you trust Google Documents with your confidential documents? You shouldn’t unless the data is stored without the knowledge of the SaaS provider. Clipperz password manager is the first zero-knowledge web application. This means that Clipperz knows nothing about its users and their data. They do this using a JavaScript library, based on Ajax and browser-based cryptography, which can be used to build applications that users can can use to manage their private data.

technorati tags: saas, business, javascript, security, authentication, identity

Written by Daniël W. Crompton (webhat)

July 26, 2008 at 8:07 pm

Posted in algorithm, business, identity, pki, security, web

Tagged with authentication, business, identity, javascript, saas, security

MySpace gains OpenID, FaceBook should

leave a comment »

Firstly I’m not using WordPress’ Press This feature any more, this is the third time I am having to post this after it ate 2 previous drafts. Maybe I should fix the GreaseMonkey script I build for /. to work on Press This.

After predicting the death of MySpace they have surprised me by adding an OpenID Identity Provider. Obviously they are only allowing you to use it to authenticate on other sites, but still is a step with others including FaceBook haven’t done yet. So I started to muse how FaceBook would be able to top it, and what I actually want from a OpenID Identity Provider:

Authentication (obviously)
FOAF
hCard (or other microformats)
Certificate Authentication (PKI)

ClaimID already has 3 of the 4, but their friend system requires some kind of social networking and as it is not a social networking site it doesn’t really cover FOAF completely. This is why integration of FOAF would be a good step for both FaceBook and MySpace.

MySpace is only acting as an identity provider, meaning that while you can use your MySpace credentials to sign into other Web sites, you cannot yet use your credentials from another OpenID provider to sign into MySpace.

Source: MySpace Opens Up First; Launches Data Availability on Flixster and Eventful

technorati tags: authentication, foaf, hcard, identity, microformat, openid, security