Michael Jay Lissner

Enabling Two-Factor Authentication

2013-02-02T14:27:15-08:00

This post is as much Public Service Announcement as anything else. I didn’t realize that two-factor authentication had finally taken off. It’s practically vital for your email account (you’re asking for trouble without it), but in the past year or so, a bunch of other services have begun offering it.

Today I went on a little security binge, and found that I could turn on two-factor authentication at:

Google/Gmail
Yahoo
Dropbox
Charles Schwab (they send you a fob for free)
Facebook
Paypal
Amazon Web Services

One note about Charles Schwab is that getting their fob is great, but it’s hardly all you should do to secure your account. You should also set up what they call a “verbal password” that you have to provide whenever you call in. Without it, it’s pretty easy to get into an account via their surprisingly weak phone security.

Anyway, this is a pretty good list so far. The companies are using a handful of different techniques for doing this, but they all seem pretty solid in the end. Google’s, naturally, seems to be one of the most robust, but I’m impressed there’s so much offered.

Go set these up!

Analyzing Facebook’s Security Mechanisms

2009-11-15T17:43:55-08:00

For my Privacy, Security and Cryptography class, we studied a set of 13 principles for secure systems:

Security is Economics
Least Privilege
Use Fail-Safe Defaults
Separation of Responsibility
Defense in Depth
Psychological Acceptability
Usability
Ensure Complete Mediation
Least Common Mechanism
Detect if You Cannot Prevent
Orthogonal Security
Don’t Rely on Security Through Obscurity
Design Security in, From the Start

For our midterm, we were asked to analyze how Facebook exemplifies or does not follow these principles. It was an interesting assignment, which finally forced me to think more thoroughly about Facebook’s security policies, and I’m happy to attach my findings here.

For some people these may be rather run of the mill notes. For others, you may be surprised at poor security of the world’s biggest photo and social networking site.

Enjoy.

Testing Deletion Speed of Online Photo Sites

2009-11-14T16:28:44-08:00

Updates

2014-08-22: While updating this blog to a new platform, I wound down these tests and put notes about each service’s final result. After nearly five years, some of these sites still haven’t taken down the image.
2010-03-08: Added an image at drop.io
2010-01-28: Added an image at Orkut.com
2010-01-28: At the FTC privacy round table today, Facebook’s director of public policy, Tim Sparapani, claimed that information deleted from Facebook cannot be retrieved even by Facebook staff, because it is almost instantly deleted. I informed him this was not true in the case of pictures, and he said he would look into it. Will update this post when/if I hear more.

Background and Threat Model

Imagine an embarrassing photo of you is placed online by one of your friends. You ask them to take it down, and they do. Now, imagine that your enemy had gotten a link to that photo, and had posted it to their blog. You’d hope that your friend taking the photo down would in fact delete the photo, but I’m sorry to say that isn’t always the case.

Inspired by Jacqui Cheng’s article, I decided to test some of the more popular online services for photo hosting to see what happens when you press the delete button on a photo from their site. On November 14^th, 2009, I uploaded and then deleted the following image of a black box with white text to Facebook, Flickr, Picasa, MySpace, Photobucket, Shutterfly, Twitpic and WalMart. A few months later, I also added drop.io and Orkut:

When you look below, if you can see the black box for a site, that means that it was not truly deleted and is still live. You can verify this by clicking on the image. This is checked each time this page is loaded, so the information is constantly verified. If the image has been deleted, you will see the date that it was deleted.

There are a number of reasons why photo services might be lazy about properly removing images from their site, but until they have proper deletion mechanisms, we should all think twice about what we upload.

If there’s a service that is not shown here that you’d like to see, please let me know. And now, without further ado, I present, the ongoing results of the test:

Facebook

Facebook properly deleted the photo from their server as of May 27, 2010.

Flickr

Flickr began showing the following message approximately an hour after the image was deleted.

Picasa

Picasa properly deleted the photo from their server as of at least November 15, 2009.

MySpace

At an unknown time, MySpace began showing this photo instead:

Photobucket

Photobucket properly deleted the photo from their server as of at least November 14, 2009.

Shutterfly

As of 2014-08-22, Shutterfly still shows the original image on their server.

Twitpic

Twitpic properly deleted the photo from their server as of at least November 14, 2009.

Walmart

As of 2014-08-22, Walmart still shows the original image on their server.

Google Orkut (added 2010-01-28)

Despite being nearly shut down completely, as of 2014-08-22, Orkut still shows the original image on their server.

Drop.io (added 08 March 2010)

Drop.io properly deleted the photo from their server as of 8 March 2010, the day it was added.

Rethinking Facebook Privacy Settings

2009-08-17T12:09:06-07:00

Ars Technica has an article today outlining some excellent techniques for safeguarding your privacy while using Facebook. One of the best methods explained in the article is to cordon off your friends into different groups of people, and to then set different permissions for those groups. Thus, the common technique is to put your ex-partners into one group, your friends into another, family into another, and thus down the line.

But in practice this technique is nigh on impossible. I have family members (such as cousins) that are close friends, and so-called friends that, really, I haven’t talked to since high school. Beyond this, managing the groups is a problem too since over time, some of your friends become closer and others more distant.

Thinking through this problem, I have come up with a better, and perhaps more obvious solution: Simply organize your Facebook friends into groups based on how much you want those people to know about you. In practice I found this to be fairly simple with only three groups: Loose Privacy, Standard Privacy, and Strict Privacy. Bosses, ex-partners and distant friends go into the Strict category, close friends and current partners go into the Loose category, and everybody else goes into the Medium category.

Admittedly, this dumbs down the power that Facebook gives you to categorize your friends into groups, but in practice, it’s much easier to maintain, since there are only three lists, and it’s clear who belongs in which.

A second group of settings that people are likely unaware of are those that “limit what types of information your friends can see about you through applications.” These are important and creepy because by default, when your friends install an application, that application can see and aggregate an incredible quantity of information about you, even without your or your friend’s permission or knowledge. As part of its dotrights campaign, the ACLU is currently working on an application that demonstrates this loophole, but for the moment, it’s probably wise to adjust these settings.

To adjust these settings so third-party applications can see as little information as possible (without your friends simply not using them), go to Settings > Privacy > Applications, and then click on the “Other” tab (this link should also work, if you’re logged in). Once on that page, uncheck all of the boxes in the first section, and save your settings.

Twitter (and Facebook) Integrated

2009-01-25T13:03:03-08:00

I upgraded the site a bit today by adding my Twitter/Facebook feed to left-hand sidebar. To a teenager in Colorado I am indebted for this script. Jeez, they just get younger and younger.

Let me know if you catch any bugginess.