Friday, June 15, 2012

not-so-secret questions...

You want to know something that drives me nuts?

Password reset questions.  Yeah, I know, I'm not the only one, and it's certainly not an original or new complaint...But hey, it's the first time I've complained about it (in this forum, at any rate).

As anyone in InfoSec can attest, password-based authentication systems are frequently flawed...But when your only interaction with your customers is an impersonal remote connection -- via a seemingly-infinite variety of potential computing devices -- password-based systems are easy to implement & manage.

As an end user with little visibility to the protections implemented by a given website, the only sure way to mitigate risks associated with potential weaknesses is to take matters into your own hands...Use strong passwords...Rotate them on occasion...Don't use the same password for multiple sites.  If you hang out with any InfoSec geeks, I'm sure you've heard this all before.

Analog Password Manager
And unless you have an eidetic memory (or an office that looks like a scene out of Conspiracy Theory), keeping track of your passwords when following such a practice can get rather complicated...So, to my friends & family, I usually recommend a password manager like LastPass (there are others, but I prefer LastPass because it supports a variety of multi-factor options).  And for my coworkers, I usually hand them a page from my notebook (pictured).

So you do everything right. You get yourself a password manager. You set long, meaningless passwords with letters, numbers, symbols...maybe even the occasional umlaut (otherwise known as "röck döts,")...And then one day, you log in to your bank, and they ask you to provide answers to some secret questions, in case you ever need to reset your password.

Seems like a good idea, right?  I mean, I'd hate to lose access to my online account.  Because then I'd have to go interact with a teller face-to-face. And honestly, I don't exactly remember how that works....there was...something on the news...about wearing not nylons on your head...Anyway, not that it matters -- I'm pretty sure the closest physical office for my bank is roughly 1300 miles from my home.

So, yes, it seems like it'd be good to have a backup plan, in case I forget my password.

But... mother's maiden name?  I'm from a small town; how hard can that be to figure out?  Name of my first pet??  I'd give that info up during a casual conversation without even thinking about the risk.  Father's middle name?  That's gotta be statistically easy to extrapolate.

A decade ago, before social networks became all the rage, there may have been a few questions in the pool that would have felt a little difficult to guess.  But today, there are Facebook apps trying to build out your family tree.  Your favorite book/movie/food/hamburger-topping/band/band-name-that's-also-a-city/breed-of-fish/etc is all potentially published right there at the top of your profile.  Seven-hundred-thirty-six of your closest friends, most of whom wouldn't know your name if you ran into them on the street, are wishing you a happy birthday on your wall.

And we thought password-based systems were weak before this.

Sure, you can take some basic precautions to help your own children...Name your pet something uncommon, perhaps with a hyphen or apostrophe. But nothing stops them unraveling your careful work by posting an update on Twitter, "Taking my new pet, O'Fluffy-the-Kitteh, to Grandma MomsMaidenName's house where she grew up, in Bumbletucky, for my birthday next Tuesday."

My guidance to end users? Don't answer those password reset questions accurately. If the site is "high value," (your bank, or something that could be used to order & ship expensive koala meat), create random strings of text & store your answers in the notes section of your password manager.

And my guidance to companies implementing such practices?  Look, single-factor password systems were weak before...maybe it's time to move forward?  Look at how Google implemented 2-step verification, or look at how LastPass enables multifactor with the Google Authenticator. If you're a retail site, and I forget my password, I don't mind if you lock my transaction history & force me to reset any stored payment methods (I'd actually prefer it).  If you're running a low-sensitivity comment forum, I probably don't need anything more than email confirmation for the reset.  Just...don't further compromise your whole system just to save a couple bucks on customer support....It won't save you anything, in the long run.

and +B!ng(0) was his name-o

Monday, June 11, 2012

and now, a word from our author...

Let's kick off this new blog with a bit of an introduction...

First, a bit about my nom de plume...I've been operating online as TrackZero since the Dark Times, when Prodigy & CompuServe were still real, squelching things you could summon through arcane portals, opened by the ancient, wailing incantation of modem-song.  The alias is a reference to the old CHS method for addressing locations on a hard drive. Track0 contained the partition table (layout information for the rest of the disk) and the bootstrap code required to fire up the operating system...So without Track Zero, all the other bits were basically meaningless.

Perhaps, in the very beginning, I thought to use the alias as a veil for my real-life identity...but after a cursory glance at the echos left by simply participating as a consumer of modern conveniences, the illusion of potential anonymity in a tech-centric world was quickly dispelled.

TrackZero is now, for all practical purposes, my always-on persona.  I've done little to firewall the pseudonym from my real-world identity.  I've lived in states that freely published their DMV records (with SSN!), I've gone to schools that blindly published fully-populated, anonymously-accessible CSOPhonebooks, and I've received data-breach notices from more institutions than I care to recount...So if you're a skiddie and you want to show me how fast I can be doxxed, you'll understand why I don't seem shocked or impressed.

Well, that's the name...origin of the brand, if you will.  And the guy behind it?  I'm a hacker, and have been since well before it took on any lawless connotation.  Many had rightly identified me as a geek, at a time when the less-technical local villagers would have considered such a title to be a derogatory term. My peers were often perplexed as to why I would accept --if not happily wear -- such insult so proudly; I like to think it's because I knew what was coming next.

Throughout my career, I've built a broad range of expertise across many Information Technology disciplines. I started as a COBOL programmer, but I quickly moved to infrastructure engineering.  My niche areas include Information Security, Client/End-User, Systems Management, and Identity & Directory services.  Other strengths include Windows Server, messaging, and many aspects of network engineering & operations.  I published or contributed to a handful of technical books back in the days when they still made 'em out of dead trees.  I'm a CISSP, but don't hold that against me...I've known this stuff since well before anyone started peddling certifications.  Sometimes you just need the right acronym to get 'em to open the door.

In Real Life, I can fake a fairly respectable corporate persona.  Enough so that I've been in mid-level management for Fortune 50 companies for the last ten years.  This is the Management Track, as it were, and I can keep him out there for years on end, when I need to. always feels a bit like holding my breath.

And eventually, I've gotta breathe.


trackzero: rebooted

Well, hey, everybody!  Welcome back!

If you're just tuning in for the first time, thanks for visiting, hope you like what you see...Check back with us* periodically...I'm told it's frequently entertaining, occasionally educational, and often terribly inaccurate...

What's that?  Where have I been?  Ah....yes, that.  It's been a long time.  A little over five years, since I last published anything. Sorry, no-longer-faithful readers (of which, upon this fresh, inaugural post, to my brand-spankin'-new domain name, there are exactly none).  I stopped all professional writing and most personal blogging with my last job change/cross-country relocation...but recently, the domain became I snapped it up, and here I am.

Yep, back on line. An old-school blogger, back blogging 'bout blogable bits, on this, my blog.

Hmm.  Turns out, I still detest the word "blog." (damn you, Peter Merholz)  But it's been over a decade now, and I still haven't been able to convince anyone else to call 'em weasels, so I'll go with the public consensus.

My intent, circa post one, is for this to be my InfoSec/Technology industry professional blog.  I'll stick to the social networks for the occasional personal ramblings.

Welcome back my friends, to the show that never ends.