Re: Security in 2017 (was "OK, the list *really* needs to be fixed")

2017-01-03 Thread J. Landman Gay
The limitation goes back to the time when routers cost upwards of $200 and 
hardly anyone had one. Things are getting better now for some manufacturers 
but still not all.


I'm more concerned these days about malware that attacks routers and the 
inability to find out if your current one is vulnerable.


--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software   | http://www.hyperactivesw.com



On January 3, 2017 5:42:47 PM Bob Sneidar wrote:


You may want to spend more than $35 on a router. ;-)

Bob S


On Jan 3, 2017, at 14:54, J. Landman Gay wrote:


On 1/3/17 3:42 PM, Richard Gaskin wrote:
My favorite example is wifi routers.  They ship with a default password
and login published in the manual, and more than 75% are never changed.

And almost all the routers I've had over the years won't even *let* you 
change the login name. It's always "admin" and that's it.  Pah.


--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software   | http://www.hyperactivesw.com


___
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your 
subscription preferences:

http://lists.runrev.com/mailman/listinfo/use-livecode






Re: Security in 2017 (was "OK, the list *really* needs to be fixed")

2017-01-03 Thread Bob Sneidar
You may want to spend more than $35 on a router. ;-)

Bob S


On Jan 3, 2017, at 14:54, J. Landman Gay wrote:

On 1/3/17 3:42 PM, Richard Gaskin wrote:
My favorite example is wifi routers.  They ship with a default password
and login published in the manual, and more than 75% are never changed.

And almost all the routers I've had over the years won't even *let* you change 
the login name. It's always "admin" and that's it.  Pah.

--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software   | http://www.hyperactivesw.com



Re: Security in 2017 (was "OK, the list *really* needs to be fixed")

2017-01-03 Thread J. Landman Gay

On 1/3/17 3:42 PM, Richard Gaskin wrote:

My favorite example is wifi routers.  They ship with a default password
and login published in the manual, and more than 75% are never changed.


And almost all the routers I've had over the years won't even *let* you 
change the login name. It's always "admin" and that's it.  Pah.


--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software   | http://www.hyperactivesw.com



Re: Security in 2017 (was "OK, the list *really* needs to be fixed")

2017-01-03 Thread Richard Gaskin

Bob Sneidar wrote:

> And redundant backups are just one more vector to your data.

Indeed it is.  The old adage "physical access = root" still applies.

I have a friend I met through my local Linux user group who does 
security audits.  One of the most common sets of problems he finds isn't 
with firewall rules or password policies, but server room doors propped 
open and ancient easily-picked locks.  And more than a few C-suite 
secretaries with their boss' password on a Post-It note on their 
monitor, viewable by anyone who enters the reception area. No, really.



> Really, security has to be balanced with usability. Absolute security
> is to never write, type, speak or otherwise store any information
> you want to protect, or which might give clues to any information you
> want to protect. This is of course absurd. We sacrifice some degree
> of confidence for some degree of usability. I personally do not do
> bit level encryption because of the reason stated below. It's too
> easy to lose everything. But locking down your information as best you
> can is always wise.

There is currently a spectrum with Usability on one end and Security at 
the other.  Changes favoring one tend to weaken the other.


I like to believe that the next frontier in UX is to make good security 
practices easy.


My favorite example is wifi routers.  They ship with a default password 
and login published in the manual, and more than 75% are never changed.


Some day we'll see a router vendor come up with a really nice solution 
to make updating the password on first-use super-easy.


And the first one to do it will get the lion's share of the market, 
because right now the rest are so cumbersome to set up that few bother.


--
 Richard Gaskin
 Fourth World Systems
 Software Design and Development for the Desktop, Mobile, and the Web
 
 ambassa...@fourthworld.com
 http://www.FourthWorld.com



Re: Security in 2017 (was "OK, the list *really* needs to be fixed")

2017-01-03 Thread Rick Harrison
Hi Bob,

That is both a great and terrible story!
One really can’t make this type of
story up either because it’s too bizarre.

Sorry to hear that it was a true one for you!
Thanks for sharing...

Rick

> On Jan 3, 2017, at 4:16 PM, Bob Sneidar wrote:
> 
> And redundant backups are just one more vector to your data. Really, security 
> has to be balanced with usability. Absolute security is to never write, type, 
> speak or otherwise store any information you want to protect, or which might 
> give clues to any information you want to protect. This is of course absurd. 
> We sacrifice some degree of confidence for some degree of usability. I 
> personally do not do bit level encryption because of the reason stated below. 
> It's too easy to lose everything. But locking down your information as best 
> you can is always wise. 
> 
> By way of example, I took a phone into Apple where I had the fingerprint 
> recognition enabled. The touch screen was intermittent, so I had them replace 
> the touch screen. They did of course, first have me disable the fingerprint 
> recognition, and turn off Find My iPhone. I got the phone back bricked. They 
> had damaged the cable that goes from the security chip to the logic board, 
> and now the phone was impossible to restore. The chip marries itself to the 
> board, and even replacing the cable would not have solved the problem. 
> Otherwise anyone could bypass the security by simply putting a new security 
> chip/cable in the phone. 
> 
> Yes, too much security is a bad, bad, very bad thing. 
> 
> Bob S
> 



Re: Security in 2017 (was "OK, the list *really* needs to be fixed")

2017-01-03 Thread Richard Gaskin

Rick Harrison wrote:

> Hi Richard,
>
> Remember that if just one bit/blob on your encrypted hard
> drive becomes unreadable, then you could lose
> everything on that drive.  That makes redundant
> backups over time even more important!

That was why I've been putting it off for so long.  But so far I've had 
such good luck with the encrypted volumes I've been using, and have such 
redundancy to my backups (I live in an earthquake-prone area), that for 
me it's the right time to consider the change.



> Have a great secure New Year!

Thanks.  And a safe and happy one for you as well.

--
 Richard Gaskin
 Fourth World Systems
 Software Design and Development for the Desktop, Mobile, and the Web
 
 ambassa...@fourthworld.com
 http://www.FourthWorld.com



Re: Security in 2017 (was "OK, the list *really* needs to be fixed")

2017-01-03 Thread Bob Sneidar
And redundant backups are just one more vector to your data. Really, security 
has to be balanced with usability. Absolute security is to never write, type, 
speak or otherwise store any information you want to protect, or which might 
give clues to any information you want to protect. This is of course absurd. We 
sacrifice some degree of confidence for some degree of usability. I personally 
do not do bit level encryption because of the reason stated below. It's too 
easy to lose everything. But locking down your information as best you can is 
always wise. 

By way of example, I took a phone into Apple where I had the fingerprint 
recognition enabled. The touch screen was intermittent, so I had them replace 
the touch screen. They did of course, first have me disable the fingerprint 
recognition, and turn off Find My iPhone. I got the phone back bricked. They 
had damaged the cable that goes from the security chip to the logic board, and 
now the phone was impossible to restore. The chip marries itself to the board, 
and even replacing the cable would not have solved the problem. Otherwise 
anyone could bypass the security by simply putting a new security chip/cable in 
the phone. 

Yes, too much security is a bad, bad, very bad thing. 

Bob S


> On Jan 3, 2017, at 12:46, Rick Harrison wrote:
> 
> Hi Richard,
> 
> Remember that if just one bit/blob on your encrypted hard
> drive becomes unreadable, then you could lose
> everything on that drive.  That makes redundant
> backups over time even more important!
> 
> Have a great secure New Year!
> 
> Rick
> 
>> 
>> This year I want to take this further. I just turned off automatic login; 
>> next I'll encrypt my home partition. ...
> 




Re: Security in 2017 (was "OK, the list *really* needs to be fixed")

2017-01-03 Thread Rick Harrison
Hi Richard,

Remember that if just one bit/blob on your encrypted hard
drive becomes unreadable, then you could lose
everything on that drive.  That makes redundant
backups over time even more important!

Have a great secure New Year!

Rick

> 
> This year I want to take this further. I just turned off automatic login; 
> next I'll encrypt my home partition. ...

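An added illustration, not part of Rick's message or anything posted to the list, of where on an encrypted drive an unreadable bit actually matters. Using only Go's standard library, it flips one ciphertext bit in a CBC-encrypted buffer and shows the damage stops at the affected block and the one after it, then flips one bit of the key instead (the analogue of a bad sector in the header that stores the volume key) and shows that every block is lost. The key, IV and plaintext are constructed demo values; CBC is used for simplicity, and the XTS mode that disk encryption normally uses keeps a data-region error to the single 16-byte block it lands in.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key (AES-256) and IV; not real secrets.
var demoKey = []byte("0123456789abcdef0123456789abcdef")
var demoIV = []byte("fedcba9876543210")

// cbc runs AES-CBC over whole 16-byte blocks; encrypt picks the direction.
func cbc(key, in []byte, encrypt bool) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, demoIV).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, demoIV).CryptBlocks(out, in)
	}
	return out
}

// damagedBlocks encrypts pt under demoKey, flips one ciphertext bit at byte dataPos (-1: none), decrypts with key, and lists the blocks that differ.
func damagedBlocks(pt, key []byte, dataPos int) []int {
	ct := cbc(demoKey, pt, true)
	if dataPos >= 0 {
		ct[dataPos] ^= 0x01 // an unreadable bit in the data region
	}
	got := cbc(key, ct, false)
	var bad []int
	for i := 0; i < len(pt); i += aes.BlockSize {
		if !bytes.Equal(pt[i:i+aes.BlockSize], got[i:i+aes.BlockSize]) {
			bad = append(bad, i/aes.BlockSize)
		}
	}
	return bad
}

func main() {
	pt := bytes.Repeat([]byte("sixteen byte blk"), 8) // 8 constructed blocks
	badKey := append([]byte(nil), demoKey...)
	badKey[0] ^= 0x01 // the same one-bit error, but in the stored key material
	fmt.Println(damagedBlocks(pt, demoKey, 3*16+5), damagedBlocks(pt, badKey, -1)) // [3 4] [0 1 2 3 4 5 6 7]
}
```

The asymmetry is the point: a bad sector in the data costs one file's worth of blocks, while a bad sector in the header costs the whole volume, so the header is the part worth its own backup.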


Security in 2017 (was "OK, the list *really* needs to be fixed")

2017-01-03 Thread Richard Gaskin

Bob Sneidar wrote:

> DON'T CLICK THE LINK!

Amen, brother. A wise default.  Click nothing in an email unless you're 
certain it is what it claims to be.


This article was eye-opening for me:

  The human attack surface, counting it all up
  Humans have become the primary attack surface for cyber criminals.



...which includes this gem:

"Ninety-one percent of attacks by cyber criminals start through email..."


As app devs we're making ever-fewer solo apps with isolated islands of 
information, increasingly supporting collaboration with client-server 
systems.


Protecting our users' data is of course a priority, but often what's 
more important to the attacker are the passwords and control of the 
server itself.


This requires all of us in this profession to take a fresh look at not 
only each individual part of a system, but the ways they connect to one 
another.


Email plays a central role in much of what we do, and refining our 
practices with how we use it can help mitigate risks to things that may 
not immediately seem related.


Last year I moved my email credentials from the main hard drive to an 
encrypted USB thumb drive. There are tutorials on the web for doing this 
with most email clients.  With that, stealing my laptop doesn't grant 
the thief access to my email; they'd also need to steal my thumb drive, 
and also have the password to that drive.


This year I want to take this further. I just turned off automatic 
login; next I'll encrypt my home partition.  I'm exploring options to 
run browsers exclusively in containers to isolate them beyond their 
sandbox.  I'm upgrading my password hashing and salting.  I'm replacing 
my SSH keys with longer ones.  And I'm reading more about these things 
for new things to add as I go.


Risk can never be eliminated, but it can be mitigated.  And as we've 
seen with the DDoS attack on the east coast in October, and the email 
hacks over the summer, much of the risk we face can be avoided with only 
a little diligence.


--
 Richard Gaskin
 Fourth World Systems
 Software Design and Development for the Desktop, Mobile, and the Web
 
 ambassa...@fourthworld.com
 http://www.FourthWorld.com
