Password Safe

Whether it’s your bank’s website, OSCPA’s membership resources, or even just an email account, nearly everything we do on the Internet requires us to authenticate ourselves with a password. But passwords provide a virtually inevitable quandary: Any password that easily can be remembered can also probably easily be guessed. Worse yet, it is difficult enough to remember multiple simple passwords, much less multiple secure ones, so people tend to reuse the same password, or set of a few passwords, across multiple services, perhaps altering the passwords very slightly (and probably predictably) for each one, and that’s if we’re lucky. Add to this the sometimes draconian password policies requiring passwords to be changed on a regular basis, and it’s no wonder that passwords are such a problem today.

The ideal solution, of course, would be if everyone (we will use an apocryphal user Alice for simplification) used different passwords for each resource (email, banking, OSCPA, etc.), and if each password was secure. The importance of using different passwords for different services is the same as the importance of using different keys for different locks. Imagine if Alice used the same key for her car, her home, her mailbox, and her office. If a thief — let’s call her Eve — ever managed to copy the key, she would immediately have access to all of these locations, and Alice would have additional hassles with having to change so many locks. Furthermore, Eve could target the easiest location at which to copy Alice’s key — perhaps by impersonating a maintenance person at her work, instead of having to go directly to her house. The importance of Alice’s keys being secure (i.e., not easy to copy, not blank keys bought from the store, and of a shape not easily guessed) is, we hope, self-evident.

Password security involves a lot of different technical aspects, but the three take-away elements are this: Good passwords should be complex, utilizing both uppercase and lowercase letters, as well as numbers, spaces, punctuation, and other symbols; they should be long; and they should be random. Complexity is a measure of a password’s key space. Intuitively, the greater number of symbols that Alice’s password contains (e.g., letters and numbers instead of just letters), the greater the number of combinations of passwords that she could be using, and so the more passwords that Eve must guess. Length is a measure of a password’s key length. Once again, the longer a password, the more possible passwords there could be, and so the harder individual passwords are to guess. Finally, randomness is a measure of a password’s entropy, which can be thought of as measuring how hard it is to predict one letter based on another (for example, a password of “abcd” is less entropic and so less secure than that of “a3@Z”).

These days, a minimum amount of entropy that we should demand from our passwords is about 128 bits. In lay terms, this corresponds to a password of between 16 characters (containing a completely random sequence of every symbol of which you can conceive) and 64 characters (containing only regularly-typed English letters). Somehow remembering a litany of completely different passwords of these types, some of which must be changed on a regular basis, is understandably probably impossible (unless you’re Dustin Hoffman’s character in Rain Man). And if you write these passwords down, unless you store them somewhere safe, you might as well use weaker passwords that are easier to remember — and if you do store them somewhere safe, they’re probably not going to be easy to get to.
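An added example (not from the original article or from Password Safe): a Python sketch that works out how many uniformly random characters reach the 128-bit target for a given symbol set, and draws such a password from the operating system's CSPRNG. The symbol sets and function names are assumptions chosen for illustration.

```python
import math
import secrets
import string

TARGET_BITS = 128  # minimum entropy the article asks for

# Constructed symbol sets for illustration; not Password Safe's policy options.
ALPHABETS = {
    "lowercase": string.ascii_lowercase,
    "letters+digits": string.ascii_letters + string.digits,
    "printable": string.ascii_letters + string.digits + string.punctuation + " ",
}


def length_for_bits(alphabet_size: int, target_bits: int = TARGET_BITS) -> int:
    """Characters needed so a uniformly random password reaches target_bits."""
    if alphabet_size < 2:
        raise ValueError("an alphabet needs at least two symbols")
    return math.ceil(target_bits / math.log2(alphabet_size))


def implied_bits_per_char(length: int, target_bits: int = TARGET_BITS) -> float:
    """Entropy each character must carry for `length` characters to total target_bits."""
    return target_bits / length


def generate(alphabet: str, target_bits: int = TARGET_BITS) -> str:
    """Draw a password from the OS CSPRNG, long enough for target_bits."""
    symbols = sorted(set(alphabet))  # duplicates would skew the distribution
    length = length_for_bits(len(symbols), target_bits)
    return "".join(secrets.choice(symbols) for _ in range(length))


def report() -> list:
    """(name, alphabet size, bits per character, length for TARGET_BITS) per set."""
    rows = []
    for name, alphabet in ALPHABETS.items():
        size = len(set(alphabet))
        rows.append((name, size, round(math.log2(size), 2), length_for_bits(size)))
    return rows


if __name__ == "__main__":
    for name, size, bits, length in report():
        print(f"{name:15} {size:3} symbols  {bits:5} bits/char  {length} chars")
    # The article's two endpoints, expressed as entropy per character.
    print("16 chars ->", implied_bits_per_char(16), "bits/char")
    print("64 chars ->", implied_bits_per_char(64), "bits/char")
    print("sample:", generate(ALPHABETS["printable"]))
```

The length figures hold only for characters chosen uniformly at random; a human-chosen password of the same length carries less entropy.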

What’s the solution to this technical headache? Go ahead and use different, strong passwords everywhere — but only worry about remembering one of them. There are a number of different software solutions that will store your password for you, many built into the different operating systems, but the program we will be reviewing is Password Safe, which is free (in fact, open source), available for Windows (beneficial for many corporate environments, and programs compatible with Password Safe are available for other operating systems), and secure.

Upon launching Password Safe, you’ll be asked either to open an existing database or to create a new one (choose the latter if you’re using it for the first time). The fact that you can create multiple databases has a number of useful applications. For example, you could have one database for home and another for work, or one database for personal accounts, and another for group accounts, and the password database for the latter could securely be shared among multiple people. The password that you supply for each database will be all that is required to access the passwords inside, letting you remember just one key — the database password — while forgetting about the numerous secure passwords stored inside. If ever you need them, just open up Password Safe and pull them back out again.

Password Safe helps you manage your passwords in other ways as well, like coming up with good passwords in the first place (you can customize your password policy and even have the program generate a random password for you), storing account and other info along with them, remembering the last several passwords used, copying passwords to the clipboard without viewing them (for deterring shoulder surfers), changing how often passwords expire, and so on.

Finally, the databases that Password Safe creates are very secure, ensuring that if a thief somehow got access thereto, if the password you chose to protect it is secure, its contents will be, as well. The software is open source, so you can examine its code yourself and ensure it is up to no ill, and it was designed by the respected security analyst Bruce Schneier. To protect your information, databases are encrypted with the Twofish algorithm, one of the Advanced Encryption Standard finalists, and Password Safe has been reviewed by Schneier’s own Counterpane Internet Security, Inc. (now BT Counterpane, owned by BT Group plc). So whether you’re a grandmother at home or a corporate executive flying between Columbus and San Francisco, it’s time to set your excuses aside for not using multiple strong passwords everywhere and save yourself a headache of trying to remember them all.

Nothing to hide? Hide it anyway

If you’re like most Americans, you probably value your privacy. You’re probably not ashamed of anything, and you’re not doing anything wrong, but just on the principle of the matter, you would prefer to keep your private life private. If a stranger knocked on your door and told you that he was going to watch you read your mail, you would almost certainly call the police. If you saw your neighbors peeking through your living room windows as you watched TV at night, you would probably walk over and give them a piece of your mind. And if you found out that the government had been listening to your phone calls without a warrant, you would be outraged, and probably hire a lawyer to get justice and accountability. And all of these actions you would be justified in carrying out.

Just as you enforce your privacy in your tangible, day-to-day life, so, too, should you do so on your computer — especially as more and more of the activities that make up our usual days become digitized, are stored on hard drives, and are sent flying across the Internet. So it is somewhat mystifying to me that most of the people to whom I have talked about encryption seem entirely disinterested in taking the time to implement secure cryptography (see the end of this post for more information) on their computers.

Oftentimes, the first reaction to my suggestion that I hear is, “Why? I have nothing I need to hide.” But, while that is probably almost always the case, their reaction misses the point entirely. It’s not whether or not you have anything to hide, it’s whether or not anyone else has the right to pry, and in my mind, unless either someone is both legally authorized and justified in snooping on my data, or I give my consent for them to do so, I should keep the data on my computer as secure as possible.

It used to be the case that setting up good encryption was difficult, and that trustworthy software was hard to find — but this is no longer the case. While it is true that there are a glut of badly-written encryption programs that leave your data virtually as vulnerable as they were before, there are also plenty of respectable implementations that easily can be obtained and installed (see the end of this post), and no longer do you need a degree in computer science or mathematics to use them, either (although if you find Feistel networks or finite fields interesting there are plenty of technical aspects about which to learn as well).

The reasons aren’t purely philosophical, either, as there are serious risks in allowing data to sit unprotected on a hard drive. We store our home videos, vacation photos, tax records, hotel reservations, flight itineraries, bank statements, music, and business correspondences on our computers, just to name a few, and more and more, these data are not just sitting on our hard drives, but transmitted online, synchronized via servers located around the world, and categorized, indexed, dissected, and disseminated via the Internet and a litany of applications. So, just think of the potential devastation — financial loss, identity theft, character destruction, etc. — that could result from a breach of privacy on your computer.

Worse yet, it doesn’t take a skilled attacker or government spy for your information to be at risk. Social networking sites routinely encourage their users to volunteer reams of personal information; most grocery store shoppers don’t think twice about swiping their “frequent shopper cards” to gain access to special deals (and allowing the store to track their purchases); and, frighteningly enough, more than 70% of people would give up their passwords for a chocolate bar. Most people seem so incredibly careless with their information security that these and other signs of complacency only add emphasis to the fact that we collectively need to take more seriously the potential risks in leaving our data unprotected (not to mention giving it away) and abrogating our responsibilities — just as it would be irresponsible for us to leave our front doors unlocked and open at night, print our credit card numbers on the back of our shirts, or walk down the street announcing how much money we have and in which pockets we have our wallets.

If you value your privacy in other aspects of your life, consider taking more seriously your privacy when it comes to your computer and your “digital life,” for lack of a better phrase. It is both an issue of security and of philosophy, and it is a salient one. For respectable cryptographic software, consider TrueCrypt, PGP, GPG, and RSA. (For platform-specific options, consider also FileVault for Mac OS X and BitLocker for Windows Vista, both built into their respective operating systems.) For general cryptographic (and other) security information, check out Bruce Schneier‘s work (as well as his blog, Schneier on Security, and his books), the Center for Democracy and Technology’s cryptography page, and the Electronic Frontier Foundation.

Consider keeping some important data online

It is common for data security folks to tell you to be careful about what data you keep online and the risks associated. But I’m here to tell you why you should keep some of your data online. Because, while you should be careful about what data you put online – you should also be careful about what you don’t.

Consider the unpleasant scenario – a home robbery, house fire, storm, flood or some other loss. After the event you will need access to insurance documents, home photos and other important data. Now assume that you stored all that information on your home computer – all that information is now lost, and recovering it has just become much more difficult.

“But wait!” you say, “I keep all my data backed-up and stored in a fire safe so I’ll be alright.” You need to be careful with this assumption and should be aware of some facts:

  1. Thieves like stealing safes – they assume that you have something valuable inside that they want. 
  2. Fire safes are rated to a specific temperature for a specific amount of time – but the temperatures that are reached inside – while relatively safe for paper documents, at least for the rated period of time – can be catastrophic for your data storage media (backup tapes, CDs/DVDs, flash drives and pretty much all other media are susceptible to heat).
  3. Water, used by the fire department or the result of some act of Mother Nature, can cause damage to both your digital storage media and your paper documents within a safe. So even if you have taken measures to protect your data at home – it may not be quite enough.

No one wants to think that events like these might occur to them, but unfortunately no one is immune from the possibility. Preparation gives you the possibility to mitigate your risk in these situations. To help yourself prepare for some sort of catastrophic event like this I suggest that you look into keeping copies of your important data online. You may want to consider using an online document management service or one of the many online backup services available. Most online backup services provide reasonable protection of your data through encryption and other measures, and are a relatively safe (there is no such thing as perfect) means to protect your data from loss or theft – and will still be available to you should some catastrophic loss at home occur.

So remember, while you may not want to advertise information about yourself or put compromising data on the Internet, you really don’t want to avoid putting data up for that reason. With proper consideration most data can be reasonably secured online – and your disaster recovery solution could be considered an investment in your own future well-being.

Our data, wherever we are and whenever we need them

“Cloud computing,” like social networking (LinkedIn, Twitter, YouTube, et al.), is all the rage in this new era of distributed, collaborative, high-tech solutions to what are now everyday problems (some previously unknown until the time at which we arrived at a solution and forgot how we could have ever lived without them), and in the area of distributed, Internet-accessible file hosting, Dropbox reigns supreme.

Consider a fictional executive, Alice, who works frequently from home, and has a number of files that she needs to be able to access from both home and work. More importantly, she needs her files to stay synchronized between the two locations, so that if she updates an expense report at home in Upper Arlington she will have the up-to-date version when she arrives at work in Dublin, as well. Furthermore, while she is with her grandchildren in Manhattan, if she should realize that she forgot to record an expenditure, she needs to have access to that same up-to-date report.

In the past, Alice might have used a floppy disk, Zip drive, CD-RW, or, more recently, portable flash drive. But these media are susceptible to damage, and can be lost or stolen with relative ease. Adding encryption would keep Alice’s files secure, but at the expense of convenience and easy interoperability. She might choose, instead, simply to email the files to herself, but this solution is cumbersome, and sacrifices the ability easily to keep versions of her files in sync wherever she goes. Should Alice further discover that one of her fellow executives, Bob, also needs access to some of her files, both removable media and emailing herself become next to impossible to implement as workable solutions.

These types of problems are what Dropbox has been specifically designed to address. When someone downloads and installs Dropbox, the software (which includes a free version with limited but not insubstantial storage capacity) creates a special directory on that person’s computer (called his or her dropbox) which is linked automatically to the Dropbox servers. Any files placed in this folder are automatically backed up to Dropbox’s servers and stored securely and privately, accessible only to that user’s Dropbox account. Whenever a file is updated, the Dropbox software updates it on the server as well, and since Dropbox detects what portion has been altered, the software does not transmit the entire file each time, but, rather, only the changes, making this process virtually instantaneous for most files.

Furthermore, the Dropbox software can be installed on multiple computers and linked to the same account, and whenever a file is updated (or added, or removed) in one of the linked locations, it is updated (respectively, added or removed) elsewhere as well. If a file is deleted by accident, Dropbox can bring the file back from the dead. If a change is made that is later found to be in error, the software allows the user seamlessly to roll the file back to a previous version. And, should the user use a computer that is not his or hers, Dropbox allows full access to his or her files through an intuitive, uncluttered web interface.

As if that weren’t enough, Alice’s desire to share some of her files with Bob is met by Dropbox as well. Our apocryphal user can place files in a “Public” folder, wherein he or she can create a special URL allowing anyone, whether or not he or she has a Dropbox account, to download and view the files. If more collaborative access is desired, one can create a “shared folder,” which allows any number of additional people with Dropbox accounts to have full access to all the files in the shared folder, all other features (version tracking, un-deleting, synchronization across computers) intact as well.

All of this is more easily experienced than explained. If you ever find yourself wanting to have access to certain files wherever you are, trying to keep track of something that needs to be maintained by multiple people in multiple locations, or even just wanting an easy way to back up some important files without having to worry about extra hard drives or stacks of disks, download Dropbox and give it a shot. You just might find that it solves a problem you didn’t even know you had.

Cloud Computing

Recently, there has been a push by companies like Microsoft, SalesForce, Amazon and Google to use their cloud computing services as a platform to build applications. What makes this any different than running a server within your office and storing your business data there? Nothing. You’re just outsourcing number crunching power and storage.

If you use Gmail/Yahoo! Mail/Hotmail- guess what? You’re already using a cloud application. You have no knowledge of where data exists nor do (or should) you really care. You can reach that data from any computer where you have access to the Internet, and the entry cost to that data in terms of hardware is low.

What does a business gain by moving to a cloud computing model? Cost savings in terms of hardware, data storage and processing power, and less reliance on internal servers for 100% availability. To take advantage of these savings, you become reliant on access to your chosen cloud service’s servers, which means reliance on your ISP (as if any of us weren’t reliant on the web already); you have to rebuild your applications; and you no longer have your institutional data in-house.

Rebuilding applications to take full advantage of this technology is no small undertaking. Data that resides in your existing data store will have to be ported into your chosen cloud service and any application logic that speaks to your current data will have to be rewritten.

Why is this?

In terms of Microsoft’s platform, Azure, a developer has to now conform to a new standard of data storage rather than the ORM or ADO.NET model. Azure is made to deliver mass amounts of data and provide redundancy and recovery features- in order to meet this goal, you have to do things the Azure way. You, as a developer, have a layer of abstraction that sits on top of a network of database servers and no knowledge of how the data is stored in the most basic sense.

I am not going to push for using a SAAS model of development. I, personally, am no salesman. I am not sure I could convince a business owner that 10 years of work should be moved off-site. This is not to say that you must have all of your data off-site; you can pursue a hybrid model as well. I can, however, give one guideline that can ease the transition should it be something that your company wants to do.

Remove all of your business logic from your database.

This, in and of itself, can be a troubling task. I have worked on many applications that have had stored procedures that performed business logic- this has to change in order to use a cloud based platform. There is no more access to the database, so you have to write code that modifies data in the form of a service that runs in the cloud. Encapsulation is key for the cloud model to work.

As I am a Microsoft based developer, I have been focused on the platform that Microsoft has provided (which is said to have Java support soon). Some other examples of cloud service hosts:

Perl? I’ve seen those

So this morning I was asked to get content from a website out in plain text.

Visually, this means that the HTML code over on the left needs to be converted to straight text that can be viewed in Notepad without all of the tags.

As I have done some screen scraping in the past for other jobs, I am familiar with the concept of taking data from a terminal screen and working with it. I have not, however, done any sort of screen scraping for web content. 

My first step in the process is to ask what other people have used. I don’t want to re-invent the wheel if possible. As I am the only developer here, I find it useful to post questions on Twitter, as most of the people I follow have some attachment to the technical industry. I use it as an open messaging system- kind of like shouting down a hall and seeing who answers.

My first response was HTML::Strip. As someone who has been a Windows programmer for most of his career, focused on Microsoft based products (and not really web based platforms), this told me absolutely nothing. Google (or Bing… I’m trying…) tells me that this is essentially a Perl module. Huh?

So begins my morning’s quest for knowledge. I do a bit of digging, and I found that what I need to do first is get some type of Perl interpreter. These sorts of things come with Unix/Linux… but Microsoft pays for my life, so I use Windows. The top of my result list was fine for me, so I went with Strawberry Perl as my interpreter of choice.

As a value add, I get a CPAN Client, which is essentially a universal installer utility for installing modules that can be consumed by Perl scripts. Meaning that if you need to include a library that reads HTML pages and returns their content to you, you just tell CPAN the name of the library and it magically installs!

I need two things to get started:

  • HTML::Strip – the Perl library that strips content out of web pages
  • LWP::Simple – the Perl Library to manipulate HTML

After a bit more research I found that all I need to do is launch my CPAN Client and in the command prompt run install HTML::Strip, and install LWP::Simple. It’s really just that simple! No messing around with installer files. It just works. Now I can write a script that consumes those libraries.

This post is getting long and rather than just drag on with coding, here’s how we can scrape the text from a web page using Perl:

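#!/usr/bin/perl
use strict;
use warnings;

use HTML::Strip;   # removes HTML markup, leaving the text
use LWP::Simple;   # provides get() for fetching a URL

my $hs  = HTML::Strip->new();
my $url = "http://www.google.com";

# get() returns undef when the request fails, so check before parsing
my $content = get($url);
die "Could not fetch $url\n" unless defined $content;

# Strip the tags and print what is left
my $clean_text = $hs->parse($content);
print $clean_text;
$hs->eof;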

Done. That will write the contents of our $url variable’s web site to the screen. I save my script into a text file C:\strawberry\perl\Scripts\Scraper.pl (I use .pl as the file extension only for convention’s sake).

To execute my script, I open the command prompt and type perl C:\strawberry\perl\Scripts\Scraper.pl and the result is printed to the command window.

 

 

Obviously, I still have some work to do to make my little script a viable solution:

  • Scrape a specific target area on the web page rather than the whole page
  • Loop thru a list of pages to parse rather than just a single page

…but that’s the brunt of what I needed it to do. For all you Perl experts out there- I probably butchered your favorite language... sorry.

 
