a companion discussion area for blog.codinghorror.com

There is no longer any such thing as Computer Security


#1

Remember "cybersecurity"?

Mysterious hooded computer guys doing mysterious hooded computer guy .. things! Who knows what kind of naughty digital mischief they might be up to?


This is a companion discussion topic for the original entry at https://blog.codinghorror.com/there-is-no-longer-any-such-thing-as-computer-security/

#2

As I understand it, the “big win” of going to U2F is that your key will only respond to the challenge after the browser verifies that it’s talking to the same site that was used for initial setup. You initialize a key for facebook.com, then it will never be used to answer a challenge for facabook.com. The thing is, password managers already solve this problem for your first factor. If I clicked on one of the phishing examples in the post, got a Google login prompt, then didn’t see at least my username auto-filled, warning bells would be going off because the browser doesn’t think it should populate form fields with the values I’ve used previously on google.com. Of course, passwords can still get phished, doesn’t address second factor, etc etc, but it’s definitely worth educating users about this – if your browser doesn’t treat the site like “real Google”, notice the signs!


#3

Somehow we also need to stop ‘experts’ from disabling paste to password entry fields so that they are ‘more secure’…


#4

I’m going to be pedantic, so feel free to skip ahead, but he actually got TWO words wrong and that makes me think his defence might be a bit suspicious.

This is a legitimate email.
This is an illegitimate email.
Or
This isn’t a legitimate email. - But you wouldn’t write it like this, for obvious reasons.

I’ll give him the benefit of the doubt, though.


#5

Even better than enabling 2FA, which you absolutely totally should do, where possible enable authentication using an app.
Microsoft sites let you log in using the Microsoft Authenticator app, which I’m not going to say is impossible to subvert, but which, for now, makes simple phishing attacks all but impossible.


#6

It would be interesting to see the reasoning to some of the advice given here.

  • Why is an Android phone inherently insecure?
  • What is wrong with Firefox or Tor browser?

etc.


#7

Of course using a U2F key involves putting a USB stick into your computer, which can lead to an instant compromise of the whole device. Counterfeit keys seem an easy attack vector.


#8

This stunk to me too. It doesn’t pass the “smell test” at all. I don’t give Delevan the benefit of the doubt at all and call total BS. Given the basically career-ending mistake he made, I can’t say I blame him for lying though.


#9

I would also be interested in learning more about their reasoning. Since they are listed "for non-profits and journalists," these strike me as the kind of rules that you give non-tech people to make sure they don’t do something wrong.

In that case, there are some Android phones that are secured, with OS encryption on out of the box (Pixel line for sure, likely other high-end phone makes), but plenty of the budget phones are not sacrificing the horsepower to encrypt. I would see advice of “iPhone or nothing” as a security shield against cheap managers. If you crack open the door to Android, you’re much more likely to get something massively insecure if you cheap out, but not so with an iPhone. And I say this as an Android or bust kind of guy.

The guide was last updated in May of 2017, so Firefox Quantum wasn’t out yet, which might receive a different mark from them than previous versions.


#10

Is it just me or are nearly all of the images in this blog post broken?


#11

Those things and a couple of others made the whole list feel a bit like an ad to me. Calling out specific products just smelled a little off to me.


#12

It kinda did, but it makes sense. If one product is inherently better at the thing that is your top priority, then you should probably use it.


#13

Ah, okay, if iPhones are encrypted by default then that makes a lot of sense, I did not know that. It is much easier advice to give than “Here is the list of specific Android models that you can buy”.


#14

I think that was done for the benefit of simple users who don’t know what to select or what to trust. Still, adding more than one choice would have been good then.


#15

What does that encryption do, actually? Mine is encrypted by default too, but I don’t know what benefits I get from that, since it can be turned on without any codes anyway.


#16

Funny that your email was marked as spam (even if you have DMARC), and your blog link is marked as suspicious… :) Nice post, very much agree!


#17

Ummm "Uninstall all anti-virus software" WTF


#18

I see your point, since the app would only talk to the real website, and not the fake phishing one, this could be a practical alternative. Interesting.

Right, but this is the same argument for using an iPhone (or any device) that you did not open from a visibly sealed box as shipped from the manufacturer. One of the creepy things about the Snowden docs was Cisco routers shipping from the factory pre-compromised.

So TL;DR as long as you buy them from a reputable source and they are in sealed boxes, you have to assume they are not compromised. Or else you no longer live in a sane world.

I have seen several reports of that, and it smells like CDN issues to me. The blog is behind cloudflare which is automagically doing DNS based CDN routing to the images.

There are too many third-party fingers in the Android pie for it to be secure. And Apple SoCs have been way ahead on hardware security (as well as general performance) for many years now. Your best security value at the time of writing is a certified refurbished iPhone 7 direct from Apple.

You’re right, if you have no login security they’d just pick up your phone and physically look at it. Most people have some form of login security, though, which is why you’d try to bypass that by poking through the storage system directly. That’s what default filesystem encryption solves for you.


#19

Also interesting! I didn’t consider that he possibly screwed up and was trying to hide that fact by claiming he mistyped a word.


#20

The thing is, password managers already solve this problem for your first factor.

Yes, I was going to say the same thing. Besides taking care of storing and generating unique, strong passwords, they also have this nice side effect that they are so much better than humans, even trained ones, at separating the correct domain from phishing attempts. This is rarely mentioned as much as it should be, IMO.