Marianne Plays With Computers

My Digital Adventures

Should I Shop Online? — June 29, 2015

Should I Shop Online?

I know a lot of people who are afraid to shop online for fear of their credit card information being stolen. Here are the reasons you shouldn’t be afraid, and some areas where you should be cautious.

E-Commerce Visa (Test tamron 17-50 2.8) via photopin (license)

I don’t want my credit card information online

Like it or not, your credit card information is already online. When you use a card in a bricks-and-mortar store, they send the information to a payment processor. Guess how? And there have been several high-profile breaches of these middlemen in the payment process in the last few years.

I don’t want to lose money.

If you report fraudulent charges as soon as you realize what has happened, your liability is limited to $50 by federal law. Most card issuers will actually waive this liability altogether. This does mean keeping up with your purchases and reconciling them with your statement, but you’re doing that anyway, right? Right? Well, you should be, anyway.

I don’t trust the merchant.

That’s a good reason to be cautious, but well-known online merchants can generally be trusted. You can shop at the website of your favorite bricks-and-mortar store. Companies like Amazon that are publicly traded are accountable to a board of directors and government entities. They’re probably not going to gamble their reputation by cheating you on that $100 hard drive.

I want to see something in person before buying it.

Ok, that’s a good reason to get in the car and drive to a bricks-and-mortar store. But you can still check the online stores to make sure you’re getting the best deal.

So how about those safety tips?

Shop at well-known stores.

Like I said above, amazon.com is a safe store to shop at. The online version of your favorite bricks-and-mortar store should be, too. That Canadian pharmacy site that says it’s “just as good as Viagra?” Maybe not so much.

Verify the address.

Especially if you’ve clicked on a link from another site or from an email, check the address bar before doing anything to make sure that you are on the site that you think you are on.

Check for the lock symbol.

Modern browsers all show some kind of lock on the address bar when you’re on a secure website. Never enter your credit card information, or any other sensitive information (like a password, or even things like your email address) unless you see it.

My Password’s Been Compromised! What now? — June 24, 2015

My Password’s Been Compromised! What now?

If you’re lucky, you hear it from the company. If you’re not, you hear it on the news. If you’re really unlucky, you never hear about it at all! A company you do business with has been hacked, and your password may have been compromised. So what do you do?

First, as The Hitchhiker’s Guide to the Galaxy says, don’t panic! In most cases, what this means is that someone may or may not have a cryptic blob of text that is associated with your user name. This blob of text is called a hash, and if it’s a good one, it will be very difficult for someone to reverse engineer it to get your password. There are some things you can do to make it even more difficult for them, though.

For well-hashed passwords, the only way to get the original password is to a) guess it, or b) brute force. It may be easier than you think for someone to guess your password. Is it a series of adjacent keys? Your favorite sport? Favorite animal? Dream car? Eighth-grade boyfriend’s name? Yeah, so is everyone else’s. To prevent your passwords being easy to guess, don’t use words or names, or even famous phrases (trustno1, anybody?) in your passwords.

To prevent it being brute forced, make your password long. No, longer. No, even longer than that! This is why many sites require you to have a password with a minimum length. (I don’t know why they require you to have a password with a maximum length. That’s terrible.) I did a hash-cracking project a few years ago, and to even be close to non-brute forceable (by me, an amateur), a password needed to have more than 8 characters. That number can only go up as CPUs and GPUs get faster and storage density goes up. Another factor in the brute force method is the character set used. I hope your password already includes upper and lower case letters and numbers. If special characters are allowed, throw some of those in, too.

You also should never, ever use the same password for multiple accounts. Why? Because if your password is compromised from a site with poor security (like, say, social media application company RockYou), you don’t want that plaintext password that’s now posted online to also be your online banking password.

So you can’t use words or names, but it has to be really long. You have to use weird characters. And you have to have a whole new one for each of the jillions of websites you use. Oh, and did I mention that you should change them all periodically? This is getting to be a Sisyphean task.

photo credit: Stupid DRM via photopin (license)

Well, current best practice is using a password manager. I know, I know, they may have gotten some bad press lately. But if you read beyond the headlines, it’s not as dire as it sounds. There are even password managers that never store any of your data anywhere but on your own computer. (But bear in mind, that means that your data is only on your computer. No backups.)

A good password manager should ensure that only you have access to all your passwords. Yes, there is one (hopefully) long, strong password that rules them all, but one password is much easier to change (and remember!) than all of them.

How to find a good password manager? I’m glad you asked. Lifehacker made a good list of the best ones. Read about them. Think about where and how you need to use it. Do you need a mobile version? Cloud backup? Password generation? Try them out. Pick the one that’s best for you.

With your new password manager and good password hygiene, news about a site you use being hacked can be more of an inconvenience than a disaster.

Milter Power! — June 18, 2015

Milter Power!

I started on a new (to me) project about a year ago, and the first big task that I was assigned was to create a milter. What’s a milter, you ask? So did I. The word is a portmanteau of “mail filter,” which is pretty much what it sounds like – a plugin to your email server that you can use to filter the mail, or do all kinds of other interesting things.

This project is primarily written in Java, and I’m primarily a programmer in Java, so the implementation I chose to work with was sendmail-jilter. (Get it? Java milter? Jilter?) This project provides a nice little SimpleJilterServer that handles the communication to and from the mail transfer agent (MTA). All I had to do was implement an interface, or even easier, extend the abstract class they provide.

The way it works is that as the MTA receives the message, it sends the pieces to the SimpleJilterServer, which calls the appropriate methods on the jilter.

The methods get called in the following order:

  • connect(String hostname, InetAddress hostaddr, Properties properties)
  • helo(String helohost, Properties properties)
  • envfrom(String[] argv, Properties properties)
  • envrcpt(String[] argv, Properties properties)
  • header(String headerf, String headerv)
  • eoh()
  • body(ByteBuffer bodyp)
  • eom(JilterEOMActions eomActions, Properties properties)
  • close()

The method names should be pretty self-explanatory if you’re familiar with the SMTP protocol. If not, you can read this post that I wrote about it.

The envfrom method’s argv argument is an array of the email addresses received with MAIL FROM. Ditto for the envrcpt method, except that is, of course, the RCPT TO addresses. These contain the bytes off the wire, so if you want the actual email addresses, you will need to parse them with javax.mail.internet.InternetAddress or a similar class.

The headers, however, come one at a time into the header method. If you’re planning to compile and recreate the complete email for some reason, this is the place to start. The eoh method is called when the server gets that empty line that is supposed to follow the headers. It seems a little useless, but it can come in handy if, for example, you want to know that a certain header definitely was not received.

The body method gets the rest of the message, including any attachments. Be careful here, though. The body can get broken up into chunks, so if you need to do something with the whole message, wait until you’ve gotten them all. How do you know when you’ve gotten them all, you ask? When the eom method gets called.

The eom method is where the real power (and fun!) of the milter is. Using the JilterEOMActions object that gets passed in, you can change the message that the MTA passes on. This is another area where this implementation makes things really easy for you. The actions that you can perform here are:

  • addheader – Add a new header to the message.
  • addrcpt – Add a recipient to the message. This will basically be a BCC if you don’t add a corresponding To or CC header.
  • chgheader – Change an existing header. This can also be used to add a new header or delete an existing one.
  • replacebody – Change the body of the message. This is where saving all the chunks can come in handy.

Oh, and one other thing I forgot to tell you? After any method call you can tell the MTA what to do with the message. Each method calls for a return value of type JilterStatus. The possible statuses are:

  • Accept – You are done with the message, don’t want to see any more, and it can be passed to the next person who cares.
  • Continue – You don’t have a problem with this message, but you want to continue to get it.
  • Discard – This message needs to be thrown away! (But don’t tell the sender.)
  • Reject – Tell the sender we don’t want this stupid message!
  • Tempfail – We’re having technical difficulties. Please try again later.
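As an added example (my own code, not from this post or the sendmail-jilter project), here is a jilter that puts the callbacks above together: it parses the MAIL FROM argument with InternetAddress, refuses senders from a constructed deny-list domain, buffers the body chunks until eom, and then tags the accepted message with a header. The class JilterHandlerAdapter, the JilterStatus.SMFIS_* constants, the PROCESS_* and SMFIF_* flags, one handler instance per connection, and the IOException thrown by the JilterEOMActions methods are all assumptions about the sendmail-jilter API; the domain list and the X-Example-Jilter header name are made up for the example.

```java
// Added example; assumes the sendmail-jilter API named in the lead-in.
import com.sendmail.jilter.JilterEOMActions;
import com.sendmail.jilter.JilterHandler;
import com.sendmail.jilter.JilterHandlerAdapter;
import com.sendmail.jilter.JilterStatus;

import javax.mail.internet.AddressException;
import javax.mail.internet.InternetAddress;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;

public class TaggingJilter extends JilterHandlerAdapter {

    // Constructed deny list; a real deployment would load this from configuration.
    private static final Set<String> DENIED_SENDER_DOMAINS =
            new HashSet<>(Arrays.asList("example.invalid"));

    // Per-message scratch state (assumes one handler instance per connection).
    private String sender = "";
    private boolean sawSubject = false;
    private final ByteArrayOutputStream bodyChunks = new ByteArrayOutputStream();

    @Override
    public int getSupportedProcesses() {
        // Only ask the MTA for the callbacks this jilter actually uses (flags assumed).
        return JilterHandler.PROCESS_ENVFROM | JilterHandler.PROCESS_HEADER | JilterHandler.PROCESS_BODY;
    }

    @Override
    public int getRequiredModifications() {
        // We add and change headers in eom(); declare that up front (flags assumed).
        return JilterHandler.SMFIF_ADDHDRS | JilterHandler.SMFIF_CHGHDRS;
    }

    @Override
    public JilterStatus envfrom(String[] argv, Properties properties) {
        // argv[0] is the raw MAIL FROM argument off the wire, e.g. "<me@mymail.com>".
        try {
            sender = new InternetAddress(argv[0]).getAddress();
        } catch (AddressException e) {
            return JilterStatus.SMFIS_REJECT;   // unparseable sender: tell the sender no
        }
        String domain = sender.substring(sender.indexOf('@') + 1).toLowerCase(Locale.ROOT);
        if (DENIED_SENDER_DOMAINS.contains(domain)) {
            return JilterStatus.SMFIS_REJECT;   // refused before the body is ever sent
        }
        return JilterStatus.SMFIS_CONTINUE;     // no problem so far, keep sending it
    }

    @Override
    public JilterStatus header(String headerf, String headerv) {
        if ("Subject".equalsIgnoreCase(headerf)) {
            sawSubject = true;
        }
        return JilterStatus.SMFIS_CONTINUE;
    }

    @Override
    public JilterStatus eoh() {
        // End of headers: from here on we know for certain whether a Subject arrived.
        return JilterStatus.SMFIS_CONTINUE;
    }

    @Override
    public JilterStatus body(ByteBuffer bodyp) {
        // The body arrives in chunks; accumulate them and wait for eom().
        byte[] chunk = new byte[bodyp.remaining()];
        bodyp.get(chunk);
        bodyChunks.write(chunk, 0, chunk.length);
        return JilterStatus.SMFIS_CONTINUE;
    }

    @Override
    public JilterStatus eom(JilterEOMActions eomActions, Properties properties) {
        try {
            eomActions.addheader("X-Example-Jilter",
                    "scanned; bytes=" + bodyChunks.size() + "; from=" + sender);
            if (!sawSubject) {
                // chgheader on a header that does not exist adds it, as the post notes.
                eomActions.chgheader("Subject", 1, "(no subject)");
            }
        } catch (IOException e) {
            return JilterStatus.SMFIS_TEMPFAIL; // technical difficulties, try again later
        }
        return JilterStatus.SMFIS_ACCEPT;       // done with this message
    }

    @Override
    public JilterStatus close() {
        sender = "";
        sawSubject = false;
        bodyChunks.reset();                     // do not leak state into the next message
        return JilterStatus.SMFIS_CONTINUE;
    }
}
```

Rejecting in envfrom rather than eom means the MTA never has to receive the body of a message that is going to be refused anyway, and returning Tempfail on an I/O failure tells a legitimate sender to retry instead of silently losing the mail.
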

No, It’s Not Secure. But That’s OK. — June 14, 2015

No, It’s Not Secure. But That’s OK.

Lurking in security- and consumer-related forums, I constantly see questions like, “Is this encryption secure?” “I heard that I shouldn’t do such and such because it’s not secure.” “How should I configure this to make it secure?”

If you hang around security people very long, you’ll eventually have one of them tell you that if you want to make something perfectly secure, pull all the cords out of it, turn it off, bury it in 10 feet of concrete, and drop it in the Mariana Trench. Then it will definitely be secure. Of course, it won’t be usable either.

We tend to think of security (like so many other things) as binary: either something is secure or it’s insecure. The result of such thinking can lead us to believe that we are “secure” because we’re using encryption, or whatever. But because we have determined that we are “secure,” we forget to look at where the data goes once it’s decoded, or how we’re generating and storing the key, or who has access to it. Conversely, it can lead us the other way into worrying about the NSA reading our email and finding out that our kid got detention, or wondering how to hire people to develop code without giving them access to it.

The reality is that security is a continuum and a process. You take a risk every day by getting in a car. Don’t drive? There are risks in staying home, too. In the real world, most of us have settled into (rationally or irrationally) a level of security that we are comfortable with. We need to learn to do that with our digital lives, too.

The Nitty-gritty of Email — June 10, 2015

The Nitty-gritty of Email

I check my email about a zillion times a day. You probably do, too. I access it through a webmail interface, through a client program, and even through my phone. But how does email make its way around the web?

Email is transferred via the Simple Mail Transfer Protocol, or SMTP. It looks cryptic at first, but there’s really not all that much to it. You can even create and send email manually, without using a client. Here’s how.

You’ll need to use a connection protocol like Telnet. This is probably already installed on your Linux or Mac, and can be installed on Windows from the Control Panel. You’ll also need a mail server to connect to. You can install and configure an open source one on your computer to play with if you don’t have access to one.

Once you have your infrastructure set up, it’s easy:

telnet my.mail.server 25
HELO my.domain.name
MAIL FROM: Me <me@mymail.com>
RCPT TO: My Friend <my.friend@hermail.com>
DATA
Subject: My cool email
 
I sent this email with telnet!
.
QUIT

Cool, huh? A few notes:

  • The server you are connecting to should respond politely to the different commands. If it’s rude (i.e., gives you an error or disconnects, sometimes with an actual rude reply), you’ve either screwed up something or maybe it’s configured not to accept mail from any schmuck with telnet.
  • The HELO domain name is supposed to be your real domain name, but if you don’t know it try making something up. SMTP allows you to lie!
  • The MAIL FROM email address is supposed to be your real email address. But you can lie about this, too.
  • The RCPT TO address has to be real if you want the mail to be delivered somewhere. Helpful hint: start by using your own email address here.
  • You could just type the email address into the from/to fields, but this way you can add real names.
  • You can have multiple RCPT TO lines.
  • Once you type DATA and hit enter, this is the actual email. Use as many lines as you like, but to end it you must type a period (.) on its own line.
  • The Subject: line is an email header. This isn’t required, but this is how you would get a subject to show up on the recipient’s end. Any valid headers can be added here.
  • There should be an empty line between the headers and the message body.
  • The SMTP protocol is defined in RFC 5321. Message format is defined by RFC 822.
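As an added example (my own code, not from the post), here is the same session driven from Java instead of typed into telnet, with the server’s side of the conversation shown too: every reply code is read and checked before the next command goes out, so a "rude" 4xx or 5xx reply stops the session instead of being scrolled past. It uses the bare MAIL FROM:<addr> and RCPT TO:<addr> forms from RFC 5321 and puts the real names in From: and To: headers, and it dot-stuffs the body so a line that starts with a period does not end the DATA phase early. The host name, domain and addresses are the placeholders from the post.

```java
// Added example: the telnet session from the post, driven from Java with reply-code checks.
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

public class TelnetStyleSmtp {

    private final BufferedReader in;
    private final PrintWriter out;

    TelnetStyleSmtp(Socket socket) throws IOException {
        in = new BufferedReader(new InputStreamReader(socket.getInputStream(), StandardCharsets.US_ASCII));
        out = new PrintWriter(new OutputStreamWriter(socket.getOutputStream(), StandardCharsets.US_ASCII));
    }

    /** Reads one (possibly multi-line) SMTP reply and returns its three-digit code. */
    int readReply() throws IOException {
        String line;
        do {
            line = in.readLine();
            if (line == null || line.length() < 3) {
                throw new IOException("connection closed or malformed reply");
            }
            System.out.println("S: " + line);
        } while (line.length() > 3 && line.charAt(3) == '-'); // "250-..." continues, "250 ..." ends
        return Integer.parseInt(line.substring(0, 3));
    }

    /** Sends one command line and fails loudly on a 4xx/5xx reply. */
    int command(String cmd) throws IOException {
        System.out.println("C: " + cmd);
        out.print(cmd + "\r\n");          // SMTP lines end with CRLF
        out.flush();
        int code = readReply();
        if (code >= 400) {
            throw new IOException("server refused '" + cmd + "' with " + code);
        }
        return code;
    }

    /** Dot-stuffs the message: a body line starting with "." gets an extra "." prefixed. */
    static String dotStuff(String message) {
        StringBuilder sb = new StringBuilder();
        for (String line : message.split("\r?\n", -1)) {
            if (line.startsWith(".")) {
                sb.append('.');
            }
            sb.append(line).append("\r\n");
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        try (Socket socket = new Socket("my.mail.server", 25)) {   // placeholder host from the post
            TelnetStyleSmtp s = new TelnetStyleSmtp(socket);
            s.readReply();                                          // 220 greeting
            s.command("HELO my.domain.name");
            s.command("MAIL FROM:<me@mymail.com>");
            s.command("RCPT TO:<my.friend@hermail.com>");
            int code = s.command("DATA");
            if (code != 354) {
                throw new IOException("expected 354 after DATA, got " + code);
            }
            String message = "From: Me <me@mymail.com>\r\n"
                           + "To: My Friend <my.friend@hermail.com>\r\n"
                           + "Subject: My cool email\r\n"
                           + "\r\n"                                 // blank line ends the headers
                           + "I sent this email with telnet!\r\n"
                           + ".This line starts with a dot but must not end the message";
            s.out.print(dotStuff(message));
            s.command(".");                                         // end of DATA, expect 250
            s.command("QUIT");                                      // expect 221
        }
    }
}
```

Run it against a server you control, as the post suggests, with your own address in RCPT TO; the C:/S: lines it prints are the same exchange you would see in the telnet session.
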

Redecorating — May 26, 2013

My New Toy — July 4, 2011

My New Toy

So I got a new toy last week from woot.com. If you’re not familiar with Woot, they offer a different deal every day, and only for that day. Now this can be dangerous if you’re a big impulse shopper. It’s also not for those who always know exactly what they want, since you never know what the deal is going to be. But if something comes up that happens to be something you’ve been thinking about getting, it’s probably the best deal you’re likely to find.

So. On Wednesday, I just happened to hear about that day’s Woot deal – an enTourage Pocket Edge DualBook for $119.99. These are going on Amazon for $198.99 or $189.95, depending on whether you want black or red. (Both are from third-party sellers, but the prices seem consistent with what you can find elsewhere.)

I’d heard about these before, and I always thought it was a pretty clever idea. It opens like a book, and one side has an e-ink screen, with an LCD screen on the other side. You would typically use the e-ink side to read books (EPUB and PDF) and the LCD side to do typical tablet functions. I had some fun money saved up, and at that price it seemed like a pretty good deal for a tablet, even just to play with. I also should be able to use the reader to read ADE ebooks, like those from the library. You can also send a web page over to the e-ink screen, which seems like it would be great for reading long articles and such. It always seemed to me that this would be perfect for students – you could have your textbook open on one screen while using the web on the other. Now I don’t use e-texts myself, and don’t plan to, but I still may be able to use it effectively for research. We’ll see how that works out.

Before I go any further, I should probably tell you that enTourage, the company that makes these, has closed the store. The website still has a support page consisting of the device manuals and a few FAQs, but, for all practical purposes, there is no support for this device. If that bothers you, definitely do not spend almost $200 for one of these. But if you’re like me and are OK with getting support from Internet forums and the like, there may be more great deals to come as resellers burn off their existing stock. There is a good community of support at mobileread.com, including a port of the official enTourage forum (which is now gone).

I’ve been playing with it a bit and getting to know its features and navigation. It runs Android (an old version, Donut, I think, but I should be able to update it at least to Froyo), and although it doesn’t have the official Android app store, it will run some apps. I hear the Amazon app store works nicely with it. Since I have had an Android phone for a while, it hasn’t been too difficult to pick up the interface. It has wifi, so I can use the Internet as long as I’m at home. It also has a camera, cleverly placed above the e-ink screen, so you can take a picture of yourself as a front-facing camera, or fold the screen back to take a picture like a rear-facing camera. There is bluetooth, although I haven’t yet determined whether this can be used for data transfer, or only for accessories, like an earpiece. There used to be a bookstore associated with enTourage, but now they are pointing people to Google Books for content. I haven’t tried Google Books out yet (and not likely to do any serious reading with it for a while, since I just started An Echo in the Bone on my Kindle), but I do want to try to get a free classic or other cheapie soon to see how it works.

Bottom line, this device isn’t going to replace either my Kindle or my netbook any time soon. It is much heavier than the Kindle, especially the new one, and no way I’m abandoning the hundreds of Kindle books I’ve already purchased. On the other hand, it is quite a bit lighter than my netbook (an ASUS Eee PC that is a couple of years old). I’m not willing to give up the productivity of a real keyboard, though, at least not until I’m done with school, although I may feel differently after. I think it will make a fun little Internet device, though, especially for using in bed when the phone just isn’t big enough. I’m also excited by the thought of reading library books on an e-ink screen (even though I have a ton of unread books on my Kindle, and will not have a lot of extra reading time once school starts, and Kindle-compatible library loans are supposed to be available by the end of the year). I’m also hoping that I can put some of the freebies I’ve picked up at the Sony store on it, and there are always the free classics.

So does anybody out there have one? I’d love to hear what you think about it and what you’re using it for!

Hello world! — June 20, 2011

Hello world!

Hi! This is my new blog about my adventures with computers. I’ll be exploring whatever tickles my fancy as I work, study, and play with computers.

In some ways, I am a professional. I make my living as a software engineer. I have a bachelor’s in electrical and computer engineering, and I am working on my master’s in security engineering.

In other ways, I feel pretty average. My programming language repertoire is a little thin. I’ve been working on a single project for most of my career; although it has evolved quite a bit, and I’ve learned a lot from working on it, I can’t help feeling that I don’t know much about the rest of the world.

My goal is to learn new things and share them with you, but also have fun!