Friday, August 08, 2008

How to steal my Google account

My old friend Brendan would know the answer to this Google password change security question:

Yes, to steal my Google account, my primary digital identity, all you need to know is my first phone number.

It's ok to sob quietly now. I understand.

I'm 187 years old, so not that many people know my first phone number any more. Only hackers who've broken into other security systems that ask the same question, and about a dozen other people. For anyone under 25 though, this isn't that hard to learn.

Ok, so I'm not a complete idiot. The answer I stored in Google for that question is a 200-character hex string taken from GRC secure passwords. So you really would be better off stealing my primary password.

Google, on the other hand, is behaving like a complete idiot. Why is this?

That's the interesting question. It leads to some noteworthy conclusions ...
  1. Passwords are a complete fail. Schneier has been saying this for years. We are now into the realm of madness. We need multi-factor authentication devices that handle our secondary authentication for us. Yeah, it's not perfect, but, really, this is s#$!@# insane.
  2. We live in the age of the tyranny of the mean. Even the vast majority of geeks aren't going to figure out how to sync 1Password with an iPhone. Regular folks are going to use one password everywhere and then forget it. Google, like everyone else with these asinine security questions, is bowing to the reality that humans didn't evolve to live in a digital world. We're maxing out right now.

Thursday, August 07, 2008

My iPhone cracks. Of course. And a new restore glitch.

When I quoted TUAW's coverage of the 3G iPhone plastic crack problem last week, I heard the bells tolling ...

Gordon's Tech: Check your 3G iPhone for cracks
... Cracks 'appearing' in new iPhone 3Gs - The Unofficial Apple Weblog (TUAW)
...The problem is not the plastic, but that the metal frame is too small for the plastic to lock on without causing the stress fractures.' It's pretty clear Apple has a manufacturing defect on its hands.
For those with cracks, taking it back to the Apple Store (or possibly the mobile phone retailer where you made your original purchase) is your only recourse. Several people have noted here and elsewhere that they've successfully had their handset replaced after a careful inspection....
I knew this would happen to me. Apple hates me.

Two thin cracks appeared today next to the volume control and the vibrate toggle switches. No trauma of course, so pretty much what others have seen.

I was near the Apple store getting my son his well earned summer Lego prize, so I figured I'd give 'em a try. A keen young floor staffer was ready to swap the phone on the spot, but since I'd bought it at AT&T I had to go through the "Genius Bar". That took a long time; the Mall of America store was very busy. I saw quite a few new iPhones going out the door.

Ben probably got an hour of computer game time in -- about twice what he's usually allowed. He was a happy camper.

The "Genius" was less keen on a swap, and seemed to be half-heartedly looking for a way out. Or maybe he was just tired and unsure of the procedure for an AT&T phone. Eventually they made the swap for another white phone -- you can't change colors.

I got the distinct impression that Apple has not yet defined a process for the cracks, that each store has to set its own policy.

This is what I learned about the swap process:
  1. You should wipe your phone beforehand. I am kicking myself that I didn't do this -- it could have been done in the store. Of course the "Genius" might have mentioned this too, but I think we were both tired. I changed my primary Google password last night.
  2. You need to clear any lock password.
  3. They want the receipt (of course) and all accessories, box, etc. In the end, though, only the phone was swapped.
  4. They tried to register the phone, but due to technical problems I didn't have my Apple ID available. This turned out to be unnecessary; with iPhone 2.0 a simple SIM swap activates a new phone.

So now we see if the problem recurs. Rumor has it that Apple knows what went wrong, and that only white 3G phones in a specific serial number range are affected.

Once I got home the restore process was a bit ugly. The standard restore wouldn't work because the phone had OS 2.0, and the restore wanted 2.01. I had to:
  1. Set up as a new phone. First I disabled syncing, as it was trying to sync all the apps.
  2. Once it was on 2.01 I clicked the "Restore" button to set it back to factory status (wipe the name I gave it). This took a VERY long time and it included firmware restore.
  3. Then I let it mount again. This time I was able to go through the expected "Set Up Your iPhone" procedure, including the option to restore from backup.
  4. Then it said it was restoring the phone's settings, and the phone reset again.
  5. Once again I came to the "Set Up Your iPhone" screen; this time it said that an iPhone had previously been synced. I had the option of restoring from "iPhone" (created at step 3) or from my prior backup. When I selected my prior backup I got the "restoring iPhone from backup" dialog.
  6. After a longer delay the iPhone displayed a ghostly numeric keypad with the message "voice mail password incorrect ... enter voice mail password". I also had to re-enter our WiFi password, my email password, etc. Reassuringly, the backup doesn't store the passwords.
  7. Then it was done.
Update: Or not.

After I restored I started trying to use the phone. None of my installed apps worked except Google Mobile. I think my dictionary settings have been lost too. Looks like the iPhone restore was a total fail.

I'm now going through another install. Time to backup my desktop calendar and address book!

Update:

Ok, I finally got the restore to work. Here's what I did:
  1. Let it register as a new phone. Now I stopped getting the "Set Up Your iPhone" screens. I think they're buggy.
  2. After my "temp" phone mounted, I right clicked and chose "restore from backup" from the iPhone context menu.
  3. That restore worked. I did have to re-enter my AT&T voice mail PIN and all stored passwords. I also had to redo all sync from iTunes.

Update 10/21/09: About 10 months later the replacement iPhone developed a 1 cm crack in the top right back corner. No other cracks. This could easily have been traumatic. The phone seems fine otherwise.

Laptop short of space? Remember NTFS compression.

I’d forgotten about NTFS compression. This thorough review, Thrilling tales of NTFS compression, reminded me that it’s a reliable tool in a few circumstances (quotes are from the Dan's Data link):

  • Laptop short of space: “Program Files contains a lot of stuff that's read moderately often but not written to very much, which is a good access profile for compression to have no perceptible speed impact at all, after the half-hour or whatever you'll be waiting for everything in a typical large-ish Program Files, on a laptop with a slow-ish CPU, to be compressed…

    … You can't expect a terribly large amount of compression from this, but when I tried it, I turned a 35.4Gb Program Files into a 27.6Gb one - 78% of its previous size, and a perfectly worthwhile 7.8Gb saved…”
  • Microsoft Access databases (however this may impact I/O slightly). These compress extremely well.
  • Windows BMPs – though almost no-one would keep these around outside of (gasp) screen shots pasted into PowerPoint.

Practically speaking, I think NTFS compression is most useful if you have to carry around a lot of large Microsoft Access databases on a laptop (consider enabling compression on just that directory) or if you need to free up a few GBs on any laptop.

NTFS compression is not compatible with NTFS encryption (which most people will want to avoid anyway; see the linked DD article). I don’t know if it’s compatible with the other whole-disk encryption schemes corporations apply to hard drives these days.

I think the closest OS X equivalent would be the 10.5 expandable sparse images.

Dan's Data recommends a USB enclosure

Allegedly, it spins down: Cheap USB box du jour :: August :: 2008. Only available in Australia, but he gives advice on the chipset.

Good links to other DD notes on enclosures.

It's very hard to find good recommendations on these things.

Tuesday, August 05, 2008

iPhone synchronization is a flaming mess

1Password has yet another approach to iPhone synchronization. Problem is, it didn't work for me:
Gordon's Tech: Palm to iPhone: JFile to 1Password

.... After all of the following, I'm unable to get the sync to desktop working under 10.4.11..
1Password tries to sync with the desktop app. OmniFocus tries to work through an absurd WebDAV service. Missing Sync for iPhone is the only product I've seen to date that syncs anything through the cable.

This is *%$& ridiculous. All of these kludgy synchronization methods are only creating security holes and stability issues. Not to mention screwing up my evenings!

Apple needs to give developers a standard, reliable, synchronization framework. I've worried about the apparent absence of API synchronization support for desktop apps for months; I'm not happy to discover I was right to worry.

Palm to iPhone: JFile to 1Password

For at least 14 years I've kept my URL base and password data in FileMaker Pro for PC and Mac. I periodically exported the data to my Palm, using an old database app with support for encryption (JFile).

It worked, so I haven't touched it for years. Now it's one more thing I have to transition from my Palm to the iPhone.

I was hoping that FileMaker would resurrect FileMaker Mobile for the iPhone, and add encryption. That would be perfect. Alas, I don't see it.

So I'm looking at dedicated password storage apps like the list on the left, including 1Password, eWallet, SplashID, etc.

My criteria, other than an established user base and a good reputation, are:
  1. It has to work on the iPhone (native app).
  2. It has to sync with my iMac.
  3. It has to be able to import tab-delimited data exported from my FileMaker database.
  4. It has to have good export options.
  5. There has to be a good demo app I can test.
1Password seems to meet the criteria, and it has plug-ins for Firefox and Safari. I write "seems" because the web site says nothing about the limitations of the downloaded version. If I run into limitations that make it hard to test then I'll put 1Password down at the bottom of my list.

The above screenshot shows it can import in many formats. More importantly, it can also export as tab delimited and as 1Password Interchange File.

So how do I import data from my FMPro database? The 1Password documentation is pretty terse:
1Password User Guide

... In addition to the above formats, 1Password has a Generic Importer that can import any Comma or Tab Separated Values. To use this, specify Generic Text as the Import Format.

The Generic Text importer will allow you to specify which columns in your CSV file should be used for each 1Password field...

Problem is, I need to know what all the possible import choices are, so I can create an export from FileMaker Pro for further testing.

I created an entry in 1Password, then exported it as tab delimited. I found the following list of fields; the ones I can provide from my database are bolded:

  • title
  • notes
  • htmlName
  • htmlID
  • htmlAction
  • htmlMethod
  • passwordHistory
  • username
  • password
  • URL/Location
My FM database has a much richer organizational scheme than 1Password can support, including two types of classification, tags/keywords, extensive notes, those insane "secret questions", search across all fields, and more. It's also shareable with Emily in a way that 1Password is not.

So I'm not sure I'll give up on the FM database, but it looks like I can, for the moment, export it to 1Password so it's available on my iPhone.

At $35 1Password isn't cheap, but if it passes my import test I may go for it.

Update: It took over an hour to import 1400 rows, so it's pretty darned slow. That's not a big deal though; searching them is quite fast. Turns out these are the available columns on import:
  1. Title
  2. Username
  3. Password
  4. URL
  5. Folder
  6. Notes 1, Notes 2, Notes 3, Notes 4, Notes 5
As best I can tell, columns titled "Notes" 1-5 are concatenated into the 1Password Note field. I used Notes 1 for my description field and Notes 2 for a calculation field that concatenated several FM fields.

Search runs against Title and Notes, so this concatenation works for my purposes.

One major limitation is that you can import into Web Form and Secure Note, but you cannot import "Wallet items". You can export Wallet items however. The inability to import a wallet item is very annoying, though I can see why that is a harder task for the developer. Wallet items use a different data model for each type of item, so a tab import is less likely to work. I will probably use "Secure Note" for another JFile database that holds that type of information.
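As an added example (not code from this post or from 1Password), here is how the FileMaker-to-1Password mapping described above can be scripted: a FileMaker tab-delimited export is rewritten into the Generic Text importer's columns, with the description going to Notes 1 and the FM fields 1Password has no column for concatenated into Notes 2 so they stay searchable. The FileMaker column names and the sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample FileMaker Pro tab-delimited export (not real data).
FM_EXPORT = (
    "Name\tLogin\tPass\tSite\tCategory\tKeywords\tDescription\tSecretQ\n"
    "Bank\tjoe\thunter2\thttps://bank.example\tFinance\tmoney,bills\tMain account\tpet: Rex\n"
    "Forum\tjoe99\tp@ss\thttps://forum.example\tWeb\tchat\t\t\n"
)

# Import columns accepted by 1Password's Generic Text importer, as listed in
# the post (Notes 1-5 are concatenated into the Note field; we use two).
ONEPW_COLUMNS = ["Title", "Username", "Password", "URL", "Folder",
                 "Notes 1", "Notes 2"]

# FM fields with no 1Password column of their own; folded into Notes 2
# because search runs against Title and Notes.
EXTRA_FIELDS = ("Category", "Keywords", "SecretQ")


def fm_to_1password(fm_tsv: str) -> str:
    """Rewrite a FileMaker tab-delimited export as a 1Password generic import file."""
    reader = csv.DictReader(io.StringIO(fm_tsv), delimiter="\t")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=ONEPW_COLUMNS, delimiter="\t",
                            lineterminator="\n")
    writer.writeheader()
    for row in reader:
        # Mimic the FM calculation field: "label: value" pairs, empties skipped.
        extras = [f"{k}: {row[k]}" for k in EXTRA_FIELDS if row.get(k)]
        writer.writerow({
            "Title": row["Name"],
            "Username": row["Login"],
            "Password": row["Pass"],
            "URL": row["Site"],
            "Folder": row["Category"],
            "Notes 1": row["Description"],
            "Notes 2": " | ".join(extras),
        })
    return out.getvalue()


def parse_1password_tsv(tsv: str) -> list:
    """Read the generated import file back as a list of row dicts (for checking)."""
    return list(csv.DictReader(io.StringIO(tsv), delimiter="\t"))


if __name__ == "__main__":
    print(fm_to_1password(FM_EXPORT))
```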

Update 8/7/08: After the above, things got messy. I couldn't get the sync to work at all. 1Password technical support pointed me to firewall instructions, and explained something that really should be documented on the web site:
... 1Password is fully functional for 30 days, with no limitations. After this time, should you wish to continue using it for free, you will need to store fewer than 20 items...
This is a great demo policy, it just needs to be documented. There are other things that could use some documentation. It turns out there are firewall changes to make, but that's only documented in a support forum thread:
Firewalls can prevent the iPhone/iPod touch and Mac applications from connecting to one another. Please check if you have firewall turned on (System Preferences > Security on Leopard). Details for Leopard. Tiger is quite a bit different: Details for Tiger
I turned off my 10.4 firewall and was able to sync. I'll try it later with the firewall enabled and the port they recommend set up.

Update 8/14/08: I think 1Password uses the OS X Keychain. That has some nice features, but it is unbelievably slow to delete large numbers of items or add large numbers from an import. Slow, as in seconds per transaction! It feels like AppleScript speed.

Update 9/2/08: Unbelievable. I went to buy 1Password, and I learned it uses a "license token". I hate those, because they're a pain to backup and manage. I want a registration code. I'm going to contact support, but this is a real stinker of a deal killer.

Update 9/4/08: About the same time as I wrote my 9/2 post, 1Password relented. The current version supports entering a text un/registration number that they provide via email. I found out because I let them know why I wasn't going to buy 1Password, and they quickly responded that I wasn't the only person who was unhappy with the encrypted token approach -- and they were now providing both options. So I bought it.

Update 7/15/09: I still use 1Password. It's been through several updates, sometimes with new bugs. I've also discovered it uses an Input Manager -- something I really try to avoid because of all the associated bugs and complications. I'd recommend an application that didn't use an Input Manager, though I'll stick with 1Password for now.

Palm to iPhone migration: import into iCal

If I decide to migrate my legacy Palm/Outlook calendar data to iCal, this is a handy reference: macosxhints.com - Import .csv and other text files to iCal. The comments suggest other options.

For now I simply ended my Outlook calendar and started using the iPhone calendar. That was the least trouble for the moment.

Update 8/16/08: Much later I realized I could have used Missing Sync for Palm OS to sync my Palm to iCal. I have a license from eons ago, when we used to sync my wife's SONY PalmOS device to the iMac. I may still do that to get legacy data into the calendar, but really I'm better off archiving that data.

Update 10/2/2009: Another method.