Thursday, September 18, 2008

Password twilight: bad from Gmail, not so bad from OpenID.

Bad news, then not-so-bad news, in the twilight of the password.

From Google, another scary installment in their online safety series:
When it comes to Gmail specifically, there are a couple of things that might cause account-related interruptions in access: a lost or forgotten password, unusual activity that triggers the safety measures designed to keep accounts from being compromised, or, in the worst case, someone has stolen your login info and changed it...

... we don't ask for much personal information when you sign up for Gmail, which can sometimes make it difficult to prove ownership of an account and trigger the recovery process.

Still, there are some simple steps you can take to ensure that your account stays in your hands, and to greatly improve the chances of regaining access if you have any problems...
  • Always keep the verification number you get when you sign up for Gmail. When you sign up for Gmail, we'll ask you for a secondary email address and then email a verification number to that account. This number is the best way to prove ownership of your account, so be sure to hang on to it.
  • If you aren't able to access your account, try resetting your password. As mentioned above, most of the support requests we get turn out to be lost or forgotten passwords, rather than something more serious. Resetting your password usually gets the job done.
  • If resetting your password doesn't work, try our account-recovery process. We recently launched an account-recovery form in our help center that can drastically reduce the amount of time it takes to verify ownership of an account and restore access. If you have the information necessary to prove ownership -- such as the verification code for the account -- this new process can help our support team restore access within a matter of hours.
The $%!%!#$% verification code for my Gmail account?!! The account I opened the month they launched? Did they even do verification codes back then? What's the chance I could find that now? At least I know it's not in my Gmail respository?

And, of course we know about Google's brilliant mafia-funded password reset approach.

I was on the verge of having nightmares about losing control of my Google account, but their "reassuring" message is giving me night terrors instead.

On the bright side, there's optional two factor identification for my myOpenID account.
About CallVerifID

... CallVerifID™ provides the most convenient and cost-effective strong security measure available for OpenID users. An individual can enable CallVerifID™ within seconds to add an additional authentication factor.

* Easy two-factor authentication for myOpenID
* Instantly receive a call when signing into myOpenID. Simply answer and press # to authenticate.
* No extra phone capabilities or text messages. Use any phone.
The basics of OpenID are pretty simple. From a user perspective it's like the old Microsoft Hailstorm/Passport scheme -- a single un/pw sign-on. So when I use my OpenID to sign on to a web service, I'm redirected to enter my password into the myOpenID site then return to my true destination. I can stay authenticated with myOpenID provider, then I don't have to keep entering my password as I move from site to site.

The big difference from Hailstorm/Passport is it's not controlled by Microsoft, Apple, Amazon, IBM or your cellphone company. All kinds of places can, and do, offer OpenID services -- including my many Blogger blogs.

Of course these services are only as good as the associated security, and Google hasn't been wining any prizes for their security measures.

Even MyOpenID is vulnerable, like anyone else, to password theft. It's a "one factor identification" service -- a "what I know" factor. If I add CallVerifID though it's a "two factor" service -- "what I know" and "what I have". A thief would have to steal both.

So what happens if I lose my phone?

Well, that's kind of where the good news ends:
What happens if I lose my phone?

An alternate number can be set up by calling the support staff, once your identity is strongly established.

What happens if I lose cell phone coverage in a certain area?

Call the support staff from any phone to request a one time bypass. Once your identity is strongly established, they can allow you to authenticate one time without receiving a PhoneFactor call. They can also change your account to point to an alternate phone number, such as a land line.

Ooookkkkaaayy. What do they mean by "strongly established"? There's no detail on what that is, it sure sounds vulnerable to social engineering.

Still, it's a measure of progress.

What I think I need is some combination of two factor identification and a digital certificate stored on secured machines. Then if I lose the phone I could at least fix things from a secure machine with a digital certificate (eg. home computer, not a laptop) stored on an encrypted disk image.

I think it might be possible to do that with MyOpenID; I'm going to give it a try. The combination of digital cert access from secured machines with two factor phone id when in other locations is interesting. I do want to be able to secure the cert on an encrypted disk image, I'll have to research how to do that, I'd prefer not to encrypt my entire user account directory (the default OS X approach). The cert can be revoked, so if I knew the machine had been stolen I could revoke the cert. [ps. The digital cert is browser specific, not user account specific. So if you use more than one browser you need a cert for each one on the user account.]

Now if only Google would enroll itself in a remedial security training program. At least they could use some loose change to pay Schneier for a consultation ...

PS. It looks like I can create MyOpenIDs for my domains, such as faughnan.com or faughnanlagace.com. That could help with securing Emily and the children's accounts.

Update: Too bad! myOpenID missed the brass ring.

If you active the two factor identification, you still need the cell phone call even when signing in with the digital certificate. So there's no good fallback if you lose cell phone access. Arghh!! They should have had two different two factor identification schemes:
  • password + digital cert (secure browser)
  • password + phone ID
Then if you lose the phone, you could go to the secure machine and get access.

Oh well, maybe they'll read this blog and fix it.

Update 3/8/09: Sign. OpenID.com never did get a clue. BTW, more the horror of losing Gmail account access.

iPhone - layers of integrated functionality

It's easy to make a list of what my iPhone can't do. No cut, copy paste -- which I miss all the time. No cross-application search (I can imagine why not, but I sure miss it). No tethering - yet. No standard sync infrastructure, so every vendor has to roll their own.

I'll omit "no tasks, no notes sync" because I love Appigo's solutions and they wouldn't exist if Apple had done these things.

What gets missed is how much deep and integrated functionality there is ...
Gordon's Tech: iPhone notes you won't read elsewhere

... The silver on/off button has context dependent behavior. In standard mode it locks the phone and turns off the display. When a call comes in one push silences the ring, two sends it directly to voice mail. When you're on a call, one push locks the phone, preventing errant touches from messing up your call. (I lost a lot of calls until I learned this.)

... When you search for a business on the Map and select a pin, you get a pop-up with an arrow. Touch the arrow to see the contact. What's not obvious at that point is that if you scroll down, you can add this to your address book (you cannot, however, specify to which group). I do this all the time. The form of contact that's created is very complete, including a map link.
And, of course, there's the App Store, which gets more amazing every day.

It's the deep integration though that really impresses me. Very elegant, very, I must admit, Apple.

Update: Oops. Looks like a minor iPhone glitch led me to think pushing the wake/sleep button when on a call would lock the screen. In truth it's supposed to disconnect the call. I do wish there was a way to lock the screen during calls. I switch to another app to avoid pressing keys that will interrupt the call.

Wednesday, September 17, 2008

Clarifi iPhone case - must buy now ... cannot resist ...

This is just painfully brilliant ...
Griffin Technology: Clarifi

... Slide the Clarifi lens into place over the built-in lens of your iPhone.... ... With Clarifi's lens, your iPhone can image an entire business card with astounding clarity.... you can move in to 4 inches for crisp detail and great pictures.

And, of course, Clarifi is also a super-protective case, constructed of durable polycarbonate, with cutaways for access to power switch, headphone jack, volume controls, and dock connector. For use with Apple Universal Dock wells, Clarifi features Griffin's trademark EasyDock™ design: the bottom third of the case slides down and off to fit in standard dock wells.

I cannot resist. It's not on sale yet, but now I'm glad I haven't found a case I really like.

Evernote will do offline OCR of scanned and uploaded images. I assume they do something special for business cards especially if you pay for their enhanced service. I assume an OCR app for the iPhone is on the way ...

The Devil's Due: Qwest has been good

I've had a few nasty things to say about Sprint and AT&T.

So I was surprised when I recently realized that I've gotten quite good service from Qwest. It's been a year since I switched ISPs ...
Gordon's Tech: I switch to Qwest DSL Platinum

... The tech person was, again, very good. She promptly gave me my Qwest un/pw and, for what it's worth, my MSN un/pw (guess I need a mail forwarder there [1]).

So far it's been fine. I'll update with this post as I learn how well it works, and, most of all, learn how much it will really cost....
My DSL works, speed seems adequate, I pay my bills. Qwest doesn't even spy on me. They don't even spam me.

Weird.

Tuesday, September 16, 2008

Simple iPhone web app directory

iPhone Web Apps. A very simple list that renders well on the iPhone, from pure-mac.com. I had no idea Amazon had a web app interface.

Air Sharing: turn your iPhone into a file and web server

I have my copy:
Avatron Software: "Air Sharing's regular price is US$6.99. But don't miss this special introductory offer: For the first two weeks, Avatron Software will be giving Air Sharing away for FREE!"
So now my iPhone is a file server and and a web server. If you knew my IP address I suppose I could run my old web site off it.

Comes with a file viewer which did a fine job rendering a word doc.

This is a bit insane. Today I bought an HP41C emulator, got Air Sharing for free, and got a free upgrade to Apple's Remote app.

Ever since I found a fix for the "unknown error" on update bug the App Store has been my candy store. I'm already forgetting the suffering of switching from Palm to the iPhone...

The iPhone HP 41C emulator (i41CX) - because sometimes madness must be honored

An obsessed madman has created a full emulation of a legendary scientific calculator ...
i41CX

Advanced programmable and expandable RPN scientific calculator with virtual thermal printer/plotter suitable for a wide variety of scientific, engineering, mathematical, financial, and academic applications.

  • RPN logic with 4 element stack
  • Powerful rich set of numeric and mathematical functions
  • Time, calendar, alarm, and stopwatch functions
  • 12 character display with alphanumeric capability
  • User definable keyboard with support for overlays
  • Expandability: four module ports provide access to additional functions (e.g. matrix operations, programmer functions, equation solvers, etc.) beyond the standard built-in functions
  • Ability to download module files from the internet
  • Program features: automatic line numbering, labels, branching, subroutines, interactive alphanumeric input/output, loop operations, indirect addressing, flag operations, and synthetic operations...
Note the word "HP" does not appear anywhere on this page or on the screens. It's just an "scientific calculator". Nudge-nudge.

It cost me $8 to buy this. I might use the timer, and I might use the calculator every few weeks.

I bought it because sometimes glorious madness must be honored.

Update 12/23/09: There's a comprehensive (of course) FAQ on the AL Software site and a mini-manual. The original HP 41C manual is probably a bit hard to come buy, but, inevitably, another wonderfully insane geek has an online version and the i41CX manual points to PDF scans of the original manuals (252 pages!). Yes, and there's anHP41.org domain.

The only mystery remaining is who wrote this incredible application. The answer can be found on the HP-41 archive website emulation page. (Or you could just look at the author credits on the "mini manual").

I must add that I've recently scanned the "mini-manual" and "staggering" comes to mind. For example:
... Need to solve first- or second-order differential equations? Need to perform complex number operations and functions? Need to perform vector operations? Coordinate transformations? Number conversions and Boolean logic? Curve fitting? Solve time value of money problems? These are essentially the problems for which the HP-15C and HP-16C were developed. The Advantage Pac provides these capabilities to the HP-41CX. Thus, by loading the Advantage Pac and creating the appropriate key assignments, you can turn the i41CX+ into a virtual HP-15C or HP-16C!...
Oookaay. And let's not mention the GPS tools.