
The habits of practically unhackable people - lobo_tuerto
https://digitalsecurity.intel.com/5habits/
======
groby_b
Wow. Looks trustworthy. "SHARE TO WIN", uses RC4 certificates, AddTrust CA, JS
links, tracking cookies galore, no CSP...

Yeah, _definitely_ the people I want to talk to about security.

~~~
Yver
I thought the "Share for a chance to win*" button was a demo illustrating the
kind of button not to click.

~~~
groby_b
I'm not sure. I sure as heck wasn't going to click without spinning up a VM :)

------
sanqui
I honestly thought all those "Share for a chance to win*" buttons were going
to scold you for clicking on them, but they're actually serious...

------
danans
_#2:Use HTTPS where it matters._

In Chrome "https" is red and struck out: digitalsecurity.intel.com Identity
not verified

~~~
yk
Firefox nigthly just refuses to connect. The reason is, that the site only
accepts a RC4 cypher.

    
    
        $sslscan digitalsecurity.intel.com|grep -i acc
        Accepted  TLSv1  128 bits  RC4-SHA

~~~
krylon
If irony were made of strawberries, we'd be drinking a whole lot of smoothies
right about now...

~~~
AlyssaRowan
Make that cheesecake and I'm in.

No-one who runs a server which only accepts RC4 (!!) with no forward security,
and SHA1 signatures, in _2015_ , should be _giving_ security advice.

My daily driver browser has RC4 entirely disabled. This is one of the more
amusing won't-connect sites I've found.

------
java-man
Unable to Connect Securely

Firefox cannot guarantee the safety of your data on digitalsecurity.intel.com
because it uses SSLv3, a broken security protocol. Advanced info:
ssl_error_no_cypher_overlap

For some reason, many sites, including amazon recommendations, fail to support
256 bit ciphers. I don't understand why.

~~~
JshWright
> For some reason, many sites, including amazon recommendations, fail to
> support 256 bit ciphers. I don't understand why.

I assume you mean AES-256 vs AES-128. If a site is preferring AES-128 ciphers
(particularly in combination with other modern cipher suite choices (ECHDE,
SHA2, etc)) that's actually a pretty good indication they know what they are
doing.

AES-256 offers no practical advantage over AES-128. There are no known
practical attacks against AES-128, and stretching the key to 256 bits just
wastes CPU cycles.

In fact, most of the attacks out there that weaken AES to any meaningful
degree are those that attack the key schedule used in the 192 and 256 bit
versions.

tl;dr; Save the planet. Use AES-128.

------
Zikes
It doesn't seem to matter much what I do when every company I interact with
gets hacked.

I had to replace my debit card this week because somebody halfway across the
country tried to use it to buy $400 in gas. They probably bought it from one
of the usual black markets, who acquired it from Lowe's, or Jimmy John's, or
Sony, or god knows who else got hacked this week.

------
chatmasta
Is this part of an Intel content marketing campaign to promote awareness of
how difficult operational security is for the layman? Perhaps in anticipation
of their new security suite and attempt to "eliminate the password?"

Very nice if so!

------
nullc
Firefox nightly / built from development source refuses to connect to this
site because it fails the (experimental) stronger SSL/cert requirements. (The
site forces RC4)

On the habits of practically unhackable people indeed.

------
TTPrograms
I sort of thought that https was sufficient for most things on unsecured
connections, so a VPN wouldn't be necessary to prevent things like password
sniffing. Or is that wrong?

~~~
teamhappy
At home TLS is fine. If you're connected to a public wifi using a VPN on top
of that is a good idea because you only have to trust one VPN provider (or
your own server) instead of every hotel chain, coffeeshop, etc.

> sufficient for most things on unsecured connections

WPA2 + good TLS encryption (i.e., good cyphers) should be.

~~~
stu_k
Speaking of which, can anyone recommend a good VPN provider?

~~~
TheOtherHobbes
TorrentFreak has a regular round-up of VPNs:

[http://torrentfreak.com/which-vpn-services-take-your-
anonymi...](http://torrentfreak.com/which-vpn-services-take-your-anonymity-
seriously-2014-edition-140315/)

The comments are probably as useful as the main content.

Personally I use AirVPN. They're not expensive, the client is open source, and
performance seems good enough for casual use.

I'm not sure I'd trust any of the usual VPNs if I needed Snowden-level
security. But I don't, so casual use is fine.

------
djfm
Is there any advantage in using a password manager over authenticating with
e.g. your google account through OpenID?

I usually use my google account to login to websites I care about (most
sensitive websites I know provide this facility) and moderately strong but
easy to remember passwords for non-critical websites that don't provide OpenID
(e.g. a forum I never consult).

Of course I have 2FA on the google account and I feel rather safe.

Should I be worried?

~~~
mikekchar
I'm very sleepy today, so I'm going to try not to say anything stupid. If I
do, I hope someone will correct me ;-)

The basic overview of how OpenID works is here:
[http://openid.net/pres/protocolflow-1.1.png](http://openid.net/pres/protocolflow-1.1.png)

So if I understand this diagram correctly, you connect to the server that you
want to log into. It determines whether or not you are authenticated (probably
through cookies). If so, it redirects you to the OpenID server. The OpenID
server checks your credentials and returns back to the original server. The
diagram does not specify, but I'm guessing the OpenID server has a session
cookie for your credentials so that you don't have to log in over and over
again.

So what are the downsides?

1) The server you want to log in to knows about your OpenID. In other words
they can potentially identify you and track you (possibly with the help of
Google). 2) The OpenID server knows which sites you are going to and when you
are logging into them. It can track all of your movements. I think it would be
naive in the extreme to assume that Google does not do this ;-) 3) Without
knowing more details I couldn't say, but I suppose it might open you up to
Cross Site Request Forgery style attacks. My experience with Google code in
this respect is that they are usually extremely thorough about this sort of
thing, so I think this is unlikely on the OpenID side. In my sleepy state, I
can't really think clearly enough to imagine whether or not there are ways to
screw up the code in the server that uses OpenID, though.

My employer loves Google and we use a ton of Google services. I am lucky
enough to have incredibly technically competent management and they understand
the tradeoffs of having Google track everything we do. Because of that, I use
OpenID for any other external service that my employer mandates/approves of.
I'm pretty careful not to go to OpenID authenticated sites by clicking on
links and open them directly, so I feel confident that I can avoid CSRF
attacks even if they could be done.

I do not use OpenID for personal use. My employer may be happy to have me
daily work activities tracked by Google, but as a private individual, I don't
really want that. I use an offline password manager:
[http://www.passwordstore.org/](http://www.passwordstore.org/)

------
kelvinn
#6 Disables JavaScript by default

~~~
ChuckMcM
I would say disable flash/javascript by default but I too was surprised they
didn't have this. Nothing like knowing you shouldn't click on a link only to
have some malicious javascript do it for you.

------
teamhappy
Anybody else clicked the "think before you click" thing right away?

~~~
krylon
I did, expecting something along of the lines of "Damn! What did we just tell
you?". That was kind of a disappointment.

------
dheera
I'm not trusting any closed-source password management programs. I generate
most of my passwords (different for each service) with

    
    
        from passlib.utils.pbkdf2 import pbkdf2
    
        def gen_password(master_password, domain, n = 0):
          thehash = pbkdf2((master_password + "/" + domain).encode('utf-8'), b'', 100000 + n, keylen = 16)
          return base64.b64encode(thehash)[0:12].decode('utf-8') + "$1Aa"
    

I welcome any comments on the security of this scheme.

~~~
bostik
That may look sane, but you're deriving all your passwords from a single
master "key". Leak it once, for any reason, and all your passwords just became
known. (Unless you provide unique value of 'n' for each site, which I doubt
you do.) If you use a common login or email address as your user name across
the sites you use, they all pop open at the same time.

My take on password generation is even more straightforward:

    
    
      % head -c 9 /dev/urandom | base64
    

Then whatever comes out, I store on an encrypted volume - so effectively I do
have a master passphrase but none of the login credentials are derived from
it. For sites that I think require even more entropy, I'll just bump up the
number of bytes read. (9 _8 = 72 bits of entropy, 12_ 8 = 96 bits)

I haven't yet found a password manager I truly liked.

EDIT: you do realise you are capping the entropy of your per-site passwords at
72 bits? It's more than enough against all practical brute force attacks, but
it also means that any entropy in your master key above 72 bits is effectively
lost.

~~~
svenfaw
>more than enough against all practical brute force attacks

Source?

~~~
bostik
Math.

But to give some substance to the claim, the speed record for single-system
password hashing in 2012 was ~350GH/s [0].

Let's assume that in 2015 a single system is capable of doing 1TH/s, or
~1000GH/s. So, 10^12 password attempts per second. An attacker, who is _not_ a
nation state, should be expected to have access to maybe 400 such systems. But
to make this conservative, let's assume they have 1000 such systems. So, the
attackers should be able to reach 1000 TH/s, or 10^15 attempts per second.

10^15 =~ 2^(15/0.301) =~ 2^50.

Hence, a determined attacker with finite resources has to do, on average, 2^31
seconds of work to brute force a password with 72 bits of entropy. 2^31
seconds is roughly 68 years.

That in turn means that there are lot of lower hanging fruit to pick before
even thinking of expending resources to brute force passwords with 72 bits of
entropy.

On the other hand, the resource requirements _are_ getting awfully close to
the realm of feasibility, so 72 bits might not be sufficient for long after
all...

0: [http://hackaday.com/2012/12/06/25-gpus-brute-
force-348-billi...](http://hackaday.com/2012/12/06/25-gpus-brute-
force-348-billion-hashes-per-second-to-crack-your-passwords/)

~~~
dheera
I feel like it wouldn't be anywhere close to 10^15 if they use a slow hashing
algorithm, which is what password stores _should_ be using (e.g.
[http://en.wikipedia.org/wiki/PBKDF2](http://en.wikipedia.org/wiki/PBKDF2) )

~~~
bostik
Indeed :)

Every new sensible implementation of password store is using either bcrypt,
pbkdf2 or scrypt.

I picked the lowest common denominator because it caters for the worst case
scenario. Systems where passwords are improperly hashed are quite likely to
have other security problems too. And as such are more likely to get breached,
whereby their password store is lifted too.

------
frik
Triva: _Intel Security Group_ , (previously _McAfee, Inc._ named after its
founder named John McAfee, recently renamed because of the tainted brand):
[http://en.wikipedia.org/wiki/McAfee](http://en.wikipedia.org/wiki/McAfee) ,
[http://money.cnn.com/2014/01/07/technology/security/intel-
mc...](http://money.cnn.com/2014/01/07/technology/security/intel-mcafee/)

------
vacri
Speaking of password managers, what are some suggestions for password managers
for sharing passwords around groups of staff in small businesses? We're
currently using passpack, but the UI is a little janky - as a result, it's
hard to get colleagues to practice good password hygiene. It's not terrible,
but it is a bit annoying to use.

------
ArtDev
Intel does security really well. They set an example how all large companies
should do it.

------
sthreet
two factor authentication: Things like this are probably the best argument for
why I should get a phone, thought I still wouldn't have much use for it.

Also, it seems safer to write down your passwords. I mean, someone might
physically take it, but that seems less likely than someone digitally taking
it.

------
gglitch
How is using a VPN different/better than tunneling through your home ssh
server? Honest q.

~~~
late2part
Using either is good. VPN offers misdirective pseudo-anonymization which might
help.

------
iamfeek
Phew.. Great to know that I have those traits!

------
benihana
A pragmatic one I like to say to non technical people like my mom and sister:

\- Have a dedicated email password that is different from every other password
you use.

Let's be honest: You _should_ have different passwords for every site, and you
should use strong passwords and a manager, but you don't because you're a
normal person. At the very least, be pragmatic and have an email password
that's separate from every other service password. The idea being, if your
random-service-you-signed-up-for-once.com password gets hacked, and your
username was your email address, the first thing an attacker will try to do is
use that password on your email. So have a strong email password and trust
that your gmail account is less likely to be hacked than your random-service
account password.

~~~
arjie
I use LastPass and I can't recommend it enough. It's fantastic and I have
different passwords for everything simply because I never bother making
passwords. I just hit the random function on it.

I still have my email passwords memorized, though.

This is honestly the best service I've ever paid for. It has never failed me,
and it substantially improves my life.

~~~
seanwilson
I use LastPass and think it's great as well. I've tried to recommend it to
others though and the common reply is "that doesn't sound secure enough for
company policy".

They don't seem to realise though that their usual approach of sharing
passwords over email, using the same password for several logins so it's easy
to remember and using easy to remember passwords in general is much more
insecure.

Services like LastPass make it practical for you to use impossible to guess
passwords, different passwords for every site and let you share passwords
securely.

~~~
dikaiosune
My key argument when I've convinced past employers to implement it: you
already outsource all of the hard parts of your security. Antivirus, firewall,
AD permissions, server config, all of it. They either bought a product to fit
the need or hired a consultant to do the advanced stuff. $12/year is pretty
cheap to hire a dedicated team of security wonks to safeguard your passwords,
IMO.

~~~
seanwilson
It's not the cost that's the issue though, people don't like the idea of
passwords being stored in a single place on a internet connected computer. I
mention that you can secure password access behind two factor authentication
but it doesn't get around the knee-jerk reaction often. Sharing lots of
passwords when working with a team remotely is especially painful when
password managers are not allowed...

