Autocomplete

15 February 2020

autocomplete tag
There is lots of advice on how to disable autocomplete, or copy/paste, for input forms, especially password forms. This is mostly well meaning: there is a perception that it makes a site more secure, when in practice it makes it less secure.

The correct security advice is to recommend that users use a password manager, and that the web page assists the password manager by setting autocomplete="current-password" on the field, so that users can use long, complex, randomly generated, unique passwords and still log in quickly.

If you make the user type the password they will:
1. hate you
2. use a simple, easily remembered password (weak, not unique, and short)
3. if they already use a password manager, give up and go elsewhere

autocomplete="off" is almost universally ignored by browsers, and is always ignored by password managers. Some password managers have an option to respect it, but turning this on makes the password manager useless.

If autocomplete="off" is set, the password manager has to guess which fields are which on the form. It does this by looking at the field name, the input type, and the label text, but there is no standard for how these are named.
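As an added example (not part of the original post), here is a small Python check that scans login-form markup for the anti-patterns described above: autocomplete="off" at form or field level, a password field without a current-password or new-password token, and paste blocked with an onpaste handler. Both forms it runs over are constructed here; it cannot detect the randomised-name trick, which only shows at runtime.

```python
import re

# Constructed sample markup (not from the post): a form that follows the advice
# above, and one that uses the anti-patterns the post criticises.
GOOD_FORM = """
<form action="/login" method="post">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pass" autocomplete="current-password">
</form>
"""

BAD_FORM = """
<form action="/login" method="post" autocomplete="off">
  <input type="text" name="fld_a7x" autocomplete="off">
  <input type="password" name="fld_q2z" onpaste="return false">
</form>
"""

TAG_RE = re.compile(r"<(form|input)\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')
PASSWORD_TOKENS = {"current-password", "new-password"}


def audit_form(html):
    """Return (field_name, problem) findings for each <form>/<input> in `html`.

    An empty list means nothing in the markup stops a password manager
    from filling the form.
    """
    findings = []
    for tag, attrs in TAG_RE.findall(html):
        a = {k.lower(): v for k, v in ATTR_RE.findall(attrs)}
        name = a.get("name", "<unnamed>")
        ac = a.get("autocomplete", "").strip().lower()
        if tag.lower() == "form":
            if ac == "off":
                findings.append((name, "form-level autocomplete=off"))
            continue
        if ac == "off":
            findings.append((name, "autocomplete=off on a field"))
        if a.get("type", "").lower() == "password" and ac not in PASSWORD_TOKENS:
            findings.append((name, "password field without current-password/new-password"))
        if "onpaste" in a:
            findings.append((name, "paste blocked; password manager users cannot paste"))
    return findings


if __name__ == "__main__":
    for label, form in (("good", GOOD_FORM), ("bad", BAD_FORM)):
        print(label, audit_form(form))
```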

Perhaps the most unfathomable act of aggression against the user is this plugin:

The jquery.disableAutoFill plugin randomizes an input’s name attribute by default. When the form is submitted, the plugin restores the original name. This prevents auto-completion for all browsers (includes third-party auto-completion extensions) but doesn’t necessarily help with login fields. https://terrylinooo.github.io/jquery.disableAutoFill/

The Mozilla page about autocomplete reminds developers of the principles of what the web is for:

It is important to know that if you turn off autocomplete, you are breaking the rule 1.3.5: Identify Input Purpose in WCAG 2.1. If you are making a website that should follow WCAG, you should use autocomplete with autofill. https://www.w3.org/WAI/WCAG21/Understanding/identify-input-purpose.html

https://www.ncsc.gov.uk/blog-post/let-them-paste-passwords
https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/autocomplete
https://developers.google.com/web/fundamentals/design-and-ux/input/forms


Right to Repair

12 February 2020

Extending the life

We are at a strange junction of history. We have unprecedented access to technology. The number and capability of single board computers, sensor chips, even things like FPGAs, that are available to the hobbyist is amazing.

At the same time we have a massive removal of normal consumer rights: the ability and the right to access their own technology. Consumer devices are sealed shut with glues, special screws, and warning stickers that threaten the user with dire consequences should they have the temerity to break them. But the main method of sealing goods is to do it with software, with the aid of copyright protections.

The Digital Millennium Copyright Act in the US, and many similar laws, make it a crime to break a software lock that is protecting a copyright work, even if the reason for doing so is legal. So we have seen an explosion of software in devices, and as software is a copyrightable work, all a manufacturer needs to do is put a lock on it and they have the law to stop anyone using the device they sold you in ways that they don't like.

Apart from this being a horrible business practice, it is changing our society into a consumerist culture. In a time of climate change we should be conserving resources and minimising carbon footprints. Most of a device's carbon footprint comes from its manufacture, not its operation, so extending its useful life makes a large contribution.

There is substantial support for the “Right to Repair” across Europe and the US at the moment. There are a number of right to repair acts at state level in the US some making progress, some not. In Europe we recently got repair legislation for some appliances in terms of requiring the supply of parts from manufacturers for 10 years.

The battleground is now mobile phones, though other electronic devices are also in the mix. So go to repair.eu and sign the petition. Or, in the US, go to repair.org and lobby your state senators about the Right to Repair.


The use of SMS (Text Message) to deliver a One Time Passcode (OTP) is not recommended.

12 February 2020

Using a text message (SMS) to deliver an authentication or security token to a user has been useful in the past. It is still used in many systems, but we need to phase this method out.

Messages are transmitted across the global SS7 network, which has no encryption, authentication, or integrity protection. Access to it is limited (mainly to telecom operators, though wider access is developing). A few malicious actors have been detected on this network, and this threat is growing.

The more common attack method at the moment is to socially engineer the mobile operator into doing a SIM swap, and mobile operators have a poor security record in protecting customers against number takeover attacks.

Although it is the mobile operator that is attacked here, there is little incentive for them to protect customers against this, as their own business is not affected. This has been the main mechanism of SMS OTP compromise so far.

The responsibility falls to system designers not to rely on SMS to securely deliver these messages.

You can use email to transport the OTP, or an encrypted messaging service such as WhatsApp, Signal or Telegram, as an alternative to SMS.

The use of a time-based OTP (TOTP) is recommended; this should conform to the RFC 6238 standard. Google Authenticator is a widely assessed and recommended tool for this.

Attacks and exploitations reported

https://krebsonsecurity.com/2018/11/sms-phishing-cardless-atm-profit/

https://krebsonsecurity.com/2018/11/busting-sim-swappers-and-sim-swap-myths/

https://bitcoinmagazine.com/articles/investor-lawsuit-brought-against-t-t-mobile-sim-swapping-hacks/

https://motherboard.vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank

https://thehackernews.com/2016/07/two-factor-authentication.html

PCI DSS Standards

https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf

Use of SMS for Authentication

PCI DSS relies on industry standards—such as NIST, ISO, and ANSI—that cover all industries, not just the payments industry. While NIST currently permits the use of SMS, they have advised that out-of-band authentication using SMS or voice has been deprecated and may be removed from future releases of their publication.


Winter book suggestions

29 December 2019

Book reading by the fire

Holiday Book Guide 2019

Here is my annual reading suggestions list from things that I have read this year, and a few suggestions from friends. Please add your own suggestions in the comments.

“Radicalized” by Cory Doctorow.

Cory is an activist with the Electronic Frontier Foundation (EFF) and some of that is reflected in his stories. In this there are 4 separate stories of the near future where the consequences of some of the current laws are played out. What if your toaster was like an iPhone, so you could only toast approved bread? What if Superman came in and just stopped discrimination, would that solve anything? What would happen if the predictions of “preppers” came true, would they be better placed to survive in a post-apocalypse world?
https://craphound.com/category/radicalized-full/

“Good Omens” by Neil Gaiman & Terry Pratchett.

I have not read much Terry Pratchett, and only a bit of Neil Gaiman, but I picked this up when I heard about the BBC series of the book. Really enjoyed the dry humour and story. Read it before you watch the rerun of the BBC series.
https://www.neilgaiman.com/works/Books/Good+Omens/

“Rendezvous with Rama” by Arthur C. Clarke.

I first read this many, many years ago. Picked it up to re-read this year. What a wonderful story. And with the amazing scientific rigour that allows an amazing space story without having to invent impossible things like warp drive, ray guns and teleport machines. Why hasn't this been made into a film?
https://en.wikipedia.org/wiki/Rendezvous_with_Rama#Film

And here are some suggestions from my friends.

Matt Kemp

“The End Is Always Near” by Dan Carlin.

A superb history of apocalypse, suffering and extreme human situations throughout history. A must if you're a history buff, and it makes you think about the world today.
https://en.wikipedia.org/wiki/Dan_Carlin

“The Storm Before The Storm” by Mike Duncan.

If you’re interested in the Roman Empire, this is a thorough take on the period prior to the downfall of Rome. An appreciation of what it took to be at the top of a society where everyone is striving to get their name set into history.
https://en.wikipedia.org/wiki/Mike_Duncan_(podcaster)#The_Storm_Before_the_Storm

“Invisible Women” by Caroline Criado-Perez.

An absolutely superb book about the gender data gap. Explores how a society dominated by men designs everything for men.
https://en.wikipedia.org/wiki/Caroline_Criado-Perez

Oh I read Birdsong recently. I know it’s on all the lists of books to read but it is bloody brilliant.
https://www.sebastianfaulks.com/book/birdsong/

Mark Sutton

“The Order of Time” by Carlo Rovelli.

Very accessible, perception-altering book on the nature of time and how fundamental it is.
Gives a good background from classical to quantum and includes philosophical perspectives from Aristotle etc.
https://en.wikipedia.org/wiki/Carlo_Rovelli

“A Gentleman in Moscow” by Amor Towles.

A historical fiction about a Count sentenced during the revolution to spend his days in a Moscow hotel. Amusing, easy-going book with something of everything.
http://www.amortowles.com/gentleman-moscow-amor-towles/

Nigel Worthy

I've been very intellectual and reading the Bernie Gunther series by Philip Kerr this year. Very much a detective/action series set in Hitler's Germany and post-Hitler: he's a German detective and then SS intelligence officer (hates Nazis), then escapee to Argentina. Interesting history elements and perspective from a non-Nazi. Set between the 1930s and 1950s. Easy reading, though some heavy and disturbing bits. Fiction, of course.
https://berniegunther.com/


LED Cube project

29 December 2019

LED Cube
As a bit of a holiday project I got a kit to make one of these LED cube displays. A huge amount of soldering, bending leads, testing each plane of LEDs, and now it is finished.

LED cube in action

I think it is cool!

I got the kit from Banggood, but their instructions are rubbish. If you are doing this, look at these instructions instead.


How to start a Repair Cafe in your Town

14 September 2019

As an organiser of the Reading Repair Cafe I am regularly asked how to start a Restart Party / Repair Cafe. So that I don't keep repeating myself, here is an outline of the advice.

The key steps I think you should take in order to get a successful event happening are:

  1. Visit some events, bring something that needs repair, and talk to people. See how their event is run and copy the good bits.
  2. Set up your organisation, or find a charitable organisation to be a part of. The key things you need here are Public Liability insurance and finance (bank account etc.). In Reading we formed under an existing organisation, Transition Town Reading.
  3. Find your repairers. You need to gather together a group of people that are happy to volunteer and have the range of skills that will help people. The local Hackspace is a good start for electronics skills, the Linux user group for computer people, community cycling groups for bicycle repair, etc. Build a list of contacts and keep them updated with regular emails.
  4. Find a venue. You need somewhere that won't object to soldering irons, computers etc. being brought in, that has power and Wi-Fi available, and that you can afford. Community halls and church halls are good places to start, but most of these need to charge to cover their costs.
    We have tried roaming between different locations, and being based in the same location. Having a fixed location and a regular schedule of events is best: you become known and can advertise your events more easily.
  5. Set up and advertise your events: Facebook, Twitter, website…
    Start small, and build. Don't be disappointed if you don't have many visitors to your first few events, and don't become too confident if you have too many visitors either.
  6. Track your visitors and repairs. Keep a log of all repairs; we use the Restart Project tool for this. You will need this later to show what you have done when applying for grants and other money.
  7. Participate in the repair community, Fixfest, and network with other groups.

Resources:

The Restart Project wiki has lots of useful guides on how to repair different devices.
https://wiki.restarters.net/Main_Page

iFixit is a company and a website focused on repair. They sell great tools, and they also have repair guides for many types of devices, phones and computers mainly.
https://www.ifixit.com/

The Restart Project has guidance on hosting your own Restart Party.
https://therestartproject.org/restartparty/
The Repair Cafe site also has some good guides on how to start an event.
https://repaircafe.org/en/start/


Letter to Mr John Howarth MEP

21 March 2019

With the coming calamity that is the Directive on Copyright in the Digital Single Market, and Article 13 and Article 11, I wrote to a number of MEPs asking for their support in ensuring that this does not pass. Most were supportive, but Mr John Howarth MEP replied with a lot of rubbish. I have copied my reply to him below. Please do write to your MEPs about this issue.

Dear Mr John Howarth MEP

Thank you for your reply, but with respect I think you are very wrong about the effect of the Directive on Copyright in the Digital Single Market, and Article 13 and Article 11 that is before you. You had a series of claims on which I think you are wrong. I respectfully ask you to reconsider your position.

On 21/03/2019 13:41, John Howarth MEP wrote:

Among all of this, claims have been made about the proposed legislation that are wildly exaggerated or simply untrue. The implementation of updated copyright legislation will NOT end the internet as we know it.

No, it will not end the internet, but it will seriously change it. As the internet is now the means of communication and organisation for society, the dominance of the giant companies will shape the internet in ways that support their business, rather than as a conduit for social change. Article 11 imposes a tax on linking. The link is a fundamental part of the internet; taxing and restricting it will change the internet in ways we cannot predict, but probably not good ways.

It will NOT constrain or unduly limit ‘free speech’,

And this is my main point. Upload filters are a prior restraint on speech, a fundamental right. This amounts to institutional censorship of the internet. Who will police the upload filters to ensure that they are not over-blocking? There will be no penalty for falsely claiming copyright on a work in the blocking list. This is designed to promote over-blocking.

It gives more power to the vested interests that are already using the current powers to limit free speech. The notice and take-down requirements are repeatedly used to claim copyright in content in order to force unpalatable content off the internet. Are you a regular contributor to YouTube? If you are, you will know that your uploads are randomly taken down because of spurious copyright claims, or because you have accidentally incorporated some background music that has been detected. Here are some links to documented abuse of notice and take-down:

https://www.takedownabuse.org/
https://www.eff.org/wp/unsafe-harbors-abusive-dmca-subpoenas-and-takedown-demands
https://iamstevein.files.wordpress.com/2019/02/free-speech-and-dmca-abuse.pdf

it will NOT place an unreasonable burden on the internet giants who have put significant time and effort into misleading people because they believe it threatens their super profits.

Yes, here I agree with you that the large companies will not be unduly affected. It will cement their market dominance, and any smaller company that grows above the threshold will suddenly have to implement filters at huge expense. Nobody will be able to challenge the dominant players and this will stifle innovation.

It will not “outlaw memes”, it protects and defines the notion of satire and parody (which, by the way, were not in any way protected in the outdated copyright regimes that have applied till now). Exceptions set out in the legislation protect free academic enquiry, small businesses and bloggers.

I welcome the exceptions for academic research in Article 4, but even here copyright claims (false or valid) will affect everyone. There will be no way to turn off the upload filters just because you are doing research, or your usage is satire or parody. You will have your upload blocked and will have to go through a lengthy process to obtain a remedy. Upload filters give a presumption of guilt.

I do not believe that the legislation in any way limits the ability of the open source software community to continue to trade on the business model it has operated for some time – in other words the ‘sharing economy’ will continue to do just fine. The monopolistic platforms benefit from this “free internet”, however the fact is nothing is “free” – someone always pays, whether through collection of personal data in exchange for access or by the exploitation of their work.

Well, that is not the view of GitHub, perhaps the largest open source community on the internet, even though the latest version seems to have a very explicit exception for open source software.

https://github.blog/2019-02-13-the-eu-copyright-directive-what-happens-from-here/

Yours sincerely

Stuart Ward