Tag Archives: Security

Carry your PIN number in your wallet

I have a confession to make.  I have been carrying the PIN number to my credit cards in my wallet for the last five years!

In my wallet I have a slip of paper right next each of my cards that looks like this…

A B C D E F G H I
6 9 2 1 6 2 4 0 1
J K L M N O P Q R
8 7 9 1 7 2 3 2 4
S T U V W X Y Z
7 7 2 8 1 7 2 0

… I can remember a four letter word easier than four random numbers and have challenged many people to guess my pin number from it.  e.g. if the four letter word was MOVE then the PIN would be 1286 and if the four letter word was CHIP then the PIN would be 2013.

I cryptographic terminology this is classed as a one way hash, a terrible idea for encrypting data on the internet but for data as small as 4 numbers it works quite well.  4 numbers only gives (10^4 =) 10000 combinations at the best of times although there are things that can be done to try and break it.

If we take a standard dictionary file (/usr/dict/words) there are 1778 four letter words that could be used. Based on the example matrix above that equates to 907 different PIN numbers. While this is still too many to guess at random we are down a long way from the 10000 original possibilities. I’ll let you decide if that is an acceptable risk.

It’s worth noting that while most people would probably use a four letter dictionary word there’s nothing from stopping you using things like “A DOG” or “I RUN” or even a pass phase “Am I Nicely Secure?” = AINS.

What are your views? Foolish or clever? Are there any other wallet tricks that people know?

Can you really delete a tweet?

The lovely James Firth has just announced that he will “delete all my old tweets, and only keep the last month or so”.  I think he is being foolish as I don’t believe it’s possible to delete things off the interwebs.  As such I decided to find out which of us was right!

The Test

  1. Post a tweet (Done 20th Sept 2010).
  2. Wait for it to be picked up by search engines and search tools.
  3. Delete the tweet (Done 25th Oct 2010).
  4. Wait to see how long it takes for the tweet to be deleted from these sites.

The Tweet

This is the tweet I will be deleting…

[blackbirdpie url=”http://twitter.com/dogsbodyorg/status/25050638391″]

I’m embedding it with the Blackbird Pie WordPress plugin, It will be interesting to see if it goes from here too!

The Results

Will be posted here when I have done the test.  Add me to Twitter or subscribe to my RSS to find out! 😉

  • GoogleDeleted but took over 2 months.
  • Google RealtimeDeleted in less than 24 hours.
  • Bing – The tweet never appeared in their search.  Can’t test.
  • Yahoo!Deleted but took over 2 months.
  • TweetMeme – The tweet never appeared in their search.  Can’t test.
  • TwitpicNot much you can do if someone takes a picture of the tweet.
  • RetweetThere is nothing you can do if someone has already retweeted you
  • Embedded with Blackbird Pie – Deleted some time before 01 Mar 2019 but probably because Blackbird Pie has long since broken :-p
  • topsy.comStill appearing in the Topsy index as of 28 Feb 2011.
  • flavors.meStill appearing in embedded sites as of 28 Feb 2011.

If you have written something news worthy that someone else has blogged about or discussed then no, that content can obviously be copied and quoted without issue.  And while tweets about your breakfast may be deleted by large sites such as Google and Yahoo there are plenty more that do not honour Twitters deletion protocols.

In short, I wouldn’t bother deleting things of the Internet.  All you are doing is making work for yourself.

Any other sites? Suggest them in the comments.

The Firehose

This is not a new test.  Until recently deleted tweets weren’t removed from Twitter’s official search resulting in services such as Tweleted.  With more and more sites drinking from the Twitter firehose (Twitters name for having a live feed of public status updates) it will be come harder and harder to stop tweets from being archived which is why I think it’s important to test this every once in a while.

Interestingly Twitter have blurred the line of firehose access with the launch of their new streaming service as a lot of companies that want to drink from the firehose only actually want a subset of the data.  e.g. TweetMeme only needs to index tweets with a URL in them. The Streaming API help has this to say about deleted tweets…

Streams may also contain status deletion notices. Clients are urged to honor deletion requests and discard deleted statuses immediately. At times, status deletion messages may arrive before the status. Even in this case, the late arriving status should be deleted from your backing store.

… urge != must.  It’s not in their T&Cs either that I can see.

I believe there are at least tens of full firehose users and hundreds of streaming users if not hundreds and thousands respectively.  Either way, the number is only going up!

Oh and we aren’t just talking websites and services here. The US Library of Congress has access to every public tweet ever written 😉

P.S.

  • I started creating a list of Twitter Firehose users as I don’t believe any such list exists.  Feel free to update and add to it, it’s public 🙂
  • I have been told to “play nice”, this is not a personal attack on James at all who is a top bloke, this is just an open debate and test.

Securing Majordomo

Did you know that buy default majordomo will give a list of all the addresses on your mailing list to anyone?

I have written a script that will tidy up majordomo config files as follows…

  • Only shows lists you are subscribed to with the ‘lists’ command
  • Does not allow anyone to use the ‘who’ command to get addresses
  • Doesn’t allow anyone to use the ‘which’ command to get addresses

This can either be run once or added to /etc/cron.daily so that any new lists created are forced to the correct settings.

Simply download the file, change the directory path at the top of the file if required and execute. Download Here.

Bluetooth security and advertising

I was watching BBC’s Click program today which had an piece on how technology was being used in advertising to make billboards stand out [1]. The bit that got my interest was using bluetooth to connect to passing mobiles, this interview sums it up well. If the bluetooth UID of a mobile phone can be picked up by a poster as you walk past, and all these posters are networked together then how long before the information is sold to tracking agencies?

We already have mobile phone tracking sites that allow you to find out where in the country a phone is logged on (to quite a good resolution too). While most of these sites require some form of authentication with the phone for public use the information is obviously there to phone company employees and the people behind these sites, who knows who has access to this info.

The other security concern is the vulnerabilities of the phones, apparently with Coldplays latest album, posters in London were offering to upload a free mp3 track from the album to bluetooth phones passing by. Nearly all first generation phones that support bluetooth are hackable with new vulnerabilities being discovered on phones all the time. Bluetooth can already be used to control a vulnerable phone, for example to make it call a premium rate number without the owner knowing. If I were to use Internet Explorer as a browser I could pick up spyware just by visiting a webpage, now people will be infecting their phones by playing affected MP3’s that they have downloaded for free from rogue posters. Neither of these techniques are new but in this ever mobile age the transport methods are changing and the speed these changes are implemented are getting faster.