If you're reading this and are not already browsing Facebook using HTTPS (secure HTTP), you need to go to Facebook RIGHT NOW and enable the option (lest you fall victim to [Firesheep](http://en.wikipedia.org/wiki/Firesheep)). In in your [Account Settings](https://www.facebook.com/editaccount.php?ref=mb&drop) under Account Security -> Secure Browsing (https). If you need more help, [Gizmodo has a great tutorial about how to do it](http://gizmodo.com/5748754/how-to-keep-your-facebook-secure-by-enabling-https).
[Firesheep](http://codebutler.com/firesheep) is a Firefox extension that allows users to steal login cookies on popular websites, which allows the user to login as you if you are browsing on the same network. It was release last week and has already forced sites like Facebook to issue statements addressing security. I downloaded it just now to test it out, and ran it while I logged into Facebook, Gmail, Amazon, Twitter, and other sites I frequent often. Here's what Firesheep sniffed out:
Firesheep can login to a lot of the sites I use
Double clicking on an avatar or account in the sidebar immediately opened a browser session as me, logged into the website shown. Anyone running Firesheep on an open network can sniff out and login as anyone on the network who is actively using the websites Firesheep knows about.
To combat this attack, everyone should immediately install the [HTTPS Everywhere](https://www.eff.org/https-everywhere) extension for Firefox or the [Use HTTPS](https://chrome.google.com/extensions/detail/kbkgnojednemejclpggpnhlhlhkmfidi) extension for Google Chrome. These plugins redirect you to secure versions of supported websites, preventing you from ever accessing them the normal (insecure) way. If you are not using Firefox or Chrome, you should switch.
It won't protect you on sites that don't support site-wide HTTPS like eBay, Amazon, and others, but it's a start.
EFF's HTTPS Everywhere for Firefox secures these sites by default
You can tell if your session is secure by looking for "https://" in the location bar, or by looking for visual cues like a lock icon (Chrome) or a green background (Firefox).
A secure browsing session in Firefox
A secure browsing session in Chrome
This is not a new problem, but it is the first time there has been an easy way for anyone to exploit the issue. It's likely that every major website will now have to address the way their session information is stored, but it may be some time before they can react.
Good luck staying secure!
This is an security problem that has been rehashed numerous times, but I've found that none of my friends seem to know that it is an issue. Note that if you're someone who keeps all of your passwords on a sticky attached to your monitor, you probably won't care about any of this. I love Firefox and rely on it heavily, but one thing that has always bothered me is that its password manager stores passwords in plain text and by default, allows anyone at your computer to see them. You can see this for yourself, and if you're like me, it will probably freak you out to actually see your password written out.
In Firefox, go to **Preferences->Security**:
Click on **Saved Passwords**, and then **Show Passwords**. Firefox will ask you if you're sure. Click **Yes**, because that's what someone snooping around on your machine would do.
Surprise! All of your passwords are there, in plain text.
Note that Firefox does offer a "Use a master password" option in its security dialog. This does prevent the casual snooper from seeing your passwords, but it also prompts you for a password
every time a webpage wants to auto-fill a password field once per session. In my world, that happens 20-30 times a day (if not more). Unacceptable. [Corrected: John Lilly wrote me to let me know that Firefox only asks once per session. This behavior is totally usable, but there are still some issues. When I launched Firefox with more than one tab open, it prompted me once for each tab.]
1. Uncheck **Remember passwords for sites** and use [1Password](http://agilewebsolutions.com/products/1Password). I swear by 1Password, and everyone I've demoed it for starts to use it.
2. Switch to Safari, Chrome, or Camino, all of which use Mac OS X's Keychain to store passwords securely.
I'm going to stick to Firefox -- for now -- but it is a huge convenience FAIL that I have to turn off the feature to save passwords. As more plugins start to appear in Chrome, I'm more and more tempted to Switch; this security issue is the number 1 reason.
I just reinstalled PGP Whole Disk Encryption (WDE) on my MacBook Pro 17" running Mac OS 10.5.8. I'm not using it to encrypt my entire drive, but I used to use it to encrypt entire backup volumes so the data on them cannot be used if the drive itself is stolen (when traveling, mostly). I'm embarrassed to be a FileVault user, but I don't see any other way to have certain parts of my disk remain fast, while keeping other parts encrypted (and slow). One additional requirement is seamless access; using TrueCrypt wasn't really an option because I'd have to mount the volume every time I wanted to access it (which is almost all the time, since I want my mail and all non-media files to be encrypted). I'm lazy.
And so, I settled with FileVault, which has actually been working just fine. On my striped Intel SSD setup, I don't even notice it.
But it isn't just my machine that needs to be encrypted; backups need to be encrypted as well. I travel with backup drives, and they are much more easily stolen than computers are.
When I back up my machine to an external drive using SuperDuper, the resulting backup is still encrypted because it backs up the files that live on my drive, as opposed to a solution that backs up files that are currently available to the OS. As a result, my FileVault-encrypted files are not accessible on my backup drive unless I boot Mac OS and log in. But since I'm paranoid that FileVault may fail and eat my data, I also use CrashPlan to backup non-image, non-video files to a server. CrashPlan is cool because it does these remote backups even when I am away traveling, and all backups are encrypted.
So why do I need PGP WDE, then?
I'm not sure. I guess I originally used it so that I could stay compatible with friends. I also used to use it to encrypt backup drives in case they are stolen... but then I decided that I could just use DiskUtil to create encrypted disk images and backup to them. I use GPG as a replacement for PGP for general encryption, and use Sente's GPG mail bundle for Mail.app integration.
I think I just talked myself into uninstalling PGP WDE.
ANYWAY, the point of this post was to write that when you install PGP, it disables Mail.app bundles. When you launch Mail, it will notify you that bundles have been disabled. Here's how to get them back:
1. Disable PGP's Messaging Security (uncheck "Secure Email" in Preferences -> Messaging) 2. Go to ~/Library/Mail and rename "Bundles (disabled)" back to "Bundles" 3. Run "defaults write com.apple.mail EnableBundles 1" in Terminal
There you go. I'm going to go uninstall PGP WDE now. :)
I did some research yesterday on website password managers for Mac OS X. A good place to start is Alex King's blog; he has written two thought-provoking articles about why you shouldn't use the same password for everything, and how software can help your password / login workflow ([Passwords](alexking1), [More on Passwords](alexking2)). [alexking1]: http://alexking.org/blog/2007/02/02/passwords [alexking2]: http://alexking.org/blog/2007/02/05/more-on-passwords
Really, it should just be common sense to not use the same password for everything; after all, you have no idea how a particular website is going to store your super-secret password. What if your password is stored in plain-text on a server with a gaping security hole? What if the website likes to email you a password reminder -- in plain text -- every month? I've seen sites that do all sorts of bad things, and if you use the same password at an insecure site as you do at your bank's website, you're asking for trouble. And even if you use different passwords, you need a secure way to store them all. The worst I've seen is someone who kept all of their passwords and financial account numbers in an Excel document on their notebook computer's desktop. I suspect that sort of thing isn't as rare as it might seem to be.
Some people use variations of the same password for all of their websites. I typically use variations on three or four base passwords. I have to track literally dozens, if not hundreds, of website passwords, and it is simply impossible to remember so many. If I can help it, I don't write the passwords down anywhere. Instead, I write down "helper" words that I associate with the base passwords, which I've memorized. So instead of writing a password as "omgLOL", I might write "stupid teens", which would trigger me to remember the actual password. Finally, I encrypt the data so that no one can even see my helper words.
I've been using one of my favorite applications, Evernote, to store all of my accounts, passwords, and more (manuals, tips, photos of restaurants, notes, etc.). Evernote syncs its database between all of my computers, evernote.com, and the Evernote iPhone app. It supports encryption, shared notebooks, OCR of text in images, and more. I love Evernote.
Still, I have to look up passwords to various websites many times each day, and Evernote doesn't help there (other than by offering a keyboard shortcut to launch the app and search, which is great). Alex uses PwdHash, a plugin and service written by Stanford crypto guys. For each website with a password field detected, it hashes the domain name with a master password you provide. All you have to do is enter "@@masterpassword" in a password field, and it does the rest, ensuring that each site's password is unique. However, it becomes complicated when domain names change within the same web service (e.g. mybank.com and mybankonline.com), and it also fails when services disallow specific characters or symbols in a password. If you need to look up a password manually, you can go to PwdHash.com to generate hashed password using your master password and a domain name.
PwdHash looked like an interesting option, but when I tried to go to PwdHash.com last night, the site was down. I've read that you can just grab the source from that page and stick it somewhere else (like on your own website), but it didn't inspire confidence to have the site down.
[1Password](1password) has gotten great reviews, especially from Windows-to-Mac switchers who were Roboform users. I've been trying this out, and it seems to be a great solution. It requires that I manually create passwords for each website, but it does a great job of integrating with web browsers (using browser plugins). It also features a fantastic automatic form filler, so I can enter my home address, work address, credit card numbers, etc. and just select which one to use when I encounter forms on any website. It also has an iPhone app that can be synchronized with the desktop client.
Synchronization is accomplished using various third-party file sharing services. I was already a die-hard user of [DropBox](dropbox), so it was easy to simply store my encrypted 1Password database on a shared DropBox folder to accomplish multi-machine sync.
[1password]: http://agilewebsolutions.com/products/1Password [dropbpx]: https://www.getdropbox.com
A Twitter person asked why I don't use [KeePassX](keepassx). It's free, but it doesn't look to be as fully-featured as 1Password is.
That's it for now. I'll report back once I've used 1Password for a longer period of time. Remember -- change your passwords!!
I just came across a particularly disturbing article about Facebook's ad policy, which by default allows the use of your face in advertisements targeted at your Facebook friends (via @johnolilly). > Facebook occasionally pairs advertisements with relevant social actions from a user's friends to create Facebook Ads. Facebook Ads make advertisements more interesting and more tailored to you and your friends. These respect all privacy rules.
To turn this off, go to **Settings -> Privacy -> News Feed and Wall -> Facebook Ads -> Appearance in Facebook Ads** and select "no one."
Note that this privacy page doesn't appear in Firefox 3.5 if you use AdBlock Plus extension. Even selecting "disable on this page only" in AdBlock Plus and refreshing the page won't make the controls appear. I had to completely disable AdBlock Plus and refresh to the page in order to see them. Alternatively, you could use another browser (e.g. Safari, Chrome).