By Patrick | September 14, 2007
Word coming out a couple hours ago on the AP Newswire (via MSNBC) that TD Ameritrade has been hacked and information has been compromised.
Information such as email addresses, names, addresses and phone numbers was retrieved from this database and affects TD AMERITRADE retail and institutional clients.
Client assets held in accounts with the Company remain secure as UserIDs, personal identification numbers and passwords were not stored in this particular database.
By Patrick | July 10, 2007
Almost a month ago I received an email from Martin Wright, creator of PassPub. He was telling me a little bit about his new web-based SSL password generator. I promised him I would take a look. Well Martin, sorry for the delay, but I’m finally getting around to checking out PassPub.
PassPub is a cool little website that allows you to generate all kinds of unique passwords. I do some private consulting and sometimes I need to come up with a new, unique password. Whether it’s a new WPA key or a router password I need, PassPub is extremely helpful for these types of situations.
PassPub offers predefined templates for creating passwords. It can create a random 6-, 8-, 10- or 12-character password. It can also create 64- and 128-bit WEP keys, as well as 256-bit WPA keys, all with a single click.
For those times when you need a memorable, but still hard to guess, password, there is a section entitled “Memorable Passwords” with a few cool choices. My favorite option from this section is the “Mnemonic” generator. This option creates an easy to read password, with alternating vowels and consonants and an appended 3-digit suffix. I like this one because usually it’s a lot easier for me to read and therefore easier to remember, but still hard to guess. I generally use Mnemonic when changing my login password for my PC, especially since I do that every 45 days. The Memorable Passwords section also offers password generators using keyboard combinations as well as chemical element symbols that can be extremely useful as well.
As a personal example, when I’m configuring a new router or firewall password, this is when I use the standard 10 or 12 character password generator. I use this option because I want a very hard to guess, random password. Plus, I won’t be typing it in often, so I can afford to have one that’s not easy to remember.
Now many of you are probably asking why I would waste my time going to this website when I can just come up with some random letters and numerics on my own. This was the same reaction I first had when I looked at Martin’s product. However, I always try to commit to using a new program or application for a couple of weeks before I totally disregard it, and I have to say that PassPub has come in very handy. You may find it’s not a great tool for your arsenal, but others might. I do know you need to check it out and decide for yourself. Thanks for a cool new tool Martin!
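The templates described above, written up as an added Python example (this is not PassPub’s code; the alphabets and the exact mnemonic layout are assumptions): each template is generated with the `secrets` module and the size of its output space is reported in bits, which shows what the Mnemonic template trades away for readability and why its 3-digit suffix matters.

```python
"""Added example (not PassPub's code): generators for the three template
families the post describes, plus the size of each output space in bits.
Alphabets and the exact mnemonic layout are assumptions."""
import math
import secrets
import string

CONSONANTS = "bcdfghjklmnpqrstvwxz"                      # 20 letters, assumed alphabet
VOWELS = "aeiou"                                         # 5 letters
RANDOM_ALPHABET = string.ascii_letters + string.digits   # 62 symbols, assumed
# WEP "64/128-bit" keys carry only 40/104 secret bits (the rest is the IV);
# a WPA-PSK raw key is a full 256 bits.
SECRET_BITS = {64: 40, 128: 104, 256: 256}


def random_password(length: int) -> str:
    """6/8/10/12-character templates: uniform random characters via secrets, not random."""
    return "".join(secrets.choice(RANDOM_ALPHABET) for _ in range(length))


def hex_key(bits: int) -> str:
    """WEP/WPA template: hex key, e.g. 10 hex digits for 64-bit WEP, 64 for WPA."""
    return secrets.token_hex(SECRET_BITS[bits] // 8)


def mnemonic_password(letters: int = 8) -> str:
    """Mnemonic template: consonant/vowel alternation plus a 3-digit suffix,
    e.g. 'kudimota417' (layout assumed from the post's description)."""
    body = "".join(secrets.choice(CONSONANTS if i % 2 == 0 else VOWELS)
                   for i in range(letters))
    return body + f"{secrets.randbelow(1000):03d}"


def is_mnemonic(pw: str, letters: int = 8) -> bool:
    """True if pw follows the mnemonic layout above."""
    body, suffix = pw[:letters], pw[letters:]
    if len(body) != letters or len(suffix) != 3 or not suffix.isdigit():
        return False
    return all((c in CONSONANTS) if i % 2 == 0 else (c in VOWELS)
               for i, c in enumerate(body))


def entropy_bits(template: str, size: int) -> float:
    """log2 of the number of distinct outputs a template can produce; this is
    why an 11-character mnemonic is weaker than an 8-character random password."""
    if template == "random":
        return size * math.log2(len(RANDOM_ALPHABET))
    if template == "hex":
        return float(SECRET_BITS[size])
    if template == "mnemonic":
        return ((size + 1) // 2 * math.log2(len(CONSONANTS))
                + size // 2 * math.log2(len(VOWELS)) + math.log2(1000))
    raise ValueError(template)


if __name__ == "__main__":
    for name, pw, bits in [("random-8", random_password(8), entropy_bits("random", 8)),
                           ("wpa-256", hex_key(256), entropy_bits("hex", 256)),
                           ("mnemonic", mnemonic_password(), entropy_bits("mnemonic", 8))]:
        print(f"{name:9} {pw:64} {bits:6.1f} bits")
```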
By Patrick | June 29, 2007
Just saw a very interesting article come across my RSS feed from Slashdot. Senate Bill S. 704 is currently being entertained in a Congressional subcommittee right now. This bill serves as an amendment to The Communications Act of 1934 that would make “manipulation of caller identification information” illegal. This means services like SpoofCard and FoneFaker would quickly become illegal. Illegal at a cost of up to $10,000 per violation.
This amendment was introduced in February of this year by Sen. Bill Nelson (D-FL) and is known as the Truth in Caller ID Act of 2007. The summary is as follows:
Truth in Caller ID Act of 2007 – Amends the Communications Act of 1934 to make it unlawful for any person in the United States, in connection with any telecommunications service or Internet protocol (IP)-enabled voice service, to cause any caller identification (ID) service to transmit misleading or inaccurate caller ID information, unless such transmission is exempted in connection with: (1) authorized activities of law enforcement agencies; or (2) a court order specifically authorizing the use of caller ID manipulation.
Provides civil and criminal penalties for violations. Allows for enforcement by states (with authorized intervention by the Federal Communications Commission (FCC)).
While this piece of legislation isn’t a really big blow to privacy or a violation of our civil liberties or freedoms, it does raise a couple of questions. If I block my Caller ID, is that illegal? This could be good or bad considering who you talk to.
Also, why is the responsibility on the citizen as opposed to the telecommunications company that ALLOWS caller ID manipulation? What about the telecom carriers? Shouldn’t this bill be directed at them as well? While the end result would really be the same (no more spoofed caller ID), it would at least hold the telecom companies accountable. So now, just as we were teaching people to not always trust a person because of what shows up on their caller ID, that may be changing. People will go back to assuming caller ID is always accurate since the government has laws against manipulating it.
And finally, is this the best use of our federal government? Since I am a huge proponent of smaller, limited government and favor states’ rights, this is yet another really pointless piece of legislation. As usual, it will keep the honest people honest, and the criminals will continue to spoof caller ID as they wish. It’s the way it always is and always will be.
What do you guys think? Is this a good piece of legislation or not? Does it even really matter?
By Patrick | June 28, 2007
One really awesome feature I did not cover in my previous review of the Online Password Manager, Clipperz, was their Direct Login feature. This is a feature that allows you to configure Clipperz to automatically log you in to various websites with a single click.
When I first signed up for Clipperz I did not use this feature at all. However, upon Marco’s suggestion that I should really try them out, I decided I would take a look. The first account I configured for Direct Login was one of my bank accounts. It was extremely easy to configure in Clipperz and within a couple minutes I had one-click login access to my bank account. I’m VERY sold on Direct Logins. I immediately started adding any other accounts that I could. Be forewarned, Direct Logins do not work for every site. I had a couple they would not work for, but that’s a minor inconvenience.
Clipperz definitely has a one up over PassPack in this area. Everyone knows I’m a PassPack evangelist because of its lightweight feel and its blazing speed. However, I also love Clipperz for its multi-field cards that can store custom data, not just usernames and passwords.
The solution to this multi-password-manager dilemma? I have accounts at both places. And to be honest, it will remain that way for as long as Clipperz is the only one with Direct Login.
By Patrick | June 28, 2007
I received a letter in the mail from the bank that issues the a.K.a Card requesting more information from me. They asked me for a copy of my driver’s license, a W-2 from last year showing my gross income, and then an employment history. When I first received it I was a bit taken aback. This seemed like a lot of information to be giving up for an anonymous card, but I had to remember the bank has to know who I am. And from my earlier post there are two main roads you can go down in the privacy-aware lifestyle:
- Seek complete anonymity
- Seek to avoid identity theft
The latter of the two is what the a.K.a card accomplishes, though it’s not bulletproof for complete anonymity, since real addresses have to be used even on the alternate identity of the a.K.a Card. Plus the bank has a slew of information so that it can verify me and issue me a revolving credit card. This is NOT an anonymous credit/debit card like Vanilla Visa and others.
Either way, I’ll be filling this out and submitting the information this weekend. I’ll keep everyone updated.
By Patrick | June 25, 2007
I was contacted the other day by a nice woman from The a.K.a Card. She was contacting me to inform me about their product that offers “Total Anonymity, Privacy and Freedom”: the a.K.a Card. In a nutshell, it is a credit card you apply for, and upon approval you are sent a card that has two identities. One is your real identity that you used when you applied for the credit card, and the other is one you make up and use when you purchase items online. They have a pretty decent explanation here and their FAQ can be found here. Currently, a.K.a Card is running an introductory special where you can sign up for $9.99/month or $99.99/yr. Normally I think the price is $14.99/month.
So what does this service offer? When you go to shop online and you put in your credit card information, sometimes you don’t know just how securely the merchant on the other end will protect your information. Even if they do everything they can, sometimes mistakes are made, or accidents happen and servers and databases get hacked. With a.K.a Card when you buy online, you give the merchant your alternate identity with a totally different name, address and card number. The theory is that if or when the merchant is compromised, the attacker doesn’t walk away with your real credit card number or even real name.
So you’ve heard me talk about anonymous prepaid credit/debit cards before; however, this is different. The goal with the a.K.a Card is to prevent identity theft. I see a couple of problems though that I hope to get ironed out either by speaking with the folks at a.K.a Card or someone posting a comment on here.
The first problem is that if the merchant requires the billing and shipping address to match, then that could be a problem if your address for the alternate identity is not an address where you can receive mail. For example, if I set up my alternate address as 123 Nowhere St., but I want my goods sent to 505 Somewhere Ln., then that may not jibe.
The second problem is the alternate name. I think it’s awesome you can assign any name you want for an alternate identity, but what if the address you’re receiving your merchandise at doesn’t know you by your fake name? For instance, in the scenario presented on a.K.a’s website, “Melissa Miller” is telling us how she uses her card. She uses the pseudonym of “Jane Freedom” and she also uses her office address as the alternate address. Let’s say Melissa/Jane orders some brand new shoes from an online vendor and has them shipped to her work address since the merchant will only ship to the billing address. The shoes show up at her office and the mail room employees try to look up “Jane Freedom” in their directory, seeing as how they don’t know what floor Ms. Freedom sits on. Well, guess what? There’s no Jane Freedom at that company. Hrm. You see where I’m going with this.
I really, really want to like all products out there that even remotely seem to help in the defense of identity theft and defense of privacy. However, do I see the a.K.a Card as something that I would pay $9.99/month for, much less $14.99/month? I’ll soon find out as I’m going to be applying for one later today (hopefully I’ll be approved) and then will attempt to test it out. I feel actually trying out the product I’m reviewing is the only fair way to write a decent review about it.
I’d really love to hear any comments from anyone else who looks at this product. What do you think? Is it worth it? Anyone got some great ideas on how to utilize this card?
By Patrick | June 21, 2007
Tell me again why I should trust the government with any of my sensitive data? Tell me why it is that so many people are in favor of a national ID card (AKA Real ID)? When are people going to get it through their heads that personally identifiable information is best left private with the individual, not with the government or some corporate entity?
This one quote from this particular article about a state government’s latest data loss kills me (emphasis added):
The tape was stolen June 10 out of the unlocked car of a 22-year-old intern who had been designated to take the backup device home as part of a standard security procedure.
What kind of screwed up security policy is that procedure a part of? Not surprisingly, the governor has suspended that procedure of taking home any data-backup devices and is “mandating a review of how state data is handled.” Good call Gov.
By Patrick | June 13, 2007
A couple of months ago, I posted a brief review of PassPack, an Online Password Manager (OPM). When I posted the initial review of PassPack, I was aware of another similar, but different, OPM by the name of Clipperz. Today I want to take the time to review Clipperz, some of its features and flaws.
First of all let me say that I will not be incorporating any screenshots into this post, so allow me to give you this link that has numerous screenshots for your viewing pleasure. Now, on to the review!
Upon first use, you obviously need to sign up. Clipperz makes registration a breeze. One thing I love immediately is that registration is anonymous. Their signup process asks for three things: a username, a passPHRASE and verification of the passphrase. That’s it. Just two pieces of information you have to remember. I capitalized phrase in passphrase intentionally a moment ago. That’s because your passphrase is the ONLY thing standing between no access and full access to your passwords. So a super strong passphrase is highly recommended.
One other thing that you might notice right off hand, and will definitely see throughout the Clipperz application, is a password strength meter. Whenever you are typing in a password or a passphrase, this strength meter is displayed beneath the text field in which you are typing. As your password becomes longer and more complex, the meter changes from bright red (least secure) to bright green (very secure). Most of us know what is and isn’t a good, strong password, however it’s a really cool feature to have and you’ll see why later.
Once you log in with your new account, you land on the “card view” screen. This is where you create your various cards that will hold passwords or information for various websites, companies, individuals, etc. Think of it as an online Rolodex, per se. You might have cards for things like Gmail, Digg, MyBank, MyStockAccount, etc. When you click on “Add new card” you are given a number of predefined template cards to choose from. These templates consist of cards with certain fields already defined for you. There are card templates for simple web password credentials, online banking information or even an address book entry.
Now this is where Clipperz has a huge one up on PassPack. These cards have an unlimited number of “fields” that they can contain. And the predefined “template” cards can have any and all of their fields modified, added to, or even removed. Clipperz offers you full control and tons of flexibility on the type of information you can store in your cards. It’s virtually limitless on the number and type of data sets you can store.
Of the field definitions, the “password” type is one that will probably be most often used. When you store information in a password type field, the text is always displayed as stars. While great for that nosy coworker or curious boss, this is a problem. It’s a problem because there is no single click or otherwise convenient method to reveal the password that is behind the stars. Most password managers have a descramble or reveal button you can click to see the password in the clear. This is one of my biggest complaints of the application. Clipperz does allow you to click on the stars themselves which copies the field data (password) to the clipboard. This enables you to quickly paste the password into a waiting login prompt or webform. Still, I would love to see a one-click button that would change those stars into the clear text password when I needed to view a password quickly, and not necessarily copy it to the clipboard every time.
You remember how I said the password strength meter had another great use? Well, here’s where I give you a real life example. I have a number of clients I consult for at various times. Each client has their very own card in Clipperz. I store numerous passwords for each client in their respective cards. Passwords for their routers, firewalls, servers, etc. It would not be uncommon for me to have 10-15 password fields on one card. With the password strength meter, I can glance at a card for a client and get an overall idea how strong their passwords are for all their devices I have information for. It may seem small to some people, but it’s a feature I really appreciate.
My favorite feature of almost all real OPMs (including Clipperz and PassPack) is the encryption and security aspect. All my information remains safely encrypted on their servers and is never passed in the clear. Encryption and decryption take place on the client side in the browser, so even if the Clipperz servers were compromised, your data would be safe and useless to the perpetrators. Plus, there’s no worry if a Clipperz employee ever turns rogue and tries to walk off with all the sensitive information that lives on the Clipperz servers.
To wrap up, I like Clipperz. The interface isn’t as easy or simple as PassPack. But then again, you have a lot more flexibility and can do so much more in Clipperz than you can in PassPack. I still give really big kudos to PassPack for having the unscramble button next to their password fields. Whichever OPM you choose, Clipperz is definitely an option worth investigating.
By Patrick | June 12, 2007
Slashdot has an article talking about some Google Privacy Quickies. A recap of sorts of some of the latest Google privacy news and statements.
Google Privacy Quickies – Slashdot
By Patrick | June 11, 2007
Privacy International is an International (duh) Privacy watchdog group that just released a report of privacy rankings for many of the Internet’s major players (i.e. Google, Microsoft, MySpace, Facebook, etc.). The Washington Post has an article talking about the report here.
One excerpt from the report states:
“We are aware that the decision to place Google at the bottom of the ranking is likely to be controversial, but throughout our research we have found numerous deficiencies and hostilities in Google’s approach to privacy that go well beyond those of other organizations. While a number of companies share some of these negative elements, none comes close to achieving status as an endemic threat to privacy.”
Some of you may remember last year the big fiasco Google raised when it challenged the DOJ’s subpoena request to review millions of users’ search requests. A feather in their cap for privacy advocates, right? This, along with their agreement to “sanitize” search data after 18-24 months, has created some confusion as to just how Google could have received the lowest ranking of all companies analyzed. Privacy International came to its conclusions based off of 6 months of research conducted with 30 professors from the US and the UK.
Some of the takeaways from both the Washington Post article and Privacy International’s actual report are as follows:
- Out of 23 total companies, Google received the lowest ranking allowed and was the only one to receive that rank.
- “An independent European panel recently opened an inquiry into whether Google’s policies abide by Europe’s privacy rules.” – Washington Post
- Three consumer groups in the United States are pressuring government regulators to force Google to change some of its privacy policies before allowing the $3.1 billion deal with online ad service DoubleClick.
- Google’s ability to match data gathered by its search engine with information collected from other services such as e-mail, instant messaging and maps is equally concerning.
I believe Google is keeping privacy in mind when it comes to third parties. I don’t believe they are sharing data with anyone else or advancing the rise in spam traffic. However, I also believe they are gathering and analyzing data in ways that will benefit them greatly and anyone else that had this same type of market research. They obviously won’t share this type of research with competitors but will use this information any way they can to serve their own interests. At least, that’s just my opinion.
Do I think they’re in bed with the government like Facebook has been suggested to be? No. Do I think they have very valuable information that the government and/or corporate entities would like to get their hands on? Absolutely.