Timbuk2 Messenger

The Timbuk2 laptop messenger is a high quality laptop messenger bag from the company that brought messenger bags into mass market appeal. The build quality is top notch, and the ability to customize the colors and fabrics is pretty appealing, but you will pay for both. It comes in three sizes to accommodate your laptop needs, with the largest size accommodating a 17″ MacBook Pro reasonably easily.

In general I think there are a lot of parallels with the Apple design philosophy: with this bag you are really paying for style and quality, but style trumps functionality. The bags hold a lot, but they focus on large, open compartments to capture the classic courier bag feel. It has a smaller front compartment with some pen organizers and a couple of small pouches, as well as a larger pouch in the main area, but mostly everything jumbles together. This is less than practical if you want to keep the bag organized with a multitude of stuff, such as I carry. It is easy to get into the bag, as it really just has one big flap that connects with clips, but as a result it doesn’t form any real seal. I found this very concerning with a laptop, especially when I commuted by foot in Pacific Northwest weather. Also, it would have been trivial to add a water bottle holder on the side, it practically begs for it, but alas, that wouldn’t capture the true courier feel so it is not present.

I could easily carry a second laptop in a laptop sleeve, and it would hold most everything I needed, but I sort of felt it was like my mother’s purse, with just a bunch of junk floating around needing to be dug out. I also resented that I had to pay extra for a strap pad, though it is pretty comfortable. If you customize a bag, it is pretty easy to end up with a $150 (or more) contraption. That said, the strap pouches for music players and cell phones, while also pricey, are pretty nice, and I have used them on multiple messengers and even a backpack that had a convenient place for them.

Pros

  • Well made, of high quality material
  • You can customize the bag and get just the look you want
  • Laptop padding is pretty effective
  • Holds a ton of crap

Cons

  • Pricey
  • Doesn’t offer a lot of organizational space for the gadget heavy
  • I worry about it keeping the elements out with its single flap design, even after using it for quite a while

Conclusion - Grade: B

If it were a bit cheaper I would rate it higher, and I dig the customization. You can get it a bit cheaper if you buy a premade one (especially if you buy it from a source other than Timbuk2 directly), but I think that really defeats the draw of Timbuk2 (getting the bag exactly how you want it). I didn’t like how disorganized the bag was, but I did like the space it offered. I could carry everything pretty comfortably, even if the constant sense of chaos within it bothered me. If you want a high quality bag, built how you want it, and don’t mind a bit of disorder, are willing to pay the price, and live in a place where you aren’t worried about being out in the elements, this is a good bag for you.

~ Joshbw

eBags Downloader

The eBags Downloader is a fairly cheap laptop backpack (you can regularly get it for less than $40 on sale) with two primary compartments, plus side pouches and a small additional pocket on the back. One of the side pouches can be used as a water bottle holder if left open. It has a small water resistant opening to allow headphones out of, and a lot of internal organization pouches. The laptop sits in the largest primary compartment and has padding on three sides. The back padding is reasonably comfortable. I managed to squeeze a 15″ Dell D820 into the laptop compartment but it fit really tightly against the top and had no padding on the upper portion. I’d recommend 14″ and smaller machines for this pack.

This is probably a good bag for a student who carries one or two textbooks with them plus a laptop. It does fill up very quickly though, and can be a bit uncomfortable when full. The audio holder can hold a portable CD player (are those still made?), but MP3 players slide around a lot in it. It worked for me on a day to day basis, but just wasn’t accommodating enough for travel with all of the stuff I carry. I was making a decent number of compromises, and the straps wore out pretty quickly with the load I usually carried.

This is definitely a “value” bag, where they tried to offer nice features but cut corners doing so. The zippers are exposed, rather than having a small flap covering them, and aren’t great quality. The straps are entirely mediocre: some more padding and sturdier material would have been welcome, as would a sternum strap. It has some laptop padding, but not all around.

Pros

  • Very reasonably priced (eBags has it on sale fairly often for around $40, and you can get it for $30 at the right sale)
  • Offers a fair amount of organizational pockets within each compartment
  • Nice bright colors

Cons

  • Strap wore out after less than a year
  • Fills up quickly, and uncomfortable when full
  • Audio pouch allows too much movement of player
  • Questionable water resistance as a result of exposed zippers
  • Laptop holder doesn’t offer great padding, and is horrid if you need to get a laptop out at security gates.

Conclusion - Grade: C

You get what you pay for. This bag will last you a while, but isn’t a bag for the long haul. It is cheap, but you can see where they kept the price down. It offers some organization, but certainly doesn’t meet my needs. I’d recommend the bag for teenagers who are going to want another bag next year anyway. That said, if you can find it for $30, it’s worth $30.

~ Joshbw

23 Apr

Quest for the perfect Geek Bag Part 1: Criteria

   Posted by: Joshbw   in Bags, Reviews

For years I have been on a quest to find the perfect Geek Bag to haul all of my crap around in, whether I am heading out to visit friends, running down to the local coffee shop, commuting into work, or suffering the tedium of airline travel. I have looked high and low for the perfect catch all bag, the irony being that in my search I have acquired more bags than if I purchased separate bags for specific use scenarios. Much like gadgets, all in one solutions may seem attractive, but rarely excel at any purpose, a lesson I seem to keep in mind with gadgets but refuse to acknowledge with bags. The reason, I suppose, is because I hate transferring stuff from one bag to another, so switching back and forth between bags isn’t practical (nor is just having duplicates in each bag practical with the level of crap I carry).

So in a multi-part series, not at all related to my security ramblings, I shall outline my quest and what I have thought about each bag along the way. To begin with, I will talk a bit about my usage scenarios, so that my particular opinion is understandable. To put it bluntly, my bag is the dream for would-be muggers, though I myself am not (having lived in some bad places I am one of those people who habitually notices the movement of everyone around me and can spot threats fairly easily). At any point I am carrying at least one laptop, either my work laptop or my personal one, and oftentimes I am carrying both, especially if traveling. Fortunately both of my laptops are rather small, as I prefer machines I can actually open up on planes with the whopping 12″ of total space they give you between your seat and the seat in front of you (do you know how much of a pain in the ass it is to find small laptops with good resolutions and decent hardware?). Along with the laptops come their associated power supplies (fortunately also pretty small), a wireless Microsoft travel mouse (death to touchpads, death to mouse nubs), a USB flash drive, and a Micro -> mini -> full SD adapter. Also, my personal laptop is a tablet, so I carry a spare stylus for it.

On top of that I have my Zune, plus the associated premium headphones (it’s nice that MS actually includes decent headphones for free), and syncing cable, as well as a 12″ 1/8″ to 1/8″ cable so I can use it with the aux jack in my car or in rental cars. I have my cell phone (at the moment an HTC Touch), sync cable, and charger. I have my Nintendo DS, games, and power adapter. Plus miscellaneous pens, some pain killers (my knee and back used to kill me on plane flights as a result of a car wreck, but surgery actually worked), usually the most recent issues of some combination of Discover, Scientific American, or Smithsonian magazine, possibly a computer book that I am reading (though I try to get ones that come with eBooks on a companion CD so I can just read them on my tablet PC), keys to my storage unit and desks (I don’t like them on my primary key chain, but also don’t want to forget them), and a novel (though I will soon get a Kindle to save space).

So I have a ton of crap, and holding it can be a challenge, especially if I want to maintain any semblance of order in the bag. Moreover, as I used to fly often, and now do so again, it is important that I can get my laptops out quickly while going through security, while still having padding for them, and it is also important that the bag doesn’t take up *too* much space, since tiny little commuter planes are my most common ride out of the hell hole I live in now (here is your 4 cubic inches of overhead space sir, unfortunately someone else is infringing on it because they brought three body bags on the plane and we didn’t speak up).

Various leather (or pleather), formal looking business bags are right out. I’m not a business type so I don’t care for the look, but moreover the bags are rarely designed for ergonomic comfort, and take up a constant amount of space no matter how full they are. If I am carrying less stuff I like a bag that can compress down a bit. I tend to bounce back and forth between backpacks and messengers. Backpacks are more comfortable when loaded up with a decent amount of weight, but are more bulky in general. A backpack with crappy straps is usually still tolerable, while a messenger lives and dies by the quality of its strap. The benefit to a messenger strap is that it can be loaded up with various gadget holders, bandolier style, and allow for them to be more accessible (Timbuk2 makes pretty good strap pouches that mount on messenger straps), though at the cost of also making them more exposed.

I am unopposed to walking, and especially if I am visiting the office in Chicago I will forgo a rental car and just travel on foot and commuter rail, so I do prefer a bag I can comfortably carry for a decent period of time, and water resistant in case I am caught in the rain. So in short I want a bag that can hold a lot, but has a compact footprint and allows for easy organization; a bag that allows easy access to possibly two laptops, while also offering padding; a bag that is comfortable and waterproof; and a bag that will hold up to continual abuse. Is that asking for too much? We shall see.

~ Joshbw

22 Apr

Go bid on Stuff

   Posted by: Joshbw   in Uncategorized

Johnny Long has a great auction of stuff available for his I Hack Charities organization. There is some good stuff, and it is a good cause.

- Joshbw

22 Apr

On CAPTCHAs

   Posted by: Joshbw   in General Ramblings

RSnake has a post on Google’s new image orientation test to detect humans (or computers, depending on your point of view), and quite correctly he points out that it is simply a probability game to break it. When it comes down to it, I don’t think we can definitively tell a computer and a human apart with a specific cognition test, as it is just a matter of time before computational power and algorithmic cleverness solve that cognitive test. However, I also believe we are thinking about CAPTCHAs the wrong way: we shouldn’t try to identify an automated script, but rather we should make it too expensive for the script to be practical. Encryption can be broken with sufficient time, and it is technically possible to just brute force AES-256, but this doesn’t deter its use. We know its problem space and work factor are sufficiently large to make brute forcing computationally impractical even if technically possible. The same principles should apply to the design of a CAPTCHA test, though it has many more constraining factors (it must be complex and hard for a computer, but easy for a human, and take into account human disabilities, etc).

So when new CAPTCHA techniques come out we shouldn’t immediately lambast them simply because they don’t provide the definitive test to distinguish a computer adversary, but ask whether they sufficiently increase the work factor. If they do, the spammers and other folks are going to opt to exploit a competing service with a lower work factor, because it will increase their throughput and arguably make them more money. In the specific instance of Google’s new proposal it would seem to reduce the work factor if one were simply guessing, since the chances of guessing the image orientation are much higher than of guessing a random 8 digit alphanumeric string; however, with the advances in OCR techniques most alphanumeric CAPTCHAs are being analyzed rather than guessed (the success rate seems to change daily, so I don’t know how that compares to guessing the image). The real question is whether it is easier, faster, and more reliable to analyze the images and determine which way is upright, and I think that is entirely dependent on the images chosen as well as whether a correctly oriented comparison image can be obtained (which would make the analysis pretty easy) or if it had to be algorithmically determined without comparison (which may be hard). In the examples given, I think the gum ball machine and guitar are poor choices for images, since there is an easy linear line that can be used to determine orientation, probably with slightly better than 25% accuracy, since the line will either point up, down, left, or right, and the “weight” or proportions would allow for an educated guess on whether vertical or horizontal orientation is more likely. The more complex the picture, with fewer clues towards orientation, the better.

Personally, though, I like the MSR pet finder CAPTCHA. It may be easier to break, but I think it serves a noble secondary purpose.

~ Joshbw

16 Apr

Bad Practices #412

   Posted by: Joshbw   in Uncategorized

Dear Web Developers,

It’s not kosher to request login information for other websites. Both LinkedIn and Facebook are guilty of asking for your various email credentials so they can harvest your address list under the guise of “making it easier to find your friends,” and they are by no means unique in this practice. Doing so does two things. First, it makes users accustomed to disclosing credentials to websites unrelated to the site the credentials correspond to. Phishing is a huge issue folks, and we have a hard enough time just getting users to be aware that they really are on their bank’s website. About the last thing we want is to water down that message and get them accustomed to providing that information on sites they clearly see aren’t the site corresponding to the credentials. Unless you move to two factor authentication the only real way to protect against phishing is user education and training, and this practice completely torpedoes that effort.

The other issue is that you are introducing another link into an already vulnerable chain. Not only does Google have to worry about Gmail credentials being properly handled on their own site (only sent over SSL, hashed in the database, no SQL injection to disclose them, etc), but they now have to worry about how your site secures those credentials (I bet you aren’t hashing the values, since you need to use them outside your system), and they really have no control over it.

So please, quit asking for credentials to other sites. Don’t do what attackers do; otherwise you don’t give people an easy way to distinguish between the two.

~ Joshbw

2 Apr

Disagree with the Concept or Implementation

   Posted by: Joshbw   in Uncategorized

Jeremiah Grossman asks a series of questions on his blog trying to determine if we disagree with the concept or implementation of WAFs, Certifications, Trust Logos, and Compliance Regulations, so I will indulge the questions.

For WAFs I agree with a certain concept of them. I believe they are bandaids rather than solutions, but that bandaids have their place. The solution is to fix the code, and ultimately the robustness of the code is the only real defense for a website. However, a problem can be fixed *immediately* with a WAF, whereas a good SDLC would require time for the code to be changed. The root cause of the problem should be analyzed and the application should be inspected for related problems (very likely if the bug got into the code once, it got in more than once). The changes should be thoroughly tested to ensure that functionality is not jeopardized, that the fix works, and that different problems were not introduced. A proper change control process should manage the deployment of the fix. In short, I believe that even if resources can be thrown at the problem immediately, it does not follow that the fix would likewise be immediate. (Tangent: I believe that Firefox is too aggressive on their patch to market strategy and likely takes shortcuts that they shouldn’t. I think it better to fix something right than fast, but I am not certain that Firefox agrees.) Web App Firewalls allow an interim fix to be put in place between disclosure and a coded solution, and in reality not many organizations can throw immediate resources at the volume of issues that they have. WAFs also offer a bit of defense in depth, which isn’t a bad thing. So long as people focus on that conceptualization of a WAF I think things are fine; my issue is when they are treated as a solution in and of themselves, at which point their limitations will be apparent. A WAF is a generalized appliance, not a specialized solution for a specific site (even with good rules). It doesn’t understand business context and so won’t catch things like unauthorized or unintended access.

Professional Certifications I believe serve little point. Their implementations are almost entirely horrible and conceptually there is no certification that says that I will be successful for a given role in a specific organization. They are a decent marketing gimmick to put on a resume to get a bit of attention, and organizations may enjoy advertising how many CISSPs they have to assure clients, but ultimately I will not trust a third party organization in place of my own impressions. When I look at the resume of a candidate I am going to look at what experience is listed to narrow down the folks I want to talk to, and then I am going to probe their knowledge to make sure that it satisfies the needs of my organization. Since that is my inclination when looking for coworkers for my own group, I put absolutely no stock in the number of certifications in outside orgs that I might engage with.

Website Trust Logos are horribly implemented. I can’t think of a single logo peddler who I believe does a sufficient job of assessing a website (except for PCI Scanless, which is one of the few logos that does *exactly* what it claims to). I will let you in on a little secret though, since I don’t see great harm in it. I have a pair of ADT security placards outside of my home, but no security system installed. If a would-be thief is going down my block he is going to see the signs in front of my house, with the possibility of an alarm system backing them up, and opt to hit my neighbor who has no visible security system advertised. It is an entirely deterrent based approach, and while worthless if anyone calls my bluff, the bluff in and of itself is not without utility. I see the various logos as something similar. At the end of the day there is nothing backing them up (and even if they weren’t utterly terrible, in order to make them at all cost effective they aren’t going to be anywhere near as thorough as a proper pen test), but if I have to choose between two otherwise equivalent websites to break into, I am going after the one that didn’t bother to even get the logo. Also, consumers don’t know any better, so it is a cheap way to get them to trust you.

And compliance regulations vary in the effectiveness of their implementations, but I don’t disagree with the concept. My view on regulations in general is that they are a way of mandating certain things that are societally beneficial, but not necessarily beneficial to the bottom line of a company. As such, left to capitalistic pressures in a vacuum, those things would never happen (or only happen in companies not completely governed by the bottom line). For example, from an economic standpoint it is cheapest for a company to just dump pollutants in a nearby stream rather than properly dispose of them most of the time (depending on the economic power of the locale, and how likely it is for serious legal threats to originate out of the action); see mountain top removal mining for just such a mentality in action. Thus the government needs to impose regulations to ensure that societal wellbeing is also taken into account. Conceptually I see nothing wrong with the interests of individual entities and the interests of society being balanced by regulation; that is an optimal solution to natural trends in pure capitalism that allows for most of the efficiency of the system while managing some of the drawbacks.

The flaws arrive in the actual implementation of the regulations. If implemented poorly they can prove to be too much of a burden, overly hard to implement or understand, not fully effective, or, as is usually the case, all three. PCI is a great example of this: Heartland was a nice and shiny gold partner, following the regulations, and it did absolutely nothing that actually stopped the disclosure of card information. At the same time, the overly specific nature of PCI means it has to be constantly revised, that more secure solutions can technically be non-compliant, and that it is a huge burden to understand and implement the mandates. The whole thing would be much better off if it said that systems and communication channels that deal with card information must have both confidentiality and integrity maintained, followed with recommended baseline guidelines. Rather than check the controls in place, the QSA simply checks to see if they can extract card information. The problem is that PCI is too focused on checklists and not at all focused on what it actually hopes to achieve, so its implementation is pretty worthless.

Regulations only work if they are clear, their restrictions are reasonable, and they are focused on ensuring *a* solution to the problem, rather than *one* solution to the problem. If I had to choose between my bank information being stored on an encrypted drive in a generally open data center with a questionable asset disposal program, or in plain text in a data center with detailed background checks for all employees, strictly enforced physical controls that limit access to the box, and a thorough and consistently applied asset disposal program, I am going to choose the latter, because that organization has a clear intent on security rather than on meeting a checkmark on a list (ideally I would want the latter with an encrypted drive). I think most security regulations lose focus on this.

~ Joshbw

30 Mar

On Accepting Payment

   Posted by: Joshbw   in General Ramblings

I was paying my cell phone bill on the carrier’s website because I was lazy and waited until the last minute, and in the process it occurred to me: why do I have to fill out all of this credit card information again? The short answer for this particular site was that I had recently moved and not updated my information with them, but in broader terms, why do I have to do that for every freaking website? Why are companies so quick to want to handle payment information themselves? The transaction charges may be a bit cheaper per transaction, but I cannot in any way imagine that dealing with the PCI DSS every year really makes the net process noticeably cheaper, at least if they are honest in their approach to the process.

At some point in the distant past I was paranoid about who I gave my card to, and was horribly discerning. This site looks sketchy, or this site has a retarded security seal so is obviously not secure, or whatever, so they don’t get my business. Despite this paranoia, I have had my card information stolen and used (or at least attempted to be used) three times. In two of the instances my scary-good-at-profiling-my-behavior fraud protection kicked in and charges never even posted to my account (there is something truly to be paranoid about: whatever profiling algorithms they use, they are horribly accurate about knowing your behavior); the third time a handful of small charges hit my account in $20-$40 increments. The thief was using the card information sparingly to sign up for membership websites, I believe, in order to steal contact lists to use for spam. I reported the charges to my bank and they went away. At some point I realized that it was impossible for me to control my card data; it was just as possible for a waiter to skim the information when they took my card as it was for someone to compromise a website and take it. I can’t feasibly protect that asset, and banks know that, which is why consumers essentially have zero liability. At the end of the day the banks want me to spend with the card, so they will do what they need to, accepting some risk, in order to keep me spending. I don’t worry about financial loss when my card gets stolen; I worry about the inconvenience of not having it for 10 days while my bank issues me a new one.

Which comes back to the point with my cell phone carrier: it was inconvenient for me to change my information on their site, and Amazon, and Netflix, and Threadless, and ThinkGeek, etc. I would rather they simply all allowed PayPal, as that way I only have to change my information once. Moreover, I am more confident that one site that specializes in payment transactions will be able to save me the inconvenience of having a new card issued because they leaked the information than I am in a whole host of sites that accept payment as a small subset of their business. In general I am not a fan of single sign on, but that is because it allows one point of failure to compromise multiple assets. With payment it is different, as it allows multiple points of failure to compromise a single asset unless you centralize it.

Using a centralized payment service isn’t just about saving me inconvenience though. To tie back into the first paragraph, handling payment yourself is a pain in the ass. Complying with PCI is non-trivial, and even if you think you are doing everything right, a QSA checking over your system may not agree. On top of that, PCI is absolutely no guarantee that you are actually protecting card information, simply that you are in compliance, as Heartland (PCI gold member for the win) demonstrated. You still have liability if you do have a breach of payment information. With PayPal a third party is handling all of that headache: they are responsible for conforming to PCI, you have no payment information to leak, and the customer doesn’t have as much headache managing payment information.

There are drawbacks. There is a danger of one or a handful of payment systems like PayPal essentially becoming a payment monopoly (or duopoly) if everyone switched to centralized payment, which would affect prices. The per transaction cost is higher, and a new login is introduced into the process flow on the website. It also doesn’t work well for companies that may not know the exact charge up front, for example FedEx, which gives you an estimated shipping cost but won’t apply the real cost until they actually weigh the package in their facility, and applies initial and revised charges to a card. Finally, for those subscription based services, PayPal makes it really easy to centrally manage, which means they make it really easy to cancel. Especially in this economy I doubt companies with recurring charges really want consumers to be able to look at all of their recurring charges in one place; they might realize where all of their money is going.

Still, I think being able to transfer the risk to someone else is a pretty compelling argument.

~ Joshbw

10 Feb

Putting Vulnerabilities in Perspective

   Posted by: Joshbw   in Secure Development

CGI Security via AppSec Notes complains that Netflix has not fixed all of their CSRF vulnerabilities. You can no longer access account information, billing information, change shipping address, or anything of value, but you can still add movies to someone’s queue. This apparently still bothers the author, who has a note of annoyance that Netflix hasn’t completely fixed everything yet. I think this loses sight of the realistic business goals of security: from an enterprise perspective one addresses security vulnerabilities in order to protect revenue or prevent damage. It is a cost benefit analysis, weighing whether allocating resources to address a particular vulnerability allows the greatest capitalization of those resources.

I’d posit that Netflix does not believe preventing CSRF attacks that add movies to the top of a queue to be the most effective use of those development resources. When looking at the impact and likelihood of this sort of CSRF attack the associated risk comes out quite low:

Impact: no direct loss of capital or resources, some level of brand damage. Some customers may very well be so pissed over getting sent some embarrassing video that they leave completely, which is a drop in revenue; however, I would posit that these people are probably the minority. More people are likely to be pissed, complain, and probably get a free month as a token apology (a loss of 1/12 of the yearly revenue for those people), but complaining smacks of effort so I don’t imagine that this number will be horribly large either. Then there is the group that will be pissed and do nothing: no appreciable loss. Next is the group that is confused because they didn’t order that particular embarrassing video: no appreciable loss. Finally there is the outlier group that is hard to predict, the group where a couple gets an embarrassing movie, gets in a fight, and separates over a movie (I live in a town where two middle aged men shot each other because of an argument over who parked their oversized SUV too close to the other oversized SUV, so I fully imagine there are people who would overreact to a movie). This might be a loss of a subscription, maintain the status quo, or be a gain of a subscription because now the newly separated couple both want a subscription, whereas they accounted for only one before.

There is also brand damage should this get media coverage once it is exploited. That is a hard thing to put dollars on.

Likelihood: for this to be exploited a customer needs to visit another website that actually carries out the CSRF attack. For that to happen the other website would need to actively choose to be malicious to Netflix instead of carrying out CSRF against a website that would allow monetary gain; there is no personal gain in exploiting this, only vandalism (which isn’t quite the correct word, but in the same spirit). The visitor needs to be logged into Netflix, and they need to be people who don’t frequently manage their queues, otherwise they would notice the movie prior to it being sent (and may still react badly, but I posit that even fewer people would if they caught the movie before it shipped). Of Netflix’s 10 million subscribers I would assert that the number that would fall victim to this is small enough to be indistinguishable from zero.

Let’s look at the likely attacker. This isn’t organized crime, or any accomplished Blackhat; those people are after money. This hypothetical attacker is likely a malcontent teenager who thinks it is funny to screw with a Netflix queue. That mostly rules out the attacker owning their own site that gets enough traffic to exploit this from, and also mostly rules out the attacker knowing of XSS or SQLi flaws in websites that do get enough traffic to exploit this from. It leaves their dinky website that pretty much only gets visited by their friends on IRC (or whatever script kiddies use these days), probably some random blog on blogspot or something similar. In other news, this will be exploited from a location that will not attract any noticeable number of Netflix subscribers.

So the likelihood is pretty nonexistent, the impact is very low, and thus the risk of losing subscribers because they were exploited is essentially 0. The risk of brand damage from press coverage isn’t much higher: someone in the press needs to find out about this flaw, grok what the heck the flaw really is, actually have a victim so they can tell a story, and then compete for airtime with Company X laying off 50,000 employees and Congress being too incompetent to fix things. I predict the tampered roadsigns warning about zombies get more press coverage. Finally, the viewers need to care. TJ Maxx is our security story, the biggest public data loss to date (with Heartland possibly taking the crown), and anecdotally the people I know who shop there weren’t even aware of it, and upon me explaining it STILL DIDN’T CARE. Netflix subscribers are a slightly different demographic, but I don’t see people getting really worked up about hearing that maybe they might be sent the wrong movie.

So why should Netflix fix this problem, instead of working on features that may attract more customers? The people who found this flaw care because it is their flaw; it matters because it is theirs. Unfortunately that doesn’t sway companies. For any vulnerability that is found it isn’t enough to point out the vulnerability; a business case also needs to be made for addressing it. That is the reality of enterprise security: everything is cost/benefit analysis. If the risk is low, the response will reflect that. I’d love to see all vulnerabilities get addressed as much as the next security professional, but that is idealism rather than realism talking.

~ Joshbw

2 Feb

Perspective on Security

   Posted by: Joshbw   in General Ramblings

From XKCD: