Archive for the ‘Security’ Category

Being a little more anonymous online

November 9, 2016

With increased State sponsored surveillance and changes in the political tenor even in formerly moderate countries more people are asking “how to I keep my communications secure?”.

Sadly for most people the complexities of being totally opaque are too onerous, add too much complexity, or are simply not worth the effort.

But there’s no need to give up totally and just roll over. There are still things you can do to keep some of your communications at least less likely to be exposed.

If you’re in a vulnerable group – which sadly in the US today potentially means people of color, (im)migrants, women and those who don’t fit into conventional gender roles – then maybe it’s time to start taking a bit more care about your digital footprints…

(more…)

jsNoSpam – make it harder for bots to find your email address

March 6, 2016

If you want to put an email address on a web page, and have it human readable and easy to click on to open up in a mail client you run the risk of exposing yourself to one of the sleazier sides of the internet. Spam email. There are bots out there which relentlessly hunt down email addresses so their masters can deluge you with unsolicited commercial email (or worse, virus infections).

The best solution is to never show the email address – get your users to use a “Contact Us” form or similar so that there’s nothing for the bots to find. But sometimes you can’t do that, either because of how the pages are hosted or your client simply doesn’t want you to.

So… jsNoSpam was born. 100% javascript, so all client side and easy to insert anywhere that allows you to edit raw HTML and include javascript.

The script works by doing a number of things…

  • Requires you to encode the email addresses so they never appear in a recognizable form in the script or HTML source.
  • Supports decoding the email address back to a usable format
  • Allows you to display the de-coded address on the page, or to require a user action (mouse over, click, keyboard navigation etc) before revealing the address.

Because the email address which is inserted into the page via the script is clickable and usable like any regular mailto: link would be user inconvenience is reduced to a minimum, but the effort for a bot to scrape the address is increased and hopefully as there are enough potential variants in how the script can be applied it will keep it ahead of the game.

Here is a live demo of the code in action.

The code is hosted on GitHub, and is open source and unrestricted license (though it would be great if you find it useful if you comment here). It’s been tested in as many browsers as I can and also with assistive technologies (eg NVDA) but if you do find an issue please comment (or better yet fire off a pull request for me to incorporate your fix).

On their own, the techniques used (encoding the address, requiring user intervention etc) are not new, but hopefully combined they will produce a robust enough solution for people who need this workaround.

Security of individual accounts matters (but not to Starbucks)

June 22, 2015

There has been a lot written recently about major system compromises, where banks, Government departments, Healthcare, and other companies are targeted and huge collections of personal information get harvested. Often lasting for months before discovered these attacks reveal PII (Personally Identifiable Information) such as social security numbers, dates of birth, addresses, email addresses and, in too many cases, passwords.

Defending against these attacks is an on-going challenge, but storing information in a way that it can be harvested has a significant impact on users of the service – ranging from identity theft to direct financial loss.

But it is not just servers where the risks lie. Poor information security on the end user experiences compromise individual accounts and can be hard to detect, easy to overlook because of how it’s reported.

Starbucks original logoEarlier this year Starbucks was mentioned as a possible victim of one of these attacks as users accounts mysteriously were being accessed. To remedy this Starbucks rolled out an update to their iOS app and presumably their Android app. This may or may not have improved things for their website or for 3rd party apps running on other platforms. Most of their response appeared to have been PR and damage limitation rather than really beefing up security.

Recently I experienced one of these mysterious losses. While I was in Australia on business someone in Ontario Canada was apparently using my card. And thanks to the convenient auto-reload facility on my account the system kept merrily making more funds available to the thief.

(more…)