Google 2-step verification – a usability note

February 8, 2012

Google’s two-factor authentication system (they call it “2-step verification”) is a good safeguard against online criminals hijacking your account.*

After enabling 2-step verification, whenever you log in to your Google account (e.g. for Gmail) you get a text message on your phone. Unless you provide the numeric code from that text message to Google, you cannot access your account.

This is classic two-factor authentication in that it ensures

  1. You know the password for your account and
  2. You have your phone in your possession

As this would quickly get annoying for people who login/out of their Google profile all the time, there is an option to “Remember this computer for 30 days”. This means that Google will not require two-factor authentication for a month for that particular computer & browser if the user says so.

But how does Google know that this computer is one to be trusted? This information is stored in a cookie. To safeguard my privacy I always set up my browsers to delete all cookies (and LSOs). But this wipes out the Google cookie that “remembers” my machine as well, which means I am asked again and again for 2-factor authentication. This situation quickly gets annoying. Isn’t it possible to tell my browser (Firefox) to delete all cookies EXCEPT the necessary Google cookies every time it exits?

Luckily it is. You need the following settings in Firefox:

  • Accept cookies from sites
  • Keep until: I close Firefox
  • Exceptions…: accounts.google.com – “Allow”

This is what your Firefox Preferences window should look like on Ubuntu Linux:

…and the exception window that does the trick – this is how the critical cookies from accounts.google.com will NOT be deleted. Instead they will be preserved across browser sessions and you will not have to do two-step verification every time you log in to Gmail with computers you trust:

For Windows users, the same options work just fine – here is what the options window needs to look like on Windows 7:

…and the exception rule:

Try it. Shut down Firefox, start it up again and have a look in the stored cookies from the main settings panel under Privacy -> Show Cookies. There should only be cookies from “accounts.google.com” and perhaps from your browser’s homepage there – nothing else.

You now have

  • Better security of your Google account due to 2-step verification
  • Better usability because you don’t need to perform 2-step verification all the time on your trusted computers
  • Decent privacy & lack of tracking because Firefox deletes almost all cookies every time it exits.

This is the tip of the iceberg (think malware, LSOs, unique browser fingerprints etc), but hey, it’s better than nothing.

* Unfortunately it doesn’t really help when the attacker is the government. As Wikileaks and Privacy International have pointed out with the “Spy Files” project, when it comes to government surveillance Gmail users are screwed.


The financial services industry view on cybercrime

February 8, 2012

I recently attended Jim Oakes’ “Cybercrime, Global Underground Economy Developments and Challenges” talk. All the hype about his 30-year service for the police, anti-fraud teams, financial services organisations yada yada made me very sceptical to begin with, but the session turned into a quite useful overview of the (depressingly many) ways you can be ripped off by criminals while doing business with/through your bank.

I let this draft lie for a few months now, as I wasn’t sure how to digest the hordes of information in Jim’s presentation into a more friendly, easily digestible message. Shall we just say it’s pretty bad out there?

Practical advice:

  • DO NOT use the same password for different websites. Use something like Oplop to generate passwords and a password manager to store them.
  • DO NOT do eBanking from your smartphone just yet. I have some reservations about the iPhone, but Android phones can certainly currently not be trusted.
  • If you need to do eBanking using a computer (laptop, desktop etc) then start the computer with a bootable CD or USB disk and then do your eBanking. Unless you are personally targeted by law enforcement or criminals, this should give you a computer you can trust. Don’t take my word for it – take Krebs’ word for it. Computer security is in *such* a sad state.

The myth of the pimples-ridden malware author

February 8, 2012

Overheard in an Internet Cafe recently:

(guy storms in and purposefully walks towards the counter)

Distressed guy: “Hi, I have a virus on this USB stick and I can’t use it, can you clean it for me?”

Internet Cafe attendant: “…”

Distressed guy: “Look, I didn’t do anything funny, just because some little c*** has nothing better to do but write a virus I can’t access my files now!”

I take issue with this statement. It regurgitates the popular misconception that malware (also known as a virus, a worm, a trojan) is software written by someone who hates mankind. It is their effort to take blind revenge on the world, to mindlessly harm everyone for no real reason other than malice.

Er… no.

Malware takes effort to create. This means skill, patience, equipment and time. All this means money.

Slightly paraphrasing Mikko Hypponen, most malware is created for three reasons:

  1. Money via criminal activities. See Peter Gutmann’s figures in his “The Commercial Malware Industry” from years ago to glimpse at just how much money is involved in this global underground market.
  2. Idealism – which creates the composite term “hacktivism”. Groups like Anonymous fall in this category.
  3. Control – this is state-level information warfare waged either against other nation-states or against the state’s citizens.

Some years ago, malware might have been an annoying prank of kids who had a gripe against the world.

This is no longer the case. Things are far more serious now.


Cleaning malware while travelling: A case study

December 11, 2011

I have been on the road for the past few months and using plenty of Internet Cafes for all my digital endeavours. As a result the USB sticks I use to save my pictures, documents etc while I travel have been infected with all sorts of malware.

Malware that is obvious is the least dangerous kind. It means its creators are not organised or skilled enough. The truly worrisome malware is invisible. You don’t know you have it, but it quietly monitors all your actions.

So I was intrigued when my USB stick started displaying typical silly malware behaviour. The folder icons in Windows changed – they were not “shortcuts to folders”, but really they pointed to executables somewhere deep in System32 that would do their nastiness and then show you the contents of the intended folder. Other than that, everything looked normal.

Well, it was obvious malware was there and the USB stick was infected. Antivirus software installed in public Internet Cafe PCs could not detect or clean it, so I had the pleasure of doing it manually. Here is how:

  1. Get a system you can trust not to lie to you – to show you the absolute truth and nothing but the truth. A pristine Linux installation does just that, and unless you happen to have a netbook with Linux installed with you while travelling, creating a bootable Ubuntu Linux CD or USB stick is your best bet. The computers I had access to were ancient and could not boot (start) from a USB stick, so I had to create a bootable Ubuntu CD following the steps detailed at http://www.ubuntu.com/download/ubuntu/download
  2. Now you are using a computer you can trust. Plug in the infected USB stick. You will probably see all sorts of new files there, stuff you haven’t put there. Delete them one by one. In my case I had filenames starting with “._”, others starting with dot-space, all sorts of tricks that will make files harder to view and control in Windows or Macintosh machines. After you have deleted all files that don’t belong to you, check for an autorun.inf that tries to execute the malware when the USB is connected to a computer. If it’s there, either edit out the malware items or simply delete it (which is what I did).
  3. Next, I had a surprise waiting for me as I connected the now clean USB stick to a Windows computer – I could still not see my original folders! The reason is that the malware had hidden the folders by changing their attributes to /system and /hidden – so Windows Explorer does not display them by default. This can be corrected from a Command Prompt (Start -> Run -> cmd) by changing directories onto the USB stick and using the “attrib” command. My original folders were “pics”, “stuff”, “maps”, “portable”, “truecrypt” etc so I issued the following commands to mark them as NOT hidden and NOT system folders:
  • attrib -H -S /D /S pics
  • attrib -H -S /D /S stuff
  • attrib -H -S /D /S maps
  • attrib -H -S /D /S portable
  • attrib -H -S /D /S truecrypt

Et voila! All was visible, usable and normal again.

Goodbye silly piece of malware!
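
The inspection in steps 1 and 2 above can be done read-only before anything is deleted. The shell function below is an added example, not part of the original post; it assumes the stick is already mounted on the trusted live system (the mount point is whatever your system assigned) and it only lists items for manual review.

```sh
#!/bin/sh
# Added example: read-only triage of a USB stick, run from the trusted live
# Linux system. It lists items for manual review and deletes nothing.

# usb_triage MOUNTPOINT
# Prints one "TAG<TAB>detail" line per finding:
#   AUTORUN   an autorun.inf in the root of the stick
#   LAUNCH    a line in that file that would start a program
#   SHORTCUT  a .lnk file in the root (the fake "folder" icons)
#   ODDNAME   a name starting with "._" or dot-space
#   PROGRAM   a Windows executable or script anywhere on the stick
usb_triage() {
    root=$1
    [ -d "$root" ] || { echo "usage: usb_triage MOUNTPOINT" >&2; return 2; }

    # FAT file names are case-insensitive, so match autorun.inf in any case.
    find "$root" -maxdepth 1 -type f -iname 'autorun.inf' |
    while IFS= read -r inf; do
        printf 'AUTORUN\t%s\n' "$inf"
        # Strip CR from CRLF line endings, then keep only launch entries:
        # open=, shellexecute= and shell\<verb>\command=
        tr -d '\r' < "$inf" |
        grep -iE '^[[:space:]]*(open|shellexecute|shell\\[^=]*\\command)[[:space:]]*=' |
        while IFS= read -r line; do
            printf 'LAUNCH\t%s\n' "$line"
        done
    done

    find "$root" -maxdepth 1 -type f -iname '*.lnk' \
        -exec printf 'SHORTCUT\t%s\n' {} \;

    # "._" names are also created by macOS for metadata, so review these
    # rather than assuming they are malicious.
    find "$root" -mindepth 1 \( -name '._*' -o -name '. *' \) \
        -exec printf 'ODDNAME\t%s\n' {} \;

    # Legitimate portable applications show up here too.
    find "$root" -type f \( -iname '*.exe' -o -iname '*.scr' -o -iname '*.com' \
        -o -iname '*.pif' -o -iname '*.bat' -o -iname '*.cmd' -o -iname '*.vbs' \) \
        -exec printf 'PROGRAM\t%s\n' {} \;
}

# Stand-alone use: sh usb_triage.sh /path/to/mounted/stick
if [ "$#" -gt 0 ]; then
    usb_triage "$1"
fi
```

The hidden and system attributes from step 3 do not hide anything on Linux, which is why the original folders stay visible there and only need the attrib fix once the stick is back on Windows.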


How I managed to donate to OpenStreetMap

December 11, 2011

Using Internet cafe computers while travelling can be a proper nightmare. I know of people who got so fed up with fighting to clean their USB sticks from viruses all the time that they bought a netbook to use while travelling.

As I have been travelling by bicycle for a few months now, I am very careful about what I carry. Weight and space are at a premium. So I have tried as hard as possible to keep myself from buying a netbook to avoid using Internet Cafes. I am well aware of the risks I am taking, but for the time being I am still finding using Internet Cafes borderline worthwhile. It also helps that my trip will finish in less than 2 months so by this point the investment in a new netbook is just not worth it.

So I use Internet Cafes around Chile and Bolivia. I have seen a couple of well maintained machines (the pinnacle of which are the Ubuntu machines in Rancagua’s bus terminal!), but the overwhelming majority of them is in an appalling state. Illegal copies of Windows XP, not receiving updates, with illegal copies of antivirus software not receiving updates, etc etc… all wrong. Using such machines feels like digging with your bare hands in a patch of mud right after you have seen a flock of sheep relieve themselves on it.

Such a machine gave my USB stick a virus that hid my folders and replaced them with executables. It replaced folder icons with its own shortcuts to ensure you were tricked into executing it with your current privileges every time you wanted to access a folder on the USB stick.

Tricking the user into executing script by double-clicking on a "folder" icon

The antivirus software of public machines proved useless – it did not even detect anything. I had no idea what this virus (call it malware, call it trojan, I don’t really care exactly what genre it falls in) actually does. But I will assume the worst. It eavesdrops on my every keystroke, steals my passwords, my credit card information etc.

As it happens I really wanted to donate some money to the OpenStreetMap Hardware Upgrade Fund, but I didn’t want to jeopardise my credit card information. I needed to use a computer I could trust not to steal my credit card information. Here is how I created one:

  1. I found a computer with what seemed like a decent Internet connection with Mozilla Firefox installed. On Firefox, I installed my favourite download manager as an extension – DownThemAll!. Great, I can now make massive downloads easily.
  2. I downloaded the latest Ubuntu ISO file with DownThemAll. It’s a large file (700MB) so a download manager is necessary – otherwise you run the risk of the download hiccuping and getting corrupted if the network link goes down for a few seconds. It can also be faster to use DownThemAll, as it downloads multiple segments of the file at the same time. After a couple of hours I had an Ubuntu ISO file on the (probably infected with malware) computer I was using.
  3. I then created a bootable Ubuntu USB drive following the instructions on http://www.ubuntu.com/download/ubuntu/download . Unfortunately this did not help my cause because the public computers I could reboot and attempt to boot from USB were so old that they did not support booting from USB! (we are talking 2003-era hardware, not exactly top-end for its time either…) So my only remaining option was to burn the ISO to a CD. I bought a blank CD and burned the ISO on it, and then booted one of the computers I had access to with the CD.
  4. Success! I was now booted into an operating system I could trust not to be infected, since Windows viruses on the computer cannot jump into the Ubuntu Linux environment started from a CD. I was able to simply open a web browser and provide my credit card information for my OSM donation in confidence.

So there you have it. If you are travelling and concerned about your passwords or other sensitive information (and you should!) this is a method of getting a system you can trust. It does suppose that you have access to a computer you are allowed to restart and boot from removable media, but hotel/cafes around Chile seem to be quite laissez-faire about allowing people to restart their computers.


Amazon Kindle 3 review

October 21, 2011

After a couple of months of having an Amazon Kindle 3 (purchased mid-2011) and travelling with it, here is my list of good and bad things about it:

PROS

  1. Decent battery life if NOT using wireless. With intensive reading it lasts up to a week.
  2. The display is much easier on the eyes than a traditional computer screen.
  3. You can carry a lot of books and personal documents with you in a single small device
  4. Friends and family can send you books to read in digital form
  5. Project Gutenberg opens thousands of books for immediate download and reading for free
  6. You can buy any book off Amazon and it will be in your hands in minutes
  7. Registering two kindles under the same Amazon account lets you duplicate all your paid content on both devices.
  8. For 10 quid you get the Independent delivered to your device automatically as long as you have GSM coverage every morning for a month… even if you are wild camping in a forest.
  9. You can browse the Internet and do emails from wherever at no additional cost.
  10. You get an English dictionary for free and it is easy to look up any word in any document while reading in a non-distracting way.

CONS

  1. Using the 3G wireless drains the battery in less than 24 hours.
  2. The battery takes approximately 3 hours to fully charge from empty when connected to a wall plug. Up to twice as much when charging from a USB port.
  3. The display is much easier on the eyes than traditional LCDs… but you still get more eye strain than reading on paper.
  4. You end up buying books only from Amazon, killing any competitors or smaller bookshops.
  5. You don’t own the kindle books you buy. Amazon does. They control your device at all times. Amazon can and has deleted books remotely from Kindles, a-la 1984.
  6. Organising your content is very limited and labour intensive.
  7. There is no reasonable expectation of privacy. Amazon can see everything you do with your Kindle.
  8. The pricetag for the 3G keyboard model is quite hefty at more than 150 quid.
  9. A Kindle purchased and registered in the UK is not allowed to buy from amazon.com US site. You are forced to purchase books only from amazon.co.uk which is more expensive.
  10. The keyboard is ergonomically cumbersome and not suited for extensive use.
  11. The web browser is of limited functionality. It doesn’t handle popups gracefully and has problems displaying pages that try to open in a new window.
  12. The display is black and white only.
  13. The refresh rate of the display is very slow. E.g. it’s impossible to scroll through text without it all becoming a blur. Turning pages is slow. E.g. it takes a full minute to turn 30 pages.
  14. You can not do anything with the books you have bought like give them to friends or family or sell them or save them in a less restrictive file format.
  15. To create customer lock in and make a good profit Amazon use their own DRM which imposes a lot of unnecessary restrictions on the content you buy. They make it easy to convert anything you want to their DRM locked down format but very hard to do the reverse and convert Kindle content to less restrictive formats.
  16. There is no international support. Only English. The Kindle can display international non-English characters, but that’s about it. Impossible to change the interface language, impossible to type in anything other than Latin characters.

Overall, the Kindle 3 + 3G is a good ebook reader with a great global Internet connectivity package, that is almost worth the hassle if you need to travel light and can afford to buy books that will remain locked in to Amazon for good. Perhaps an easy way to unlock Kindle books will become available in the future. Perhaps you won’t mind re-purchasing books that you might want to read on another, better device in a few years’ time.

The choice is yours.

SMS 419 scams

July 23, 2011

I recently received my first SMS scam message on my ancient mobile phone:

From: +447549354914
FREE MSG: Our records indicate that you may be entitled to £3350 for the accident you had. To apply free reply CLAIM to this message. To opt out text STOP

Do not reply to such messages. Just delete them.

The +44 prefix looks like it originates from the UK (where I live, therefore local number, therefore safe) but it’s actually a “personal number” that could be routed anywhere in the world, incurring high fees even for a simple SMS reply.

More examples of such scams in this F-Secure weblog post.


When automatic “software updates” break the software

June 22, 2011

During a regular maintenance run on a MacOS X machine I asked Skype to check for software updates. It cheerfully confirmed that a new version of Skype was available for download. I allowed it to download and install the update.

Then I tried to launch Skype which to my surprise came up with “You cannot use the application “Skype” with this version of Mac OS X”.

Now, hang on.

All I did was ask the application to check if there are any updates. Updates that made it work better, closed security holes, improved stability and all that. Not updates that would stop it from working. Given that the local installation of Skype has knowledge of the OS environment and knew this was a Mac OS X 10.4.x, it shouldn’t have suggested the update as there was no possible positive outcome for the end user.

To confirm this was by design and not a software glitch I resorted to the forums, where I found this:

Leaving aside the usability aspects of an application that prompts the user to take its suicidal advice, one has to wonder at the customer service lessons that can be learned here. Skype push out an update killing their own software (under conditions they don’t check), someone takes the time to report this mistake and the answer is “Won’t Fix”.

This is not just annoying, but damaging to the education of end users who are constantly hammered with “always update your software!” from security people.

Guess what real people would rather have: A working but potentially vulnerable version of Skype to talk with their family abroad, or an installation that “cannot be used with your machine”?


Windows Explorer: How NOT to resolve conflicts

June 21, 2011

Let’s say you have a “drafts” folder and a “final versions” folder, and every time you publish a new version of a document you drag’n’drop the latest draft into the “final versions” folder. This used to work fine with Windows XP, you’d get a prompt saying “are you sure you want to overwrite the file?”, you’d say “sure” and it was done.

With Windows 7 someone thought it was a great idea to confuse the users as much as possible by throwing this at them:

Could this be more confusing?

I think not. I spent a good 3 minutes staring at this. Reading and re-reading it. I had to completely switch my mental context from my primary task (what I was actually doing) to deal with this riddle. I got worried I might be trying to do the wrong thing. Was I at risk of imminent data loss? Were my backups up to date? Was this a good day for moving files? One file is newer, the other is larger… what’s going on here? There is too much information and no “just do as you’re flippin’ TOLD!” button.

I shiver at the thought of users who are presented with this. Most of them will click the red “x” to close the window and make the problem go away.

I’d love to have a chat with the usability people who conducted the study that showed more information and more choices to be a good thing for end-user interfaces. Because from the perspective of the type of users I know, this would be an unsolvable, anxiety-inducing nightmare.


Don’t take control away from your users

March 25, 2011

From a technology usability perspective, you can’t do much worse than make your users feel they’ve lost control. It’s maddening (and a bit frightening, if we admit it) to feel that “the computer” is doing things without your consent. We’re tolerant to allowing actions we don’t understand (after all, not everyone should be a technologist or a computer scientist), but we always want to have the kill switch at hand.

End-user operating systems (Windows, MacOS, GNU/Linux desktop environments etc) always have such a kill switch – it’s usually something red and obvious on every window (like the big “X” in the red box at the top right corner in Windows XP/7). If you don’t like what it’s doing, you have the power to kill it. Why? Because it’s your computer, dammit, and you should have the final word!

I stumbled upon an example of breaking this rule the other day, when I was helping a family member reinstall a computer that had bombed:

Here is a screenshot of the “Windows Genuine Advantage Notifications” tool (a propaganda term if there ever was one) installer: All application controls (back, next, cancel) have been disabled, and so has the omnipresent “X” that is supposed to offer users the warm & fuzzy feeling of control in every single Windows application.

Installers have for years now had ways of trapping window/application interrupt requests and responding to them gracefully.

Taking away control from the end user in such an obvious manner is both unsettling and frustrating.

A practice best avoided.

