OpenSSL on a Mac

Has anyone used OpenSSL on a Mac or Ubuntu? I’d like to generate an SSL certificate for my OwnCloud installation so I can test it all out, and that seems to be a cheap way to go for now. I can’t find instructions for doing it on a Mac, though. I also have access to an Ubuntu machine, so that could work too.

Any suggestions?


Dropbox is convenient but how secure is it?

This question is driving me a little nuts lately:

A potential security lapse and possibly misleading statements are plaguing Dropbox, a hugely popular file-syncing app. What are the issues and is concern justified?

I migrated all my client data off Dropbox and into SpiderOak but it seems SpiderOak doesn’t offer Dropbox-like sync between my team members.

I’ve been testing out BitTorrent Sync but it also has a few challenges and probably isn’t feasible for now (no remote wipe is a problem). I have been using JungleDisk for secure backup to Amazon S3. It has a sync function which works a bit like Dropbox, but it could be a real pain to implement.

I am wondering if I am being a teensy bit too paranoid about Dropbox, so I am looking forward to reading this article. My concerns about Dropbox are that I don’t control the encryption keys, that there have been a couple of really bad security exploits lately, and that I will never know if some government agency wants access to the data we hold.

One option, I imagine, is an OwnCloud installation but I’m not too sure what the security implications of that are. Is OwnCloud inherently secure or does it depend entirely on the server capabilities?


Pretty impressive two-factor authentication in the @Twitter iPhone and Android apps

Twitter rolled out updates to its iOS and Android apps at the beginning of August which included a new two-factor authentication method for verifying logins (and possibly other stuff). It is worth reading the blog post describing the solution. It begins with this explanation of why Twitter opted not to go with the more common two-factor authentication model:

Traditional two-factor authentication protocols require a shared secret between the user and the service. For instance, OTP protocols use a shared secret modulated by a counter (HOTP) or timer (TOTP). A weakness of these protocols is that the shared secret can be compromised if the server is compromised. We chose a design that is resilient to a compromise of the server-side data’s confidentiality: Twitter doesn’t persistently store secrets, and the private key material needed for approving login requests never leaves your phone.

Other previous attacks against two-factor authentication have taken advantage of compromised SMS delivery channels. This solution avoids that because the key necessary to approve requests never leaves your phone. Also, our updated login verification feature provides additional information about the request to help you determine if the login request you see is the one you’re making.

I noticed this and enabled it (who doesn’t want to secure his or her Twitter account, right?), although I only found out just how impressive the technology is in a recent episode of Security Now with Steve Gibson and Leo Laporte. The whole episode is worth watching (you can also listen to the audio version or read the terrific show transcript), but the discussion about the Twitter model starts at about 29 minutes in:

Bruce Schneier also seems to approve of the technique, although he doesn’t go into much detail in the post I found on his site.

Twitter has been doing some pretty interesting stuff when it comes to user privacy, and this security model sounds really carefully thought out and designed to protect users even more than the more common options. Steve Gibson’s explanation of how Twitter leverages the one-way nature of password hashing, so that it can only authenticate users and never impersonate them, just points to that (at least, to me). I just had to share.


A quick question for IT security professionals

I just read this paragraph in the Evernote security and privacy information page. Does this point to a good data security infrastructure?

Operational security is equally important, and physical infrastructure and operations procedures reflect that. The data center where the Evernote service operates is SAS 70 (Type II) and SSAE16 SOC–1 (Type 2) certified and requires two-factor authentication for admittance. All access to the data center is limited in scope of personnel and regular audit reviews are conducted.

As I understand it, their recent move to 2048-bit SSL keys is really good and substantially strengthens the encryption used to secure data transmission to and from their servers, but what about the rest?


Secure your Dropbox with 2-factor authentication

Dropbox has added 2-factor authentication to help users protect their accounts even better:

Two-step verification is an optional but highly recommended security feature that adds an extra layer of protection to your Dropbox account. Once enabled, Dropbox will require a six-digit security code in addition to your password whenever you sign in to Dropbox or link a new computer, phone, or tablet.

The trade-off is a bit of a hassle when accessing your account at times, but if you keep important information in your account, this isn’t a bad idea at all and is worth doing.


Warning, if you visit @RosebankTheZone the @Servest_SA security guards may bully and rob you

Steven Mark Joffe - The Zone security bullies

When Dean’s dad posted this update on Facebook about how The Zone security harassed and robbed Dean, I was shocked. I am accustomed to mall security harassing me about taking photos, eating in areas not designated for eating and generally existing, but Dean’s experience takes mall security harassment to a different level altogether. This is blatant harassment, corruption and robbery.

The Zone seems to outsource security to Servest, which provides a range of commercial services. The account below is in Dean’s words. All I can say is be very careful when you visit The Zone and don’t let yourself be caught alone with these bullies.

Update (2012-06-11): Servest’s PR people have been in touch with me and are looking into the incident.

The Zone@Rosebank

For many parents, a Saturday night is one in which their children go out. Many kids go ‘clubbing’ all around Johannesburg, attend movies and/or go out for dinner. Letting kids go out with their friends is always a concern, but one which most parents trust to be OK. Many parents assume that their kids stay together with their friends, have their cell phones on them and even know the police number. One might not understand this, but here is my story…

To put this into perspective, I am an 18-year-old who is currently studying at Witwatersrand University. I try my hardest to succeed in whatever I can and be the best person I can be. But in every person there is a breaking point or a weakness, one which I discovered last night (9 June 2012). I went to Rosebank shopping mall to meet a friend. Whilst in Rosebank, I went for coffee, walked around and eventually went outside onto some type of patio/roof. (If one knows Rosebank well: go to Aldo, go up the escalator and walk straight, where there is a glass door to an outside area. That glass door was open and thus I proceeded onto the patio.) After being outside for a bit, at about 11pm, my friend and I decided to leave as we were both leaving the centre.

As I was walking back inside, 2 security guards came and told me I was not allowed to be there. As the door was open, I had no intention of trespassing or breaking any sort of law whilst I was outside. I’ve never been an avid fan of Rosebank, but as of late I have been there on Saturday nights to see movies, go for dinner with friends and meet friends. Not knowing I could not be there, I apologized to the guards and started walking. However, they then proceeded to tell me that I needed to go to the control room. Not trying to make a fuss or anything, I agreed to go with them and kindly asked them to let my friend go, which they did. Whilst walking with the guards, I explained that I had no intention of doing anything harmful. I then proceeded to introduce myself, with my first name, thinking this would be some silly situation. We proceeded in a lift, where we went two floors underground. We then landed up in a basement parking lot, which started to slowly shock me as I realized I had no cell phone reception. Being a person who is aware and one who was alone, I took a cautious thesis of trying to have some resource for my own benefit, if there could be the worst. In the basement, I continued to follow the two security guards. I kept explaining that I had no intention of doing something wrong, which was correct as I had been trying to enjoy my night. It was at this point that one of the guards turned around and said that I should not change my statement or they could possibly call the police. It was at this moment that my attitude completely changed.

As I entered this room, I walked into some form of a tea room, or at least an area where there was a kettle. As I proceeded into the control room after gaining the guards’ permission to enter, I was introduced to the ‘head’ controller, a young, tall man. This was obviously the control room, due to the large amount of monitors with video footage of Rosebank. In the room, I started getting a form of a casual questioning. I was asked questions such as where I live, how often I come/have been to Rosebank, what I do for a living and the question that stunned me: “Were you fucking someone on the roof?” I proceeded to answer that I live near Sandton City, where I was further asked whereabouts, which I did not answer. I said I was a student and told them that I hardly come to Rosebank. As mentioned above, I only come to Rosebank when I have to, as I have never been an avid fan of the centre.

After some time, the ‘head’ guard proceeded to inform me that if his manager or someone saw that I was on the CCTV footage, I could be in trouble and the police would have to be called. As I was alone, I kept my mind focused on being calm as my frustration level started intensifying. I continued to apologize, stating that I never knew I could not be there and I had no intention of breaking any law. What struck me next was this: the ‘head’ guard then accused me of being with 3 other people, which was not true. After informing the guard that I was not with 3 other people, he proceeded to say that he had also seen other people in the same place I was. As many of you may realize by now, I kept thinking of what the **** I was doing in this control room if I had broken no laws. If they wanted to call the cops, I told them they could, as I had not done anything wrong. To a large extent, I fully understand they were doing their job, but where does the line get drawn?

But why would this end there? To top it up, the guard then told me he would delete the footage and replace it with other footage. I had no clue as to why he was doing this, but apparently it was for my own benefit. I shut my mouth and continued to agree with him. After all, there were 3 guards and one of me. What was I meant to do? I had no cell phone reception and did not even want them to see what phone I had… Yes, they are security guards, but what type of guards does this? I continued to agree with the guards as I had no intention of having more trouble. They kept telling me we were having a ‘man to man’ conversation, but if I had to sum it up, I would say much different. As this ‘situation’ started concluding, the guards then told me I needed to buy them some drinks for what they had done to me. I’m no idiot! They tried manipulating me, but I seemed to know better, at least I thought I did.

We left this control room, where the two guards who had apprehended me continued to walk with me. As we exited the lift on the first floor, they told me I needed to buy them drinks. I said I would take them to Sweets from Heaven, but to be realistic, I had the intention of calling a friend to come help me. But these guards had better ideas. They expected me to walk with them to the garage shop to buy those drinks as it was cheaper. Now I’m no fool and thus considered: why would guards make me walk to a garage if I was paying? I told them I refused to, so they said that they wanted money. As I took my wallet out and opened it, the one guard was quick to grab some of my money and then told me I could leave. Without arguing I did, and left Rosebank.

I thus get back to my original point. I am 18 years old. I’m not the smallest kid and I’m not the most stupid. I have a strong mind, the ability to try associating myself with any individual and even have the power to stay calm in some intense situations. But what about your daughter who is 15 years old, or perhaps your 13-year-old son who is new to the Saturday nights where he and his friends go see movies or walk around shopping centres? We focus on all these public companies and government officials who are corrupt. However, maybe it’s time to consider a different perspective. Maybe we need to look at a corporate which spends a fortune on advertising their company and trying to gain consumers in a positive manner, yet has indirect corruption in a sector of their business. By that I’m referring to Old Mutual, who own Rosebank.

Unfortunately, we live in a corrupt world. Not everything in this world is perfect and not everything will ever be perfect. But our country, which we call home, is one which can be terrifying. I don’t need to gain self-success from this story. I need to make others aware of how vulnerable one can be, even when least expected. The ability to keep calm will only ensure your safety. But as for my ability to go back to Rosebank, or inform others of this shopping centre, it is one which will be depicted in the most negative manner. To a great extent, the security guards were doing their job; however, I personally feel violated. That is due to the fact that I did not jump over some fence to walk into the area I was in. I did not harm anyone or try to trespass into someone’s private property. I simply was in the wrong place at the wrong time. I apologized, ensured I understood I was wrong (even though I feel I was not, due to the fact that a door was open to go outside) and even agreed to follow the procedures of going to the control room. But to be threatened, accused and have money taken from me is something I do not appreciate. So the next time you go to Rosebank, think again. Consider if that’s the shopping centre you want your children to go to.


Monte Casino security helped me change a tyre

We just came to Monte Casino to watch The Lorax with our son. When we came out and got into our car, Natassia pointed out that our front right tyre was a bit flat.

Spanner in hand

I pulled out the jack and tools and started raising the car to change the tyre in the parking area. When I looked up, Monte Casino security had arrived and one of its members, Donald, was on the ground with me helping out.

I didn’t get his name, but he helped me change the tyre and put the spare on. He was a great help and I appreciate it. Thanks dude!

When I was loading the spare back under the car, I noticed another security guard standing by until everything was stowed away and the car closed up. That was comforting. I had tools laid out while I was packing stuff away, and I could relax my usual paranoia and finish what I was doing.