Lately I’ve been seeing this more and more on various Websites, especially ones that pride themselves on “high security” such as banks and online trading sites.

Every time I see it, however, I’m reminded of how stupid it is. I’m speaking of sites that require you to log in with a username and password as you normally would, but then ask you to verify your identity with one or more “security questions” such as the name of your first pet or your favorite color.

The idea is that even if someone has your username and password, they would be unable to guess the answer to these security questions unless they absolutely were you.

The two main flaws I see with this are:

1. People who know you well enough would know the answer to many of these questions. A spouse, parent, or brother/sister would likely know the name of the user’s first pet, for example.

2. The replies to these questions can be long, answered in many ways, are case-sensitive, and are often obscured and not shown in the clear. How many ways, for example, would you answer this question:

Q: What was the destination of your first airplane trip?
A: Hmm. It was to Salt Lake City in Utah. So did I enter this answer as “Salt Lake City” or “Utah” or “Salt Lake City, Utah”? I’ll try “Salt Lake City.” Oh, it said that was wrong. But did I just mistype it, or is that the wrong answer? I’ll try it again. Still wrong. Great, I get one more try before my account is locked out.

Essentially what has been done here is the creation of multiple usernames and passwords for one site. All of the security questions and answers must be written down unless you can remember exactly how you entered the answers the first time you signed up. You remember that time, when you were frustrated that you had to pick five questions and answers in the first place and just wanted to sign up for the Website.

Stupid.
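The second flaw above is partly a matching problem: a site that compares the raw answer string will reject “salt lake city” and “Salt Lake City.” as wrong even though the user clearly knows the answer. As an added example (not code from the original post), the snippet below shows how a site could normalize a free-form answer (Unicode fold, case fold, strip punctuation, collapse whitespace) before hashing it with a per-user salt, and then verify later attempts the same way. The function names and the 200,000 PBKDF2 iterations are my own choices, not anything the post describes. The last checks make the author’s point: normalization removes spelling-variant false rejections, but it cannot reconcile genuinely different answers such as “Utah” versus “Salt Lake City”, so the question stays ambiguous no matter how the site stores it.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def normalize_answer(answer: str) -> str:
    """Canonicalize a free-form security answer before hashing.

    NFKC folds compatibility characters (full-width letters, ligatures),
    casefold() handles case more aggressively than lower(), punctuation is
    dropped, and runs of whitespace collapse to a single space.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)  # drop commas, periods, apostrophes, etc.
    return " ".join(text.split())


def enroll_answer(answer: str, salt: Optional[bytes] = None) -> tuple:
    """Store only (salt, slow hash of normalized answer), never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the hash from the normalized candidate and compare in constant time."""
    trial = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(candidate).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return hmac.compare_digest(trial, digest)


if __name__ == "__main__":
    # Constructed sample: the answer the user typed at sign-up.
    salt, digest = enroll_answer("Salt Lake City")
    for attempt in ["salt lake city", "SALT LAKE CITY.", "Salt Lake City, Utah", "Utah"]:
        print(f"{attempt!r:25} -> {verify_answer(attempt, salt, digest)}")
```

Normalization is applied identically at enrollment and at verification, so the stored hash never has to be recomputed for new spelling variants. Note what it does not do: “Salt Lake City, Utah” is a different normalized string than “Salt Lake City”, so it still fails, which is exactly the ambiguity the post complains about.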

Once every few months I have the great pleasure of taking out my Space Shuttle Launch Countdown document and watching our magnificent Shuttle take off from the Cape. It is always with great pride and admiration that I watch a Shuttle launch, and today was no exception.

Actually, tonight was no exception. Shuttle Endeavor launched at 7:55 PM EDT. All launches are special, but night launches are even more so, illuminating the night sky with brilliant light. Everyone should see a launch if they have the opportunity. My only wish is to one day see a launch in person from Florida.

For many people I know, the exploration of space and our space program is very dear to our hearts. For those of us in IT, these feelings are even more profound as many of us feel we are the “Mission Control” of our organizations. I know I feel this way.

After the launch, I stepped outside briefly and tried to look for stars through the cloudy sky, remembering that one day not that long ago someone looked to the heavens and said, “People up there? Yeah, we can do that.”

Godspeed, Endeavor. May you return from your exploration safely.

I’m officially classifying today as Twisted Thursday for the following two reasons:

Adobe and The Upgrade Fix
Adobe posted Security Bulletin APSB08-18 to address “clickjacking” security concerns in Flash Player 9.0.124.0. The fix? Upgrade to Flash Player 10, which was just recently released!

If you don’t want to upgrade to version 10, you can stay with version 9. This version will be fixed in “early November.” This isn’t acceptable in my eyes.
While an upgrade to Flash Player 10 is likely harmless for most folks, I’m certain there are many organizations that will want to certify version 10 before they begin installing it. Version 10 has only been out for a short time and may require existing Flash content to be updated to address security changes that Adobe has made to the product.

Simple Economics
Steve Ballmer today said that a deal with Yahoo still “makes sense economically.” The market took this to mean that Microsoft had renewed interest in pursuing a deal with Yahoo, causing Yahoo’s stock to move more than 15% higher. Speculation began immediately that negotiations between the two companies had started up again.

But wait a minute. About ten minutes later, CNBC reported that a “source close to Microsoft” stated that Microsoft had not restarted negotiations with Yahoo. Of course they haven’t. Yahoo’s stock has been suffering lately with the rest of the market. Of course it still makes sense economically, especially when you could purchase the company at a better price now compared to seven months ago.

I don’t know this for a fact, but I believe this is what Steve was getting at. If I were willing to buy my neighbor’s car for $300 in March and three months later the Blue Book value places it at $100, of course it still “makes sense economically” to buy it.

Unfortunately it’s still parked up on blocks in her driveway, so I’ll pass.

UPDATE – 3:09 PM EDT: Microsoft statement: “Our position hasn’t changed. Microsoft has no interest in acquiring Yahoo!; there are no discussions between the companies.” (link)

Yesterday at the office a colleague accepted a meeting invitation in Outlook 2007 connected to Exchange Server 2007 as he’s done many times before. He clicks Accept and then chooses “Do not send a response.” His rationale for this choice is so that the meeting organizer is not flooded with “Accepted” and “Declined” messages in their Inbox.

An hour or so later, the meeting organizer sent him a follow-up e-mail asking if he was in fact coming to the meeting and if he had any agenda items to add on. He responded that yes, he would attend, and that the organizer should see that when they viewed the entry for the meeting in their Calendar.

Despite him seeing “Accepted on” in his Calendar entry, the organizer saw “None” as his attendance reply status in their Calendar entry. My colleague didn’t think this behavior was correct and believed he found a bug in Outlook (or in Exchange).

I explained via e-mail that this was in fact the expected behavior and that it makes sense if you think about it from the standpoint of receiving an old school invitation in the mail with an RSVP requested, but not required.

Let’s go through this step by step, assuming simple Accept or Decline (no Tentative):

Step | “New Hotness” invite | “Old School” invite
1. | Organizer clicks the Invite Attendees button and selects the people that they would like to invite. | Organizer creates invitations, addresses them to the people that they would like to invite, and mails them.
2. | Potential attendees receive a notification in their Inbox. | Potential attendees receive an invitation in their mailbox.
3. | Attendee Accepts or Declines the invitation. They are presented with three choices. | Attendee Accepts or Declines the invitation. They have three choices.
4a. | Send the response now – This generates an “Accepted” message that is sent to the meeting organizer. | Send an RSVP to the organizer – The organizer is notified that the attendee will attend the meeting when they receive the RSVP.
4b. | Edit the response before sending – This allows the attendee to write a message that will be included in the “Accepted” (I’ll be there with donuts!) or “Declined” (I can’t make it. Don’t eat my donuts.) message that is sent to the organizer. | Edit the RSVP before sending – The attendee can add a note to the RSVP before they send it back to the organizer. Perhaps they want to know if they should bring donuts, or they are unable to attend and want to send an apology note.
4c. | Do not send a response – The organizer is not notified of the attendee’s choice; if the attendee clicked Accept, the meeting is added to the attendee’s Calendar and they can show up if they choose. | Do not send an RSVP – The organizer has no way of knowing whether the attendee plans on attending the meeting, but the attendee can add the meeting to their wall calendar and show up if they choose.


What about the meeting organizer being flooded with Accepted and Declined messages? I mentioned to my colleague that Outlook includes an option to automatically process blank meeting responses, as shown in the screenshot below. The automatic processing is done by the Outlook mailbox sniffer. He countered that this should be automatic since that option isn’t selected by default, that an organizer should just check the entry in their Calendar, and that a meeting with 100 attendees could potentially generate 100 responses.

[Screenshot: Outlook option to automatically process meeting responses (outlookAuto)]

Again, this makes sense if you think about it in a more traditional sense. Most organizers won’t invite 100 people to a meeting; they may invite a dozen people or so at the most. They will also likely want to see a notification that the person has accepted or declined the invitation right in their Inbox rather than having to periodically check their Calendar to see who will be attending the meeting. Advanced users can utilize the Outlook option indicated above if they like.

Hopefully this clears up what appears to be an oddity in this behavior!