Password policy that tires

From Pearson VUE, which says in its help:

In our ongoing effort to secure the privacy of your personal information, Pearson VUE now requires all users to supply a strong password. Choose your new password carefully to make it hard for anyone to guess. Strong passwords must adhere to the following rules:

  • It must be a minimum of 7 characters and contain 3 out of the 4 following attributes:
    • Uppercase Latin letters (A, B, C, … Z)
    • Lowercase Latin letters (a, b, c, … z)
    • Westernized Arabic numerals (0, 1, 2, … 9)
    • Special characters (&, *, %, etc.)
  • Passwords cannot contain your username

These are good policies to have, but there are too many words to read through before you understand the policy.

But wait, there’s more:

This is a huge challenge for the ever-changing self. I don’t remember much of my childhood and now the form is making me sad.

Out of all the questions I can only answer the first company I worked for. This is too hard!

Forced alphanumeric passwords

From the movie The Hangover Part II:

Phil: Your password is baloney1?
Chow: Well used to be just baloney, but now they make you add number.

Forcing letters and numbers into passwords is just annoying for me. I have what I deem to be a sufficiently secure password, and I had to uglify it with a number. The number actually makes my password harder to remember. Will my passwords just be random hashes one day?
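The two posts above make one point between them: a composition rule like Pearson VUE's ("7 characters, 3 of 4 classes, no username") is easy to satisfy by sticking a digit and a capital onto a dictionary word, exactly as Chow does with "baloney1". The following is an added example, not Pearson VUE's code or anything from the page: it encodes the quoted rules as a checker and then adds the check those rules are missing, normalising away the usual decoration to see whether a common word is underneath. The common-word list, the leet substitution map and the case-insensitive username test are assumptions for illustration.

```python
import re

# Encodes the quoted Pearson VUE rules; "special" is assumed to mean any
# character that is not a Latin letter or a digit.
CLASS_PATTERNS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed sample list; a real deployment would check against a large
# breached-password or dictionary list.
COMMON_WORDS = {"password", "baloney", "welcome", "letmein", "qwerty", "monkey"}

# Assumed substitutions people use to satisfy "add a number / add a symbol".
LEET = str.maketrans("@0134$", "aoleas")


def check_policy(password, username, min_length=7, classes_required=3):
    """Return the list of policy rules the password violates (empty list = passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    present = [name for name, pat in CLASS_PATTERNS.items() if pat.search(password)]
    if len(present) < classes_required:
        problems.append(f"only {len(present)} of 4 character classes present")
    # Assumption: the username rule is meant case-insensitively.
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def mangled_base(password):
    """Undo the usual decoration: case, leading/trailing digits or symbols, leet digits."""
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(LEET)


def is_mangled_common_word(password):
    """True when a common word is left once the decoration is stripped."""
    return mangled_base(password) in COMMON_WORDS


def evaluate(password, username):
    """Policy violations plus the guessability check that composition rules miss."""
    problems = check_policy(password, username)
    if is_mangled_common_word(password):
        problems.append(f"common word with decoration ({mangled_base(password)!r})")
    return problems


if __name__ == "__main__":
    for candidate in ("baloney", "baloney1", "Baloney1?", "P@ssw0rd!", "xK9#vQ2m"):
        print(f"{candidate!r:14} -> {evaluate(candidate, 'chow') or 'ok'}")
```

"Baloney1?" passes every quoted rule (nine characters, all four classes, no username) and is still a dictionary word with two symbols bolted on; only the normalisation step catches it. That is the check a policy like this needs alongside the character-class counting.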

MySQL.com compromised by SQL injection

This day just had to come:

MySQL.com compromised

MySQL.com (the official site for the MySQL database) was compromised via (shocking!) blind SQL injection. A post was sent today to the full disclosure list explaining the issue and dumping part of their internal database structure.

What is worse is that they also posted the password dump online, and some people have already started to crack it. Some of the findings are pretty bad, such as the password used by the MySQL director of product management being only 4 digits (6661); they also posted multiple admin passwords for blogs.mysql.com…

MySQL have not said anything about this attack, but we will post more details as we learn more about it.

Source: Sucuri

The irony.

Cambridge refuses censorship on chip-and-PIN vulnerabilities

According to BoingBoing, the UK banking trade association wrote to Cambridge asking that a student’s master’s thesis be censored because it documented a well-known flaw in the chip-and-PIN system. Cambridge University’s Ross Anderson replied with the following:

Second, you seem to think that we might censor a student’s thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient. This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values. Thus even though the decision to put the thesis online was Omar’s, we have no choice but to back him. That would hold even if we did not agree with the material! Accordingly I have authorised the thesis to be issued as a Computer Laboratory Technical Report. This will make it easier for people to find and to cite, and will ensure that its presence on our web site is permanent….

You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it. [Source: Cambridge]

The reply is full of win; the academic world scores one.

Setting up wireless in Ubuntu terminal

The following steps set up a WPA wireless connection for a Linksys WUSB54G on Ubuntu from the command line. They have worked for me; I’m just taking notes and sharing what I did, and hopefully you’ll find it helpful if you need to go through the same process. My Ubuntu version is 9.04, but this should work in newer versions too.

Prerequisites

You’ll need wpasupplicant. If you don’t already have it:

[code lang=”bash”]sudo apt-get install wpasupplicant[/code]

Obtaining your WPA psk in /etc/wpa_supplicant.conf

You can use wpa_passphrase to generate a configuration file for your /etc/wpa_supplicant.conf. In the following example, my wireless SSID is ‘MySSID’ and my passphrase is ‘text passphrase’.
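What wpa_passphrase actually puts on the psk= line is not a copy of the passphrase but a key derived from it: for WPA/WPA2-Personal (IEEE 802.11i) the PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256 bits out. The block below is an added example, in Python rather than the shell used above because it reproduces the derivation instead of calling the tool; it is not wpa_supplicant’s code or anything from the original post. It emits the same network={...} stanza shape as wpa_passphrase and, unlike the tool, leaves out the `#psk="..."` plaintext comment by default, since that line is the part of the generated file that people forget to delete.

```python
import hashlib
import os

# Added example: reproduces the WPA/WPA2-Personal PSK derivation (IEEE 802.11i)
# that wpa_passphrase performs. Not wpa_supplicant's code.


def wpa_psk(ssid, passphrase):
    """Hex PSK for ssid/passphrase, with the length limits wpa_passphrase enforces."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    ssid_bytes = ssid.encode()
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 32-byte (256-bit) key
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid_bytes, 4096, 32).hex()


def network_block(ssid, passphrase, keep_plaintext_comment=False):
    """The network={...} stanza in wpa_supplicant.conf syntax.

    wpa_passphrase also writes a '#psk="..."' comment holding the plaintext;
    it is off by default here so the file does not carry both secrets."""
    lines = ["network={", f'\tssid="{ssid}"']
    if keep_plaintext_comment:
        lines.append(f'\t#psk="{passphrase}"')
    lines.append(f"\tpsk={wpa_psk(ssid, passphrase)}")
    lines.append("}")
    return "\n".join(lines) + "\n"


def write_conf(path, block):
    """Create the file owner read/write only (mode 0600) from the start.

    The hex PSK on its own is enough to join the network, so the file is as
    sensitive as the passphrase whether or not the plaintext comment is kept."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(block)


if __name__ == "__main__":
    # Same SSID and passphrase as the example in the post above.
    print(network_block("MySSID", "text passphrase"), end="")
```

Because the SSID is the salt, the same passphrase yields a different PSK on every network, which is why a leaked wpa_supplicant.conf exposes that one network rather than the passphrase wherever it was reused; the derivation is also deliberately slow (4096 iterations), which is what makes offline guessing of a captured handshake cost something.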

BlackBerry to be banned in Saudi Arabia

Likely for censorship reasons: BlackBerry devices encrypt their traffic in a way that has been deemed an obstacle to censorship and surveillance practices.

Saudi Arabia to Ban BlackBerry Service on Friday

Saudi Arabia has ordered the suspension of Research in Motion’s BlackBerry service as of Friday, as it does not meet current regulations, according to the country’s telecommunications regulator.

The suspension will cover all services, including e-mail and instant messaging, said an official from the Communications and Information Technology Commission (CITC), who requested not to be named. He did not specify what were the current local regulations that BlackBerry did not comply with.

BlackBerry’s service is to be suspended in neighboring United Arab Emirates (UAE) from Oct. 11 because it does not fall in line with the country’s regulations, the UAE telecommunications regulator said on Sunday.

RIM is also in negotiations with the Indian government over the country’s demands that security agencies should be able to intercept BlackBerry data.

In a customer update earlier this week circulated to the media, RIM said that it does not possess a “master key,” nor does any “back door” exist in the system that would allow RIM or any third party to gain unauthorized access to the encryption key or corporate data. The symmetric key system used in the BlackBerry security architecture for enterprise customers ensures that only the customer possesses a copy of the encryption key. (Source: PC World)

I’m standing on the BlackBerry side for this one.

Security update, time to upgrade Django

Django has a 0-day security vulnerability. It’s time to upgrade:

Security updates released

Today the Django project is issuing a set of releases to remedy a security issue. This issue was disclosed publicly by a third party on a high-traffic mailing list, and attempts have been made to exploit it against live Django installations; as such, we are bypassing our normal policy for security disclosure and immediately issuing patches and updated releases.

Description of vulnerability

Django’s forms library included field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in this regular expression, resulting in the server process/thread becoming unresponsive, and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack.

Affected versions

Any Django application making use of EmailField or URLField in the following versions is vulnerable:

  • Django development trunk
  • Django 1.1
  • Django 1.0

Read more at Django blog
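The advisory above describes a regular-expression denial of service: a validator whose pattern has a nested, ambiguous quantifier, so a crafted address that fails to match makes the engine try every way of splitting the input before giving up, and the work grows exponentially with the input length. The block below is an added example of that class, constructed here to illustrate the advisory; neither pattern is Django’s actual EmailField or URLField regex, and the length cap is an assumption. It pairs a pathological local-part validator with a linear one that accepts the same well-formed addresses, and times the first on attack strings of growing length.

```python
import re
import time

# Added, constructed illustration of the vulnerability class; neither pattern
# is Django's real EmailField/URLField regex.
#
# PATHOLOGICAL: "([a-z0-9]+\.?)+" lets a run of letters be split between
# iterations in 2**(n-1) ways, and the engine tries them all when the overall
# match fails.
PATHOLOGICAL = re.compile(r"^([a-z0-9]+\.?)+@[a-z0-9.-]+$")
# LINEAR: every dot must be followed by a label, so any prefix matches in exactly
# one way and a failing input costs O(n). It is also stricter: no trailing dot.
LINEAR = re.compile(r"^[a-z0-9]+(\.[a-z0-9]+)*@[a-z0-9.-]+$")
MAX_LEN = 254  # assumption: bound the input before any regex sees it


def validate_pathological(addr):
    return PATHOLOGICAL.match(addr) is not None


def validate_safe(addr):
    if len(addr) > MAX_LEN:
        return False
    return LINEAR.match(addr) is not None


def attack_string(n):
    """n valid local-part characters followed by a byte that can never match.

    The '@' never arrives, so the pathological pattern backtracks through every
    partition of the run before reporting failure."""
    return "a" * n + "!"


def elapsed(fn, addr):
    start = time.perf_counter()
    fn(addr)
    return time.perf_counter() - start


def backtracking_growth(lengths=(10, 12, 14, 16, 18)):
    """Seconds the pathological validator spends at each attack length."""
    return {n: elapsed(validate_pathological, attack_string(n)) for n in lengths}


if __name__ == "__main__":
    for n, t in backtracking_growth().items():
        safe = elapsed(validate_safe, attack_string(n))
        print(f"n={n:2d}  pathological {t * 1000:9.2f} ms   linear {safe * 1000:.3f} ms")
```

Each step of two in the attack length roughly quadruples the pathological timing while the linear validator stays flat; past about thirty characters one request would pin a worker thread for minutes, which is the denial of service the advisory describes. The fix is to rewrite the pattern so it cannot match a prefix in more than one way, and to cap the input length before validating as defence in depth.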

Allowing self-signed certificates for pfsockopen and fsockopen

This is more of a personal note. I’m kinda busy; I’ll write more next time perhaps. Use this if you want to connect to an HTTPS endpoint that uses a self-signed SSL certificate. Note that turning off peer verification leaves the connection open to interception; pointing the stream context at the self-signed certificate itself is the safer way to trust it.

This is for placing in front of pfsockopen and fsockopen.