Updated: Never — Philip's Blog

Now featuring regular updates!

Sun, 02 Aug 2009

15:39 – Preparing for HAR

Christophe blogs (vaguely) about preparing and hardening laptops for (security) conferences. I wonder why a laptop shouldn't always be "hardened" though?

I've blogged before about how I prefer to use deterministic scripts over fragile background magic for configuring networking on my laptop.

The @conference script on my laptop is as follows:

#!/bin/sh
# Conference profile: join the wireless network behind a default-deny input firewall.

# Remove any @* files in $HOME (quoted so a space in the path can't split the glob).
rm -f "$HOME"/@*

# Join the conference network (conf_essid stands for the real ESSID).
sudo iwconfig wlan0 essid conf_essid

# Default policies: nothing in, nothing forwarded, everything out.
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

# Let in replies to connections this machine opened, plus loopback traffic.
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
# ICMP needed for a working network: destination unreachable (3), echo request (8),
# time exceeded (11) and parameter problem (12).
sudo iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
sudo iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
# The only listening service reachable from the conference network: SSH.
# Note that -A appends, so running the script twice stacks duplicate rules.
sudo iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT

# Get an address, then bring up the tunnel (a separate script of the author's).
sudo dhclient wlan0
tunnel

Instead of spending a lot of time identifying and disabling unnecessary services, I just drop packets I don't care about on the floor. Much simpler!

Christophe and others also forget to mention the following:

  • Be careful with ssh-agent forwarding. Remember that root on machines you forward agent connections to can pretend to be you using any of the identities loaded into the agent. If you have to run ssh-agent, don't allow it to be forwarded from untrusted machines. If you have to enable forwarding, don't load keys into the agent you don't need forwarded. (Of course you're not using the same SSH key for everything, right?)
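One way to put that advice into ~/.ssh/config, as an added example that is not from the post (host names and key file names are placeholders; ssh_config uses the first value it finds for each option, so the specific Host blocks must come before the catch-all):

```sshconfig
# The one machine trusted as much as the laptop itself: forwarding allowed,
# but only the dedicated key is offered to it.
Host jumphost.example.org
    ForwardAgent yes
    IdentityFile ~/.ssh/id_forwarded

# Boxes on the conference network get a throwaway key and no agent at all.
Host *.conf.example
    ForwardAgent no
    IdentityFile ~/.ssh/id_throwaway

# Default for everything else: never forward the agent, and offer only the
# IdentityFile configured for the host rather than every key the agent holds.
Host *
    ForwardAgent no
    IdentitiesOnly yes
```

Loading keys with `ssh-add -c` adds a confirmation prompt on the laptop for every use of a key through the agent, which limits what a root user on the forwarded-to host can do unnoticed.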

Regarding physical security:

  • Use disk encryption. Don't rely on a screensaver when leaving your laptop unsupervised, just switch the machine off. Don't suspend either.
  • Don't carry unique copies of data you can't afford to lose on your laptop; keep known-good backups at home. Make sure you have backups of your dotfiles too and that you can access them remotely. That may mean you need to take a copy of an SSH key on a USB stick too.
  • Take a (known to be working) bootable USB stick so you can reinstall your laptop if someone steals your disk or if you break it during the conference.

Common sense, I think?

14:15 – Debugging JavaScript -- Grump!

This weekend, my bank (Citibank -- yes, they still exist) decided to implement a new online banking system. For some obscure reason, they decided that relying more on JavaScript would be a good idea. That seems to be a common trend among the crazy people who develop for "the web", so I'm sure I can forgive them for that.

I can't, however, forgive them for the incredible stupidity that went into the password validation the webbies put in place. For online banking, I like to use a secure password. My password consists of many characters and I chose them from all over the ASCII table. It always worked fine too. In the new online banking system however, a JavaScript "alert" happily informed me that it couldn't validate my password and wouldn't even bother to submit the form so the backend could have a go.

Since I was reasonably confident that the backend would be quite happy with my password, I decided to try to get around the JavaScript madness. I must say that my respect and admiration for the crazy people who develop for "the web" has increased quite a bit during this ordeal. Not only do they target a completely ridiculous platform, they also have to put up with unbelievably awful tools.

Mozilla Firefox has a "JavaScript Debugger" extension. Unlike every other debugger, it doesn't appear to contain the functionality to set the program counter. If it did, I could just have set a breakpoint on the function that checked the "format" of my password and then set the program counter just after that function and be on my way.

The relevant bits of the function that check the format of passwords are:

// Matches any character that is not in the class; note the parentheses are
// literal members of the class, not grouping.
var pwdPattern3 = /[^(0-9a-zA-Z)]/;

// Reject the form client-side if the password contains such a character.
if (pwdPattern3.test(document.SignonForm.password.value)) {
    alert(pwdFormat);
    document.SignonForm.password.focus();
    return false;
}

Fairly stupid. I would love to know what the developers of this were smoking! Just changing that regex to match characters which don't appear in my password would do the trick though.
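To see exactly what that regex does, here is an added example (my code, not the bank's) that reproduces the check, lists which characters it rejects, and sets it beside a rule that accepts any printable ASCII character and enforces a length floor instead; the minimum length of 12 is an assumption:

```javascript
// The bank's pattern, as quoted above. Inside a character class the
// parentheses are ordinary members, so "(" and ")" are *allowed* while every
// other punctuation mark, and space, is rejected.
const pwdPattern3 = /[^(0-9a-zA-Z)]/;

// The bank's rule: accept only if no character falls outside the class.
function bankAccepts(password) {
  return !pwdPattern3.test(password);
}

// Which characters of a password the bank's check trips over.
function rejectedCharacters(password) {
  return [...password].filter((c) => pwdPattern3.test(c));
}

// A sane rule: any printable ASCII (0x20 space through 0x7e tilde), with a
// minimum length. A client-side check is only a hint for the user; the same
// rule has to run on the backend, which is the only place it counts.
const printableAscii = /^[\x20-\x7e]+$/;
function saneAccepts(password, minLength = 12) {
  return password.length >= minLength && printableAscii.test(password);
}

// Demonstration: a long mixed password fails the bank's check, a short one
// with parentheses passes it, and the sane rule gets both right.
console.log(bankAccepts("c0rrect-h0rse!"), bankAccepts("(secret)"));
console.log(rejectedCharacters("p@ss w0rd!"));
console.log(saneAccepts("c0rrect-h0rse!"), saneAccepts("(secret)"));
```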

But how can I change this regex? It took me ten minutes to discover that the JavaScript debugger has a tiny little box in the bottom left corner containing an unsorted (!) list of what they call "local variables". That pwdPattern3 doesn't look very "local" or even "variable" to me, but I'm sure that's a JavaScript thing more than anything else. To change it, I had to double click the name of the variable, which then popped up a modal window on another workspace than the one where I had the debugger running.

Very user-friendly, guys.

In the end, I got past the check though. It only took me an hour or two. I will try to report this bug tomorrow, but I have a feeling that will be even more difficult than working around it. Operators at banks' call centres are not selected for their technical abilities. In the meantime, I also changed my password (which required working around a similar check, hiding in a different file -- I would hate to maintain this software) so I don't have to go through this ordeal every time I want to pay someone.

To end this rant on a positive note: once logged in, Citibank's online banking system still works well for me. It runs (mostly, except for the JavaScript) serverside and doesn't try to look "fancy". Pity it doesn't work in w3m anymore, but I guess I'll have to learn to live with that.