Making Gmail a little more secure


I love Gmail, but there have been some security concerns haunting me ever since I started carrying a smartphone, with my Gmail accessible behind nothing more than a simple swipe gesture or a 4-digit PIN.

My entire life is in Gmail, and anyone getting access to my phone would be able to get a lot of sensitive information and, even worse, use the nefarious “forgot password” feature that almost any service offers to gain access to more and more data.

The funny thing is, most of those sensitive emails and password-recovery notifications are rarely accessed. My security would be greatly improved if Gmail just asked me to re-enter my password when I try to open them.

Anything from a simple “Please enter your password” prompt on emails matching a “password reset” rule, to the ability to add filters that set a “Password required” flag, would do.

It would be possible to partially implement this without Google’s help by routing important (or all) emails via a third-party service. That service could encrypt the bodies of messages matching a defined pattern, and a Chrome extension (or a similar solution) would then decrypt the messages for viewing.
But a true implementation from the search giant would surely put people at ease.

Google, can I please please have this?

What if I lost my laptop

So, I work for a web development agency.

And today I thought I lost my Laptop.


Oh no..

Bought three years ago at ~$1,499 (let’s say it is worth ~$500 today).

Add a day to reinstall and reconfigure a new one: +$1K.


Wait.. did I use an encrypted FS ?

A nice surprise awaits the smarter thief: the source code of quite a few active and profitable web properties.

How embarrassing, your private code all over the internet. And those pesky wannabe hackers around. Not a good day to be our client.


I hope I put passphrases on my ssh keys

Because he now has access to the production servers and databases of all my clients.

It would probably take a bit of effort, but someone might be glad to get their hands on some first-class leads and marketing data..


Good thing I keep all my passwords in Chrome’s history

Yeah, including those pesky AWS, Linode, Heroku, etc passwords.

So, remove all backups, play a bit with the databases and watch the poor bastards scramble as their sites go down for a few hours, losing days of business.

No money for the prankster, but oh, the look on my clients’ faces, priceless.


Yep, I found it

Didn’t lose it. So it’s all good.

But that sure did escalate quickly..




Editor’s note: This post is intended to raise awareness among developers about the high risk hidden right under their fingers.
We always make sure our laptops cover all of the above points for maximum security. Do you ?



EDIT: Comments on Hacker News
EDIT: To clarify, I use Ubuntu (12.10)

The Bitcoin and the Taxi driver

I am worried again.

Whats this about the taxi driver ?

Back in 2007 I was “investing” in the stock market. The global price of potash was on the rise and a local stock was climbing like there was no tomorrow. I was in, I was in deep. And then it happened: my taxi ride to the airport.

We had a conversation with the driver on the way; he told me how he went to the bank to deposit around $3000 in cash and was dumbstruck when the bank asked him for a commission. “I am giving them money and they want me to pay for it ?” (it does sound kind of crazy..).

So he said he was going to invest in the same stock.
Why ? Because it had been going up.

Needless to say it crashed badly a short time after; I hope he didn’t make the buy.

Fast forward to today

I just finished helping a friend launch his Bitcoin business; he lets people buy Bitcoins in Israel for shekels. During some backend improvement sessions, he told me of an issue with a particular order. Made by a taxi driver.

Because Bitcoins allow transfers without fees ?
Because Bitcoins allow anonymity ?
Because Bitcoins are decentralized ?

Because Bitcoins are going up.

Run Forest, run.

Have you paid the global tax ?

Bought a can of Coca-Cola lately ?

How about “Old Navy” ? Maybe even a BMW ?

You probably never gave it any thought, but that money didn’t go to the “Coke-producing Cows”. Part of it went to manufacturing, part to supply chains, retailers, wages, profit.. and part… to marketing.

Let’s do an experiment

Look at the Coke in your hand.
Now look at a video on YouTube.

That 15-second commercial you were forced to watch ?
You just paid for it.

Can’t escape

No matter where you are in the world and no matter who you are:

Every day you pay a bit extra for almost everything you buy(*), just so that money can be used to show annoying ads wherever you are online (and offline).

The sad truth

So the next time you see ads take up 90% of the space in the article you are trying to read.. don’t get mad. Try to enjoy them.. hell.. you paid for them.

* Or a lot extra if it’s a “Brand”, as the marketing budget is responsible for a considerable part of the product’s price.

Seriously ? Ads ?

Some Facts

  • Facebook now has close to one billion users (that is 1,000,000,000).
  • It is one of the most recognized brands online.
  • One year after launching, ‘Facebook Connect’ was everywhere.
  • It can easily spend a billion dollars (case in point: Instagram).

So what can you do with that power ?

Option 1

Ads: continue trying to push irrelevant pictures and text anywhere you can, hoping I will click them (mostly by mistake).

Option 53

Take the $1B, give it to a team of 1000 engineers and 1000 lawyers and let them do something real instead of the crappy ‘Facebook Credits’ sham.

Offer a ‘facebook pay’ button in 200 countries and take 1%.

You know what my Mom understands ?
- Facebook.

You know how my Mom is gonna be shopping ?
- “I just clicked that facebook pay button”.

There is a trillion dollars (that’s $1,000,000,000,000) roaming around yearly out there (credit card companies processed $1.9T in 2011 in the US alone).

Why Facebook ?

Problem 1

To fight the money game you need extremely deep pockets, something the newly IPOed Facebook has more than enough of.

Problem 2

Fraud. PayPal and others use complex algorithms, special teams and God knows what. But Facebook has a unique and unparalleled database of a user’s history, friends, activities and what not.

People will think twice about losing their ‘Facebook Credit Score’ over a few $ for an online presence they spent (literally) years building and cultivating.

Bottom Line

Now that is where Facebook’s $10B profit is hiding.

But hey.. what’s cooler: making $1B/year from advertising or making $10B/year from money processing ?

Or spend that money on iPhone apps that get people sending customized farts to each other; no revenues today, but surely they will justify their $300M price tag one day.

UPDATE (14:05 GMT):

Share your thoughts on HackerNews comments

Outside the AB testing box

How we got rid of 80% of our support calls

The year is 2010 and yours truly is deciding to open a Groupon-like coupon site back in his country. A bit of coding + a bit of selling and we were up and running.

Beyond being the VP R&D, CFO and janitor, I had the dubious role of being the Head (and sole employee) of our “Customer Support”.

A wise man once said, “To know your customers, you must know your customers”. So instead of spamming my visitors with various pop-up/slide-on/drop-left/pop-off tools for suggestions/questions/injestions, I just went ahead and put up my personal mobile phone number. Right there on the buy page, in HUGE capital letters.

Number of people who emailed our support address during the next week: 2.
Number of people who called me up (thankfully during reasonable hours): ~100.

The next bit might surprise you: it appears that even in the year 2010, the average 30-year-old mom (that is our main demographic – I asked) is utterly terrified of using her credit card on the web.

“Is it possible to buy by phone ?” she would ask.
“Well yes ma’am, did you have problems buying on the site ?”
“Noo.. it’s just that I am worried about putting my card on-line”.

In the beginning I was naive enough to try the:
“No need, we have SSL on the page and our servers are PCI compliant” line…
“Yeeaa… but.. can I buy over the phone ?” is what I got every time.

So we proceeded with me opening the website on my PC and filling in her details as she dictated them to me.

Not a week had passed and the executive team started getting multiple complaints from the support staff (me). And the VP R&D decided that something must be done.

Something being done

Option A: Do some bad-ass A/B testing, e.g.: move a button 17 pixels to the left, change the first letter of some words to capitals and maybe even try switching the radio buttons from round to square.

Option B: Try to address the issue at hand.

Since my users weren’t very tech savvy and couldn’t/wouldn’t understand that the page was secured with SSL, it became apparent that they needed to be told. Proposed solution: put a big red dotted border around the form and write in large, red and reassuring letters: “SECURE ZONE”.

The form before:

How our buy form looked before

The form after:

Our form after being "secured"

For the Hebrew challenged, the writing in red is “This area is secured by SSL”.


The test

Next step: ask a sample user (mom) to buy a coupon and provide feedback.

(In the initial test version, I also had her enter her name and email in fields that were outside the “safe zone”).

Feedback: “I felt a bit uncomfortable filling in the name and email, since they were not secure.. but I filled them in anyway because it’s your site” (GREAT SUCCESS !!)

3 minutes later we went live, one week later I took my phone off the site.

Results: Even with increased activity, phone calls went from ~100/week to ~20.

Conclusions

You can A/B test the crap out of your site, but you might want to try asking your users if something is wrong first.

“Most people will assume a safe is safe if it looks like a safe safe”


First employee of a startup ? You are probably getting screwed !

Same story again

A friend of mine just told me about his exciting new opportunity:
He met two guys who are opening a new startup. They are known in the community and already had a small exit before. For the past half year they have been working on the startup, have some code, and are now just finishing a $500K seed raise.

And, they are looking for their first employee with significant equity !

After some interviews and f2f meetups, they decided to offer him a job. Of course, they can’t afford to pay a market salary just yet, but they are willing to give significant equity, a chance to influence the company’s direction and to become a core member of their team !

And he was just about to sign.

Me: “So tell me more, what kind of numbers are we talking about.”
Him: “Good ! Half my normal salary and 1% of the company”

Now this might sound very reasonable and exciting, but perhaps it’s time for…

A bit of… math !

Taking the optimistic route:
– In one year the company does a series A and can pay a full salary
– They raised 500K at a high 2M (pre-money) valuation, giving away 20%
– His normal 100K/year is cut to 50K/year.

From the looks of it, he is pretty much saving the company / putting in 50K.

What does an investor get for putting in 50K ?
– 2% of the company’s shares
– Priority on exit
– Invests a small part of his capital

What does the employee get for putting in 50K ?
– 1% of the company’s shares (options)
– 4-year vesting plan
– Exercise price
– No priority
– No control or information rights
– Invests a large part of his own capital

Strange numbers, and yet people agree to them every day.
Because their 1% will turn into a million.
And as for working for half their salary (or less).. hey.. it’s just for a while.

How low did you compromise ?

EDIT – 14:00:00 UTC
Interesting discussion on HackerNews

We are the McDonald’s of Shoe stores


“I am opening a new shoe store”

That is what a good friend of mine happily announced to me.
“Not just a shoe store, we are going to be the McDonald’s of shoe stores !”
A shoe store ? Frankly I wasn’t too surprised, having heard that quite a few times already.
And he proceeded to happily tell me of his grand plans.

The shoe store he was planning was going to open in the huge mall in the capital.
Having thousands of patrons a day made it an ideal target for him.
And regarding all the other hundreds of shoe stores there ? He didn’t seem too worried, on the contrary:
“It’s great ! All those stores just mean that there is a market for shoes !”.

But he knew that just opening another shoe store was not enough, so his would be special. Every person visiting would get (wait for it….) a free high-quality coffee !
And who doesn’t want coffee ? Everyone would come for a drink and buy their shoes on the way.

“Wouldn’t you like free coffee ?” he asked me. And I had to agree I would. Sure, it would put them at a loss in the beginning, but he had made quite a few calculations in Excel, and in a year or two the shoe sales would be high enough to cover the coffee and they would begin to become profitable. (Especially since they planned to move to their own coffee machines and bulk deals with coffee importers by then.)

We chatted about coffee types for a while and then I told him of another friend of mine, who just days ago had told me of his shoe store (which was already finishing its renovation). Their idea was “massage chairs” – you get a massage while trying on shoes – people stay longer – more shoes bought.

He dismissed them with a wave of his hand. “Bah ! We will get those too in time, and many other things others have”. In the end it’s all about execution. He had a great team and a professional designer who had just left IKEA.
“With a bit of hard work, we will become the biggest shoe shop in the mall and then spread to other cities via franchise and be like Starbucks or McDonald’s”.

I like it, I said, but there are hundreds of shoe stores in that mall, why not try something different ?
Or better yet, why not start in the smaller cities and villages where there are almost no stores, and the existing ones are small and bad ?
“That’s not how you do it if you plan big !” He and his partner had just joined the state’s leading coaching firm’s entrepreneurs plan. With the help of the firm, they would get the money and connections needed to reach the Mall’s weekly newsletter and maybe even be featured on the large billboard at the entrance.

Sure, competition was hard; sure, there was lots of it. But their idea had a unique twist, and with the proper execution ? The sky was the limit.

All that was three months ago; he has already quit his job and started working full time with his partner on designing the interior and the shoe selection.
They got some money from friends and a group of investors, moved to the big city near the huge mall and started looking for a good location for their shoe store.

And me ? Well, since all the shoe stores are in the big mall in the capital and none are in the hundred little cities around it (one of which I live in), I’ll be driving 60 miles tomorrow.. to buy shoes.

True web security from JavaScript injections ?

With the coming of Firefox 4, a new (and widely unnoticed) feature was added to the browser:
CSP – Content Security Policy.

The idea behind CSP was to try to mitigate many of the attacks and abuses we have been seeing on the web in recent years: clickjacking, unexpected cross-site scripting, script injection by corporate, country or internet-provider routers, and many more.

How does it work ?

When serving a web page, the server can now tell the browser exactly where data can come from and where it can go. The policy can specify which JavaScript files can run (and from which domains), where XHR requests can be made and even where static resources (like pictures) can be loaded from.

To be exact, a new HTTP header is added by the web server:

X-Content-Security-Policy: policy

The browser (currently only FF4) parses the rules and prevents the page from doing anything unauthorized.

For example:

X-Content-Security-Policy: allow 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com

(More examples here)

A small test

One useful feature of CSP is its ability to report violations. With the help of RoR and Redis, here is a little site where you can check whether any unexpected scripts are being injected into your plain HTTP pages:

Test your connection for JS injections

Read more about CSP
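To make the header semantics concrete, here is an added Python example (not Firefox’s code and not part of the original post) that parses the X-Content-Security-Policy syntax shown above and decides whether a given load is permitted. It models only the pieces the post discusses: the ‘allow’ default, per-type *-src directives, ‘self’, ‘*’ and ‘*.host’ wildcards; the sample loads are constructed, with the hostname injector.invalid standing in for a script the page never asked for.

```python
"""Minimal evaluator for the Firefox 4 era X-Content-Security-Policy header.
Added example, not Firefox's implementation: host-based sources only."""
from urllib.parse import urlsplit

# The example policy from the post.
POLICY_HEADER = ("allow 'self'; img-src *; media-src media1.com media2.com; "
                 "script-src userscripts.example.com")


def parse_policy(header):
    """'directive src src; directive ...' -> {directive: [src, ...]}."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(source, host):
    """Host source expression: '*', '*.example.com' or an exact host name."""
    source = source.lower()
    if source == "*":
        return True
    if source.startswith("*."):
        return host.endswith(source[1:])  # '*.example.com' -> '.example.com'
    return host == source


def is_allowed(policy, directive, page_url, resource_url):
    """Decide whether loading resource_url under `directive` (e.g. 'script-src')
    is permitted for a page served from page_url.  An absent directive falls
    back to the 'allow' default; a present one replaces the default entirely,
    so script-src without 'self' blocks even the page's own scripts."""
    sources = policy.get(directive, policy.get("allow", []))
    page_host = (urlsplit(page_url).hostname or "").lower()
    res_host = (urlsplit(resource_url).hostname or "").lower()
    for src in sources:
        if src.strip("'\"").lower() == "self":
            if res_host == page_host:
                return True
        elif _host_matches(src, res_host):
            return True
    return False


def blocked_loads(header, page_url, loads):
    """Return the (directive, url) pairs the policy would block.  This is what
    the violation reports mentioned in the post surface: a script spliced into
    a plain HTTP page on the wire shows up here instead of running."""
    policy = parse_policy(header)
    return [(d, u) for d, u in loads if not is_allowed(policy, d, page_url, u)]


if __name__ == "__main__":
    # Constructed sample loads: the page's own assets plus one injected script.
    loads = [
        ("script-src", "http://userscripts.example.com/widget.js"),
        ("script-src", "http://example.com/app.js"),           # blocked: no 'self'
        ("script-src", "http://injector.invalid/tracker.js"),  # blocked: injected
        ("img-src", "http://cdn.anywhere.invalid/logo.png"),   # allowed: img-src *
        ("media-src", "http://media3.com/clip.ogv"),           # blocked: not listed
        ("xhr-src", "http://example.com/api"),                 # allowed via default
    ]
    for directive, url in blocked_loads(POLICY_HEADER, "http://example.com/", loads):
        print(f"blocked {directive}: {url}")
```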

Why is USB so SLOoow..


Fast disk on key ?

Have you ever noticed that if, during the copying of a file to a USB disk, you start to copy another, the performance of both drops drastically ?

A small test

Take the simple test (if you have Linux).

Create a 100 megabyte file (100 blocks of 1 MiB):

> dd if=/dev/zero of=100m bs=1048576 count=100

Now create two test scripts:

# sequential_test.sh
# copy the file twice, one copy after the other, flushing after each
cp 100m /media/usb_disk/file1
sync
cp 100m /media/usb_disk/file2
sync

# parallel_test.sh
# start both copies at once, wait for both to finish, then flush
cp 100m /media/usb_disk/file3 &
cp 100m /media/usb_disk/file4 &
wait
sync

Run the tests:

> time sh sequential_test.sh
> time sh parallel_test.sh

Performance may vary; I got the sequential test being 3 times as fast.
Depending on fragmentation and your OS, the difference can go up much higher than that.

How USB transfers work (Stack level) ?

USB is a multi-layer protocol with multiple stages at each layer.
We will examine only the relevant culprits, ignoring the less relevant ones.

Transfer a 4K block from PC to HD:

OS: Determines where on the target disk to put the block
- Mass storage: A SCSI header is created
  (containing information such as size of block (4K), target block location (LBA), direction (write) and others)
- Mass storage: A Mass-Storage protocol wraps the SCSI header with its own
  (holding pretty much the same info again, don’t ask why)
- Mass storage: The header from above (31 bytes) is scheduled for transfer
-- USB Core: Figures out the USB address of the device and the endpoint to use
--- USB Host Controller Driver: Schedules an OUT transfer of 31 bytes
--- USB Host Controller HW: Sends OUT token to device
    (this tells the device to expect data)
--- USB Host Controller HW: Sends the 31-byte packet to device
--- USB Device Controller HW: ACKs the packet
-- USB Host Controller Driver: Discovers the finished transfer
   (usually via interrupt and done-list traversal)
- Mass storage: Schedules the data transfer of 4K
  *** Same transfer sequence as above ***
- Mass storage: Schedules a read of 13 bytes (status header from device)
  *** Same transfer sequence as above ***
OS: Transfer complete

Resulting in 3 data transfers on the USB bus for a single data transfer at the OS level.

How USB transfers work (Controller level) ?

Being a master-slave shared bus, the host synchronizes the communication on the bus by issuing a periodic SOF (Start Of Frame) token every 1ms (1/8ms for Hi-Speed).
This effectively divides each second into 8000 transfer windows (from now on we will speak of Hi-Speed mode only).
As a result, controllers usually cannot add a transfer to the current window (it will be executed in the next window).

Also, the ‘done-list’ interrupts and processing are done at the end of a window.

Sample 1 byte transfer sequence:

SOF0

* Controller Driver schedules a 1-byte transfer
* Controller HW adds transfer to pending list

SOF1

* Controller HW executes Transfer

SOF2

* Controller Driver goes over the done list, notifies the upper layer and schedules the next transfer

From the above example we can see that trying to sequentially send 1-byte packets (serial-line style) puts us at a practical limit of 4000 bytes/sec.

It does go faster

Obviously USB can work much faster; how ?

The maximum size of a single bulk-transfer packet is 512 bytes. A modern host controller can usually push as many as 13 of those per frame if not bothered by other transfers. It can also allow the driver to schedule large buffer chains, allowing it to fill frames.

This puts us at a possible:

8000 frames * 13 packets * 512 bytes / sec = ~50M/sec
(we managed to get to around ~38 in our labs)

Back to bulk transfers

As we have seen, the Mass-Storage protocol has 3 stages: Header, Data, Status. With a minimum of 2 frames for each stage, that gets us to 6 frames for our 512-byte transfer.

Theoretical speed: 8000/6 * 512 = ~666K/second

It should be obvious now that making the Data stage as large as possible will greatly speed up our transfer. The larger the data stage, the smaller the effect all the other stages will have.

But even with smaller sizes, for example 32K:

Header: 2 frames
Data: (32K / 512)/13 + 1 frames
Status: 2 frames
= 10 frames per 32K

Effective speed: (8000 / 10) * 32K = 25M/sec
(Only 2 times as slow; that’s because we spend 5/10 frames on data transfer instead of 10/10)

In practice, most device controllers / drivers / hardware take much more time to parse and set up a transfer following a header, and the overhead for a data transfer can rise from the theoretical minimum of 5 frames to 10-20 or higher, making small transfer sizes much more expensive.

And here is where parallelism hits:
Trying to send two data streams at the same time can still work very fast if the OS is willing to submit them in large chunks. Alas, in most cases, in the name of parallel execution, the transfers get chopped down into smaller blocks.

Granted, for normal magnetic disks the seek times can be unavoidable for a parallel copy. But the real performance hit is usually with flash devices which, while they have no seek times and should be able to handle parallel transfers very fast, have a slow setup for the SCSI/Mass-Storage handling, resulting in very poor performance on small transfer blocks.
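The frame arithmetic above, carried through as an added Python model (not code from the post): it reproduces the 512-byte and 32K cases, then extends them to the sequential-versus-parallel copy, where the two files move the same bytes but the interleaved copy pays the header/status overhead per small chunk. The file size, chunk sizes and the 10-frame device setup overhead in the scenario are constructed assumptions, not measurements.

```python
"""Frame-accounting model of USB 2.0 Hi-Speed bulk mass-storage transfers,
following the post's reasoning.  Added example; the constants are the post's."""
import math

FRAMES_PER_SEC = 8000      # Hi-Speed: one SOF (microframe) every 1/8 ms
PACKET = 512               # maximum bulk packet size in bytes
PACKETS_PER_FRAME = 13     # what a good host controller pushes per frame
STAGE_FRAMES = 2           # minimum frames per stage: schedule in one, run in the next


def data_frames(nbytes):
    """Frames for the data stage: packets spread over frames at 13 per frame,
    plus one frame for the done-list processing (the post's '+ 1')."""
    packets = math.ceil(nbytes / PACKET)
    return math.ceil(packets / PACKETS_PER_FRAME) + 1


def frames_per_transfer(nbytes, setup_overhead=0):
    """Header + data + status stages for one mass-storage transfer.
    setup_overhead adds the extra frames a slow device spends parsing the
    header before accepting data (the post's 10-20 frames in practice)."""
    return STAGE_FRAMES + data_frames(nbytes) + STAGE_FRAMES + setup_overhead


def throughput(nbytes, setup_overhead=0):
    """Bytes per second when transfers of nbytes are issued back to back."""
    return FRAMES_PER_SEC / frames_per_transfer(nbytes, setup_overhead) * nbytes


def copy_seconds(total_bytes, chunk, setup_overhead=0):
    """Time to move total_bytes as a sequence of chunk-sized transfers."""
    transfers = math.ceil(total_bytes / chunk)
    return transfers * frames_per_transfer(chunk, setup_overhead) / FRAMES_PER_SEC


def sequential_vs_parallel(file_bytes, big_chunk, small_chunk, setup_overhead=0):
    """Two files copied one after another in big chunks, versus the same two
    files interleaved after the OS has chopped them into small chunks.  The bus
    carries the same bytes either way; only the per-transfer overhead differs.
    Returns (sequential_seconds, parallel_seconds)."""
    seq = 2 * copy_seconds(file_bytes, big_chunk, setup_overhead)
    par = 2 * copy_seconds(file_bytes, small_chunk, setup_overhead)
    return seq, par


if __name__ == "__main__":
    # The post's two worked cases: 512 bytes -> 6 frames, 32K -> 10 frames.
    for size in (512, 32 * 1024):
        print(f"{size:>6} B: {frames_per_transfer(size):>2} frames, "
              f"{throughput(size) / 1e6:6.2f} MB/s")
    # Constructed scenario (assumptions, not measurements): 100 MiB files,
    # 128K chunks when a copy runs alone, 16K chunks when two copies are
    # interleaved, and 10 frames of device setup overhead per transfer.
    seq, par = sequential_vs_parallel(100 << 20, 128 << 10, 16 << 10, 10)
    print(f"sequential: {seq:5.1f} s   parallel: {par:5.1f} s   "
          f"slowdown: {par / seq:.1f}x")
```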