Time to reset some passwords

About once a year, I accidentally type my password into the user name field on a login form and click submit. Immediately, I realize what I did as I see my password sitting there, mocking me in plain text from the user name field. I did that today, and it's time to go reset my passwords. For those of you who aren't involved in web development, let me explain why.

Nearly everything you do online gets logged, but it's standard security practice to filter passwords out of the logs. However, filtering passwords doesn't help much when you type your password in a user name field. Here's an example log of what I just did:

Processing UserSessionsController#create (for 72.14.204.99 at 2010-02-21 11:43:21) [POST]
  Parameters: {"user_session"=>{"user_name"=>"Th1s1sMyP@ssw0rd","password"=>"[FILTERED]"}}
  [User Load (0.4ms) incorrect user_name or password - user not loaded]

 Processing UserSessionsController#create (for 72.14.204.99 at 2010-02-14 11:43:53) [POST]
  Parameters: {"user_session"=>{"user_name"=>"nathan","password"=>"[FILTERED]"}}
  [User Load (0.4ms) "user_name"=>"nathan" loaded]

As you can see, on my first login attempt, the log contains my password as the user name, my IP address, a time stamp, and a note that the login failed. On my second login attempt, the log contains my real user name, my filtered (correct) password, my IP address, a time stamp, and a note that the login succeeded.

Given that these two events happen within a minute of each other and come from the same IP address, a savvy attacker with access to the logs (or an unscrupulous systems administrator) could determine that my password is Th1s1sMyP@ssword just by looking at the logs. That attacker could also create a script that would prune the logs for all failed logins from the same IP address that are followed by successful logins within some short time period from a different user name. If the attacker slurped the logs into a database (and had a SQL-wielding DBA wife to help with his queries like I do), he could use a query like this:

select success.ip, success.user_name as user_name, fail.user_name as password
from
    (select *
        from login_attempt f
        where f.success = false
    ) fail
inner join
    (select *
        from login_attempt s
        where s.success = true
    ) success
on fail.ip = success.ip
and success.datetime between fail.datetime and date_add(fail.datetime, interval 5 minute)

on a login_attempt table with columns: ip, datetime, user_name, and success to give him possible user name/password combinations.

Luckily, I only have to change the passwords for 2 or 3 accounts, but many web users carry a single password with them to every site, leaving them broadly exposed if an attacker discovers the password for a single account.

YourTinnitus.com launches this week

Do you know the high pitched sound you hear when a TV is on but muted? Imagine you heard that noise constantly... and really loudly. That is tinnitus: chronic ringing in the ears. Currently, 12 million Americans suffer enough from their tinnitus to require medical attention, and 2 million patients report being unable to function "normally" day-to-day. Tinnitus can even be so extreme that it drives some sufferers to suicide.

There is currently no cure for tinnitus. Though there are ways to diagnose, monitor, cope, and potentially inhibit tinnitus sounds for tinnitus sufferers, primary care physicians rarely have the training or equipment to deal with tinnitus patients, and specialists are hard to come by. With this lack of viable medical options, two camps have sprung up: online pill pushers and high-end devices manufacturers (in the $5k range). This is where we come in. YourTinnitus.com offers an option to help tinnitus sufferers diagnose, monitor, and learn about their tinnitus. We do nearly the same thing that the $5k devices do, except we do it online for about 1/100th of the price.

After a few great months of working with the auditory neuroscientists in the Department of Psychology, Neuroscience, and Behavior at McMaster University, we're proud to release YourTinnitus.com this week. With our tools, tinnitus sufferers will be able to objectively evaluate if their tinnitus worsens or improves over time, determine how similar their tinnitus is to others who have tinnitus, and download a sound file of their tinnitus that they can let friends, family, and doctors listen to to prove they're not crazy. Over the next few months, we'll be working on even more tools to evaluate, diagnose, and potentially mask tinnitus sounds for tinnitus sufferers.

Email server recipe for avoiding spam filters

Setting up an email server and making it work with anti-spam protocols is one of those things that's 100x easier to do the 2nd time around. I follow these steps whenever I need to do it.

Prerequisites

  • Apache
  • Ubuntu 9.04 (these instructions should work for other versions, but that's what my target currently is)

Ingredients

  • postfix
  • dkim-filter - DKIM (DomainKeys Identified Mail - new standard)
  • dk-filter - DomainKeys (legacy protocol - needed for Yahoo, etc)
  • SPF records

Postfix Setup

First, we need to install an email server, postfix. I'm going to skimp a little on configuration here because with most EC2 AMIs I use, postfix is already installed. For more information see: Postfix setup and configuration for Ubuntu.

The most important parts are installation: 
sudo aptitude install postfix

and configuration of myhostname, mydomain, and mynetworks (which determines which hosts may send mail through the server). Here's the section from a sample configuration:

myhostname = yourdomain.comalias_maps = hash:/etc/aliasesalias_database = hash:/etc/aliasesmyorigin = /etc/mailnamemydestination = yourdomain.com, localhostrelayhost =mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128mailbox_size_limit = 0recipient_delimiter = + inet_interfaces = allmydomain = yourdomain.com

DKIM setup and configuration for Postfix and your DNS

Next we need to install and configure DKIM. This will make the server sign email headers so that users can assert, through DNS, that an email's origin has not been forged. It's safe to directly follow the instructions here: DKIM setup and configuration for Postfix and your DNS. The only catch may be with your DNS; as some DNS's (particularly GoDaddy) will not display the fully qualified TXT record name. If you enter "mail._domainkey.mydomain.com" your DNS may show the record name as "mail._domainkey". If it does, don't worry about it. It's just following an internal convention. When the DNS server receives queries for "mail._domainkey.mydomain.com", it will respond correctly.

DomainKeys setup and configuration for Postfix and your DNS

DKIM (described above) is the newer, standard protocol for signing emails; however, some mail providers are still using the older DomainKeys protocol (namely Yahoo). It's safe to directly follow the instructions here: DomainKeys setup and configuration for Postfix and your DNS, but watch out for a few repeats. You will have already completed the second part of the "Configurating DNS" section, and should use the second form of the Apache configuration in the "Startup and testing" section because you will have already placed a DKIM configuration in Apache:

milter_default_action = acceptmilter_protocol = 2smtpd_milters = inet:localhost:8891,inet:localhost:8892non_smtpd_milters = inet:localhost:8891,inet:localhost:8892

SPF setup and configuration for Postfix and your DNS

SPF (Sender Policy Framework) allows mail recipients to reject mail received by senders who DNS does not recognize as authorized senders for a domain. It's safe to directly follow the instructions here: SPF record setup and configuration for Postfix and your DNS, though you may need to create the "smtpd_recipient_restrictions" section in your postfix configuration.

Validating your installation

Throughout this process, you can emailing check-auth2@verifier.port25.com to Validating your email server configuration. You will receive an email reply to the address you sent the check request from. Also, make sure that the email address is from the domain you are targeting (it could be different based on the hostname or other postfix configuration, particularly on EC2). Here's an example command to send the email from your server:

echo "test message" | mail -a "From: you@yourdomain.com" -s test check-auth2@verifier.port25.com

Other limitations

From time to time, you may run across an email sending limit imposed by EC2 and you may need to request that the limit be removed.

Additionally, it's good to check that you are not listed on Spamhaus.

Choosing Posterous over Tumblr

After a semi-thorough comparison, I'm choosing Posterous over Tumblr. Initially, I wanted to pick Tumblr for no reason other than it being in NY and being funded by Union Square Ventures. However, I chose Posterous because of it's:
  • compatibility with how I write - The easiest way for me to sync post writing across my desktop, laptop, and phone is to save drafts in gmail. It seems like the Posterous team had this specific use case in mind for their product.
  • orientation toward longer-form posts - I need a place to ramble, and to me, Posterous has a look and feel that lends itself to longer posts.
  • focus on content creation - Tumblr seems like it's based on sharing other content, which is fine, but not what I'm going for with this blog.