Security

Security by Obscurity

Today this blog post turned up on Hacker News, titled “Obscurity is a Valid Security Layer”. It makes some excellent points about the distinction between good and bad obscurity, and it gives an example of good obscurity using SSH.

From the post:

I configured my SSH daemon to listen on port 24 in addition to its regular port of 22 so I could see the difference in attempts to connect to each (the connections are usually password guessing attempts). My expected result is far fewer attempts to access SSH on port 24 than port 22, which I equate to less risk to my, or any, SSH daemon.

Yubikey 4

Today my new Yubikey arrived, a Yubikey 4. There’s a whole load of features packed into the YubiKey, but the only feature I really use is the OpenPGP applet which emulates an OpenPGP smartcard.

This is the only device that is trusted to see my private GnuPG keys at the points where I use them. It helps to keep track of where my keys are, as they can only be in a single place.

Facebook Lies

In the past, I had a Facebook account. Long ago I “deleted” this account through the procedure outlined on their help pages. In theory, 14 days after I used this process, my account would be irrevocably gone. This was all lies.

My account was not deleted and yesterday I received an email:

Screenshot of the email I received from Facebook

It took me a moment to figure it out, but what had happened here is that someone had logged into my Facebook account using my email address and password. Facebook simply reactivated the account, which had not had its data deleted, as if I had logged in.