American Express and Security

This originally started as an email to some coworkers, but I think people here might find it more interesting.

If you have an Amex online account, they limit your password to 8 characters and you can only use numbers and letters. That's not very secure: the keyspace is at most 62^8 (36^8, about 2.8 trillion combinations, if case is ignored), and I could write a program to guess every password within those constraints in a matter of minutes. So someone complained. (Note: I've complained by phone myself and got no response.)

I wish that I could use a stronger password for this site. 8 characters are NOT enough.
Response (Gaurav Sharma) 02/06/2010 05:53 AM

And the response.

Thank you for your email regarding your online password.

I would like to inform you that our website has 128 bit encryption. With this base, passwords that comprise only letters and alphabets create an algorithm that is difficult to crack. We discourage the use of special characters because hacking software can recognize them very easily.

The length of the password is limited to 8 characters to reduce keyboard contact. Some software can decipher a password based on the information of "most common keys pressed".

Therefore, fewer keys punched in a given frame of time lessen the possibility of the password being cracked.

Moreover, American Express is committed to protecting the privacy and security of all of our Cardmembers, both on-line and off-line. We believe that our current security measures, which include our sophisticated monitoring systems to detect unusual or fraudulent card activity, provide strong, ongoing protections for our Cardmembers.

Rest assured, I have forwarded your comments to our webmaster for review. During this review, we may contact you if additional information is required.

We value your membership and wish goodness and health to you and your family.
Sincerely,
Gaurav Sharma
Email Servicing Team
American Express Interactive Services


Eight characters makes a pretty weak password. The rationalization is twofold. First, when looking through a keylogger's output the password will be hard to identify, whereas a long random string would stand out. (Think of the output of a virus that is reporting back thousands of people's keystrokes.) That doesn't hold up: a keylogger records keys in the order they were typed, so the password is whatever follows the username no matter how long it is. And the "128 bit encryption" they cite is the TLS session, which protects the password in transit and says nothing about how hard the password itself is to guess.

Secondly, when a password is stolen or guessed, they can detect the fraud with their "special sauce" monitoring and take care of things after the fact.

I'll assume that the credit card companies want to protect themselves from losses, of which fraudulent charges are a large part. I can attest to credit card companies alerting me that my number was stolen well before I noticed it. (It's happened a couple of times; I even had my card copied by a cashier once.) So I figure they must have run tests and figured out this was the best way to protect their money.

The problem is I think they're wrong, and the limitation is more likely a holdover from old computer systems (eight alphanumeric characters is a classic mainframe-era password field). They wouldn't lie, would they?
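To put a number on "I could write a program to guess every password", here is an added example (mine, not the author's) that enumerates the alphanumeric keyspace with itertools.product, cracks the unsalted SHA-256 of a short constructed password to measure its own guess rate, and scales that up to eight characters. It assumes the site folds case (36 symbols) and that the attacker is working offline against a copy of the password hashes; a rate-limited login page is a different, much slower game, and the 12-character mixed-case line is there only to show what the complaint is asking for. The 1e9 guesses/s GPU figure is an assumption, not a measurement.

```python
"""How small is 8 alphanumeric characters? Enumerate it and measure."""
import hashlib
import itertools
import math
import string
import time

# Assumption: the site folds case, so letters + digits is 36 symbols.
AMEX_ALPHABET = string.ascii_lowercase + string.digits
# Mixed case, digits and punctuation (94 symbols) for comparison.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def keyspace_bits(alphabet, length):
    """Entropy of a uniformly chosen password: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def sha256_hex(password):
    return hashlib.sha256(password.encode("ascii")).hexdigest()


def brute_force(target_hex, alphabet, length):
    """Try every string of `length` over `alphabet` against an unsalted SHA-256.

    Returns the matching password, or None once the space is exhausted.
    """
    for combo in itertools.product(alphabet, repeat=length):
        candidate = "".join(combo)
        if sha256_hex(candidate) == target_hex:
            return candidate
    return None


def measured_rate(alphabet, length):
    """Guesses per second of this pure-Python cracker on a full sweep."""
    bogus_target = "0" * 64          # not in the space, so every guess is timed
    start = time.perf_counter()
    brute_force(bogus_target, alphabet, length)
    elapsed = time.perf_counter() - start
    return len(alphabet) ** length / elapsed


def seconds_to_exhaust(alphabet, length, guesses_per_second):
    """Worst-case time to try the whole keyspace at a given rate."""
    return len(alphabet) ** length / guesses_per_second


if __name__ == "__main__":
    # Constructed target: 8 characters is too big to sweep in pure Python,
    # so crack a 4-character one and extrapolate from a timed 3-character sweep.
    target = sha256_hex("q7m2")
    print("recovered:", brute_force(target, AMEX_ALPHABET, 4))
    rate = measured_rate(AMEX_ALPHABET, 3)
    print("pure-Python rate: %.0f guesses/s" % rate)
    for name, alphabet, length in [("8 alnum (Amex)", AMEX_ALPHABET, 8),
                                   ("12 mixed + symbols", FULL_ALPHABET, 12)]:
        print("%-20s %5.1f bits, %.1e s at measured rate, %.1e s at 1e9/s (assumed GPU)"
              % (name, keyspace_bits(alphabet, length),
                 seconds_to_exhaust(alphabet, length, rate),
                 seconds_to_exhaust(alphabet, length, 1e9)))
```

Eight case-folded alphanumerics is about 41 bits; at the assumed 1e9 guesses/s the whole space takes under an hour, and even the sluggish pure-Python loop shows where that number comes from. Note that the uppercase test below fails on purpose: anything outside the alphabet the policy allows is never tried, which is exactly why a wider alphabet and a longer field help.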

My thoughts on the Kindle and technology advancing past books

I write more for other people's blogs than I do my own.

When I think of the Kindle, I think of an awesome device (the big one is wonderful to use) with a free data connection that needs to be hacked to be useful. Hacked to remove Amazon's ability to delete books. Hacked to allow browsing of the web. Hacked to allow my own content to be freely placed on the device. The hacking negates the free data plan because the device no longer functions along Amazon's business model, but it's your device, so you can use it how you like. You should be able to get your own data plan. ($20/month)

I don’t see why “E-Readers” would have to remove community behind books and libraries. I can argue that “social networks” could work around the devices and books. Especially around trading books – I’ll get into the legality of that–how authors could still get paid and the usefulness and harmfulness of DRM Encryption in that situation–some other time.

I can also argue that libraries are a place for more than retrieving books. You have librarians, who are paid experts and curators of knowledge. A Kindle may have a library of books, but it doesn't have librarians. On a side note, it doesn't have quiet work areas or comfy chairs either.

But even though I have a library down the block from my house, I haven’t had the need to be in one for a long while. I have my own comfy chair, and don’t read books that often.

One thing the Kindle does facilitate that a library can't is that I could write a book and publish it on the Kindle for free, and distribute it worldwide without cost and with an excellent margin. Sites like Lulu allow me to make print copies, but their costs are non-trivial (good rates, but not cheap). That kind of freedom is liberating. I won't argue that publishing companies are worthless, as they are not, but they've had a monopoly on publishing for a long time. Devices like the Kindle allowing for self-publishing make me very happy.

In my head, preferring a paper book over a Kindle is akin to preferring a small black and white TV over a larger color one. I don't see the technology being the problem; it's a tool like any other, and it can be just as enabling for you and me as it can for companies like Amazon and BookSwim.

Comments?

Top Content jQuery Graphs

I found a really cool jQuery graphing plugin over at The Filament Group. They constantly pump out great little toolkits they make for their clients. I’m just a consumer at the moment, but I’m loving the idea that I can cultivate what I learn into something I can share back. All in time. Another iFrame today. If you can’t see the table and graph below (or if you want to check the source) check out the original document.

Three Strikes and you’re out (of internet)

Torrent Freak writes about a counter measure:

Yesterday we reported that a provision in the revamped French “3 strikes” bill will allow for the punishment of ISP account holders for the copyright infringing actions of others. Now a group of hackers has set out to compromise WiFi routers en masse, in order to create an environment of plausible deniability.

I very much like this idea. It goes to show they're missing the point. They can't stop people from downloading movies, and in trying to they're creating toothless laws that will disproportionately hurt a small segment of offenders and be ineffective at stopping the behavior.

It's similar to clients asking me to lock down their computers so their kids can't get to porn websites, or so they can limit their Facebook usage. I can do it, and have, but I tell them the kids will find a way around it; it's much better handled through social rather than technological methods. Educating the kids about the net is a far better method for keeping them honest, but that happens to be a tall order when their parents often don't quite understand it themselves.

Recently I've found a rather effective web monitoring method that, instead of blocking sites, just reports to the user how much time they spend on each site. It's meant for offices and is called WebSpy, and works on the theory that people don't want to spend all day at work browsing the web; they want to be "good" but just need to be kept in check. It follows the principle that when you know people are watching, you'll do a better job.

I'm not going to touch on the internet piracy three-strikes laws, but I'm glad that in France they're making sure a judge makes the decision to cut someone off the net, and not the accuser. The overhead in that is so immense it probably won't happen. Who wants to jail their own community anyway? If everyone's committing the crime, is it a crime? If it's "considered harmful", like crystal meth for example, what do you do then?

There's a big meth problem in a lot of towns and cities in the United States, and I'm wondering if "jail" is the answer. If you have a large community doing something harmful to itself (that may actually be a crime as well), how do you recover from that? Obviously there needs to be a group effort, and some level of amnesty. I'm curious what kind of effort would be effective.

Going back to something a lot less "harmful", what about file sharing and copyright infringement? I don't consider it to be harmful to society; people are making other business models work for music and movies, and there's a lot of room for growth and discovery in those directions. But let's, for the sake of argument, say that our current/old business models were the only ones that could work, and that if we want art we need to stop infringing on copyrights so artists can afford to be artists. Do we jail all offenders? Do we punish them and keep them from being able to communicate with society? Or do we find a way to convince our constituents that they need to come together to fix the problem?

I say constituents because it’s our elected officials that pass these laws to police how we act. These are questions they should be asking, and that we should be making them ask.

And with that I'm lost in my own rant, so I'm done. Feels good to write even if it is drivel.

MJ Had A Patent

Michael Jackson died yesterday, prompting a flood of traffic that amounted to a DDoS on the world's news organizations and Google. Whatever became of him doesn't change the fact that he knew what he was doing when it came to putting on a performance and singing a song. I'm going to share one of my favorite facts about him: he had a patent for shoes.

Method and means for creating anti-gravity illusion

Smooth Criminal Lean

No wires just shoes.

It’s fascinating to watch these videos, but boy is he ever weird.

Ray Anderson on the business logic of sustainability

This is a talk from "America's Greenest CEO". He's transformed his petroleum-intensive carpet tile company's business practices into sustainable ones. That's a fancy way to say he's shifted from taking from the earth to make carpet (which eventually ends up as trash) and started paying attention to the whole cycle of his goods, so there's less waste, carbon, and material. He tasked his company with figuring out a way to use sustainable methods to sell, make and recycle carpet. The whole endeavor saved his company from the crash of 2000 and has proven to be quite profitable by design and not just through "green" marketing. (Although I'm sure it helps.)

He strives to be a model for an industry that doesn't strip the earth of its resources but keeps control of the entire cycle of its goods and byproducts. Of course he does a much better job explaining it. My favorite axiom from the speech is a simple one.

If it exists then it is possible.

Download mp4 in Standard Def (54MB) or HD 480p (195MB)

Is that an antenna in your pocket?

I'm cleaning up some old draft posts that I never wrote out. This one is even more relevant today than when I planned to write it.

https://www124.americanexpress.com/cards/loyalty.do?page=expresspay

http://www.engadget.com/2008/03/19/rfid-credit-cards-easily-hacked-with-8-reader/

http://www.difrwear.com/

I own a Difrwear wallet, and while it isn't perfect at blocking RFID tags at close range (3-4 inches), it's a damn good wallet and will stop distance and opportunistic sniffing, like near a turnstile or door frame. I met one of the creators at The Last HOPE and played with a machine he had set up there for reading RFID cards at a distance.
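The reason a shielding wallet matters is that what an EMV contactless card hands a reader in response to READ RECORD is plain BER-TLV, with the PAN, the expiry date and (on many cards of that era) the cardholder name sitting in the clear; the reader in the Engadget story is just asking politely. The following is an added example, not code from this post, from Engadget or from Difrwear: a minimal BER-TLV walker run over a constructed record. The tag numbers follow EMV Book 3, the PAN 4111111111111111 is a standard test number, and the sample bytes are made up here, not captured from a real card.

```python
"""Walk an EMV-style BER-TLV record and pull out the card data it exposes."""

# Tag numbers from EMV Book 3, Annex B.
TAG_PAN = 0x5A
TAG_EXPIRY = 0x5F24          # YYMMDD, BCD
TAG_HOLDER_NAME = 0x5F20
TAG_RECORD_TEMPLATE = 0x70

# Constructed sample READ RECORD response (not captured from a real card):
#   70 1B                      record template, 27 bytes of content
#     5A 08 4111111111111111   PAN (standard test number)
#     5F24 03 121231           expiry 2012-12-31
#     5F20 08 "DOE/JOHN"       cardholder name
SAMPLE_RECORD = bytes.fromhex(
    "70 1B"
    "5A 08 41 11 11 11 11 11 11 11"
    "5F 24 03 12 12 31"
    "5F 20 08 44 4F 45 2F 4A 4F 48 4E"
)


def _read_tag(buf, i):
    """Decode a BER tag; returns (tag, is_constructed, next_index)."""
    first = buf[i]
    tag = first
    i += 1
    if first & 0x1F == 0x1F:          # multi-byte tag: more bytes while bit 8 is set
        while True:
            tag = (tag << 8) | buf[i]
            i += 1
            if not buf[i - 1] & 0x80:
                break
    return tag, bool(first & 0x20), i


def _read_length(buf, i):
    """Decode a BER length (short form, or long form with a byte count)."""
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    return int.from_bytes(buf[i:i + n], "big"), i + n


def parse_tlv(buf):
    """Flatten a BER-TLV buffer into [(tag, value)], descending into templates."""
    out = []
    i = 0
    while i < len(buf):
        tag, constructed, i = _read_tag(buf, i)
        length, i = _read_length(buf, i)
        value = buf[i:i + length]
        if len(value) != length:
            raise ValueError("truncated TLV at offset %d" % i)
        i += length
        if constructed:
            out.extend(parse_tlv(value))
        else:
            out.append((tag, value))
    return out


def extract_card_data(record):
    """Return the PAN, expiry and name a sniffer would see, as plain strings."""
    fields = dict(parse_tlv(record))
    data = {}
    if TAG_PAN in fields:
        # PAN is BCD; an odd-length PAN is padded with a trailing 0xF nibble.
        data["pan"] = fields[TAG_PAN].hex().upper().rstrip("F")
    if TAG_EXPIRY in fields:
        data["expiry_yymmdd"] = fields[TAG_EXPIRY].hex()
    if TAG_HOLDER_NAME in fields:
        data["name"] = fields[TAG_HOLDER_NAME].decode("ascii").strip()
    return data


if __name__ == "__main__":
    print(extract_card_data(SAMPLE_RECORD))
```

Nothing in that exchange is encrypted; the card's cryptography goes into the transaction cryptogram, not into hiding the account data, which is why distance and shielding are the only things standing between a skimmer and the number on the front of the card.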

100Mbit Internet

This post contains a little bit of bragging. My internet setup at work is pretty simple: we have two T1 lines (not counting our VoIP trunk or our DID lines, but those are sort of telephone) going into two different Cisco PIX firewalls, and behind those an old Cisco 2600 to do basic routing. (Network map image.) One does NAT and port forwarding for our normal internet usage, as well as port forwarding from different IPs for our email and web servers. It's important that the default route to the net not share a public IP with the email server: when people get viruses that spam everyone, that IP lands on blocklists and other sites stop accepting email from your mail server. The other provides VPN access to another office, which also only has a T1 line. And while T1s are slow, it's "enough" bandwidth for our business needs, and the other office is in the middle of nowhere and can't do much better.

That being said, here in New York City we can do better. A lot better. A T1 usually offers about 1.5 Mbit/second for data (I won't cover the many telephone applications). That's fine for surfing the net, watching YouTube videos, and email. It is slow for 25 people doing all those things, but more importantly it's slow for downloading anything of any size. 1 megabyte, for example (about a minute of audio, or one large photo; if you knew that, I'm sorry to use the comparisons), takes about 6 seconds. 300 megabytes (the size of a decent video clip or a Microsoft or Apple security update) takes about half an hour. 700 megs (say the size of an Ubuntu install CD; seriously guys, no net install CD? I don't want all your packages) takes about an hour.

(Graph: T1 weekly.) You won't see it on this graph, as it averages the speed over two hours, but we maxed out our bandwidth quite often. It's mostly my fault, I download a lot. Our network graphs spike all the time and I can say "oh, that was me" for most of them. I probably consume more bandwidth than everyone else here put together. It's part of my job (and personality), and because I have to share the connection with 20 other people I can't saturate it for long periods at a time (it's rude). At home you probably have about 10 Mbit download (700 megs in 10 minutes, but check for yourself), so what slows 20 people down for an hour here would only slow your family or roommate down for 10 minutes at home.

Well, last week our network graphs automatically adjusted to accommodate a new connection. (Graph: fiber weekly.) Have a look at where it says "Maximum": that's 28 times faster than the other graph's maximum. Technically it could read about 60 Mbit a second, the theoretical limit of our firewall: the PIX 501 supports up to 60 Mbit firewalled, while the PIX 506E does 100 Mbit through its firewall, but it's busy. What changed was our primary internet connection: we now have a 100 Mbit fiber connection from a company called Cogent. They "lit" our building a few years ago but we didn't have the need or $$ to change connections. It's now super cheap (~$700 a month, a bargain compared to the ~$400 for a T1) and has proved to be quite reliable. In a few weeks we're going to move to a Cisco ASA 5505, which will handle firewall, VPN and failover (in case we do lose connection to the internet), drop our remaining T1 line, and steal a few channels off one of the voice T1s for a backup data connection (slow, but good enough to keep email flowing). All for less than what we were paying before.

Nice, right? Let me put it in perspective. The 700 meg file I can now download in a minute and a half, and when we move to the new hardware it could take 56 seconds, saving me 59 minutes compared to the original connection. In actuality we'll probably never hit full speed, as most servers won't pump data at 100 Mbit/s, nor can you guarantee that you'll get routed through the net that fast. There's a noticeable speed difference when I pull from California servers compared to New York servers compared to European servers.

My mind is blown. =)
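To make the mail-server point from the setup description concrete, here is an illustrative PIX 6.x-style fragment. It is an added example, not the author's actual configuration: the interface names, the 10.0.0.0/24 inside network, the 10.0.0.25 mail host and the 203.0.113.0/24 public addresses are assumptions using documentation ranges. Workstations go out through one shared NAT address, while the mail server is translated to its own dedicated public address, so a spamming workstation can get the shared address blocklisted without taking outbound mail down with it.

```text
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 203.0.113.5
static (inside,outside) 203.0.113.10 10.0.0.25 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq smtp
access-group outside_in in interface outside
```

The first two lines are the shared NAT for the workstation pool (203.0.113.5 is what the rest of the net sees for browsing). The static line pins the mail server to 203.0.113.10 in both directions, and a static translation takes precedence over the nat/global pool for that host, so its outbound SMTP never leaves from the workstation address. The access list then admits only SMTP from outside to the mail address; the web server would get its own static and its own access-list entry the same way.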