fallenpegasus: amazon (Default)
I just tweaked my online banking configuration, setting up bill payment from a different bank account, changing some settings on some credit cards, and so forth. In so doing, I had to both set up new "security questions", and to answer some I had set up in the past.

These "security questions" are a result of a US banking regulation mandate that online banking use "Two Factor Authentication". "Two Factor Auth" means, in theory, that auth be done on the basis of "something you know", which means "password", and "something you have", which means something like an RSA SecurID or VeriSign VIP token, or the endpoint of a second comm channel, like, say, an SMS cellphone.

The banking industry, being fools, knaves, and villains, decided that issuing, or even selling, a security token to most everyone "was too expensive and confusing", and so instead complained, lied, and did the usual regulatory capture dance, and managed to convince the banking industry regulators (see "fools, knaves, and villains", above) that knowing the answer to a "security question" counts as a "second factor".


Now, maybe it's true that for a significant fraction of the banks' clients, using an RSA token is, in fact, maybe too "confusing". But for those of us with a clue, please give us the option! Let me buy one from a list of approved varieties/brands of security tokens for a couple of bucks, register it with each of my banks, credit cards, and other "secure" sites, and then have the option to use it.

It's not even really necessary to have to buy something. It can be a little app that runs in a smartphone, or even just the ability to receive an SMS message on a not-so-smart phone.

To cut the banking industry a bit of slack, I suspect part of the issue was that Verisign/RSA decided the regulation to be a license to rape the banking industry even harder, and the industry rebelled against them.
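What separates a token (hardware or a phone app) from a "security question" is that the token proves possession of a secret the server never sees on the wire: each code is derived from the secret and a moving counter, so it is single-use. A question's answer is a fixed string, as replayable as a password, which is why it is still "something you know". The following is an added example, not code from the post or from any bank or token vendor: an HMAC-based one-time-password token (HOTP, RFC 4226) with the server-side verifier that a bank would run. The secret is the RFC 4226 test key, used here as a constructed example; `TokenRegistry`, its `window` look-ahead and the user names are this example's own inventions.

```python
import hashlib
import hmac
import struct
from typing import Dict

# Constructed example secret: the RFC 4226 test key, the ASCII bytes of
# "12345678901234567890". A real token gets a random per-device secret at enrolment.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class TokenRegistry:
    """The bank's side (hypothetical): one record per enrolled token, holding the
    shared secret and the next counter value it will accept. `window` bounds how
    far ahead the token may have drifted (codes generated but never submitted)."""

    def __init__(self, window: int = 5) -> None:
        self.window = window
        self._tokens: Dict[str, dict] = {}

    def enroll(self, user: str, secret: bytes) -> None:
        self._tokens[user] = {"secret": secret, "counter": 0}

    def verify(self, user: str, code: str) -> bool:
        rec = self._tokens.get(user)
        if rec is None:
            return False
        for candidate in range(rec["counter"], rec["counter"] + self.window):
            # compare_digest keeps the string comparison constant-time
            if hmac.compare_digest(hotp(rec["secret"], candidate), code):
                # Advance past the accepted value: this is what makes the code
                # single-use. A replayed or older code now falls before the window.
                rec["counter"] = candidate + 1
                return True
        return False


def demo() -> list:
    """Walk through enrolment, a successful login, a replay, and a drifted token."""
    bank = TokenRegistry(window=5)
    bank.enroll("alice", SHARED_SECRET)
    results = []
    results.append(bank.verify("alice", hotp(SHARED_SECRET, 0)))  # accepted
    results.append(bank.verify("alice", hotp(SHARED_SECRET, 0)))  # replay: refused
    # the user pressed the token's button a few times without logging in
    results.append(bank.verify("alice", hotp(SHARED_SECRET, 3)))  # within window: accepted
    results.append(bank.verify("alice", hotp(SHARED_SECRET, 1)))  # behind the counter: refused
    return results


if __name__ == "__main__":
    print(demo())
```

The SMS variant the post also mentions works differently: the server generates a random code and sends it over the second channel, so there is no shared secret and no counter, and the "something you have" is the phone number's reachability rather than a device secret.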
So yesterday I tweaked my Emacs and Gnus configuration so that it generates an X-PGP-Sig header on outgoing messages. Now all my outgoing emails and netnews posts are unobtrusively signed. (My GPG key is here on the keyserver networks.)

In the process of doing that, I also ended up finally reading the docs for gpg-agent and ssh-agent. They are pretty neat, but I'm annoyed by a couple of crying lacks.

  • The developers of gpg-agent and ssh-agent ought to get together and converge on a common protocol, or even better, just merge and unify the tool. And hook up with the OpenSSL people.
  • The ssh-agent and the gpg-agent ought to work hand in hand with the Gnome keyring and with the KDE keyring.
  • ssh and gpg should demand load keys into their agents. That is, instead of having to run ssh-add or gpg-agent-add prior to using the keys, whenever ssh or gpg decrypt and use a local private key, they ought to then just load it into the agent for next time.
  • There is a pam_ssh module, but not an equivalent pam_gpg module.
Dear Lazyweb,

I have all my old .netscape and .mozilla directories for all my past installations of Netscape, Mozilla, and Firefox, going back to 1996. I've got cert.db, cert5.db, and cert7.db files.

I want to extract out all of the certs and keys that I had added to those databases, and then import them into my current ~/.mozilla database.

Reading the docs and futzing around with NSS signtool, certutil, and pk12util isn't getting me very far.

Surely there is a tool or technique for doing this...
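The two NSS tools named above split the job by whether a private key is involved: pk12util moves a certificate together with its key through a PKCS#12 file, while certutil alone can list a database, dump a bare certificate as PEM, and import it again with its trust flags. The following is an added example, not code from the post or from the NSS project, that wires that split together: it parses `certutil -L` output, decides whether a profile is the legacy `dbm:` (cert8.db/key3.db) or the SQLite `sql:` (cert9.db/key4.db) flavour, and builds the export/import commands. `SAMPLE_LISTING` is a constructed listing, not output captured from a real profile, and the function names are this example's own. Which of the very old cert5.db/cert7.db files a current certutil can still open is not something this example settles.

```python
import os
import re
import subprocess
from typing import List, Tuple

# Constructed sample of `certutil -L` output (not captured from a real profile):
# a header, a CA cert trusted for SSL/S/MIME/code signing, and a user cert
# whose private key lives in the key database.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA                                              CT,C,C
my old personal cert                                         u,u,u
"""


def nss_db_spec(profile_dir: str) -> str:
    """Build the `-d` argument for certutil/pk12util. NSS opens its SQLite-backed
    store (cert9.db/key4.db) with the `sql:` prefix and the legacy Berkeley-DB
    store (cert8.db/key3.db and older) with `dbm:`."""
    if os.path.exists(os.path.join(profile_dir, "cert9.db")):
        return "sql:" + profile_dir
    return "dbm:" + profile_dir


def parse_certutil_list(output: str) -> List[Tuple[str, str]]:
    """Turn `certutil -L` output into (nickname, trust-flags) pairs. Nicknames may
    contain spaces, so the trust flags are taken from the last field and the
    nickname is everything before it."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Certificate Nickname") or line.startswith("SSL,S/MIME"):
            continue
        nickname, _, trust = line.rpartition(" ")
        nickname = nickname.rstrip()
        if nickname:
            entries.append((nickname, trust))
    return entries


def has_private_key(trust: str) -> bool:
    """certutil marks a certificate whose private key is in the key db with the
    `u` (user) trust flag; those need pk12util, which exports key and cert together."""
    return "u" in trust


def safe_filename(nickname: str) -> str:
    """Nicknames are free text; make them usable as export file names."""
    return re.sub(r"[^A-Za-z0-9_.-]+", "_", nickname)


def build_migration_plan(listing: str, old_dir: str, export_dir: str, new_dir: str) -> List[List[str]]:
    """Return the argv of each command needed to carry every certificate (and key)
    from the old database into the new one. Key-bearing certs go through a PKCS#12
    file; bare certs go through PEM and keep their trust flags on import."""
    old, new = nss_db_spec(old_dir), nss_db_spec(new_dir)
    plan = []
    for nickname, trust in parse_certutil_list(listing):
        base = os.path.join(export_dir, safe_filename(nickname))
        if has_private_key(trust):
            p12 = base + ".p12"
            plan.append(["pk12util", "-d", old, "-n", nickname, "-o", p12])
            plan.append(["pk12util", "-d", new, "-i", p12])
        else:
            pem = base + ".pem"
            plan.append(["certutil", "-d", old, "-L", "-n", nickname, "-a", "-o", pem])
            plan.append(["certutil", "-d", new, "-A", "-n", nickname, "-t", trust, "-a", "-i", pem])
    return plan


def migrate(old_dir: str, export_dir: str, new_dir: str) -> List[List[str]]:
    """List the old database with certutil, then run the plan. pk12util prompts for
    the database and PKCS#12 passwords itself, so none are passed on the command line."""
    listing = subprocess.run(["certutil", "-d", nss_db_spec(old_dir), "-L"],
                             check=True, capture_output=True, text=True).stdout
    os.makedirs(export_dir, exist_ok=True)
    plan = build_migration_plan(listing, old_dir, export_dir, new_dir)
    for argv in plan:
        subprocess.run(argv, check=True)
    return plan
```

Run it once per old profile directory, e.g. `migrate("/path/to/old/.mozilla/profile", "/tmp/certs-export", os.path.expanduser("~/.mozilla/firefox/<profile>"))`; the PKCS#12 files in the export directory hold private keys and should be deleted afterwards.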


Feb. 21st, 2006 03:04 pm
Want to learn how DES, and thus just about any other block cipher, works? This is a damn cool way to learn. It's DES implemented as an XL spreadsheet.


Mark Atwood
Page generated Oct. 21st, 2017 08:42 am