Wednesday, February 17, 2010

Notes on KeePass from a long time user of Password Safe

I have been a long time user of Password Safe and has great appreciation for its simplicity and usefulness. As my database grows over the years, the simplicity of Password Safe (I am using version 3.20) becomes an issue. The most obvious one is that there is no way to find an entry other than to scan one by one. This process becomes laborious with lots of entry nested deeply.

As a result, I have embarked unwillingly on a journey to find a replacement for my trusty companion. I came across the KeePass Password Manager program that operates and looks very similar to Password Safe and is also an open-source project. A search on the Internet does not seem to reveal any vulnerability of this and hence with some trepidation, I decided to give it a road test and below are my experience. It is by no mean an exhaustive comparison or even to gauge its security strength.

While KeePass supports AES-128 in both ver 1.x and 2.x and only supporting Two-fish in ver 1.x, out of the box, the implementation of them is the key to the strength and vulnerability and not so much as the declared algorithm used. This aspect is not examined. The notes below are more a guide for Password Safe users on how to migrate to KeePass painlessly and to become familiar with it.

The good things with KeePass (ver 2.09) vs Password Safe (ver 3.20)

KeePass from a developer's prospective appears to be a more active community than Password Safe and architecturally a better product. While some many argue that the availability of a plug-in architecture can weaken the security of the product, the fact remains that it is there to allow people to extend and to use them when needed. Out-of-the-box, no plug-in.

This plug-in architecture is exploited to the fullest, as described below, in migrating the Password Safe database over to KeePass.

KeePass has a large active community producing a variety of plug-ins while Password Safe is more a closed system. KeePass has also spawned off other projects to produce versions for mobile and other operating systems.

Both KeePass and Password Safe are essentially portable applications that do not need to install into the machine. Both products, only KeePass version 2.x, also produce installers that allow people to install them into their machine and uninstall them when not required. I used the portable version that does not require installation.

KeePass has two versions - ver 1.x and ver 2.x - that unfortunately use two different database technologies introducing compatibility issues. Version 2.x can handle version 1.x databases with no loss of data requiring a forward conversion but a version 1.x KeePass cannot open version 2.x database unless is exported into a 1.x format.

KeePass seems to embrace the Windows Security Model better than Password Safe. While Password Safe performs perfectly in a USB drive environment in which it has read-write access to the directory, in a share machine or machine using LUA, Password Safe is found struggling. Sure, you can use the -g option to re-route the configuration file location. But this is very clumsy that you have to specify each user's profile area.

As a digression, under the watchful eyes of Process Monitor, when Password Safe's program as a limited user, it seems to generate a lot of "Access Denied" error when opening system files such as Shell32.dll and others. Just very unusual and I am wondering if they are opening them with too much privilege.

KeePass understands the LUA principle and Windows Profile. It will automatically re-route the per user configuration files in situation that requires this. Password Safe lacks this capability. KeePass ver 2.x also runs fine in non-Windows environment using Mono.

The other nice touch with KeePass in handling multiple users or sharing between machines is the availability of this feature "Enforced Configuration" that allows an administrator to define system-wide settings that each user will inherit.

The bad part of KeePass

Ver 1.x is a native product while Ver 2.x is a .Net product using framework 2. So if you are taking KeePass on a USB drive to be used on some one else machine, such as in an Internet Cafe, and if that machine does not have .Net framework installed, you cannot run KeePass2. But if you have KeePass1.x you can run it on any machine.

Start up speed of version 2 is also very much in line with a typical .Net application. Once started, there is no noticeable performance difference.

If you intend on traveling and worry about the availability of the .Net framework issues, use KeePass1.x, which is still a supported product. Not as pretty as KeePass2 but as functional as KeePass2.x. The down side is the database are incompatible.

This issue with the availability of the .Net framework is only a transitional problem as all Vista and Win7 machines have .Net Framework 2 and higher installed by default and many XP machines are progressively supporting .Net Framework. It is only a matter of time.

What extra features I would like to see in KeePass

I would like to see an option that allows me to open the database in read-only format until I reopen it without that option. This prevents user from changing the data accidentally.

It would also be a nice feature not to reveal the password permanently until one decides to show it and that stays temporarily until that entry is closed. At the moment KeePass' show or hide state is persistent not only across entries but also for the KeePass installation; Password safe always hide the password when viewing/editing the entry and only shows the password until that entry is closed.

Migrating Password Safe database over to KeePass

If you have a database in Password Safe 1.x, 2.x and 3.x format, you can convert to using KeePass. The process depends on which final version of KeePass to use and below are the steps:
1) Download version 1.09 of KeePass into a temporary directory and unzipped it.
2) Download the Password Safe Import plug-in into the directory containing KeePass ver 1.09. Since this plug-in only works for KeePass versions 1.05 to 1.09, we have to use KeePass ver 1.09. If you drop this into newer version of KeePass, they will not recognize this as a valid plug-in.
3) Follow the installation instructions in the Password Safe Import Plug-in as described in the accompanied ReadMe.txt.
4) Create a new database with KeePass 1.09 and then use "Tools/PwSafe Database Import/Import" to import the Password Safe database into KeePass.

If you are going to use KeePass ver 1.x, you can use this database without any further steps.

If you are going to use KeePass 2.x, you have to import this KeePass 1.x database into ver 2.x format. Once that is completed you can wipe the KeePass 1.x's directories and database. This completes the migration process.

Monday, February 15, 2010

Hallelujah - Well said

Well this is not a religious blog post but an echo of total support of Jaron Lanier's comments:
Yet we continue to overestimate the potential of computers and the web to behave intelligently, talking down the power of our own brains and consciousness and talking up the abilities of the machines.


"People often make themselves stupid to make the machines seem smart," says Lanier. "We are flooded with information but the only reason we are flooded with information is that the people who designed the software systems don't know the difference between quantity and quality. So if you design something like Twitter where people are encouraged to say, 'Oh, I just had a sandwich', then of course it will be flooded. To design systems like that and then to say, 'Now we have this intelligent software to filter it,' is ridiculous."
People thinks computer is smart being able to do all these calculations and marvelous things not realizing that it is the human brain that creates all these programs.

How many time people sing praises about how powerful Google/Bing search engines are but not realizing how simplistic their approach is. Give your search engine a search criteria that contains phrases that you want to include (may or may not have to presented in the given order) but excluding other given ones to see how relevant are the search results come back. Human do not search things just be the present of atomic words with no regards to ordering?

If you do not believe me, try to search the Net for manual method for removing some stubborn malware. You will be bombarded by sales pitch stuff, jamming your web browsers with totally irrelevant scan reports, and things disguised as helpful tools but in fact rogue security software. The only thing missing, if not like find a needle in a haystack, is the really useful manual removable technique supported by proper technical explanation (not it just works) from authority in the matter. The quality of the Net has definitely gone downhill.

Thursday, February 11, 2010

Malware attacks in LUA

It probably has something to do with the security model of Vista that recently more and more Malwares and Trojans are attacking and surviving in user's account. The reason it is possible is largely explained by the paper "Problems of Privilege: Find and Fix LUA Bugs":
Prior to Windows 2000, HKCR was just a symbolic link to HKLM\Software\Classes that only administrators could write to. This meant that operations performed on HKCR\.txt actually occur in HKLM\Software\Classes\.txt. Windows 2000 introduced per-user registration data, so now HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes (which the user can write to). If a key exists in the latter, it takes precedence. So now an operation on HKCR\.txt occurs in HKCU\Software\Classes\.txt if that key already exists; if it doesn’t, the operation occurs in HKLM\Software\Classes\.txt as it had in the past.
Note that HKCU keys take precedence over HKLM and user has all the rights to modify HKCU\Software\Classes. It is this implementation that now opens up a 'vulnerability' for Malware writer to exploit. Even rogue antivirus "XP Guardian" is exploiting this hole. This support note from Microsoft shows how to exploit this hole.

Most of these Malwares also use the "%Temp%" or even "Temporary Internet Files" folders to park their malicious executable code with total impunity.

Since most computer only serves one user, particularly notebook and netbook, it is pointless to struggle so hard to gain control of the HKLM and protected resources that required elevated privileges. The end result is almost the same - carrying out the dirty deed with total impunity. Anti-Virus program are often of little help.

This problem allowing HKCR to take precedence, even in Vista, allows attackers to exploit this hole in XP, Vista and Windows 7. Even running LUA will not be a good defense against this form of attack and anti-virus is even more ineffective.

Monday, February 8, 2010

iPad design principle is a diametrically opposite to the Apple Computer's founding one

This article by Johnathan Zittrain provides a timely warning of the danger of allowing Apple to exert such a tight control on its recently released products, namely iPhone and iPad. He provides a historical account of how Apple Computer was established based on a computer, Apple II, renowned for its ability to be reconfigured almost infinitely with third parties parts and then contrasting its recent diametrically opposite corporate view - Apple controlling everything.

He reminds us

If Apple is the gatekeeper to a device’s uses, the governments of the world need knock on the door of only one office in Cupertino, California – Apple’s headquarters – to demand changes to code or content . Users no longer own or control the apps they run – they merely rent them minute by minute.
[...]
Mr Jobs ushered in the personal computer era and now he is trying to usher it out. We should focus on preserving our freedoms, even as the devices we acquire become more attractive and easier to use.

Friday, February 5, 2010

Love-hate relationship with Fingerprint recognition system

I harbor a love-hate relationship with finger print recognition system both of government or commercial grade because I have yet met one that reliably recognizing my print. Hence when I come across this research paper, I want to know more particularly the performance of the deployed system, etc.
A fingerprint matcher can make two types of errors: a false match, in which the matcher declares a match between images from two different fingers, and a false nonmatch, in which it does not identify images from the same finger as a match. A system’s false match rate (FMR) and false nonmatch rate (FNMR) depend on the operating threshold; a large threshold score leads to a small FMR at the expense of a high FNMR. For a given fingerprint matching system, it is impossible to reduce both these errors simultaneously.

Fingerprint identification system performance is measured in terms of its false positive identification rate (FPIR) and false negative identification rate (FNIR). A false positive ident i f icat ion occur s when the system finds a hit for a query fingerprint that is not enrolled in the system. A false negative identification occurs when it finds no hit or a wrong hit for a query fingerprint enrolled in the system. The relationship between these rates is defined by FPIR = 1 - (1 - FMR)^N, where N is the number of users enrolled in the system. Hence, as the number of enrolled users grows, the fingerprint matcher’s FMR needs to be extremely low for the identification system to be effective. For example, if an FPIR of 1 percent is required in a fingerprint identification system with 100 million enrolled users, the FMR of the corresponding fingerprint matcher must be on the order of 1 in 10 billion. Such a stringent FMR requirement can usually be met only when fingerprints from all 10 fingers of a person are used for identification. This explains the need to continuously decrease the error rates of fingerprint matchers employed in large-scale identification systems.
It also lists some US government's systems' performance and the FNMR seems to be higher than FMR in just about all system. Does this means that the system will not match more often than finding a match?

I always want to know why my Fujitsu P1510's fingerprint log in system always rejects me with a rate like 20-25 tries to get one successful log in (I have not disabled that system). This paper offers some plausible explanation:
Fingerprint sensors embedded in consumer electronic devices tend to have a smaller sensing area. This factor, combined with users’ improper placement of their finger on the sensor, results in a limited overlapping area between two impressions of the same finger, as Figure 5c shows. Given the very small number of minutiae in the overlapping area, it is difficult to determine if two fingerprints are from the same finger.

One way to alleviate this problem is to utilize level 3 features to improve the matching accuracy in cases where there is only a small overlapping area between the two impressions. However, level 3 features may not be suitable for commercial applications because the sensors used in such applications usually provide only low-resolution images.

Why do I have so much trouble with fingerprint recognition system? This paper offers these suggestions:
In some cases, a fingerprint recognition system may not even successfully capture the user’s fingerprint. Failure to enroll (FTE) and failure to acquire (FTA) refer to the fraction of users who cannot be enrolled or processed by a particular system due to the poor quality of their fingerprints— for example, people such as manual laborers or the elderly with “worn-out” fingers. In practice, FTE can be rather high (a few percentage points) depending on the target population and the occupation of users in the population.
[...]
Due to nonideal skin conditions, inherently low-quality fingers, and sensor noise, a significant percentage of fingerprint images are of poor quality. Extracting features from and matching low-quality fingerprints, like those shown in Figures 5a and 5b, is a challenging problem that will require significant research.
[...]
Pressing soft finger skin on a sensor always introduces some distortion, which is generally not repeatable. Matched fingerprints may appear very different under severe distortion, as Figure 5d shows.

The paper's conclusion is reassuring to know that it is not totally my fault:
Although fingerprint recognition is one of the earliest applications of pattern recognition, the accuracy of state-of-the-art fingerprint-matching systems is still not comparable to human fingerprint experts in many situations, particularly latent print matching. Significant advances require not only a deeper understanding of friction ridge formation, but also adaptation of new developments in sensor technology, image processing, pattern recognition, machine learning, cryptography, and statistical modeling. While successful commercial applications have driven fingerprint-matching technology, more breakthroughs could be achieved with greater investment in fundamental research.

Thursday, February 4, 2010

Brisbane Office Vacancy rising - one possible explanation

Well, it was reported that Brisbane CBD average of 5.1 per cent and is the highest vacancy in the CBD since January 1995 and one possible explanation is Mincom's contribution by making 30 people redundant end of Jan 2010.

Tuesday, February 2, 2010

This is really funny - various use of iPad

This report is really funny citing the lack of originality of the word iPad,
Fujitsu Ltd. said its US subsidiary in 2002 launched the "iPad", a sleek handheld multimedia device with a 3.5-inch screen, used by retail store clerks to keep inventory data, scan barcodes and manage business operations.
[...]
Germany's Siemens uses the trademark "iPad" for small engines and motors.

The Swiss-based microchip maker STMicroelectronics has reportedly also registered "IPAD", short for "Integrated Passive and Active Devices."

In Canada, the Ontario-based company Coconut Grove Pads Inc. has since 2007 made a line of bra inserts and shoulder pads called the "iPad", according to an online report by the Globe and Mail daily.

A Japanese company that makes a product of the same name -- pronounced "ai pad" when transcribed from the Japanese -- is Awaji-Tec, a manufacturer of adult nappies with a high-tech twist.

The company says its nappies feature an electronic device that can send a signal to a remote caregiver when it needs to be changed.
[...]
Meanwhile in China, a company has used a different name -- the "P88" -- for an iPad look-alike, with a slightly larger screen, faster processor and larger memory but battery life of only 1.5 hours compared to the iPad's 10 hours.
The following comment really hurts:
But the makers of the P88, Shenzhen Great Loong Brother Industrial Co., said Apple appeared to be the copycats. 
 "We don't understand. Why did they make the same thing as us?" Huang Xiaofang, an executive at the company, told AFP. "We launched it earlier."
Well done!

Monday, February 1, 2010

iPad is not the thinnest...

iPad (or would it be iBad) is not the thinnest device on the market - a piece of paper is. Some may argue this is a stupid comparison but when a device that cannot show 70%-75% of the Internet graphic contents using Adobe flash, it is as functional to my piece of blank paper for showing the Internet contents.

Hence my rather sarcastic comparison is therefore not without merit and foundation.

Poor Apple also being caught out of false advertising displaying a web page containing flash content that can only be visualized by iPad owners with tonnes of imagination or boxes of crayons. The ability of flash to show graphic contents has proven too great a temptation for Apple to resist.

Something that every non-iPad or iPod owners could see and enjoy on his or her computers or smart phones is only a distance longing for iPad or iPod owners. But then again there are people who love to be controlled and dictated by Apple and will not mine throwing money at Jobs' feet for the contempt he dishes out to his customers.

Investing in failure to create success

A recently published article of this title contains some uncomfortable truths to many so called IT companies:
Given IT innovation is trial and error, how much should you invest in allowing for errors?

The short answer is a lot. Some IT companies are risking up to 75 per cent of their R&D budget for a winning result.

Others have invested years in seemingly losing ideas that eventually transformed into a winning one.

[...]
“A lot of companies will try a product, fail and think it's too hard and crawl back in their box. Australia is quite conservative,” Gardiner says.

However, to compete in a global market companies must take risks.

“(US companies) are risk-takers and to compete with them we have to be too.”

[...]
He believes managers today are too focused on immediate results and are reluctant to spend on developing products that will only pay off years down the track. Some will milk proven products in lieu of trying new ones, despite pouring money into research.
At the end sound advice:
His advice for companies unsure of investing in new ideas includes:
- Decide what game you are in, then play to win
- Invest in the development team and keep learning so you can discover how you can adapt
- Have lots of tenacity, patience and perseverance. A solution that is very hard to conquer is also very hard to copy, giving its owner an immediate advantage.