Tag Archives: fail

Be Careful With Google Backup Codes

I use two-factor authentication. It’s a lot more secure but it’s also a little scary if something happens to your phone. Because of that, I set up backup codes and downloaded a set of ten (you can only get 10 at a time). When it works, it’s nice – you click Try another way and enter the one-time-use code from the stash of ten instead of having a code texted to you.

What Google doesn’t tell you is, if you turn two-factor off and then back on, the backup code setup goes away. It’s not just that the codes you downloaded are invalid, it’s as if you never set up to use backup codes(1). You have to go into your security settings, select two-factor authentication, set up to use backup codes again, and generate new codes. I did not know this. I searched for documentation (“help” files are the only documentation) and I didn’t find it anywhere(2).

An analogy:

My car uses two-factor to start. It has a smart fob – detecting the fob and pressing the Start button starts the car. If the fob battery goes dead and I use the key, the car doesn’t forget how to start normally when I put a new battery in the fob.

I tested before a trip and tried to use a backup code. I didn’t see the backup codes option under Try another way, got frustrated, and pasted the backup code into the field where you normally enter the texted code. It recognized that it was an 8-digit backup code rather than a 6-digit text code and told me to go to Try another way(3). Nice infinite loop there.

When I got in using a texted code, I set up backup codes again and downloaded a new set. I logged out, cleared everything, and closed the browser. When I got back in using a backup code, the email notifying me that a backup code was used told me I had ten codes remaining. I had just used one of the ten one-time-use codes to log in which generated the email notification(4).

The takeaway

  1. There’s no polite way to put it – the code dealing with the use-case of 2-factor on-off-on is lazy and sloppy. Everything, from your microwave to your TV, remembers a function’s settings even if the function is turned off and then back on. If I set my camera’s LCD backlight to 3 and turn it off, it’s at 3 when I turn it on.
  2. The documentation is incomplete. In this case, incomplete=inaccurate. The program behaves in a way that is not documented and is counter-intuitive.
  3. The dialog you get if you paste a backup code into the text code field instructs you to do something that does not work. I’m all for re-using code but dialogs need to be tailored to the actual state. A quick check (the program already has the account information) of the state of backup codes could generate a meaningful message without compromising security: If (backup code set up) then (tell the user to use Try another way) else (tell them to use an available option).
  4. This is toddlers using Logo level programming. Seriously: x=10; x=x-1; email x.
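
As an added illustration of takeaway items 3 and 4 (this is a hypothetical model written for this post, not Google’s code), the snippet below keeps the backup-code store separate from the 2-factor on/off flag, burns a used code before counting what is left, and tailors the “that looks like a backup code” dialog to the account’s actual state. The 8-digit/6-digit lengths and the batch size of 10 come from the post; class and function names are invented.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass, field

# Figures from the post: backup codes are 8 digits, texted codes are 6,
# and you get 10 backup codes per batch.
BACKUP_CODE_LEN = 8
TEXT_CODE_LEN = 6
BATCH_SIZE = 10


@dataclass
class Account:
    """Hypothetical account model: the 2FA flag and the backup-code store are independent."""
    two_factor_enabled: bool = False
    unused_backup_codes: set[str] = field(default_factory=set)

    def generate_backup_codes(self) -> list[str]:
        """Issue a fresh batch of BATCH_SIZE distinct one-time codes, replacing any old batch."""
        batch: list[str] = []
        while len(batch) < BATCH_SIZE:
            code = f"{secrets.randbelow(10 ** BACKUP_CODE_LEN):0{BACKUP_CODE_LEN}d}"
            if code not in batch:          # keep the batch free of duplicates
                batch.append(code)
        self.unused_backup_codes = set(batch)
        return batch

    def set_two_factor(self, enabled: bool) -> None:
        """Toggle 2FA. The backup-code enrollment is left alone, the way a camera
        remembers its backlight level when it is switched off and on."""
        self.two_factor_enabled = enabled

    def redeem_backup_code(self, code: str) -> tuple[bool, int]:
        """Consume a backup code. Returns (accepted, codes remaining AFTER this use),
        so the notification e-mail reports the count the user really has left."""
        if self.two_factor_enabled and code in self.unused_backup_codes:
            self.unused_backup_codes.discard(code)       # burn it first ...
            return True, len(self.unused_backup_codes)   # ... then count what is left
        return False, len(self.unused_backup_codes)


def notification_text(remaining: int) -> str:
    """Body of the 'a backup code was used' e-mail, built from the post-redemption count."""
    return f"A backup code was just used to sign in. You have {remaining} backup codes remaining."


def code_field_hint(account: Account, entered: str) -> str | None:
    """State-aware message for a backup code pasted into the 6-digit text-code field.
    Returns None when the input is not recognisable as a backup code."""
    if len(entered) != BACKUP_CODE_LEN or not entered.isdigit():
        return None
    if account.unused_backup_codes:
        return "That looks like a backup code. Choose 'Try another way' and pick 'Backup codes'."
    return ("That looks like a backup code, but none are set up for this account. "
            "Use a texted code to sign in, then set up backup codes again.")


if __name__ == "__main__":
    acct = Account(two_factor_enabled=True)
    codes = acct.generate_backup_codes()
    acct.set_two_factor(False)
    acct.set_two_factor(True)             # on-off-on: the codes survive
    ok, left = acct.redeem_backup_code(codes[0])
    print(ok, notification_text(left))    # True, ... 9 backup codes remaining
    print(code_field_hint(acct, codes[1]))
```

The two details that matter are the order of operations in `redeem_backup_code` (discard, then count) and the fact that `set_two_factor` never touches `unused_backup_codes`; the dialog text is chosen by checking the store the program already holds rather than by reusing one generic message.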

Rod Serling voice: Picture this. A man on a deserted island has almost no power left in a satellite phone. Does he gamble on a phone number he’s not sure he remembers correctly or does he try to email to an address he knows is correct? The last time he emailed, it told him he had one code remaining so he tries email. No, he had no codes remaining. His email fails. He dies.

I haven’t tried it but I think the on-off-on scenario might also break the code generation app. It would depend on whether the app generates 6-digit codes like the ones you receive as a text or 8-digit backup codes.



This isn’t saying much, but Apple is worse. It doesn’t tell you while you’re setting it up, but Apple’s 2-factor is a one-way street. From the Apple support page:

Can I turn off two-factor authentication after I’ve turned it on?

If you already use two-factor authentication, you can no longer turn it off. Certain features in the latest versions of iOS and macOS require this extra level of security, which is designed to protect your information. If you recently updated your account, you can unenroll for two weeks. Just open your enrollment confirmation email and click the link to return to your previous security settings. Keep in mind, this makes your account less secure and means that you can’t use features that require higher security.

Data Breach – CafePress

Just the Facts

Timeline:

20 February 2019 – CafePress is hacked and over 23 million accounts are compromised.

13 July 2019 – According to this Forbes article, We Leak Info adds the CafePress breach to their database.

5 August 2019 – The author of the Forbes article receives an email from have i been pwned about the CafePress breach.

20 September 2019 – I receive an email from CafePress about the “Data Security Incident”.

My Take

It’s been 7 months since the data was stolen. If it hadn’t been found in the wild by third parties, they still might not know.

It’s been at least 2 months since they found out and they just now got around to telling their customers.

I didn’t have a CafePress account. Just to be sure, I tried to log in:

Whew!

I’ve only purchased from them maybe twice in my life and not for years. That means the hackers only got my name, email, phone number, and physical address. That also means that CafePress kept (I hope it really is past tense) purchase and account records in an internet-facing database for a long time.

A non-apology worthy of a politician caught red-handed:

“…sincerely regret any concern it may cause you”

So they’re not sorry. They just regret that I may have concerns. Concerns that may keep me from giving them my money in the future? That’s like saying something awful to someone and then saying “I regret that your feelings are hurt.”

“…And other information.” I learned about physical address from haveibeenpwned.com.

Later in the email is this:

“What We Are Doing

We have been diligently investigating this incident with the assistance of outside experts. We also have contacted and are cooperating with federal law enforcement authorities. In addition, we have taken various steps to further enhance the security of our systems and your information, and the affected database has been moved to a different environment.”

Not much and pretty vague. The part where the customer has to do things is so long it refers to another section:

“What You Can Do

As described in the “Additional Resources” section below, we recommend you remain vigilant and take steps to protect against identity theft or fraud, including monitoring your accounts and free credit reports for signs of suspicious activity.

We also recommend that you visit the CafePress website at www.cafepress.com and log in to any online account you may have, which should prompt you to change your account password, if you have not done so recently.”

They go on to say:

“In general, you should always ensure that you are not using the same password across multiple accounts, and that you are using strong passwords that are not easy to guess.”

There, there [pat on the head]. That’s trivial, deflecting, and condescending. A user account didn’t cause this, CafePress’s incompetent security did. How about I take investment advice from Bernie Madoff?

One more bit and I’ll stop ranting. About this. For a while.

All of the links in the email, including the big 3 credit reporting agencies, go through CafePress’s email list provider.

I know, let’s make the incident email look like spear phishing!

I mean, why wouldn’t I trust a link with

…krmpkhgftlhjtmbmjrsbzjfgrpjltskzppmktwzhsrfp_vjjjfrrrrkynfhgmmfmmrr.html

as much as I trust one that goes to

https://consumer.ftc.gov?
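
The complaint above is that every link in the notification goes through the mailing-list provider, so the visible text says one thing and the destination says another, which is exactly the shape of a phishing lure. As an added example (not from the post, and not the CafePress email itself), here is the check a recipient or a mail gateway can run over an HTML email: collect each anchor, work out which hostname its visible text names, and flag it when the href lands on a different registrable domain. The sample HTML, the redirector host `links.example-mailer.test` and the opaque paths are all constructed for this example.

```python
from __future__ import annotations
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the shape the post describes: the visible text names
# cafepress.com or the FTC, but the href goes to a mailing-list redirector.
# Hostnames and paths here are invented; none come from the real email.
SAMPLE_EMAIL_HTML = """
<p>Log in at <a href="https://links.example-mailer.test/c/opaque-token-1.html">www.cafepress.com</a>.</p>
<p>FTC advice: <a href="https://links.example-mailer.test/c/opaque-token-2.html">https://consumer.ftc.gov</a></p>
<p>Report fraud: <a href="https://www.identitytheft.gov/">identitytheft.gov</a></p>
<p><a href="https://links.example-mailer.test/c/opaque-token-3.html">Click here</a> to unsubscribe.</p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in_text(text: str) -> str:
    """Return the hostname the link text appears to name, or '' if it names none."""
    candidate = text if "://" in text else "https://" + text
    host = urlparse(candidate).hostname or ""
    # a bare phrase such as "Click here" has no dot and is not a hostname
    return host if "." in host else ""


def registrable_domain(host: str) -> str:
    # Last two labels only; enough for the sample. Real code should consult the
    # public suffix list so that names like example.co.uk are handled correctly.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def flag_mismatched_links(html: str) -> list[dict[str, str]]:
    """Flag anchors whose visible text names one domain while the href goes to another."""
    parser = AnchorCollector()
    parser.feed(html)
    findings: list[dict[str, str]] = []
    for href, text in parser.links:
        shown = host_in_text(text)
        actual = urlparse(href).hostname or ""
        if shown and registrable_domain(shown) != registrable_domain(actual):
            findings.append({"text": text, "shown_host": shown, "actual_host": actual})
    return findings


if __name__ == "__main__":
    for f in flag_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"link text says {f['shown_host']!r} but goes to {f['actual_host']!r}")
```

Run against the sample, the two links that display `www.cafepress.com` and `https://consumer.ftc.gov` are flagged, the direct `identitytheft.gov` link is not, and a bare “Click here” is skipped because its text names no host at all; that last case is the one a click-tracking redirector hides behind most often, which is why a breach notification should carry plain, direct URLs.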

CNN sucks

WARNING: This post contains foul language.

This is such a fail I’m not adding the “humor” tag.

The first Democratic debate, hosted by NBC and streamed on Youtube, worked fine.
The second debate, by CNN, was unwatchable. We have a modern smart TV and it has the “CNNgo” app but it wouldn’t work, even with cable credentials. Trying to stream via cnn.com was pathetic. They tried, but the servers were not up to the task. It was useless. Other streaming services worked fine so it wasn’t our network. I found transcripts (from someone other than CNN, of course) the next day.

This time, for the climate town hall, CNN didn’t even pretend not to be greedy incompetent f__ks. They’ll probably edit or take down the page but this is what it says:

Specifically states “CNN.com’s homepage” $$ Nothing about GIVE US MONEY $$

I tried watching on an iPad. It crashed and reloaded the page repeatedly. Amazingly, the countdown timer kept working. I tried a laptop and other than buffering and showing an ad with the countdown timer running, it worked-ish. For a while. See, they only showed a 10 minute “preview” before the video stopped working and they shook us down for TV provider credentials:

Democracy in action

Not that that would work, I wasted enough time on CNNgo before.

M has dish credentials. We don’t have it but she pays for her grandma so she can watch her telenovelas. Even if CNN was competent enough for that to work (they aren’t), this is our f__king democracy. Whether you’re a Democrat or not, one of these people may be our next president so it’s kind of important to know what they think about things.

Here’s the thing. Even if it worked, CNN should not be shaking down voters for money in order to provide this information. It’s a privilege that they got the debate and the town hall. It’s guaranteed viewers. Lots of viewers. Embed the ads in the stream and put it on a competent service.

This is capitalism at its worst: 1) They have a monopoly for this event. 2) They shake us down for money. 3) Even if you show, via TV provider credentials, that you gave them money, it DOESN’T F__KING WORK.

CNN: you can buy better, but you can’t pay more.

Random post for 11 July 2018

You ever look at some of the spam that gets caught by email filters? Sometimes there are lengthy paragraphs of text that look like they were scraped from random emails, texts, and web sites. Some of it is tiny, like this one, and some is white text on a white background that goes on and on.

Red Lobster spam

Every now and then there’s something funny in it, like this bit of slam poetry.

Jamaican dance hall music
Hussydom
Peasanthood
Jamaican dance hall music
Immortalizer
Three-penny piglet
LOL, Jamaican dance hall music


This popped up at an online Sudoku site. I probably don’t want to know.

Ice cream? Potato? Diseased organ?

Forgot which spam we were writing.

The app installation progress looks like cartoon Hitler.

Dang Etsy, do you know something I don’t?

OK, OK, OK, OK, OK, Wait, what?!

Random Post for 28 November 2017

I’ll start with this cartoon and get it out of the way.
I need to get one of those things that helps you make straight text.

I know it’s not nice to make fun of someone’s appearance or name but f__k this guy.

September was safety and security awareness month at work and this is the logo they chose.

Shades of Soviet propaganda posters.

I couldn’t resist. The same words according to an on line translator.

Be Essential, Comrade.

Not to be outdone, a buddy at work pranked me in the same style. He did the spine of a manual on my bookshelf too.

Arm & Hammer & Sickle. I didn’t notice for over a month.

M left this drawing for me.

Looks like Kid from Kid N’ Play. (Wikipedia claims fair use because it’s a promo. I’m using it in a satirical work.)

Soap dispenser is appalled and angered by your lack of hygiene.

Random Post For 28 September 2017

I found these saved on a thumb drive from about a year ago.

We’d recently seen a video of Pete, the farting wombat, eating corn.

M sent me a link to this video with the subject “OMG”. Original video is gone but I re-found it.

My reply:
Wombat did a better job.

M:
I didn’t think it was real because her scalp didn’t bleed. But then she posted six (!) follow-up videos and one of them was her going to the doc.

MORE WOMBAT, LESS TEENAGERS DESPERATE FOR “LIKES”

My reply:

More wombat!

Obviously, I’m easily amused.

Random Post For 17 April 2017

I forgot to turn off a Google reminder. Kind of glad I did since the images are from Atalaya Mountain, just like the last Konica photos.

Atalaya, six years ago.

I used M’s typewriter.

Say it in my head and count syllables on my fingers.

From work. Uh, can you wash my windshield? A pterodactyl $#@! on my car.

I hate meetings and doodle a lot to stay sane(ish).

Random Post for 2 September 2016

A while back, M was having a bad day at work and sent this to me.

Some “Shining” stuff going on here.

Yesterday, I put in a request via the “one stop shop” email for tech support.

I *thought* I was being clear that I needed help with the form.

The response today.

Nope. Holy $#@!, where’s the Tylenol?

I understand now… the cat in the hat the cat in the hat the cat in the hat the cat in the hat the cat in the hat the cat in the hat the cat in the hat the catin the hat the cati nthe hatthe cat in the hat the cat in the hat the cat in the hat the cat in the hat the cat in the hatthe cat in the hat the cat in the hat the cat in the hat the cat in the hat the cat in the hat


Here’s a picture of us with John Waters in 2012 taken with M’s Powershot SD1000.

He takes a Polaroid of everyone who enters his house.

Random Post For 27 July 2016

This was in a cyber security thing at work. I love how clip art and stock photos mash up something computer-y and an old school caricature of a thief, usually a mask and gloves, to represent cyber crimes. This one is extra funny because touchscreens don’t work with these $2.00 a pair drugstore gloves.

“Smartphone in hand with gloves” by Adam Radosavljevic – GettyImages/iStockphoto

Just got off of a phone call with Toyota Financial. Does everyone just put “Wait times may be longer than normal” at the beginning of their message now? It was an 18 minute call, with literally 1 minute spent speaking to a human to get the information I needed. No touch tone — voice menu only. It got right up to the part I needed, payoff information (mysteriously under “something else” and not “payment information”), before deciding to not understand me. I could hang up or suck it up and hold. I really needed the information so I held.

Not to be too Seinfeld but, what is the deal with hold music? It wasn’t a particularly hideous mix but why does digital hold music always sound like a stretched cassette tape with the tempo and volume wobbling in and out? Is it mixed into the “please have your account number ready, blah blah” (that I already gave to the voice menu bot) from an outsourced service?

I can see some telco room in Mumbai with a 90s MP3 player jacked into the sound card of an even older PC. Not one of those cool, tidy, color coded telcos either. A working room with fans, extension cords, and cables everywhere and a UPS that died years ago beeping away — still used to get more outlets. A profitable room. The kind of room that would make an OSHA nerd weep.

Toyota really doesn’t want you to pay off early. There’s no place on the coupon for extra principal. One time I sent extra and the next bill was reduced by the extra amount. I wondered why the payoff is more than the “outstanding balance” on the bill. Sneaky buggers, the balance on the bill is just principal owed. The bill amount times the number of payments to go is considerably more.

On a more up note, I found this card for my sister’s birthday. I really like it. The card is available in the “Mischievous Menagerie” box from Pomegranate. I may try and find a print.

“Barry and Pumpkin On the Way Up” by Kathy DeZarn Beynette