TD Canada Trust password policy fail

My browser was behaving strangely when I tried to log in to the TD Canada Trust online banking server, so just to be paranoid I decided to change my password using another machine.  I then realized that it was just me being dumb – my user agent was set to IE as I had been testing something earlier.  Oops!

However, it did all lead me to discover this gem epic failboat of a password policy:

When changing your password, please remember that it must be between 5 and 8 characters in length and should contain both letters and numbers. Special characters (e.g. #, &, @) must not be used as they will not be accepted by the system. Passwords consisting of all letters or all numbers are not recommended. Although TD Canada Trust does not require you to change your password, we recommend that for security purposes you change your password every 90 days.

Okay, wtf people.  5-8 characters seems awfully permissive, and doesn’t let me put in a nice long password… but not requiring numbers and letters?  Just recommending it?  And their system doesn’t support punctuation in passwords?  Yeesh.

It gets worse.  I decided to play around with it, and was able to change my password to the following:

  • foobar
  • 12345
  • 11111
  • aaaaa
  • the first 5 characters of my bank card number (which is the username when one logs in, and is common to many TD customers).
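Added example, not code from the original post: a small pair of password checkers that makes the gap concrete. The "legacy" checker enforces only what the quoted TD policy actually enforces (5-8 characters, no special characters; "letters and numbers" is a recommendation there, so it is deliberately not checked), and the "hardened" checker adds the length, denylist and similarity rules that would have rejected every password in the list above. The card-number-style username, the denylist and the passphrase are constructed sample values.

```python
# Added example: password-policy checks, not code from the original post.
# The "legacy" checker reproduces only what the quoted TD policy actually
# enforces (length 5-8, no special characters); "letters and numbers" is a
# recommendation there, so it is deliberately not checked. The "hardened"
# checker shows the additional rules that would have rejected every password
# in the list above. All inputs below are constructed sample values.

from typing import List

# Constructed stand-in for a common-password denylist; a real deployment
# would load a large published list rather than this handful.
COMMON_PASSWORDS = {"password", "foobar", "123456", "12345", "qwerty", "letmein"}

# Constructed card-number-style username (not a real card number).
SAMPLE_USERNAME = "4520123456789012"

# The passwords the post reports the system accepted.
POSTED_PASSWORDS = ["foobar", "12345", "11111", "aaaaa", SAMPLE_USERNAME[:5]]


def legacy_policy(password: str) -> List[str]:
    """Return the violations under the quoted 5-8 character policy."""
    problems = []
    if not 5 <= len(password) <= 8:
        problems.append("length must be 5-8 characters")
    if not password.isalnum():
        problems.append("special characters are not accepted")
    return problems


def is_sequential(s: str) -> bool:
    """True when every adjacent pair steps by exactly +1 or -1 (12345, edcba)."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def shares_username_fragment(password: str, username: str, n: int = 4) -> bool:
    """True when any n-character window of the username appears in the password."""
    p, u = password.lower(), username.lower()
    return any(u[i:i + n] in p for i in range(len(u) - n + 1))


def hardened_policy(password: str, username: str, min_len: int = 12) -> List[str]:
    """Length, denylist and similarity checks instead of composition rules."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    if len(set(password)) == 1:
        problems.append("single repeated character")
    if is_sequential(password):
        problems.append("sequential run of characters")
    if shares_username_fragment(password, username):
        problems.append("contains a fragment of the username")
    return problems


def compare_policies(password: str, username: str) -> dict:
    """Violations under both policies, for a side-by-side comparison."""
    return {"legacy": legacy_policy(password),
            "hardened": hardened_policy(password, username)}


if __name__ == "__main__":
    for pw in POSTED_PASSWORDS + ["correct horse battery"]:
        r = compare_policies(pw, SAMPLE_USERNAME)
        print(f"{pw!r:25} legacy={r['legacy'] or 'accepted'}  "
              f"hardened={r['hardened'] or 'accepted'}")
```

Running it shows every password from the list accepted by the legacy rules and rejected by the hardened ones, while a long passphrase with spaces passes the hardened check and fails the legacy one on both length and character set. The hardened checker follows the direction of NIST SP 800-63B: a minimum length plus a common-password denylist and a check against the username, rather than composition rules and a short maximum length.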

Obviously I’ve changed the password to one which is as secure as I can make it given their crappy constraints, but it really angers me that I’m paying through the fees I pay them for this kind of asinine security policy.  It almost makes me want to go through the hassle of switching banks… but I’m sure the others all have similar issues on one level or another.

Some days, though, this industry just makes me want to set things on fire – today is one of those days.

-Leigh

On CTF and tonsils

I signed up for the CCC CTF yesterday.  Team name: Pink Pwnies.  Mascot: Adorable.  See:

[Image: the team Pink Pwnies mascot]

I’m going in for a tonsillectomy tomorrow morning, and will be more or less offline for a couple of days.  I’ll be checking email and maybe replying to some of it, but everything will be a little slow.

Adult tonsillectomies are a weird business.  It’s considered pretty minor as a kid because they bounce back quickly, but adults seem to have a much harder time with it.  It’s apparently a 40 minute procedure, followed by 1-6 hours of observation.  I’m being given an alternate paralytic agent rather than sux (best pharmaceutical name ever!) because my uncle had a reaction to it as a kid which is potentially hereditary, but aside from that I’m an uber-routine case.  This gives me hope for my recovery being reasonably swift.  Well that and my still being pretty young and in decent health 🙂

I’ve found some good advice (warning, giant comment thread which recently got spun into a full-on forum) on the recovery process.  After the consult with the anesthetist this afternoon, I stocked up on non-sharp food, meal replacement drinks, ice cream, Gatorade powder, and some lovely teas.  I’ll be in the capable care of my favourite internet farmer this week until he heads off to Minneapolis for the IETF meeting, after which my favourite acquirer of pink things is coming up from Seattle to keep me company.  I’m not sure when I’ll be able to have visitors, but I’ll post here again when I regain some measure of lucidity.

Wish me luck!

-Leigh

CSC491 – Second Milestone

Not quite as far along as I want to be, but definitely getting there.  Refreshed my rpm and general sysadminning memories in the process.  Still a lot to get done to have anything interesting…

A bit of background is in order to understand what I’ve been up to.  I’ve been working this week on getting the hang of working with the Planet-Lab infrastructure, and can mostly find my way around it manually now.  I haven’t figured out how to automate the interactions with it in the way that will be needed for this project, but it’s a start.

Planet-Lab is a network of computers around the world which researchers can obtain access to (eventually).  As a user, one gets a “slice”, which as far as I can tell is just a project-specific username.  The user can assign virtual machines on the “nodes”, which are the actual machines.  Users have limited root access on the nodes, and can install software, set up cron jobs (scheduled tasks), and run scripts.

So where has this gotten me? Well, read on….


Exporting cookies from Firefox 3.x into cookies.txt format

I’ve been searching for a while for a way to extract cookies from Firefox 3.x in order to use them with stuff like wget and Perl’s libwww-perl, which I have been using for a bunch of scripting.  Firefox 3.x uses sqlite to store cookies, whereas apps which let you load cookies files are looking for IE or Netscape formatted ones.  The latter were used up to Firefox 2, but I’ve had trouble keeping FF2 and 3 happy on the same machine… And going back to FF2 feels really painful without the magical search bar of awesomeness.

There’s now a beta extension up to save your FF3 cookies to the right format, which makes me a very happy camper!  It’s on the official addons.mozilla.org site but you need to sign in to the site to download it here as it’s still experimental.  Super useful though!
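For anyone who would rather not install an experimental extension, the conversion itself is short. The script below is an added example, not the extension mentioned above and not code from the original post: it reads the moz_cookies table from a Firefox 3 cookies.sqlite and writes the Netscape cookies.txt format that wget’s --load-cookies and libwww-perl’s HTTP::Cookies::Netscape read. It assumes the Firefox 3 table layout (host, path, name, value, expiry, isSecure columns); the sample database is constructed in memory so the script runs without a real profile.

```python
# Added example: export Firefox 3.x cookies from cookies.sqlite to Netscape
# cookies.txt, the format wget and libwww-perl's HTTP::Cookies::Netscape read.
# This is not the extension mentioned above. It assumes the moz_cookies table
# layout Firefox 3 uses (host, path, name, value, expiry, isSecure); the sample
# database below is constructed in memory so the script runs without a profile.

import os
import shutil
import sqlite3
from typing import List, Tuple

NETSCAPE_HEADER = "# Netscape HTTP Cookie File"

# (host, path, isSecure, expiry, name, value) as selected from moz_cookies
CookieRow = Tuple[str, str, int, int, str, str]


def build_sample_db(path: str = ":memory:") -> sqlite3.Connection:
    """Constructed stand-in for a Firefox 3 profile's cookies.sqlite."""
    con = sqlite3.connect(path)
    con.execute(
        """CREATE TABLE moz_cookies (
               id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT, path TEXT,
               expiry INTEGER, lastAccessed INTEGER, isSecure INTEGER, isHttpOnly INTEGER)"""
    )
    con.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry, lastAccessed, isSecure, isHttpOnly)"
        " VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        [
            ("SESSID", "abc123", ".example.org", "/", 2000000000, 0, 1, 1),
            ("lang", "en", "www.example.net", "/docs", 2000000000, 0, 0, 0),
        ],
    )
    con.commit()
    return con


def read_cookies(con: sqlite3.Connection) -> List[CookieRow]:
    """Pull the columns cookies.txt needs, in a stable order."""
    return con.execute(
        "SELECT host, path, isSecure, expiry, name, value FROM moz_cookies"
        " ORDER BY host, path, name"
    ).fetchall()


def to_netscape_line(host: str, path: str, is_secure: int, expiry: int,
                     name: str, value: str) -> str:
    """One cookies.txt record: domain, subdomain flag, path, secure, expiry, name, value."""
    # A leading dot on the host means the cookie applies to subdomains, which is
    # what the second (TRUE/FALSE) column of cookies.txt records.
    subdomains = "TRUE" if host.startswith(".") else "FALSE"
    secure = "TRUE" if is_secure else "FALSE"
    return "\t".join([host, subdomains, path, secure, str(expiry), name, value])


def export_cookies(con: sqlite3.Connection) -> str:
    """Render the whole table as cookies.txt text, header included."""
    lines = [NETSCAPE_HEADER] + [to_netscape_line(*row) for row in read_cookies(con)]
    return "\n".join(lines) + "\n"


def export_profile(cookies_sqlite: str, out_path: str) -> int:
    """Export a real profile database to out_path; returns the number of cookies written."""
    # Firefox keeps cookies.sqlite open and locked while it is running, so work
    # on a copy of the file rather than the live database.
    copy_path = out_path + ".dbcopy"
    shutil.copyfile(cookies_sqlite, copy_path)
    con = sqlite3.connect(copy_path)
    try:
        text = export_cookies(con)
    finally:
        con.close()
        os.remove(copy_path)
    # The output holds live session cookies: create it readable by the owner only.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return text.count("\n") - 1


if __name__ == "__main__":
    print(export_cookies(build_sample_db()), end="")
```

For a real profile, call export_profile("/path/to/profile/cookies.sqlite", "cookies.txt") and then point wget at the result with --load-cookies cookies.txt. The exported file is as sensitive as the sessions it contains, which is why the script creates it with mode 0600; delete it when the scripting job is done.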

Also very useful and something I’d forgotten about until yesterday is this list of bookmarklets (snippets of javascript which you save as bookmarks) to manipulate form properties before submitting them, which lets you save passwords in your browser in forms where that function has been disabled, among other things.

-Leigh

CSC491 Capstone Design Class Notes and Status

For CSC491, the Capstone Design Project class I’m taking at the University of Toronto, I’m working with a project called InfoTrace.  The Citizen Lab, who run the project, are interested in global network reachability, particularly under adverse conditions such as DDoS attacks, BGP prefix hijacking, movement of server resources, etc.

Here’s what I’ve accomplished so far:

  • Tracked down U of T’s Principal Investigators for the Planet-Lab network and asked for access for the project
  • Set up this blog
  • Set up a GitHub account
  • Found some similar research
  • Read up on BGP
  • Explored several tools for doing traceroutes and related network tracing: hping3, nmap’s --traceroute, 0trace, and scapy.

A few links promised to my classmates, which are interesting on their own:

Miles Thibault is working on a business plan for a “Wikimovies” web site.  I think he’d get a lot out of some Long Tail reading:  Chris Anderson’s original article, and Kevin Kelly’s riff on it titled “1,000 True Fans”.

Denis Pankratov and Jennifer Ruttan are working on a really nifty-looking project to do accurate indoor localization with CDMA (that “other” cell phone protocol), and (blah) Ian Goldberg’s paper on “Three Protocols for Location Privacy” from last year’s Privacy Enhancing Technologies symposium.

My goals, which were originally for the next two weeks but have been pushed back only one as I’ve fallen a bit behind on the “getting stuff up and running” side of things, are:

  • Coming up with a database schema for storing connectivity information.
  • Getting a basic web interface up and running in django.

I’m working on these first rather than the network underpinnings as we don’t yet have access to the Planet-Lab infrastructure, so the constraints there aren’t entirely clear.  The front-end stuff will likely run on a server at Citizen Lab, so I can get that up and running right away.

-Leigh

Sup, internets!

So I have a public blog now, whee!  I needed to set one up for class, so I figured I’d do it right and just keep using it for other stuff.

I’ll be crossposting some hackerspace-related stuff to the HackLab.To page, and maybe setting up some aggregation for my classmates’ blogs for CSC491.  I post photos over at Flickr but you’ll see some here too sometimes.  Maybe I’ll even write a bit about my other big interests: information security, open source software, and equity / gender in IT issues.

-Leigh