Archive for the ‘Technology’ Category

OpenSocial

Google just announced something called OpenSocial, which is a Facebook-apps-like mechanism running on an open platform of essentially embedded JS and HTML. At least, that's the gist I'm getting.

But where's the security? Letting untrusted apps run JS on my social network site (and that's not just a hypothetical: 1 million actual users, more like 3 million the way Facebook and MySpace count them) means giving them access to cookies (we set HttpOnly, but that doesn't cover all browsers by any means) and the ability to do a lot of really nasty things to our users.

Seems to me Facebook didn't do a closed platform so much for lock-in as to avoid security issues just like this. The hoops you have to jump through to get any serious information out of a Facebook app, including several levels of user confirmation, are a serious hindrance to overt abusive use.

Either Google has failed to make this useful to me, or they have failed to market it to me. Both of these possibilities seem very surprising.

Stupid Banks Stupid About Stupid Security Questions

So my bank has recently decided to start DEMANDING security question/answer pairs for its web login system. In order to log in, you MUST answer one of your security questions in addition to your password.

They give you 5 sets of questions to choose from and a freeform field to put the answer into. Am I the only one who sees the gaping stupidity of this? If they let you write your own questions, maybe that'd be OK. But all of their questions are either easily discoverable (stuff like maiden names, high school mascots, pets, best friends' names, etc.; in fact, the very things that password security policy has for years advised you to KEEP OUT OF YOUR PASSWORD, and for very good reason), change really often (favorite magazine, favorite chocolate bar, favorite restaurant), or are very gender-selective (favorite fashion designer, and a big WTF to that one in general too).

If someone can take the time to find out your actual password, they can take the time to find these things out. There are only 5 questions, so at a minimum it'll take 5 random login attempts from different computers, spread over a couple of months, to find out what they all are and do some research, without setting off alarm bells at the bank.
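As an added worked example (not part of the original post), here is what that enumeration actually costs an attacker, assuming the scheme described above: a fixed pool of 5 questions, with one question picked uniformly at random on each login attempt. The pool size and the uniform-random choice are assumptions about the bank's implementation; the function names are mine. Seeing every question is the classic coupon-collector problem, so 5 attempts is only the floor.

```python
"""Cost of enumerating a bank's fixed security-question pool.

Added worked example, not code from the original post. Assumes the login
form shows one question drawn uniformly at random from a pool of 5 on every
attempt; the attacker types any answer, notes the question, and moves on.
"""
from fractions import Fraction
from math import comb
import random

POOL_SIZE = 5  # assumed: the bank offers 5 question/answer pairs


def p_all_seen(n_attempts: int, pool: int = POOL_SIZE) -> Fraction:
    """Exact probability that n uniform draws show every one of `pool` questions.

    Inclusion-exclusion over the set of questions that never appear:
    P = sum_{k=0..pool} (-1)^k * C(pool, k) * ((pool - k) / pool)^n
    """
    if n_attempts < pool:
        return Fraction(0)
    total = Fraction(0)
    for k in range(pool + 1):
        total += (-1) ** k * comb(pool, k) * Fraction(pool - k, pool) ** n_attempts
    return total


def expected_attempts(pool: int = POOL_SIZE) -> Fraction:
    """Expected number of login attempts to see every question: pool * H(pool)."""
    return pool * sum(Fraction(1, i) for i in range(1, pool + 1))


def attempts_for_confidence(confidence, pool: int = POOL_SIZE) -> int:
    """Smallest n such that P(all questions seen within n attempts) >= confidence."""
    n = pool
    while p_all_seen(n, pool) < confidence:
        n += 1
    return n


def simulate_enumeration(pool: int = POOL_SIZE, seed: int = 1) -> int:
    """One attacker run: keep attempting logins until every question has appeared.

    Returns the number of attempts it took; always at least `pool`.
    """
    rng = random.Random(seed)
    seen = set()
    attempts = 0
    while len(seen) < pool:
        attempts += 1
        seen.add(rng.randrange(pool))
    return attempts


if __name__ == "__main__":
    print(f"P(all {POOL_SIZE} seen in exactly {POOL_SIZE} attempts) = "
          f"{float(p_all_seen(POOL_SIZE)):.4f}")
    print(f"expected attempts = {float(expected_attempts()):.2f}")
    for c in (Fraction(1, 2), Fraction(9, 10), Fraction(99, 100)):
        print(f"attempts for {float(c):.0%} confidence = {attempts_for_confidence(c)}")
    print("simulated run:", simulate_enumeration())
```

With a pool of 5, the attacker sees all five questions in exactly 5 attempts less than 4% of the time; on average it takes about 11.4 attempts, and 18 attempts give 90% coverage. Spread over a couple of months from different machines, that is still a handful of failed logins per week, which is the kind of noise a fraud team is unlikely to flag. The same calculation shows why lockout-after-N-failures does not help here: the attacker never needs a successful login to learn the questions.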

When are companies going to realize that security questions are a serious regression in security?

Random nerdy fact of the day

qmail has a limit of 900 characters on email addresses it’ll relay.