Progress?

Parental sysadminnery: now less "reinstall the OS", more "password insufficiently complex".

That's the new "PC LOAD LETTER".


25 Responses:

  1. TimeDoctor says:

    I am desperately trying to get my family to start using a password manager like 1password and it is one of the most frustrating things to teach since the value isn't understood even when they lose their passwords all the time.

    • grェ says:

      glwt; it's hard enough to get IT departments to use such things. ;.;

      Meanwhile, TLS client-certificate authentication is supported by pretty much every browser, even cell phone browsers; and startssl.com offers free certs, yet no one uses those. It's 2012, and we're still dealing with passwords, which ultimately are probably still being shoved into an NTLM or DES hash. :( :( :(

      PROGRESS!

      That said, if they're running OS X, Keychain is built-in, and many things have hooks for it. I know many who use 1Password, but selling people on a commercial app that they can't wrap their heads around needing is difficult. I think the only reason they're successful is because free alternatives (e.g. pwsafe/Password Gorilla/etc.) are terrible.

      I wish this were a trivially solved problem. Really.

      • jwz says:

        In this case, the clusterfuckery was "all I wanted to do was download a free app on my iPad!"

        It's kind of mind-blowing how convoluted and horrible a process Apple has made that. Multiple forms, email confirmation, more forms, more password prompts, plus the store timing out all the time, because it's Christmas. Awesome.

        And that's even before you get to the part where no part of the iOS system ever seems willing to remember your Apple password for you.

        • iOS 6 at least stopped prompting you for your passwords when you ask it to install upgrades of the apps you've already paid for, so um...progress?

          No, not really. Just the fact that they let you use your email address as your apple ID is still unforgivable: yeah, that sounds convenient, but just try explaining to a 77-year-old retired hippie schoolteacher that while 'grandma99@gmail.com' is both her gmail address and her apple ID, the passwords are different because... oh god mom, fine, just use 'iluvgrandkids' as your password for everything, sure...

          I finally just gave up and demanded that my mother and mom-in-law share all of their relevant passwords with me so that I could keep them safely stowed away in 1password for the inevitable holiday tech support concalls. That plus forcing them to install logmein on every computer they own (and, again, giving me the password) has reduced the pain to manageable levels. (Where 'manageable' is of course defined as 'right up to the point when they somehow manage to fry their Time Capsule while I am 3000 miles away'; thank god for local friends who are susceptible to bribery.)

          Whoever actually solves this mess will win everything forever.

          • MIke Cotton says:

            Let you use it, hell. They forced me to change my non-email Apple ID (which I'd had going all the way back to the mac.com days) to an email one.

        • TimeDoctor says:

          The password-remembrance issue at least seems to be a response to/in anticipation of "BUT MY CHILD JUST CHARGED $90 TO MY CREDIT CARD IN NNNNN FREE-TO-PLAY GAME" articles. You can adjust that timeout for the app store app but the whole password system sucks everywhere for every platform.

          • jwz says:

            That is obviously a problem they need to be concerned about, but explain to me how that's even remotely relevant to the use case of, "I want to download and run a free app without typing in a CC number at all."

            • TimeDoctor says:

              My guess is the password requirement for getting free apps is either a technical limitation (apple sucks at online) or a "business need" so that they can have NNN numbers of accounts registered by default with credit cards attached.

            • Russell Borogove says:

              It's reasonable to want to associate a user id with even a free app (so the system knows when to notify you about updates), and it's very reasonable to require authentication even in the free case ("Honey, what's this 'Grindr' on your iPad?").

              (BTW, whenever I'm logged into Facebook, your blog promises to use my Facebook sign-in to identify me, and then throws an error when I submit the comment.)

              • jwz says:

                No, it's not reasonable. Not when the signup procedure is so onerous.

                I don't know why Facebook login would be busted. I know that Twitter login hasn't worked for quite some time.

            • nightbird says:

              I have an iPad Mini I bought for work, and a separate Apple ID for work. I buy iTunes cards for my work account for apps like Documents-To-Go. I'm not about to use a personal CC, and I haven't had to enter one for either paid or free apps.

              • jwz says:

                No, you don't need to enter a CC, but you still have to go through the incredibly convoluted, slow, multi-stage process of getting an Apple ID in the first place. It's incredibly user-hostile to make someone spend 20 minutes trying to pick a password that Apple thinks is good enough, then wait for confirmation mail to arrive, etc., etc., just to download free software. What's the first thing anyone with an iPad does? They try to go download some free shit! Apple makes this insanely complicated.

                Maybe they claim to have "business reasons" for pissing off their customers like this, and maybe those reasons are even fanboy-satisfying, but that doesn't make it any less user-hostile.

                • I've been in the situation of not being able to apply free updates to iOS apps that I'd purchased in the US app store because my credit card had expired, and my old credit card had expired. It was the same for free and purchased apps. Buying iOS apps and then moving to a different country is a mess (and moving back is worse).

                • Owen W. says:

                  I find that debugging the "first-run" experience is surprisingly difficult and often overlooked. Once software or hardware is already set up it's easy to say "hey let's eliminate these two extraneous clicks" but developers seem to forget about the installation process.

                  NB: Android tablet setup requires a google login and that's it. Obvious downside: you own an android tablet.

        • grェ says:

          Indeed, I hate that too. At least I don't need a machine with iTunes just to install an app on my iOS device anymore, but that's pretty mild praise for something that should be configurable.

          These pocket devices have more horsepower than my laptop of a few years ago, and yet the vendor assumption that consumers want to buy into their software hegemony is unfortunate; maybe we'll see future decouplings, but I won't be holding my breath. :(

          Android is better about remembering credentials (which is disturbing for other reasons at times) and they allow for one to install apps from untrusted 3rd parties with a setting flick, so that no google credentials need to be on the device at all, but there are many things which don't have apk installers and can only be fetched from the App/Play store. :( Oh, and if you have the non-Google-branded devices, good luck ever getting any system updates even (weeps over my sidekick 4g, which despite being on the flagship android carrier of t-mobile, and from the #1 android vendor of Samsung which is part of the android update alliance which claimed they would provide updates for 18 months after a device's release, and despite even housing internally a Samsung Android SDK board, still runs an older version of Android than I could run on my ADP1/G1 when I bought the thing, it could be worse...)

          I find the most troubling shift to be Lion/Mountain Lion's App Store and Gatekeeper, though. Particularly how nebulous some of the error messages sometimes are when it comes to attempting to install 3rd-party software: because Gatekeeper defaults to only trusting things through the App Store, some breakages don't even tell you that it's because it's from an untrusted source, leaving the user with no clue other than that a download was apparently corrupt [hint, it's most likely not]. :( At least they still sell Snow Leopard, which wasn't as heinous about this, but I don't think I'll have much luck running that on my 2012 laptop. ;-/

          • gryazi says:

            Take heart, you could be celebrating the annual 27" iMac "oh no Jesus Christ how did all that crap get behind the LCD again?"

            This past year there's been an air filter running (ionizer specifically disabled to avoid cling-to-things-like-Mac effects), too. And last year's fix was an entire replacement this-year's-model machine (which was kinda a nice gesture as far as getting one of expansionless 2009 models off the streets, except clearly they didn't fix the design whups).

            The infuriating part is that paying for AppleCare is the most sensible solution, since when the nearest Store is an hour+ away the fuel cost is gonna balance out real quick, and at least it keeps the "look, clearly I've thrown as much money as is physically possible down this hole" option open for legal recourse if they come up with some excuse to refuse repair.

      • Ben says:

        I switched from Firefox to Safari and back to Firefox this year. Though it wasn't the reason I switched back, I was dismayed at how bad Safari is at picking up "this is a username and password, ask to store it" compared to Firefox.

        I'd prefer to have passwords in the keychain, rather than the clownwreck of Firefox's password storage thing, except that Safari misses out about half of the time.

      • chris t says:

        I would outright love to replace all passwords for my service with client certs, but for some reason all the documentation I've been able to find makes me want to shoot myself, and it doesn't give me a clear picture of what the end user experience will be like. Can you point me to a useful howto? Something that works with apache?

        • grェ says:

          Hmm, the only place I've seen this done 'right' was a previous employer in the infosec space, I don't know if we had any public docs on our internal systems for best practice, but the biggest trick is having a decent CA that hooks to your user accounts. For better or worse, Microsoft's Active Directory CA is the only one that seemed remotely usable to this end, but even then, it took about 20 minutes of handholding infosec professionals to get them to the point of being able to have working client certs.

          I suspect this can be done with some f/oss tools as well on the CA end of things (http://ejbca.sourceforge.net seems the most promising, but I haven't used it yet, and as it's written in Java that just seems like a different nightmare; openssl is a major headache, I don't think GnuTLS is much better in this department, heck, even puppet ended up rolling their own puppet-ca to make certs less of a rage-making fiasco, but it's pretty tailored just for puppet usage and I kind of doubt it will be very adaptable to more generic web client cert usage, but never say never).

          However, once you have a CA, then getting this working with apache is more in the land of mod_ssl configuration; and whatever your webapp is (e.g. some things, like TRAC may require a specific plugin to deal with client-certification, though you'll still need some bits in your apache configs).

          http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html is the canonical reference, but if you dig around a bit more googling for "client certificate authentication apache" you'll find some other howtos (fwiw http://thelazyadmin.com/2007/04/windows-certsrv-ssl-certificates-and-apache/ is a decent starting point, though it's not the be-all end-all; your actual configs will probably vary a bit). Most I find will need to be adapted a bit to whatever your environment may be, but essentially you'll have something like this:

          Generate a key on your apache host, and then generate a certificate request. Submit your certificate request (CSR) to your CA (e.g. connect to https://yourCAfqdn/certsrv if running MS AD CA) and get back a certificate (it may be in DER or PEM format and may need to be converted, grrr). Configure the webserver to use said certificate, and point to the CA you want to use, since there needs to be a 'chain of trust' (let's say apache since you said apache, and I've used that for sure, but nginx can be configured to deal with this as well). Once you get all that... HUZZAH! You've basically done step 1: i.e. gotten TLS/SSL working, no client certificate auth yet. That will require a bit more (and you'll need to revisit your webserver/apache configs for some other added lines).

          Now for other parts (sorry this is non-technical/specific at the moment; I do/did this for work, and I'm not on a work machine at the moment, so I don't have specific configs I can sanitize to post here, not to mention it's been my experience that even BSD/Linux/distro/Windows apache config file formats tend to vary a bit (groan), so some real world usage has to be left up to the reader).

          Now, you need your clients to request a certificate. If we're using MS AD's CA, there's a web server, again enumerated as something like https://yourfqdnforyourCAhere/certsrv: you'll go in with your browser, be prompted to login with your AD credentials, then request a client certificate and it should issue you one. If you're using Internet Explorer on Windows, you'll get prompted about whether you want to import this into your certificate store; if you're using Safari, you should get prompted to add it to your keychain; if you're using Firefox, they handle certificates internally. HOWEVER, if you're using Chrome, they don't know how to deal with this last I tried, so you'll want to grab the client certificate issued via IE or Safari and get it imported into your local trusted cert store (be it Windows' or OS X Keychain), at which point Chrome will be able to use it (this is sort of similar to how Chrome doesn't have proxy settings, but will use your OS's proxy setting configurations, which works, but is less granular and IMNSHO annoying as fuck). Android and iOS devices I'm not even going to get into, but it is doable iirc.

          Oh, and uhh... this assumes you're running your own CA - if so, you'll probably get some big warnings until you grab your CA's certificate (sorry this is getting a bit confusing but remember, your web server certificate, your CA's certificate and your browser's client certificate are all separate things, I'd usually do this step first, but again; not work computer/notes/etc.), and import it into your trusted certificates (be they Windows, or OS X Keychain; on *nix variants, it may vary, but usually somewhere under /etc/ssl is a good place to go digging). If you're not running your own CA, then I guess just hope they're already part of your trusted certs; startssl.com client certs will fall into this category, but I haven't monkeyed with those much, because I haven't yet found a site which takes advantage of them. Some folks use CACert, but very few OSs or browsers acknowledge them (or at least none I'd fucking trust cough linux).

          At any rate, once you go through all of that (and as an aside, dealing with EAP-TLS for wireless is a somewhat similar/related process), things just kind of work magically. You'll visit a site at https://whateveryourintranetsiteisthatisnowconfigured and your browser should pop up a dialog prompting you with some clickable icon about using a client certificate to authenticate associated with your username, click it (or if you have multiple client certs, as you may, select the relevant one for that domain/host/etc.) and BAM it should work, no passphrase needed. It is incredibly gratifying, bask in the glow of being a badass admin for a moment, because things inevitably go wrong eventually...

          It requires a lot of administrative setup, and unfortunately still a bit more end user front loading than I'd like, and as I mentioned before I really want to do this sort of thing without relying on MS's AD CA implementation, but when it does work, it's pretty awesome, almost like the web of 'the future'. Oh, other nice things: disabling a user account automagically means that their access to all intranet type things using it dies as well (or EAP-TLS wifi), so it's pretty nice for administration after the fact, but boy is it ever front loaded. I wish I had a better expert system that allowed me to make these things more repeatable (kind of like RANCID, but for my OS, instead of switch/router configs; I find the puppet/chef/cfengine modality totally obtuse and it gets in my way most of the time, while something like RANCID which just pays attention to what I do and checks in config diffs to a VCS is way better as far as modalities go, and more re-usable than versioning filesystems).

          I suspect this could be done on an external resource not just intranet stuff, but I haven't risked it yet... I really want to get some CA alternatives sorted out before I do so, as I don't want the MS AD dependency.

          This probably didn't make you want to shoot yourself any less, but I've definitely configured webapps that used apache as their underlying httpd with this in the past (even years ago), with client OSs ranging from Windows, OS X, FreeBSD and Linux variants, as well as Android and iOS. Working with infosec consultants is a bit insane-making at times...

          Oh, also things like CA certificate expirations become a bit of a major headache (remember all that generating keys and requests and whatnot? You get to do that ALL OVER AGAIN LATER). But this is where things like puppet are supposed to make our lives easier, right? (sigh) I really wish/want client cert stuff to be more programmatically available (like, pushing out the CA cert via GPO is easy, getting individual client cert requests isn't); again this is why puppet rolled their own CA implementation as far as I can tell, too bad it's just for authing puppet and not doing things that end users might be dealing with regularly. If there's a puppet wizard who has a good write-up/recipe/whatever I'm all ears.
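A worked, runnable version of the exchange grェ describes above, added here as an example and not part of the thread or of any project it mentions: using only Go's standard library it stands in for Apache with SSLVerifyClient require, issuing a private CA, a client certificate signed by it, and an HTTPS server that verifies the chain and then maps the certificate's CN to an account (so disabling the account cuts access as described). The CA name, the users alice and bob, and the function names Issue, NewServer and Fetch are all made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Issue returns a certificate for cn and its key: a self-signed CA when parent is
// nil, otherwise a client-auth certificate signed by that CA (the chain of trust).
func Issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	signer, signerKey := parent, parentKey
	if parent == nil { // root CA: signs itself and is allowed to sign further certificates
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewServer stands in for Apache with "SSLVerifyClient require": TLS rejects any certificate not
// chaining to ca, and the handler then maps the verified CN to an account (disabled = no access).
func NewServer(ca *x509.Certificate, enabled map[string]bool) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if user := r.TLS.PeerCertificates[0].Subject.CommonName; enabled[user] {
			w.Write([]byte("hello, " + user))
		} else {
			http.Error(w, "account disabled: "+user, http.StatusForbidden)
		}
	}))
	ts.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	ts.StartTLS()
	return ts
}

// Fetch plays the browser presenting cert/key; status 0 plus an error means the handshake was refused.
func Fetch(ts *httptest.Server, cert *x509.Certificate, key *ecdsa.PrivateKey) (int, error) {
	tr := ts.Client().Transport.(*http.Transport).Clone() // fresh connections per identity
	tr.TLSClientConfig.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
	resp, err := (&http.Client{Transport: tr}).Get(ts.URL)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}
```

A certificate issued by a different CA for the same CN never reaches the handler: the TLS layer refuses it before any application code runs, which is the whole point of the chain of trust.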

  2. Roger Braun says:

    So even jwz fixes his parents' computers? This is like the time when 50 Cent tweeted about how much he hates that his grandma makes him take out the trash, even though he is a millionaire.

    Some things never change...

    • James says:

      Well, that's not entirely true. Captchas are getting harder. Does that mean they will make users smarter? And if so, by instruction or attrition?