
TIMO ZIMMERMANN

balancing software engineering & infosec

How two factor authentication is never going to be adopted

posted on Wednesday 9th of October 2019

Last year Facebook spammed people who added their phone number to increase their account security. Now Twitter did it as well. Obviously it was a mistake, at least if you believe companies driven by ad revenue and by selling customers data. What most people will take away from those incidents is that companies tell you to add your phone number to improve the security of your account, but only use it to send you more ads and other unsolicited „content“.

Now people might argue that SMS is the worst form of two factor authentication – and from a technical perspective I fully agree. For targeted attacks a SIM swap is feasible in some countries. For people primarily posting cat pictures, who would only ever be the victim of untargeted attacks, it most likely is not a concern.

While it is not perfect, it is an improvement from a security perspective over „hunter12“ being the only thing preventing someone from taking over an account to post spam. It also is a good introduction to the concept of two factor authentication. It uses a medium users are familiar with, understand and does not add an additional layer of – what non tech savvy users might consider – inconvenience to get started.

Getting people to adopt two factor authentication is hard. Every small step in the right direction helps a lot, but this also means companies cannot leverage phone numbers they get for security reasons to spam their product's customers.
We obviously cannot expect anything from Facebook or Twitter anymore, but if you are working on any system allowing two factor authentication via SMS please consider it part of your job to advocate and explain to the organization that those phone numbers are not to be abused.


iPhone 11 – bye bye bumper

posted on Saturday 28th of September 2019

Life happened.
Not in a bad way like you would expect when a blog post is starting with those two words; it just happened. I wrote a recap of the Apple keynote feeling underwhelmed. Appreciating all the upgrades and small improvements but for me there simply was no “wow” factor in anything they showed. Others seemed pretty excited, especially about the option to get a new colour to show the world you have the latest iPhone. (As if the three cameras would not be indicator enough.)

A few days later I learned about two things. First, my parents needed new phones. They still were on the iPhone 6 (s). Second, I could get free phones with my phone contracts. (While this is only technically true and I am not planning to go deep on how taxes work in Germany, it is close enough to be accurate to go with it.)

So I got myself an iPhone 11 Pro Max, my mother an iPhone 11 and my dad got my iPhone X. To me it was a chance to get my hands on the larger screen, which I really appreciate and missed with the X.

iPhone 11, iPhone X, iPhone 11 Pro Max

Having used my 11 Pro Max for a week now and having played around with the 11 a few times I am actually quite confident in what to recommend to people when they are looking to get a new one! (And as every year around this time I get this question a few more times than you would imagine.)

iPhone 11 Pro (Max)

iPhone 11

If you are on an X({s|r}) I would not bother except if you really want the camera. The upgrade would in my opinion not have enough impact to justify the price.

In all seriousness, the 11 is likely the best device for over 90% of people who buy an iPhone because they want an iPhone. Most likely even for enough who know the difference between the 11 and the Pro.
That being said, the 11 Pro Max is an awesome device and you’ll have to rip it out of my cold, dead hands for at least the next 11 months.

To be very honest, the best thing about the phone (besides the screen size) is the material and feel of it. The iPhone X was the first one for which I bought a bumper – to make sure I had a solid grip on it. For any other phone before I usually got a nice case from germanmade and used it without a bumper. I really enjoy the feel of the material (which is also why I cannot stand using cheap Android phones). But believe me, I did not like having to use a bumper or otherwise feeling like I would drop the phone any second.

The stainless steel band ensures I have a solid grip, and during the whole last week I never felt like it was sliding away. The matte glass on the back seems more slippery than the glass on the X and 11, but it is nice to the touch and does not affect the security of my grip. So my phone is finally bumper free again. And while it might seem idiotic to you that I rave about holding my phone without a case, it is the most notable and enjoyable difference to me.


Thoughts on Apples Special Event

posted on Thursday 12th of September 2019

Another year, another iPhone. And a watch. And an iPad. Shockingly, no one was surprised. The name change could be expected, but I think it was a 50:50 chance as to who would turn out to be right about it.

There were no design changes besides another added camera, which seems to be the whole selling point. Faster chip? Sure. Better display? Okay. Another camera? Of course, your videos can now suck in 4k 60FPS and your photos still show a person's head cut off at the top. All of the features make sense and are a technical evolution from the previous generation, but to me they are pretty meaningless.

I do not really watch videos on my phone. I suck at taking pictures. I do not particularly like green as a colour. I do not game on my phone. So upgrading from my iPhone X would basically mean a new battery and zero improvement in any area I care about.

The Apple Watch is one of my favourite devices right now. And if you are not on the 4th generation already the new one surely is a great upgrade. But other than that – I would likely still go for aluminium since I usually wear it while working out and prefer the lightness and I am okay if the watch only turns on when I look at it.

Games and TV+ are the same to me. People celebrate that it is only $5. I believe that a higher price would have killed both products before they even launched. There are many indie developers who will get exposure – not that it pays the bills, but it is something, right? *sigh* – and there are likely some productions which might be worth watching. But before larger publishers and media companies join the game, I do not think a price that would roughly equal Netflix would work. I am really looking forward to seeing how the content will grow and develop though.

Overall there are solid improvements for all products, and the newly introduced services have the potential to become relevant. To me the most exciting thing was Tim not telling us how well everyone is doing but directly starting with the product introductions. ¯\_(ツ)_/¯


Security 101: documentation – policies in disguise

posted on Saturday 7th of September 2019

There are a few things you will hear every startup chant about as if it was an absolute truth. The most prominent one is likely „move fast“ – meaning „all the talk about best practices etc. does not apply to us; we have to ‚move fast‘ to make it“. While this might be true in a lot of cases, I have often seen it being a disadvantage, even in the short term.

It is likely that you can get away with a lot of short cuts. Code you write today is probably obsolete in a few months, maybe even in a few weeks. Deciding to cut corners when developing your asynchronous workers likely won’t matter until you have a lot more customers than you currently have. Having a configuration file checked into git, forcing you to redeploy on each config change, can be feasible for some time. Obviously all of the technical debt comes with a few exceptions though, like having your workers separated properly in your code base and not checking in secrets.

What I would advocate against most of the time is skipping documentation. It might be tempting to follow the narrative that documentation is just a burden to maintain and that it will be outdated in a few weeks, but this is purely an organisational problem. If you document features and processes as you build them it will likely only be a very minor point on your todo list when working on large changes. And maintaining documentation as part of your feature work means it will not be outdated (or simply wrong).

This also does not mean you should write prose for everything you do. Changing the way a button looks? I would not expect any documentation at all. Adding a circuit breaker when your email service of choice is down? A sentence in a change log should be sufficient. Developing a circuit breaker solution in house? A few lines as spec to have some guidelines around design decisions are fine.

There is also the sort of documentation you write once and then leave it unchanged for months, maybe years. How do you handle your code review process? Opening a merge request and two people have to approve a change? Maybe one? Is code merged into a staging branch first or directly into production? Just write it down. It is, again, a few sentences and you are done. While it might not be a one time investment, it is a relatively small part of the work you will be doing. And it likely will not delay your product roadmap significantly.

But what do you get in exchange for documenting features, changes and processes? In the end it is still time you are not working on shipping your actual product, right?

First of all: As you scale and grow your team you make onboarding a lot easier. You have a set of documents and resources you can point new employees to so they get a basic understanding of how things work. More senior engineers have a way to see the reasoning behind certain features and design decisions, which, as you grow, will potentially look less optimal when approaching a problem from a best practice point of view. One part that makes hiring expensive is not only sourcing and interviewing, but also onboarding. Being able to reduce your onboarding cost with small, continuous investments will pay off as you scale. Especially when you are forced to grow fast.

The other reason (and this is why it is part of the „security 101“ series!) is that most documentation can serve as policy.

I can already see my infosec colleagues with audit experience reaching for their torches, especially if they were recently going through one and got remediation plans containing „date format on policy X does not match the standard format“. But hear me out, there is actually some truth hidden in this statement.

Startups usually do not think a lot (if at all) about audits, certifications or external controls if they are not operating in a highly regulated environment like finance or healthcare. The day one of those things is required it is usually a panicky “all hands on deck”-situation that no one will have a good time with.

The most common scenario in which this might come up is a partnership with a larger enterprise or selling to another business. Companies will have something like a “vendor acquisition policy” which defines which standards a potential partner or vendor has to fulfil for the deal to go through. Many list SOC in one form or another or ISO27001, for example. The moment one or more certifications are on the requirements list to close a deal, you can be sure you will either have to get the certification or the deal is off. There are only a few very rare cases I have seen where someone on the highest level of management whitelisted the deal despite unmet technical acquisition criteria.

Realistically speaking you will not even be close to fulfilling any of those certification requirements by simply documenting what you do, how you do it and what is happening in your system. But you will have a lot of the foundational work done – you do not have to do it last minute. You can, as larger deals sneak up, start looking at the certification requirements and see which processes might need some adjustments, where you are currently lacking documentation or processes, and how much work it will be to get your system and company into a compliant state. Having an actionable list of work for which the effort can actually be estimated will be a huge help, especially when you can use it as a base for communication with your potential partner to see if you can move forward while working on the last few things – believe it or not, this actually worked in the past.

Some certifications actually make sense. Some not so much. But nearly all have one purpose besides being a checklist item: They help instil trust. When selling to end users and consumers, they show that you actually care. They show that you want to be on the front page of TechCrunch for shipping a new feature or closing a funding round, not because you leaked PII. While this is not the purpose of many certifications, and while you can be fully compliant with a few and still mess up badly, they will instil trust.

Especially for end users and consumers it often does not matter what you actually do, but if they feel like they can trust you with their data. Many will not even know the certification you mention on your marketing page, but they will still feel better that you got one. This might sound wrong to some and be assured, so it does to me. This is not about logic or facts, this is about psychology, marketing and sales. Here, trust is a currency you cannot ignore.

Documenting your system and processes will help you on many different occasions. It is some additional work you have to do, but if you start early and make it part of your regular process it will only be a very small portion of the overall work. So better start today than on the day you need it. Future you will thank you. If you are unsure how and what to document, do not worry, I will cover that in depth in future posts.

If you want to follow this article series you can either subscribe to the general RSS feed or to the tag specific one if you only care about startup security posts.


30 years of Fetch

posted on Thursday 5th of September 2019

Over the last two decades I used a lot of software. And I really mean “a lot”. I have seen projects come and go – sometimes the market was not ready, sometimes the developer messed up, sometimes a new app simply was better at solving the same problem, sometimes free software just became, well, good enough. Considering how short-lived software is makes the fact that Fetch is celebrating its 30th anniversary even more noteworthy.

I think Jim puts it very well –

Fetch’s longevity has been a continual surprise to me. Most application software has the life expectancy of a field mouse. Of the thousands of other Mac apps on the market on September 1, 1989 I can only think of four (Panorama, Word, Excel and Photoshop) that are still sold today. Fetch 1.0 was released into a world with leaded gasoline and a Berlin Wall; DVD players and Windows 95 were still in the future. The Fetch icon is a dog with a floppy disc in its mouth; at this point it might as well be a stone tablet.

Jim Matthews

I have seen software being celebrated as a big innovation that will revolutionise everything which did not even make the 30 day mark.

I hope one day I will also be able to look back over decades and see software I am or was working on grow, have an impact on people's lives, still be in good shape and have some users who cherish it. Kudos Jim and team!