Author Archives: Kenji Yoshino

About Kenji Yoshino

Twitter: @tidgubi

Comparison of Financial Management Sites

This compares the observable security and the security claims of popular financial management sites. The security policy reviews were spread over a period of time; however, all Qualys SSL Labs tests were re-run on February 11, 2014 to ensure consistent grading.

The following aspects of each site were considered:

Summary

Service / Site       EV   Qualys Grade   Security Policy   Inconsistencies   Date Checked
mint.com             Yes  A-             B                 1                 January 16, 2014
PersonalCapital      Yes  B              F                 3                 January 17, 2014
Yodlee MoneyCenter   Yes  A-             A-                1                 February 5, 2014
LearnVest            Yes  B              C                 1                 February 1, 2014
CreditKarma          Yes  A-             C                 0                 January 19, 2014

If you have other sites you would like added, please add them to the comments.

Methodology

EV – Extended Validation

Extended Validation (EV) is important because it provides additional assurance that you are communicating with the site you believe you are. A corporate proxy cannot (with the exception of Internet Explorer) impersonate an EV certificate. This is a simple yes/no of whether the site uses an EV certificate to identify itself.

Qualys SSL Server Test

The Qualys SSL Server Test provides a good snapshot of the Certificate, Key Exchange, cipher suites, and protocol version supported by the servers to secure the connection between the web server and your browser. This is the Qualys SSL Server Test letter grade (A–F).

Security Policy Review

The connection between your browser and the web server is only one aspect of site security. The design of the website and its supporting database also contribute to security. Without being able to sit down with a developer and analyze the internals of the website, the posted security policy and practices are the best the general public can review. This is my letter grade of whether the security policy includes feasible protections and adequately addresses security threats.

Inconsistencies

To try to determine whether the security policies can be taken at face value, I’ve compared the security policies against security aspects of the site that can be observed and verified by the general public. This gives a feeling of how accurate, and therefore trustworthy, the security policies are. Granted, some of the inaccuracies might be intended to make the security policies understandable to the average person. This is the number of inconsistencies identified between different areas of the security policy and/or the actual website.

Making “Steve Gibson” Coffee with an AeroPress

Steve Gibson described how he uses an espresso machine to make a “perfect” cup of coffee in Episode 422 of Security Now!. For those of us without espresso machines, I’ve modified the recipe to use an Aerobie AeroPress. This method minimizes oxidation of the coffee.

What you need:

Instructions:

  1. Put 2 AeroPress scoops of coffee (approximately 4 tbsp.) into the AeroPress.
  2. Heat 16 oz water to 195° F. If you don’t have a precise heater, bring the water to a boil and let it sit for 30 seconds (ref Peet’s).
  3. Pour approximately 4oz water into your cup.
  4. Place the AeroPress on your cup, and fill to #4.
  5. Use the AeroPress stirrer to stir the coffee 30 times.
  6. Re-fill the water back to the #4.
  7. Use the AeroPress plunger to press the water through the AeroPress.
  8. Pour any remaining water into your cup.
  9. Enjoy your coffee.

Favorite iPhone 5 Case

My favorite iPhone 5 case is the CM4 iPhone Wallet Q Card Case. This case claims to hold 3 cards, but I’m only comfortable keeping a credit card and my driver’s license in it. It securely holds these two cards. I think 3 cards would be secure, but I think they would stretch out the leather. Some people worry about losing “everything”, but I see this as only having to keep track of one thing.

When I need to carry cash or additional cards, I grab my old Kenneth Cole REACTION since it is a pretty slim bi-fold wallet.

Editing the WordPress Comment Form

I don’t collect email addresses or URLs for my comments, but never removed the default ‘Your email address will not be published.’ text from my comment form.

Removing the email address and URL fields was simple using the 'comment_form_default_fields' hook with the following code in my theme’s functions.php:

add_filter('comment_form_default_fields', 'remove_email_url');
function remove_email_url($fields) {
        // $fields is the array of input fields rendered for non-logged-in
        // commenters; dropping a key removes that input from the form.
        if (isset($fields['url'])) {
                unset($fields['url']);
        }
        if (isset($fields['email'])) {
                unset($fields['email']);
        }
        return $fields;
}

I couldn’t find a simple tutorial for editing other aspects of the comments form and I didn’t want to dig into the theme and edit the /wp-content/themes/twentytwelve/comment.php file.
After poking around http://codex.wordpress.org/Function_Reference/comment_form and looking at the /wp-includes/comment-template.php, I realized the difference between the 'comment_form_default_fields' and 'comment_form_defaults' hooks.

'comment_form_default_fields' allows operation on the $fields of the comment_form.
'comment_form_defaults' allows modification on the $args of the comment_form.

Addition to my theme’s functions.php:

add_filter('comment_form_defaults', 'remove_publish_email');
function remove_publish_email($args) {
        // Replace the default 'Your email address will not be published.'
        // note shown above the comment field.
        $args['comment_notes_before'] = 'All comments are moderated.';
        return $args;
}
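Removing the inputs only changes what the browser renders; a request can still carry email and url parameters, and WordPress would store them. The following is an added example (not code from the original post) that drops those values server-side so the stored comment matches the stated policy of not collecting them; the hook names and $commentdata keys are WordPress core, the function name is my own.

```php
<?php
// Added example: keep the back end consistent with the trimmed comment form.
// 'preprocess_comment' runs on every submitted comment before it is saved.
add_filter('preprocess_comment', 'drop_email_url_before_save');
function drop_email_url_before_save($commentdata) {
        // Logged-in users get their email from their profile, so only
        // scrub the values that anonymous commenters could submit.
        if (!is_user_logged_in()) {
                $commentdata['comment_author_email'] = '';
                $commentdata['comment_author_url']   = '';
        }
        return $commentdata;
}

// If "Comment author must fill out name and e-mail" is enabled under
// Settings > Discussion, WordPress rejects comments without an email, which
// would silently break the form above. Forcing the option off here keeps
// behaviour consistent regardless of the dashboard setting.
add_filter('pre_option_require_name_email', '__return_zero');
```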