Category Archives: Miscelaneous

Hotel Rice Cooking

Growing up in an Japanese household, I love my sticky white rice. Many times, going on a trip means leaving sticky white rice behind, but I received a Tupperware Microwave Rice Cooker. I was skeptical at first, but after experimenting with it on a long business trip, I can make passable rice in the microwave.

The hotel I was staying in had a 1200W Microwave. For this microwave, I found 1 cup of rice, 1.5 cups of water, and 15 minutes on 50% power seemed to be just about right. For smaller, less powerful microwaves, you’ll need to increase the cooking time or power level.

My initial try was 1 cup of rice, 2 cups of water, and 5 minutes at 100% power. There was still a lot of water sloshing around, so I poured some out and put it back in for 2 more minutes. The remaining water boiled over and ended up leaving my rice dry.

Yodlee Security

This review was performed on February 5, 2014 and is part of a series of comparisons of financial management sites.

Yodlee Labs has been around for a while. While it doesn’t have the slickest interface, it seems to be compatible with the most financial institutions.

moneycenter.yodlee.com uses a EV certificate with a 2048 bit RSA key.

moneycenter.yodlee.com receives an A- on the Qualys SSL Test run on February 11, 2014. They support TLS v1.2, but they allow SSL v3.0 and prioritize RC4 cipher suites. They also allow 2 key TDES to be negotiated.

Security Claims

  • Yodlee Labs – Security Policy
    • “Data and Password Encryption”
    • “Network Intrusion Detection Systems”
    • “Physical Security Measures”
    • “Rigorous Audits and Inspections”
    • “No Yodlee employees have access to your password.”
    • “The transmission of data is protected using industry recognized encryption standards, such as 128-bit.”
    • “Users’ passwords are transmitted and stored in encrypted format at all times.”
    • “Access to servers requires multiple levels of authentication, including biometric (hand print scan) procedures.”
    • “multiple layers of firewalls are used to guard against unauthorized access to the network.”

Analysis of claims

Yodlee has all of the right security claims. They discuss solid site security and even electronic shielding. The shielding is probably more than is necessary, but it’s nice as long as there’s not a trade off to gain the shielding. They discuss firewalls and IDSs to provide logical network security. The encryption claims of data in transit and encryption of bank passwords is good. That no Yodlee employees have access to your [Yodlee] password, implies that they are hashing your Yodlee password instead of encrypting it. This ensures that someone who manages to compromise the password database cannot decrypt your Yodlee password. They also discuss frequent security audits of their infrastructure.

The two things Yodlee does not mention are how the encryption key for your bank passwords is protected and scanning of the Yodlee website for potential vulnerabilities.

Inconsistencies

I was able to identify 1 minor inconstancy.

  1. They claim 128-bit encryption; however, they support a cipher suite with a 112-bit key.

Conclusion

Since the the “how” for encrypting passwords is more of a nice to have, and vulnerability scanning might be included in the security audits, I give Yodlee an A- for their security policy.

LearnVest Security

This review was performed on February 1, 2014 and is part of a series of comparisons of financial management sites.

LearnVest mixes financial services, free advice, and account aggregation.

www.learnvest.com uses a EV certificate with a 2048 bit RSA key.

www.learnvest.com receives an B on the Qualys SSL Test run on February 11, 2014. They do not support TLS v1.2, but they allow SSL v3.0 and prioritize RC4 cipher suites.

Security Claims

  • Safe & Secure
    • “128-bit secure socket layer technology (SSL) and SHA-256 encryption”
    • “secured by VeriSign, scanned daily by McAfee SECURE”
    • “LearnVest’s data is guarded 24/7”
    • “We use biometric checkpoints, multiple keylock entry and constant video surveillance.”
    • “Your money can’t go anywhere.”
    • “LearnVest will never sell your username, password or any identifiable information about you to anyone.”
    • “LearnVest’s privacy policy has been vetted and approved by TRUSTe”
  • Security & Legal
    • None.

Analysis of claims

LearnVest’s security claims are pretty good. Their site physical security sounds great. The SSL/TLS claims sound good as does being VeriSign secured and scanned by McAfee. While secondary to security, their privacy policy sounds good and is vetted by TRUSTe. LearnVest also mentions that its user interface does now allow users to transfer money.

The three things that LearnVest does not discuss are protection of bank passwords, an Intrusion Detection System (IDS), and scanning/analysis for Site exploits (e.g. SQL injection).

Inconsistencies

With the very limited security claims, I was still able to identify

  1. “SHA-256 encryption” – None of the cipher suites supported by LearnVest include SHA-256 and some enabled cipher suites use MD5.

Conclusion

Without protecting bank passwords, using an IDS, or testing for security vulnerabilities; I can only give LearnVest a C for their security policy.

Google Chrome Print Selected

Chrome Print SelectedI accidentally stumbled upon this hint, because Marriott’s site as of January 2014 does not print nicely. The menus expand on their print css, so the real content shows up after a page long list.

Anyway, Google Chrome has a built in “Print Selected” function, but the option only appears when you have text selected. Just select the portion of the page you want to print, click on the “Menu” icon (3 horizontal lines), and select “Print…”. Near the bottom of the Chrome Print dialog, a new checkbox has appeared labeled “Selection only”. Check this option, and Chrome will update the preview.

Credit Karma Security

This review was performed on January 19, 2014 and is part of a series of comparisons of financial management sites.

Credit Karma is primarily a site that allows you to receive free weekly credit reports from TransUnion, but it also has financial management features.

creditkarma.com uses a EV certificate with a 2048 bit RSA key.

creditkarma.com receives an A- on the Qualys SSL Test run on February 11, 2014. They support TLS v1.1 or v1.2 and have also disabled SSL v3.0.

Security Claims

  • Our Security Practices
    • Secure Connection using 128 bit encryption/li>
    • Secure Connection using a DigiCert EV certificate
    • “Our data center is monitored around the clock by security personnel.”
    • “We enlist independent, third-party experts in the field of application security to assess our site for vulnerabilities.”
    • “Read-only Access”
    • “Firewalls and Other Security Precautions”
  • FAQ
    • “industry-leading security precautions”
    • “security is independently assessed by third parties.”
    • “128-bit encryption”
    • “servers are physically protected”
    • “We only use your SSN for this first score retrieval, and we do not store it in our database.”

Analysis of claims

Credit Karma says most of the right things, although more details would make me feel better about what they do say. Their claims about connections to their web server are consistent with the SSL Test. They mention the physical security of their data center and firewalls. The 3rd party assessment and testing of their site security is where I would like to have a little more detail. What are the qualifications of the 3rd party testers and what types of vulnerabilities are they looking for. The Credit Karma web interface is also designed so it is read only and does not provide a method to transfer money. It is comforting that Credit Karma does not store Social Security Numbers. They must establish some sort of authenticated token with TransUnion when retrieving a credit score for the first time.

The two things that Credit Karma does not discuss are protection of bank passwords and an Intrusion Detection System (IDS).

Inconsistencies

I only identified one relatively minor inconsistency between Credit Karma’s security claims and the observable security of the site:

  1. None.

Conclusion

Without protecting bank passwords or using an IDS, I can only give Credit Karma a C for their security policy.