In a further sign of desperation, Rick Perry is actually bothering to create negative ads against 3rd place (in polling) and 3rd rate candidate Rick Santorum! Somebody can correct me if I’m wrong, but I usually see this type of focus aimed at a candidate that is polling in first or second place. Kind of strange, but then again this is Rick Perry we’re talking about!
A lot of media sites and blogs are misquoting the president from last night’s 60 Minutes interview. I’m actually surprised that even CNN has fallen for this; here are the “headlines:”
Also, from RNC twitter;
RNC @RNC 23 mins
Obama: Recovery ‘Probably Takes More than One President.’ bit.ly/sgUo0V Let’s start w/a new POTUS in #2012.
So did the president really say that?
Let’s look at the transcript. Here is the original question from Steve Kroft (transcript, last page);
Kroft: You declared your candidacy. And you said, “The reason we’ve not met our challenges is a failure of leadership, the smallness of our politics, the ease with which we’re distracted by the petty and the trivial, our chronic avoidance of tough decisions, our presence for scoring cheap political points instead of rolling up our sleeves and building a working consensus to take on big problems.” I mean those were eloquent words and true words. Unfortunately, they’re still largely true today. Did you overpromise? Did you underestimate how difficult this was gonna be?
The president’s answer:
Obama: I didn’t overpromise. And I didn’t underestimate how tough this was gonna be. I always believed that this was a long term project. That reversing a culture here in Washington, dominated by special interests, it was gonna take more than a year. It was gonna take more than two years. It was gonna take more than one term. Probably takes more than one president.
The president is clearly talking about changing the culture in Washington, not the actual economic recovery. The video and the transcript are pretty clear; it almost seems like somebody misinterpreted this part of the interview and that view has snowballed into something else.
Update 1: Well, that didn’t take long, Romney already has a misleading ad misquoting the president on this;
Update 2: Other outlets are finally reporting that the quote is being taken out of context, and that Mitt Romney is at it again. Remember you heard about it here first at LGF!
Yfrog has released a statement called “Yfrog Security Update” which is somewhat misleading and explains the current status of the email upload feature.
Yesterday yfrog noticed this feature was not secure and implemented a couple of measures. The first one was to make the yfrog email address less prominent. Before Wednesday, yfrog used to show this email address in the upper right corner for a logged-in user, making it easy for anybody looking at your screen to copy this email.
Then yfrog disabled the post by email feature. Posts by email would result in an error email message being sent back to the sender notifying them the feature is disabled.
Tonight, the yfrog generated email address is not shown at all, and the feature seems to still be disabled.
Yfrog’s security update seems to indicate that while this feature is currently disabled, they plan on changing their scheme for generating email addresses and re-enabling the feature.
I’m going to assume they’re going to generate a key that is more complex, at least including numbers. They’re calling this an “email PIN”, I guess to make it more obvious that it is not to be shared. I assume the email will be similar to what twitpic uses (which I believe is just numeric).
However I do take issue with this statement in the email;
Why we Disabled Email Upload
At yfrog, we constantly evaluate our internal security mechanisms across all the facets of our service. Even though our email upload feature has not been compromised or broken into, we are taking this opportunity to evaluate the feature and secure it even further.
yfrog is not really being honest here. Their email upload feature has clearly been “compromised”. We clearly showed here on LGF how easy it is to derive these email addresses using the previous scheme. Their security update message confirms this: that’s why they’ve disabled this feature, and they are very likely changing the way this email is generated.
If they insist on this feature, I also expect them to at least do the following:
* Invalidate ALL existing yfrog emails and regenerate them for existing users
* Allow users to change (or have yfrog regenerate) their yfrog email, in case the user thinks their email has been compromised
* Allow users to opt-out of this feature
* Only accept email messages from a given email address or phone number (via MMS)
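The four points above describe a receive-side policy, so here is one way to wire them together. This is an added example written for this post, not yfrog’s code: the account store, the `upload.example.com` domain and the message format are all assumptions. The PIN is drawn from the OS random generator instead of a word list, the old address stops working the moment it is regenerated, opting out removes the address entirely, and the `From:` header is checked against a per-account allowlist (a forgeable header, so that check is defence in depth on top of the PIN rather than a replacement for it).

```python
"""Constructed example of an inbound 'post by email' gateway applying the
mitigations listed in the post. Not yfrog's code: the account store, the
domain name and the message shape are assumptions made for this example."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from email.utils import parseaddr

UPLOAD_DOMAIN = "upload.example.com"  # hypothetical domain, not yfrog's


@dataclass
class Account:
    username: str
    email_pin: str | None = None                 # None: user has opted out
    allowed_senders: set[str] = field(default_factory=set)


def new_pin() -> str:
    """128 bits from the OS CSPRNG rendered as 32 hex chars. Unlike a
    dictionary of word fragments this cannot be enumerated by guessing."""
    return secrets.token_hex(16)


class UploadGateway:
    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def register(self, username: str, allowed_senders: set[str]) -> str:
        pin = new_pin()
        self._accounts[username] = Account(
            username, pin, {s.lower() for s in allowed_senders})
        return pin

    def regenerate(self, username: str) -> str:
        """Invalidate the old address and hand out a fresh one. Rotating
        every account this way is how existing addresses would be retired
        after a scheme change."""
        pin = new_pin()
        self._accounts[username].email_pin = pin
        return pin

    def opt_out(self, username: str) -> None:
        """Opted-out accounts have no address at all, so nothing to guess."""
        self._accounts[username].email_pin = None

    def upload_address(self, username: str) -> str | None:
        pin = self._accounts[username].email_pin
        return None if pin is None else f"{pin}@{UPLOAD_DOMAIN}"

    def accept(self, from_header: str, to_header: str) -> tuple[bool, str]:
        """Decide whether an inbound message may post to an account.
        Returns (accepted, reason) so a rejection can be logged."""
        sender = parseaddr(from_header)[1].lower()
        recipient = parseaddr(to_header)[1].lower()
        local, _, domain = recipient.rpartition("@")
        if domain != UPLOAD_DOMAIN:
            return False, "not an upload address"
        # Locate the account whose current PIN matches, comparing in
        # constant time; a revoked or regenerated PIN matches nothing.
        for acct in self._accounts.values():
            if acct.email_pin is not None and hmac.compare_digest(
                    acct.email_pin.encode(), local.encode()):
                break
        else:
            return False, "unknown or revoked PIN"
        # From: is forgeable, so the allowlist is defence in depth on top of
        # the secret address, not a substitute for it.
        if sender not in acct.allowed_senders:
            return False, "sender not on account allowlist"
        return True, f"post to @{acct.username}"


if __name__ == "__main__":
    gw = UploadGateway()
    pin = gw.register("alice", {"alice@example.com"})
    addr = gw.upload_address("alice")
    print(gw.accept("Alice <alice@example.com>", addr))
    print(gw.accept("mallory@example.com", addr))
```

A real deployment would index accounts by a hash of the PIN instead of scanning them, but the decision logic is the same: no PIN, no post, and the PIN has to be something a word list cannot reach.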
As Sony’s PSN issue has shown us, it’s better to be honest with the public earlier. Yfrog should just admit that the scheme they used for this feature was flawed and that they’re working on a new one that is more robust.
Unfortunately, I still think that posting to an account with this “secret email” address is still an unsafe way to operate. I think an honest debate needs to happen to settle if social media sites should continue using this feature (for example twitpic and facebook have this feature, although with different email generating schemes).
yfrog has (had?) a feature to send images to your twitter/yfrog account via MMS or email. This process requires NO password, and it relies on the yfrog email for your account being “secret”.
The email for yfrog is of the form; email@example.com, basically an attacker knows everything except the “yfrog-generated-word”.
Also note that until earlier today, this generated email was being shown in your page. Why is this a problem? Imagine your gmail page or facebook prominently showing your “password” while you are logged in. Anybody looking over your shoulder could get into your account (here’s an image of the changes yfrog implemented over this).
So how hard is it to guess these emails if you don’t happen to peek at another user’s screen? Turns out, not very hard at all.
I created several twitter accounts based on the same gmail address, thanks to a feature in gmail that lets you put dots in the name. Since twitter only lets you use 1 email per twitter account, this feature becomes very useful. Here are the results;
I tried 24 fresh new accounts, the last 3 are 2 personal accounts and the test at the cannonfire blog post.
Right off the bat, notice we already have a dupe: “lusion”, which kind of indicates yfrog uses a very simple and small dictionary.
The next interesting generated words are:
* g[udom], d[udom], t[udom]
Which obviously is “udom” with a variation on the first letter.
A common pattern seems to be that there are variations of prefixes and then the last sequences of the word are repeated.
* gu[ness], na[ness], ba[ness]
* my[ment], do[ment], he[ment]
* lu[sion], zoo[sion] (there’s also voot[ion] but maybe that’s another sequence)
* jan[ist], tif[ist], gyj[ist]
* jin[ity], batu[ity], jag[ity]
You see the patterns. We’re either dealing with a static dictionary, or a very simple algorithm that is at least reusing the postfix part of the word. The prefix may also be reused, if it’s randomly putting together strings.
It’s pretty scandalous that an app would use an email address for security, but it’s even worse that said email address is so easily guessed. In my small test of 27, I got 1 repeat and found many repeated substrings. It wouldn’t take much effort for an attacker to do this, especially since he/she just has to send a set of these combinations via email and wait for one to hit.
I hope yfrog permanently turns off this “MMS” feature (which they may have done), in the meantime the best option is to go to your twitter settings->applications and “Revoke Access” to the yfrog application.
Or maybe twitter can do this for all users, this app is dangerous because it’s a big security hole leveraging the twitter API and leading to easy abuse.