Security

What to do with old RSA tokens?

What do you do with RSA tokens after the breach? I just hate to throw away a perfectly functioning RSA token even if the seed file has been compromised, so I re-purposed this one to be a lotto number generator.

bitsquawk

I found Artem Dinaburg's talk at Black Hat 2011 one of the most interesting presentations at the conference. In short, he talked about why and how often bit errors occur in hardware (more frequently than most would think). If a flipped bit lands in a domain name held in memory on any device in the chain (a client, a proxy, a resolver), the lookup goes to a different domain and your system can end up at an unintended site.

Artem registered several 'bitsquatting' domains and received over 52,000 hits over six months, showing that the effect is real and not just theory. To mitigate, he suggests registering the bitsquat domains for high-traffic sites. For others who have numerous and/or lengthy URLs, registering all of them can become cost prohibitive. The bitsquat domains for my employer's URLs total over 21,000, for example.

I got curious about this and decided to write a Python program to examine a URL list and enumerate the potential bitsquat domains for each hostname in it.

Check it out at: http://code.google.com/p/bitsquawk/

Artem Dinaburg's paper
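To show what such a tool has to do, here is a small added example of a bitsquat enumerator. It is not bitsquawk's own code and is not taken from Artem's paper; the function and variable names, the sample URL list, and the design choices (holding the TLD fixed, treating case-only flips as the same domain, rejecting labels that would start or end with a hyphen) are mine for illustration.

```python
"""Enumerate single-bit-flip ("bitsquat") variants of the hostnames in a URL list.

Added example; not the page's bitsquawk code. Names and the sample input are assumptions.
"""
import string
from urllib.parse import urlsplit

# DNS hostname labels may contain only letters, digits and hyphens (the LDH rule).
# DNS is case-insensitive, so a flip that only changes case (e.g. 'e' -> 'E')
# does not produce a distinct domain and is deliberately left out.
VALID_CHARS = set(string.ascii_lowercase + string.digits + "-")


def hostnames_from_urls(urls):
    """Extract the unique, lower-cased hostnames from a list of URLs."""
    hosts = set()
    for url in urls:
        host = urlsplit(url.strip()).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def bitsquats(domain):
    """Return the sorted list of valid hostnames that differ from `domain` in exactly one bit.

    The top-level domain is held fixed: a flip inside the TLD lands in another
    registry's namespace (or in no valid TLD at all), so it is not something you
    can defensively register under the original TLD.
    """
    domain = domain.lower()
    if "." not in domain:
        raise ValueError("expected a dotted hostname such as example.com")
    name, tld = domain.rsplit(".", 1)
    found = set()
    for i, ch in enumerate(name):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            # A '.' can flip to 'n' (0x2E ^ 0x40 == 0x6E), merging two labels into one
            # ("www.example" -> "wwwnexample"); that is kept because it is a real,
            # registrable squat. A letter flipping to '.' (e.g. 'n' -> '.') is
            # dropped by VALID_CHARS: the result lives under a different
            # registrable domain, which would need its own entry.
            if flipped not in VALID_CHARS:
                continue
            candidate = name[:i] + flipped + name[i + 1:]
            # Every label must be non-empty and must not begin or end with a hyphen.
            labels = candidate.split(".")
            if any(not lab or lab[0] == "-" or lab[-1] == "-" for lab in labels):
                continue
            found.add(candidate + "." + tld)
    return sorted(found)


def bitsquats_for_urls(urls):
    """Map each hostname found in `urls` to its list of bitsquat candidates."""
    return {host: bitsquats(host) for host in hostnames_from_urls(urls)}


if __name__ == "__main__":
    # Constructed sample input, standing in for the URL list a real run would read.
    SAMPLE_URLS = [
        "https://www.example.com/login",
        "http://example.com/",
        "https://mx.example.net:8443/path?x=1",
    ]
    for host, squats in bitsquats_for_urls(SAMPLE_URLS).items():
        print(f"{host}: {len(squats)} candidates")
        for squat in squats:
            print("   ", squat)
```

Running it on the sample list shows why the count grows so quickly: a seven-character name like "example" alone yields 33 registrable variants, since most lower-case letters have four or five single-bit neighbours that are themselves valid hostname characters. Feeding a real URL list through hostnames_from_urls first is what keeps the numbers honest, because the squat set belongs to the hostname, not to each URL that mentions it.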

PayPal + Two-Factor Token = Fail!

I applauded PayPal when they started supporting token-based authentication. Why can't everyone (like banks) offer two-factor authentication for $5.00?

I felt much better having my PayPal account protected with real two-factor authentication. No one can access my account, even if they have my username/password right? Wrong!

While logging in recently, I noticed an "I don't have my security key with me." link and decided to see just how they handle that little situation...

In short, if you click the link you can get in with just your credentials and the answers to your two security questions (and no token).

Yes, I verified that you can do this. It did let me know that from now on I would need to use my token to get in (like that would do anything to stop the person who just hacked my account). Just to see, I logged out and back in. They failed on that one too, I was able to get back in without the token a second time.

They didn't require any other verification (secure email link would have been nice). I also did not receive notification that my account had been accessed without the token that I thought I had made a requirement. Yet another failure.

It seems PayPal is more concerned about making it easy to spend money and not receiving support calls, than they are with the security of their customers.

OK, so I went back in and put some ridiculously complex and random answers in for my security questions. I'll probably close my account if they don't fix this though, and I don't expect that they will. Surely I am not the first person to notice and report concerns about this.

Yeah, I think I'll cancel my account.

Can viruses spread from humans to computers...?!?!??

Sure we all know that computer viruses can spread to humans, but I want to know if human viruses can spread to computers? I'm concerned that my systems might get swine flu.
