Category Archives: Security

Prep Your Computer For Screen Sharing

It can be intimidating and a little risky to share your screen with a wide audience. Whether for a work demonstration or some streaming fun there is some basic hygiene which can help avoid disclosing personal info or even what apps you rely on.

Here are some ideas to keep your computer ready for screen share at any moment.

Auto-hide Task/menu Bars And Docks

Screens are getting wider and sometimes even a little shorter than in years past; so consider automatically hiding or moving widgets such as the taskbar or dock, menu-bar (most common on Mac), or sidebar. This leaves more room for what you’re trying to show and more space to work. You can usually push the pointer to the edge or press a key to get them when necessary.

  • Windows 10:
    right-click the taskbar
    -> “Automatically hide the taskbar in desktop mode”
  • MacOS:
    “System Preferences”
    -> “Dock & Menu Bar”
    -> “Automatically hide and show the Dock”,
    “Automatically hide and show the menu bar”

Solid Color Background

Unless you really need or want to share your background then consider keeping it a solid color. Black might even help save bandwidth or battery life depending on what you’re sharing or the kind of display. There’s also no risk of NSFW photos appearing from within your albums.

  • Windows 10:
    right-click the desktop
    -> “Personalize”
    -> “Background”
    -> click drop down
    -> “Solid Color”
  • MacOS:
    “System Preferences”
    -> “Desktop & Screen Saver”
    -> “Apple”
    ->”Colors”

Practice Using Do-not-disturb

Windows 10 has “Focus Assist” and MacOS calls it “Do Not Disturb”, though whatever the name, practice turning on and off these features. They can help avoid revealing private messages or reminders during a screen share or stream. You may even be able to automatically enable them or set them to turn off after a set period of time.

  • Windows 10:
    right-click the speech bubble in taskbar
    -> “Focus assist”
    -> “Priority only” or “Alarms only”
  • MacOS:
    click sliders icon in menu bar
    -> “Do Not Disturb”

Separate, Smaller Monitor

Sharing or streaming for a separate screen allows you to manage other tasks or private data without sharing everything. This is especially useful for presenters or recorders who may also be taking notes, checking things off, or handling private questions while sharing. In my experience using a smaller screen helps since some viewers may have small screens which make it harder to read scaled down text from a larger, shared view.

If you must work from one screen consider exploring virtual ‘cameras’ or virtual screens which can take a slice of your larger/wider monitor, without sharing it all. Sometimes an entire virtual machine, or VM, can help since its window can be shared and its settings configured for sharing differently from your host computer.

Specialized Profile

Consider a special share/streaming user account on your computer which only includes the apps, contacts, and files you know are safe to share or stream. This can help if special screen resolutions or settings are needed yet different than your usual working profile.

Spare Headset And Mic Check

Headsets work best since they reduce the need for your computer to cancel any noise or echo from other folks talking along with you. Consider also keeping an extra headset within reach in case of technical difficulties, such as battery exhaustion or software glitches. And do a microphone check periodically to ensure you can be heard without problems.

SQRL’s Fatal Flaws

Steve Gibson‘s SQRL authentication has two fatal flaws: future identities are too easily compromised and using it with multiple devices becomes more difficult over time. Since it relies on derived keys to generate each identity a single, compromised identity-unlock-key (IUK) puts all past and future secrets at risk. At least until one knows it has leaked.

SQRL tries to mitigate this derivation weakness by its ‘rekeying’ feature. Though that rekeying requires updating the identity file on all devices that need it as well as revisiting all previously used services. One must go through the rekeying and revisiting process any time ones IUK is compromised.

Such rekeying doesn’t help when one doesn’t know the IUK has been compromised. Meaning attackers with the key could create an identity before a user has tried. Then when the real user signs into their ‘new’ identity the attacker also has access, they may even have primed the account with weaker privacy settings.

Password Vaults have a similar weakness which could expose all past secrets, but no future ones. And since there is typically a different (random) password for each service the size of the data an attacker needs to extract is often larger. Bigger payloads are usually more difficult to exfiltrate completely and are more likely to be noticed.

As far as I can tell there doesn’t seem to be a solution to these fundamental issues with SQRL. But I’d love to be proven wrong. So if this assessment has any inaccuracies or you have thoughts to share then please leave a comment.

UPDATE: Full disclosure, I created a premium plugin for the KeePass Password Safe.

Thinking Of Password Strength Like Slot Machines

Instead of communicating password strength—specifically unpredictability—as ‘bits,’ let’s consider using slot machines as a metaphor. Bits of entropy are the traditional way of describing the randomness and variety, though it can be intimidating or too abstract for some users. It can also overlook that each ‘character’ in the equation is actually an entire word, since those are easier for users to remember. Slots are relatively simple machines which randomly rotate among variations of options and line up together like letters or words in a passphrase. So this metaphor may help users better understand the strength of their passwords.

Let’s imagine that slot players are thieves looking to steal the money in your bank account. Slot positions or wheels can be thought of as each character or word in your password or phrase. And the varieties of slot fruits represent the possible characters or words in your secret. Now if a player happens to line up each of them they’ll strike jackpot and get access to all your money. Preventing unwanted jackpots like that requires choosing passwords or phrases that are unpredictable. So we want a lot of different fruit (characters/words), as many slot positions as practical (as long as possible), and no pattern among the slot choices (no relationship between them). More is stronger.

It’s important to keep in mind that if we choose a password as a collection of words (not random characters) then our ‘fruit’ or dictionary cannot be counted as each character. In that case it must be counted as each whole word. Attackers know that people often use words because of frequent passwords leaks. So any pattern we choose should be considered public knowledge.

Now, to gauge how strong a password (jackpot) is we can multiply the number of possible words/characters (fruit) together repeatedly, one for each slot position. Consider that three words with two slots is 3 x 3 or 9 possible values. Put another way we take it to the exponent: 3 ^ 2 = 9. Guessing randomly the attacker/player would probably hit the jackpot in half as much, on average. So that password would typically require 9 / 2 or 4.5 guesses to get right. That’s really weak.

Expressing that as attempts gets out of hand quickly since at 1000 words/characters with 3 slots we’ve got 1,000 ^ 3 or 1,000,000,000 which is one billion. A dictionary or fruit basket of 10K with 5 slots would be 100,000,000,000,000,000,000 or one hundred quintillion, on average guessed in fifty quintillion attempts. If these numbers are too unwieldy we could use the ‘bits’ method to make these numbers easier to read and reason about. Then our 10,000-5-slot password would be log base 2 of 100 quintillion or about 66.4 bits. Still it would be important to remember to take care when filling in the ‘fruit’ or dictionary number to avoid counting characters when we’re actually using words.

P.S.

Each of the password requirements (many kinds of ‘fruit’, multiple slot positions, unrelated ‘fruit’ choices) is important, and that makes strong password/phrase choices hard to remember. Typically we also have many accounts with a variety of website and services. Ideally each account should use a different, unrelated password than all the others. For this reason a password manager makes life more practical. Properly designed they can encrypt all the random passwords or phrases with one, strong-yet-memorable password. If you aren’t using one please try making it a part of your daily routine for a month. It could save you a lot of time and headache by avoiding the loss of your accounts or funds.