This evening I decided to get around to encrypting my MacBook’s harddisk in accordance with our company security standards.  When we bought this first batch of MacBooks we thought hard about how we woud maintain the security standards we have in place for our Windows and Linux based laptops.  We concluded that in order to do this we would have to pay for encryption software (we use an Open Source package on Windows/Linux platforms), but security is worth paying for.

So I followed the instructions and installed Check Point Full Disk Encyption for Mac on my lovely shiny new MacBookPro.  Everything seemed fine and I was happy to see the ‘restart your computer now’ button appear quite quickly.

Unfortunately, 5 seconds after clicking that restart button I was greeting with a console error message:

Couldn’t init Graphic!

FATAL ERROR

Nothing would boot any further.  Eeek!  Quickly I get onto my desktop PC and start googling.  Low and behold there is a known issue with new MacBookPros and Check Point FDE 3.0. It doesn’t work!

Okay – at least it’s a known problem, so there must be a fix available.  After 5 minutes of registering on Check Point’s website to see the solution, I am informed that ‘To view this solution, Advanced access is required.’

So Check Point release a product that silently bricks my MacBook and then tell me that in order to find out how to fix the problem I must pay for a support contract.  Nice!

Maybe I should go round to their house, shit on their carpet and ask them for money to clear it up!

The structure of the Verified by Visa (and its Mastercard equivalent, 3D-secure) means that an online seller will not be able to keep my credit card details and re-use them later (for nefarious purposes) as I only provide my password directly to Visa NOT to the seller themselves.

Great, I thought!  Until I noticed that the site that was asking me to setup my password (and I would presumably have to re-enter my password at a later date) did not identify itself in any meaningful way. Check it out for yourself https://www.securesuite.co.uk.  Notice that the ‘site owner’ does not appear in the Firefox/MSIE7 location bar and even if you examine the SSL certificate it seems to be registered to a company called CYOTA Inc. The only mention of ‘Verified by Visa’ is buried in the Organisational Unit entry in the certificate.

Now we can obviously google our way to finding out that CYOTA Inc are owned by RSA who probably provide the systems for Verified by Visa, but really…

The whole process is predicated on the buyer knowing that they are providing their password to Visa and no-one else so I find it incredible that Visa, CYOTA and the issuing banks are not addressing the confusion they are causing.

Worse still they aren’t just confusing the public about Verified by Visa, they are also positively ENCOURAGING user to ignore the warning signs of phishing attacks.

After attempting to import my Firefox password list only to told that I had exceeded my allocated number of of entries by -97 (yes, minus 97).  Hmmm!  a few emails back and forth to the (very helpful) Passpack support team, plus the dicovery that I have third party cookies turned off on Firefox (forgot that) and I got it up and running.

So do I like it?  Well it’s exactly what I wanted, but not actually what I need.  You see it forces me to be a bit too secure.  In order to login to a website without remembering the password, I have to:

1. login to Passpack – no problem it supports openID (and I can have ‘remember me’ turned on my computers)
2. perform the humanity test (a nice one actually – just click the black square)
3. provide my packing key – which must be a fairly long and safe key.  This is slightly annoying as I am an incredibly bad typer and have trouble typing more than 2 keys in the right order at the best of times.  So trying to get a 20 character packing key right when I can’t see what I’ve typed takes numerous tries.
4. locate the appropriate entry for the site I wish to visit.
5. click the link to be forwarded to the site
6. click the ‘Passpack it!’ bookmarklet (if I have the bookmark tool bat turned on – I don’t normally)
7. and there, Robert’s your mother’s live-in-lover.

Now I know that this would probably be a lot easier if the domains in my password file (not sure why the don’t), but it’s all such a bloody palaver.  Compare that to the Foxmarks experience:

1. I go to the site I want to use
2. Firefox prefills my details

Okay so there is a downside.

• I can’t store any data, just passwords
• I can’t use other browsers
• I can’t use a public access (or a friends) computer

Well, I’m thinking that I’ll stick a copy of Firefox passwords on my Truecrypt encrypted USB key to cover most of those issues.  Sorry Passpack – but you’re just too secure for me!

Now if only Foxmarks would support openID, I’d be have just one password to remember.  I’m not sure what I’m going to do about my accessing on my iPhone though!  Any ideas?

Any organisation provides me with a ‘secret’ number or a passphrase (or restricts what passphrase I can use) that I have to remember to login is effectively putting my data at risk by forcing me to write that passphrase down.  I can remember pin for my debit card and another one for my credit card, the password for my email is easy as I use it everyday), being asked to remember 2 more numbers (not of my choosing for an online account I use once every 6 months… Why would I?  How could I?  So I write it down… and remove any semblance of security!

If they can’t pick-up on the OpenID movement couldn’t they at least have the decency to let me choose my own damn password?

I’ve been waiting for a good robust plugin implementation that would give me a chance to play with openID as a provider (I want to implement an OpenID/OpenLDAP gateway for a work project), so I downloaded and installed it.

It took me a couple of hours to figure out how to delegate my domain to an OpenID provider and allow me to log in to my WordPress instance with its own domain as the OpenID url. But it all worked out of the box, first time.

So well done Will – damn fine job sir!