Location Oriented Services

Introduction

Lately I have been using a VPN service. Using a VPN for daily browsing has many advantages. If you are not already using one, please give it a try. A great feature that comes with browsing through a VPN is that websites are fooled into believing that you reside in a different country than the one you actually do. Unfortunately, this is the root of many problems, as it seems that many websites contain services that function based on the user’s country. This matching is performed on the user’s IP address, which changes when browsing through a VPN. For the purposes of this article, these types of services will be called “location oriented services”.

Types of location oriented services and security

Normally, location oriented services should be services that are complementary to a web site’s functionality (e.g. advertisements). However, a lot of web sites use the user’s location to apply security practices. For example, PayPal or Facebook, when accessed from a different location than usual, might request you to confirm your real identity (i.e. by requesting a password change).

From a security point of view, switching country means practically nothing, even if it is done every 2 seconds. People travel all the time; others use a corporate VPN service every day to work remotely, while others use a VPN for anonymity. Therefore, people may appear to be in a different country than the one they reside in for a number of legitimate reasons. Consequently, applying security practices based on a change of country is a clear confession of failure. Web sites should not depend on the user’s location in order to draw any kind of conclusion.

A better approach

A case where location oriented services have a useful application is language auto-selection in multilingual websites. To do this, either the IP approach (as described previously) or an alternative approach can be followed. The alternative approach is to use the “Accept-Language” HTTP header. The accepted languages can be set by the OS automatically, or by the user, and the header is part of the HTTP protocol, which practically means that it is natively supported in all web programming languages.

Consequently, if the web site needs to provide location oriented services (except security), the “Accept-Language” header is the way to go.
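An added example (not code from the original article) of the language auto-selection described above: it parses the “Accept-Language” header, honours the q weights, and only ever returns a language from the site's own list, since the header is supplied by the client. The function names and the sample headers are constructed for illustration.

```python
import re

# Language tags are letters/digits in hyphen-separated groups; "*" is the wildcard.
_TAG = re.compile(r"\*|[a-z]{1,8}(?:-[a-z0-9]{1,8})*")

def parse_accept_language(header):
    """Return [(tag, q)] ordered by preference; malformed entries are dropped."""
    prefs = []
    for position, item in enumerate(header.split(",")):
        parts = [p.strip() for p in item.split(";")]
        tag = parts[0].lower()
        if not _TAG.fullmatch(tag):
            continue  # the header is client-supplied: ignore anything odd
        q = 1.0
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        if 0.0 < q <= 1.0:  # q=0 means "not acceptable"
            prefs.append((tag, q, position))
    prefs.sort(key=lambda p: (-p[1], p[2]))  # highest q first, then header order
    return [(tag, q) for tag, q, _ in prefs]

def choose_language(header, supported, default="en"):
    """Pick a language from the site's own list; never echo the header back."""
    by_tag = {s.lower(): s for s in supported}
    for tag, _ in parse_accept_language(header or ""):
        if tag in by_tag:
            return by_tag[tag]
        primary = tag.split("-")[0]  # "el-gr" falls back to "el"
        if primary in by_tag:
            return by_tag[primary]
    return default  # missing header, wildcard only, or nothing supported

if __name__ == "__main__":
    # Constructed sample headers, not taken from real traffic.
    for sample in ["el-GR,el;q=0.9,en;q=0.8", "fr;q=0.5, de;q=0.9", "<script>;q=1", None]:
        print(repr(sample), "->", choose_language(sample, ["en", "el", "de", "fr"]))
```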

Legal matters

A critical aspect of location oriented services that are based on the IP address is the matching of the user’s IP address to a country. Important questions arise regarding the provider of this information and whether sharing it is legal. Moreover, sharing this information should be part of the contract with the ISP and a fact that the user should be aware of. As this is a huge issue, it is a great candidate for a future article.

Conclusions

Instead of a conclusion, two things:

1. Use a VPN, it’s for your own good!

2. Resist sites that use your IP to detect your country and provide services based on that!

 

P.S. As a VPN provider, I am using, for almost a year, those guys Private Internet Access and I am super happy with their services!

 

One Password is Enough

1. Introduction

Security and password choosing should be one of the user’s main concerns. Unfortunately, choosing a password is a painful procedure which occurs very often. Moreover, according to a recent study, 38% of users would rather clean a toilet than think of a new password! Thus, a lot of users end up using the same password on more than one web site.

2. Facts

1/ It is essential to keep separate and secure passwords for every web site you use.

2/ It is impossible to memorize as many passwords as the websites we keep accounts on.

3/ There are some tools (i.e. password managers, browser plugins) that help you solve this problem, but having a new tool adds complexity to your daily tasks and habits.

3. Memorize one password – that’s enough

Clearly the problem starts when we have to manage (or memorize) more than one password. This becomes more painful if the passwords are hard to guess. However, there is a simple way to overcome this problem. We only need to memorize one password and one simple procedure. Having those two ingredients, it can be guaranteed with a high percentage* that we will use different passwords for every web site we use without the need for an external tool.

*This percentage depends strongly on the simple procedure mentioned above. We can define types of procedures that result in reaching a percentage near 100%. 

4. How to do it

Sit down and think of a secure password. Don’t wait for a registration form to pop up; it will become painful. If this is hard, just use a password generator.

In general your password should have the following characteristics:

  1. At least one capital and one lower case letter
  2. At least one symbol (i.e. #, $, ^)
  3. At least one digit
  4. Length higher than 5 characters

A more detailed guide on how to choose a secure password.

4.1 Let’s get our hands dirty

Reaching this point means that you have your secure password. Let’s call this the matrix password. You need to memorize your matrix password.

It’s time to create a method. The method will apply some rules to the password and will produce a modified version of the matrix password. This will be the final version of the password, and it is the one we are going to use when subscribing. The method is something that needs to be defined by us and needs to be kept secret. Its secrecy is as important as the password’s.

Find below some examples of how the method is defined and applied to our password.

4.1.1 Example1 (graphic example)

For the examples, we assume that our matrix password is: ff$$12Tr0

Method: Add the first and third letter of the web site’s name after the first letter of the matrix password.

[Image: one password img1]

4.1.2 Example2

Let’s use a more complicated method.

Method: Add the first and second letter of the web site’s name after the first letter of the matrix password; add the last letter of the web site’s name to the end of the matrix password:

Let’s generate the passwords:

Web site: amazon

Final password for amazon account: famf$$12Tr0n

Web site: google

Final password for google account: fgof$$12Tr0e

Web site: facebook

Final password for facebook account: ffaf$$12Tr0k

 

Site | Password
amazon | famf$$12Tr0n
google | fgof$$12Tr0e
facebook | ffaf$$12Tr0k

As shown in the table above, all the generated passwords are slightly different. If one password is compromised, it is quite hard to uncover the method and apply it in reverse in order to generate the matrix password.

In general it is a good idea to use two different methods. The first will be the main method, which is going to be used in all web sites, while the second one will be used in case you are forced to change your password (i.e. by the web site itself – the case of an expired password).
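An added example (not part of the original article) that implements the method of Example 2 and reproduces the table, then measures the longest run of characters that two derived passwords have in common, which indicates how independent the per-site passwords are. The function names are hypothetical; the matrix password and site names are the article's own.

```python
from itertools import combinations

def derive(matrix, site):
    """Example 2's method: put the site's first two letters after the matrix
    password's first character and append the site's last letter."""
    if not matrix or len(site) < 2:
        raise ValueError("need a non-empty matrix password and a site name of 2+ letters")
    return matrix[0] + site[:2] + matrix[1:] + site[-1]

def longest_shared_run(a, b):
    """Longest substring that appears in both passwords."""
    best = ""
    for i in range(len(a)):
        # Only try candidates longer than the best run found so far.
        for j in range(i + len(best) + 1, len(a) + 1):
            if a[i:j] in b:
                best = a[i:j]
            else:
                break  # extending a non-shared run cannot make it shared
    return best

def overlap_report(matrix, sites):
    """Derive every password and report the shared run for each pair of sites."""
    derived = {site: derive(matrix, site) for site in sites}
    report = {}
    for s1, s2 in combinations(sites, 2):
        shared = longest_shared_run(derived[s1], derived[s2])
        # Fraction of the first password covered by the shared run.
        report[(s1, s2)] = (shared, len(shared) / len(derived[s1]))
    return derived, report

if __name__ == "__main__":
    derived, report = overlap_report("ff$$12Tr0", ["amazon", "google", "facebook"])
    for site, password in derived.items():
        print(f"{site:10} {password}")
    for (s1, s2), (shared, fraction) in report.items():
        print(f"{s1}/{s2}: shared run {shared!r} = {fraction:.0%} of the password")
```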

5. Conclusion

In summary, 38% of people hate the idea of thinking of a new password. Just ask yourself and you will probably get the same answer. Using the procedure described in this article, it is not necessary anymore to think of new passwords. You will need just one, so make sure it is a secure one.

 

My favorite color

When I was a kid, a famous question among kids was: “what’s your favourite color?”. All children had a favourite color. Maybe, in terms of psychology, this has a special meaning, but I’m no expert in this field, even if it is about my own psychology. So I will just focus on the favourite color part. As a grown-up, I think I found a color I really like. So, my favourite color is #0f0f0f.

FYI: Below, you can see a couple of #0f0f0f stripes mixed with stripes of black (#000).

#0f0f0f
Black
#0f0f0f
Black

What’s your favourite color?