In case you still think banks know what they are doing

Working with Weboob has confirmed my suspicions that banks’ IT departments are clueless (at least the French ones).

It’s not only that they have terrible websites with snake-oil security (e.g. virtual keypads that are trivially logged and only inconvenience legitimate users).

It’s that their approach to security is from another world. When I was working with a client that was a bank a few years ago, they forced a lot of stupid things on us in the name of security, but the solutions chosen to make things work were worse from every point of view, including actual security.

This is not a technical problem; the problem is a lack of technical people where they should be.

The cherry on the cake is BNP Paribas. They have historically been terrible at configuring their DNS (with a tendency to return a different IP depending on yours, and of course those two IPs served two different versions of the site… unless one of them was out of commission).
And now, for over a year, they have been forcing SSL connections to 128-bit RC4, a cipher with well-known weaknesses. If you try to force anything better, the server rejects you!
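The RC4 weakness mentioned above, as an added example that is not from the original post and not Weboob code: a textbook RC4 implementation plus a measurement of the Mantin-Shamir second-keystream-byte bias, one of the reasons RC4 is considered broken regardless of its 128-bit key. Keys are 16-byte values from a seeded PRNG so the run is reproducible. The negotiated_cipher helper is my own addition (it assumes a reachable host and an OpenSSL build that still knows the requested suites); it shows how one would check what a server accepts and is not exercised by the offline demo.

```python
"""Added example: RC4 and its second-output-byte bias (not the post's code)."""
import random
import socket
import ssl


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: permute 0..255 under the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n RC4 keystream bytes for key (the PRGA)."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    """RC4 encryption and decryption are the same operation: XOR with keystream."""
    ks = rc4_keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def second_byte_zero_rate(num_keys: int = 20000, seed: int = 1) -> float:
    """Fraction of random 128-bit keys whose second keystream byte is 0.

    An unbiased generator would give about 1/256 (0.0039); RC4 gives about
    1/128 (0.0078), the Mantin-Shamir bias. Because the keystream is XORed
    with the plaintext, an attacker seeing many encryptions of the same
    message under fresh keys learns its second byte from this alone.
    """
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    zeros = 0
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))  # constructed 128-bit key
        if rc4_keystream(key, 2)[1] == 0:
            zeros += 1
    return zeros / num_keys


def negotiated_cipher(host: str, ciphers: str, port: int = 443) -> str:
    """Connect to host offering only `ciphers` (OpenSSL cipher-list syntax) and
    return the negotiated suite name. Raises ssl.SSLError if the server rejects
    every offered suite, which is the behaviour the post describes when anything
    stronger than RC4 is offered. Network call; assumes a reachable host and an
    OpenSSL build that still contains the requested suites (modern builds ship
    without RC4, in which case set_ciphers("RC4") fails before any connection)."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(ciphers)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()[0]


if __name__ == "__main__":
    rate = second_byte_zero_rate()
    print(f"P[keystream byte 2 == 0] = {rate:.5f} (unbiased would be {1/256:.5f})")
```

To reproduce the complaint against a live server you would call negotiated_cipher(host, "HIGH:!RC4") and expect an SSLError, then negotiated_cipher(host, "RC4") and expect a suite name containing RC4; whether the second call can even be attempted depends on your OpenSSL build.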

Banks try hard to be taken seriously, and they usually are. I just can’t help laughing at them.

Posted in Security

New GPG key

I have set up a new OpenPGP key, to benefit from better security settings
and from better storage practices on my part, and will be transitioning
away from my old one. The old key is not compromised in any way.

The old key will continue to be valid for some time, but I prefer all
future correspondence to come to the new one. I would also like this
new key to be re-integrated into the web of trust.

Full details here.

TL;DR?

gpg --recv-key 0x3463EA5A518A9C75
gpg --check-sigs 0x3463EA5A518A9C75

# either just sign locally
gpg --lsign-key 0x3463EA5A518A9C75
# or sign and publish in the web of trust
gpg --sign-key 0x3463EA5A518A9C75 && gpg --send-keys 0x3463EA5A518A9C75
Posted in Meta, Security

Contributing to Weboob without programming

There are often well-meaning people around open-source software who, while they do not know programming or the specific technologies used, can greatly help the project.

So, what are we looking for? We do not have any translation support for now, so that is out. However, there are a few things you can already do:

  • Suggest new websites to support. To be helpful, give us everything you know about them: available APIs and workarounds, existing tools (Python preferred), etc.
  • Provide better logos. Many logos have been hastily done and could be better; the only requirement, for legal reasons, is that they have a parodic or humorous aspect. I would consider replacing the vulgar ones a priority.
  • Write packages for your distribution of choice, or simply lobby them to package Weboob and keep it up to date. Since websites break all the time, old versions quickly become useless.

The simplest way to do that is to create new issues on our tracker. Accepted contributions will get mentioned, unless of course you do not want to be.

Posted in Weboob