Suspicious login notification

Bug #1640540 reported by Paul Everitt
This bug affects 1 person

Affects: KARL4 | Status: Fix Released | Importance: High | Assigned to: Carlos de la Guardia

Bug Description

tl;dr If a username is logged into from a "strange" place, send the user an email.

Users have a primary browser on a primary computer. Occasionally they'll login from their home computer or phone. Far less occasionally, they'll login from some random browsers/computer (Internet cafe, etc.)

If a login is hijacked, it will be used in a completely new browser/computer. The user should be emailed that their login is being used from a new "device" (browser+computer combination.)

Specs

- When someone logs in, set a persistent, random cookie that identifies that "device" (browser+computer)
- If they login again, we'll get the cookie and know that they are from a "trusted" device
- If they login again and there's no cookie (including the very next login after we roll this out), they'll get an email
- If for some reason they lose the cookie, we'll treat that login as if it was from an untrusted device

Tags: auth
Revision history for this message
Paul Everitt (paul-agendaless) wrote :

Nat, can you provide the text that you'd like to send out in the email, and also confirm the writeup on this?

Carlos, this takes precedence over bug work.

Changed in karl4:
status: New → In Progress
Revision history for this message
Carlos de la Guardia (cguardia) wrote :

Started work on this. Should get to the point where I can use the email text by Friday.

Revision history for this message
Nat Katin-Borland (nborland) wrote :

Email Message Text:

Dear User,

To help protect the integrity of your KARL account, KARL sends notifications when your account has been accessed from an unrecognized browser or device. We have detected that your account has just been accessed from a new browser or device: auto generated Browser/device info.

If this was a legitimate login, please ignore this message. If, however, this login was not authorized by you, then your KARL account may have been compromised. To protect your account we recommend that you immediately change your password (link to https://karl.soros.org/reset_request.html). If you have any questions or concerns contact the KARL support team at <email address hidden>.

-The KARL Team

---

Open to suggestions or edits on the text.

I also have a clarifying question: is there a limit on the devices that KARL will be able to store cookies on to mark devices as recognized? From a user experience perspective, I just want to make sure that users are not prompted each time they login from a non-primary device - they should just be warned the first time. For example, if the user accesses KARL from home or from their tablet, they should only receive an email the first time they login, but not subsequent times. I just want to make sure we're on the same page.

-Nat

Revision history for this message
Paul Everitt (paul-agendaless) wrote :

They will be warned each time a new, previously-not-connected "device" is used. (Or whenever the cookie for a "device" disappears for some other reason.)

"Device" == browser/computer combination.

Revision history for this message
Carlos de la Guardia (cguardia) wrote :

This is now testable on branch suspicious_logins.

Changed in karl4:
status: In Progress → Fix Committed
Revision history for this message
Paul Everitt (paul-agendaless) wrote : Re: [Bug 1640540] Suspicious login notification

What changes do I need to make to the production/staging INI files for either of these feature changes?

—Paul

> On Nov 16, 2016, at 2:27 AM, Carlos de la Guardia <email address hidden> wrote:
>
> This is now testable on branch suspicious_logins.
>

Revision history for this message
Carlos de la Guardia (cguardia) wrote :

You *could* add a device_cookie parameter to the karl settings if you want to set the name, but if you don't, a default name will be used, so it will work anyway.

Revision history for this message
Paul Everitt (paul-agendaless) wrote : Re: [Bug 1640540] Re: Suspicious login notification

Hmm, the device cookie should be random, which I believe you are doing here:

https://github.com/karlproject/karl/commit/9f9049bd11e329dd1aa12f4ebf067002cee96ac3#diff-55ed5975cfd275eb68ec2671cf1dfc2fR185

Ahh, wait, that value is for the *name* of the cookie, not the value. Is that correct?

—Paul

> On Nov 17, 2016, at 6:28 PM, Carlos de la Guardia <email address hidden> wrote:
>
> You *could* add a device_cookie parameter to the karl settings if you
> want to set the name, but if you don't, a default name will be used, so
> it will work anyway.
>

Revision history for this message
Carlos de la Guardia (cguardia) wrote :

Yes, I didn't want to use an obvious name, but that's why I also left the option of setting it instead.
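The spec in the bug description (random persistent "device" cookie; trusted when present, email when absent or lost) and the naming exchange just above (a configurable `device_cookie` setting with a non-obvious default, random *value*) sketched as one runnable example. This is added illustration, not the KARL code from the linked commit; the default cookie name, the `DeviceTracker` class, the in-memory stores and the per-user server-side token list (so that a stale or foreign cookie value is not trusted on presence alone) are assumptions.

```python
import hmac
import secrets

# Assumed default; the real default name lives in the KARL commit, not on this page.
DEFAULT_COOKIE_NAME = "karl_device"


class DeviceTracker:
    """Hypothetical stand-in for KARL's login hook and mailer."""

    def __init__(self, settings=None):
        settings = settings or {}
        # Operators may set the cookie name via the 'device_cookie' setting;
        # otherwise the non-obvious default is used, so it works either way.
        self.cookie_name = settings.get("device_cookie", DEFAULT_COOKIE_NAME)
        self.known = {}   # username -> set of device tokens issued to that user
        self.outbox = []  # (username, device_info) for each warning email "sent"

    def login(self, username, request_cookies, device_info):
        """Called after successful authentication.

        Returns (cookies_to_set, trusted). cookies_to_set is a dict of
        name -> value the caller should emit as a persistent, Secure,
        HttpOnly Set-Cookie.
        """
        token = request_cookies.get(self.cookie_name)
        # A cookie is only "trusted" if its value was issued to *this* user;
        # an absent, lost, or foreign token all count as a new device.
        trusted = token is not None and any(
            hmac.compare_digest(token, t) for t in self.known.get(username, ())
        )
        if not trusted:
            # New device: warn the user (email text as in the thread) and
            # mint a fresh random value so the device is trusted next time.
            self.outbox.append((username, device_info))
            token = secrets.token_urlsafe(32)
            self.known.setdefault(username, set()).add(token)
        return {self.cookie_name: token}, trusted
```

The first login from a fresh profile (a private-browsing window counts) always produces an email, which matches the "very next login after we roll this out" behaviour in the spec.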

Revision history for this message
Paul Everitt (paul-agendaless) wrote :

I set this up on karlstaging (which is VERY slow at the moment) and logged in from what I thought was a new "device". I didn't see an email get generated.

Revision history for this message
Carlos de la Guardia (cguardia) wrote :

It did work locally. Maybe I will need to debug on staging? Did you use a different computer or just a different browser?

Revision history for this message
Paul Everitt (paul-agendaless) wrote : Re: [Bug 1640540] Suspicious login notification

I barely used a different browser…I used Firefox in “Private Mode”.

Can you kick the tires on staging and see?

—Paul

> On Nov 18, 2016, at 5:28 PM, Carlos de la Guardia <email address hidden> wrote:
>
> It did work locally. Maybe I will need to debug on staging? Did you use
> a different computer or just a different browser?
>

Revision history for this message
Carlos de la Guardia (cguardia) wrote :

I was not able to use the staging server or even ssh in. Is something wrong with it?

Revision history for this message
Paul Everitt (paul-agendaless) wrote :

Yeh, FC did a kernel update and threw production/staging into some issues.

—Paul

> On Nov 19, 2016, at 12:53 AM, Carlos de la Guardia <email address hidden> wrote:
>
> I was not able to use the staging server or even ssh in. Is something
> wrong with it?
>

Revision history for this message
Paul Everitt (paul-agendaless) wrote :

I received the email this morning, everything looked fine, so false alarm on my part, sorry.

—Paul

> On Nov 19, 2016, at 7:07 AM, Paul Everitt <email address hidden> wrote:
>
>
> Yeh, FC did a kernel update and threw production/staging into some issues.
>
> —Paul
>
>> On Nov 19, 2016, at 12:53 AM, Carlos de la Guardia <email address hidden> wrote:
>>
>> I was not able to use the staging server or even ssh in. Is something
>> wrong with it?
>>

Changed in karl4:
status: Fix Committed → Fix Released