Tor Users Urged To Update After Security Breach

January 31, 2010

From the better-really-late-than-really-never dept. and Slashdot YRO: If you use Tor, you’re cautioned to update now due to a security breach. In a message on the Tor mailing list dated Jan 20, 2010, Tor developer Roger Dingledine outlines the issue and why you should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha now: ‘In early January we discovered that two of the seven directory authorities were compromised (moria1 and gabelmoo), along with metrics.torproject.org, a new server we’d recently set up to serve metrics data and graphs. The three servers have since been reinstalled with service migrated to other servers.’ Tor users should visit the download page and update ASAP.

Unfortunately for me, on one of my computers, along with the security upgrade there's also a bit of TLS weirdness happening which keeps the Tor client from ever joining the network. Good thing I've got other computers with alternative OSs on them that I can use for my anonymous work on the intertubes.

Firefox 3.6 Offers Built in Plugin Detection and Updating

January 24, 2010

From the Mozilla-is-mo-better dept: Of the many incremental improvements that v3.6 offers over v3.5, my favorite is the built-in plugin detection, which works on a per-page basis.

Considering that out-of-date, easily exploited plugins are one way to lose control of your computer (and the valuable information that you store on it), this is a nice touch, and an easy way to keep everything important up to date.

For minimalists and control freaks like me, there’s an even easier way that’s been available for a while now: run Mozilla’s online Plugin Check service as your start page – that way you know which of your plugins are enabled and their status before you venture out into the big bad web.  And it even works with older versions of Firefox in case you’re not able to upgrade.

Upside to Google’s Adventures in China?

January 20, 2010

From the silver-lining dept and Slashdot: Here's one possible outcome of Google's recent spate of problems with the Chinese government: they've now decided to make HTTPS the default transport for their Gmail service.

While this move didn't get as much attention as all the other "big issue" stories, it is a minor victory of sorts for NGOs and activists whose activities might attract the attention of the Chinese government. By making secure transmission the default, non-tech-savvy users no longer have to find and change a setting themselves to protect their communications.

Neither "God" Nor "Password" Shall Ye Use: Most Common Hotmail Passwords Revealed

October 8, 2009

From Wired and the dept-of-deja-vu-dept: A researcher who examined 10,000 Hotmail, MSN and Live.com passwords that were recently exposed online has published an analysis of the list and found that “123456” was the most commonly used password, appearing 64 times.

Forty-two percent of the passwords used lowercase letters from “a to z”; only 6 percent mixed alpha-numeric and other characters.

That’s right, only 6% used mixed alpha-numerics, and this isn’t the first time that it’s been documented just how dunderheaded some people can be when it comes to doing the Right Thing™.

Great Zeus on high, how hard can it be to come up with a decent password? Not too hard, I dare say…
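As an added illustration (not from Wired or the researcher the article cites), here is the kind of composition analysis the quoted figures come from, run over a constructed list of twenty passwords standing in for the leaked dump, plus a minimal "decent password" check of the sort the question above invites. The bucket definitions (digits-only, lowercase-only, alphanumeric, mixed) are my own reading of the article's categories.

```python
"""Composition statistics over a leaked password list, the kind of analysis
the Wired piece describes.  SAMPLE_PASSWORDS is constructed for this example
and is not the real Hotmail dump."""
from collections import Counter

SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "123456", "123456789", "111111",
    "password", "alejandra", "alberto", "tequiero", "iloveyou",
    "alejandro", "daniel", "estrella", "qwerty",
    "Daniel1", "hola123", "estrella2",
    "Tr0ub4dor&3", "P@ssw0rd!",
]

def char_classes(pw):
    """How many of lower / upper / digit / other the password draws on."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])

def classify(pw):
    """Bucket a password the way the quoted statistics do (my definitions)."""
    if pw.isdigit():
        return "digits-only"
    if pw.isalpha() and pw.islower():
        return "lowercase-only"
    if pw.isalnum():
        return "alphanumeric"   # letters and digits (or mixed case), no symbols
    return "mixed"              # letters/digits plus at least one other character

def analyze(passwords):
    """Frequency and composition report over the whole list."""
    freq = Counter(passwords)
    comp = Counter(classify(p) for p in passwords)
    total = len(passwords)
    return {
        "total": total,
        "most_common": freq.most_common(1)[0],
        "top10": [p for p, _ in freq.most_common(10)],
        "composition": comp,
        "percent": {k: round(100.0 * n / total, 1) for k, n in comp.items()},
    }

def is_decent(pw, report, min_len=12):
    """Minimal bar for a decent password: not on the list's top ten, at least
    min_len characters, and either three character classes or passphrase length."""
    if len(pw) < min_len or pw.lower() in report["top10"]:
        return False
    return char_classes(pw) >= 3 or len(pw) >= 16

if __name__ == "__main__":
    report = analyze(SAMPLE_PASSWORDS)
    print("most common:", report["most_common"])
    for bucket, pct in sorted(report["percent"].items()):
        print("%-15s %5.1f%%" % (bucket, pct))
    for candidate in ("123456", "P@ssw0rd!", "correct horse battery staple"):
        print("%-30r decent: %s" % (candidate, is_decent(candidate, report)))
```

Run against a real dump the same code gives the two numbers the article leads with (the single most common string and the share that is lowercase-only); the `is_decent` rule is deliberately simple, and the passphrase branch is there so that a long all-lowercase phrase is not penalised for lacking symbols.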

A(nother) Brief Hiatus from Blogging: Development & Testing VaultletSuite 2 Go, v2.9

September 5, 2009

From the at-least-they’re-not-chainsaws-we’re-juggling department: For those of you keeping score, it’s been a while since I’ve blogged on privacy or security issues.

That would be because we’re currently finishing up development and testing the latest version of the VaultletSuite 2 Go, v2.9.

Stay tuned for more “P” Word once v2.9 goes into production!

Keystroke Loggers Are Back – This Time in Real Time

August 24, 2009

From Slashdot, the New York Times and the what’s-olde-is-new-dept: The NY Times has a story… on a weapon now being wielded by bad guys (most likely in Eastern Europe, according to the Times): Trojan horse keyloggers that report back in real-time. Real-time keyloggers were first discovered in the wild last year, but the …Times article should bring new attention to the threat.

So now that the Bad Guys™ are hoovering up your authentication credentials in real time (not "real" real time, but faster than before), they've managed to break one particular implementation of a two-factor authentication scheme.

Not bad, but the real threat is quite a bit less esoteric: continuous reporting of keystrokes gives miscreants a larger window of time to operate in. The dangers presented by keystroke loggers could be largely mitigated by using some not-so-common sense: keeping your computer clean and healthy, and maybe even switching to a minority operating system (while keeping your newly developed good habits), eliminates a large share of the threats you're likely to face.
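The Times piece doesn't say which two-factor scheme was defeated. The example below, added here and not taken from the article, assumes a time-based one-time password (TOTP, RFC 6238, with the RFC's own test-vector key so the output can be checked) and simulates why relay speed is what matters: a code forwarded within its 30-second step is accepted, one forwarded minutes later is not. It also shows the one check a verifier should have, refusing to accept the same time step twice, which stops the replay of an already-used code but not a relay that reaches the server before the victim does.

```python
import hmac
import hashlib
import struct

# Shared secret: the RFC 6238 test-vector key, reused here purely so the
# output can be checked against the RFC; a real token has its own secret.
SECRET = b"12345678901234567890"
STEP = 30          # seconds per time step (assumption: the common default)
DIGITS = 6

def totp(secret, t, step=STEP, digits=DIGITS):
    """TOTP per RFC 6238: HOTP (HMAC-SHA1, dynamic truncation) over the time counter."""
    counter = int(t) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return "%0*d" % (digits, code)

class Verifier:
    """Server side.  Accepts a code for the current step or one step either
    side (clock skew); with one_time=True a step already consumed is refused."""
    def __init__(self, secret, skew=1, one_time=True):
        self.secret, self.skew, self.one_time = secret, skew, one_time
        self.last_counter = -1

    def verify(self, code, now):
        base = int(now) // STEP
        for counter in range(base - self.skew, base + self.skew + 1):
            if hmac.compare_digest(totp(self.secret, counter * STEP), code):
                if self.one_time and counter <= self.last_counter:
                    return False              # replay of a step already used
                self.last_counter = max(self.last_counter, counter)
                return True
        return False

T0 = 1_700_000_000   # constructed fixed "now" so the run is deterministic

def simulate(relay_delay, one_time=True, victim_first=True):
    """The victim types a code at T0; a keylogger forwards it relay_delay
    seconds later.  Returns (victim_accepted, attacker_accepted)."""
    server = Verifier(SECRET, one_time=one_time)
    code = totp(SECRET, T0)
    victim_ok = server.verify(code, T0) if victim_first else None
    attacker_ok = server.verify(code, T0 + relay_delay)
    return victim_ok, attacker_ok

if __name__ == "__main__":
    for delay in (5, 300):
        print("relay after %3ds, no replay check: %s" % (delay, simulate(delay, one_time=False)))
    print("relay after   5s, replay check:     %s" % (simulate(5),))
    print("attacker logs in first, replay check: %s" % (simulate(5, victim_first=False),))
```

The last case is the one the article is really about: if the relayed code reaches the bank before the victim's own login does, the replay check cannot tell the two apart, and it is the victim who gets rejected. Anything that binds the second factor to the transaction rather than to the session (so the code signs what is being done, not merely who is logging in) is what a real-time keylogger cannot forward.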

So you think getting people to “do the right thing” by their computers and data is impossible?  It wasn’t too long ago that people weren’t washing their hands before eating or preparing food, nor were they covering their mouths when they sneezed.

Good computer hygiene practices can be learned.  And understood.

Guess What? Many Social Security Numbers Can Be Guessed

July 8, 2009

From Slashdot, Wired, and the when-is-a-secret-not-a-secret-dept: The nation's Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual's date and location of birth.

Knowing someone's SSN is a key part of identity theft. Because this "secret" is so easily obtained (or guessed), somebody can assume your identity, rob you blind, and leave you with years of pain and suffering trying to document that you weren't the one who ran up tens of thousands of dollars of bad debt.

Protecting your not-so-secret SSN is impossible, because everybody with a financial interest in "knowing you" (worse than the biblical sense) has easy access to this number. Further complicating matters, these same entities have no financial incentive to protect it, because they're not the ones who pay the price for wrecking your financial life. You do.

So what to do? Put a freeze on your credit and lift it manually every time you need to modify your lines of credit? Pay an outrageous sum to the big three so that they report any "suspicious" activity related to your credit history?

What's really needed is a fundamental change in thinking: up until now, business and government have confused your identity with authentication. They are not the same thing! While the former might identify you within a database, the latter confirms that you are indeed the account holder through the use of a secret that only you would know. For a more concrete example, think of your email address and the password you use to access your email: the address identifies you, your secret password authenticates that you are the account holder (more or less).

As you can see, much has to change before this problem gets fixed.

Coming Soon to an Airport Near You: Mandatory TSA Porn?

May 20, 2009

From Slashdot and the whatcha-got-on-under-all-that dept: “Not content to simply follow the ‘anything to protect American lives’ mantra, freshman Representative Jason Chaffetz (R-Utah) has introduced a bill to prohibit mandatory full body scans at airports. Chaffetz states, ‘The images offer a disturbingly accurate view of a person’s body underneath clothing … Americans should not be required to expose their bodies in this manner in order to fly.’”

Sounds like the dreaded and shopworn “monster under the bed” is back.  Again.

So let’s try another little thought experiment: It could be amusing, if not enlightening, to propose that *every single one* of the TSA’s employees (sorry, no excuses) be body scanned by these devices, and then have those images made available online, if not simply displayed at random in public places like, say, an airport.  Just to see how they would react.

I’d bet good money that a significant portion of them would have a problem with that, if not stage an outright revolt against their employer for using a technology on them that’s as invasive as this is.

Perhaps then they might get a bit of insight as to why some of us resent having to "drop trouser" in a public place. And to what end would we travelers be obligated to participate in this dehumanizing security farce? Ah yes, that most wily and elusive "monster under the bed".

I feel better already knowing that the TSA’s on the case.

Let the TSA know what you think by signing the Privacy Coalition's Stop Whole Body Imaging petition.

From April Fools to April's Close: Conficker's History in 150 Words or Less

April 30, 2009

From the that’s-quite-a-joke-you-got-there-dept: 60 Minutes said that “The Internet is infected”. Meanwhile, Conficker was getting quite a bit of press in other venues too. Towards the end of May, Univision interviewed me about the danger it represented. Many [Windows] computer users waited for the impending doom and then…

nothing happened. And many had a good laugh.

Except that something important did happen, and quietly too: Conficker began calling home and morphing into something else.  And an interesting homemade diagnostic eyechart was published.  And discussed.

The important thing to remember is that people were warned and had ample opportunity to mitigate their risk. As late as January 2009, 1 in 3 Windows PCs were still vulnerable to Conficker, a full 80 days after Microsoft had published the patch, which means the patch was issued in October 2008.

Talk about a slow motion train wreck that could have easily been avoided.

Of course, if you’re running Linux or OS X, you probably snickered, felt superior and/or laughed up your sleeve, because you ducked this one.  This time.

Google Warns: The Internet May Harm Your Computer?

February 12, 2009

From WashingtonPost.com’s Security Fix: A glitch in a computer security program embedded deeply into Google’s search engine briefly prevented users of the popular search engine from visiting any Web sites turned up in search results this morning. Instead, Google users were redirected to a page that warned: “This site may harm your computer.”

Why, of course the Intertubes can damage your computer. Especially if you're running an unpatched version of Windows as "administrator", with no firewall, no anti-virus, and browsing with insanely out-of-date versions of Internet Explorer and Flash, among others.

This is the default position I take when teaching “Practical Privacy and Simple Security” for people working in adverse conditions: assume that it’s insecure until you’ve taken the appropriate steps to assure otherwise.

Fortunately, in this case it was just a minor string matching goof writ large.
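The goof, as Google described it afterwards, was a stray "/" entry checked into the bad-URL list: matched as a string, "/" is a prefix of every URL path, so every result got the warning. The block below is an added reconstruction of that failure mode, not Google's code; the blocklist entries are constructed. It shows the naive substring matcher misfiring, a loader that rejects host-less entries at check-in time, and a matcher that compares host and path separately so that neither "/" nor "evil.example/" can match more than it should.

```python
from urllib.parse import urlsplit

# Constructed blocklist: two plausible entries and the stray "/" that
# turns a naive matcher into "flag everything".
SAMPLE_LIST = ["evil.example/", "badsite.example/drive-by/", "/"]

def naive_is_flagged(url, entries):
    """Substring match on the scheme-less URL: the entry '/' hits every URL,
    and 'evil.example/' also hits 'notevil.example/'."""
    bare = url.split("://", 1)[-1]
    return any(entry in bare for entry in entries)

def parse_entry(entry):
    """Split 'host/path-prefix' and refuse entries that carry no host."""
    host, _, path = entry.partition("/")
    if not host:
        raise ValueError("blocklist entry without a host: %r" % entry)
    return host.lower(), "/" + path

def load_blocklist(entries):
    """Validate on load: return (accepted, rejected) so a bad entry is
    caught when the list is built rather than when it is served."""
    accepted, rejected = [], []
    for entry in entries:
        try:
            accepted.append(parse_entry(entry))
        except ValueError:
            rejected.append(entry)
    return accepted, rejected

def strict_is_flagged(url, parsed_entries):
    """Match the host (exact or subdomain) and the path prefix separately."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for bhost, bpath in parsed_entries:
        if (host == bhost or host.endswith("." + bhost)) and path.startswith(bpath):
            return True
    return False

if __name__ == "__main__":
    accepted, rejected = load_blocklist(SAMPLE_LIST)
    print("rejected entries:", rejected)
    for u in ("http://www.google.com/", "http://evil.example/anything",
              "http://notevil.example/", "http://cdn.badsite.example/drive-by/x.html",
              "http://badsite.example/about"):
        print("%-45s naive=%-5s strict=%s" % (u, naive_is_flagged(u, SAMPLE_LIST),
                                              strict_is_flagged(u, accepted)))
```

The point is less the matcher than the loader: a list that feeds a check run against every search result deserves a validation step that refuses an entry which cannot name a host, and a test that asserts a known-good URL is not flagged before the list is pushed.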

Doubly fortunate is that it’s not that hard to protect the valuable information that lives on your computer’s hard drive and enters and exits through your network connection.