Unfortunately for me on one of my computers, along with the security upgrade, there’s also a bit of TLS · weirdness happening which keeps the Tor client from ever joing the network.  Good thing I’ve got other computers with alternative OSs on them that I can use for my anonymous work on the intertubes.

From Mozilla is mo-better dept

Considering that out-of-date, easily exploited plugins are one way to lose control of your computer (and the valuable information that you store on it), this is a nice touch, and an easy way to keep everything important up to date.

For minimalists and control freaks like me, there’s an even easier way that’s been available for a while now: run Mozilla’s online Plugin Check service as your start page – that way you know which of your plugins are enabled and their status before you venture out into the big bad web.  And it even works with older versions of Firefox in case you’re not able to upgrade.

From the silver-lining dept and Slashdot: Here’s one possible outcome of Google’s recent spate of problems with the Chinese government: They’ve now decided to make HTTPS the default transport option for their Gmail service.

While this move didn’t get as much attention as all the other “big issue” stories, it is a minor victory of sorts for NGOs and activists whose activities might attract the attention of the Chinese government.  By making secure transmission the default, non-tech-savvy users no longer have to go through this to protect their communications.

Forty-two percent of the passwords used lowercase letters from “a to z”; only 6 percent mixed alpha-numeric and other characters.

That’s right, only 6% used mixed alpha-numerics, and this isn’t the first time that it’s been documented just how dunderheaded some people can be when it comes to doing the Right Thing™.

Great Zeus on high, how hard can it be to come up with a decent password? Not too hard, I dare say…

That would be because we’re currently finishing up development and testing the latest version of the VaultletSuite 2 Go, v2.9.

Stay tuned for more “P” Word once v2.9 goes into production!

So now that the Bad Guys™ are hoovering up your validation credentials in real-time (not “real” real-time, but faster than before), they’ve managed to break one particular implementation of a Two-Factor Authentication scheme.

Not bad, but the real threat is quite a bit less esoteric: continuous reporting of keystrokes gives miscreants a larger window of time to operate in.  The dangers presented by keystroke loggers could be largely mitigated by using some not-so-common sense: Keeping your computer clean and healthy and maybe even switching to a minority · operating system (while keeping your newly developed good habits) means that you’ve just eliminated a large majority of your security threats.

So you think getting people to “do the right thing” by their computers and data is impossible?  It wasn’t too long ago that people weren’t washing their hands before eating or preparing food, nor were they covering their mouths when they sneezed.

Good computer hygiene practices can be learned.  And understood.

Knowing someone’s SSN is a key part of identity theft. Just by knowing this easily obtained (or guessed secret) means that somebody can assume your identity, rob you blind, and then leave you with years of pain and suffering trying to document that you weren’t the one who ran up tens of thousands of dollars of bad debt.

Protecting your not-so-secret SSN is impossible due to the fact that everybody with a financial interest in “knowing you” (worse than the biblical sense) has easy access to this number. Further complicating matters is the fact that these same entities have no financial incentive to protect it because they’re not the one who pays the price for wrecking your financial life. You do.

So what to do? Put a freeze on your credit and lift it manually everytime you need access to modifiy your lines of credit? Pay an outrageous sum to the · big · three so that they report any “suspicious” activity related to your credit history?

What’s really needed is a fundamental change in thinking: Up until now, business and government have confused your Identity with Authentication. They are not the same thing! While the former might identify you within a database, the later confirms that you are indeed the account holder (yourself) through the use of a secret that only you would know. For a more concrete example, think of your email address and the password that you use to access your email: the address identifies you, your secret password authenticates that you are the email account holder (more or less).

As you can see, much has to change before this problem gets fixed.

Sounds like the dreaded and shopworn “monster under the bed” is back.  Again.

So let’s try another little thought experiment: It could be amusing, if not enlightening, to propose that *every single one* of the TSA’s employees (sorry, no excuses) be body scanned by these devices, and then have those images made available online, if not simply displayed at random in public places like, say, an airport.  Just to see how they would react.

I’d bet good money that a significant portion of them would have a problem with that, if not stage an outright revolt against their employer for using a technology on them that’s as invasive as this is.

Perhaps then they might get a bit of insight as to why some of us resent having to “drop trouser” in a public place.  And to what end would we travelers be obligated to participate in this dehumanizing security farce?  Ah yes, that most wiley and elusive “monster under the bed”.

I feel better already knowing that the TSA’s on the case.

Let the TSA what you think signing the Privacy Coalition’s Stop Whole Body Imaging petition.

…nothing happened. And many had a good laugh.

Except that something important did happen, and quietly too: Conficker began calling home and morphing into something else.  And an interesting homemade diagnostic eyechart was published.  And discussed.

The important thing to remember is that people were warned and had ample opportunity to mitigate their risk – As far back as January 2009, 1 in 3 Windows PCs were still vulnerable to Conficker, a full 80 days after a patch was published by Microsoft.  That means the patch was issued in October of 2008.

Talk about a slow motion train wreck that could have easily been avoided.

Of course, if you’re running Linux or OS X, you probably snickered, felt superior and/or laughed up your sleeve, because you ducked this one.  This time.

From WashingtonPost.com’s Security Fix: A glitch in a computer security program embedded deeply into Google’s search engine briefly prevented users of the popular search engine from visiting any Web sites turned up in search results this morning. Instead, Google users were redirected to page that warned: “This site may harm your computer.”

Why, of course the the Intertubes can damage your computer.  Especially if you’re running an unpatched version of Windows as “administrator”, with no firewall, no anti-virus, and browsing with insanely out of date versions of Internet Explorer and flash, among others.

This is the default position I take when teaching “Practical Privacy and Simple Security” for people working in adverse conditions: assume that it’s insecure until you’ve taken the appropriate steps to assure otherwise.

Fortunately, in this case it was just a minor string matching goof writ large.

Doubly fortunate is that it’s not that hard to protect the valuable information that lives on your computer’s hard drive and enters and exits through your network connection.