Archive for the ‘Privacy’ Category

NSA peepers

Posted: June 9, 2013 by IntentionalPrivacy in Cell phone, Privacy, Social media
Tags: , , , , ,

Coming on the heels of the Verizon snooping story last week is a remarkable article by The Washington Post that alleges the NSA collects data, codenamed “PRISM,” from “Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.” http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html Make sure you watch the video also.

Then there’s the AP surveillance case, which you can read about here.

One of my favorite quotes from one of my favorite movies, Sneakers, is where Cosmo saysThere’s a war out there, old friend. A world war. And it’s not about who’s got the most bullets. It’s about who controls the information. What we see and hear, how we work, what we think… it’s all about the information!”

Yes, I believe that’s true.

Business Insider wrote another article here about a statement issued by US Director of National Intelligence James R. Clapper Jr., which declares PRISM is used lawfully to gather foreign intelligence.

What can you do about snooping?

  • Don’t use Facebook, Yahoo, Hotmail, Gmail, Skype, YouTube, etc.
  • Maintain your super secret data on an encrypted computer running something like SELinux using TEMPEST technologies that never connects to the Internet. Never!
  • Don’t use a cell phone to make important calls and don’t carry a cell phone with you. In fact, don’t make important calls from land lines either.
  • Have your super secret conversations in person in a windowless room that you’ve swept for bugs.
  • You ought to be shredding your discarded paperwork anyway!

I mean, I could go on … but is any of this practical? Not really (except for the shredding).

The ACLU says:

In 2012, Sens. Ron Wyden (D-Ore.) and Mark Udall (D-Colo.) wrote, “When the American people find out how their government has secretly interpreted the Patriot Act, they are going to be stunned and they are going to be angry.”

Am I surprised about the WP expose article? No. The sad thing? Do I feel safer because of this snooping? No, not really. Yes, I understand that there have to be tradeoffs between privacy and security.

Is anybody surprised that Gmail Vault permanently stores drafts of email?

Posted: June 3, 2013 by IntentionalPrivacy in Privacy
Tags: , , ,

I read an article at SC magazine yesterday about how Gmail Vault saves every draft of every email–as well as versions of drafts–timestamped, sent or unsent, from a Gmail account that uses Vault. Vault is an email storage service that costs $5/month for organizations that use Google Apps.

If the organization that you work for uses Gmail for their email server, then they could have access to every email in Vault without even having to ask for your credentials. Note: this doesn’t mean that your organization will access your email, or even that it’s legal, but they could have access if they wanted it.

What does this mean to you?

  1. Don’t assume you have privacy in organizational email. You really don’t.
  2. Don’t assume your personal email is private, unless you use some kind of encrypted email program. Think of any information sent in email as being sent on a postcard.
  3. Don’t send personal email from your organization’s email, even those pictures of cute kittens.
  4. Don’t receive personal email to your organization’s email. Not only is it unprofessional, but do you want your boss to have the possibility of knowing … about family, medical, or financial issues? (Or see those pictures of cute kittens?)
  5. If you need to start an email that you’re not sure you want to send, write it out on paper. That can be shredded and will be difficult to reconstruct.

That article brings up another question: How can you encrypt personal  email? There are some alternatives to investigate to see if one of them will work for your situation. Here are some providers of free, secured email:

  • A Canadian company called Hushmail offers free encrypted email. You can see what they offer at https://www.hushmail.com/. But anyone you send Hushmail to has to have a public encryption key or also sign up with Hushmail.
  • S-Mail is an Irish company; their email encryption service is also free. You can investigate them further at http://s-mail.com/
  • Comodo SecureEmail also has a version that’s free for personal use, which works with Windows. Comodo is an international company with a US headquarters based in Clifton, NJ. Their product is explained here http://www.comodo.com/home/email-security/secure-email.php

I’m going to test drive each of them and report back on ease of use.

http://www.scmagazine.com.au/News/344955,google-vault-saves-every-gmail-draft-youve-ever-written.aspx

Leave no trace …

Posted: May 31, 2013 by IntentionalPrivacy in Cell phone, Privacy, Security or Privacy Initiatives, Social media
Tags: , , , ,

I ran across this new app called “Wickr,” available from the iTunes store. I haven’t tested it yet, but it sounds amazing. It is supposed to be available for Android soon. Best of all, the basic version is FREE.

What does Wickr do? It’s an app that sends encrypted communications—photos, video, texts, email—to people you trust. Then, at a predetermined time, that communication will self destruct. It uses Advanced Encryption Standard (AES), Elliptic Curve Diffie-Hellman (ECDH), and Transport Layer Security (TLS) algorithms for encryption, which Wickr talks about here https://www.mywickr.com/en/downloads/RSA_Security_Announcement.pdf

Caveat: Don’t lose your password! You lose access to your account. Also, make sure that you read the “Frequently Asked Support Questions” before you install the app, so that you understand how it works.

More stories about Wickr:

http://news.cnet.com/8301-1009_3-57462189-83/wickr-an-iphone-encryption-app-a-3-year-old-can-use/

http://www.npr.org/2012/12/04/166464858/online-privacy-fix

http://bits.blogs.nytimes.com/2012/06/27/an-app-that-encrypts-shreds-hashes-and-salts/

How Authentication Can Save Your Information

Posted: May 26, 2013 by IntentionalPrivacy in Identity theft, Privacy, Social media, Tips, Vulnerabilities
Tags: , , , , , , , , , ,

Twitter recently added a new security feature that allows you to have your phone send a security code that you use as your passcode when you log in. While it’s true that using more than one type of account verification can make your account safer, does Twitter’s new two-factor authentication really make your account safer? Maybe not. Watch Josh Alexander explain it in this YouTube video and decide for yourself: Personally, I agree with Josh Alexander that Twitter’s SMS-based two-factor as presented in the video doesn’t go far enough to protect your information.

What makes a safer log-in? Well, believe it or not, when your bank makes you enter your user name on one screen [hopefully using HTTPS; there should be a lock somewhere on the page] and then the next screen has a picture that you chose and/or asks a challenge question or might even save information about your computer like the IP address. If the picture is wrong or you expected challenge questions that didn’t appear, don’t log in! If you log in from a different computer, you may get one or more challenge questions that you must answer before you’re authorized to enter your account. Adding SMS onto one or more of these authentication methods might make your log-in safer.

Yes, it’s painful, but it’s safer.

Why is what the bank does safer than what Twitter’s doing?

Because if you’re not really at the bank’s site, the hackers won’t  know which picture you chose or the correct challenge questions to ask you. Hackers can’t (yet) make a bank website using your picture or the correct challenge questions, so it won’t be your account log-in.

What else makes online banking safer? According to this article http://news.yahoo.com/blogs/upgrade-your-life/banking-online-not-hacked-182159934.html, use WPA2 on your home wireless router, make sure your computer is virus free (OS patched, use an up-to-date antivirus program), and don’t use public Wi-Fi nor public computers. Another tip: Don’t choose challenge questions that anyone could easily find out about you, such as your mother’s maiden name. Under some circumstances, you can use your phone for online banking. Make sure you use a password screen lock on your phone. They also recommended that you have a remote wipe program installed on the phone; if your phone is lost or stolen you can remotely delete all the data off your phone. (Yes, remote wipe actually works. I tried it and bricked my iPhone, but the Apple Geniuses came through like champs!)

Payment cards that are Near Field Communication (NFC) are experiencing charging errors in the UK

Posted: May 19, 2013 by IntentionalPrivacy in Financial vulnerabilities, Privacy, Vulnerabilities
Tags: , ,

Payment cards that are Near Field Communication (NFC) are experiencing charging errors in the UK

What is NFC you say? It’s a card that is intended to work without it having to touch the card reader. The problem is some people are getting charged twice even though they didn’t take the card out of their wallets or purse. It’s a good idea to get a RFID-shielding cover for your debit / credit cards and your passport. Or you can make a cover from aluminum foil, instructions here http://www.rpi-polymath.com/ducttape/RFIDWallet.php

Note: the cover might not keep the card or passport from being read entirely, but it will cut down on the distance that the contents can be read at.

I do not recommend trying to damage the RFID chip.

This story is a timely reminder to keep an eye on your financial transactions!

Reason with Reason.com about Privacy …

Posted: April 27, 2013 by IntentionalPrivacy in Issues, Personal safety, Privacy, Vulnerabilities
Tags: , ,

Do you think more public surveillance cameras will make you safer? Will they make you feel safer? Or will they allow the authorities to track down perpetrators more easily? Reason.com’s article “Saying Privacy Is ‘Off the Table,’ NYC Police Commissioner Demands more Surveillance Cameras” is very enlightening.

Code 2600

Posted: March 27, 2013 by mikemarotta in Historical and future use of technology, Issues, Privacy, Vulnerabilities
Tags: , , ,

B-Sides Austin March 21-22, 2013, kicked off the night before with Jeremy Zerechak’s 82-minute documentary about the origins and present reality of computer privacy issues.

Code 2600 introduces modern cyber security via Sputnik and the Cold War which brought about the Defense Advanced Research Projects and the first computer network. The film also weaves in the threads of telephone systems and phone phreaking, and the transmutation of the computer from the behemoths of corporations and governments to the homebrew hacks that birthed the Apple computer. The result was an assault on your privacy which is magnified today by government agencies and private companies that compete for the control of the information that you create about yourself.
Code2600
More subtly, in the Cold War, we could see our attackers. We would know who launched the missiles. Today, the clues left by a cyber-attack are harder to trace. The war is going on right now with the governments of the USA and China hacking each other, as well as Britain hacking Norway. And corporations are really the leading edge players: everyone – civilian or military, government or corporation – uses the same operating systems and applications programs. The military is no longer the leading edge of technology: they buy it from the same places that you do.

The success of AOL was a milestone. When the computer information service bought Time-Warner it heralded the blossoming of the information age. But we are still in the middle of the story. We will not know for 50 years how this plays out.

“What should we be teaching young people about computers?” is the wrong question. Young people should be teaching us about how they use their devices, apps, and media, because that is the future.

Official Movie Trailer on YouTube here.

DHS can seize your electronic devices at border

Posted: February 11, 2013 by IntentionalPrivacy in Privacy, Traveling
Tags: , , ,

Read this article at http://www.wired.com/threatlevel/2013/02/electronics-border-seizures/ about how the Department of Homeland Security (DHS) can seize and search your electronic devices at the border without cause. The border as defined by DHS extends 100 miles inland from the physical US border.

How long can they keep your devices? It’s not really defined, although according to the Electronic Frontier Foundation (EFF), devices are usually return within 5 days.  How long can DHS keep your data and what can they do with it? Again, according to the EFF, procedures are not clear for handling sensitive or confidential data.

If you need to travel with electronics, the EFF has a guide on how to “make your data less vulnerable at the border” at https://www.eff.org/deeplinks/2010/11/effs-guide-protecting-devices-data-border. Always make sure that you back up your data before traveling, just in case any of your electronic devices are confiscated, lost, stolen, or damaged.

If you value your privacy, the EFF website is worth reading on a regular basis.

Facebook and More Privacy Issues…

Posted: February 8, 2013 by IntentionalPrivacy in Privacy
Tags: , ,

Read this article about a new feature that Facebook has in beta. If you value your privacy–even if you don’t have a Facebook account–it will scare you.  http://slashdot.org/topic/cloud/facebooks-graph-search-kiss-your-privacy-goodbye/ As Jeff Cogswell, the author, recommends, try the three searches at the middle of the page https://www.facebook.com/about/graphsearch/privacy.

I don’t post much on Facebook, but I still don’t like it! Not one little bit.

New vulnerabiltity discovered in Universal Plug and Play (UPnP)

Posted: February 8, 2013 by IntentionalPrivacy in Identity theft, Privacy, Vulnerabilities
Tags: , , , , , , ,

What is Universal Plug and Play? It is a protocol that allows network devices to talk to each other and it often runs on devices unless it is turned off. I have listed a few examples of devices that might have it enabled, which include such devices as home routers, printers, smart TVs, IP cameras, and home automation systems, but there could be many other types of devices that could have it turned on.

The first thing to check is your home router. How do you find out if your router is vulnerable? Rapid7 is a security research firm that has a free website-based tool that will check your router, available here http://upnp-check.rapid7.com/. Click the button “Scan My Router.” You do not have to install any software. It should take about 30 seconds to run.

If you want to check more than your router, there is a program on that page that you can download and run.

There is also a link to a page listing answers to frequently asked questions as well as a link to a more in-depth, technical explanation if  you’re interested.

Older Entries
Newer Entries