Archive for the ‘Everyday Security’ Category

I’ve been meaning to mention this, but with my declining use of Facebook I didn’t have an example to show. This happens all kinds of places, but I’ve found Facebook to be one of the worst offenders.

So someone posts a link to something you want to read. Being a little paranoid, you copy the link and paste into your other browser.

http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.businessinsider.com%2Fsan-francisco-bagel-store-sells-nyc-bagels-2014-2&h=wAQEFDrUN&s=1

But what is all that junk? Some of it is tracking, so Facebook can tell what you clicked. Maybe it’s just the source website and not you personally, but you can’t tell. The rest is character encoding that obscures matters even more.

For some reason this happens to me even more with mobile browsers, where the lack of tools makes it annoying to escape.

First, get rid of the character encoding:

Eric Meyer’s URL Decoder/Encoder

Go to that page, paste your junky url in the text box, and click “Decode.” There you go, actual readable text. It’s a bit of JavaScript that converts the encoded characters back to normal ones.

Next, copy just the part that is the actual URL and paste that into your other browser. If you can figure it out, at any rate. This example is pretty simple: it’s everything from “http” to just before the “&”. In URL-speak, the & separates parameters, so the stuff after it is extra parameters. Maybe you need them to find the right page, but a lot of times you don’t. But they sure are handy for tracking stuff.

So when you get down to it, the actual thing I wanted to read is at

http://www.businessinsider.com/san-francisco-bagel-store-sells-nyc-bagels-2014-2

If I were so inclined, I could write a little script that would strip off all that other stuff. Ideally, it would be something I can host on a trustworthy server and would semi-automatically load the desired page after deciphering the location.
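Here is what that little script could look like, as an added example (not the blog author's code): it automates the two manual steps above, percent-decoding for readability and then pulling the real destination out of Facebook's `l.php` wrapper and dropping the tracking parameters. The wrapper host list and the `strip_query` allow-list are assumptions, and only the Python standard library is used.

```python
"""Unwrap a Facebook l.php redirect link to its real destination."""
from urllib.parse import parse_qs, unquote, urlencode, urlparse, urlunparse

# Known "link wrapper" endpoints (constructed list; www.facebook.com/l.php
# is the one shown in the post).
WRAPPER_PATHS = {("www.facebook.com", "/l.php"), ("l.facebook.com", "/l.php")}


def decode_url(url: str) -> str:
    """Step one from the post: turn %3A%2F%2F back into :// so a human can read it.

    Only use this for reading. Parse the *encoded* form (see unwrap), because a
    decoded target that itself contains '&' would be split in the wrong place.
    """
    return unquote(url)


def unwrap(url: str) -> str:
    """Return the destination hidden in a wrapper link, or the URL unchanged.

    Facebook carries the target in the `u` parameter; `h` and `s` are the
    tracking junk, so they are simply not copied over.
    """
    parts = urlparse(url)
    if (parts.netloc.lower(), parts.path) not in WRAPPER_PATHS:
        return url
    targets = parse_qs(parts.query).get("u")   # parse_qs percent-decodes values
    if not targets:
        return url
    target = targets[0]
    # Only hand back web URLs; refuse javascript:, data: and friends.
    if urlparse(target).scheme not in ("http", "https"):
        raise ValueError(f"refusing non-web target: {target!r}")
    return target


def strip_query(url: str, keep=()) -> str:
    """Drop every query parameter not in `keep` (the 'everything before the &'
    step, generalized: some pages really do need one or two parameters)."""
    parts = urlparse(url)
    kept = [(k, v) for k, vs in parse_qs(parts.query).items() if k in keep for v in vs]
    return urlunparse(parts._replace(query=urlencode(kept)))


def clean(url: str, keep=()) -> str:
    """Full pipeline: unwrap the redirector, then strip tracking parameters."""
    return strip_query(unwrap(url), keep)
```

Hosted behind a tiny web handler, `clean()` is the "semi-automatic" loader described above: it returns the real page address and nothing else is fetched until you decide to visit it.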

I read an article this week, and thought of it last night when I was at Bed Bath & Beyond, a chain housewares store.

Has Privacy Become a Luxury Good?

It was a last-minute thing and I didn’t happen to have one of the discount coupons that occasionally show up in our home mailbox addressed to “Neighbor.” So I paid full price for something I might otherwise have gotten a discount on.

But at the store there was a sign saying I could send a text message to some number and get a discount coupon on my phone. If I’m not going to give them my mailing address for one, I’m certainly not giving them my mobile number.

So I didn’t get the discount. It might not seem that way at first, but it’s paying for privacy too.

Another way to handle it is like “my” Safeway loyalty card (or the phone number linked to it, anyway.) A friend signed up years ago, and since then several of us have used the same phone number to access the discounts at the store and she gets any associated with card activity. I’ve used that phone number at stores all over the place (including Canada.) Sometimes I give that as my phone number when I have to provide one for a store account (like Fry’s rain checks.)

I’m usually kinda lax on installing OS updates, but I just came across the iOS 7.0.6 announcement. It’s pretty scary:

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

Apparently this allowed a certain category of attackers (“with a privileged network position,” so not just anybody) to see or modify data ostensibly protected by SSL. How could the session not be properly validated?

I don’t see many details online yet (look at the CVE site later) but now that a patch is available there will presumably be more discussion soon.

In the meantime, I’d be making with the updating…

Just found this, some mostly unnamed researchers have looked at the patch and determined OS X has the same problem. Ouch.

Apple security flaw could allow hackers to beat encryption

Update the Second: Well isn’t this interesting…

Apple’s SSL/TLS bug

The issue is a programming error, one that circumvented a necessary verification condition with an errant line of code. Every single programmer ever has made this error at some point, sometimes after an embarrassingly large number of years of professional work.

The hard part is making sure something or someone in your process catches it before it ships, because even the best programmers get tired and miss something. And that is a subject for an entirely different blog.
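To make the shape of that error concrete, here is an added illustration (not Apple's code, which is C inside Secure Transport): an HMAC stands in for the server signature, an early `return` stands in for the errant line, and the status codes and key are constructed. The point it shows is the difference between a check that fails open and one that fails closed when a step is skipped.

```python
"""One errant line that silently disables a verification step."""
import hashlib
import hmac

KEY = b"constructed-demo-key"        # stands in for the peer's public key
OK, BAD_SIG = 0, -9806               # constructed status codes: 0 means "verified"


def sign(message: bytes) -> bytes:
    """Produce the 'signature' the verifier is expected to check."""
    return hmac.new(KEY, message, hashlib.sha256).digest()


def verify_buggy(message: bytes, signature: bytes) -> int:
    """Fails open: err starts at OK and the errant line returns before the
    comparison runs, so every signature, valid or not, 'verifies'."""
    err = OK
    digest = hmac.new(KEY, message, hashlib.sha256).digest()
    return err          # errant line: everything below is unreachable
    if not hmac.compare_digest(digest, signature):
        err = BAD_SIG
    return err


def verify_fixed(message: bytes, signature: bytes) -> int:
    """The same routine with the errant line removed."""
    digest = hmac.new(KEY, message, hashlib.sha256).digest()
    if not hmac.compare_digest(digest, signature):
        return BAD_SIG
    return OK


def verify_fail_closed(message: bytes, signature: bytes) -> int:
    """Defensive shape: err starts at failure and only becomes OK after the
    comparison actually runs. If a stray early return ever skips the check,
    every connection is rejected, which gets noticed in testing instead of
    passing silently."""
    err = BAD_SIG
    digest = hmac.new(KEY, message, hashlib.sha256).digest()
    if hmac.compare_digest(digest, signature):
        err = OK
    return err
```

The unreachable-code shape is also exactly what a linter or compiler warning for unreachable statements exists to catch, which is the kind of process check the paragraph above is asking for.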

Ars Technica’s Lee Hutchinson has only posted the first installment, but this looks to be a seriously good piece on self-hosting email:

How to run your own e-mail server with your own domain, part 1

He starts off with a good dose of reality: it’s a lot of work, and when you screw it up you can make your online life really miserable really quick.

If you want to run a Linux mail server, either on your own physical server or a virtual hosted one, start reading. I’m collecting parts for my new server and I expect this to be useful even if I’m running OS X.

If you have never considered running a mail server, I’m not going to try to talk you into it. Maintaining your own for a few users is smaller in resources than a corporate server, but only somewhat smaller in complexity. You might, however, want to read how it works just to understand how email can be so broken.

I’m not typically a joiner on the whole change-your-userpic/post-this-banner thing, but I wanted to mention the upcoming day of online protest against surveillance. To participate, you can find info on The Day We Fight Back website.

I’ll be honest, when I first heard of it it sounded like a movie promo. Didn’t Independence Day have a tagline like that? Anyway…

Just changing your Facebook picture isn’t going to accomplish a whole lot, but a few things I’ve seen encouraged are much more practical:

First, and most important:

Write your Senators and Representative and tell them (politely) what you think about the NSA getting all up in everyone’s business. (They are doing it to everyone, including your Senators and Representative. You could mention that.)

If you are a US citizen, this is the single most useful thing you can do (presuming you don’t also have a boatload of money to follow it up with.) If you are in California, we have the special pleasure of being represented by Senator Feinstein, the chair of the Senate intelligence committee. And, no, I haven’t exactly been agreeing with her statements on this topic.

A comment on sending emails to politicians is in order, however: use an email address you don’t mind being forever subscribed to their mailing lists. Because you will.

Second, use HTTPS wherever possible (and if you run a website, get a cert and enable it for your users.) Most people don’t use encryption, and some law enforcement agencies have straight up said they consider encrypted communications to be suspicious on that basis alone. The more we do it routinely, not only the less unusual it is but also the harder it will be to lump everyone in as a terrorist-by-association.

Getting certs for my domains has been on the to-do list for a while, although I admit I haven’t done a whole lot about it. Paying for yet another thing is kinda annoying, so I haven’t gone that route. I tried to get a free one, but ran into problems because I don’t use the “correct” email as my domain contact. (You wouldn’t either, if you had a choice: spam galore.) One of these days I’ll figure that out.

Putting a banner on your site or posting to your own social media accounts is only valuable if it has the chance of encouraging someone else to do one of the above. Write your own tweet, blog post, interpretive dance, whatever, if that is your thing. Awareness is important, nothing starts without it. But action is what changes things. And technologists have for too long ignored how politics works.

I wanted to comment on this, because it’s kinda scary: someone’s personal domain was hijacked to get at his twitter account. Ars has a discussion about what happened, and the user himself did basically everything right. It was the employees of various companies (mainly his domain registrar) that facilitated the attack.

Picking up the pieces after the @N Twitter account theft

I use a personal domain for some of my email, so that hit close to home. My registrar allows me to “lock” my domain settings, basically meaning nobody can change anything until I login and unlock it. Would that have stopped something like this? I hope so. But even the best measures are not always successful at thwarting a determined attacker.

Now I’m going to get on an airplane, have fun contemplating the implications.

I spent some time today fiddling with browser settings to get some website to work, so I thought I’d talk about the browsers I use and why.

First, I don’t actually want to claim one browser is better than another. I have the ones I do because they serve my purpose and that’s as much as a recommendation you’ll get from me.

My primary browser is Firefox; I use it mainly because I was able to install the NoScript plug-in. This lets me control site by site which domains are allowed to execute JavaScript and Flash. When I globally disabled them, I immediately discovered a more civilized web experience: most commenting systems require JS and many annoying animations involve Flash.

Unfortunately that also means if I do want some nifty thing, I have to figure out what to enable. Which of the 25 domains identified have the JavaScript that runs this video? It often takes several minutes of trying different options to discover which set of cookie and script settings will make something function, and then I can permanently allow only those. Sometimes I can’t figure it out at all, which leads to Browser Number Two…

Since I’m on a Mac, I got Safari by default. I leave it with nearly the standard settings, which accept cookies and scripts from everything. (I do block 3rd-party cookies.) I use it for websites I trust and use frequently, or the occasional one where I can’t figure out which combination of security settings will make the stupid thing work. My most used feature is “Reset Safari” to blow away all cached data. It’s sometimes fun to start fresh and go to a site just to see the absurd number of cookies it sets merely loading the front page.

Now of course I have some work websites that require a lot of scripts to function, but I don’t want to be constantly logging in. For that I create an entirely different user on my Mac, and login there when I want to do work. New user, new browser settings (but similar policy between browsers.)

These two browsers served me well for a long time, and then along came Facebook. As much as I get annoyed by it, I use Facebook a lot so I didn’t want to login all the time. And it requires a ton of cookies and scripts. For a while I tried to limit what it had access to and muddle through, but one day I realized that other websites were using Facebook’s cookies.

How did I figure that out? So it goes like this… Since I’ve been attempting to learn Italian for a while, I started changing the language settings on a few sites. This meant that Facebook’s Like button became “Mi piace.” One day I went to Another Website That Shall Remain Nameless and found a familiar little blue icon: “Mi piace.” I had not provided any language preferences to that site, so it had to be getting it from Facebook. Not cool. I installed Chrome, and now that is my Facebook sandbox so it doesn’t have to share with anybody else.

This reduces the browsing information collected from my machine, but it is hardly simplifying my life. When I see a link on Facebook, I copy it and paste it into Firefox to open. Maybe it works, maybe I have to make some temporary changes to my NoScript settings. Maybe it still doesn’t work and I try Safari. Maybe I no longer care and I give up on that cat video. A few sites I’ve given up on entirely because there isn’t enough value to be worth the effort.

I first saw this yesterday, but Ars has a much better article about it:

Protesters show up at the doorstep of Google self-driving car engineer

Update: more articles

In defense of militant anti-Google protests
The tech protests get personal — and ugly

Yesterday morning, a group of protesters demonstrated at the home of a Google engineer. The flier they handed out to his neighbors is super creepy, clearly they have been stalking him and his family.

He owns a home, which generally means your name and address are a matter of public record. If we owned a house, so would ours, but for now we don’t. What we do have is a mailbox service, which is our legal address for every purpose that doesn’t specifically require a residence address. It’s a nice thing to have for convenience (no change of address when you move, someone always to accept packages) but it has some interesting side-effects.

I can give out my mailing address, not exactly with impunity, but for purposes I might not be comfortable with otherwise. For example, I’ve attended some retreats where the participants’ contact info is distributed. I can talk about being away from home without a stranger knowing where our empty apartment is. My amateur radio operator’s license uses the mailing address (and that’s easily located public information.)

We also have domains registered, which if you are going to abide by the “rules of the Internet” requires a functioning postal address. If you look up any of my domains (and I must presume that the entire Internet has the ability to do this) you will see only the mailing address. It’s not impossible to get our residence address, but given California state law the valid reasons for it being released to a third party are very limited.

Now the downside of this is that when you do have to provide proof of residence address (it happens on occasion) it can be quite a bother. Which reminds me, I have to change the vehicle registration back to the mailbox now that we have a parking permit for the car — subsequent renewals don’t require documentation, and they don’t care what is on your drivers license.

Just to report back about Global Entry: wow! There was a pretty big line, but once I made it through the crowd headed to the regular line I was nearly out as fast as I could walk. (No bag to claim either.)

It took two minutes at the kiosk because I had to read the instructions. It scans your passport and then fingerprints. Next I headed over to the crew/diplomat line where there was one person in front of me. But the officer waved me over, other passenger still at the counter, and let me go with a cursory check of my kiosk receipt.

I didn’t need to fill out a customs declaration, either. I indicated at the kiosk I had food, as I always do when I’m carrying snacks, but most of the time I don’t have to talk to APHIS anyway, so not much different there.

So whether or not you agree with the data collection required by the program, it sure does get you through faster if you aren’t flagged for inspection.

Yesterday I decided to finally take a look at the iOS app E*Trade has been telling me all those wonderful things about. I’d been kinda skeptical about managing my brokerage account from my phone, but sometimes it’s nice to check on stuff. (Like if I actually transferred that money from savings to cover a check.)

Other reviewers can discuss the features (which seem a little clunky and definitely overly complex) but what I wanted to investigate is how the app secures data over the network.

The info about it from the App Store says it’s all wonderful and secure and stuff, because data is stored on the server and never on the device. That’s nice. And the website is all about how secure it is. Spiffy. How, exactly, is data protected as it goes from here to there? No Comment. Not even marketing copy about “Industry-Standard 938,842-bit Encryption.”

When I started up the app, the first thing I got was a giant agreement to read and accept. It was clearly written by lawyers, because there is an entire paragraph where they disclaim any and all liability for network data security. The user is responsible for ensuring the device’s connection to the Internet is reliable and secure, blah blah blah. (I tried to find a copy of this online, but haven’t yet.) As far as I can tell, they can send everything absolutely in the clear and according to the user agreement it would be just fine.

So I did what any self-respecting, security-aware user would do (no, not fire up Wireshark, or at least not yet): I called them up and asked.

The mobile trading support guy said “Of course everything is encrypted.” Ok, good. My comment about SSL was answered with “whatever that is.” Ok, he’s not a developer. I mentioned it would be nice if the description of the app actually said something about the encryption standards used, and he agreed.

What I got out of this exercise is that E*Trade almost certainly contracted out the development of their mobile apps (which is normal) and their customer-facing support staff doesn’t know much about the details of data protection for them (which is disconcerting.) I know enough iOS developers that the people who built the app were probably not so stupid as to ignore data security, but there was a breakdown in communication between them and the online documentation. I hope my feedback actually gets to someone who knows what SSL is.

In the meantime, if I absolutely must do something while away from my computer, I’ll turn on the VPN connection and at least keep it from being sniffed over the air. And look for an app update with a full description of how the app protects my data in transit.