I’m not typically a joiner on the whole change-your-userpic/post-this-banner thing, but I wanted to mention the upcoming day of online protest against surveillance. To participate, you can find info on The Day We Fight Back website.

I’ll be honest, when I first heard of it it sounded like a movie promo. Didn’t Independence Day have a tagline like that? Anyway…

Just changing your Facebook picture isn’t going to accomplish a whole lot, but a few things I’ve seen encouraged are much more practical:

First, and most important:

Write your Senators and Representative and tell them (politely) what you think about the NSA getting all up in everyone’s business. (They are doing it to everyone, including your Senators and Representative. You could mention that.)

If you are a US citizen, this is the single most useful thing you can do (presuming you don’t also have a boatload of money to follow it up with.) If you are in California, we have the special pleasure of being represented by Senator Feinstein, the chair of the Senate intelligence committee. And, no, I haven’t exactly been agreeing with her statements on this topic.

A comment on sending emails to politicians is in order, however: use an email address you don’t mind being forever subscribed to their mailing lists. Because you will.

Second, use HTTPS wherever possible (and if you run a website, get a cert and enable it for your users.) Most people don’t use encryption, and some law enforcement agencies have straight up said they consider encrypted communications to be suspicious on that basis alone. The more we do it routinely, not only the less unusual it is but also the harder it will be to lump everyone in as a terrorist-by-association.

Getting certs for my domains has been on the to-do list for a while, although I admit I haven’t done a whole lot about it. Paying for yet another thing is kinda annoying, so I haven’t gone that route. I tried to get a free one, but ran into problems because I don’t use the “correct” email as my domain contact. (You wouldn’t either, if you had a choice: spam galore.) One of these days I’ll figure that out.

Putting a banner on your site or posting to your own social media accounts is only valuable if it has the chance of encouraging someone else to do one of the above. Write your own tweet, blog post, interpretive dance, whatever, if that is your thing. Awareness is important, nothing starts without it. But action is what changes things. And technologists have for too long ignored how politics works.

I wanted to comment on this, because it’s kinda scary: someone’s personal domain was hijacked to get at his twitter account. Ars has a discussion about what happened, and the user himself did basically everything right. It was the employees of various companies (mainly his domain registrar) that facilitated the attack.

Picking up the pieces after the @N Twitter account theft

I use a personal domain for some of my email, so that hit close to home. My registrar allows me to “lock” my domain settings, basically meaning nobody can change anything until I login and unlock it. Would that have stopped something like this? I hope so. But even the best measures are not always successful at thwarting a determined attacker.

Now I’m going to get on an airplane, have fun contemplating the implications.

I spent some time today fiddling with browser settings to get some website to work, so I thought I’d talk about the browsers I use and why.

First, I don’t actually want to claim one browser is better than another. I have the ones I do because they serve my purpose and that’s as much of a recommendation as you’ll get from me.

My primary browser is Firefox; I use it mainly because I was able to install the NoScript plug-in. This lets me control site by site which domains are allowed to execute JavaScript and Flash. When I globally disabled them, I immediately discovered a more civilized web experience: most commenting systems require JS and many annoying animations involve Flash.

Unfortunately that also means if I do want some nifty thing, I have to figure out what to enable. Which of the 25 domains identified have the JavaScript that runs this video? It often takes several minutes of trying different options to discover which set of cookie and script settings will make something function, and then I can permanently allow only those. Sometimes I can’t figure it out at all, which leads to Browser Number Two…

Since I’m on a Mac, I got Safari by default. I leave it with nearly the standard settings that accept cookies and scripts from everything. (I do block 3rd-party cookies.) I use it for websites I trust and use frequently, or the occasional one I can’t figure out which combination of security settings will make the stupid thing work. My most used feature is “Reset Safari” to blow away all cached data. It’s sometimes fun to start fresh and go to a site just to see the absurd numbers of cookies it sets merely loading the front page.

Now of course I have some work websites that require a lot of scripts to function, but I don’t want to be constantly logging in. For that I create an entirely different user on my Mac, and login there when I want to do work. New user, new browser settings (but similar policy between browsers.)

These two browsers served me well for a long time, and then along came Facebook. As much as I get annoyed by it, I use Facebook a lot so I didn’t want to login all the time. And it requires a ton of cookies and scripts. For a while I tried to limit what it had access to and muddle through, but one day I realized that other websites were using Facebook’s cookies.

How did I figure that out? So it goes like this… Since I’ve been attempting to learn Italian for a while, I started changing the language settings on a few sites. This meant that Facebook’s Like button became “Mi piace.” One day I went to Another Website That Shall Remain Nameless and found a familiar little blue icon: “Mi piace.” I had not provided any language preferences to that site, so it had to be getting it from Facebook. Not cool. I installed Chrome, and now that is my Facebook sandbox so it doesn’t have to share with anybody else.

This reduces the browsing information collected from my machine, but it is hardly simplifying my life. When I see a link on Facebook, I copy it and paste it into Firefox to open. Maybe it works, maybe I have to make some temporary changes to my NoScript settings. Maybe it still doesn’t work and I try Safari. Maybe I no longer care and I give up on that cat video. A few sites I’ve given up on entirely because there isn’t enough value to be worth the effort.

I first saw this yesterday, but Ars has a much better article about it:

Protesters show up at the doorstep of Google self-driving car engineer

Update: more articles

In defense of militant anti-Google protests
The tech protests get personal — and ugly

Yesterday morning, a group of protesters demonstrated at the home of a Google engineer. The flier they handed out to his neighbors is super creepy, clearly they have been stalking him and his family.

He owns a home, which generally means your name and address are a matter of public record. If we owned a house, so would ours, but for now we don’t. What we do have is a mailbox service, which is our legal address for every purpose that doesn’t specifically require a residence address. It’s a nice thing to have for convenience (no change of address when you move, someone always to accept packages) but it has some interesting side-effects.

I can give out my mailing address, not exactly with impunity, but for purposes I might not be comfortable with otherwise. For example, I’ve attended some retreats where the participants’ contact info is distributed. I can talk about being away from home without a stranger knowing where our empty apartment is. My amateur radio operator’s license uses the mailing address (and that’s easily located public information.)

We also have domains registered, which if you are going to abide by the “rules of the Internet” requires a functioning postal address. If you look up any of my domains (and I must presume that the entire Internet has the ability to do this) you will see only the mailing address. It’s not impossible to get our residence address, but given California state law the valid reasons for it being released to a third party are very limited.

Now the downside of this is that when you do have to provide proof of residence address (it happens on occasion) it can be quite a bother. Which reminds me, I have to change the vehicle registration back to the mailbox now that we have a parking permit for the car — subsequent renewals don’t require documentation, and they don’t care what is on your drivers license.

Just to report back about Global Entry: wow! There was a pretty big line, but once I made it through the crowd headed to the regular line I was nearly out as fast as I could walk. (No bag to claim either.)

It took two minutes at the kiosk because I had to read the instructions. It scans your passport and then fingerprints. Next I headed over to the crew/diplomat line where there was one person in front of me. But the officer waved me over, other passenger still at the counter, and let me go with a cursory check of my kiosk receipt.

I didn’t need to fill out a customs declaration, either. I indicated at the kiosk I had food, as I always do when I’m carrying snacks, but most of the time I don’t have to talk to APHIS anyway so little different there.

So whether or not you agree with the data collection required by the program, it sure does get you through faster if you aren’t flagged for inspection.

Yesterday I decided to finally take a look at the iOS app E*Trade has been telling me all those wonderful things about. I’d been kinda skeptical about managing my brokerage account from my phone, but sometimes it’s nice to check on stuff. (Like if I actually transferred that money from savings to cover a check.)

Other reviewers can discuss the features (which seem a little clunky and definitely overly complex) but what I wanted to investigate is how the app secures data over the network.

The info about it from the App Store says it’s all wonderful and secure and stuff, because data is stored on the server and never on the device. That’s nice. And the website is all about how secure it is. Spiffy. How, exactly, is data protected as it goes from here to there? No Comment. Not even marketing copy about “Industry-Standard 938,842-bit Encryption.”

When I started up the app, the first thing I got was a giant agreement to read and accept. It was clearly written by lawyers, because there is an entire paragraph where they disclaim any and all liability for network data security. The user is responsible for ensuring the device’s connection to the Internet is reliable and secure, blah blah blah. (I tried to find a copy of this online, but haven’t yet.) As far as I can tell, they can send everything absolutely in the clear and according to the user agreement it would be just fine.

So I did what any self-respecting, security-aware user would do (no, not fire up Wireshark, or at least not yet): I called them up and asked.

The mobile trading support guy said “Of course everything is encrypted.” Ok, good. I recall my comment about SSL answered by “whatever that is.” Ok, he’s not a developer. I mentioned it would be nice if the description of the app actually said something about the encryption standards used, and he agreed.

What I got out of this exercise is that E*Trade almost certainly contracted out the development of their mobile apps (which is normal) and their customer-facing support staff doesn’t know much about the details of data protection for them (which is disconcerting.) I know enough iOS developers that the people who built the app were probably not so stupid as to ignore data security, but there was a breakdown in communication between them and the online documentation. I hope my feedback actually gets to someone who knows what SSL is.

In the meantime, if I absolutely must do something while away from my computer, I’ll turn on the VPN connection and at least keep it from being sniffed over the air. And look for an app update with a full description of how the app protects my data in transit.

I’ve been using FileVault to encrypt the drive on my travel machine for a while now, but I’ve only recently enabled it on my everyday machine. I rarely take it anywhere, but since I bought a nice new tiny laptop that will change. (I’ll discuss the mechanics of enabling it another time.)

Mostly this hasn’t made any difference in how I use my laptop, but here and there I run into something. (If you don’t already have your Mac configured to require a password, FileVault will enable that. Many people do, and many corporate IT policies require it.)

I had to take the new machine in for repair this week, and as part of the routine intake process they ask for the login and password. Uh, no. That’s pretty normal for me, I usually wipe a machine before I hand it over but I didn’t have time. Now if the service issue were software, this obviously wouldn’t work. But so far I’ve not needed to take something in overnight for anything other than broken hardware.

I dutifully inform them of the encrypted state of the drive, and they will get back to me if there is a problem. But what exactly does that mean for them? FileVault 2 is full-disk encryption (unlike the original FileVault) so when you start up the machine you immediately get a login screen. If you don’t log in, it won’t even finish booting. After replacing my logic board, the repair tech will have to attach another bootable volume, use the Option key on startup to select where to boot from, and test it that way.

When I travel, I always shut down the machine before I pack it away. Not only does that mean it can’t accidentally wake up in transit (risking your hard drive if you have the old spinning kind, or your battery either way) but if anybody steals it there is no chance someone is getting into my hard drive. Now if they had my password-protected laptop and it were only sleeping, technically it would be “easier” to gain access. But by that I mean if a skilled and determined attacker were interested, there might be weaknesses in the OS or other things that could be compromised to allow unauthorized access. Might. If you are being tracked by a government agency and your laptop gets taken off in a black helicopter, perhaps you have some concern. The sketchy dude who lifted your MacBook Air from Starbucks? Unlikely.

Now one thing Sketchy Dude is likely to do is open it up to see if it works. If your laptop is able to connect to a wireless network and you have some kind of location tracking program enabled, then you might be able to find out where Sketchy Dude is. That wouldn’t happen if the machine were shut down. (It also wouldn’t happen if he wipes the drive before connecting it to a network, which thieves who know anything about computers will do.)

I haven’t enabled Find My Mac because if someone has taken off with my laptop, I’m not counting on getting it back. (It’s fully backed up, after all.) It also means it’s not constantly reporting its location, and there’s one less source of information about me to exist in somebody’s giant database. (I do use it on my phone, as that’s a different story.)

So enabling disk encryption hasn’t changed anything for me, but that might not be the same for someone else. If you really hate entering a password, you aren’t going to like FileVault.

Update:

Well, I did find one thing: Safe Boot doesn’t work with FileVault (see the link in the comments.) When I was having migration problems, the Apple tech recommended I restart with Safe Boot but I couldn’t. Unfortunately she also didn’t know that was on purpose. (Fortunately, for FV2 anyway, the migration issue didn’t seem to be related to encryption.)

Resources:
Complete guide to FileVault 2 in Lion

Rich Trouton’s blog posts about FileVault 2 (for hardcore IT folks)

I got my Global Entry interview and approval today, finally. (If you live in a city that is not Metro DC, it takes months to get an appointment.) I had to think about it, because basically I’m paying for the privilege of giving the government a ton of information and then I’m supposed to (not totally guaranteed) get priority access to TSA and Customs.

My friends who use it think it’s the best thing ever, and I’m flying more right now. It’s a lot of personal information, however. (I’ll leave for another day the discussion on buying one’s way out of TSA security theater still forced upon other travelers.)

I had no idea what to expect from the interview. My big joke last week at 30C3 was “Will attending this talk affect my Global Entry Interview?” Are there bonus points for being a white person of European heritage? Close relation of career government employees and contractors? Would my history of charitable donations be scrutinized for subversive organizations? I didn’t actually think we are so far over the cliff that this would be an issue for me, but with the news swirling around lately and the long history of negative actions “not determined by” race and ethnicity, I suppose I was happy I was at SFO and not some of the other places I’ve lived. And, as sad as I am to say this, not brown.

I have no idea what could have come up as a problem because the interview was mercifully short and uneventful. The officer wanted to confirm my residence and mailing addresses, check my documents, and take fingerprints. But there were some pretty pointed financial questions about my income. Aside from “Have you ever been arrested?” pretty much all he wanted to know is where my income came from. Like every third question, as if I would answer any differently. (Yes, that’s the point.)

There might not have been so many if I had a current employer they could verify. It might even have been different if I had my interview somewhere other than SFO, as the officer didn’t seem especially surprised to see a software person sans regular paycheck. Apparently there are a lot of those around here. I didn’t get to see what was on his screen he was comparing my answers to, but I could make some guesses. (When I said I had been through the London airport last week, he knew it was because I was coming from Germany.)

If I didn’t know how this worked, that would have been kinda creepy.

My husband won’t sign up for it because it’s too invasive. I sat down and looked at it: what I had to provide, what I’ve already provided to various government agencies for other purposes, and what I know must have already been collected about me because of who I am and where I’ve been. It’s already there, all of it, even the fingerprints. This is pretty much taking the mini-background check done whenever I buy a ticket and doing it all up front.

Do I like it? No, not particularly. I don’t like a lot of things my government does with my personal information, and I know they have a lot of it. And I’ve seen more than enough news to be convinced that the security state is growing at an alarming rate. Am I practical enough that I will choose to participate to get this benefit? After a good bit of internal discussion, yes. If one day someone in power decides that nerdy users of encryption, opters-out of nude airport scanners, and supporters of civil liberties charities are a menace to society, I’m gonna be in trouble. Will that happen? I can’t answer that. I do know that I’m going to deliberately consider my actions in this regard and not change a damn thing.

Realizing I’d forget ideas if I didn’t, I started a page to list topics to write about. You can find it here:

Everyday Security post ideas

Suggest your ideas! You can always find the list from the sidebar under “Resources.”

Let’s start with something simple: phone passcodes. I’m going to assume that anyone reading this knows they should have a passcode on a mobile device. But what are the options?

The standard 4-digit PIN that is ostensibly protecting your important stuff (phone, ATM, whatever) is really no more than a nuisance to anyone seriously wanting to get in. It will keep a random thief from immediately reading all your email and posting selfies to Facebook, but anybody who’s smart will turn off the phone and take it away from cell coverage for further investigation.

There are only 10,000 combinations and in some cases (like mobile phones!) there are programs out there that just try all of them. Still, it’s better than nothing, so even if you can barely remember your own phone number you should at least try. Just pick a non-horrible one and find out what you need to do in the event you forget it [iOS.]

Decent modern phones also offer more complex passwords, but then you have a more complex thing to remember. Plus, typing a good, strong password on a phone is a major pain. Android phones also let you choose a pattern you draw on the screen with your finger, which might be easier for some people to remember. (My husband says his is “pretty complex.”) On iOS, if you choose a longer password but make it only numeric you get a bit of a compromise: a potential attacker can see that it’s only digits (the numeric keypad is displayed) but doesn’t know how many digits it might be.

I currently use a 4-digit passcode, but I’m starting to experiment with a longer numeric one – I enabled it for a short time and it wasn’t too horrible (and I’m a “might not remember own phone number” person.) It would mean that the handful of people who occasionally have legitimate access to my devices would have to learn something new (or get their own to play games on) but it would be overall more secure. This is particularly true if you suspect your electronics might be inspected at a border crossing, like some of my more activist friends.

And that leads me to a short discussion of the fingerprint sensor on the latest iPhone: I have this phone but I’m not using Touch ID right now. I’m still contemplating it, based on the uncertainty of some legal theories. I admit that for the vast majority of people this is way out there, and if you are a person who otherwise would have no security on your phone, the last thing I want to do is discourage you from using the fingerprint authentication. It’s so much better than a 4-digit passcode in basically every other way, and easy to use.

As things go in the legal world, until there is a case that decides the implications of biometric authentication, the situation is open to interpretation. I’ll leave it to lawyers to explain the details, but basically there is a question if it is legal (in the US, at least) to force you to give up your biometric information (something you are, your fingerprint) where it wouldn’t be if you were required to give up a password (something you know.) If Touch ID allowed me to also have a passcode, even a lousy 4-digit one, I’d be all over it. But as I’m a part-time member of the tinfoil hat club larger security community, for the moment I will continue contemplating. (Here’s an article discussing some of the concerns.)

So now that I’ve gotten through all that, I’ll admit I’m a bit of a slacker for not choosing a longer passcode. I promise to work on that.

Some more resources:
Understanding iOS passcode security
An Overview of Android Lock Screen Security Options [Beginners’ Guide]