IE6? I thought it was long dead

I am blown away by reports that IE6 is still used by large segments of the surfing public.  Why was it not abandoned long ago?  The pain of switching?

If you haven’t been following the stories, the best summation and collection of links might be this one from the Washington Post.

Data Protection/Privacy Day

Data Protection Day (Europe), AKA Data Privacy Day (North America), has come and gone.  My best find of the day occurred immediately after getting back to my desk after my presentation for the Jan 28th event.  That was when I found http://www.startpage.com/.

Are you tired of Google scooping up all your search info? Or, more accurately, are you tired of giving it all to Google? Then you may want to try StartPage.  It is supported by Dr. Katherine Albrecht of Spychips fame.

Faked biometrics

In the InfoSec field we have been saying it for years: 

Biometrics are not a magic bullet for security. 

If you make a security check difficult to defeat in one place, the attackers will look at weaker points.  Enrollment has always been such a point.  How do you know whose biometric data you are putting into your system at account creation time?

Then there is biometric theft.  The raw data can be stolen and so can the biological material — fingers have been done and it’s only a matter of time before hands and eyes are tried.

Finally, is the technology that robust?  Apparently not.  A Chinese woman fooled Japanese immigration controls by having surgery to alter her fingerprints so she could get back into Japan.  Clever to swap prints, or portions of prints, from one hand to the other.  That gets around the tissue-rejection problem that comes with transplanting from a ‘donor’, willing or unwilling.  Ironic that the story is about someone trying to get into Japan, given that Tsutomu Matsumoto’s work and the resulting gummy finger story came out of Japan.

Is it possible to go off-grid?

Actually, he tried to do more than go off-grid. Writer Evan Ratliff Tried to Vanish. It seems it is pretty difficult to do today.  Still, if he had abandoned social media during that time he might have succeeded for longer.

I do take issue with the Wired piece on this point:

Hunters scoured the pictures on Ratliff’s Flickr page, writing software code to extract information about the camera used and search for other photos it had taken

You don’t need specialized software to do any extracting.  Common features of any operating system, combined with freeware, can get you everything you need.  Maybe custom software was written to search for other photos, so the phrase is only slightly misleading as written.  But it does a disservice, since most people just don’t get how easy it is to learn about posters from their photos.  In most cases all you have to do is right-click and look at the image properties.  You certainly don’t have to write any code.  As I mentioned before, this information is stored in all Yammer photos because, like Flickr, Yammer doesn’t sanitize the metadata.
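To make the point concrete, here is an added example (written for this edit, not code from the Wired piece, from Flickr or from Yammer) that reads the camera make, model, capture date and body serial number out of a JPEG’s Exif block using nothing but the Python standard library, and then strips that block, which is what a photo host would do if it sanitized uploads.  The JPEG it works on is constructed in make_sample() with invented values, not a real photo; the tag numbers are the standard Exif ones.

```python
# Added example: read camera identifiers from a JPEG's Exif block, then strip it.
import struct

# Exif tags worth pulling when you want to know *which camera* took a photo.
TAGS = {0x010F: "Make", 0x0110: "Model", 0x9003: "DateTimeOriginal",
        0xA431: "BodySerialNumber"}
EXIF_IFD_POINTER = 0x8769
ASCII = 2
# Marker segments that carry metadata rather than image data: APP1 (Exif/XMP),
# APP13 (Photoshop/IPTC) and COM (free-text comment).
METADATA_MARKERS = {0xE1, 0xED, 0xFE}


def _segments(jpeg):
    """Yield (marker, start, end) for each length-carrying marker segment
    between SOI and SOS. Everything from SOS onward is image data."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:          # SOS: entropy-coded data follows, stop walking
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _parse_tiff(tiff):
    """Walk IFD0 and the Exif sub-IFD of a TIFF-structured Exif payload."""
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]        # byte-order mark
    if struct.unpack(bo + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header")
    pending, seen, found = [struct.unpack(bo + "I", tiff[4:8])[0]], set(), {}
    while pending:
        off = pending.pop()
        if off in seen or off + 2 > len(tiff):    # guard against pointer loops / truncation
            continue
        seen.add(off)
        (n,) = struct.unpack(bo + "H", tiff[off:off + 2])
        for i in range(n):
            e = off + 2 + 12 * i
            tag, typ, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
            if tag == EXIF_IFD_POINTER:
                pending.append(struct.unpack(bo + "I", tiff[e + 8:e + 12])[0])
            elif typ == ASCII and tag in TAGS:
                # Values of 4 bytes or fewer are stored inline, longer ones by offset.
                data = e + 8 if count <= 4 else struct.unpack(bo + "I", tiff[e + 8:e + 12])[0]
                found[TAGS[tag]] = tiff[data:data + count].rstrip(b"\x00").decode("ascii", "replace")
    return found


def exif_fields(jpeg):
    """Camera-identifying Exif fields found in a JPEG (empty dict if none)."""
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00":
            return _parse_tiff(jpeg[start + 10:end])
    return {}


def strip_metadata(jpeg):
    """Copy of `jpeg` with the metadata segments removed; image data is untouched."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if marker not in METADATA_MARKERS:
            out += jpeg[start:end]
        last = end
    out += jpeg[last:]
    return bytes(out)


def _ifd(entries, base, bo):
    """Serialize one IFD placed at TIFF offset `base`; entries are (tag, type, payload)."""
    n = len(entries)
    data_off = base + 2 + 12 * n + 4
    head, tail = b"", b""
    for tag, typ, payload in entries:
        count = len(payload) if typ == ASCII else 1
        if len(payload) <= 4:
            value = payload.ljust(4, b"\x00")
        else:
            value = struct.pack(bo + "I", data_off + len(tail))
            tail += payload
        head += struct.pack(bo + "HHI", tag, typ, count) + value
    return struct.pack(bo + "H", n) + head + struct.pack(bo + "I", 0) + tail


def make_sample(bo="<"):
    """Constructed JPEG (invented values): SOI, APP1/Exif, minimal SOS, 2 scan bytes, EOI."""
    ifd0 = lambda ptr: [(0x010F, ASCII, b"ExampleCo\x00"),
                        (0x0110, ASCII, b"ExampleCam X1\x00"),
                        (EXIF_IFD_POINTER, 4, struct.pack(bo + "I", ptr))]
    exif_off = 8 + len(_ifd(ifd0(0), 8, bo))
    exif = [(0x9003, ASCII, b"2009:11:15 14:32:10\x00"),
            (0xA431, ASCII, b"SN-0001234\x00")]
    tiff = ((b"II" if bo == "<" else b"MM") + struct.pack(bo + "HI", 42, 8)
            + _ifd(ifd0(exif_off), 8, bo) + _ifd(exif, exif_off, bo))
    app1 = b"Exif\x00\x00" + tiff
    sos = b"\xFF\xDA" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3F\x00"
    return (b"\xFF\xD8" + b"\xFF\xE1" + struct.pack(">H", len(app1) + 2) + app1
            + sos + b"\x12\x34" + b"\xFF\xD9")


if __name__ == "__main__":
    photo = make_sample()
    print(exif_fields(photo))                   # make, model, date, serial
    print(exif_fields(strip_metadata(photo)))   # {}
```

Feed exif_fields() the bytes of a real file and you get the same fields the “hunters” extracted; the body serial number, where the camera records it, is what lets someone search for other photos taken with the same camera.  strip_metadata() only drops marker segments before SOS, so the pixels are untouched; XMP and IPTC can carry the same details, which is why APP13 and COM go along with APP1.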

Still, the article is well worth reading to get a sense of just how much tracking is possible.  It’s not all big brother (gov’t) monitoring and it’s not all baby brother (corporations, including the retail sector) monitoring.  Some of it is due to our own self-disclosure proclivity.

xp-AntiSpy is a great security utility

Despite the xp in the name, xp-AntiSpy can be used with every Windows operating system since Windows 2000: 2000/XP/Vista/7.  I love this program.  It’s tiny and does what it says it does.  I make it a part of my hardening process for every Windows installation.  As the website says, you could make all of these settings yourself but it would take half an hour … and I would add that the manual process is prone to errors and omissions.

Christian Taubenheim is the author of this donationware utility.  Just one word of caution: make sure you use one of the official domains to get it.  It’s either xp-antispy.org or xpantispy.org.  The other variants of this name, especially the .com, have at one time or another hosted porn adverts or malware.  Chris’ two sites are clean and I trust his utility.  Cheers, Chris!

Why do I call this a security utility?  It all has to do with hardening.  The attack surface of an operating system is, in part, the set of services that are running.  The smaller the attack surface, the less likely it is that your system will be compromised.  One side effect of using what is ostensibly a privacy utility is that unnecessary services get disabled.  Fewer services = smaller attack surface.

ToSWatch … err, TOSBack

About six months ago I got the idea that someone should build a website to track changes to the Terms of Service (ToS) of the more popular web services.

Why?  Once we latch on to these must-have services we really are at their mercy.  They can change their ToS at any time.  Facebook and other SocNets have already made multiple changes to the powers they have over the information we choose to store with them.  So we need to take them to task occasionally, and that can only happen if we notice the changes.  I even came up with a name for my imagined site: ToSWatch.

Well, the good folks at the Electronic Frontier Foundation have created just such a project.  They call it TOSBack.  Not quite as catchy as the name I envisioned but, hey, I didn’t have to do any work.  Check out their worthwhile project.

One service I would like to see added to the list is Yammer.  More and more people are yammering where I work and I think we had better watch their ToS.  One interesting Yammer ‘feature’ is that, last I checked, they will permanently keep all photos you post, even if you delete them.
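What a tracker of this kind has to do, in miniature, as an added example that is not the EFF’s TOSBack code: keep a normalized snapshot of each ToS, fingerprint it so that whitespace-only re-renders don’t raise false alarms, produce a diff when the text really changes, and flag added lines that touch the clauses about rights over your data.  The two ToS versions below are constructed for the example and belong to no real service; the watch-word list is my own assumption about which clauses matter.

```python
# Added example: detect and flag substantive Terms-of-Service changes.
import difflib
import hashlib
import re

# Constructed sample snapshots (not any real service's terms).
OLD_TOS = """Terms of Service (v1)
1. You retain ownership of the content you post.
2. You may delete your content at any time and we will remove it from our servers.
3. We do not share your content with third parties without your consent.
"""
# Same text re-rendered with different spacing: must NOT count as a change.
OLD_TOS_REFLOWED = OLD_TOS.replace(" ", "  ").replace("\n", "\n\n")
# Clause 2 rewritten: the kind of change a user would want to know about.
NEW_TOS = OLD_TOS.replace(
    "2. You may delete your content at any time and we will remove it from our servers.",
    "2. You grant us a perpetual, irrevocable licence to use the content you post, even after you delete it.")

# Clause vocabulary to flag; an assumption of this example, tune it per service.
WATCH_WORDS = ("licence", "license", "perpetual", "irrevocable", "third part", "delete")


def normalize(text):
    """One entry per non-blank line with whitespace runs collapsed, so a
    re-render or re-wrap of the same words does not look like a ToS change."""
    return [re.sub(r"\s+", " ", line).strip() for line in text.splitlines() if line.strip()]


def fingerprint(text):
    """Stable hash of the normalized text; store one per service, compare on each poll."""
    return hashlib.sha256("\n".join(normalize(text)).encode("utf-8")).hexdigest()


def tos_changes(old, new):
    """(changed, diff_lines): unified diff of the normalized text, empty if nothing changed."""
    a, b = normalize(old), normalize(new)
    if a == b:
        return False, []
    return True, list(difflib.unified_diff(a, b, "previous", "current", n=1, lineterm=""))


def flagged_additions(diff_lines, words=WATCH_WORDS):
    """Added lines from the diff that mention the rights-over-your-data vocabulary."""
    return [line[1:] for line in diff_lines
            if line.startswith("+") and not line.startswith("+++")
            and any(w in line.lower() for w in words)]


if __name__ == "__main__":
    changed, diff = tos_changes(OLD_TOS, NEW_TOS)
    print("changed:", changed)
    print("\n".join(diff))
    print("flagged:", flagged_additions(diff))
```

In a real poller you would fetch each service’s ToS page on a schedule, strip the HTML to text before normalize(), and only store a new snapshot and raise an alert when fingerprint() differs from the stored one; the flagged lines are what goes in the alert so a reader sees the clause that moved, not the whole document.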

Testing of emergency communications systems

Emergency locator transmitters (ELTs) are installed in virtually all aircraft.  They are designed to activate after very strong G-forces.  The idea is that upon crashing they will broadcast a signal that can be used to locate the aircraft.  This is in case no one on board can get to the regular aircraft radio after an incident and/or in case the regular radio is destroyed.  Subsection 605.40(2) of the Canadian Aviation Regulations says:

a person may activate an ELT during the first five minutes of any hour UTC for a duration of not more than five seconds for the purpose of testing it

This is very useful.  It lets pilots know for certain, through testing, that the ELT is operational.  It can be tested without a SAR operation being launched.

How is the 911 service different?  I would like to be able to be sure my VoIP service is set up with the correct address for 911 service.  There are a few reasons why the 911 service doesn’t have the same testing provisions.

  • Someone making a 911 call may only be able to get out a brief one-time signal, so it has to be assumed to be real.
  • With an ELT activation there is an expectation that the ELT signal would be continuous in a real incident.  Also, aircraft incidents are so rare that a real but aborted ELT signal would be very rare indeed.
  • Finally, pilots almost always file flight plans.  Civilians don’t have ‘flight plans’ for their day-to-day lives so, again, a 911 call needs to be taken seriously as there is no backup way of making contact again.

Cerf downplays what Google knows

I have a lot less respect for Vint Cerf than I once had.  He’s worked for Google for a while now and I was cautiously optimistic, but last week he so downplayed what Google knows about the users of its services that I just can’t take him seriously.  Writing about Cerf’s statements at the mini-conference, reporter Cade Metz says:

Vint Cerf may not know who you are. But Google’s servers do - and when a subpoena or national security letter arrives on the doorstep, you can certainly be identified

I challenge anyone who hasn’t done it yet to check out Google’s new ‘Dashboard’.  I did this and saw enough data linkages that I would be reluctant to publish a snapshot of my Dashboard.

And, as Metz points out, the Dashboard completely misses the IP address correlation that Google can do.  All of your searches could be tied together and connected to what you see in the Dashboard even if you don’t use iGoogle.

I don’t use iGoogle and I regularly clean out my Google cookies, but that doesn’t do anything about the IP address correlation.  I’ve said for years that search data is getting awfully close to mind reading and I stand by that.

Judge punishes lawyer for publishing PI

The news that a judge punished a lawyer for unnecessarily publishing personal information seems like a good move:

A judge has chastised a lawyer for including the social security numbers and birthdays of 179 individuals in an electronic court brief

But what about the 150 passwords published by the San Francisco District Attorney?

Punishing these individuals seems extreme, but consider what is at risk.

These ‘simple accidents’ are the types of examples I use when trying to convince co-workers not to take data across the border.  It’s not that we think border agents are malicious.  It’s just that they can make mistakes, just like you and me or attorneys.  Mistakes will be made with your data, so limit the chances of exposure where you can.

Bluetooth Tracking

In the UK town of Bath, Bluetooth is watching.

Tens of thousands of Britons are being covertly tracked without their consent

It’s also going on in the Netherlands and in many other places without our knowledge.  If you are not using your Bluetooth device, or are not using the Bluetooth feature on a portable device (think: cell phone), turn it off.
