Whose Net? Our Net!


On Dec 14 the FCC carried out its corporate masters’ plan to gut net neutrality, responding to millions of astroturfed “comments” from dead people, etc.

This action made the work of the Electronic Frontier Foundation all the more critical.

On Feb 7, one of the EFF’s key founders, John Perry Barlow, passed away.  Some remembrances: Cory Doctorow, EFF, Kevin Kelly.

This was a very, very great loss for freedom… freedom of the mind that only a chaotic and open Internet can guarantee.  It was a great loss for humanity as well.

Kottke shared Barlow’s rules for being an adult.  I think they are worth reproducing here.  Read them and aspire.

1. Be patient. No matter what.
2. Don’t badmouth: Assign responsibility, not blame. Say nothing of another you wouldn’t say to him.
3. Never assume the motives of others are, to them, less noble than yours are to you.
4. Expand your sense of the possible.
5. Don’t trouble yourself with matters you truly cannot change.
6. Expect no more of anyone than you can deliver yourself.
7. Tolerate ambiguity.
8. Laugh at yourself frequently.
9. Concern yourself with what is right rather than who is right.
10. Never forget that, no matter how certain, you might be wrong.
11. Give up blood sports.
12. Remember that your life belongs to others as well. Don’t risk it frivolously.
13. Never lie to anyone for any reason. (Lies of omission are sometimes exempt.)
14. Learn the needs of those around you and respect them.
15. Avoid the pursuit of happiness. Seek to define your mission and pursue that.
16. Reduce your use of the first personal pronoun.
17. Praise at least as often as you disparage.
18. Admit your errors freely and soon.
19. Become less suspicious of joy.
20. Understand humility.
21. Remember that love forgives everything.
22. Foster dignity.
23. Live memorably.
24. Love yourself.
25. Endure.

I like the dynamic tension between some of them.  For example, 4 and 5, or 9 and 10.

I feel a responsibility to continue on what he started for us.  You can help: donate to the EFF, the Freedom of the Press Foundation, and other causes that speak to you and that will help us hold the line against creeping corporatist fascism.

The Internet is the greatest opportunity humanity has had yet to avoid the tragedy of the commons – let’s not blow it.

Rest in Peace

Again, 10?


Back in 2016, I swore off Windows completely and especially Windows 10.

One of the reasons was a “feature” called Telemetry, that basically amounts to “Windows 10 is 100% spyware.”  It was widely reported at the time, along with an elaborate hokey-pokey you could dance to disable most of it.  My choice was, “Aww, the heck with it” but many people chose to continue.

Now we have the “1709” or “Fall Creators” update before us, and guess what?  It’s time to reinvent that hokey-pokey!  Not only is all the Telemetry back on, but it’s harder than ever to disable.

Software products are being recommended to help you manage this, but if a product disabled features of a non-spyware operating system the way these tools do, we would probably call it malware.


It seems that Microsoft has decided they can’t make decent money selling consumer operating systems, so they will go all Facebook and sell your data instead.  If you have been wondering why Win10 was free – or nearly so – now you know.  Only, this is, if anything, worse than Facebook.  At least Facebook can only get at the things you decide to upload to it.  Windows 10, if that’s your operating system, has… EVERY-DAMN-THING!

So – hey – here’s an idea.  If you want a free operating system, I have a deal for you!  Click on the cute penguin to get started.

Nukes Inbound to Hawaii! NOT!


The word on why we got treated to a false alarm about missiles heading for Hawaii is this:
(over-simplification alert!)

  1. What was supposed to be an internal-only test message got misdirected to the live alert system
  2. When presented with the much-maligned, “Are you sure?” prompt, the operator did what we all do reflexively.

They clicked Yes.

There’s a security lesson here.  Stop, take a breath, and read every prompt like this.  Clicking OK on reflex is the road to ruin.  Many security-sensitive actions are guarded by exactly this kind of prompt, and it is often your one chance to stay safe.  Take it.

Scam Busting


Email scams have been a problem almost as long as there has been email.  Today’s joint is not about the basics of that, I have dealt with those before.   Scambusters is a great source of detailed information about these scams, and how to avoid being taken in.  But what I want to explore here is a practice that is a source of some consternation: scamming the scammers.  People reply to email scams as if they were interested in the “offers” or “opportunities.”

Their motivation is to waste the scammers’ time, the theory being that attention spent on someone who is determined not to become a victim is attention not spent on someone who might be.

If you explore 419 Eater, you will find a lot of material about this practice, including a page of discussion about whether or not it is ethical.  What that page does not treat well is the fact that sending emails containing lies intended to induce action under false pretenses is no less illegal when it is done in reply to a scammer.

419 Eater has been around for fifteen years.  A more recent innovation has been, not surprisingly, to automate the process of scam busting.  One example is Re:scam, a service of the New Zealand org Netsafe.  Its purpose is also to drain the profitability out of email scamming by wasting the scammers’ time in unproductive conversations, but here using bots posing as willing marks rather than volunteer cyber-vigilantes.

Now for the bad news.  I forwarded an email to Re:scam and a reply came back telling me the service was on hiatus.  A forward to another site publicized recently, sp@mnesty.com, simply bounced.  There is no specific word on why these are not currently functioning.  Possible reasons include problems getting the technology to work well, problems with the resource requirements (i.e., costs), and problems with the legal authorities.  Again I caution readers about the legality and ethics of fighting fraud with fraud.

Be careful out there!

OMC: Oh MyCloud!


In a revelation that should surprise exactly nobody, security researchers have revealed that Western Digital MyCloud drives have a built-in backdoor.  A hard-coded username and password give privileged command-line access to the device, which may then be compromised however the attacker sees fit.

This “feature” was disclosed responsibly enough to WD last July.  After six months without a fix forthcoming, the researchers went public with it.

My usual handling of devices like this is to presume they are all similarly compromised.  I do not, repeat, NOT connect them to their “cloud” services.  In fact, I only use items like these if I can see how they can be used in a state where they are specifically forbidden from connecting to the Internet, and still be worthwhile to me.

With this one, at least, it turns out my level of paranoia is insufficient.  A malicious webpage, visited from a machine on the same local area network as the MyCloud, can run a script that pwns the device.  Keeping the device off the Internet is therefore not enough if any browser on the LAN can reach it.  Now I have to consider whether all such devices can reasonably be expected to have the same mode of compromise.

Have a Random New Year


Randomness is important.  You use it in the physical world when you shuffle a deck for a game of cards or roll a D12 for a result in Dungeons & Dragons.  But you need it even more in the digital world, and it’s more difficult to come by.  You need randomness to select the one-time-use keys you share for symmetric encryption, to select strong passwords or passphrases, and to run fair games at things like online poker and casino games.

The problem is that, for all the miraculous things it can do with random input, software is very bad at generating it.  Algorithms are deterministic, even when they are designed to be difficult to predict.  When you use a function like RAND() in Excel, or get randomized challenges in low-stakes gaming, you’re usually getting the output of what’s called a pseudo-random number generator (PRNG).  The PRNG takes a numerical value, called a seed, and generates a series of new values from it.  If the seed is known, the new values are trivial to reproduce.  If the seed is not known, recovering it is harder but often far from impossible: a seed drawn from a small space (a timestamp, say) can simply be tried exhaustively, and for many common generators the internal state can be reconstructed from a short run of observed outputs.  If you reuse the same seed you get the same sequence.  This property can be useful sometimes, for example if you want to reproduce a series of plays in a game.  But mostly it’s a very bad flaw in any process that needs unpredictability.
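The three properties described above, as an added example that is not from the original post: the same seed reproducing the same rolls, a seed from a small space being recovered from published rolls, and a linear congruential generator giving away its next value from one observed output. The 20,000-value seed space and the d12 rolls are assumptions for the demonstration; the last function draws from the operating system’s CSPRNG, which is what to use when it matters.

```python
import random
import secrets

# Added example, not code from the original post. Shows why a seeded PRNG is
# unsuitable for anything that must be unpredictable.

def seeded_rolls(seed, n):
    """n d12 rolls from Python's Mersenne Twister after seeding it with `seed`.
    The same seed always yields the same rolls."""
    rng = random.Random(seed)
    return [rng.randrange(1, 13) for _ in range(n)]

def recover_seed(observed, max_seed=20000):
    """Given rolls someone published, find the seed by trying each candidate.
    A seed space of 20,000 values is an assumption for the demo (think of a
    timestamp or a process id); a 32-bit seed is bigger but still cheap to
    search offline."""
    n = len(observed)
    for candidate in range(max_seed):
        if seeded_rolls(candidate, n) == observed:
            return candidate
    return None

# A linear congruential generator with the constants from Numerical Recipes.
LCG_A, LCG_C, LCG_M = 1664525, 1013904223, 2 ** 32

def lcg_sequence(seed, n):
    """n successive raw outputs of the LCG."""
    x = seed
    out = []
    for _ in range(n):
        x = (LCG_A * x + LCG_C) % LCG_M
        out.append(x)
    return out

def lcg_predict_next(observed_output):
    """The LCG's whole state is its last output, so one observed value gives
    the next one. That is why such generators must never be used for secrets."""
    return (LCG_A * observed_output + LCG_C) % LCG_M

def secure_rolls(n):
    """d12 rolls from the OS CSPRNG (the secrets module). There is no seed to
    reuse or recover."""
    return [secrets.randbelow(12) + 1 for _ in range(n)]

if __name__ == "__main__":
    rolls = seeded_rolls(1234, 10)
    print("seeded rolls:         ", rolls)
    print("same seed again:      ", seeded_rolls(1234, 10) == rolls)
    print("seed recovered:       ", recover_seed(rolls))
    seq = lcg_sequence(7, 3)
    print("LCG next value guessed:", lcg_predict_next(seq[1]) == seq[2])
    print("CSPRNG rolls:         ", secure_rolls(10))
```

The seed search stops the moment it hits 1234, which is the point: an attacker who knows roughly how a seed was chosen does not need to know it exactly.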

PRNGs are fine when it doesn’t matter.  But when it matters you need to harness the unpredictability of the physical world, either directly or through a cryptographically secure generator that your operating system keeps seeded from it.  One great Internet resource, random.org, uses atmospheric noise to generate its random numbers.  At that site, random bits are available anytime you want, in many forms.  Some are free and some are available to paid members.  It’s a useful service for the Internet as a whole, and it’s worth supporting.  One caveat: numbers fetched from any web site travel over the network and are known to that site, so they are fine for dice rolls and drawings but should never be used as secret keys.

Another use of physical randomness is EFF’s dice-generated passphrase scheme.  If you read the instructions, you’ll see that they really don’t want you using a computer, which might be compromised, in any step of selecting a password or passphrase that matters.
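How the dice rolls turn into words, as an added example that is not EFF’s own code: five d6 rolls are read as a base-6 number that indexes a 7776-word list, and each word chosen that way is worth log2(7776), about 12.9 bits. The three-line word list below is a constructed excerpt in the tab-separated format EFF’s list uses; the real list has all 7776 entries. The CSPRNG fallback is for the case where you must use a computer anyway.

```python
import math
import secrets

# Added example, not EFF's code. Maps dice rolls to words and measures the
# result. SAMPLE_WORDLIST is a constructed three-line excerpt of the format.

SAMPLE_WORDLIST = """\
11111\tabacus
11112\tabdomen
66666\tzoom
"""

LIST_SIZE = 6 ** 5  # 7776 words, one per five-roll combination

def _check_rolls(rolls):
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError("need exactly five digits in the range 1-6: %r" % rolls)

def parse_wordlist(text):
    """Map each five-roll key ('11111') to its word."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rolls, word = line.split("\t")
        _check_rolls(rolls)
        words[rolls] = word
    return words

def rolls_to_index(rolls):
    """Five d6 rolls read as a base-6 number: 11111 -> 0, 66666 -> 7775."""
    _check_rolls(rolls)
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)
    return index

def index_to_rolls(index):
    """Inverse of rolls_to_index, used when a computer draws the rolls."""
    if not 0 <= index < LIST_SIZE:
        raise ValueError("index out of range")
    digits = []
    for _ in range(5):
        digits.append(str(index % 6 + 1))
        index //= 6
    return "".join(reversed(digits))

def passphrase_from_rolls(roll_groups, words):
    """Look up each five-roll group. With physical dice, roll_groups is what
    you wrote down at the table."""
    return " ".join(words[r] for r in roll_groups)

def computer_rolls(n_words):
    """Fallback when you must use a computer: draw from the OS CSPRNG, never
    from random.random()."""
    return [index_to_rolls(secrets.randbelow(LIST_SIZE)) for _ in range(n_words)]

def entropy_bits(n_words, list_size=LIST_SIZE):
    """Each uniformly chosen word adds log2(list_size) bits, about 12.9 for 7776."""
    return n_words * math.log2(list_size)

if __name__ == "__main__":
    words = parse_wordlist(SAMPLE_WORDLIST)
    print(passphrase_from_rolls(["11111", "66666"], words))
    print("six words are worth %.1f bits" % entropy_bits(6))
    print("computer-drawn rolls:", computer_rolls(6))
```

The entropy figure only holds if every word is chosen uniformly, which is exactly why the instructions insist on real dice rather than a human “picking random words”.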

Internet companies have to generate thousands of strong keys per second for encrypted sessions.  Cloudflare, for example, found a very groovy way to feed its generators: a wall of lava lamps in its lobby, photographed continuously, with the noise in the images mixed into its entropy pool:

[Photo: Dani Grant]

So my New Year’s wish to you: keep it random!

Safer Social Media


click through for more privacy tips, via Gizmodo

We live in the age of social media, that’s for sure.  Facebook claims over 2 billion people as its users.  Twitter is how we first get breaking news, how we know it’s time to turn on CNN or MSNBC to see what happened when the earth moved in Iran, how the Executive Branch of the US government distracts the press and the people from its horrifying agenda.

To keep up with sorta friends from high school, third cousins, and D-list celebs, we give Internet companies startling amounts of information about ourselves and our activities.  Not using social media at all is an option, but not one many of us take.  I use Twitter 99.5% in read-only mode.  I use Facebook and LinkedIn not at all.  I use Google+ more actively.  Some of you reading this just went either, “uh, what’s Google+?” or, “I didn’t know anyone still used that!”

The reason I don’t use Facebook or LinkedIn comes down to the privacy nightmare that these social network products are.  As the saying goes, “If you’re not paying, you’re not a customer.  You’re the product.”  Consider that whatever benefit you get from the use of these sites, you pay for it with information about your life, your family, your friends.  Everything you post is analyzed in detail that would shock you.

So the least you can do is not to overdo the sharing.  Lock down what you place online so that only the audience you intend can enjoy it.  It means, in general, going into the Privacy and Security settings, and taking a lot of options that are not the default.  Because the products you’re using are guiding you to share and share and share some more.  The more you share, the more their shares appreciate.

Here is a roundup of fairly current articles that will guide you in maxing out the privacy available in all the major social media products:

Like everything in information security, this is a trade-off.  How much you want to protect your privacy vs. how much you want to take advantage of the instant connections and the interest groups you can find in the virtual worlds of social media.  Not everyone will choose my complete abstention from “major” networks, and I don’t expect them to.

But one final word: to whatever extent you can live with it, please try not to use these products on your phone.  Yes, I know, the spur-of-the-moment selfie or that Hey, Internet! Look At My Food! moment when you’re out and about can be irresistible.  But every single social media corporation does much, much more than you imagine with the information you give it by letting it run on your phone.  Your location, at all times.  Your contacts.  Whatever your phone’s camera can see or its mic can hear.  Anytime.  Please, think about it.

Told Ya


Maybe this is churlish, but I told ya. And told ya, and told ya.  I struggle to empathize with this person. Not because she’s suffered a massive loss… who hasn’t?  Not because she’s now got to rely on the kindness of strangers… who hasn’t?

But I cannot wrap my head around this mindset about a computer, that allows one to make it such a powerful horcrux of oneself and still not take the very sensible approach Tom Riddle took of making several, redundant copies.

I think that some people, as they notice their computer becoming more and more central to holding the essence of who they are and what they do, imbue it with a magical inviolability.  Surely something so powerful can never fail or go astray, they seem to think.

With decent backups, the potentially life-altering injury illustrated in this tweet would instead be a day or two of delays and annoyance while the restores were running.

So yes, it may be churlish to see Lisa’s deep distress as an object lesson for others.  If it is, then call me a churl.  But do your goddam backups!  I’ll take that trade.

Safer Email


Today let’s think about how to be safer using the oldest internet application still in common use: email. Email predates the Web by about twenty years. So when young people accuse it of being “for old folks” (meaning, people like me) I have to admit they may have a point. But email is still far and away the best mode of communication for business correspondence, and for the exchange of personal messages longer than 160 characters.

And long before the web, but shortly after the creation of email itself, spam was born. In addition to being annoying, spam can create some information safety issues. So there are two main things I want you to remember when seeing spam in your inbox: use the spam you get to better train your filter, and never click on any links nor open any file attachments.

All modern webmail clients have built-in spam filtering. Personally, I use Gmail to read my mail, even mail from other domains (such as safer-computing.com). The benefit of using an established webmail system as your mail reader is that the provider’s spam filters have been exposed to billions and billions of emails, and so they are very well-tuned for a low rate of both false positives (when the filter puts a valid email in the spam folder) and false negatives (when it delivers actual spam to your inbox). The less of either, the happier you are with the result.

You train spam filters by identifying both false positives and false negatives for it. For example, in Gmail, there is a “Report Spam” menu option or button in every non-spam folder and a “Not Spam” button in the spam folder. You should make use of these whenever possible. That means occasionally visiting the spam folder to look for those false positives. The more you do this, the less it will be necessary – because the filters adjust their criteria better to the kind of email you get and even to your subjective tastes about what is and is not spam.
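What those two buttons actually do to a filter, as an added example that is not from the original post and is not any provider’s real filter: a minimal naive Bayes classifier trained on a handful of constructed messages. One demo shows a false negative (a campaign using words the filter has never seen) getting caught after a single “Report spam”; the other shows a false positive (a company raffle notice full of spammy words) being released by a single “Not spam”.

```python
import math
import re
from collections import Counter

# Added example, not from the original post and not a real provider's filter.
# Every message below is constructed for the demonstration.

SPAM_SAMPLES = [
    "You have won a free cruise! Claim your prize now",
    "Congratulations, your gift card is waiting, claim now",
    "Free lottery prize, act now to claim your winnings",
]
HAM_SAMPLES = [
    "Can we move the meeting to Thursday afternoon",
    "Attached is the invoice for last month's work",
    "Thanks for the dinner, let's do it again soon",
]

def tokens(text):
    """Lower-cased word set; presence matters, not repetition."""
    return set(re.findall(r"[a-z']+", text.lower()))

class SpamFilter:
    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.message_counts = {"spam": 0, "ham": 0}

    def train(self, text, label):
        """Reporting a message as spam (or as not spam) is exactly this call."""
        self.word_counts[label].update(tokens(text))
        self.message_counts[label] += 1

    def spam_probability(self, text):
        """P(spam | words) under the naive independence assumption, with
        Laplace smoothing so an unseen count never divides by zero."""
        n_spam, n_ham = self.message_counts["spam"], self.message_counts["ham"]
        log_odds = math.log((n_spam + 1) / (n_ham + 1))
        vocab = set(self.word_counts["spam"]) | set(self.word_counts["ham"])
        for w in tokens(text):
            if w not in vocab:
                continue  # never seen in training: no evidence either way
            p_spam = (self.word_counts["spam"][w] + 1) / (n_spam + 2)
            p_ham = (self.word_counts["ham"][w] + 1) / (n_ham + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))

    def is_spam(self, text, threshold=0.5):
        return self.spam_probability(text) > threshold

def trained_filter():
    f = SpamFilter()
    for text in SPAM_SAMPLES:
        f.train(text, "spam")
    for text in HAM_SAMPLES:
        f.train(text, "ham")
    return f

def report_spam_demo():
    """False negative: a campaign with new vocabulary slips through until
    one message is reported, after which its sibling is caught."""
    f = trained_filter()
    slipped = "Limited time offer: exclusive deal on watches"
    lookalike = "Exclusive offer on luxury watches, limited time"
    before = (f.is_spam(slipped), f.is_spam(lookalike))
    f.train(slipped, "spam")      # the user clicks "Report spam"
    after = f.is_spam(lookalike)  # the next message in the campaign
    return before, after

def not_spam_demo():
    """False positive: a legitimate raffle notice full of spammy words,
    corrected by one "Not spam" click."""
    f = trained_filter()
    raffle = "Claim your free prize ticket for the company raffle now"
    before = f.is_spam(raffle)
    f.train(raffle, "ham")        # the user clicks "Not spam"
    after = f.is_spam(raffle)
    return before, after

if __name__ == "__main__":
    print("report spam demo (before, after):", report_spam_demo())
    print("not spam demo (before, after):   ", not_spam_demo())
```

Words the filter has never seen contribute nothing, which is why fresh spam vocabulary sails through and why the first report of a new campaign is worth so much more than the hundredth.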

One notable subset of spam you always want filtered out is the scams.  Disney vacations, prizes in lotteries (that you don’t remember entering), gift cards and many more unbelievable windfalls show up in your mailbox by the hundreds each month.  As you no doubt know, these are nothing but attempts to harvest your personal information or to extract “redemption fees” for claiming imaginary prizes.  Mark them all as spam.

And of course, there really is no dead Nigerian prince whose family lawyer wants to pay you 20% of $1.6 billion to help them expatriate the money. The only thing that you will get for responding to these is an escalating series of demands for fees to cover the assorted (made-up) mechanics of moving the (imaginary) money and finally (never) paying you. Sending these emails is a crime, and you can report it to the FBI at https://www.ic3.gov/complaint/

Phinally, phishing.  Phishing is the sending of emails carefully crafted to look like they come from a legitimate organization, such as a bank, a government agency like Social Security or the IRS, or an employer.  The typical phishing email carries a message designed to create a sense of urgency, and links crafted to resemble links to the legitimate website being spoofed.  For example, the email may alert you to a credit card fraud attempt, and the embedded links go to chasebank.com (for example).  The problem is that Chase Bank’s website is really at chase.com.  When you go to chasebank.com, which the scammers created, you will indeed find the familiar login screen and so on.  When you log in through that screen, you land on the familiar opening screen of chase.com.  But because you logged in through the scammers’ fake page, they snagged a copy of your ID and password on the way through.  It is easy for them to capture your credentials and then pass them along to the real site, so your experience is the same as usual.  A padlock icon proves nothing here: the scammers’ domain can have a perfectly valid certificate of its own.

The fake login page looks very real because the scammers can simply go to the public pages of the real chase.com and copy all the graphics, fonts, content, style sheets and even a fair amount of the code needed to make certain pages look and work the way the real ones do.  The result is a presentation that even professionals have a hard time distinguishing from the real thing.  It sounds like a lot of work, but it pays very well.  One single phishing attack in April netted $495K from a Michigan investment firm.  And any given phishing email can go to millions of users at a time.

The lesson here is: never click on links in emails unless the sender is personally known to you, or it is something like a password reset that you know you initiated within the past few minutes.  Certainly, for financial and government services, you should navigate to their websites by way of known links you have previously saved as bookmarks or stored in secure password-manager records.  If you use a search engine to make initial contact with an agency or company, make sure that you skip past the sponsored links and click only on the most relevant non-sponsored one.  Phishing emails, like all scams, should be reported to the FBI at https://www.ic3.gov/complaint/.
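The two tells described above, a link whose destination is not a site you trust and a link whose visible text says one domain while the href points at another, can be checked mechanically. The following is an added example, not code from the original post: it pulls every link out of an email body and reports both conditions. The email body is constructed around the page’s chasebank.com / chase.com scenario, the trusted-domain set stands in for your own bookmarks, and the “last two labels” notion of a registrable domain is a simplification (real code would consult the Public Suffix List).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example, not from the original post. Flags links in an email body that
# go somewhere other than a trusted site, or whose visible text misrepresents
# their destination. The sample email and the trusted set are constructed.

TRUSTED_DOMAINS = {"chase.com", "irs.gov", "ssa.gov"}  # stands in for your bookmarks

SAMPLE_EMAIL = """\
<p>We detected suspicious activity on your card.</p>
<p>Please <a href="https://chasebank.com/login">sign in</a> immediately, or visit
<a href="https://chasebank.com/verify">https://www.chase.com/verify</a>.</p>
<p>Questions? See <a href="https://www.chase.com/help">https://www.chase.com/help</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Hostname of a URL; bare 'www.example.com/x' is treated as http."""
    return urlparse(url if "://" in url else "http://" + url).hostname or ""

def registrable_domain(host):
    """Simplification: the last two labels. login.chase.com.evil.example
    therefore resolves to evil.example, which is the point of the check."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def looks_like_url(text):
    return bool(re.match(r"^(https?://|www\.)", text.strip(), re.I))

def audit_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, visible_text, [reasons])]; an empty reason list is clean."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        dest = registrable_domain(host_of(href))
        reasons = []
        if dest not in trusted:
            reasons.append("destination %s is not a known-good domain" % dest)
        if looks_like_url(text):
            shown = registrable_domain(host_of(text))
            if shown != dest:
                reasons.append("text shows %s but link goes to %s" % (shown, dest))
        findings.append((href, text, reasons))
    return findings

def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    return [f for f in audit_links(html, trusted) if f[2]]

if __name__ == "__main__":
    for href, text, reasons in audit_links(SAMPLE_EMAIL):
        print(href, "|", text or "(no text)", "|", "; ".join(reasons) or "ok")
```

Hovering over a link shows you the same href this code reads; the check just does it for every link at once and refuses to be fooled by a display name that happens to look like a URL.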

Whether it’s spam or phishing when an email arrives that “wants” you to click on its links, leave it wanting. Especially, never click on “unsubscribe” links in spam email. Doing that simply confirms for the spammers not only is your email address valid, but you actually read their email. They will reward this by showering you with much love. And spam. Well, mostly spam.

A Modeling Job for You


Motherboard, a part of Vice magazine, has published a very good Guide to Not Getting Hacked.  It’s also available as a PDF.

One of my favorite sections draws from the EFF Threat Modeling page.  “Threat modeling” may sound like something a management consultant would explain to you with 19 PowerPoint slides for only $45,000.  But it really just consists of considering these five questions:

  1. What do I want to protect?
  2. Who do I want to protect it from?
  3. How bad are the consequences if I fail?
  4. How likely is it that I will need to protect it?
  5. How much trouble am I willing to go through to try to prevent potential consequences?

Ultimately the goal of information security is not to protect information assets absolutely.  Protecting anything absolutely is not even theoretically possible.  What we’re trying to do is make the assets more trouble to attack successfully than they are worth.  If stealing a new sprocket design from the engineers at Spacely Sprockets is worth $4 million to the thief, then we have to make it cost the thief an expected $4.5 million or more to get it.  That way, even success is failure for the attacker.

But note that the attacker’s cost and our cost are two different numbers.  If preserving that design is worth $4 million to us, we’d be idiots to spend $4.5 million defending it.  We could post it on Facebook and save ourselves $500,000.  The craft is in raising the attacker’s cost well above what the asset is worth to them while keeping our own spending well below what it is worth to us.

Threat modeling is really just taking a breath, refusing to panic, and applying all-too-UNcommon sense.