So yesterday I decided to setup a test lab to play with Windows 2008 Server. Microsoft has announced the retirement of mainstream 2003 support , which is happening this July. I was able to download a licensed ISO of the 64-bit Windows 2008 Server from MSDN Academic Alliance, which includedStandard, Enterprise, and Datacenter editions (and 3 other install options that were just “server core” — I don’t know the differences).

My host machine is Ubuntu Linux 9.10, AMD quad-core, 3.5G of DDDR3 ram. I have two 160GB SATA disks in a non-RAID configuration. I know it’s far from ideal but I try to split VM’s between these drives to help I/O performance. I am using Virtualbox 3.1.6, non OSE. I’ve been using the command line tools to manage my VM’s lately. It can seem daunting at first (it was for me) but you will soon become accustomed to the syntax. Read the rest of this entry »

Good article in the LA Times business section today – Online, your life is searchable. It’s good to see this issue getting a larger exposure. From the article:

Online information about consumers comes from several sources. Public records such as campaign contributions, property sales and court cases are increasingly posted on the Internet. At the same time, marketers are collecting information about consumers’ Web browsing and buying habits. And then there are the thousands of online communities such as Facebook and Twitter, where users supply the personal information themselves.

There is a great (if not really long) article by Simson Garfinkel over at the Technology Review discussing our privacy and the need to be vigilant and proactive. Privacy by inaction doesn’t cut it in our digital age. Keeping your head low won’t keep your name or picture out of the massive government and private-sector databases. We need to be more vocal and more active in protecting ourserlves and our data.

Garfinkel concludes that what is necessary is an “online passport”: A global, ubiquitous electronic-identification system, backed by business and government alike. Currently there are a myriad of systems to verify our online personas: your banks each have one, every e-mail account you use is different, any company you do business with online and your facebook and myspace. Now each of these systems is designed and implemented in different ways by different people and contain their own strengths and weaknesses. While I see the benefits of a single, well-designed and strong authentication system, I also see it’s drawbacks. It creates a single point of failure. Sure we can pass laws protecting it and standards for auditing it. But what happens when an attacker gets a hold of your credential? Instead of just having access to one account, he has access to all of them. Because now every government office and online retailer trusts that single system, and nothing is ever 100% secure.

Anyway, it’s a good read and contains a good discussion of the legal history of privacy and how it’s evolving and will continue to evolve. Discussion is what we need; a solution to the privacy problem will not be a quick and easy fix. Read the full thing here.

Related Blogs

• Related Blogs on Anonymity
• Right of a blogger’s anonymity: a selection of views | Journalism …
• Local SA meeting busted, anonymity destroyed. « Trudging the …
• Nightjack: the cloak of anonymity and the mankini of hypocrisy …

• Related Blogs on Privacy
• Privacy Lives » Blog Archive » Events of Interest: Fordham …
• Google and Personal Privacy – Is it really that bad? You Decide …
• Blue Herald » Blog Archive » Goodbye Privacy

• Related Blogs on Security
• Security and Hacking: Reporting Cyber Crime | The Blog Herald

A while ago my colleague blogged about the importance of secret questions in keeping your online accounts safe. We came to the conclusion that security questions, in many implementations, can actually decrease your overall level of security. Security questions are a secondary means of authentication used when the primary method fails. So when you forget your webmail password, you’ll be asked a pre-arranged secret question that you must answer to reset your password and regain access to your account. During the presidential election last year, VP candidate Sarah Palin’s Yahoo email was hacked, because of weak secret questions and a little googling. A paper was published recently with some hard data, it can be downloaded here, and makes for an interesting read.

From the abstract:

All four of the most popular webmail providers — AOL, Google, Microsoft, and Yahoo! — rely on personal questions as the secondary authentication secrets used to reset account passwords. The security of these questions has received limited formal scrutiny, almost all of which predates webmail. We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintance with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers. Participants forgot 20% of their own answers within six months. What’s more, 13% of answers could be guessed within five attempts by guessing the most popular answers of other participants, though this weakness is partially attributable to the geographic homogeneity of our participant pool.

Read the rest of this entry »

An often overlooked aspect to security is the swap partition. A swap partition is a partition used to temporarily store data when ram is low. Any thing that might be stored in ram could be placed in your swap partition, such as passwords and encryption keys. These passwords and keys could be retrieved by a malicious person, and used to access your online banking accounts, e-mail accounts or encrypted files.

Today we are going to walk you through simple AES encryption of your Linux swap partition. All data stored in your SWAP file will be seamlessly encrypted with a different random key, every time you boot. This will render any examination by a malicious person worthless.
Read the rest of this entry »