Archive for the 'Security' Category

Privacy needs pro-active security

Posted in Privacy, Security on June 23rd, 2009 by blakangel

There is a great (if rather long) article by Simson Garfinkel over at the Technology Review discussing our privacy and the need to be vigilant and proactive. Privacy by inaction doesn’t cut it in our digital age. Keeping your head low won’t keep your name or picture out of the massive government and private-sector databases. We need to be more vocal and more active in protecting ourselves and our data.

Garfinkel concludes that what is necessary is an “online passport”: a global, ubiquitous electronic-identification system, backed by business and government alike. Currently there is a myriad of systems to verify our online personas: each of your banks has one, every e-mail account you use is different, and so is any company you do business with online, not to mention your Facebook and MySpace accounts. Each of these systems is designed and implemented in a different way by different people and has its own strengths and weaknesses. While I see the benefits of a single, well-designed and strong authentication system, I also see its drawbacks. It creates a single point of failure. Sure, we can pass laws protecting it and set standards for auditing it. But what happens when an attacker gets hold of your credential? Instead of having access to just one account, he has access to all of them, because now every government office and online retailer trusts that single system, and nothing is ever 100% secure.

Anyway, it’s a good read and contains a good discussion of the legal history of privacy and how it’s evolving and will continue to evolve. Discussion is what we need; a solution to the privacy problem will not be a quick and easy fix. Read the full thing here.

The insecurity of ‘secret question’ authentication

Posted in Privacy, Security on May 26th, 2009 by blakangel

A while ago my colleague blogged about the importance of secret questions in keeping your online accounts safe. We came to the conclusion that security questions, in many implementations, can actually decrease your overall level of security. Security questions are a secondary means of authentication used when the primary method fails: when you forget your webmail password, you are asked a pre-arranged secret question that you must answer to reset your password and regain access to your account. During the presidential election last year, VP candidate Sarah Palin’s Yahoo e-mail account was hacked because of weak secret questions and a little Googling. A paper with some hard data was published recently; it can be downloaded here and makes for an interesting read.

From the abstract:

All four of the most popular webmail providers — AOL, Google, Microsoft, and Yahoo! — rely on personal questions as the secondary authentication secrets used to reset account passwords. The security of these questions has received limited formal scrutiny, almost all of which predates webmail. We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers. Participants forgot 20% of their own answers within six months. What’s more, 13% of answers could be guessed within five attempts by guessing the most popular answers of other participants, though this weakness is partially attributable to the geographic homogeneity of our participant pool.

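One way to quantify the “most popular answer” weakness the study measured, as an added example that is neither the post’s nor the paper’s code: given one answer per user for a candidate question, it reports what share of accounts would fall to k guesses of the most common answers, so a weak question can be rejected before it is deployed. The answer list is constructed sample data, and the 13% cutoff in the policy check is the study’s figure reused here only as an illustrative threshold.

```shell
#!/bin/sh
# Added example (not code from the post or the cited paper): score a secret
# question against the attack the study measured, guessing the most popular
# answers given by other users. Input is one answer per line.
set -eu

# Constructed sample, not study data: answers to "favourite sports team?" from
# a fictional, geographically homogeneous pool, comma separated.
SAMPLE_ANSWERS='seahawks,seahawks,mariners,seahawks,huskies,mariners,cubs,seahawks,yankees,huskies,sounders,seahawks,mariners,lakers,packers,seahawks,huskies,cougars,sounders,mariners'

# Normalise the way a lenient reset flow compares answers: lower-case, drop
# punctuation, trim whitespace, drop a leading "the", so "The Seahawks!" matches.
normalise() {
    tr '[:upper:]' '[:lower:]' |
        sed 's/[[:punct:]]//g; s/^[[:space:]]*//; s/[[:space:]]*$//; s/^the //'
}

# Percentage of accounts an attacker opens with $1 guesses, trying the $1 most
# common distinct answers in order of popularity. Answers arrive on stdin.
coverage_pct() {
    normalise | sort | uniq -c | sort -rn | awk -v k="$1" '
        { total += $1; if (NR <= k) hit += $1 }
        END { printf "%d\n", (hit * 100) / total }'
}

# Policy check: reject a question whose five-guess coverage exceeds $2 percent.
# $1 = comma-separated answers. The study reported 13% across the providers it
# examined; that number is used below purely as an illustrative cutoff.
question_is_weak() {
    pct=$(printf '%s\n' "$1" | tr ',' '\n' | coverage_pct 5)
    [ "$pct" -gt "$2" ]
}

# Stand-alone run: show how exposure grows with the guess budget.
for k in 1 3 5; do
    printf '%s guesses: %s%% of answers\n' "$k" \
        "$(printf '%s\n' "$SAMPLE_ANSWERS" | tr ',' '\n' | coverage_pct "$k")"
done
if question_is_weak "$SAMPLE_ANSWERS" 13; then echo "question rejected"; fi
```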

Ubuntu Linux Swap Partition Encryption

Posted in Privacy, Security on May 6th, 2009 by Justin Case

An often overlooked aspect of security is the swap partition. A swap partition is a partition used to temporarily store data when RAM is low. Anything that might be held in RAM could be written to your swap partition, including passwords and encryption keys. These passwords and keys could be retrieved by a malicious person and used to access your online banking accounts, e-mail accounts or encrypted files.

Today we are going to walk you through simple AES encryption of your Linux swap partition. All data stored in your swap partition will be seamlessly encrypted with a different random key every time you boot. This will render any later examination of the partition by a malicious person worthless.
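The walkthrough itself is behind the link, so here is an added example (not the post’s own steps) of the usual crypttab-based setup on Debian/Ubuntu: the swap partition is mapped through dm-crypt with a key read from /dev/urandom at every boot, and the fstab entry is repointed at the mapping. The mapper name cryptswap and the device names are assumptions; it refuses to act on anything that is not already active swap.

```shell
#!/bin/sh
# Added example, not the post's own walkthrough: move an existing swap
# partition onto a dm-crypt mapping keyed from /dev/urandom, so the key is
# fresh on every boot. Assumes Debian/Ubuntu cryptsetup with /etc/crypttab
# and uses the mapper name "cryptswap" (an assumption; any name works).
set -eu

MAPPER=cryptswap

# /etc/crypttab entry. "swap" makes cryptsetup run mkswap on the mapping at
# boot; size=256 is a 256-bit XTS key (AES-128 in XTS mode). $1 = partition.
# Prefer a stable path such as /dev/disk/by-id/... so a renumbered disk is
# never mistaken for swap and wiped by the boot-time mkswap.
crypttab_line() {
    printf '%s %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$MAPPER" "$1"
}

# Point the fstab swap entry at the mapper instead of the raw partition.
# $1 = fstab path (a copy when testing, /etc/fstab for real),
# $2 = old device exactly as it appears in fstab (a UUID=... spec works too).
rewrite_fstab() {
    awk -v dev="$2" -v mapper="/dev/mapper/$MAPPER" '
        $1 == dev && $3 == "swap" { print mapper, "none", "swap", "sw", 0, 0; next }
        { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# True when the kernel is swapping to the mapping, not to the plaintext device.
swap_is_encrypted() {
    grep -q "^/dev/mapper/$MAPPER[[:space:]]" /proc/swaps
}

main() {
    dev=$1
    # Refuse to touch anything that is not currently active swap.
    grep -q "^$dev[[:space:]]" /proc/swaps || { echo "$dev is not active swap" >&2; exit 1; }
    swapoff "$dev"
    # Overwrite the old plaintext swap so nothing paged out earlier survives on disk.
    dd if=/dev/zero of="$dev" bs=1M 2>/dev/null || true
    crypttab_line "$dev" >> /etc/crypttab
    rewrite_fstab /etc/fstab "$dev"
    # Bring the mapping up now with the same parameters crypttab will use at boot.
    cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 256 \
        --key-file /dev/urandom "$dev" "$MAPPER"
    mkswap "/dev/mapper/$MAPPER" && swapon "/dev/mapper/$MAPPER"
    swap_is_encrypted && echo "swap is now on /dev/mapper/$MAPPER with a per-boot key"
}

# Only act when given a device; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then main "$@"; fi
```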

Ubuntu Netbook Remix / Desktop Home Encryption

Posted in Privacy, Security on May 2nd, 2009 by Justin Case

So last week I got my new Acer Aspire One, an awesome little netbook. First things first, I had to remove Windows XP Home and put Ubuntu 9.04 on it. Everything runs pretty well: the webcam works, and the microphone works properly after setting the sound capture to ‘HDA Intel ALC268 Analog (ALSA)’.

Being so small, I wanted to encrypt the hard drive with LUKS, in case it was stolen or lost. Initially I used the alternate install ISO to do this. The install was complicated by the installer complaining about the lack of a CD drive, and the performance hit was just too big. So, I decided to use the Netbook Remix and do just /home encryption, as that is where most settings and personal files should be stored.

FBI spyware has been catching criminals for years

Posted in Privacy, Security, civil rights on April 20th, 2009 by blakangel

Last Thursday wired.com, through a FOIA request, obtained hundreds of pages of documents that detail seven years of the FBI’s use of malicious software in tracking down hackers, hitmen, extortionists and terrorist suspects. The released documents, available for download here, are of course heavily redacted. The software is called CIPAV, or “computer and internet protocol address verifier.” According to the documents, its capabilities include reporting a computer’s IP address, MAC address, open ports, a list of running programs, the operating system type, version and serial number, preferred internet browser and version, the computer’s registered owner and registered company name, the currently logged-in user name and the last-visited URL. After sending this information to FBI servers over a covert channel, the software sits quietly and monitors your internet use, reporting the IP addresses of every connection made while on the Internet.