Category: Internet matters

Posts about the internet

Operational security for disclosing wrongdoing

Wired on the steps now required for whistleblowers to leak evidence of wrongdoing to journalists, in an age of ubiquitous surveillance:

“Get a dedicated computer or tablet: the cheapest Windows laptop will do. And pay cash, as our normal laptops have a host of automatic synchronization and similar services. Our personal web browsers also contain all sorts of location-identifying cookies. Even if you’re logged in to but don’t actually visit Facebook’s home page, a subpoena to Facebook can still reveal where you connect and what pages you visit — every “Like” button reports to Facebook that you are visiting that particular page, at a particular time, from a particular IP address.

Leave your cellphone, your normal computer, and your metro card (like SmarTrip) at home: anything that speaks over a wireless link must stay behind. Then go to a coffee shop that has open Wi-Fi, and once there open a new Gmail account that you will only use to contact the press and only from the dedicated computer. When registering, use no personal information that can identify you or your new account: no phone numbers, no names.

Don’t forget: if you get anything at the cafe, or take public transit, pay cash. Be prepared to walk a bit, too; you can’t stay close to home for this.

Of course, the job still isn’t finished. When you are done you must clear the browser’s cookies and turn off the Wi-Fi before turning off the computer and removing the battery. The dedicated computer should never be used on the network except when checking your press-contact account and only from open Wi-Fi connections away from home and work.”

Related: Wikileaks and whistleblowers

Concept for making use of Google’s ‘Inactive Account Manager’ feature

Presumably after considering the consequences of doing so, Google has become a sort of unusual executor of the digital estates of users who opt in to their ‘Inactive Account Manager’ feature.

They are given the option to set how long a ‘timeout period’ must pass before the system kicks in.

They are then allowed to automatically notify and potentially share data with up to 10 “trusted friends or family members”.

They can then add an autoresponder message, either for anyone who emails them or just for contacts.

Finally, they can set up a system to delete their account.

In a way, this looks a lot like a Dead man’s switch.

The concept

This system relies upon the autoresponder feature.

If you have data that you wish to make publicly available only after your death, encrypt it with a secure-yet-commonly-used algorithm like AES.

Put the key in the body of your Google post-mortem autoresponse email.

In all likelihood, the key will circulate and people will be able to decrypt the files which you wish for them to decrypt.

I am sure Google thought this through, but it seems to me that this system might encourage suicides. There can be a certain attraction in going out by means of a dramatic gesture, and this system makes it a lot easier.

Apology for eaten emails and comments

These days, I need to be extra-vigilant in terms of filtering possible spam and malware. I also get a substantial volume of spam comments and emails each day. As a result, it is almost certain that I am occasionally missing legitimate emails and comments, deleting them from spam folders that I don’t have time to check through manually, or never even seeing them because they are automatically blocked on a different basis.

The blog’s spam filtering systems are fairly sensitive to links, so if your comments are being eaten try posting them without links.

Similarly, for email, I am more likely to open an email from an unknown sender if it is in plain text (not HTML) and includes no attachments.

iTunes updates

The decision of whether or not to update iTunes is always a wary one for me.

On the one hand, it is possible they are patching essential security bugs that are leaving one or more of my devices vulnerable.

On the other, it is likely that the update will include at the very least a gratuitous and confusing user interface change, and at most will be another transformation in the functioning of the whole program. I don’t want to need to learn new software every time Apple decides to mix things up again, and they have an unfortunate habit of eliminating good features and introducing deliberately frustrating ones.

‘backed by certain states’

In a slightly ominous development, GMail is now warning me that: “We believe that attackers backed by certain states may be attempting to compromise your account or computer” and urge me to: “Protect yourself now“.

This is probably just further fallout from the Stratfor hack. I wish it wasn’t happening while I am so completely occupied with urgent school assignments, climate work, and continuing efforts to do paid photographic work.

Phone hacking – everything is a computer these days

This video shows off some of the realistic attacks that can be performed against office-type landline telephones these days:

The presentation in this video was made by by by Ang Cui, a researcher from the Columbia University Intrusion Detection Systems Lab.

More information about the ‘symbiote’ protective software mentioned in the video is on their site. Weird that hacking your own phone to address failures in the firmware might be the best way of improving the security of your network…

I wonder if the Columbia researchers collaborate at all with U of T’s Citizen Lab

Shell ad parody generator

With this website, you can make your own satirical version of Shell’s “Let’s go” ads:

Shell is one of the most enthusiastic companies taking advantage of how climate change is melting the arctic in order to drill for oil there and thus cause even more warming. Shell is also the largest single investment in the portfolio of the University of Toronto.

Toronto 350.org is calling on the University of Toronto to sell its stock in Shell, as a starting point for a general campaign of fossil fuel divestment.

Anyone want to try Silent Circle?

Given the unencrypted email and phone traffic is now likely to be intercepted by state intelligence services, and given that services like Skype probably have backdoors that render their encryption ineffective, would anyone be interested in trying out Silent Circle: a new encryption platform backed by Phil Zimmerman, creator of the original PGP?

According to the people running the service:

We do not have the ability to decrypt your communications across our network and nor will anyone else – ever. Silent Phone, Silent Text and Silent Eyes all use end-to-end encryption and erase the session keys from your device once the call or text is finished. Our servers don’t hold the keys. Our encryption keeps unauthorized people from understanding your transmissions. It keeps criminals, governments, business rivals, neighbors and identity thieves from stealing your data and from destroying your personal or corporate privacy. There are no back doors in our systems, nor will there ever be.

The service costs $20 per month and includes encrypted phone, text, email, and video chat capabilities. In recognition of how such services only become useful once they have a certain base of subscribers, each subscription lets you also sign up one friend for the service for free.