Category: Links

Categories
Links

Passwords: uniqueness, not complexity

Graham argues that there are three tiers of sites and that you should apply variable password policies to each tier. The key lesson is to have unique passwords across the tiers so that a tier 3 site being hacked doesn’t endanger your tier 1 sites. You probably want unique passwords for each tier 1 site.

At the first tier is your e-mail account. Since a hack of your e-mail account means hackers can reset passwords on all your other accounts, it would be terrible if that password were lost. This should both be very complex, as well as wholly unrelated to any other accounts.

At the second tier are important e-commerce sites, like Amazon.com, NewEgg,com, Apple.com, and so on. The major sites are unlikely to be hacked. You could probably share the same password for all these accounts.

At the third tier are the unimportant accounts, like StratFor, where it wouldn’t be catastrophic if your password were lost. Again, you could choose a third, simple password, like “passwd1234” for all these accounts. It’ll probably get stolen within a year, but who really cares?

While I agree, in part, I still think that a highly complex passphrase (not password) and a strong password daemon like 1 Password is probably the best approach for most people. That way you can enjoy strong, unique, passwords and generate new ones for each account you open.

Categories
Links Writing

Harsher data protection sanctions are coming [but will they matter?]

Fleischer:

I regularly hear people claim that there’s not enough legal enforcement of privacy. In some places, as a matter of practice, that may well be true. But there is no shortage of overlapping authorities with the power to bring or adjudicate privacy claims. Curiously, in privacy circles, most of the focus is on the enforcement actions of the DPAs. But in practice, the DPAs are just one of many different authorities who can and do bring privacy enforcement actions. And the trend is clearly going up, both in terms of the numbers of laws that can be violated, in terms of the severity of sanctions, in terms of the numbers of complaints that are brought, and in terms of the breadth of authorities who are involved in enforcing privacy.

Fleischer is Google’s chief privacy counsel, so he’s got a pretty good eye for what’s coming at Google (and other large data collectors and processors). I wonder, however, about the actual effectiveness of the legal challenges he refers to: Canada’s privacy law didn’t stop Streetview from coming into Canada but instead mediated some of its most invasive characteristics. Similar things can be said about powerful network surveillance apparatuses that are deployed by Canadian ISPs. My worry is less that large companies will be whacked with large fines, but that the regulation will serve to legitimize a lot of practices that legally are acceptable without being according with our social norms.

Categories
Links

Punching through The Great Firewall of T-Mobile

Punching through The Great Firewall of T-Mobile:

T-Mobile UK are moving towards a mobile network which works (technically) in a very similar manner to the Great Firewall of China.

Most people don’t run their own server. If you don’t, then you’re pretty screwed.

On a technical level, what T-Mobile is doing is pretty cool (assuming it is, in fact, the same techniques as China is using to attack TOR of late) but is otherwise pure evil. T-Mobile’s behaviours are a clear indication of why strong network neutrality rules are absolutely necessary: without regulations and punishments carriers will happily screw their customers if it might save, or make, the carriers a buck.

Categories
Links

ContraRISK: Bad password advice

contrarisk:

In the December issue of Computer Fraud & Security, an article by Prof Steven Furnell – ‘Assessing password guidance and enforcement on leading websites’ – presents some fascinating original research into the password practices of various leading websites – and also paints a somewhat…

Whenever I read about bad passwords, I’m reminded of XKCD’s comic on password strengths.

 

Categories
Links

Rethinking the Unthinkable About SOPA

Lauren has a cogent framing of the legislative hurdles that might lead to SOPA getting through the House and Senate. I think that the ‘lets put up banners’ is a cruddy way to inform the public of SOPA’s implications. I agree that full-on blackouts of majors sites is a poor public relations tactic and unlikely to positively raise public (and legislative) awareness).

What might work, however, is highly targeted blackouts. Why not prevent the Congress, Senate, and White House, along with all other government bodies throughout the US, from accessing key sites such as Google, Facebook, Wikipedia, and so forth. This would make legislators realize what they’re about to do, its implications, and create a large enough media event that the public might wake up to what’s going on in Washington. Companies needn’t target the public themselves but just create a focusing event that brings SOPA and its problems to the public’s attention and legislators’ attention at effectively the same time.

Now, would political organizations get around ‘blockades’? Sure. The aim wouldn’t be perfect enforcement of a blockade but to capture real attention on SOPA and its harms, and make those harms tangibly real to the folks responsible for voting (or not) on this POS bill.

Categories
Links Writing

Is Silicon Valley too smart for its own good?

While Agrawal’s article argues that those in Silicon Valley are developing for people who’re as saturated as they are, I think that he’s really missing what makes the Valley what it is. For decades, we’ve seen interesting ideas and products come out of California that are absolute flops. They’re not flops because the products are necessarily bad but  because the deliverables don’t identify a real problem or offer a real solution. That’s not a bad thing, and critiques along grounds of ‘flops’ (and crafting products for the future, rather than the past) misses what’s important about the Valley’s function as a thought incubator: ideas are crafted and honed, underlying principles and technical challenges are ironed out, and eventually some bits and pieces of “failed” ideas and products tend to be integrated into the future’s successful product lines.

Innovative development, much like scholarly work, is often intellectually exciting and vibrant while lacking a direct market output. It’s because we can test, experiment, and play that cool things ultimately come out of the ether. If we demand that most, or all, of Silicon Valley’s (and academia’s) projects meet existing problems, and avoid dreamlike solutions to undefined issues, we’re going to see a lot less interesting and novel things that (seemingly) pop out of nowhere.

Categories
Links Writing

Why Mobile Carriers are a Threat to Us All

Paul Thurrott reports that Microsoft is no longer guaranteeing that mobile updates will be delivered to end-users and will no longer give guidance about when/if those updates will come.

I suspect that Microsoft’s actions are the result of carriers not caring one lick about security and actively opposing performance updates to “old” phones. Carriers aren’t themselves affected by security deficiencies that they are largely responsible for prolonging, and if new cool features are automatically provided in a smartphone update then the customer is less likely to rush out and buy a new phone with the same features. Carriers need to be held accountable: if they know there are security updates and refuse to let them go out to customers, then customers’ contracts should be broken with those same carriers. If customers experience actual harms, then the carriers should be legally – and financially – liable.

Microsoft, and the other mobile OS vendors, need to realize that the most important customer base is the people buying phones, not the device manufacturers or carriers. The latter two groups are important, yes, but if Microsoft can’t convince end-customers to pick up their phones and be happy about the choice a few months later then Microsoft is going to turn into an Android-like OS manufacturer. We already have one too many of those.

Categories
Links

3 things I really want to see from my windows phone ASAP

xczachx20:

  1. Screen Capture capability
  2. An Call of Duty Elite App
  3. A tumblr App

I’d happy trade #2 for a functional version of Google Maps that:

  • was a native app;
  • worked with the GPS;
  • provided transit directions.

The Bing Maps functionality might be decent if you drive. It’s shit if you take transit.

As a bonus: be great to (easily) disable all the Microsoft Skydrive garbage.

Categories
Links

Side Channel Attack =/ Cracking Encryption

From the article:

BlackBerry messenger is “significantly less encrypted compared to the BlackBerry email that corporations are using,” Leif-Olof Wallin, an analyst at Gartner Inc., based in Sweden, recently told Bloomberg News. “Any kind of cryptographer should be able to crack it without the involvement of (parent company, Waterloo, Ont.-based Research in Motion).”

BBM for consumers is sufficiently encrypted and it isn’t a simple matter for ‘amateur cryptologists’ to easily break it. No: the deficiency with the communications encryption
is that RIM uses, and possesses, a common global key to provide transit security to BBM messages. In the case of users that are linked to a BlackBerry Enterprise Server (BES) the BES administrator is responsible for establishing the encryption/decryption keys. As a result, RIM is incapable of breaking the BES infrastructure. It should be noted that, with consumer BBM traffic, the supposed attacker is a transit middle-man and not the government. RIM protects end-users from this – which doesn’t happen with a SMS message – and makes no bones about being there to protect consumers from legitimate (in the sense of legally justified, rather than normatively acceptable) government interceptions.

Categories
Links Writing

Tracking Your Every Move: ‘Enhancing’ Driver’s Licenses at the Cost of Privacy | Dissident Voice

The potential for ubiquitous surveillance that emerges with Enhanced Drivers Licenses (EDLs) could only be imagined by the Stasi in Communist East Germany, but is a genuinely looming specter for contemporary North American democracies. Provincial and state governments in North America are proposing to ‘enhance’ driver’s licenses in coming years by including a Radio Frequency Identification (RFID) chips in them. These ‘enhanced’ licenses emit unique identifiers and will be optional when they are first available to the public, though they will be required to enter the United States using a driver’s license beginning in July 2009. The proposed Enhanced Driver’s Licenses (EDLs) are intended to be associated with border security, but are also accompanied with concerns linked to individuals’ reasonable expectations of privacy.

An early piece I wrote on enhanced drivers licenses.