
Frontline’s United States of Secrets


Last night was part two of the PBS Frontline program called United States of Secrets. It was one of the best, most thorough overviews of what is going on with the NSA’s vacuum surveillance that I’ve ever seen.

You owe it to yourself, and the future of our children, to be aware of what’s going on.

NSA Finally In The Light

I’ve been deeply concerned about the massive, sweeping surveillance going on for over TEN YEARS! Whenever I bring up this topic (and online security in general), too many of my family and friends just shrug and say, “Oh well.” Frankly, I just don’t understand why most people don’t seem all that concerned about the fundamental erosion of our liberty caused by the NSA’s mass surveillance.

Thankfully the Edward Snowden whistleblowing finally shined a light on what I intrinsically knew was going on shortly after 9/11 (see Snowden’s revelations and the overall controversy at The Guardian’s NSA Files website section). Yes, I feel vindicated for my paranoia but that attestation is not something I longed for…instead I hoped the government’s drive to classify their constitutional violations and illegal activities as “keeping America safe from terrorism” would stop.

Unfortunately that whistleblowing has made it increasingly hard for companies who sell their technology outside of the United States. For example, the NSA was inserting hardware in Cisco routers which caused CEO John Chambers to write a letter to President Obama asking for it to cease…now.

We’ve only seen the beginning of the backlash and erosion of our competitiveness around the world since no one trusts us anymore.


Skype to be renamed “Scrape”?

Something happened four and a half years ago that made me stop and wonder what the hell really happened: Skype was mysteriously taken offline, so I dashed off this post: Skype. How big *is* the back door?

Confirmation of my paranoia back then has become clearer with articles about how Microsoft has set up Skype to be “scraped” by the National Security Agency, like this one, Skype: Reportedly Funneling Your Calls To PRISM Since 2011:

Skype, long thought to be a privacy haven for its encrypted communication, reportedly began integrating its systems into the NSA’s PRISM program as early as November of 2010, nearly a year prior to joining Microsoft in the fall of 2011, according to a new report from the Guardian.

Skype reportedly began sending audio and text messages to the NSA, which shared the data with the FBI and CIA. The Guardian also reported that Skype, under the helm of Microsoft, worked closely with the NSA to enable the collection of video calls starting in July 2012.

Or this one, Microsoft Hints Skype Calls May Be Fair Game for NSA:

Microsoft indirectly hinted that Skype communications can be intercepted and handed over to the National Security Agency, according to two privacy and security researchers’ interpretation of the latest statement by the company regarding NSA surveillance.

For security experts, that means Skype calls are at the mercy of NSA requests, just like traditional phone calls made with landlines or cellphones. In other words, the U.S. government, through its PRISM program, can legally compel Microsoft to hand over Skype communications, something that the company previously denied was even possible at a technical level.

I always try to leverage my strengths and use them to see what’s coming next. Rarely do I take at face value any announcement, strategic move or even terrorist ‘attack’, since I’ve been wrong every single time I did so. Only when I try to read between the lines or do a smell test on whether something feels right — all while taking into consideration the facts I’ve been sticking in my brain through all my research and knowledge — do I become paranoid enough to take action, and one action is to move off of Skype. More on that to come…

Good discussion from a quite varied group of folks on This Week on ABC:


The Ends Justify The Means?

I was at two high school grad parties yesterday and found myself having disheartening conversations with several young people who had just graduated high school. We talked about what they’d be doing post-high school, their visions about their future lives and whether they thought what they wanted to do was achievable, and what kind of world they thought they were inheriting from those of us who were close to passing it on to them.

I was not prepared to hear their sense of sadness, fear, pessimism and, especially, their true befuddlement that the BIG lesson they had been taught by those in power was that:

  1. It was OK to lie to the world to start a war and no one is held accountable
  2. If you are a huge financial institution and instrumental in facilitating a global economic meltdown, not only will you not go to jail but your company is saved and it’s back to business (and bonuses) as usual within a year or two and no one is held accountable
  3. That a “terrorism Pearl Harbor” is excuse enough to spend trillions abroad while at home our infrastructure fails and our country embarks on the largest run-up in mass surveillance while trampling on our Constitution’s Fourth Amendment, and no one is held accountable (at least not yet)
  4. The richest and most powerful nation on earth has the highest incarceration rate in the world, while many of the crimes (especially ironic compared to no jail time for those in #2 above) are petty in nature.

While I tried to continually steer the conversations toward a more positive note—and part of their funk might have been attributable to our crappy, rainy weather yesterday—they continued to be gloom-and-doomsters about the state of our country and how uncertain they felt about the future.

The lessons taught to (and learned by) these young people? The ends justify the means. Makes me wonder if the next several decades may make many of these young people look more like a Gordon Gekko character than a Mother Teresa, and whether our country’s ethical decline is now systemic, with most of the skids greased to make it easier for the United States to become a totalitarian country.


Google Chrome: Why I Said, “No thanks”

Though I use Google Chrome all day, every day…I radically minimize the use of plugins and extensions. Why? Because it’s like going to the hardware store to get a new house key made and having to agree in writing that, “You agree the locksmith can make a duplicate key and use it whenever he/she cares to do so.”

The thing is, as I described in my September 2011 post, “Don’t Just “Allow” Permissions for Cloud Apps,” there are just too many opportunities for rogue infiltration of my computers if I load ones that are inherently insecure (because I’d have to grant access to all my tabs, web history and more). I don’t agree willy-nilly to terms and conditions; I actually think through what sorts of potential insecurities and “holes” I’m opening myself up to if I choose to use an extension or plugin.

Google makes it clear that you have to be very, very careful when you load Google Chrome extensions. I’m often blown away when I see how many developers, many of whom are outside the U.S., deliver NPAPI extensions. Google says on that page that developers should strongly consider these security considerations with NPAPI:

Including an NPAPI plugin in your extension is dangerous because plugins have unrestricted access to the local machine. If your plugin contains a vulnerability, an attacker might be able to exploit that vulnerability to install malicious software on the user’s machine. Instead, avoid including an NPAPI plugin whenever possible.

Though Google is working on an experimental new plugin/extension API called “Pepper,” today I decided (in advance of a client session) to experiment with Google Remote Desktop. It works well and my client uses Chrome, but when I went to install the extension on my main machine I encountered this:

Chrome Remote Desktop 'agreement'

Wait a second. What is that last sentence, “Perform these operations when I’m not using the application,” that I’m agreeing to if I install it?

Figuring that it would be fast to discover more detail behind that bullet point and get comfortable that I wasn’t opening myself (and our entire office network) up to who-knows-what, I did a Google search on that phrase. Basically I found nothing. Then I went to the Google Chromium project (the project behind Chrome, ChromeOS, etc.) and looked at their “security brag sheet.” Again, nothing.

Does this mean that, if my computer and Chrome are running and I’m not around, Google (or whomever they grant access to) can view any of my computer’s desktops? Security neophytes would think, “Come on…your locksmith analogy is a straw man argument and Google would never allow that sort of intrusiveness.” Maybe, but if CISPA passes (PDF), like I posted about yesterday, Google won’t have a choice in opening up desktops to intelligence and policing agencies (though, in Google’s defense, they are rattling their sabers).

I clicked “No thanks” to using Google Remote Desktop until Google reveals—and their description is verified by security specialists—that Google Remote Desktop isn’t a backdoor. You should too until Google makes it crystal clear what we’re signing up for when we install their, and third-party, extensions.


@SendInc Sends Stuff Securely

Never, never, never send sensitive or private information through email. It doesn’t matter if you’re at home or at work on a secure network once you see how email really works.

Please don’t even get me started on why you are just asking for trouble if you send anything secure over email while you are naked in a coffee shop on Wifi.

This all came to a head today as a client’s accountant asked me to complete a Form W9 for payments last year and get it to her within five days. Since this person didn’t have a local fax machine which she had control over…that was not an option. Yes, I could have filled it out, printed it off and snail-mailed it, but I resisted that with all my being since doing so runs counter to my increasingly paperless life and just seemed inefficient and dumb.

I’m well aware of all sorts of email encryption solutions out there to secure email: PGP, Hushmail, encrypting a Zip file. But all of these solutions require someone to be reasonably tech-savvy in order to use them, or to adopt a solution like Hushmail as a primary service. Let me tell you that — after supporting family and friends and setting up support infrastructure for my company and others — the vast majority of people are NOT tech-savvy, and I just want to be able to send stuff securely and digitally without having the recipient match my technoweenie skill-set!

So that made me wonder: Why couldn’t sending a non-techie a secure file (or files) be easier? Fortunately I was pointed to a great solution.


Encrypt Your Communications with Silent Circle

Millions of us are always on, always connected and accelerating our use of the internet for everything from tweeting a LOLCat video to banking, stock trading, or sending private emails. As such, you’d better believe that the crackers and hackers are trying to figure out any possible way to vacuum up data you would rather keep private for their own nefarious purposes…

…and the number of attacks will continue to grow, especially as more people globally have faster internet access and powerful connected devices brimming over with all sorts of personal data like credit cards, social security numbers, bank and stock account information, and those photos you took of yourself you probably shouldn’t have.

Today is the debut of Silent Circle, the brainchild of cryptography and encryption expert Phil Zimmermann, and it offers a number of encrypted services for voice, text, video, email and more.

Are secure communications necessary? Since virtually everyone I meet is completely clueless about the insecurity of coffee shop wifi, sending private stuff by email, or how trivial it is to track everything they do online, then yes. If I receive one more email from someone in my social circle which contains usernames and passwords, a PDF with their social security number in it, or a reply to one of our email offers with the customer’s credit card information in the email — all of which are in the clear and ready to be harvested by anyone with access to email or email relay servers around the internet — I’m going to blow a gasket.

Phil Zimmermann is a guy who made a name for himself when he released Pretty Good Privacy (PGP) back in 1991, a technology he inadvertently released in a Usenet newsgroup (he thought the “U.S.” Usenet designation meant postings weren’t accessible offshore). Turns out the code found its way onto the internet since all of Usenet was available to anyone, anywhere they were connected. The U.S. Customs Service went after him for allegedly violating the Arms Export Control Act (the U.S. government long considered cryptography a munition) but, after three years, all charges were dropped. I became aware of Zimmermann in the early 1990s because of that and watched what happened to see if this guy would get thrown into federal prison.

But wait…isn’t technology like Silent Circle the National Security Agency’s (NSA) worst nightmare?