Password reuse visualizer from Mozilla

security Comments Off

Feb 212012

When you use the same password for every online account, there could be trouble down the line if one of those sites was breached. You gotta mix it up these days. As part of their Watchdog initiative, Mozilla released an add-on to help you see how you're reusing passwords, and to hopefully keep your personal information secure.

Ever been told not to reuse the same password across different websites? With this add-on, you can visualize your passwords and the sites you use them on. By looking at this visualization, you can get a quick idea of which passwords you've been using the most, and the kinds of sites you're using them on. As you continue to change your passwords and update your password manager, the picture will improve!

Personally, I don't save any of my passwords. The risk of my computer getting stolen and some random person gaining access to my online accounts is too much for me to handle. Of course as a result, I have to put up with the craptastic experience of trying to remember passwords with a variable number of capital letters, symbols, and digits.

[Mozilla]

CONTAGION/CONTROL: Speculative Futures Graduate Colloquium (Call For Papers)

digital humanities, security, simulation, technology, Visualization Comments Off

Feb 032012

Scholars

Why I Might Be (although I would rather not be) Leaving Dropbox

Academhack, Privacy, security, Web No Responses »

May 032011

Last week I publicly (via Twitter—really what other venue is there?) mentioned that I might be leaving Dropbox. What ensued was a rather lengthy conversation between me and others as to why I would do such a thing. Soon after the conversation started, the folks at @Dropbox noticed and joined the discussion. Why would I think about leaving Dropbox, a service which I often cite as one of the most useful around for educators? One word answer: Privacy. Based on some recent reports, I now have reason to be concerned about the degree to which Dropbox can keep files secure and private. When I expressed these concerns via Twitter the folks at Dropbox responded with some helpful information, and an invitation to write their legal department with any concerns I might have (140 characters being insufficient for adequately addressing the matter. And as I said on Twitter, credit to Dropbox for listening and engaging in a conversation.)

I started to write such an email, and then changed my mind, why not publicly layout my concerns, and let other educators see what the issues are, after all I feel somewhat responsible since I have spent so much time praising Dropbox. Rather than have a private dialogue with Dropbox it would be better to make it public, yes? So here goes.

The Background:

For those that don’t use Dropbox, think of it as an automatically syncing flash drive in the cloud, an excellent way to keep files synced across multiple computers and have them available on whatever device you have in front of you at the time. (Here is the official explanation.) Because of Dropbox I never need to carry assignments, syllabi, or journal articles that I want to read with me, or on a flash drive. These are just stored in the cloud and I can access them anytime the need arises. And this is just the tip of the ridiculously useful iceberg that is Dropbox. If you want more, just look at all the times it is mentioned on Profhacker (or just Google Dropbox uses and see what I mean). Dropbox has become one of the most important services in my media/computing ecosystem. On a scale of one to ten for usefulness and ease of use Dropbox is an 11.

The Problem:

About a month ago I started to see reports that expressed concern over Dropbox security, questions about the encryption being used, and who has access to the files you store on there servers. Basically there are to two sets of concerns. The first is that by design Dropbox is insecure. You can read the whole article, which is mildly technical but amounts to a concern that it would be fairly trivial for a nefarious party to steal one file and thus gain access to all your files without you necessarily knowing. The second is that Dropbox updated their Terms of Service to reflect the fact that they have access to your files if needed. In other words if the government subpoenas Dropbox, Dropbox has the ability to turn over your files in unencrypted form to the officials. (I know what some of you are thinking: Who cares, I am not doing anything illegal? . . . but wait I promise you should.) Both of these issues boil down to the fact that the encryption of your files takes place on the Dropbox servers, not on your own computer. In other words the question is who has the keys to your file(s) and where are those keys stored.

One way to think about this concern is to imagine your files are being stored in a lock box. One way to do it would be to put the files in a lockbox keep the key and send the whole box to Dropbox. In this way Dropbox has no way to unlock the files. But rather than this method what Dropbox employs is a technique whereby you send them your files they place them in a lockbox and give you the key, but have another copy of the key that lets them look in your box anytime they want. Why would they do it the second way instead of the first? Several reasons but I think there are probably two main ones: 1. Ease of use for Dropbox customers. A system where they (the server) handle the encryption rather than one where you manage (the client) has several advantages including a “lighter” Dropbox program on your device since it doesn’t have to handle encryption and the ability to retrieve files for you, even if you forget or lose your password. 2. Dropbox doesn’t want to cross the government.

Dropbox has responded to these concerns with a lengthy FAQ, which I encourage everyone to read. But, honestly the FAQ troubles me, and makes it even more likely that I will seek an alternative cloud service as it leaves many questions unanswered.

My Concerns:

Lets start with the transparency of this issue. What Dropbox is claiming, or appears to be claiming is that this change in the TOS does not reflect a policy shift, but merely an attempt to clarify what has been the policy all along. I’ll take Dropbox at their word on this, but I still have concerns about their wording.

“That said, like all U.S. companies, we must follow U.S. law. That means that the government sometimes requests us (as it does similar companies like Apple, Google, Skype, and Twitter) to turn over user information in response to requests for which the law requires that we comply.”

What Dropbox seems to be implying here is that they are required by US Law to have what is known as a backdoor key (the ability to unlock any file) and give it over to the government when served with a subpoena. But this is not actually the case. If Dropbox has the ability to unlock the files yes they have to give that over if they receive a request. But that doesn’t mean that they have to build a system that would allow them to do this. In other words if they didn’t have the ability to unlock your files the government couldn’t ask for that key, because Dropbox wouldn’t have the ability to unlock said files, they could only give over the encrypted versions of the files to the government, rather than the actual files themselves. This is what is essentially the issue in this article, about the government wanting to be able to WireTap the Internet. My understanding though, and I have asked a few lawyers about this, and their opinion was that the current state of the law does not require companies to serve up plaintext files.

Okay, at this point I hear many of you saying that you want this feature, that you want the government to be able to access the files of “the badies,” and since you have nothing to hide from the government you are not concerned. Let’s table that for a moment, and I’ll explain in a second why this is a dangerous view, but for now, irrespective of this issue there is a more significant one, which affects every user, regardless of whether or not you feel that you have something to hide from the government: A system which by design enables a third party to decrypt your files, is by design not secure. Or, a secret between two people can only be kept if one of them is dead. A system which by design has a backdoor to enable third party access is vulnerable to a security breach. As a way of thinking about this consider the relatively recent case where a Google Employee was accessing user email and chats. Yes, Google is concerned about user privacy, but any system, no matter how good the engineers has holes unless the user is the only one with the keys. So here is the rub, by trusting Dropbox and their current system you are not just trusting Dropbox but a host of employees. Any system designed like this will have a security breach at some point. It might not be a large one, it might not affect many users, but it will happen, you are just rolling the dice, gambling that you are not going to be the one effected (a fair gamble in most cases). Its not just software that you are trusting, but people, and people are usually the weakest link in any system.

Now just as importantly for me is the type of atmosphere this private-government partnership entails. I realize many of you might not agree with this, and I don’t want to turn this into a big discussion here (a discussion I am more than willing to have in other places), but I prefer to play corporate interests against the government, keep those two forces working against each other, rather than siding against the public. One of the particularly damaging developments we have seen in the web over the last 5 years is the ability of governments to control what happens online thru extra-judicial means, collaboration with companies to curtail our privacy. For me at least it isn’t a matter of having something to hide from the government, but rather knowing that I maintain control. Control of my own data, and the data of others who have entrusted it to me seems to be an essential component of dignity.

But What Do I Care?

You don’t have to imagine that the government would want your information to see some problems here. Let’s imagine that through an engineering problem (a problem with the code), an employee problem (see Google case above), or a deliberate hacking attack, Dropbox files suddenly become available. I actually have a good deal of student work, evaluations, letters of recommendation etc. stored there at any given time. Aside from my own paranoia about data and privacy there is a good bit of data that students and others with whom I work are entrusting me to keep private. Lets imagine that your grade roster is stored on Dropbox and that gets compromised. Once that file is unlocked and passed around there would be no getting it back. Leaving aside what kind of FERPA violation this may or may not be, I can imagine many students who might be harmed by this type of info. Have you stored judicial letters (for plagiarism cases) on Dropbox? I can think of a lot of information that I wouldn’t want out there even if it wouldn’t directly harm me.

Now about 80% of the stuff I store on Dropbox has no privacy issue associated with it, things like journal articles or chapters I want to read, or syllabi & assignments, or my running schedule, or stuff that is publicly available elsewhere like my CV. But there is enough there that I am concerned and looking for other options.

I will also note here that given the recent FOIA filings by conservative groups going after professors that being paranoid about data isn’t a bad thing, removing the option from others to share my data (this is why I use my own email more than I use the University provided one).

It’s true I have become somewhat paranoid here, using a VPN when on campus to ensure that the University can’t monitor my internet use, but I don’t think you have to be too paranoid to see this as an issue.

Questions for Dropbox

Having said all of this I think there are probably several things Dropbox could make clear that would help.

1. How many employees have access to user files? Is there a dual control system (do two employees have to sign off on access, or are there are a certain number of employees who can do so on their own)? Are records kept anytime users files are accessed this way, so that the company creates a clear audit trail? Do employees (and or any contractors they deal with) have background checks?

2. Under what conditions do they give the government data? The FAQ suggests that they would fight these requests if they found them to be lacking in merit. Have they done so? Can they make transparent this process? Hard data on this?

3. What is being done to fix the architecture issues? (Here Dropbox runs into a problem as the more it says about its security the more susceptible it is to vulnerabilities, but the less it says the less trustworthy it seems. Security thru obscurity really isn’t a good idea.)

4. Does Dropbox think it is their legal responsiblity, ethical responsiblity, or both to share information with the US government? Would they do so without a warrant? The policy says “request” what constituents a request?

The Other Options

1. As the Dropbox FAQ suggests the first option is to encrypt your file before it syncs with Dropbox. If you encrypt your files before syncing them with Dropbox, using something like TrueCrypt, nobody else will be able to access them. The disadvantage to this is it makes it such that your files are not accessible on your iPhone, iPad, or Android device. In other words a not so useful option.

2. Use Dropbox only to store public, or pseudo-public information. Again 80% of what I store on Dropbox I am not concerned about so maybe I just only store that type of stuff on Dropbox.

3. Go back to using a flash drive. (Uhh, no thanks.) This also doesn’t let me use it across other platforms (iPad, phone, etc.)

4. Create a partition on my phone that would store these files. They would always be with me, and I could run something like Samba File sharing and Root Explorer. This would make it more than trivial though to access the files. Really I like cloud features.

5. Switch to a different service. Both SpiderOak and Wuala seem to offer services similar to Dropbox which encrypt the files on the user side. Both of these have applications for all the devices I use (iPad, Linux Computer, Android Phone).

6. Set up my own Dropbox type service on my home computer. Sure this can be done, or I can just run a VNC back to my computer and fetch the files I want, but this is less than optimal. There is also an open source Dropbox being developed, called Sparkleshare.

7. Pogoplug. Pogoplug works by creating your own cloudserver at home.

There is one meta-issue here. As the leader in this type of service, many other applications rely on, and provide support for syncing with Dropbox, for example iAnnotate or GoodReader—usability that would be sacrificed by switching services. And as the easiest and most frequently used, Dropbox is the easy one for me to recommend to faculty members who are less than computer savvy.

Right now I am investigating SpiderOak, Wuala, and PogoPlug. I will let you all know what I discover. My preferred option though would be for Dropbox to address the current issues, cause you know I really do like their service.

Sorat Tungkasiri: Internet Child Safety at Home

Internet, New Media, parents, safety, security, Testing, uncategorized No Responses »

Mar 262011

Abstract

Child Internet Safety

This presentation is designed for parents with children who have access to the Internet to better understand the current dangers that exist in the world today.

The talk offers offer background information about past and current threats and trends. The focus of the talks will be: Your Child's Life Online, Internet Predators, Cyberbullying, dangers of mobile devices, Online Gaming, warning signs, Internet Safety Tips, and much more.

Speaker Bio:

Sorat Tungkasiri is currently a Coordinator at the New Media Center. He first joined the Princeton University community in 2004 as a SCAD, then as a web developer for the Educational Technology Center. Sorat is currently seeking a Masters of Arts Degree from Columbia University with the concentration in Communication, Computing Technology in Education.

Children texting

Your child’s life online

The increasingly "online" lifestyle of children today can cause new and sometimes unforeseen issues for parents. Kids today are in chat rooms, on social networks, writing and sharing information on microblogging sites like Tumblr, doing online gaming, texting friends, and even sometimes doing their homework online.

Tungkasiri showed a public service announcement called “Think before you post.” The complete video can be seen here.

According to statistics presented in the talk, 55% of teens are using social networking sites like MySpace and Facebook. Even larger percentages of younger children are involved in virtual worlds like Disney’s Club Penguin and Nickelodeon’s Nicktropolis. It was widely reported this past summer that Facebook surpassed the 500 million user mark; the less popular MySpace has over 100 million users. However, Tungkasiri noted, it seems likely that over 40% of the profiles on these sites are fake. ”The danger in fake profiles”, he explained, “is that those profiles can be used to gather information by predators.” Further statistics cited in that talk estimate that children under 18 spend between 8-18 hours a day online; more ominously, it's likely that 1 in 7 children are sexually solicited online.

Most sites have privacy settings that can help to keep personal information private. When privacy settings are ignored or configured incorrectly, dangerous online situations can take place. Tungkasiri cited the example of a girl named Rebecca who decided to put up an invitation to her birthday party, complete with address and other personal information, on Facebook. She inadvertently set the permission level of the invitation to "everyone." Within hours, thousands of strangers had accepted the invitation, and Rebecca and her parents were forced to cancel the party. In another similar case, 50 unknown guests showed up at a party that was intended to be private.

Tungkasiri offered suggestions to parents to help to protect their children on social networks:

Follow or friend your child on social networks
Make sure children choose appropriate screen names, without terms like “sexy” or “hot”
Check their friends list regularly.

Internet predators

NAMBLA or the North American Man Boy Love Association, exists on Facebook as a group. This group is just one example of the kinds of pro-pedophilia groups that exist on Facebook and other social networks, despite strict rules against such group activity. These kinds of groups exist for the purposes of fostering sexual relationships between adults and children, and are a great resource for predators. A recent news broadcast on this subject can be seen here.

While NAMBLA , upon inspection is a group that makes its intentions clear, there are other more subtle ways in which sexual predators stalk children. Predators often perform a process called grooming, a methodical method by which predators select prey, deliberately choosing to connect with vulnerable children with the intent of creating a secretive sexual relationship. Tungkasiri noted that calls to toll-free 800 numbers are not listed on phone bills, and cost nothing to the child, and are therefore now being used by predators to bypass parental oversight.

Tungkasiri listed several signs that indicate a child might be being groomed. These include:

Spending a lot of time online
Using an online account belonging to someone else
Receiving phone calls from people you don’t know or making calls to numbers you don’t recognize
Recieving gifts, mail or packages from people you don’t know
Turning away from friends and family
Becoming withdrawn or secretive
Minimizing the screen or monitor when you walk into the room

Predators use a method called SITS, or establishing 'Similar Interests Trust and Secrecy.' The guiding principle to this sort of relationship is usually a pact in which the predator requests that the child keep the relationship secret, something just between the child and their new, sympathetic "friend."

Online gaming has become another way for predators to connect with your kids, because online gaming allows for relaxed, casual conversation, similar to a phone call, but without the same level of parental tracking or controls. By joining children in a gaming space, predators have already established a common interest, and can easily develop trust through the fun and exciting team and collaborative elements of a game, or establish a rapport through play. Parents should consider setting rules and restrictions, choose games fitting for the age of their children, and should monitor gameplay. To underscore these points, Tungkasiri showed a video that outlined the dangers of online gaming.

Cyber-bullying

Cyber-bullying is often the topic of news reports with a tragic ending, and may be the biggest threat in children’s lives today. Some people, referred to as angels of death actually target vulnerable teens in the hopes of encouraging them to suicide or other self-damaging behavior. One example of this is the viral video Star Wars Kid, where a child recorded his super-hero acrobatics in a high school video studio. Cyberbullies at this school got a copy of the video, and spent hours of editing and remixing it to make fun of him.

In another example theTop 6 ways to kill Piper described the ways in which a real 6th grader might be killed in an animated short made by her peers.

Tungkasiri noted some ways in which parents can combat cyber-bullying:

Take an active role in your child’s online activities
Frequently check credit card and phone bills for unfamiliar account charges
Take your child seriously if they report an uncomfortable online exchange
Advise kids to never trade personal photographs in the mail or over the Internet
If your child meets a new “friend” online insist on being introduced
Contact your ISP and law enforcement if your child receives pornography via the Internet

Dangers of Mobile devices

Tungkasiri described some of the ways that phones and other mobile devices can be misused, putting children in danger.

Sexting is the act of simulating sex over the Internet, sometimes done with phones over the SMS messaging system, but also using video chat that exists on newer phones, as well as other videoconferencing methods.

Textual harassment is where people engage in text based battles, hurling insults or threats in a silent, but still very hurtful way.

If the child's phone is under control and supervision, it becomes less dangerous. Parental controls exist in most modern phones. Parents can check, and block, track, or remove applications of the phone, to make sure that they aren’t being misused by children.

Parental controls

In the second session of this talk, Tungkasiri then focused on how to enforce parental controls on various devices and platforms. He explained that the parent should use an administrative account on the child's computer and give the child a non-administrative account

Tungkasiri demonstrated how to set parental controls in the following platforms:

Windows 7 Parental controls overview

Mac OS Parental Controls overview

Firefox addons

MySpace privacy settings

Facebook privacy settings

YouTube privacy settings

Geotagging & cybercasing

Another danger lurking in technology is literally invisible. Geolocation sharing is an important passive data sharing technology that provides specific location data along with photos and other messages. Used by a predator, it could lead directly to a child, disclosing personal facts about them, including their personal appearance, the location of their home, car, or other information. Similarly, bluetooth, a common local networking protocol, can be used to track the presence of specific people via their devices within a 50 foot radius.

In a demonstration of Icanstalkyou.com Tungkasiri demonstrated that cameras and cameraphones that record geolocation data can show where the content from a particular photo was taken. The site shows how to disable geotagging in your phone, so that this danger is diminished. Tungkasiri demoed how to download a photo from the internet and then use a free digital photo data (EXIF data) viewer to see all of the recorded information on the photo. Picasa has this functionality built in. Also, many solutions exist for removing EXIF data from photos. One example is EXIF Cleaner.

Safe sites and services

Tungkasiri showed some examples of kid safe browsers and browsing services, including:

kidzui browser: http://www.kidzui.com/

kido’z service: http://kidoz.net/plus/index.html

Webkinz: http://www.webkinz.com/

GirlSense: http://www.girlsense.com/premium/

there.com

Club Penguin: http://www.clubpenguin.com/

Moshi Monsters: http://www.moshimonsters.com/

Final tips

Tungkasiri reminded us to keep an open dialogue with our children, and to stay on top of what they are doing. Don’t allow an unmonitored computer to be housed in a private space like a child's room. Keep it in a high traffic area, and keep an eye on what’s going on there, so that you can help them to stay safe, or to give help if they encounter unwelcome activity on the internet.

Podcast from Day 1 available here. (MP3)

Slides from day 1 available here. (PDF)

Slides from day 2 available here. (PDF)

TSA Gone Wild

airport, flying, infographic, security, TSA No Responses »

Nov 212010

Wow – finally some backlash on TSA’s “Security Theater”.

At the bottom of the infographic is the following:

The TSA has spent roughly $40 billion dollars. Homeland Security’s acting inspector general, Richard Skinner, says: “The ability of TSA screeners to stop prohibited items from being carried through the sterile areas of the airports fared no better than the performance of screeners prior to September 11, 2001.”

In all fairness, I don’t know the date of the above quote. The infographic appears to have listed a large number of sources. I think it is well done.

Via: Criminal Justice Degree

Apr 222010

Anyone, anytime, anyplace.

By virtue of its mobility, portability, and ease of connectivity, wireless connectivity provides users with unprecedented freedom, suggests H. Vincent Poor, Michael Henry Strater University Professor of Electrical Engineering and Dean of the School of Engineering and Applied Science.

Wireless communications is among our most advanced, and rapidly advancing, technologies, he notes. New wireless applications and services emerge on an almost daily basis, and the number of users of these services is growing at an exponential rate. More than half of the world's population uses cell phones, and this is only one of a dazzling array of wireless technologies that have emerged in recent times.

At the April 21 Lunch ‘n Learn seminar, H. Vincent Poor, surveyed the technological landscape, some of its history and societal implications, emerging developments, and recent issues in wireless research.

Railroads reached near ubiquity in terms of the number of countries using the technology in 125 years. The telephone took nearly 100. Personal computers took 25 years. Remarkably, the mobile phone has taken just 15 years. More than just a personal communications device, it has become an engine of commerce in both the developed an developing world. Indeed, the technology has permitted countries in the third world to leapfrog the need for extensive land lines.

The results are extraordinary, says Poor. There are now more than 8 billion text messages a day, picture messaging has become standard, mobile gaming is growing, and video messaging has begun to emerge. We are approaching 5 billion cellular subscribers with explosive growth in wireless applications covering all key areas, from science and medicine, transportation and commerce, security and defense, through entertainment and social networking. And, as a result, it is a very lucrative business, accounting for more than $1 trillion a year.

The main challenge of wireless, notes Poor, is to provide the services familiar to wired systems, but with mobility. The challenges grow with higher capacity, and more simultaneous users in quickly moving vehicles. New 4G networks promise to provide reliable high speed connectivity for highly mobile users.

The one clear trend, says Poor, is the convergence of computing and communications. The cell phone, now an iPhone or an Android, is now both a computing platform and a communications device. In the years to come, he predicts, cars and homes will become nodes on the internet, inventories will be tracked automatically through built in wireless sensors, and we will habitually use a range of location-based and social networking services.

In his talk, Poor highlighted three areas of wireless research. In each, the application, or “pull” is matched by the “push,” interesting research at the physical layer, the theory and methodology of data transmission.

The first involves securing wireless transmission, a more complex undertaking in the absence of a physical infrastructure. It is possible to exploit the fundamental physics of the network, says Poor, to make them more secure. The idea takes advantage of the fact that individual network connections exhibit different physical properties due to the randomness of radio propagation. On-going research in this area involves coding theory, cryptography, game theory, and cross-layer network design.

The second research area involves sensor networks and distributed learning. Individual sensors within a wider grid measure a subset of large data sets, and each sensor can communicate with neighboring sensors to make optimal inferences about their physical surroundings.

The third research area involves the interaction of the wireless infrastructure with social networks, imposing a complex new structure. A famous problem in social psychology, the small world problem, suggests that any two people on the planet are separated by six degrees of separation. Small network analysis can model individuals and their local and long-range interactions. It turns out, says Poor, that if two people are separated by enough distance, you can conclude that they are separated by a fixed degree of separation and you can compute the figure based upon the size of the world and its population.

Speaker Bio: H. Vincent Poor is the Michael Henry Strater University Professor of Electrical Engineering at Princeton University, where he also Dean of the School of Engineering and Applied Science. His research interests lie in the area of wireless networking and related fields. Among his publications in these areas is the book MIMO Wireless Communications (Cambridge University Press, 2007). Dr. Poor is a member of the National Academy of Engineering, and is a Fellow of the IEEE, the American Academy of Arts & Sciences and the Royal Academy of Engineering of the United Kingdom. He received the 2005 IEEE Education Medal and the 2009 Edwin Howard Armstrong Achievement Award of the IEEE Communications Society.

The podcast and presentation are available.

2cultures.net(.au)