Big Brother is Watching You

Generally an unmoderated forum for discussion of pretty much any topic. The focus however, is usually politics.
O Really
Admiral
Posts: 23160
Joined: Tue Sep 18, 2012 3:37 pm

Re: Big Brother is Watching You

Unread post by O Really »

Vrede too wrote: No offense, but you're an old, stable liberal that doesn't have his whole life on his phone like younger folks do, probably don't have skeletons in your GPS and you don't have very controversial clients.
I am, and I don't, although I depend heavily on it for many uses. In my case it's more I run my life with it (and the laptop and tablet) more than it contains my life. It's a matter of choice and how to use the technology. Like Facebook. Everybody in the firm has to have accounts on Facebook, Twitter, LinkedIn, but you still choose what personal information you post and who gets to see it. It's not my fault (or Apple's) if some people choose to put deep dark secrets on their phones or go places they wouldn't want anybody to know.

I think it's reasonable to assume (even knowing it's not 100%) that there are cameras everywhere you go, that anything you put online is discoverable by somebody if they really want to, and that nothing will remain secret if it is or becomes of significant interest to enough people.

Vrede too
Superstar Cultmaster
Posts: 57244
Joined: Fri Apr 03, 2015 11:46 am
Location: Hendersonville, NC

Re: Big Brother is Watching You

Unread post by Vrede too »

I agree with you re NSAbook. However, a phone is personal property like your briefcase and its data is only online if one chooses a cloud backup. Even then, there should be some expectation of privacy from government snooping, just as we've debated re call and text data.
F' ELON
and the
FELON

1312. ETTD

O Really
Admiral
Posts: 23160
Joined: Tue Sep 18, 2012 3:37 pm

Re: Big Brother is Watching You

Unread post by O Really »

I'd go along with the "phone is private property" if we're talking about data held only in the phone. But that's not email, for example. What's in the phone is just one copy of who knows how many, scattered out all over the webisphere.

rstrong
Captain
Posts: 5889
Joined: Thu Oct 25, 2012 9:32 am
Location: Winnipeg, MB

Re: Big Brother is Watching You

Unread post by rstrong »

O Really wrote: But that's not email, for example.
Now that people are waking up to privacy issues, that's changing in recent years. Microsoft for example refuses to hand over email without a court order. And refuses to hand over email on a server in Ireland to authorities in the US. Encrypting server data so that not even the server owners can decrypt it is more and more common.

More companies have their own email servers. As do more people like myself. More people encrypt.

If you don't leave your mail on the server, it's not there even with a court order. The Apple Store (annoyingly) keeps setting our employees' iPhones up with POP3, which removes all their email from the server.
O Really wrote: What's in the phone is just one copy of who knows how many, scattered out all over the webisphere.
Again, this was an early cloud problem that's being quickly fixed. Cloud backups are being encrypted. (The case we're talking about is a good example.) You have the option of backing up to a local hard drive instead. And you can simply use common sense and NOT upload sensitive documents to OneDrive or iCloud.

Sure, FaceBook and Android users leak data all over the place. But that doesn't include most business users and most anyone who cares about privacy and security. Even Android shows signs of finally being locked down, with new phones like the Blackberry Priv coming with tools to stop 3rd party apps from leaking data. The Google and Apple stores are getting more strict about removing apps that leak data.

Vrede too
Superstar Cultmaster
Posts: 57244
Joined: Fri Apr 03, 2015 11:46 am
Location: Hendersonville, NC

Re: Big Brother is Watching You

Unread post by Vrede too »

Remember all the wingnuttery about the government implanting tracking and monitoring chips in citizens? Turns out people bought their own. Now, the government just wants access to them.

bannination
Captain
Posts: 5592
Joined: Sun Sep 16, 2012 7:58 am
Location: Hendersonville

Re: Big Brother is Watching You

Unread post by bannination »

Vrede too wrote: Remember all the wingnuttery about the government implanting tracking and monitoring chips in citizens? Turns out people bought their own. Now, the government just wants access to them.
Turns out most people will hand their info directly over to the CIA -- I mean facebook willingly anyway.

bannination
Captain
Posts: 5592
Joined: Sun Sep 16, 2012 7:58 am
Location: Hendersonville

Re: Big Brother is Watching You

Unread post by bannination »

Vrede too wrote: I think requiring companies to make something new, as opposed to stopping certain things, is a bridge with future repercussions that we might not want to cross.
I think the key here is that if Apple can crack their own encryption, it's crap encryption anyway. If they're forced to have back doors, then the data might as well not be encrypted at all because encryption with back doors is not encryption.

I've not followed the story closely, but I suspect it has less to do with making back doors into the encryption and more to do with the limited number of guesses you have on the password before the phone 'securely' wipes itself. I think what the government is really asking for is a hardware bypass to that limit. Since the PIN is only numbers as I understand it, and only goes up to 10,000, hell I could crack it in under a second if I had unlimited tries.

Even if it was a normal password, most passwords can be cracked in minutes on commodity hardware.


EDIT -- A good website to test how long your passwords would hold up: https://www.grc.com/haystack.htm -- These should really be considered the max time it would take to crack a password. If someone is using rainbow tables the time is going to be significantly shorter.

O Really
Admiral
Posts: 23160
Joined: Tue Sep 18, 2012 3:37 pm

Re: Big Brother is Watching You

Unread post by O Really »

I understand a reasonable level of security for personal information, but I'm not sure why anybody would prefer a situation where nobody can retrieve their data. For example, I use Dashlane password manager. It encrypts and keeps passwords for everything you have, and will generate strong passwords for each site if you like. Access is via a "master password." Here's what they say if you don't remember your master password...

"There is no existing password recovery procedure. Your master password is the key to all your data. A succinct explanation of this is provided here. For security reasons, it is not stored anywhere, neither on your computer nor on our servers, so that it cannot be stolen. Your data is totally undecipherable without your master password. Therefore, we cannot reset your password or provide you with an alternative way to regain access to your data. You can, however, reset your account so that you can continue using your Dashlane account.

Reset account

If you are unable to remember your password at all, you can reset your account.

To do this, click on the link below and enter the email address that is linked to your Dashlane account and click Submit. We will then send a confirmation number to your email address. Take this number and enter it on the new page to reset your account.

Important: this will cause all your data to be deleted. This is the only way to use Dashlane again from the same email address."

So if you've got a bunch of passwords - particularly if all are different and machine-generated, which looks something like "dT%42##Fu" - and you forget your master password, you're screwed. Unless you write it or store it somewhere (unsecure) or print a paper or electronic list of your passwords (unsecure). Realistically, because you have to use it fairly often, and it's the only one you have to remember, you're not likely to forget the master password. But I'd be happier if I knew somebody could help me retrieve mine if I did forget it - or could help my estate executor if I croak. (Yes, I know - leave the password with the lawyer (unsecure).)

bannination
Captain
Posts: 5592
Joined: Sun Sep 16, 2012 7:58 am
Location: Hendersonville

Re: Big Brother is Watching You

Unread post by bannination »

O Really wrote: I understand a reasonable level of security for personal information, but I'm not sure why anybody would prefer a situation where nobody can retrieve their data. For example, I use Dashlane password manager. It encrypts and keeps passwords for everything you have, and will generate strong passwords for each site if you like. Access is via a "master password." Here's what they say if you don't remember your master password...
<SNIP>

So if you've got a bunch of passwords - particularly if all are different and machine-generated, which looks something like "dT%42##Fu" - and you forget your master password, you're screwed. Unless you write it or store it somewhere (unsecure) or print a paper or electronic list of your passwords (unsecure). Realistically, because you have to use it fairly often, and it's the only one you have to remember, you're not likely to forget the master password. But I'd be happier if I knew somebody could help me retrieve mine if I did forget it - or could help my estate executor if I croak. (Yes, I know - leave the password with the lawyer (unsecure).)
** note ** gross oversimplification.

That's just it, if they *could* recover your password and reset your account -- it is the same thing as having a Post-it note on the side of the server. If their server is ever hacked, your decryption key would reside with them, therefore the attackers could access your passwords.

What they are doing is secure. If they are hacked, they do not have your decryption key, only you do. The data the attackers would get would be mostly useless.

Hackers, armed with this knowledge, if they see a service that offered a way to retrieve your encrypted passwords... well, they'd be a HUGE target obviously.
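The vault model bannination describes, as an added illustration that is not from the thread or from Dashlane: the client stretches the master password into keys, the server keeps only a salt, ciphertext, integrity tag and a hashed login verifier, so a breach of the server yields nothing decryptable, and the only "recovery" is a reset that discards the vault. The HMAC-based counter-mode cipher is a stand-in for a real AEAD and is labelled as such; all names and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # PBKDF2 work factor; constructed value for the example


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password into three independent keys on the client.
    enc_key/mac_key never leave the client; only a hash of auth_key is stored."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=32)
    enc_key = hmac.new(root, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(root, b"vault-integrity", hashlib.sha256).digest()
    auth_key = hmac.new(root, b"server-login", hashlib.sha256).digest()
    return enc_key, mac_key, auth_key


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from HMAC-SHA256 (illustrative only;
    a production client would use an AEAD such as AES-GCM). XOR is its own inverse."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def seal_vault(master_password: str, plaintext: bytes) -> dict:
    """Everything the server ever receives. No key material is in this record."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key, auth_key = derive_keys(master_password, salt)
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag,
            "verifier": hashlib.sha256(auth_key).digest()}


def open_vault(master_password: str, record: dict) -> Optional[bytes]:
    """Client-side decryption. Returns None on a wrong password or tampered data."""
    enc_key, mac_key, auth_key = derive_keys(master_password, record["salt"])
    # Same check the server would do at login: compare hashed verifiers, never keys.
    if not hmac.compare_digest(hashlib.sha256(auth_key).digest(), record["verifier"]):
        return None
    expected = hmac.new(mac_key, record["nonce"] + record["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    return keystream_xor(enc_key, record["nonce"], record["ciphertext"])


def reset_account(new_master_password: str) -> dict:
    """The only recovery path the quoted policy offers: a fresh, empty vault.
    The old record is unrecoverable because nobody holds its key."""
    return seal_vault(new_master_password, b"")
```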

rstrong
Captain
Posts: 5889
Joined: Thu Oct 25, 2012 9:32 am
Location: Winnipeg, MB

Re: Big Brother is Watching You

Unread post by rstrong »

O Really wrote: Unless you write it or store it somewhere (unsecure) or print a paper or electronic list of your passwords (unsecure).
It's worth mentioning that printing your master password isn't all that insecure a practice by today's standards.

Sure, you don't want it stuck to your monitor. But if you put it in between the books on your bookshelf, the Russian hackers can't get at it. The Chinese military can't get at it. The NSA can't get at it.

Just don't label it "My Dashlane Master Password." Don't use "dT%42##Fu" or anything that looks like a password. If someone finds a piece of paper with simply "Well, at least it’s not Monday.", they won't know that it's your password. And that's a secure password that's easy to remember.

BTW....

The first generation of password systems let you use anything you wanted. So people used common words. "12345." Family names. And so now both our email server at work and mine at home are under 24/7 dictionary attacks, along with the top 100 passwords and 1000 common names.

The second generation of password systems use pre-generated garbage like "dT%42##Fu". The point being to force something not in the dictionary. But no-one could remember these passwords, and so they were often written on a Post-It note stuck to a monitor.

The third generation relaxes that a bit, requiring upper-case, lower-case and at least one numeral. You could use something you could remember, like "Born2Cycle". Again, the requirements are to force something not in the dictionary. "superchicken" is as secure as "Born2Cycle", even without the mix of characters.

If someone tries to brute-force a hashed password file - which will likely be easier as quantum computers mature but it already happens with traditional computing - then the longer your password is, the better. It won't matter whether you use a mix of letters, numbers and symbols. "dT%42##Fu" and "Born2Cycle" will be FAR faster to brute-force than "Well, at least it’s not Monday." simply because of the number of characters.
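rstrong's length argument, worked through as an added example (not from the thread or from GRC's haystack page): the exhaustive search space is alphabet^length summed over shorter lengths, so the 31-character sentence dwarfs the two short "complex" passwords even though it uses no digits. The sentence uses a plain ASCII apostrophe, and the guess rate is a constructed figure for illustration.

```python
import math
import string

# Character classes an exhaustive attacker would have to include in the alphabet.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation + " ",  # 33 printable symbols incl. space
}

# The three passwords compared in the post (ASCII apostrophe in the sentence).
SAMPLES = ["dT%42##Fu", "Born2Cycle", "Well, at least it's not Monday."]


def alphabet_size(password: str) -> int:
    """Size of the union of every character class the password touches."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """All candidates of length 1..len(password) over that alphabet (haystack-style count)."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def bits(password: str) -> float:
    """Search space expressed as bits; +10 bits means ~1000x more work."""
    return math.log2(search_space(password))


def years_to_exhaust(password: str, guesses_per_second: float = 1e11) -> float:
    """Worst-case exhaustive time at an assumed offline guess rate (constructed)."""
    return search_space(password) / guesses_per_second / (365 * 24 * 3600)


def report(passwords=SAMPLES) -> dict:
    """Per-password summary: alphabet, length, bits and worst-case years."""
    return {p: {"alphabet": alphabet_size(p), "length": len(p),
                "bits": round(bits(p), 1), "years": years_to_exhaust(p)}
            for p in passwords}


if __name__ == "__main__":
    for pw, r in report().items():
        print(f"{pw!r:36} alphabet={r['alphabet']:3} len={r['length']:2} "
              f"bits={r['bits']:6.1f} years={r['years']:.3g}")
```

Note that this models only exhaustive search; a sentence that appears in a phrase dictionary falls to a dictionary attack regardless of its length, which is why the post stresses choosing one nobody would associate with you.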

O Really
Admiral
Posts: 23160
Joined: Tue Sep 18, 2012 3:37 pm

Re: Big Brother is Watching You

Unread post by O Really »

Thanks - it's good advice.

O Really
Admiral
Posts: 23160
Joined: Tue Sep 18, 2012 3:37 pm

Re: Big Brother is Watching You

Unread post by O Really »

Real question for the IT guys - what are the most significant (and likely) security risks to a regular garden-variety person with regard to their tech? I'm guessing it isn't Russian, Chinese, or CIA hacking, and is probably more like identity theft and attempts on card and bank account numbers?

rstrong
Captain
Posts: 5889
Joined: Thu Oct 25, 2012 9:32 am
Location: Winnipeg, MB

Re: Big Brother is Watching You

Unread post by rstrong »

I'd call ransomware the biggest problem these days.

Adobe keeps adding features to PDF files, including the ability to embed JavaScript programs. And probably unintentionally, executables. And so what was once merely a document format is now a security nightmare. And since PDF files can come encrypted - asking you for a password - they can't be scanned by anti-virus software.

One of our office workers received an invoice in PDF format - not unusual - and it asked for a password - also not too unusual. At which point the ransomware executed and started encrypting all the document, database and image files on her local drive and mapped network drives. It also left an image and a text file instructing the user to contact an email address on the TOR network. We didn't contact them, but standard procedure is for them to demand about a thousand dollars worth of bitcoin to give you the password to decrypt your files.

Symantec Endpoint Protection on the workstation did not notice the problem. Nor did Kaspersky running on the firewall appliance.

We were lucky - this happened first thing in the morning. I shut everyone down, figured out which machine was infected by which user directory was encrypted, and restored the overnight backup.

We've taken two additional security measures to *lessen* the chances of this happening again:

- The antivirus add-in on the email server software now deletes encrypted PDFs by default, unless they come from an address white-list specific to encrypted PDFs.

- We've minimized the mapping of network drives.
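The first of rstrong's two measures, the mail-gateway rule for encrypted PDFs, written out as an added example (not the firm's actual add-in configuration): an encrypted PDF carries an /Encrypt entry in its trailer, so the filter detects that and deletes the attachment unless the sender is on an allow-list kept specifically for encrypted PDFs. The addresses and sample PDFs are constructed.

```python
import re

# Senders permitted to deliver encrypted PDFs (constructed addresses).
ENCRYPTED_PDF_ALLOWLIST = {"billing@trusted-vendor.example"}

# An /Encrypt key in a trailer or xref-stream dictionary marks the file as encrypted.
# \b keeps /EncryptMetadata (a key that lives *inside* the dictionary) from matching.
_ENCRYPT_KEY = re.compile(rb"/Encrypt\b")

# Constructed minimal PDFs: one plain, one whose trailer references an /Encrypt object.
PLAIN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
             b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
ENCRYPTED_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
                 b"2 0 obj\n<< /Filter /Standard /V 4 /R 4 >>\nendobj\n"
                 b"trailer\n<< /Root 1 0 R /Encrypt 2 0 R >>\n%%EOF\n")


def looks_like_pdf(filename: str, content_type: str, data: bytes) -> bool:
    """Treat the attachment as a PDF if the name, MIME type or magic bytes say so,
    so a mislabelled attachment cannot dodge the rule."""
    return (filename.lower().endswith(".pdf")
            or content_type.lower() == "application/pdf"
            or data.startswith(b"%PDF-"))


def pdf_is_encrypted(data: bytes) -> bool:
    """True when the file declares an encryption dictionary. Scanning the whole
    file rather than only the tail also covers incremental updates."""
    return data.startswith(b"%PDF-") and _ENCRYPT_KEY.search(data) is not None


def gateway_decision(sender: str, filename: str, content_type: str, data: bytes) -> str:
    """Return 'deliver' or 'delete' for one attachment, per the post's policy:
    encrypted PDFs are deleted unless the sender is on the encrypted-PDF allow-list."""
    if not looks_like_pdf(filename, content_type, data):
        return "deliver"           # other attachment types are out of scope here
    if not pdf_is_encrypted(data):
        return "deliver"           # a plain PDF can still be scanned normally
    if sender.lower() in ENCRYPTED_PDF_ALLOWLIST:
        return "deliver"
    return "delete"


def log_line(sender: str, filename: str, content_type: str, data: bytes) -> str:
    """One audit line per attachment so deletions are visible to the admin."""
    verdict = gateway_decision(sender, filename, content_type, data)
    return f"{verdict.upper()} from={sender} file={filename} encrypted={pdf_is_encrypted(data)}"
```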

rstrong
Captain
Posts: 5889
Joined: Thu Oct 25, 2012 9:32 am
Location: Winnipeg, MB

Re: Big Brother is Watching You

Unread post by rstrong »

I think it's Symantec that's now saying that anti-virus scanning is dead. It doesn't work any more.

Which is why they sell Enterprise "EndPoint Protection." Which, yes, includes anti-virus scanning. But it also lets you lock down USB ports on the PCs on your network. Or make them accessible, but not allow executables on them to run. It'll let you lock down workstations so that only selected apps will run. Etc. The goal is to stop the viruses before they get into the PC.

Microsoft's Security Essentials / Windows Defender gets poor ratings in tests vs. other anti-virus scanners. But we've found that it's not at all unusual for it to detect and stop viruses that have gotten past Kaspersky on the firewall and Symantec on the workstation.

Vrede too
Superstar Cultmaster
Posts: 57244
Joined: Fri Apr 03, 2015 11:46 am
Location: Hendersonville, NC

Re: Big Brother is Watching You

Unread post by Vrede too »

Petition to (House Judiciary Committee) Chairman Bob Goodlatte and Congress:

“Our Fourth Amendment rights should be upheld when it comes to our email and digital communications. Please support a speedy passage of the Email Privacy Act -- the most popular bill in Congress -- to ensure the government can't access our email without a warrant. And reject any changes that would weaken this commonsense, much-needed legislation.”

Vrede too
Superstar Cultmaster
Posts: 57244
Joined: Fri Apr 03, 2015 11:46 am
Location: Hendersonville, NC

Re: Big Brother is Watching You

Unread post by Vrede too »

Thank you for contacting me with your concerns regarding the Email Privacy Act. As your representative in Washington, I want to ensure that your opinion is heard and I appreciate that you took the time to write me.

On February 4, 2015, Representative Kevin Yoder (R-KS) introduced the Email Privacy Act. This bill would amend the Electronic Communications Privacy Act to require federal agencies to acquire a search warrant before accessing private emails. I am an original cosponsor of this legislation because I believe that all Americans have a right to privacy in their online communications, a right which should not be infringed upon without a legal warrant. Rest assured that I will support this bill if it comes to a vote on the House floor, and I hope to see it passed into law....

Sincerely,
Mark Meadows
Member of Congress
(R-NC11)
:clap:


bannination
Captain
Posts: 5592
Joined: Sun Sep 16, 2012 7:58 am
Location: Hendersonville

Re: Big Brother is Watching You

Unread post by bannination »

rstrong wrote: I'd call ransomware the biggest problem these days.
Seconded... I get word docs all the time that are ransomware sent to my email address on this server. (I don't virus scan emails sent to this server since it's only me getting them.) It's fun to watch what comes to me.

Some day when I'm bored I'm going to run them in a VM and watch the havoc.

Vrede too
Superstar Cultmaster
Posts: 57244
Joined: Fri Apr 03, 2015 11:46 am
Location: Hendersonville, NC

Re: Big Brother is Watching You

Unread post by Vrede too »

Say NO to Encryption Backdoors for Government Agents

Tell Congress you oppose any legislation that would mandate backdoors for government agents into encrypted devices.

"Properly understood, strong encryption is our best defense against online criminals—including terrorist organizations. It is the backbone of the Internet economy and vital for the protection of both free expression and privacy. The government’s demand on Apple would coerce a private U.S. company to hack its own device, threatening the trust of millions of customers and placing our technology industry at a significant disadvantage abroad."
-- House Judiciary Committee Democrats

O Really
Admiral
Posts: 23160
Joined: Tue Sep 18, 2012 3:37 pm

Re: Big Brother is Watching You

Unread post by O Really »

Techies correct me if I'm wrong (wrong in facts - I'm never wrong on opinion ;) ) but isn't the FBI request and related court order over Apple de-activating the auto-lock from the terrorist's phone, after which the FBI would get into it by themselves, brute force, I assume? And then the FBI would (likely) be able to get it decrypted themselves?

Where did the back-door request for decryption come from?
