security

VPNs and Data Collection in the Age of Surveillance

Chris Duckett’s ZDNet article (A VPN will not save you from government surveillance) is informative, if a little hyperbolic: Under the laws that force telcos to store customers' call records, location information, IP addresses, billing information, and other data for two years, there is a small caveat for journalists that forces agencies to obtain a warrant when seeking to uncover a journalist’s source. Neither the journalist, nor the telcos, will ever know that such a warrant existed, but these provisions were essentially a figleaf to shut up the Canberra press gallery under the auspices of protecting democracy and freedom of the press when the data retention laws were being considered – and it worked.

VPN and Privacy

In the United States we have few privacy protections. We now have fewer than we had 6 months ago. We represent little more than a pool of cash to be exploited. My personal strategy is to make the collection of my data cost as much as possible because I like to believe that there is a point that it loses its value to those doing the collecting. With the repeal of the FCC rules governing collection of data by ISPs, I now use a VPN 24/7.

Is Slack Secure Enough

I sure do like Slack. It’s a hugely convenient service that I actually pay for. Many of my best friends are on Slack and it’s a continuous source of enjoyment and intelligent discussions for me. But I use it less now because I can’t trust its security. From Techcrunch: Slack has a lot of functions, but end-to-end encryption isn’t one of them, which makes the platform a no-go for some users.

Exploring an iCloud Phishing Server Ring Link

This story by Brian Krebs is an amazing breakdown of an iCloud phishing ring. It not only provides a lot of detail about the thinking behind these phishing services (and all those phishing emails you get) but it’s a study in human nature too: This is where the story turns both comical and ironic. Many times, attackers will test their exploit on themselves whilst failing to fully redact their personal information.

Who Owns Your Email

Email is more than just a communication tool for me. With unbelievably inexpensive storage options and incredible search and filtering, my email is now a filing cabinet. I make the extra effort to organize my email archive because it improves my search experience, but even if I just moved everything to an archive folder my email is a data collection I count on. But what if my email host went away?

Security for Living Under the American Regime

Living in a country with the second best espionage infrastructure in the world, I like to think I’m prudent. Be that as it may, there’s always more to consider and I’ve shared this site with many of my friends. It’s a good primer on securing your devices and personal infrastructure. This is a topic I regrettably think about a lot. I’m not even close to an expert though. You can get a pretty good summary of my position on the privacy episode of Nerds on Draft.

How to Bury a Major Breach Notification Link

From Brian Krebs: That’s because in addition to compromising the download page for this software package, the attackers also hacked the company’s software update server, meaning any company that already had the software installed prior to the site compromise would likely have automatically downloaded the compromised version when the software regularly checked for available updates (as it was designed to do). Read all the way to the bottom for the updates.

Americans and Cybersecurity Link

A new study out last month from the Pew Research Center shows that Americans understand the security risks online but are pretty bad at protecting themselves. The survey also finds that Americans are not always vigilant in the context of mobile security. For instance, 28% of smartphone owners report that they do not use a screen lock or other security features in order to access their phone, while around one-in-ten report that they never install updates to their smartphone’s apps or operating system.

Google Ordered to Hand Over Foreign Email Link

From Betanews: In Philadelphia, Magistrate Judge Thomas Rueter said: “Though the retrieval of the electronic data by Google from its multiple data centers abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States”. He ruled that there was “no meaningful interference” with the account holder’s “possessory interest” in seeking to access the data. This is a very slippery slope.