Should the Internet of Things Be Regulated?

There’s a big problem with little devices on the Internet. A lot of them have really sloppy security. They have default passwords which require extra effort to change. Some have their own Web servers for no fathomable reason, and others have unsecured Wi-Fi connections. People install them with very little thought and no configuration.

These devices are vulnerable to attacks that take them over remotely, incorporating them into botnets. The October 21 attack on Dyn’s DNS servers made many websites unreachable for a large part of the day. The attack came from thermostats, refrigerators, security cameras, and light bulbs. It’s like an episode of The Twilight Zone.

A bumpy week in government surveillance

William Binney (Wikimedia)

It’s been quite a week. It may well be true that Trump was wiretapped, even if he was making it up. NSA whistleblower Bill Binney said, “I think the president is absolutely right. His phone calls, everything he did electronically, was being monitored.” Contrary to Trump’s charge, there’s no evidence Obama had anything to do with it. The intelligence agencies are a power of their own, apart from what any administration tells them to do.

Meanwhile, WikiLeaks claims that “the CIA lost control of the majority of its hacking arsenal.”

WikiLeaks says the archive appears to have been circulated among former government hackers and contractors, one of whom provided WikiLeaks with portions of it. The website says the CIA hacking division involved “more than 5,000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other ‘weaponized’ malware.”

These reports confirm the impression that not much changes in the intelligence world, regardless of who is in office. The “Deep State” goes on. It provides stability, but it creates power centers that no one can do much about. Whether the intelligence agencies barge ahead independent of executive control or Trump replaces the leadership of the intelligence agencies with people loyal to him, it’s bad.

The reports tell us that the intelligence agencies need to resort to exploiting security holes to get information. That’s good news, in a way. It confirms that they don’t have widely usable backdoors into systems. Encrypted applications such as Signal and WhatsApp are still secure, as far as I can tell.

It’s clear that the CIA has its own security problems. We should be glad it doesn’t have backdoor code, or there’s no telling who’d have it by now.

This breach just adds to the reasons to take security seriously. Whether it’s the CIA or some free-lance crook trying to get into your devices, you want to keep them out. This means the usual array of precautions: Use strong passwords, don’t run suspicious attachments, use security software, beware of USB sticks in the mail, set up a firewall, etc. There’s no reason to have high tech just for its own sake, especially considering how many “Internet of Things” devices have utterly sloppy security.

When doing anything on the Internet, remember the words of Barty Crouch, Jr., in Harry Potter and the Goblet of Fire: “CONSTANT VIGILANCE!” Especially against Barty Crouch, Jr.

GPG, encryption, and signatures

A useful feature of this blog, at least for me, is getting me to do the things I should be doing. I’d let my GPG software slip to the point that it didn’t work with my current version of Thunderbird. This past weekend I got it back up to date. Since my PGP key was five years old and not strong enough by current standards, I revoked it and created a new key.

GnuPG logo

At the same time, I updated my Enigmail add-on for Thunderbird, which is what lets it encrypt and sign messages and decrypt and verify incoming ones. From now on, I’ll sign many of my messages. You’ll need to have some kind of PGP / GPG software on your end to verify the signatures; if you don’t, you’ll just see some meaningless-looking characters at the end, so it’s harmless.

The real problem exposed by the Cloudflare leak

The reporting about the Cloudflare leak had me puzzled. Apparently reliable reports said that its parser bug had leaked customer sites’ HTTPS data, including passwords. My immediate reaction was to wonder how this was even possible. You can’t pull data out of someone else’s HTTPS transactions without their private key. I asked about this in a comment on a Dreamwidth post that raised the matter, and was told I was being “belligerent” by asking. Hmm … At least one IT person doesn’t want me asking. Something interesting must be going on.

How to be an anonymous source on the Net

“They shouldn’t be allowed to use sources unless they use somebody’s name,” declares Donald Trump. This is a clear call for sweeping censorship, and it makes anonymity more important than ever. If Congress rubber-stamps him, it will be more dangerous than ever.

When the free press is threatened, anonymous Internet accounts can keep the truth coming. It isn’t easy. You don’t know which ones are reliable and which are just grabbing for attention. Still, whistleblowers and leakers are sometimes our only source of the truth. Some put their names on their work and risk the fury of their governments. Others stay anonymous so they can stay where they are and keep the information coming.

Being anonymous is hard.

Confide is eyes-only communication, but is it secure?

Screenshot from getconfide.com

The messaging app Confide got a big publicity boost from Donald Trump’s using it. It does seem like a useful thing for highly confidential communication, if it works well. (Also for evading public records requirements.) It lets you read a message only once, a line at a time, with no going back. But it’s valuable only if it’s really secure, and some people have disputed that.

Should you take your phone on a plane?

A few weeks ago, Sidd Bikkannavar flew back to the United States from South America. He’s a US citizen by birth and an employee of NASA’s Jet Propulsion Laboratory. The US Customs and Border Patrol demanded that he provide the passcode to his phone. They threatened him with detention and seizure of his phone.

The phone may have contained JPL confidential information, so CBP was not only snooping on Bikkannavar, but spying on another government agency. CBP is much more on Trump’s side than NASA is.