Archive for category personal privacy

chip and pin! Finally! (maybe)

Since my first trip to Europe 5 years ago, I’ve been trying to get a chip-and-pin credit/debit card. As far as I have been able to find out, other than a single credit union in DC, there is no way to get a chip-and-pin card in the US. American Express and others have chip-and-signature, but that’s not the same, even if they try to tell you that it is. For example, you can’t use chip-and-signature at unattended gas stations, vending machines or many other places in Europe.

It looks like, finally, the American card industry is willing to truly join the EMV card world, and issue chip-and-pin by 2015. It only took tens of millions of credit card numbers being stolen within a single month or so to get them to move.

Almost all of our credit and debit cards were re-issued to us in January, by several credit unions and other financial institutions. That had to be expensive for all of them, and there is talk of the banks suing Target over their breach.

While this won’t end credit card fraud completely, it will definitely make it more difficult.

Just one more thing to think about as I work on my personal privacy…


Upgrading my personal privacy one small step at a time

I got my start in computer security from the personal privacy side of the equation. Revelations over the past year have made me realize that I have become complacent, and it is time to upgrade some aspects of my personal digital privacy.

My first “paper” on security was an essay that warned that “someday, the government and large corporations will be able to search and manipulate hundreds of millions of bytes of information, giving them improper leverage over individuals, who won’t have the same access to computing power or storage”. I got a B. My high school English teacher said the writing was very good, but she couldn’t accept the premise 😦 That was in the late 1970s.

I’ve had, but rarely used PGP/GPG keys for email since the early 1990’s. I have friends who probably encrypt about 10-25% of their email, and sign almost 100%. Others encrypt and sign more, or less. Some are more consistent about this, some less. I felt that this wasn’t necessary for me, as I was a small enough needle in a large enough haystack, that “computational privacy” probably wasn’t needed in my particular case.

I’ve run my own email servers on my own hardware, off and on, for years. I’ve done the same for personal web servers, photo galleries, and other personal storage. Over the past few years, I’ve made much more use of hosted services, like Gmail, and WordPress.com (for this blog) instead of building, maintaining and securing them myself on my own hardware under my own physical control. I’m going to have to re-think some of those decisions, I guess.

The Snowden revelations, coupled with high-profile cases of seizures of data and equipment from hosting providers, and the inability of those service providers to stand against the abuse of certain government powers has led me to believe that it’s time to step things up a bit.

I want to upgrade my personal privacy stance over the next few months. I’m going to have to re-learn lots of the details of encryption, look at products that didn’t exist a few years ago, look into newer encryption algorithms and key search technologies. I expect I’ll need to make changes in the way I use email and the web and in general communicate. There are a lot of good resources out there; I’ll share what I find.

I don’t plan to wear a tinfoil hat, become a crypto-anarchist, bury guns and ammunition in the desert, or buy gold. This isn’t going to be a knee-jerk reaction, just some slow steady Kaizen to improve my digital privacy.


new GPG Key

With the recent revelations about privacy issues in the United States, and new recommendations about algorithms and key lengths, I’ve generated a new GPG key.

I’m also providing my prior public keys in case anyone still has old email encrypted or signed with those keys.

Here is my most recent key:


Here is my key from 2006:


Here is my original key from 1996:



IPv6 – CGN and Teredo Considered Harmful

There, I said it. The so-called “IPv6 transition strategies” are making it harder, more complicated and less secure to deploy IPv6 than just “doing the right thing”.

Carrier Grade NAT (CGN) and Teredo (among others) are the last gasps of an IPv4 world, and have no place in the modern Internet. While they may have short-term advantages to network operators, they will cause problems for their end users until they are finally phased out. Dual stack would be a better transition process, especially for customers.

CGN is, as much as anything else, a way for carriers with a large network or large installed base of end users to make the fewest (and hopefully least expensive) changes in their networks. They are betting that by introducing a small number of large-scale NAT devices on the border between their networks and the Internet that they can avoid making sweeping internal network changes, or upgrading CPE (Customer Premise Equipment).

At best, even when working correctly, CGN breaks end-user accountability, geo-location and the end-user experience. On top of that, it will slow IPv6 adoption, force “true IPv6” users to adopt a host of operational work-arounds, and complicate deployment of next-generation mobile and Internet applications.

CGN is inherently selfish on the part of the network operators that deploy it. They are saying “I want to spend less money, so I’m going to force everyone else to make changes or suffer in order to continue to talk to my customers.”

Or, as Owen Delong put it in his excellent look at the tradeoffs in CGN:

Almost all of the advantages of the second approach [transition to CGN and avoid investing in IPv6 deployment] are immediate and accrue to the benefit of the provider, while almost all of the immediate drawbacks impact the subscriber.

The next part of my rant has to do with Teredo, a “last resort transition technology”.

Like CGN, Teredo promises to allow end-user equipment to connect to the public IPv6 Internet over IPv4. It does this by “invisibly” tunneling your IPv6 traffic over the public Internet, to a “Teredo gateway”. A Teredo gateway performs a 4to6 network translation and passes your traffic onto the desired IPv6 destination. Teredo is implemented transparently in some Microsoft operating systems and can by default provide an IPv4 tunnel to the outside world for your IPv6 traffic. It can also provide an “invisible” tunnel from the outside world back into the heart of your network. And of course, all your network traffic could be intercepted at the Teredo gateway.

Teredo security has been a hot topic for years, with some concerns being raised shortly after Teredo’s standardization in 2006, and RFC6169 finally providing IETF consensus in 2011. Sadly, Teredo security must still be discussed, even though it is 0.01% of network traffic to dual-stacked resources. Fortunately, there’s a move in IETF to declare 6to4 technologies (including Teredo) as “historic”. Teredo will complicate network security until it is gone.
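Since Teredo and 6to4 traffic is easy to overlook in IPv6 logs, here is an added example (mine, not from the original post) that flags such source addresses and decodes the IPv4 endpoints a Teredo address embeds per RFC 4380. The `src=` log field layout and the log lines themselves are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")     # RFC 4380 Teredo prefix
SIXTOFOUR_PREFIX = ipaddress.ip_network("2002::/16")  # RFC 3056 6to4 prefix

@dataclass
class TeredoInfo:
    server: str       # IPv4 of the Teredo server the client registered with
    client: str       # client's public IPv4 as seen by that server
    client_port: int  # client's public UDP port
    cone: bool        # cone flag (bit 15 of the flags field)

def decode_teredo(addr: str) -> Optional[TeredoInfo]:
    """Unpack RFC 4380: prefix(32) | server v4(32) | flags(16) | ~port(16) | ~client v4(32)."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    server = str(ipaddress.IPv4Address(raw[4:8]))
    flags = int.from_bytes(raw[8:10], "big")
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF  # port is stored bit-inverted
    client = str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16])))  # so is the client IPv4
    return TeredoInfo(server, client, port, bool(flags & 0x8000))

def decode_6to4(addr: str) -> Optional[str]:
    """6to4 embeds the IPv4 endpoint directly after the 2002: prefix."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in SIXTOFOUR_PREFIX:
        return None
    return str(ipaddress.IPv4Address(ip.packed[2:6]))

SRC_RE = re.compile(r"\bsrc=([0-9a-fA-F:]+)")  # assumed 'src=' field in the constructed log format

def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, mechanism, embedded IPv4 detail) for each tunnelled source address."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = SRC_RE.search(line)
        if not m:
            continue
        try:
            addr = str(ipaddress.IPv6Address(m.group(1)))
        except ValueError:
            continue  # not an IPv6 source address
        t = decode_teredo(addr)
        if t:
            findings.append((n, "teredo", f"client {t.client}:{t.client_port} via server {t.server}"))
        elif (v4 := decode_6to4(addr)) is not None:
            findings.append((n, "6to4", f"embedded IPv4 {v4}"))
    return findings

# Constructed sample log lines, not from a real network.
SAMPLE_LOG = [
    "2014-01-15T10:00:01Z fw ALLOW src=2001:0:4136:e378:8000:63bf:3fff:fdd2 dst=2001:db8::10 dport=443",
    "2014-01-15T10:00:02Z fw ALLOW src=2001:db8:1::25 dst=2001:db8::10 dport=25",
    "2014-01-15T10:00:03Z fw ALLOW src=2002:c000:204::1 dst=2001:db8::10 dport=80",
]

if __name__ == "__main__":
    for n, kind, detail in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} tunnel, {detail}")
```

Only the first and third sample lines are tunnelled; the native 2001:db8::/32 source in the second line falls outside both prefixes and is left alone.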

I for one, cannot wait for both CGN and Teredo to be consigned to the dustbin of history.


Security – why programmers should study computing history

You can now add LinkedIn, eHarmony and last.fm to the long list of major sites that have had poor password security in their user database designs. The saddest part is that in the case of LinkedIn, at least, this was apparently completely avoidable. (I haven’t found enough details to comment on the others, yet.)

Protecting stored user passwords is not rocket science.  This problem was pretty much solved in the 80s and 90s: Use a salted one-way hash function of sufficient strength to resist a dictionary attack.

(LinkedIn’s mistake was to use hashes, but not to salt them.)

That’s it. Really. UNIX has been using a salted hash since about 1985, initially with a hash based on DES. Since that time, as computing speeds have increased, new (salted) hash functions based on MD5, Blowfish, and SHA-2 have all been introduced.

In other words, stored password security has been a solved problem for at least 25 years. The concept is the same, only the algorithms have needed to be updated as Moore’s Law has dictated.

This is just one reason that programmers (and sysadmins) should study history, if only the history of computer security. Oh, if you’re not a cryptologist, for security-critical functions, please use well-vetted library functions.
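To make the “hashes but no salt” point concrete, here is an added example (mine, not the post’s) that puts an unsalted deterministic hash next to a per-user salted record built with the standard library’s PBKDF2-HMAC-SHA256. The guess list and user table are constructed, not from any real breach.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample data for the demonstration; not from any real breach.
GUESS_LIST = ["123456", "password", "qwerty", "letmein", "iloveyou"]
USER_PASSWORDS = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}

def unsalted_sha1(password: str) -> str:
    """The weak design: one deterministic hash, identical for every user with that password."""
    return hashlib.sha1(password.encode()).hexdigest()

def resolve_with_precomputed_table(stored: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Without salt, a table built once resolves every matching hash in the whole database."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}

def make_salted_record(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """The sound design: a random per-user salt plus a slow, well-vetted KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_salted_record(record: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    weak_db = {u: unsalted_sha1(p) for u, p in USER_PASSWORDS.items()}
    print("unsalted: alice and bob share a hash:", weak_db["alice"] == weak_db["bob"])
    print("unsalted: resolved by one table:", resolve_with_precomputed_table(weak_db, GUESS_LIST))
    strong_db = {u: make_salted_record(p) for u, p in USER_PASSWORDS.items()}
    print("salted: alice and bob share a record:", strong_db["alice"] == strong_db["bob"])
    print("salted: verify alice:", verify_salted_record(strong_db["alice"], "password"))
```

With salts, the same guess list still has to be run once per user against each user’s own salt, which is the cost the unsalted design gave away.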

A few references:


obligatory Google+ post

It seems everyone has one. I can’t really add much to all the tens of thousands of words that have been written, so I’ll just point you to the beginning:

http://www.slideshare.net/padday/the-real-life-social-network-v2


Bye, Dropbox

Dear Dropbox,

It’s not you, it’s me. You see, I care about my privacy and what I share with friends and the Internet at large. I also care about what I share with you and other companies.

I was hesitant to use your service, but I read your terms, and got the strong impression that you cared about my privacy and security.

Alas, that just wasn’t true.

So, I’ve deactivated all three of my Macs and my Droid, and deleted my Dropbox account. Fortunately, I didn’t use that password anywhere else, so I’m done.

Your service was convenient, so I’ll check out your competitors to see if they have a better security posture and more transparency. If so, I’ll likely end up paying for their service. Thanks for showing me how useful a sharing service like yours could be, but too bad I couldn’t stay with you.


Seven Firefox plug-ins for online privacy

I came across this CSO Online article again, after seeing it last year.  It is still valid, and has a good list of plugins for Firefox to enhance your privacy.

These days, I wouldn’t think of browsing without NoScript, and I use AdBlock Plus regularly, although not 100% of the time.

I think that these days I’d add LastPass to the list for password management. When I started my conversion to LastPass, I had over 370 account/password pairs in my home-brew password database.


The more things change (wiretapping the internet)

I feel like we’ve been here before. The Administration is planning to sponsor legislation to make it easier to (legally) “wiretap the Internet”. Based on what little has been written, it appears that Justice is arguing that CALEA (and more!) should apply to the Internet. If that’s the case, then every manufacturer of Internet routing and switching gear would be required to build in the capability for law enforcement to activate a “tap” remotely and with no way for the provider to be aware of it. Oh, and LE gets decryption assistance, too.

This will not end well. I don’t have lots of answers, but I’ve got a lot of questions. Feel free to answer them in the comments 🙂

1. Why bother with the legislation?  The Bush Administration already illegally authorized wiretapping.  Oh, you want the evidence admissible?

2. Which equipment will this apply to?  Large core routers and switches, certainly.  What about my home router?  What about equipment manufactured in China, Russia, Taiwan?  So, all networking gear has to have government approval before installation?  What about a VM appliance, or a home-grown BSD-based firewall?  Will it become illegal to create your own firewall, or use an open source based router/firewall?

3. How will the requirements to support decryption work? Will US citizens (and companies) be forced to use NERF’ed encryption? Will the end-to-end SSL/TLS model be deliberately broken to force enabling of a man-in-the-middle attack? How will this play against PCI requirements to use best practices? We’re already seeing massive data spills of credit card and personal data, and the common denominator is often poor or nonexistent encryption.

I don’t claim that there is no need for increased ability for law enforcement to collect and process digital evidence, including network traffic. That need is real, and in our collective best interests. But this legislation, as currently described, is impractical and over-reaching, prone to abuse and unenforceable, and completely changes the balance of power between individuals and the government.


on protecting your email – extreme edition

I recently helped a friend of a friend create a new email process for himself. He’s a journalist and wanted a little more protection than is usual. He’s been noticed by governments, corporations and others, and has had some problems with his email being stolen in the past. He’s had a laptop stolen and some of his email appearing in print.

His situation is far from typical, but it was an interesting thought experiment to see how “secure” one could be, if paranoid enough and accepting of enough cost and inconvenience.

We looked at several threats against his email and personal and professional files, and came up with some easy changes that could cut his risk significantly.

One of his suspicions was that at some point his US-based ISP had been forced to turn over some of his email. For that reason, I recommended that he find an “offshore” email provider. I recommended going to a provider in the EU, as they have much better privacy laws, and a history of telling other nations to buzz off. Sadly, the UK isn’t a good option, as between the “special relationship” and the Official Secrets Act, even their own citizens aren’t well protected. Their ongoing debate about their national identity cards shows a certain bias for the government at the expense of their citizens, although this may be settled, at least for now. I think the Netherlands, Germany or Switzerland would be good email homes, as there seem to be numerous options for hosted email in those countries, and the few that I checked into all offer SSL-protected web mail.

Next, we talked about installing Pretty Good Privacy (PGP) to protect his email in transit. PGP has been acquired (and re-acquired) since the days of Phil Karn, but they still have a solid reputation. If you are a geek, then you can get and install the open source gpg (Gnu Privacy Guard). Commercial PGP offers good email encryption, good file encryption and even hard drive Whole Disk Encryption (WDE).

Another part of his “threat model” is theft of his laptop to get his files. While encrypting hard drives are becoming more available, there may or may not be OS level support. Check out offerings from Seagate and Hitachi as well as some laptops from Dell and IBM which include encrypting hard drives.

If you don’t select a hardware drive encryption solution, you can use PGP or TrueCrypt. If you just want the data encrypted and you don’t care if someone might know that you have encrypted data, then PGP. If you are concerned about someone knowing that you have secrets, then TrueCrypt. Since TrueCrypt can make invisible (or at least hard to detect) partitions, that’s an additional level of assurance.

As an international traveler, your laptop is subject to search at any border, including the US ports of entry.  France and China have also been mentioned as countries with some level of laptop threat at their borders.  There are a few ways to get your data through the entries, although some may raise red flags.

First, you can just encrypt some files, or even the entire hard disk with PGP. This may raise questions, and in some jurisdictions (UK, maybe US), the authorities may be able to compel you to divulge any passwords to unlock the files or drive. There have been two people jailed in the UK for refusing to divulge their passwords. US law is unclear, as the Circuits have ruled in different ways in different cases, if I recall correctly.

If you want to carry encrypted data without it being apparent, then you can use TrueCrypt to create an encrypted “volume” which will look like a regular file. Just name the file something innocuous, like “refrigerator-ref-manual.pdf.zip”. Even if “they” try to un-zip the file, it will appear to be a damaged ZIP file. Oh darn, too bad.

Bruce Schneier offers a novel while complicated solution: encrypt with a key that you don’t know.

But best of all is to not actually carry any data at all… Store your data at your non-US ISP, and keep nothing on your laptop except a web browser. You can always get to your data as long as you have a net connection, but you don’t carry it where it can be seized or lost if your laptop is stolen. If you need your data when you aren’t connected, then just put the data at the ISP and clear it off your laptop before you travel, and then download it at your destination and then carry it around. This method has been recommended in the corporate security press for protecting corporate secrets.

One novel idea is to not carry a laptop at all. Carry an iPad and use it to read your email and access your data. Store nothing on the iPad, and clear the browser cache frequently. No one will know how to search it at a border, as there are currently no common tools to image an iPad. Even when those tools arrive, there will be no data to find.

So, how’s your paranoia level?
