A Poor Geek’s Copyright
By Daniel Miessler on March 12th, 2007: Tagged as Business | Copyright | Geek | Privacy
Fellow geeks, if you would, do me a huge favor and copy this text and put it in a safe place…
hQQOA11AgtNhPwrtEBAAzaEnUxjIz8sK4o//mROU59VrueX4+NkO58w3JgytYBdm paHwG7ZwE8JNJsOSxRFaGML+gC954ivV7j0fiRfMUnyziYM+KX8DIXWTls2Dq80i wE7WBz1Inr1gwS4s8uEfMiXHRxldAu2iaFx4AyqFI58vKkh6UsQF2UxMaoc+SuQS aDQioG00SDsc1JJPJwScolpp55CYBwYvGzFUklstgydjkM7AoBXdva4ZYZCg/vCN HzwH4yO6Uorw1tJkciyBv25ja23SDzpt8RCUI0vZqMUymvASgnxJO93tHVcX1Ecz 8wRyd04OMCecqvhR2KOwiVsNsVC9e/+99DC+x5c+WKH1pES5lMA+gScrSGaucrF0 ozyL2n/+roX2c5D4BF2U7iPpePvb2IjojSELmyQYgYGuPDEJawWdbjuy1w1xnGww 2n8Ihh6q67vhsuRJuE4cMhCFA1A+Rz/ecDx3o2CKRMAfzz5dQ+3N3bRhiDpfwfdO 8HeREJRaaEH3BwC3easpxZQPVgQ7C8g4bHq/3jgHK0Ru0As8QMMG1uT3dqTh7jlt hgZy0k9oIdQdg0IzzeQO1qnaA1PcjDdqoBl1EmB+C5HGsrJVKeyvydJkU/1kCgtv 36wsFztb2dOCowHmzaXKjkv8/+H8UHq79OZSt26G3TCzOAUVyBLoyqPrVYWEyFcP /2yisgsRvV4AI9E++I5JSUZS3KF2e7ATemivURKAa9dqehEpkgw4/LE6mLqWMe7Y UfpOP5WufDoNf8odAylWlBZk/vBiI7cD12Llzs05CObxpTZGBL2HqBDvZu1rTeH8 QEIldTBphCit4WACqtOxYc+7absg/X71c+8tlDjCXz0Vl9O1GLKrtDuT6wBXnIdk +Dr+1uFCLpjAVU8SIGd3REhV6S+lpf+ZcB+IG5EjfjFKEKm2p1KTkDxj1IwH6yt7 k8Pq04Ef5RV0Q9SgfvHoFD1LJvZGRmZj2thWeXclxG6v//Vue76Rmfd40mNdkoKs BaAHhalockopsIWGmVwS68cTjZzmCMl3EJwwS32R3TyYYhrqnlUmHPgNzlG0Juqo piNsEvk0zqmhySET6BeLe2zJSEKszUsYvV2kaur7MlBSWMTcSkxgOpRmDmDeYXZ5 dgTlJsgmrNeNs4iEjt21DtHnAywksSSuzSJZFmWnqSea3jjnw0cA1ccQYbXn+9yZ Ay7BNDfjqB8Qs82w1TfboepAdHMK5v4FyNdKlyt1XCwpIcQN6PjtUDvkv67k7SJT +bNjdXtALKC2h+Y4owAnM+48CgaVnv2E4mnp818VmE4CXuLG/Cmgipm5GQgVttJ5 q0O434hilfLyAem3hcaMpK3U+ltJH6uDFezDTh7G/+QR0ukBfW+MPwqt+ApACj2b GEGG1oB0U7K5nuett2xjsKbE+0V7Vv/6Sk2VKds/IRwYb+ER8wLJKEULzTKM2ADe a9cs7wLApN3az0t+ueBzCVC+EefzlQX+H7V9uWmrV95XehFNpJX0+hFFgd+uWEBZ mgFMrwZbB9xaL8EFp4cKxCBOWdqZnc/Zc39fMfISZIFGp+w3sU0q1Lp1KILubWbK Mw4YIhklj539e6uFKZHJvY/0PzRp1D08a9AzvLRnwb7tDHgd9qbPA8+YrUx083yV d8bu2uOxB4wMOnpr88OBYNpsF8QF4b4jp3XWm6/7nnexVTsx6KVxdLQQXZYmC2ZC mY9EI1oaC9niOu4IicsJEMWY3PaPfEnjh+mifvIunN92jMOtOHkF+0Aeymf2n0Rt K25Xr6kFksjQRFhyvrT+BJd41FiJSANc7XC1b+/pVLufmlGPA+ZwWksoBvyw7kCi IHjEk7gg9VkduRa1F2sXLmU1MgKCCFT+ptl/C+nXBFa3RwCE3xB4uzbd33kzLJbd 
HT1qOVo2JZWTZ3MgzBpglv9NSKliPE7A1Ms9lhZL6IAk11U2RNypwTRCp8MkIHLI JsGm8m9cC61T/XDmRPZ9R7iLNPf/fc7iEdL6w5sX+OzCkcPUHTUyC4Aoxe3hQXnX X+KQ/bACGgwxmcvYhmxqjw+sHcDuxlCohq1VeUPbW8fq8oSV0trGeudZU7UBGCy9 hncZiBbNJGzbBHmMfVOsKw9cH+nVobbEJp5pSYGwLLXtdfqV59kdE95LEaHpol1r BRqDSZq9KSLtUnIwTl9qV+Cg1bGhZpOd0hIAQPQzxDfoBH3oUJlfHREalgg5d0/Q WwKR1bcAEuahwOwQbL5U6rFLLVtkyEtapCjM3D3kuMuMqhNwXio+GVT5w+ZdAafF GDIIDyPnypZfunBfGK5nj5e4sbBhE2IdZiA77yoTUp2hqSldjO+2+fuYITS+5RDi EKNC2Thj8avhl+x57o49IOYIDfSyaghVhtCHD/dgFroA0FXBTs9NKptpx6jslCp4 XuTpciLFuFP0uT9UZHeOuBhIzQe4TyOyMpZ734PlZQbE2AuIRBN0sXUJ0ENeJZTg tjifhgpNo6TJrHn1DMgaKMrMxTDrRJn77+iB6YBdY2WLZD/lk9lQ+QtHo/IBTOI+ NZIyqFG9z6E/tMDdGJPTjY+ltLFZEAEvLEVgxazd81nMJwr8aOKSMSQB4IYGE7bx 4DyAbs/uVjt1ERnTAib6PNAvUQ==
=wftQ
-----END PGP MESSAGE-----
Hiding Your IP Address
By Daniel Miessler on February 27th, 2007: Tagged as Learning | Privacy | Security
A short beginner’s explanation of why you can’t truly “hide your IP address”.
Security: Implementing A Secure And Usable Internet Password Scheme
By Daniel Miessler on February 13th, 2007: Tagged as Internet | Passwords | Privacy | Security | Sysadmin | Technology
As an information security consultant I am often asked how to balance two competing needs for online passwords: they have to be hard to guess and at the same time easy to remember. There are a number of solutions out there for dealing with the problem, but the system I’m about to outline below is an elegant hybrid of simplicity and security. It works for me, and I think it can work for you as well.

The Problem
The main issue we’re all grappling with is the number and complexity of the passwords we need to remember. Ideally, we would never share a password between any two sites. They would all be different and at the same time highly complex. Unfortunately, this doesn’t mesh well with reality. The human brain just isn’t up to the task.
Simplification Through Classification
The way we get around this limitation is to classify our online accounts according to risk. In other words, we’re going to determine how important each of our accounts is, and then put them into one of three (3) groups. For the purposes of this article we’ll use the military classifications.
- Top Secret
- Secret
- Confidential
Next we’ll simply group your Internet account types into each of these categories:
- Top Secret: Banking, brokerages, and financially or identity-oriented sites. Think about your social security number and other sensitive personal data. Any accounts of this nature you want to protect with your strongest layer of security.
- Secret: Personal email, blogging sites, important forums, etc. These are your main accounts that you use on a day-to-day basis. They aren’t ultra-sensitive, but they are a huge part of your life and need to be secure.
- Confidential: Product forums, mailing lists, etc. These are your low-risk accounts, meaning that if one were to be compromised it would be annoying but not a major problem. We’re still going to have relatively strong passwords here, but they’re going to be simple in comparison to the two higher levels.
** Also keep in mind whether a site supports encrypted logins when assigning your accounts to these groups. Never put an account into the top two groups (Top Secret or Secret) if that site doesn’t support encryption. We don’t want someone possibly intercepting one of your upper-level passwords.
Designing Our Password Schemes
Ok, now that you have your accounts grouped properly it’s time to design our three password systems. We’ll start with the Top Secret:
Level 1 — Top Secret: For this level we’re going to use a combination of upper-case, lower-case, numbers, and special characters. We’re also going to make the password at least 12 characters in length. You will be writing these passwords down on a card in your wallet or purse, so it doesn’t matter if you can’t remember the password at first. After you use it a few times it’ll become second nature regardless of how complex it is. Try something like this:
5PF.c9a8>12!
It looks pretty scary, but you’d be surprised how easy it is to remember once you type it a few times over a number of days. The point is that it’s not going to be guessed, and it’s not going to be tied to another account. If you absolutely have to, you can use a sentence algorithm to build the password, like so:
My Online Bank Password Is Not Simple To Guess At All, Julie.
M0bP1n5tGAAJ.
One point on writing down passwords: Many people think this is a bad idea, but that fully depends on how you secure them once they’re written down. Sticky note on monitor? Bad. Wallet? Good. You have to balance the risk of strong passwords in your wallet vs. weak ones in your brain.
Regardless of the scheme you use to create your passwords, you want them to be a) pseudo-random/highly complex, b) over 10 characters in length, and c) absolutely unique. In short, we don’t want someone with your brokerage account password to be able to log into your bank with the same credentials.
Level 2 — Secret:
With the secret level accounts we’re going to introduce an aspect of simplicity/usability. We’ll do this by defining an algorithm for generating and varying passwords across sites while still maintaining the appearance of randomness within each individual password.
In short, all level 2 (Secret) passwords will be generated by the same algorithm. As such, they’ll look very similar to you, but will look like random garbage when viewed independently by an outsider.
So let’s build your Level-2 (Secret) algorithm; we’ll use a Gmail account as a template:
[This is just a sample algorithm; you should make your own.]
- First two letters + last letter of the account name: GML
- Add up the alphabet positions of the three letters and subtract your birthday: G (7) + M (13) + L (12) = 32; 32 – 15 (if you were born on the 15th) = 17 → GML17
- Add the digits of that number together to create a third number: 1 + 7 = 8 → GML178
- Add a word for length, using character substitution for complexity if you want: GML178H0lid4y
- Add special characters: !GML178H0lid4y#
- Scramble as desired: !H0lid4y#GML178#
You now have a very solid password for your Gmail account. But it gets much better than that. You’re using the same algorithm for all your level 2 accounts. So do the same for your Hotmail account and you’ll end up with:
!H0lid4y#HOL358#
Level 3 — Confidential:
For our lowest security level (3) we’re going to use an algorithm similar to the secret level (2), only it’s going to be completely different and much simpler. Remember, these are your unimportant accounts; you wouldn’t want them to be compromised, of course, but if they were then it wouldn’t be that big of a deal.
Let’s make a level 3 algorithm for a site called cars.com:
- Last letter then first letter of the site name (cars): SC
- A word used for all your low-level accounts, with a single number substitution (i to 1): SCPubl1c
- Add a special character: SCPubl1c$
- Scramble as desired: $Publ1cSC
Again, you now have a decent password that’s not easy to guess and will give a bit of difficulty if someone gets one and tries to guess others. Of course, if they get one of these level 3 passwords and try to break your Secret (2) or Top Secret (1) passwords, they’ll be unsuccessful.
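The Level 2 and Level 3 derivations above, worked through in code, together with a check of the Level 1 rules stated earlier (at least 12 characters, all four character classes, never shared between accounts). This is an added example and not code from the original post: it follows the Level 2 steps exactly as listed (the Gmail walkthrough comes out to !GML178H0lid4y# before the final scramble, which the post leaves to personal taste and is therefore not applied here) and the Level 3 steps for cars.com. The words Holiday and Public, the birthday of 15 and the substitution letters are the post’s own examples; the function names and the letter-position helper are assumptions of this example. One caveat worth seeing in code: applying the listed arithmetic to Hotmail gives HOL202, whereas the post’s HOL358 comes out only if the birthday subtraction is skipped.

```python
import string

# Digit look-alikes the post uses: "Holiday" -> "H0lid4y", "Public" -> "Publ1c".
SUBSTITUTIONS = {"o": "0", "a": "4", "i": "1", "s": "5"}


def letter_value(ch: str) -> int:
    """Alphabet position of a letter, A=1 ... Z=26 (the post's G=7, M=13, L=12)."""
    return ord(ch.upper()) - ord("A") + 1


def substitute(word: str, letters: str) -> str:
    """Replace only the listed letters (case-insensitive) with their digit look-alikes,
    so 'Holiday' with letters='oa' becomes 'H0lid4y' while the 'i' is kept."""
    return "".join(SUBSTITUTIONS.get(c.lower(), c) if c.lower() in letters else c for c in word)


def level2_password(account: str, birthday: int, word: str = "Holiday", subs: str = "oa") -> str:
    """Level 2 (Secret) derivation, the post's steps applied to an account name:
      1. first two letters + last letter          Gmail   -> GML
      2. sum of letter positions minus birthday   32 - 15 -> 17
      3. digit sum of that number                 1 + 7   -> 8
      4. a word with character substitution       Holiday -> H0lid4y
      5. special characters front and back                -> !GML178H0lid4y#
    The post's final "scramble as desired" step is a personal choice and is not applied."""
    name = account.upper()
    letters = name[:2] + name[-1]
    total = sum(letter_value(c) for c in letters) - birthday
    digit_sum = sum(int(d) for d in str(abs(total)))  # abs() guards a birthday larger than the sum
    return f"!{letters}{total}{digit_sum}{substitute(word, subs)}#"


def level3_password(site: str, word: str = "Public", subs: str = "i") -> str:
    """Level 3 (Confidential) derivation for a site name: last letter then first letter
    (cars.com -> SC), one shared word with a single substitution (Publ1c), one special
    character. The scramble step is again left to the reader."""
    name = site.split(".")[0].upper()
    return f"{name[-1]}{name[0]}{substitute(word, subs)}$"


def level1_policy_failures(password: str, other_passwords: list[str], min_len: int = 12) -> list[str]:
    """Return the Level 1 (Top Secret) rules a password breaks: at least 12 characters,
    upper case, lower case, digits and special characters all present, and not reused
    on any other account. An empty list means the password passes."""
    failures = []
    if len(password) < min_len:
        failures.append(f"shorter than {min_len} characters")
    classes = {
        "upper-case": string.ascii_uppercase,
        "lower-case": string.ascii_lowercase,
        "digit": string.digits,
        "special": string.punctuation,
    }
    for label, chars in classes.items():
        if not any(c in chars for c in password):
            failures.append(f"no {label} character")
    if password in other_passwords:
        failures.append("reused on another account")
    return failures


if __name__ == "__main__":
    gmail = level2_password("Gmail", birthday=15)
    hotmail = level2_password("Hotmail", birthday=15)
    cars = level3_password("cars.com")
    print("Gmail   :", gmail)    # !GML178H0lid4y#
    print("Hotmail :", hotmail)  # !HOL202H0lid4y#
    print("cars.com:", cars)     # SCPubl1c$
    # The post's two Level 1 samples pass; the Level 3 password is too short for Level 1.
    for candidate in ["5PF.c9a8>12!", "M0bP1n5tGAAJ.", cars]:
        print(candidate, level1_policy_failures(candidate, [gmail, hotmail]) or "passes Level 1 rules")
```

Running the script reproduces the post’s Gmail and cars.com results and shows why a Level 3 password must never be promoted to a Level 1 account: it fails the length rule even though it contains all four character classes.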
Conclusion
Using this system can increase both security and usability when working with multiple accounts online. Here are a few additional guidelines about this technique and passwords in general:
- Vary your algorithm for level 2 and 3 accounts regularly (I recommend at least once a year)
- Memorize your algorithm and write down your passwords on a card in your wallet. Don’t write down the algorithm itself. Just seeing a password created with it should jar your memory.
- For an extra layer of security you can consider leaving out or modifying a crucial part of the passwords you write down. This way, even someone with the card will not be able to use it. Be warned that if you forget what you changed, however, you’ll be very upset.
- Change your level 1 passwords often as well. With the strength that we’re using in this article I’d advocate once every 6 months.
- Many also use what’s effectively a level 4 account, i.e. a throw-away password that is used for accounts even lower in importance than level 3. Usually this is a static password. Just be sure to be very selective about where you use such a password, and make it as complex and long as possible while retaining its benefit of simplicity.
- An encrypted database is another option for managing passwords. I advocate this method over that one due to issues with losing or damaging the portable storage that the DB is stored on, in addition to not being comfortable with using such a system on a foreign computer (where necessarily you open ALL of your passwords to the system being used). It’s really a matter of personal preference, however, as both systems have their strengths and weaknesses.
I hope this has been useful. For any questions or comments, please feel free to contact me directly.
Understanding The Diffie-Hellman Protocol
By Daniel Miessler on December 1st, 2006: Tagged as Encryption | Privacy | Security
For anyone interested, I just completed a short write-up on the Diffie-Hellman protocol.
Malware Using Tor?
By Daniel Miessler on July 12th, 2006: Tagged as Privacy | Security
So it seems there are some reports of malware using Tor now. Inevitable perhaps, but no less scary.
Help Reform The Patriot Act
By Daniel Miessler on February 18th, 2006: Tagged as Government | Information Security | Politics | Privacy | Security
The current Patriot Act is desperately in need of reform, and if we as citizens don’t make ourselves heard, nothing is going to be done about it. Rather than go into the details myself, here are a few paragraphs from Senator Russ Feingold’s speech to the Senate. It’s long, but this is the future of our country’s freedoms we’re talking about. If you are moved by what the Senator has said here, I implore you to write or call your representatives and let them know you support Senator Feingold’s position.
The thing is, we literally forfeit our right to complain about our rights being taken away if we are too lazy to take 10 minutes out of a single day to make a couple phone calls or send a couple emails. If you care about this country at all, please read the text below and act on it via the link above.
I want to remind my colleagues of the serious problems with the Patriot Act that we have been discussing for several years. Let me start with Section 215, the so-called “library” provision, which has received so much public attention. I remember when the former Attorney General of the United States called the librarians who were expressing disagreement with this provision “hysterical.” What a revelation it was when the Chairman of the Judiciary Committee, the Senator from Pennsylvania, opened his questioning of the current Attorney General during his confirmation hearing by expressing concern about this provision of the Patriot Act. He got the Attorney General to concede that yes, in fact, this provision probably went a bit too far and could be improved and clarified. That was an extraordinary moment. It was a moment that was very slow in coming, and long overdue. And I give credit to the Senator from Pennsylvania because it allowed us to start having a real debate on the Patriot Act. But credit also has to go to the American people who stood up, despite the dismissive and derisive comments of government officials, and said with loud voices – the Patriot Act needs to be changed. These voices came from the left and the right, from big cities and small towns all across the country. So far, more than 400 state and local government bodies have passed resolutions calling for revisions to the Patriot Act. I plan to read some of those resolutions on the floor during this debate. There are a lot of them. And nearly every one mentions Section 215. Section 215 is at the center of this debate over the Patriot Act. It is also one of the provisions that I tried unsuccessfully to amend here on this floor in October 2001. So it makes sense to start my discussion of the specific problems I have with the conference report with the infamous “library” provision. 
Section 215 of the Patriot Act allows the government to obtain secret court orders in domestic intelligence investigations to get all kinds of business records about people, including not just library records, but also medical records and various other types of business records. The Patriot Act allowed the government to obtain these records as long as they were “sought for” a terrorism investigation. That’s a very low standard. It didn’t require that the records concern someone who was suspected of being a terrorist or spy, or even suspected of being connected to a terrorist or spy. It didn’t require any demonstration of how the records would be useful in the investigation. Under Section 215, if the government simply said it wanted records for a terrorism investigation the secret FISA court was required to issue the order — period. To make matters worse, recipients of these orders are also subject to an automatic gag order. They cannot tell anyone that they have been asked for records. Now some in the Administration, and even in this body, took the position that people shouldn’t be able to criticize these provisions until they could come up with a specific example of “abuse.” The Attorney General has repeatedly made that same argument, and he did so again in December in an op-ed in the Washington Post when he dismissed concerns about the Patriot Act by saying that “[t]here have been no verified civil liberties abuses in the four years of the act’s existence.” First of all, that has always struck me as a strange argument since 215 orders are issued by a secret court and people who receive them are prohibited by law from discussing them. In other words, the law is designed so that it’s almost impossible to know if abuses have occurred. But even more importantly, the claim about lack of abuses just isn’t credible given what we now know about how this Administration views the surveillance laws that this body writes. 
We now know that for the past four-plus years, the government has been wiretapping the international communications of Americans inside the United States, without obtaining the wiretap orders required by statute. You want to talk about abuses? I can’t imagine a more shocking example of an abuse of power, than to violate the law by eavesdropping on American citizens without first getting a court order based on some evidence that they are possibly criminals, terrorists or spies. So I don’t want to hear again from the Attorney General or anyone on this floor that this government has shown it can be trusted to use the power we give it with restraint and care. The government should not have the kind of broad, intrusive powers in Section 215 – not this government, not any government. And the American people shouldn’t have to live with a poorly drafted provision that clearly allows for the records of innocent Americans to be searched and just hope that the government uses it with restraint. A government of laws doesn’t require its citizens to rely on the good will and good faith of those who have these powers – especially when adequate safeguards can be written into the laws without compromising their usefulness as a law enforcement tool.
Why Don’t We Clean Up The PGP Key Servers?
By Daniel Miessler on February 16th, 2006: Tagged as Information Security | Infosec | Privacy
I think the InfoSec community needs to make a push to purge the PGP key servers. I think it’d be nice to start off with a clean slate, you know? Virtually everyone I know has at least one public key up on a server that they no longer have the secret key for. It’s a cluster to the nth degree.
I just think it’d be nice to start fresh. Everyone who manages keyservers could send a series of notification emails to the addresses listed in their key database, and after like a year (or whatever agreed upon amount of time), the deletions would begin.
Worst case scenario is that some people need to re-upload their public keys. I think it’s a small price to pay given the resulting “fresh” feeling. I for one can’t stand looking at all those redundant, orphaned keys — it’s the OC in me I suppose.
Thoughts? Anyone agree?
Google’s Inevitable Betrayal
By Daniel Miessler on February 15th, 2006: Tagged as Business | Google | Philosophy | Privacy
Tons of people all over the Internets are shedding all vestiges of sanity over how much information Google has access to. They’re especially rabid over the fact that Google is now archiving all chats.
Many view this as proof that the company is heading down a dark path — a path that will eventually lead to them knowing virtually everything about their account holders.
I disbelieve.
I have seen nothing but honesty from the company since I began using their search engine in 1999. I have a high level of confidence that they are using my information for the reasons they claim, and not for some hidden, malicious purpose.
However — and this is a big one — this is all contingent on their current management structure.
This debate really needs to focus on the people in charge more than anything else. They are the ones who control the “morality” of the company’s culture. As I said, I’m relatively comfortable with them right now due to how they’ve conducted themselves over the years, but that could change in one night. One bad meeting, one change in the personal life of a key decision-maker — any number of catalysts could send the company over the edge.
Imagine a room full of highly explosive gas, and then imagine a giant match. Well, the room full of gas is Google, only it’s a room the size of 10,000 football stadiums, and it’s growing every day. So the issue isn’t so much whether or not the current management staff is the match, the issue instead is the fact that there will inevitably be one at some point.
So the question then becomes — how much of your information do you want Google to have of yours when they do have that management change and open their doors to the government (and God knows who else)? This, by the way, is the match. If you think about it, it’s actually quite easy to see. I believe the current heads of Google are decent, honest people, but do you want to bank your life’s information on the fact that they will always be there? Can you be sure they will always be successful at keeping those who want their information at bay?
Think about how much profit potential Google represents to someone willing to take advantage of it for business purposes, or how much intelligence information it holds about account holders. It’s seriously mind-boggling, and to believe that a few good people will be able to perpetually defend this massive gold mine is an exercise in naivety.
My point is simple — don’t overreact and label Google as the great Satan or some variant thereof; that’s just being a little silly at this point. But at the same time we need to stay aware of what could, and arguably will, happen in the future.
As for me, I’m going to continue using Google; they’re an exciting company that continues to bring out some awesome products. But I won’t be using it as a primary system for personal correspondence. I prefer having all my mail under my control, i.e. on a LAMP server that I administer. So I may use the mail forwarding from time to time, or Analytics, or whatever other cool stuff they come up with as time goes on, but I’m not going to drink the punch.
Tor On A Stick
By Daniel Miessler on February 6th, 2006: Tagged as Information Security | Internet | Privacy
Awesome project. Launch Tor from anywhere via USB Stick: