Gwebs Cryptographer

I just read an review of a new 64 gb flash drive from Samsung on ComputerWorld.com and it got me thinking about the best way to distribute resources on a laptop. Here are some excerpts from the article, and my comments:

The no-moving-parts characteristic is, in part, what protects your data longer, since accidentally bumping your laptop won’t scramble your stored files. Samsung says the drive can withstand an operating shock of 1,500Gs at .5 miliseconds (versus 300Gs at 2 miliseconds for a traditional hard drive). The drive is heartier in one other important way: Mean time between failure is rated at over 2 million hours, versus under 500,000 hours for the company’s other drives.

….

Other specifications are equally “small”: power consumption is just 1 watt when the system is active, 0.1 watt when idle, and .06 watt in standby mode. (Equivalent power consumption figures with hard drives are 2.1, 1.5, and .2 watts, respectively.)

Flash drives will be the next big thing in laptop computing. The simple fact that they are three times more durable then platter drives is enough to make me want to lay out for one (data integrity is much more important to any business user then his/her screen, which can be replaced with minimal effort). Add to that the fact that they reduce energy consumption (thus increasing battery life), and it becomes a no-brainer for a non-media dependent person to use a flash HD.

On the other hand, many of us use massive amounts of storage for digital imaging, music, and video. These users require platter HDDs because you cant buy a 250 gb flash drive yet. (but with Moore’s law, we will have 256 gb flash drives in no time…)

Now there are two solutions to this problem (best practices) - if you are using your laptop as a digital video/photography production system, you can buy a dual hd system. Put your system on one partition (which you ghost after setting up your ideal system config) and your important word docs and the like on another (encrypted) partition on the flash drive , and then put your media files on your 250 gig platter drive (all of which you have backed up of course.)

The other (not so good) option is to carry around a minimal dataset on your laptop that is to say keep your images and video in highly compressed format for the laptop, and have them in RAW your whatever you use for uncompressed storage on some NAT drive or server (but don’t forget the sys partition and ghost… it will come in handy in the future).

Security, encryption, new best practices, data security, encryption, ghost, laptop, ssd, storage

Facebook, if you didn’t know already, asks you for your email address and password when you create an account, or even if you don’t. It’s a highly visible link on their homepage. The stated reason is so that you can send invite letters to your contact list. And you can’t blame the peeps for trying, right? We all gots our hustle. It’s just that Facebook’s particular hustle leaves a lot of room for doubt. It could be Facebook doing exactly what they claim to do and nothing else, or it could be that the largest data mining company in the world is applying to email what Nigerian scammers have been doing with bank accounts for years.

But it’s also a royal pain in the tuches to have to invite every one of your friends to your social networking site manually, and with the importance of social networking sites to many businesses, people in fields that require a little publicity, and people who really like attention, this is a useful feature.

Which is why this article from blogger Dragon’s Flag caught our eye. It’s not just a plug for our product (although an independent testimonial to how awesome we are it certainly is), it’s also a fantastic little piece of know-how that makes you kick yourself for not thinking of it. And so here it is, translated for your edification:

On National Day (October 1st), 2007, I created a Facebook profile, and as part of the registration process, Facebook asked for my email account and password. To test if Facebook poses a threat to social networks by doing this, I gave them my password. I can hand out my password to pretty much anyone who asks for it, but can you?

My email address is dragonflag@gmail.com, and there are over 3000 emails inside. (Facebook supports most of the major services, including gmail, hotmail, live, yahoo, aol, etc.) Before uploading my password, I changed it to 123456.

I’m a longtime user of the notable Gwebs WebmailSafety software. I have more than 50 people in my address list there, and all the email we’ve sent back and forth is stored on Google’s servers is encrypted using a RSA+AES mixed cipher. I’m definitely not worried about Facebook searching or selling my email, because they can’t understand a word of it.

So after I gave my password to Facebook, those 50-odd received their invitation letters, and after 30 minutes I changed it back. Everything was alright, and now Facebook and don’t owe each other anything, nor do we have to be concerned about one another.

I also used the same method to register at the domestic (mainland Chinese) social networking site XING.com, without any apparent danger to my privacy or data. My advice when dealing with commercial web service companies like this is not to trust them lightly. Their promises to you don’t mean a thing, and it’s never a bad idea to have some basic self-protection in place.

So take my advice, especially if you’re one of those people who haven’t invited their email contacts because you’re afraid of your email being searched or revealed.

Italicized text added by translator.

Encrypting his email, we approve of, and using our product to do it, we approve of even more. But another important step he’s taken is:

Before uploading my password, I changed it to 123456…and after 30 minutes I changed it back

This is very important, because people are often predictable when they create passwords, and even if you use “rules” to create less breakable passwords and change them regularly, if someone gets a sample or two of your work, they can figure out your formula, and you’re right back where you started. Change your password to a no-brainer before giving it to someone, and change it back as soon as possible.

The best advice here, though, is not to let a company that makes its living by selling highly specialized user data to advertisers rummage through your inbox. Using Gwebs WebmailSafety; which is free, remember; or any of the other programs on the market means that your email is safe from advertisers as well as hackers.

Security, email, encryption, marketing, passwords, personal, privacy address book, data mining, email, encryption, Facebook, password guessing, privacy, XING.com

Cnet.com is running a news article on our fifth amendment rights entitled “Judge: Man Can’t be Forced to Divuldge Passphrase.” I thought this was noteworthy because, as I argued just last week, being forced to reveal passkeys is tantamount to self-incrimination.

encryption, government, law, passphrases, passwords

One of the reasons we (yes, it’s a we now) at the Cryptographer are in this business is because we get to laugh at the messes we ourselves will never get into. Take, for example, Guo Li, a Hangzhou lawyer whose email was inadvertently “hung out to dry” online by Baidu (China’s search giant) and WanWang (one of China’s largest hosting providers). He sued for 1,000,000RMB (around $120,000), and the results speak for themselves.

I have translated the following article specifically for this blog.

Private Emails “Hung Out to Dry” for a Month, Victim Sues Baidu for
Violation of Privacy.
8-12-2007 3:35 A.M., Beijing Morning Post
After his private emails hosted in a Baidu (百度) account were posted online for more than a month, Hangzhou lawyer Guo Li (郭力) decided to sue Baidu Inc. and email services provider WanWang (万网) for 1,000,000 yuan in damages, claiming his communication privacy rights were violated. A judgment will be issued tomorrow at the Haidian District Court on this so-called “national precedent-setting email privacy case.” Guo Li stated at the conclusion of the trial, “It’s entirely possible to look into other people’s inboxes online, I’ve searched the information myself. This won’t be the last trial of this type.”

Read more…

Security, email, encryption, government, law, personal, privacy Baidu, email, email server, Internet Security, law, lawyer, privacy, search engine, Wanwang, 万网, 晒, 海淀区, 百度, 郭力, 金道律师事务所

Two news stories caught my attention this weekend. The first, “Wider Spying Fuels Aid Plan For Telecom Industry,” [NyTimes.com] is a great article describing the state of the NSA wiretapping investigation.  Most of my readers will have heard of the secret room at AT&T’s San Franscisco offices, which was built to mirror ALL of the data going into and out of AT&T. But the reporter for this excellent article turns up a ton of new information.

The N.S.A.’s reliance on telecommunications companies is broader and deeper than ever before, according to government and industry officials, yet that alliance is strained by legal worries and the fear of public exposure.

To detect narcotics trafficking, for example, the government has been collecting the phone records of thousands of Americans and others inside the United States who call people in Latin America…. The program dates to the 1990s, according to several government officials, but it appears to have expanded in recent years.

Terror, the government’s (not very good) excuse for renegigng on the 4th amendments promises of personal security, has nothing to do with drug trafficking.

In addition the article points to some further previously unknown facets of the government’s spying. A dedicated fiber optic cable mirroring all of Verizon’s traffic appears to have been uncovered during lawsuit depositions.

[what the accusing Verizon employee saw] “was decisive evidence that within two weeks of taking office, the Bush administration was planning a comprehensive effort of spying on Americans’ phone usage.”

The same lawsuit accuses Verizon of setting up a dedicated fiber optic line from New Jersey to Quantico, Va., home to a large military base, allowing government officials to gain access to all communications flowing through the carrier’s operations center. In an interview, a former consultant who worked on internal security said he had tried numerous times to install safeguards on the line to prevent hacking on the system, as he was doing for other lines at the operations center, but his ideas were rejected by a senior security official.

It doesnt say why his safeguards were rejected, but if the government is viewing all our telecommunications, that is bad enough - if they are negligently making that information available hackers, that is an even grater cause of concerns.

Security, government, law, privacy at&t, government, NSA, ny times, privacy, secret room, verizon

Check this out: To send relatively secure email (encrypted using weak encryption) to someone who doesn’t have WebmailSafety, (or any other encryption software, ) installed:First, enter some text to encrypt and click encrypt:

Copy the resulting text into your email or IM client or post it on your blog or whatever, and then tell your friends/readers/im buddies the password by some other method, and youve got yourself quick and dirty encryption.

encryption, fun encryption

I Just came across this article on why you should encrypt all your Google activities. The author notes that Google, like most other sites, doesn’t encrypt your connection data…

Google, like most other similar services, encrypts login traffic but not your content. So the moment you’re signed in they switch to plain-text communications and send everything to you in the open.

This means your mail, the news sources you read, your calendar events — are all able to be read by someone with access to any part of the network between you and Google. This could be your employer at work, the wireless network at your local coffee shop, whatever. This isn’t good.

And his commentors note a few things you can do about it:

1) log in to https://mail.google.com/mail (note the httpS://, the s stands for SSL)

2) Install the “Customize Google” Firefox Add-On to force the use of https for all google services. Also check out “Better gCal,”  and “Better GMail 2”

3) One user suggested  Google Secure Pro.

Security, email, google, privacy email, encryption, google, software

Here is an article on law.com titled Think Before You Send that all my readers should take a look at.

From the article

“Don’t put this in writing, but … ” Those are the opening words of an e-mail that got the writer’s company in legal hot water. And there are plenty more where that came from.”

I mean, you must be kidding me. If you don’t want something in writing, don’t write it. And if you write it, encrypt it! Common sense, kiddies!

Security, email, encryption, government, law, privacy email, encryption

Today I was helping my mom setup new Gmail and AIM accounts, (now that gmail chat and AIM are linked, its essential to have an account on AIM and gmail, and to link them) and I was horrified to discover that she keeps all of her passwords, including her bank, email, credit card, web and domain hosting, and other crucial sites, in a word doc on the root of her laptop’s hard drive. AHHHHHA! What a recipe for disaster! “But what should I do?” she asked me. Her passwords are myriad, and all different (good), but she can remember none of them (bad!).

Here are several ways to keep your passwords safe (and the pitfalls):

1) Do like my mom, and keep all your passwords different, and in one “password file”, but encrypt that file with PGP, GWEBS WebmailSafety, or some other asymmetric encryption.

Pitfalls: A) You could forget your PGP password. B) You could lose your private key or your password file. C) Someone could steal your private key and your password file and guess your password. D) Someone could steal your password file and crack your private key.

Avoiding Pitfalls: A) Write down your pgp password somewhere, but don’t label it “PGP password” and keep it safe and long. B) Keep both a copy of your private key and your password file backed up and offsite, but not on someone else’s systems. C) Not likely, but again, you have to keep your password long and secure. D) Even less likely. Use a high bit rate algorithm. WebmailSafety, for example, uses 2048 bit RSA, and you would need to string together several of today’s most powerful supercomputers to crack that within your grandchildren’s life time.

2) Use a commercial password keeper, like Apple’s keychain or similar.

Pitfalls: these password keepers are only as secure as their implementations – and the user must decide which software to trust. Apparently Apple’s keychain is pretty secure, but you should always find out as much as you can about critical security software.

3) Use several passwords that you can remember, but different passwords on important or often-used sites. And never write any passwords down. For example Password A for email, password b for your online bank and password C for everything non-mission critical.

Pitfalls: The more you use a password, the less secure it is, and the more places you use, the less secure it is.

Avoiding pitfalls: For daily use and important passwords, choose long, strong, and hard to guess passwords, enter them manually and change them often. Daily use passwords are easy to remember because you are entering them all the time, and repetition breeds memories. Your non-mission critical passwords may be guessed, and if the intruder guesses one, they know them all, but again, these passwords are non mission critical, so this isn’t such a big problem.

Well, there are three solutions that I recommend. This is a big topic, so I look forward to user comments. Tell me what you do. How you keep your passwords secure, and if I missed some pitfalls, help me fill those in too!

PGP, passwords, personal, privacy encryption, IT, PGP, Security

I am in LA visiting family for a few days – flew here Sunday – and am flying back to Beijing, via Seoul, on Thursday. My grandmother died. She was 92 years old, and lived a thoroughly long and heroic life. Her funeral service today was beautiful. My stepfather, a lawyer who takes two days off a week and is studying to be a rabbi intoned a beautiful prayer, my uncle Mark, a violinist, hired a solo cellist, and that performance too was haunting. My mother, her two brothers, my grandma’s rabbi, and several others, all eulogized my grandmother, and though I have asked her and others to tell me her personal history many times, today I got the most complete version of the story.

Elizabeth (Lisl) Shapiro was born in Budapest, Hungary in 1915, at the beginning of a time of great change and disaster in Europe. Her father, an engineer, was summoned to Moscow to work on the construction of that city’s subway, and Grandma began medical school there. When Stalin arrived, they moved to Vienna, but then Hitler decided to pay a visit. Her father was interned at Dachau, but her mother found a way to get him out. At that time everyone realized it was necessary to leave Austria, but everyone in the family had been born in different countries, so getting visas together was impossible. I don’t know where everyone else went, but grandma’s uncle, my name-sake, got her a visa to come to London as a domestic servant (just in time for The Blitz) and, so the story goes, she began knitting diamonds into hollow sweater buttons to provide exiles with a means of carrying their wealth with them when they fled the Third Reich.

When grandma went to London, her brother Otto found his way to Trenton, NJ, and when the time came, he found a way to bring her over. There, she met my grandfather at a party, where he was playing violin, and the two moved to Hollywood, where my mom and my two uncles were born. They then moved to Inglewood, and there my grandma stayed until she was 90.

personal