A few readers might be interested in this article about eReader privacy from the EFF.
Sadly, the privacy ratings for the eReader that many people are considering or already have is not included in the chart or article. If you have an eReader device and use the most popular reading softwares on it, chances are that what you read is being tracked and shared more than you'd like. I haven't seen any tinfoil hats available to block the eReaders from reporting back to the home office that don't also break the features. If you care about personal privacy, the 1 pg article is definitely worth your time.
Found myself needing a specialty product for that XBMC computer recently. Spent a few days doing research, thinking about it, then finally ordered directly from the main US distributor after getting an email from their sales team explaining a particular add-on that was required.
The cost for the items was reasonable, perhaps even a good value, we shall see, but when the shipping charges were displayed, something was wrong. I’m used to free shipping for my online orders, so seeing a $70 shipping option seemed completely out of place. Here’s the exact shipping prices offered:
- Next Day Air – $69.47
- UPS 3 Day Select® – $24.20
- UPS2Day – $31.24
- UPSGR – $10.92
Toggle a switch to see other shippers, USPS in this case:
- USPS Priority (Domestic) – $9.62
UPS is sticking it to the little guys, unless this company has a $5 base handling charge. Priority (if it fits, it ships) seemed like the best answer and arrived quickly across the country.
Do people really pay $70 for next day shipping of tiny objects? I still have this idea of a FedEx envelope costing $12 for overnight shipping. Maybe the prices have increased? These items would easily fit into a padded FedEx envelope.
What do you typically pay to get something that fits in a padded envelope shipped?
We’ve all felt screwed before. Today, I’m listing the computer/tech items that I felt unsatisfied buying after a little use. These items really go beyond unsatisfied and enter into the completely screwed over or forever hate category.
Watching Olympics on NBC
I’m addicted to Olympics. I admit it. As I watch them on my OTA setup, the fluffers, you know, the announcers between sports, are constantly saying to watch all the events Live by visiting nbcolympics.com. I’ve been there a few times and been disappointed.
Sorry, this becomes a rant.
A few years ago, I dropped an expensive cable TV plan to get limited basic service. This is just the local channels, public access and a few shopping channels. No CNN, no basic cable channels, just the local broadcast ones – or at least close enough. The cable TV bill is $29/month for this, which sucks. In total about 25 stations come in, but 10 are shopping channels and 5 are wacko religious channels – you know, the channels you remove from the TV? Yep, those.
Below I’ll detail my antenna trials and more importantly what I think I’ve learned about antennas that none of the sites with the plans talk about.
In short, we were getting 19 channels, but now have
58 66 (Dec 2013 update).
Where is Curiosity?
When you lose a smartphone, all sorts of personal and proprietary data may become available to the finder/thief. Recently, a friend had a smartphone that I’d given to him stolen, so some of my personal and proprietary data may have been on that device still. Below I’ll attempt to outline what we should have done. This is very much a work in progress, but my quick searches for best practices smartphone loss returned nothing current or useful to an average person.
There was lots of best practice information for corporate devices on the internet. Buy this add-on for policy management, password complexity mandates, whole device encryption. None of this will help a soccer mom or a small business traveler overseas. We’ll try to work through what normal people can do to protect their devices, their data and make a lost or stolen device nearly useless to a thief.
A smartphone today is more powerful than a desktop computer from 10 years ago. This means these are extremely well-connected and valuable devices for you, me and thieves.
Let’s get started. I can’t ensure that any of these features or techniques will be available on your device or in the operating system that you phone runs. I’m only familiar with GSM phones, not what Verizon or Sprint use. Apple devices are a complete mystery to me. Do your own research for your device’s capabilities.
There are many different types of passwords. Some are for a financial institution and others are for blog comment websites and others are for your email accounts. Not all of these need to be 100% secure, but it would be easier if they were. If someone gets into a blog or forum account, so what, provided you have different passwords for each login. Good password management works. OTOH, if they get into your primary email account, that will provide access to almost every other account, including financial ones, with just a little effort. It would be best if there aren’t any breaches for these sensitive accounts – either through password cracking or other back-end cracks that we hear about weekly. That’s the ideal world. Reality is a little different.
The problem isn’t just about cracking your passwords today. The smarter cracker will retain your encrypted data/packets so they might be decrypted/cracked in the future. Yes, we need to protect our sensitive data not just for today, but for the next 20-40 years when 256-bit encryption will be trivial to crack. Perhaps protecting it for our lifetime is the best practice?
So, what can we do to minimize the future risks?
I love KeePassX and the cross-platform versions of this password manager, so I try to always use a long, complex, random, generated password for most of my needs. Sometimes a website limits the complexity to only 20 characters or just letters and numbers, significantly reducing the strength of the crypto alphabet. To counter act those limitations, I’ll try to use a nonsensical userid too. There are lots of other uses for a password manager that might be useful.
All this is stored inside a KeePassX database and automatically replicated to 4-10 different systems daily. The actual number changes since not all of them are always available. It is also backed up on many of these systems daily with 30 or 90 or 365 day versions available. The DB will not be lost. I would be sad if it became corrupted on my main system that I consider read-write, but any of the read-only versions are good enough too, if something bad happens.
High Value Targets
With all this data stored inside a file, that means my cracking just that 1 file, everything important to me can be known. It is a very high-value target. Lots of people do this with their password databases too. They trust the strength of the encryption as the only protection.
That is a false sense of security. Here’s why. Just because some encryption cannot be cracked today, that doesn’t mean it can’t be cracked in 5 or 10 or 15 or 30 years. Anyone with a copy of the old file can crack it years later and gain access to sensitive data or passwords. It has been reported that the NSA has been recording SSL data packets on the internet for years – not because they can crack the crypto today, but for when they can crack it, then all that traffic will become available.
Keeping It Safe
There is no way to keep the data safe once it gets out, even if encrypted. At some point in the future, our 4096 AES encrypted data will be as easy to crack as anything encrypted with ROT13 is today. The point is that any current encryption will be trivial to crack in the future. Count on that. Here are a few steps to limit your exposure. You’ve probably heard most of them before:
- Use the strongest encryption possible.
- Use the longest keys/passwords possible, everywhere, not just for important data.
- Change your high-value passwords periodically, annually is probably often enough, unless there is a breach.
- Follow good password creation practices – which has been written about everywhere recently. There is no substitute for length.
- Try to prevent leaks of your passwords and password manager DB – don’t tempt fate.
- Other Techniques for Secure Passwords
About Future Cracking
Any encrypted packet, file, whatever-data, is only as secure as the crypto, passphrase, AND lack of access to the raw data can make it for your lifetime. In the future, we must assume that all our current state-of-the-art encryption will be cracked and the currently protected content will be available.
I use to offer my KeePass-database to anyone to show how confident I was in the crypto. That was stupid. Fortunately, nobody ever took a copy … unless it was on a USB flash drive I was sharing and they grabbed it without my knowledge. I can’t think of any of those people who are likely to spend more than a few hours on the file before deleting it. I could be wrong.
The file was also stored on a smart phone that was brazenly stolen during a recent trip overseas. It is out there now and forever. The smart phone had been reset to factory settings the day before the theft, SIM removed and the external SDHC memory was removed, my google account was not connected to the phone, but doing all that doesn’t remove all the data stored on the internal SDHC media. Some data is left behind, including my KeePassX database and a few photos. Of course, I had a strong passphrase on the DB, the phone was locked, but still, the general data on the device, not encrypted, could be recovered. I am not panicked about this, but I will be changing all the passwords over the next few months just to be certain. Obviously, the passphrase for KeePass has been changed too.
Don’t you just love reading about governments making stupid assumptions about people? No? Me neither.
It seems many people may be terrorists by doing things that are
- perfectly legal
- required due to other stupid government laws
- necessary to ensure privacy
Here’s the news article to provide some background on the FBI and DoJ thoughts.