Tag Archives: security

Free Kiera Wilmot

A young woman conducted an unauthorized science experiment with an unfortunate result. At school early, before morning bell, she was in the lab and mixed some common household chemicals in a bottle. There was a small explosion that injured no one.

She has been expelled and is being charged with a felony.

I am Kiera Wilmot. I was enthusiastic and bored in high school. I did unauthorized experiments, some of them very very stupid. I was well known as a smart person who did very very stupid things in high school.

I was not expelled or arrested, I was given guidance and understanding and was often yelled at for doing stupid dangerous things. The authorities at my school did not screw up my life by putting a felony on my record or kicking me out of school. I stand with Kiera and other troublemakers.

As a former troublemaker and soon to be parent of a future troublemaker I am very worried about the zero tolerance policies at our schools. They are crazy and would leave me a drain on society instead of a productive taxpayer.

The ethical car is a deathtrap

Non-nerds are talking about machine ethics because Google’s driverless cars show up in a New Yorker essay:

Within two or three decades the difference between automated driving and human driving will be so great you may not be legally allowed to drive your own car, and even if you are allowed, it would be immoral of you to drive, because the risk of you hurting yourself or another person will be far greater than if you allowed a machine to do the work.

That moment will be significant not just because it will signal the end of one more human niche, but because it will signal the beginning of another: the era in which it will no longer be optional for machines to have ethical systems. Your car is speeding along a bridge at fifty miles per hour when errant school bus carrying forty innocent children crosses its path. Should your car swerve, possibly risking the life of its owner (you), in order to save the children, or keep going, putting all forty kids at risk? If the decision must be made in milliseconds, the computer will have to make the call.

Heady stuff, right?! We must not be allowed to drive our cars because machines can drive them better. We’ll get standards for car ethics from a government agency.

I’m reading Bruce Schneier’s excellent “Liars and Outliers” so let’s look at this from a security perspective. If you have mandated ethics for machines, I understand that as a single set of rules that cars have to obey. We would have to decide, as a society, if it is better to save ourselves or kill the 40 kids. We have to come up with an algorithm that a machine could use that we could agree with.

The trouble is, this isn’t how ethics work in our brains. Our minds aren’t algorithms. They are a quorum. We make decisions by having different parts of our brain shout their opinion. Self preservation shouts. Pity shouts. One of them shouts louder and that’s how we decide to swerve off the bridge. Or that’s how we end up living with our decision.

So this isn’t how you’d get a machine to make a decision. You need a replicable algorithm, something that you can hold up in court to avoid liability. The problem here is you have a system – and those are hackable. Hackable systems get hacked.

What happens when the choices your car will make are all predictable? People don’t have a regular response to situations, they are very variable. Your ethical car will be making predictable responses to situations. Predictable responses are easy to manipulate. So you can expect hacking of those situations. You can expect people to manipulate the ethical responses of your car to their own ends – and you won’t have an input because you aren’t as trustworthy as a car.

But this is kind of a smokescreen, isn’t it. The article isn’t really about the idea of driverless cars having to make decisions. Driverless cars can’t make a decision between the bus full of kids and your own life. So what is this article really about?

Passwords – hard to do, important to get right.

Over on Staunchly Technical, Nate gives a rundown of his password scheme:

“Unique” memorized password: Google, Password manager(s), home server (exposed to Internet).

  • These are “master key” systems – if these are compromised then the hacker effectively has the ability to get my password to anything else. As a result, the password for these is not used on anything else (really, I ought to have a separate pw for each of these, but since they’re all so unrelated I’ve just got one for all 3).

Random stored individual passwords: All things potentially damaging (banks, brokerages, prosper, IRA, etc)

  • These are randomly generated 10-character passwords – they might get sniffed, but they’re not going to get hacked. These get saved in the Firefox password DB and are also in my password manager program (Keepass, for anyone who cares)

Work password: all things work-related

  • Everything I do at work requires me to change my password every 3 months – since I have trouble with multiple passwords anyway, I just set them all to the same thing. Only one of them can be accessed from outside the intranet anyway, and my VPN is protected by a keyfob.

Easy (but still relatively secure) non-changing password: social networks and anything else that can’t cost me money or too much heartache.

Useless password: sites that I really don’t care about and/or don’t trust.

Nate’s a really smart guy, so he wouldn’t be spending all this time thinking and writing about it unless it was important.  Why is he using so many different passwords?

What’s going on here

He’s segregating them into security zones.  The most important one is his email or his password system manager.  If someone gets the key to his email they can reset passwords to his bank or investment accounts and the password reset email goes where?  That’s right.

When Gawker’s poor security and  taunting of 4chan led to the usernames and passwords of every user being posted online, it was a very big deal.  Most people use the same username in many places – because they want a sense of identity and reputation that can follow them around.  Or maybe it’s just easier to remember.  That’s probably why most people use the same password everywhere.  Like their bank and gizmodo.  So those folks are having trouble.

Not Nate.  All they can do is post nasty comments on social networks under his name, and he can reset the password and get past that.

Also, not me.

My Suggestion

I tend not to use the same username on every website.  I register something using the site itself as a key.  So if my email is mk @ gmail.com (it isn’t) I would just use the gmail “name+” trick to register at lifehacker as mk+lifehacker@gmail.com. This lets you know who is selling your email address  or getting hacked into.

I manage my passwords differently, in a way you might use.  I use a passphrase and then I use select letters from the site to construct a unique password per site.  Like so:

My passphrase is a memorable poem or sentence. Let’s use the first two lines of Yeats’s The Second Coming

“Turning and turning in the widening gyre,The falcon cannot hear the falconer”

I take the first letter of every word to make my password: “TatitwgTfchtf”

That’s a big password and easy to remember!  But you want your password to be unique across many sites.  Let’s do that by pulling the site into it.

Lifehacker has 6 consonants and 4 vowels.  Let’s add those on to the end and the beginning: “6TatitwgTfchtf4”.  Even if someone gets your password and knows another account of yours, you have a unique password at the other account.  You could also put the first and last letter: “LTatitwgTfchtfR”.  Whatever you want to put a little extra randomness in the mix.

Want to see how strong your current favorite password is?  Go to the MicroSoft password checker and try it.

Practice good password safety – I don’t want to get emails from your account asking me to help split up your Nigerian fortune.

https://www.microsoft.com/protect/fraud/passwords/checker.aspx?WT.mc_id=Site_Link

Volunteer Your Computer to Keep Privacy Possible

The good folks over at Wild Bee have an excellent article about how you can use your computer to help the world while you sleep. Lotsa people run SETI@home – I think it is because of the screensaver. Instead of a looking for aliens, you could help political dissidents in repressive regimes, protect anonymous whistleblowers, and even protect our intelligence agents overseas. Install TOR and volunteer your computer for global privacy.

An explosive tale about airport security

I really really dug this post about carrying gunpowder through airport security.

You can’t create a secure airport that is worth traveling through.  The solution isn’t to figure out every possible way that people can attack airports and prevent those…  That’s an insolvable problem.  A better way is to find people who are trying to hurt us and deal with them in a legal, just way.

People who are trying to hurt us face many of the same problems we do.  They need networks, support, materials, etc.  They also recruit and are looking for moral support.

These seem like much richer avenues of investigation.

How to get around a proxy system

This sounds complicated but it is really simple.  That it is so simple is why the internet is amazing and awesome.

from flickr user Bright Tal with a CC licenseProxies are used by people in positions of authority who want to control what you view on the internet.  Such groups include the governments of Turkey and China.  Also, the internet security team of most major corporations.  Some of these motives are good:

  • Blocking you from visiting websites that will infect your computer with spyware.
  • Blocking you from looking at naked people at work and totally creeping your coworkers out.
  • Blocking you from using webmail or instant messaging to communicate with customers in insecure ways or in ways that can’t be audited for a lawsuit.

Some of these motives are bad:

  • Blocking you from learning about problems at the group.
  • Blocking you from “wasting” company time or resources.

Generally you will eventually find a situation where you want to look at a website that has been blocked improperly.  I’ve often seen sites that discuss internet security vulnerabilities classified as “hacking” – but I need to know if those sites affect my work.

kindly sourced from flickr user Dazzie DWhether your intentions are pure or not, here is a simple way to give yourself internet freedom.

Download CGIproxy and install it on something that faces the unfiltered internet.  This might be your web host if you have one.  If not, you can install a web server on your home computer.  It is easier than you might think, and with DynDns, you can have your own domain name for your home computer.

You are done.  Now you can navigate in your browser to where you installed CGIproxy.  It will surf the sites you are blocked from.   Doing that is a hassle, though.  You have to go to CGIproxy when you want to go to a different site.  Lame.

Let’s make it easier through the magical power of bookmarklets.  We will put two little buttons in your browser that let you proxy blocked sites and unproxy them when you are somewhere safe again.

I wrote up a little page for you that generates proxy and unproxy bookmarklets for CGIProxy.  Go there, put in the URL of your CGIproxy, and choose your options.  I’ll automagically generate the bookmarklets for you.  You just drag them up to your browser quick links and now you have the keys to the kingdom.

Let me know if anything isn’t clear – I did the extra work so that it could be useful for you.

BangoWhatthehell

I am intrigued by this weird advisory on cryptome, keeper of, if not all, then at least exclusively, things you are not supposed to know. There’s no attribution, no explanation, and no other mention of this on the web.

The very short gist is:

Avoid the treacherous anonymous web browser, bangotango.com. It is harvesting unwary user addresses. It is operated by triumphpc.com as a law enforcement/intelligence sting.

It would be an interesting concept, if only because it has such problems with the idea of entrapment. The idea that the some agency could make the promise of proxied worry free browsing, even going so far as to include the text of the 4th amendment on the website, and then use evidence gathered there in court is boggling.