Archives for category: Security

Here is an interesting piece of ethical gymnastics: Self-defence is justified, but self-defence with a gun is not.

I am a proponent of gun ownership, firearm safety, and the right to self-defence. If a person is willing and able, they should responsibly own a gun, know how to shoot it, and use it to defend themselves and their family in the unlikely event that the need arises. If a person is put in that position, they should use the most effective tool available.

While this is my position, I can understand if someone makes the argument that we should not defend ourselves, but hope for the police to arrive in time to defend us. This, in my opinion, is stupid beyond reason; but I will allow that a consistent person might make such an argument.

Then there is an intermediate position. Self-defence is fine, so long as you use an object not solely designed for that purpose. Steak knife: valid defensive implement. Katana: not valid. Shot-put: valid defensive implement. Shotgun: not valid. Crowbar: valid defensive implement. Morning-star: not valid.

What is needed here is simplification. Either I am justified in defending myself and my family, or I am not. If I am, then let me worry about the appropriate tool for the job. 😉


Here is a story that evokes memories of the excellent WWII cryptography book, Between Silk and Cyanide: Sabu, the leader of LulzSec, posted to an IRC server without going through his Tor client. This was all the information the Feds needed to track him down. As part of a plea deal, he has been working with the FBI since last summer to help take down his fellow Anons. As a species of more law-abiding privacy nuts, what can we learn from this and related scenarios?

  1. Don’t have a set-up where you can unintentionally circumvent your anonymizing proxy.

    If you only allow the browser you use to access your anonymous blog/email/IRC account to connect to the internet via the Tor client, it is much more difficult to give yourself away. As an aside, if you find Tor to be of use, you may also want to consider deploying a bridge.

  2. Use HTTPS.

    The EFF has an excellent Firefox plug-in to help with this, called HTTPS Everywhere. If an HTTPS connection is available to a well-known server – e.g. WordPress – HTTPS Everywhere will cause the browser to use it. Here is a good article on Tor and HTTPS from the EFF.

  3. Keep various parts of your on-line life separate.

    In the old days this might have been done with a separate computer for your anonymous blogging. Now you can use virtualization tools like the VMware Player or VirtualBox. Just set up separate virtual machines for blogging and regular browsing.

  4. Avoid personally identifiable information.

    As we see in the second LulzSec story, it is particularly easy to reveal details about your life that would allow an attacker to deduce your identity.

  5. Block Flash and JavaScript.

    Flash cookies are bad for privacy, and Flash is notorious for its security vulnerabilities. If you want to watch YouTube, run it in a separate virtual machine.

  6. Don’t do anything you wouldn’t sign your name to.

    It might be tempting to use your power for evil. Trolling other people’s blogs, vandalizing other people’s servers, etc. Restrain this urge. Remember the tragic story of Sabu.
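For tip 1, a way to check that the rule is actually holding: the added example below (not part of the original post) scans `ss -tnp` output and flags any established TCP connection from a program that is supposed to be Tor-only but is talking to something other than the local Tor SOCKS port. The program names in `TOR_ONLY`, the sample connection lines and the default `127.0.0.1:9050` SOCKS address are assumptions made for the illustration.

```python
import re

# Assumption: Tor's SOCKS listener is on its default address, 127.0.0.1:9050.
TOR_SOCKS = ("127.0.0.1", 9050)
# Hypothetical policy: programs that must never reach the network directly.
TOR_ONLY = {"firefox", "hexchat"}

# Constructed sample in the layout printed by `ss -tnp`
# (peer addresses are taken from documentation-only ranges).
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 127.0.0.1:51234 127.0.0.1:9050 users:(("firefox",pid=2211,fd=88))
ESTAB 0 0 192.168.1.20:40112 203.0.113.7:6667 users:(("hexchat",pid=2300,fd=12))
ESTAB 0 0 192.168.1.20:43990 198.51.100.9:9001 users:(("tor",pid=901,fd=14))
ESTAB 0 0 192.168.1.20:50500 198.51.100.80:443 users:(("curl",pid=2400,fd=5))
"""

# Matches each ("name",pid=N entry inside the users:(...) column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def split_endpoint(endpoint):
    """Split 'host:port' (or '[v6addr]:port') into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def find_leaks(ss_output, tor_only=TOR_ONLY, socks=TOR_SOCKS):
    """Return (program, pid, peer) for Tor-only programs connected elsewhere."""
    leaks = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header and anything that is not an established connection.
        if len(fields) < 6 or fields[0] != "ESTAB":
            continue
        peer = split_endpoint(fields[4])
        for name, pid in PROC_RE.findall(fields[5]):
            if name in tor_only and peer != socks:
                leaks.append((name, int(pid), fields[4]))
    return leaks


if __name__ == "__main__":
    for name, pid, peer in find_leaks(SAMPLE_SS):
        print(f"LEAK: {name} (pid {pid}) connected directly to {peer}")
```

This is a point-in-time check of TCP only; it does not see DNS lookups sent over UDP, and it reports a leak after the fact rather than preventing it.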

Just a brief post tonight. After reading this article on Ars Technica on how members of Anonymous were infected with the Zeus trojan, it struck me again how unsophisticated those taking part in the Anonymous movement actually are.

The fact that they were running an executable infected with a trojan is understandable. That can happen to the best of us. What is noteworthy is the fact that the trojan was apparently successful at stealing things like passwords and credit card info. Why did they trust this code to run in the same environment that they use to make financial transactions? I have trouble doing that with most legit and moderately trusted software.

The answer is that they did not know any better, or that they did not know of any way to mitigate the risks that they were taking. It is clear that – at least for the most part – they are script kiddies who barely know what they are doing. Does this make them any less destructive? No.

Though Anonymous is composed of a large mass of unsophisticated components, when working in concert they can still wreak a great deal of havoc.

I just thought that I would throw in something for a change of pace. As you may or may not be aware, there are all sorts of things going on beneath the surface of your browser. Most are fairly innocuous, such as using JavaScript or Flash to improve the appearance and usability of a website. Other things are not, such as tracking the browsing habits of users without their knowledge, exploitation of browser and plug-in vulnerabilities, cross-site scripting attacks, and the like.

If you are not already using them, I would like to introduce you to two great Firefox plug-ins. The first is WOT, and the second is NoScript. You can think of WOT as a warning light to keep you out of the bad neighbourhoods of the internet, and NoScript as an armored personnel carrier to keep you safe if you do stumble across something you shouldn’t.

WOT is a handy add-on that provides a number of useful features. A circular ring next to the navigation bar lets you know how much other users trust the current page you are visiting. It ranges from a dark green for trusted, to bright red for sites you should probably avoid. Additionally, these rings show up next to your search results in Bing or Google. If you set up a WOT account, you can rate the sites you trust and distrust, sharing your experience with the rest of the community. If you have something against Firefox, it is even available for a variety of other browsers.

NoScript is a somewhat more potent solution. It allows you as a user to decide exactly what sites you want running dynamic content in your browser, and stops everything else by default. It is up to you as a user to determine what domains you want to allow, so it will be a bit jarring at first. This will soon pass as you add more of the trusted domains you regularly visit to the white-list.

There are a variety of things that you can do to have a progressively more secure and private on-line experience, but these Firefox extensions are simple and have a high rate of return. Enjoy.