From the category archives:

security

AddThis.com Widget Privacy Warning

I used to use the AddThis bookmarking widget, because it let users add content to many different services and didn’t look too cluttered.

My friend JC forwarded me an email from the WWWAC list. AddThis was bought by ClearSpring last month. Starting yesterday, they are slipping a ClearSpring Flash tracker object into all your pages. Like all Flash trackers, these use cookie-busting LSOs to track users across all websites that use AddThis or ClearSpring technologies:

These cookies are not visible in the normal privacy options windows of users' browsers and cannot be cleared using the browser's Clear Private Data (Firefox) or similar privacy options. These cookies also work across all browsers on the machine, as Flash stores these LSOs in a single location.

There’s more info at JohnHaller.com. He’s the author of the Portable Firefox program.

I’ve removed the widget from my blog and Lolita Wolf‘s blog, and suggest you do the same.
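The practical problem with Flash LSOs is the one the email describes: they live in one per-user directory that the browser's privacy tools never touch. The script below is an added example (not code from AddThis, ClearSpring or this blog) that inventories which domains have stored Flash cookies and clears the ones you name. The default directories are the documented Flash Player locations for Windows, macOS and Linux; the sample tree it builds for the demo is constructed, and the placeholder bytes it writes are not real .sol payloads.

```python
"""Inventory and clear Flash Local Shared Objects (Flash cookies).

Added example, not code from the original post or from AddThis/ClearSpring.
Flash Player keeps every site's .sol files under one per-user directory
(shared by all browsers on the machine), which is why "clear private data"
in a browser never removes them.
"""
import os
import sys
import tempfile
from collections import defaultdict
from pathlib import Path


def default_shared_objects_dirs():
    """Return the documented #SharedObjects directory for this platform."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("APPDATA", home / "AppData" / "Roaming"))
        return [base / "Macromedia" / "Flash Player" / "#SharedObjects"]
    if sys.platform == "darwin":
        return [home / "Library" / "Preferences" / "Macromedia"
                / "Flash Player" / "#SharedObjects"]
    return [home / ".macromedia" / "Flash_Player" / "#SharedObjects"]


def inventory_lsos(shared_objects_dir):
    """Map each domain that stored a Flash cookie to its .sol file paths.

    Layout is #SharedObjects/<random id>/<domain>/<any path>/<name>.sol,
    so the domain is the second path component below the root.
    """
    root = Path(shared_objects_dir)
    by_domain = defaultdict(list)
    if not root.is_dir():
        return {}
    for sol in root.rglob("*.sol"):
        parts = sol.relative_to(root).parts
        if len(parts) < 3:
            continue  # unexpected layout: skip rather than guess a domain
        by_domain[parts[1]].append(sol)
    return dict(by_domain)


def clear_lsos(shared_objects_dir, domains):
    """Delete the .sol files belonging to `domains`; return how many were removed."""
    removed = 0
    for domain, paths in inventory_lsos(shared_objects_dir).items():
        if domain in domains:
            for p in paths:
                p.unlink()
                removed += 1
    return removed


def build_sample_tree(base):
    """Constructed sample: three sites' LSOs laid out as Flash Player would."""
    base = Path(base)
    for rel in ("ABCD1234/addthis.com/static/tracker.sol",
                "ABCD1234/clearspring.com/widget/id.sol",
                "ABCD1234/example-video.com/player/volume.sol"):
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x00\xbf")  # placeholder bytes, not a real .sol payload
    return base


def demo():
    """Exercise both functions on the constructed tree in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        before = sorted(inventory_lsos(tmp))
        removed = clear_lsos(tmp, {"addthis.com", "clearspring.com"})
        after = sorted(inventory_lsos(tmp))
    return before, removed, after


if __name__ == "__main__":
    for d in default_shared_objects_dirs():
        inv = inventory_lsos(d)
        print(f"{d}: {len(inv)} site(s) with Flash cookies")
        for domain, paths in sorted(inv.items()):
            print(f"  {domain}: {len(paths)} file(s)")
    print("constructed demo:", demo())
```

Run it as-is to see what your own Flash Player directory holds; the per-site settings Flash keeps under `macromedia.com/support/flashplayer/sys/` are a separate tree and are left alone here.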

{ Comments on this entry are closed }

Let’s talk security and why you should take advantage of Gmail’s recent SSL feature, and why you might want to be careful using other non-SSL webmail services.

But first, make sure your connection is secured using SSL.

How do you know a connection is secured by SSL? The handy “s” after “http” will tell you. For example, https://mail.google.com is encrypted while http://mail.google.com is not. You can force encryption by adding the “s” yourself, or by turning on “Always use https” in the Browser Connection settings of your Gmail account.


As soon as I read this, I turned on SSL security: Settings | General | Browser Connection | Always Use https.

{ Comments on this entry are closed }

Last month a US court ruled that border agents can search your laptop, or any other electronic device, when you’re entering the country. They can take your computer and download its entire contents, or keep it for several days. Customs and Border Patrol has not published any rules regarding this practice, and I and others have written a letter to Congress urging it to investigate and regulate this practice.

But the US is not alone. British customs agents search laptops for pornography. And there are reports on the internet of this sort of thing happening at other borders, too. You might not like it, but it’s a fact. So how do you protect yourself?

. . . So your best defence is to clean up your laptop. A customs agent can’t read what you don’t have. You don’t need five years’ worth of email and client data. You don’t need your old love letters and those photos (you know the ones I’m talking about). Delete everything you don’t absolutely need. And use a secure file erasure program to do it. While you’re at it, delete your browser’s cookies, cache and browsing history. It’s nobody’s business what websites you’ve visited. And turn your computer off – don’t just put it to sleep – before you go through customs; that deletes other things. Think of all this as the last thing to do before you stow your electronic devices for landing. Some companies now give their employees forensically clean laptops for travel, and have them download any sensitive data over a virtual private network once they’ve entered the country. They send any work back the same way, and delete everything again before crossing the border to go home. This is a good idea if you can do it.

If you can’t, consider putting your sensitive data on a USB drive or even a camera memory card: even 16GB cards are reasonably priced these days. Encrypt it, of course, because it’s easy to lose something that small. Slip it in your pocket, and it’s likely to remain unnoticed even if the customs agent pokes through your laptop. If someone does discover it, you can try saying: “I don’t know what’s on there. My boss told me to give it to the head of the New York office.” If you’ve chosen a strong encryption password, you won’t care if he confiscates it.
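The "secure file erasure" step above is easy to get wrong. The helper below is an added example (not code from the column or its author): it overwrites a file's bytes with random data for several passes, forces each pass to the device with fsync, then unlinks the file. The caveat a practitioner should know is that overwriting only defeats recovery on media and filesystems that write in place; SSD wear levelling, copy-on-write filesystems and journals can keep old copies, so full-disk encryption of the device remains the reliable control. The demo file it erases is constructed.

```python
"""Overwrite-then-delete for files that should not travel with you.

Added example, not code from the quoted column or its author. Works as
intended only where writes happen in place (classic spinning disks);
on SSDs and copy-on-write filesystems, rely on full-disk encryption.
"""
import os
import secrets
import tempfile


def secure_erase(path, passes=3, chunk_size=1 << 16):
    """Overwrite `path` with random bytes `passes` times, then delete it.

    Returns the number of bytes overwritten per pass so the caller can
    confirm the whole file was covered.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            os.fsync(fh.fileno())  # push this pass to the device, not just the cache
    os.remove(path)
    return size


def demo():
    """Constructed sample: write a marker file, erase it, report the result."""
    payload = b"CLIENT DATA 2008 - constructed sample\n" * 1000
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    written = secure_erase(path)
    return written, len(payload), os.path.exists(path)


if __name__ == "__main__":
    print("bytes overwritten per pass, payload size, still exists:", demo())
```

For browser state (cookies, cache, history) use the browser's own clear function first and then erase the profile directory the same way, since the browser rewrites those files in place while it runs.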


{ Comments on this entry are closed }

If you have a Google Mail account, you must read this. Please cross post!

A blogger alerted me to a potential security problem with Google Mail. As you probably know, Google Mail can be set up to send email from your other email addresses. You can also forward email to one account.

If you’re like me, you have several email addresses. A primary one, and a separate one for your blog activities. So these tools make it very easy and you don’t have to log in and out of multiple email accounts (or perhaps you use the Gmail Manager plug-in for your browser).

Gmail also lets you set your ‘reply preferences’ so that you can reply ‘as if’ from the forwarded address (http://tinyurl.com/ytb86h).

So let’s say I have an email account under my real name. Let’s call it ‘realname@gmail.com.’ And I have another email address for my blog. Let’s call that ‘blogname@gmail.com.’

I can have all that forwarded to realname@gmail.com, and reply from the realname address, thinking the recipient’s email will say ‘from blogname@gmail’ (or whatever ‘reply-to’ address you set up).

The recipient WILL get an email saying, ‘from blogname@gmail.com.’

Here’s what this blogger experienced:

Here is the problem: If the recipient *also* has Google Mail, my ‘realname’ email is automatically added to their contacts list, even though they’ve never received an email “from” my ‘realname’ account.

So there may well be people out there who are using one Gmail account as ‘primary’, which receives forwarded email from another account, who think they are replying to forwarded mail and think that the Gmail “reply as” function is preserving their anonymity, but it is not. Not if they are replying to someone with a Google Mail acct. The real Google Mail acct, the one they actually wrote the email from, will be auto-added as a contact to the recipient’s list of Google Chat contacts.

Most people (recipients) will not notice, not if they have had a Gmail acct for a long time–quick contacts only shows who you email most, and the new address will just be one on a long hidden list. If the recipient is someone with a brand new Gmail account, or someone who blocks contacts, it’s very, very obvious.

My friend who has more than one blog just answered a new sex blogger in this way, and got back an email saying, hey, are you also so-and-so? My friend called me and we checked this with my work Gmail, which I never list contacts on. Her ‘blogname’ address appeared in my contact function immediately when she emailed me, of course, but her primary one appeared there as soon as I replied to the ‘blogname’ address.

So this brand new blogger, a stranger to my friend, now knows about both her blogs. Fortunately it was only a blogging address and not one tied to her work, but it very easily could have been.

I did test this with another blogger and we weren’t able to duplicate it. However, we discovered something alarming. I added her ‘blogname’ address to my contacts list.

I then went into the Contacts list and pulled up this contact’s record and expanded it, by clicking on ‘Edit Contact’, and then ‘Add More Contact Info’. Under the ‘Personal’ section for email was listed her ‘realname’ address.

As soon as I figured this out, I went into ‘Settings’ and deleted all the other accounts I was managing from the primary account.

If you’re concerned about your privacy, you should, too.

I’ve written Google Mail to advise them about this issue. And I’m checking my Contacts list and expanding contacts to see if I see any other email addresses in a contact’s record. I’ve found one contact already where I can see their other email address.
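The contact auto-add behaviour described above happens inside Gmail, so no header check will show it. What you can verify yourself is the message itself: send a "reply as" test message to an address you control, save the raw source, and look at every header that carries an identity. The script below is an added example (not from the original post or from Google) that does exactly that. The sample message is constructed; its `Sender:` header is the standard field (RFC 5322 section 3.6.2) that mail services commonly add when a message is sent on behalf of another address, which is one way an underlying account name leaks.

```python
"""Report every address that a message's identity headers expose.

Added example, not code from the original post or from Google. Feed it
the raw source of a test message you sent to yourself; anything other
than the address you meant to send from is a leak.
"""
from email import message_from_string
from email.utils import getaddresses

# Headers that name a sending identity. Return-Path is added by the
# receiving side from the SMTP envelope, so it can differ from From:.
IDENTITY_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")

# Constructed sample of a "reply as" message, not a real capture.
SAMPLE_RAW = """\
Return-Path: <realname@gmail.com>
From: Blog Name <blogname@gmail.com>
Sender: realname@gmail.com
Reply-To: blogname@gmail.com
To: stranger@example.org
Subject: re: your post
Message-ID: <constructed-0001@gmail.com>

Thanks for writing.
"""


def exposed_addresses(raw_message):
    """Return {header: [addresses]} for every identity header present."""
    msg = message_from_string(raw_message)
    found = {}
    for header in IDENTITY_HEADERS:
        values = msg.get_all(header)
        if values:
            found[header] = [addr.lower() for _, addr in getaddresses(values)]
    return found


def leaked_addresses(raw_message, intended_from):
    """(header, address) pairs that reveal anything but the intended From."""
    intended = intended_from.lower()
    leaks = set()
    for header, addrs in exposed_addresses(raw_message).items():
        for addr in addrs:
            if addr != intended:
                leaks.add((header, addr))
    return sorted(leaks)


if __name__ == "__main__":
    for header, addr in leaked_addresses(SAMPLE_RAW, "blogname@gmail.com"):
        print(f"{header}: {addr}  <- not the address you meant to send as")
```

In Gmail, "Show original" on a received message gives you the raw source to paste into `SAMPLE_RAW`'s place.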

{ Comments on this entry are closed }

Steve Bass at PC World has a good blog entry about the ridiculous conviction of Julie Amero, a substitute teacher who was arrested when a PC riddled with pop-up adware began displaying pornographic photos in front of junior high school students.

I’ve been privy to private conversations with a dozen security experts (you’d immediately recognize many names), forensic examiners, and an attorney (one that I’d choose for my defense if ever I needed one).

Unfortunately, there’s lots I can’t repeat. However, what I can say is the consensus is that Amero is getting a bad rap for a lot of reasons. High on the list were a poor defense, a not-very-PC-savvy judge, and a school district that won’t take responsibility for having no current protection on the computer in the classroom. For instance, one forensic investigator who examined an image of the PC’s hard drive said the anti-virus program was ancient and the last time it was updated was in “August 2004,” and, he said, “hopelessly out of date.”

Right after my newsletter was posted, many of you asked what you could do. You can check the Julie Amero blog and consider helping by way of the Julie Amero Defense Fund.

Steve also urges readers to take action by emailing the people who have the power to drop the obviously bogus charges against this woman:

The State’s Attorney responsible for supervision of David Smith, the prosecutor in the Amero case, is Michael L. Regan. You might want to write him and strongly urge he help Smith file a motion to vacate the conviction. An e-mail to the Chief State’s Attorneys of Connecticut Kevin T. Kane and Connecticut Governor M. Jodi Rell can’t hurt, either. (There are more e-mail links on the Julie Amero site.)

If you write, however tempting, try not to go on a rant. Use your computing expertise — and a civil argument — and you’ll likely get better results.

The case has the public’s attention and it’s taken on an energy that won’t be stopped. Stay tuned.

{ Comments on this entry are closed }

Chelsea Girl has a great post about privacy: the magic bullet newsletter: or, how to remain an X file.

I know, I know. You haven’t changed your passwords recently.

Did you ever email or IM your password to a friend, to make a onetime change when you were out of town? Time to change it.

Do you use a really simple word, like ‘canoe’? A dear blogger friend used to use that as a password. Then I found out about it. Not anymore, he doesn’t.

IMHO, the best technique is called a compound password. You take two simple words, and interleave them.

Time to change them! Have fun with these password generators:

Secure Password Generator (Winguides)
Randpass.com
Password Generator (Bytes Interactive)
Java Password Generator for ‘pronounceable’ passwords

Make it even more random by adding numbers, making some letters uppercase, adding symbols, etc.

Be careful out there.
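The compound-password technique and the extras suggested above, as an added example that is not code from any of the generators linked: it interleaves two simple words, applies random case changes and inserts a digit and a symbol using the `secrets` module, and estimates how many guesses an attacker who knows the method would need, so you can see which step actually adds strength. The word list is a constructed stand-in for a real dictionary.

```python
"""Compound (interleaved) passwords, the suggested extras, and what each buys.

Added example, not code from the original post or the linked generators.
"""
import math
import secrets

# Constructed stand-in; real word lists run to tens of thousands of entries.
WORDS = ["canoe", "lemon", "river", "pilot", "stone", "maple"]
SYMBOLS = "!@#$%^&*"


def interleave(a, b):
    """The post's compound password: alternate the letters of two words."""
    out = []
    for i in range(max(len(a), len(b))):
        if i < len(a):
            out.append(a[i])
        if i < len(b):
            out.append(b[i])
    return "".join(out)


def strengthen(pw, rng=secrets):
    """The post's extras: random case, plus one digit and one symbol inserted."""
    chars = [c.upper() if rng.randbelow(2) else c for c in pw]
    chars.insert(rng.randbelow(len(chars) + 1), str(rng.randbelow(10)))
    chars.insert(rng.randbelow(len(chars) + 1), rng.choice(SYMBOLS))
    return "".join(chars)


def generate(words=WORDS, rng=secrets):
    """Pick two distinct words at random, interleave them, then strengthen."""
    a = rng.choice(words)
    b = rng.choice([w for w in words if w != a])
    return strengthen(interleave(a, b), rng)


def guess_space_bits(word_count, letters):
    """Bits of entropy against an attacker who knows this exact method.

    Ordered pair of distinct words: word_count * (word_count - 1).
    Interleaving is deterministic, so it adds nothing once the method is known.
    Case: 2 ** letters.  Digit: 10 values in letters + 1 slots.
    Symbol: len(SYMBOLS) values in letters + 2 slots.
    """
    combos = word_count * (word_count - 1)
    combos *= 2 ** letters
    combos *= 10 * (letters + 1)
    combos *= len(SYMBOLS) * (letters + 2)
    return math.log2(combos)


if __name__ == "__main__":
    print("interleave('canoe', 'lemon') =", interleave("canoe", "lemon"))
    print("generated:", generate())
    print("bits with this 6-word list:", round(guess_space_bits(6, 10), 1))
    print("bits with a 10,000-word list:", round(guess_space_bits(10_000, 10), 1))
```

With the six-word list almost all of the strength comes from the random case and the inserted digit and symbol; with a real dictionary the choice of words dominates. Either way the interleaving step itself contributes nothing once the attacker knows the method, which is why the random extras (or simply more words) matter more than the pattern.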

{ Comments on this entry are closed }

My decadent friends,

Despite my best efforts, after 6 months of repeated hacking, I lost my site today. I don’t have the heart to even contemplate any form of restoration at this point. Weary with the cold faceless cyberworld, I am heading for the warmth of the sun. God bless last minute travel deals.

I will continue writing and will revive Myths and Metawhores, but when and how that will happen, I cannot say. I care little for the current climate, which has seen an ugly turn towards ‘career blogging’ and real life overspills. I know I’m not the only blogger on the sharp end of harassment. I also don’t want anyone else to endure all I’ve had to, so please, to everyone I say be mindful where and with whom you place your trust. Once again, I urge all writers to secure their site; WordPress users be especially keen to install the latest upgrades as a vulnerability in the script is looking like the way my site was first accessed.

I’m looking on the bright side and can’t help but smile when I look at my travel case, stuffed as it is with books and bikinis.

Stay wild, be beautiful and relish your real life.

With my love,

Magdelena

{ Comments on this entry are closed }