6 Steps to Better Security and Privacy

Nov 24, 2016

I wrote previously about securing your digital life. Technology and digital threats are advancing so fast that we’re almost inevitably all going to be attacked in some way. Here are a few more steps I’ve taken recently.

Staying Secure Online

Dec 18, 2013

This is a public service announcement. Many people I know are not taking important steps necessary to secure their online accounts and devices (computers, cellphones) against malicious people and software. It’s a matter of time before something seriously harmful happens to them.

It’s much easier than you think to do the basics right. If you turn on automatic updates, use a password manager, and use two-factor authentication, you can dramatically improve your personal safety and security. There’s a lot more you can do, but read on for the details.

Using GPG in Gmail on a Mac

Oct 24, 2013

I used to use the FireGPG extension to encrypt and decrypt text in a browser – including wikis, for example, where sensitive client information could be stored. It’s been a while since I had that need, but recently I wanted to send a GPG-encrypted message to a coworker, and FireGPG has been discontinued for years.

Email snooping is a small fraction of the story

Jul 17, 2013

I wrote previously about why privacy and security require open-source, inspectable hardware and software to run on, and software that makes encryption the default so everyone uses it. My example application was email, and I concluded that it’s currently impractical to think that we can block government snooping on a large scale even in the domain of email. Now, think what a small fraction of people’s Internet-connected activities we’re talking about: email.

Privacy is impossible unless it's the default

Jul 6, 2013

This is a follow-up to my last post, in which I asserted that without free software and hardware, privacy is impossible. Suppose we have trustworthy, free hardware and software. What else is needed to thwart efforts to monitor our everyday behavior on a massive scale? Let’s look only at one activity that’s currently being monitored: email. How can we make email less vulnerable to prying eyes? Technology to encrypt email between ordinary citizens (PGP, OpenPGP, and GnuPG) has existed for years, and in a form strong enough to frustrate any known attempts at decryption.

Without free software and hardware, privacy is impossible

Jul 5, 2013

The recent revelations about the NSA’s wide-ranging surveillance of Americans and non-Americans alike has spurred a lot of outcry. Of course, some people are crying for legal solutions, but there’s absolutely no chance of any present or future elected official changing or stopping it (it’s already completely illegal and always has been, so more laws can do nothing but poke loopholes in existing laws forbidding surveillance). We’re on a road that leads to only one place: total, absolute government monitoring of everything we do – and thus, to some extent, control of everything we do.

SSH public-key forwarding

Mar 30, 2006

SSH is one of the most important tools I have. I use it every day to communicate securely between many different computers, and consider it indespensable. In this article I’ll show you how to forward your SSH agent to connect from any remote server to any other remote server without putting your private key on either of them. Introduction First, the concept: SSH is a secure protocol for setting up a communications channel between two computers on a network.

How to Break Web Software

Nov 21, 2005

I recently did a technical review of How to Break Web Software: Functional and Security Testing of Web Applications and Web Services, by James A. Whittaker and Mike Andrews. My thoughts: it’s well worth reading. Though what I reviewed wasn’t yet a final draft (my job was to help find technical and other errors, make suggestions on organizing the information and so forth), the content was (mostly) all there. I own other work by Whittaker, and I encourage anyone who’s interested to read this book when it’s published.

How to exploit an insecure order of access to resources

Nov 3, 2005

When gaining access to resources, such as loading a DLL or invoking a program, beware of default order of access. Insecure defaults can result in using the wrong resource. I find this particularly a problem on the Microsoft platform. Here are two cases where the Microsoft approach, designed to “make it easy,” ends up making it insecure instead. Invoking an executable program If you do not specify the absolute location of the executable, where does the OS look for it?