6 Steps to Better Security and Privacy

I wrote previously about securing your digital life. Technology and digital threats are advancing so fast that we’re almost inevitably all going to be attacked in some way. Here are a few more steps I’ve taken recently.

Blue Marbles

» Continue Reading (about 1500 words)

Staying Secure Online

This is a public service announcement. Many people I know are not taking important steps necessary to secure their online accounts and devices (computers, cellphones) against malicious people and software. It’s a matter of time before something seriously harmful happens to them.


This article will urge you to use higher security than popular advice you’ll hear. It really, really, really is necessary to use strong measures to secure your digital life. The technology being used to attack you is very advanced, operates at a large scale, and you probably stand to lose much more than you realize.

However, it’s also much easier than you think to do the basics right.

» Continue Reading (about 3200 words)

Using GPG in Gmail on a Mac

I used to use the FireGPG extension to encrypt and decrypt text in a browser – including wikis, for example, where sensitive client information could be stored. It’s been a while since I had that need, but recently I wanted to send a GPG-encrypted message to a coworker, and FireGPG has been discontinued for years. I also use a Mac now, and Chrome is my primary browser. What to do? I looked around at a few Chrome extensions, but didn’t really like them.

» Continue Reading (about 200 words)

Email snooping is a small fraction of the story

I wrote previously about why privacy and security require open-source, inspectable hardware and software to run on, and software that makes encryption the default so everyone uses it. My example application was email, and I concluded that it’s currently impractical to think that we can block government snooping on a large scale even in the domain of email. Now, think what a small fraction of people’s Internet-connected activities we’re talking about: email.

» Continue Reading (about 700 words)

Privacy is impossible unless it's the default

This is a follow-up to my last post, in which I asserted that without free software and hardware, privacy is impossible. Suppose we have trustworthy, free hardware and software. What else is needed to thwart efforts to monitor our everyday behavior on a massive scale? Let’s look only at one activity that’s currently being monitored: email. How can we make email less vulnerable to prying eyes? Technology to encrypt email between ordinary citizens (PGP, OpenPGP, and GnuPG) has existed for years, and in a form strong enough to frustrate any known attempts at decryption.

» Continue Reading (about 900 words)

Without free software and hardware, privacy is impossible

The recent revelations about the NSA’s wide-ranging surveillance of Americans and non-Americans alike has spurred a lot of outcry. Of course, some people are crying for legal solutions, but there’s absolutely no chance of any present or future elected official changing or stopping it (it’s already completely illegal and always has been, so more laws can do nothing but poke loopholes in existing laws forbidding surveillance). We’re on a road that leads to only one place: total, absolute government monitoring of everything we do – and thus, to some extent, control of everything we do.

» Continue Reading (about 600 words)

SSH public-key forwarding

SSH is one of the most important tools I have. I use it every day to communicate securely between many different computers, and consider it indespensable. In this article I’ll show you how to forward your SSH agent to connect from any remote server to any other remote server without putting your private key on either of them. Introduction First, the concept: SSH is a secure protocol for setting up a communications channel between two computers on a network.

» Continue Reading (about 1100 words)

How to Break Web Software

I recently did a technical review of How to Break Web Software: Functional and Security Testing of Web Applications and Web Services, by James A. Whittaker and Mike Andrews. My thoughts: it’s well worth reading. Though what I reviewed wasn’t yet a final draft (my job was to help find technical and other errors, make suggestions on organizing the information and so forth), the content was (mostly) all there. I own other work by Whittaker, and I encourage anyone who’s interested to read this book when it’s published.

» Continue Reading (about 300 words)

How to exploit an insecure order of access to resources

When gaining access to resources, such as loading a DLL or invoking a program, beware of default order of access. Insecure defaults can result in using the wrong resource. I find this particularly a problem on the Microsoft platform. Here are two cases where the Microsoft approach, designed to “make it easy,” ends up making it insecure instead. Invoking an executable program If you do not specify the absolute location of the executable, where does the OS look for it?

» Continue Reading (about 800 words)