Privacy

Facebook

by Rob on

Some people noticed that I haven’t posted anything on Facebook for some time. And that is correct: I have basically stopped using Facebook. The main reason for this is that Facebook is becoming more and more of a privacy threat. If not because of Facebook itself, then because of people with bad intentions.

For the second time now, someone in the circle of people that I know has become a victim of identity theft.
The first time it was more or less innocent (if identity theft can be innocent at all).
Now the second time it is not so harmless and most likely it will have financial consequences for the person involved.

Apart from that, Facebook is storing more and more private information about people. It is really becoming a privacy threat. If only the security of Facebook were optimal, but sadly it is not. And making an account secure is so difficult that it is hard to do for people who are not computer-minded (and accounts that are not secure can become a threat to those who do have things secured properly).

So I cleared out most of my friend list on Facebook. If you are still on it, you are lucky. It means I regularly have face-to-face contact with you or you are important to me for some other reason.
The rest I deleted, and I changed the settings for who can send me friend requests.
The people that are still on my friend list are there because I think it is important for them to be able to reach me. That is all there is to it.
You are not on my friend list any more? Sorry, but I care about my privacy.

So friend requests will not reach me. The same can be said for private messages from people that are not on my friend list.

I know this all sounds very harsh. But I want to stay in control of my privacy.

Here on my weblog I have full control over what happens and I can act directly when a threat appears, even when that means temporarily taking my weblog down.


The slight madness of cards…

by Rob on

Recently I bought a metal case to keep all kinds of cards that I carry around with me daily. First, this case protects the cards from damage (some cards are easily damaged). But what is maybe even more important is that this case means RFID readers (and similar equipment) cannot access the cards.

Then I realized how many cards I carry around every day and I was surprised by that. These are the cards that I always have on me when I am not home:

» ATM/Bank card
» Dutch ID card
» A credit card
» A healthcare card
» A card of the Dutch rail company that I use to travel to my work
» OV Chipcard, an anonymous card for the public transport
» Access card “Noordhollands Duinreservaat” (Dune area)
» Airmiles card
» Ikea Family card
» Discount card of a Dutch drugstore
» Member card of the Dutch Nikon Club

Sure, a number of these cards I do not really need to have on me all the time. But that would simply mean for me that I would forget to take them along when I need them.

And when I talked about it with Marion, she showed me that she has even more (such as a business credit card, a gasoline card and several membership cards). And she assured me that there are a lot of people out there with many more cards than she and I have together.

Here is the point to think about: all these cards are registered somewhere and somehow in one or more databases. Some cards do not hold very important information (for example my Nikon Club card), but others contain very private and important information. ID cards, ATM cards and credit cards are a clear example of this. It is good to take care of these cards. As said, the metal case makes it impossible for RFID readers and the like to access the data stored on the cards. And another nice thing about the metal case is that I keep it in the front pocket of my jeans, and it is harder to steal something from those pockets than, for example, from the back pockets.

Life is there to… secure data

by Rob on

Lately I have been pondering a lot about the data on my computers. There is a lot of private and more or less confidential information on them, especially on the one that I use the most.
All kinds of documents with letters that I sent to people and companies… salary and tax forms… banking software…
But also more private things such as mail threads with Marion and Sanne… photographs I made… so things that are of no concern to most people out there.

There is always the risk that a computer gets stolen. For mobile devices such as laptops and tablets this risk is even rather high, but desktops can also be taken in a burglary.
And then there is something else that people hardly think about. What happens to a computer when someone passes away? Mostly it ends up with someone in the family, and that is basically okay with me, but not the data. The data should only be accessible to a very small group of people…

I have been thinking over how I protect this data that is so important to me.

Well, I had a BIOS password active on all computers (so you had to enter a password before the computer could boot). But this is easy to bypass… remove the BIOS battery for two minutes… or play a bit with some DIP switches and this password is cleared. And how to do this exactly is freely available on the Internet. So not a really good solution.

The Windows password (especially on standalone computers) is a joke and gives only a false sense of security. There are thousands of programs available on the Internet to reset a Windows password. Even more, it is possible to boot with a special CD, bypass Windows completely and get full access to the file system directly.

So for someone who knows a little bit about computers it was not very hard to get past the two “security measures” I had in place. Of course I had already known all this for a long time and I also knew the solution… full disk encryption!

So what kept me from encrypting those hard disks? Performance of the computer… My previous experiences on this matter have not been very good. I have seen very fast computers turn into slow monsters by disk encryption.
And as I also use my computer for (online) gaming, performance is very important to me as well.

For some time I have been using a solution in between. With TrueCrypt I created encrypted containers on my computers and stored in them the data I wanted to be safe. This worked well, as long as you are aware where all the important data is located. TrueCrypt is an encryption program that creates encrypted containers, but can also encrypt devices such as USB sticks and hard disks.
Why TrueCrypt? It has a very good reputation and above all, it is Open Source. This means that I can be sure that there are no back doors.
There are stories going around that people managed to hack TrueCrypt. But in all those cases TrueCrypt was not hacked; the system it was used on was compromised (for example, by a keylogger that registers a password that was entered).

Anyway, back to the performance issue. In many places I read that TrueCrypt encryption would have almost no effect on the performance. I saw many benchmarks to support this statement. Even for playing games it would not differ very much (after all, much of gaming is done in memory).

So as a test I encrypted the two hard disks in my “old” duo-core machine (Intel Core 2 CPU @ 1.86 GHz, ATI Radeon X1550 graphics card, 2 GB memory, running Windows 7 32-bit). Normally I use this computer only for things such as MSN, Skype, IRC and the like. And every now and then I use it for duo-boxing (playing on two computers with a character on each computer in an online game. Mostly the second character is a healer type to support the first character).
And yes, the difference in performance was very acceptable.

So after making a complete backup, I started the encryption of the hard drive in my main computer early yesterday morning (Intel i7 2600 CPU @ 3.40 GHz, ATI Radeon HD 5870 graphics card, 8 GB memory, running Windows 7 64-bit). During the day I had other things to do, so it was a nice opportunity to do this lengthy task. It took a bit over 13 hours to encrypt the 1.5 terabyte hard disk.

Very nifty is the TrueCrypt option that lets you suspend the encryption process and use the computer as normal again, or even switch it off completely and resume the process later.

The end result? I am very happy with it.

The system is a bit slower during booting, but I will solve that soon by installing an (encrypted) SSD (Solid State Disk) with the operating system on it.

But when it runs, it is as fast as it always was. Of course it helps a lot that the CPU in my main computer fully supports hardware-accelerated AES encryption (the Intel AES-NI instruction set). It makes the encryption process 4 to 8 times faster. This also explains why my duo-core computer shows a little decrease in performance, as it doesn’t support this hardware acceleration.

Even in heavy online games (such as EverQuest II) there is really no noticeable decrease in performance. Not even during the loading of new zones (and there I would have expected it).

To access this encrypted hard drive you need a password that is longer than 20 characters and contains uppercase, lowercase, numbers and punctuation marks… It is not written down anywhere and is memorized by the 3 persons who should always have access to it.

If someone would consider a brute force attack on it (and no, I was not so stupid as to enter the password on the website that made the calculation below, but entered a password that was constructed in a similar way):

Have fun with that…. *grins*
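An estimate of this kind can be computed locally, so that no password has to be typed into a website. The following is an added example, not part of the original post: the function names, the sample passwords, the 1000-iteration PBKDF2 cost per guess and the 1e12 guesses-per-second attacker are all constructed assumptions.

```python
import hashlib
import math
import string
import time

# Character classes named in the post: uppercase, lowercase, numbers, punctuation.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password):
    """Size of the alphabet a brute-force search must cover, from the classes in use."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def keyspace_bits(password):
    """log2 of the number of candidates of this length over that alphabet."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def measure_kdf_rate(iterations, trials=20):
    """Guesses per second on this machine when every guess costs one PBKDF2 run."""
    start = time.perf_counter()
    for i in range(trials):
        hashlib.pbkdf2_hmac("sha512", b"guess%d" % i, b"constructed-salt", iterations)
    return trials / (time.perf_counter() - start)


def years_to_search(bits, guesses_per_second, fraction=0.5):
    """Years needed to cover `fraction` of the keyspace (0.5 = average case)."""
    return fraction * 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def report(password, guesses_per_second):
    bits = keyspace_bits(password)
    return {"length": len(password), "alphabet": alphabet_size(password),
            "bits": round(bits, 1),
            "years": years_to_search(bits, guesses_per_second)}


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    samples = ["summer2011", "Tr0ub4dor&3", "cX7!qLm#2Vd@9rTz$5Hb&"]
    rate = measure_kdf_rate(iterations=1000)  # assumed key-derivation cost per guess
    for label, gps in (("this machine", rate), ("assumed 1e12/s", 1e12)):
        for pw in samples:
            r = report(pw, gps)
            print(f"{label:15} len={r['length']:2} alphabet={r['alphabet']:2} "
                  f"bits={r['bits']:6} years={r['years']:.3g}")
```

The result only holds for a randomly chosen password; one built from words, names or dates falls to dictionary-based guessing long before the keyspace is exhausted.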

A black day for the Internet…

by Rob on

I just read that two big Dutch Internet providers, XS4ALL and Ziggo, have been ordered by a judge to block the site of The Pirate Bay. This is in my opinion very bad.

Why bad? No, not because of the content that you can get at The Pirate Bay. To be honest, I never even connected to their site. People who know me a little are well aware of my rather nice collection of legal CDs, DVDs and Blu-rays. And I buy rather a lot at iTunes.
And I think everyone should do what he/she thinks is best concerning downloading illegal content. I don’t mind and I don’t judge.

It is bad because it damages the freedom of the Internet. It is bad because the rights of some big companies seem to be more important than the fundamental rights of Dutch citizens. This is another step towards “Big Brother”. Today it is a server with illegal content. Tomorrow it may be a site with political content that “someone” doesn’t like.

And it is dumb, because someone with a little knowledge of the Internet can easily bypass such a blockade. And in no time there will be many manuals online on how to do this for those who don’t know.

The only rightful way to handle servers with illegal content is bringing down that server. That may be hard when that server is in another country. True, but forcing the “transporter” to block certain “ways” is a bad thing and even very dangerous when it comes down to freedom of speech and information.

XS4ALL will appeal against the decision of this judge and Ziggo may do the same. I truly hope that another judge may see how wrong this is….

Privacy again

by Rob on

It is kind of funny: after reading a newspaper this morning I decided that it was about time to write an article on privacy again… and I just noticed that Patrick did the same on his weblog yesterday.

This morning I read that the government has far-reaching plans to gain control over the information flow on the Internet. The technique they want to use for this is “Deep Packet Inspection”. This means that they will literally check the contents of the data packets that are sent over the Internet (to put it simply; there is more to it).
This means that they can check every mail that is sent and check every file that is transported over the Internet.
They also want to check the behavior of people. An example that was literally mentioned was that someone who bought an expensive camera and earned some more money than normal was already a suspect for producing porn with children? This is too stupid for words.

Don’t get me wrong. I think that porn with children is disgusting and should be acted on very hard… but not with any grounded proof. This is even forbidden by our Constitution. It is clearly stated there that someone is innocent until proven otherwise and that there should be a very clear suspicion before action may be taken against someone.

To be honest, I think the whole child porn argument is not what is really behind all this. Governments and their “secret agencies” fear the Internet because it is out of their control (see the whole Wikileaks matter). And I think the real reason is that they want to have a grip on what is happening on the Internet.

I agree with what Patrick writes on his log, that it is too silly for words when using PGP/GnuPG, masked IP numbers, OpenProxy and things like that makes you a suspect of cybercrime.

Me? I already use GnuPG (the Open Source version of PGP) and I will encourage all people I exchange regular mail with to do the same. Already all mail I exchange with Marion is encrypted with GnuPG. Chatting I will do more and more through Skype because of its high level of encryption. And if I can find a thing to protect my privacy…. I will!

This they promised never to do…

by Rob on

They promised us over and over again never to use the Dutch security number (“SOFI Number”) to connect all kinds of databases together.

What did they do? They renamed the “SOFI Number” to “BSN Number” and do with it what they said they never would do.

Today I needed to have some x-rays made. At the counter of the outpatient clinic I was told that I needed a new medical card for the hospital. So okay, I handed over my insurance company card. They also needed my ID card or passport. I was like “WTF?????”.

On the new medical card my BSN Number (better known as SOFI number) is registered. In other words, my complete medical history is now connected to all the other accessible databases that use the BSN Number…

WTF!!!!!

Something to think about

by Rob on

Today in another discussion about privacy and security (with many “I don’t have anything to hide” folks) I read something that said it all for me…

When they came for the communists, I didn’t say anything…
I am not a communist.

When they came for the Union people, I didn’t say anything…
I am not a Union member.

When they came for the Jews, I didn’t say anything…
I am not a Jew.

When they came for the Catholics, I didn’t say anything…
I am not a Catholic.

When they came for me,
there was no one left to say something!!!

(Reverend Niemöller, Germany)

Privacy and security are something that should concern all of us and should be a reason for all to stand up! And especially no turning away from things, pretending you did not see anything!

Ashamed

by Rob on

Today we had the European elections… and for the first time I felt ashamed for my countrymen.

A hate-spreading party such as the PVV seems to be growing fast. I am so ashamed… so ashamed…

Encryption, part II

by Rob on

Encrypting again…

As I always say, when you do something, do it well. And when you find something to improve, do it.

For mail I can use GnuPG to sign and/or encrypt my mail. And this is working very well. Marion and I use it all the time. We often talk per mail about things that are not meant for everyone’s eyes. After all, concerning privacy, mail only has the value of a postcard.
It is amazing to see what kind of confidential information people send through mail without even thinking it over.

Anyway, yesterday I suddenly realized that I also store confidential information on my laptop outside my mail. Things such as documents and pictures. Some work-related files. These files were fully accessible to anyone who could get their hands on my laptop. Which could happen if in the worst case my laptop gets stolen, but even when my laptop stands on my desk and I am away from my desk.

So I looked for a program for file encryption. I found one that serves my purpose completely. This program is called TrueCrypt. TrueCrypt is Open Source and that way I can be assured that there are no backdoors (because the source is available to anyone).
With TrueCrypt you can create volumes; when not mounted, these volumes are encrypted and so not accessible to anyone. And so their contents are safe from strangers’ eyes. And this is how it should be…

A Web of Trust

by Rob on

Sometimes the present gets overtaken by the past… Last week something like that happened again.

At work we had our weekly team meeting. We always tell what we are busy with so everyone has an idea of what is going on.
My colleague Anitha told us she was working on an encryption matter that involved key servers. As I worked a lot in the past with PGP (Pretty Good Privacy)/GPG (Gnu Privacy Guard), I remarked that I could maybe be helpful with some resources and information I have or can get on the matter.
Then our team leader said that it is a fully PGP/GPG project. Later I learned from Anitha that it was about verifying messages between applications we use (which are highly confidential).

This made me really think back to the time I used PGP/GPG all the time… and I wondered why I ever stopped using it. Apart from the not so good times I have been through (a relationship that went wrong and things like that… luckily all in the past) I couldn’t think of anything. So I restored my old keyring from a backup, only to find out that it had expired…
So I created a new keyring…

While I was working on all this I was chatting with Marion on MSN. She was really interested. Even more, she was very enthusiastic about it and saw personal use for it. So I talked her through installing the software and explained how it worked. And finally she created her own keyring and we signed each other’s keys, which means we can verify and decrypt messages we exchange. Mostly it is a sign of trust, and between Marion and me that is of course something that is very clear.

Hmmm… maybe a few words on what this PGP/GPG is about. Simply put, it is a way to add more security to e-mail. You can sign messages, which means that the text in the mail is still readable to everyone, but those you exchanged (“signed”) keys with can be sure that the message was sent by you and that the message was not altered.
You can also encrypt messages so only the receiver (who should have a signed key as well) can decrypt the message and will be able to read it.

This weekend I will send requests to sign my keyring to people who did so before and maybe I will invite some new people to PGP/GPG (if they are interested of course).

PGP/GPG is a way to help defending your privacy… and that is something that is highly needed these days!!!!