Positive Security

“Computer security” has a dark and mysterious aura to it, evoking images of dark rooms with hackers and anti-hackers battling it out on keyboards, of struggle between the powerful and the people.

Maybe the narrative we’ve built up around computer security is actually preventing people from protecting themselves. Suggest to a friend that they may need computer security, and they ask themselves whether they feel locked in a power struggle and conclude, “I don’t have anything to hide. I’m an open book.”

There’s a certain quaintness about this notion. “I don’t have anything to hide” is closely connected to “No one’s going to look, my life is boring”; it’s a bit like the luxury of leaving your front door unlocked in a small town. Unfortunately, the internet is much more like a dense urban center than a small town. Literally everyone in the world can walk by your digital front door and try the lock. Not locking your door in an urban center is really asking for trouble. Locking it is a prudent and wise habit you get into so you don’t have to worry about whether some stranger is rifling through your personal things. We call it “street smarts”.

Computer security is the basic “internet smarts” we should be encouraging everyone to get in the habit of doing. Things like turning on two factor authentication and remote-wipe. We do these things not because we’re afraid, but because we’re smart, confident, and ready to engage the world.

Assumptions Tech People Make While Trying to Save the World

For all the creative vision of technology entrepreneurs, it’s easy to forget a few basic facts about the world we think we know so much about. I had another reminder of this while chatting with a brilliant coworker from Pakistan today.

1) We assume that a smartphone won’t be stolen.
In the parts of the world we’re trying to save, we forget that the value of the smartphone itself exceeds the value of the data on it for the thief, or official, under whose eyes it passes. Encrypting that sucker has a very limited effect on reducing its value to the common thief.

2) We assume there will be internet.
“Tweeting to revolution is the next big thing,” we say. But we forget that these places have little or unreliable internet connectivity. While we live stream movies over Netflix, people in India can barely load the Facebook home page, everyone’s connection in Iran is bandwidth limited to 128kbs, and the Taliban blows up cellphone towers in Afghanistan.

3) We assume that people have a computer or smart phone of their own.
We forget that the most vulnerable are often poor and live communally. The “Personal Computer” people use is the grubby one in the basement of the cyber shop down the street, and who knows what kind of viruses live on that thing, or whether the shop owner looks through the digital crumbs left by his customers.

Sometimes we in Silicon Valley forget that it’s not computers that change the world, it’s people. People who face their fears and band together with both wisdom and courage and press for the respect of their human dignity.

Now what, technology or otherwise, would help facilitate that?
What kind of careful listening do we need?

A Free Encrypted Web Proxy for Android

There is a new Bandwidth Management feature in Chrome on Android that also provides some helpful security properties.  When Bandwidth Management is enabled, Chrome encrypts any unencrypted websites and also unblocks any sites that may be censored by a firewall. Turning it on is just a few clicks away:

  • Open Chrome on Android
  • Click settings
  • Click Bandwidth Management
  • Click Reduce data usage
  • Enable

What does it do? Bandwidth Management will take every unencrypted (HTTP) webpage and send it through an encrypted SPDY tunnel to a Google proxy server. The proxy reformats images, optimizes webpages, and compresses the webpages, all before sending them back down to you. It’s basically a free VPN for your mobile web browser.

What are its limitations? It won’t proxy encrypted webpages (HTTPS), which might cause problems if the page you’re requesting is blocked. And it won’t proxy web pages in incognito mode, to protect your privacy. So don’t go surfing in incognito mode if you’re trying to take advantage of this encrypted proxy.

More info here: https://developer.chrome.com/multidevice/data-compression

How to tell if you have secure email

“Secure email” is a misnomer, but it is still important to make sure that your emails are being sent in a not-terrible way. How do you do that? Well, I’ve just discovered an awesome website to help. https://starttls.info/ will verify that your email provider is set up to receive email in the industry-standard, secure way called STARTTLS.

STARTTLS is a way for two email companies to send each other mail using encryption so that other people can’t read it before it gets to where it’s going. Sending an email from or to an address whose provider doesn’t support STARTTLS is like CC’ing the NSA, FSB (aka KGB), MSS, and other intelligence agencies on your email, as we’ve learned.

Unfortunately, just a fraction of the email providers support security.  38% to be precise, according to the statistics at starttls.info/stats.  Now because it takes two people to have a conversation, this means that only 14% of email conversations are going to be secure.  In other words, your email only has a 1 in 7 chance of being secure unless you take action.

STARTTLS Statistics from starttls.info/stats

You need to do two things:

  1. Make sure YOU have a secure email provider. Verify yours at https://starttls.info/.
  2. Make sure your FRIENDS have a secure email provider. Verify their email addresses at https://starttls.info/.  Then encourage them to get a decent email address and remember to only send sensitive emails to addresses that pass the test.


9 Ways to Steal Your Password. The Case for Two Step Verification.

Having a password is important, but stealing passwords has gotten so easy that it’s no longer enough by itself. In addition to the secret password stored in your head, many companies now confirm possession of some tangible thing, a phone for example, before letting you log in. That way if someone learns your password, they can’t use it without also physically taking your phone from you. A win for you.

For perspective, 80% of the security breaches in a set of 621 companies in 2012 used a stolen password. That’s 44 million accounts that could have been protected if they had just turned on two step verification. Don’t be the next victim.

Why are passwords so easy to steal?  Secrets are hard to keep! It only takes one mistake before the cat’s out of the bag, and the cat may escape, so to speak, without you knowing it. Here are some of the ways hackers will try to steal your password. The adversary could:

  • Watch you type it in through a telescope, or look over your shoulder.
  • Listen to you type it in through a web cam.
  • Watch you send it unprotected if you ever use a website without HTTPS, as mentioned previously.
  • Trick you, and 80,000 other people a day, into typing your password into a fake website that looks legitimate.
  • Make a cool app for you to download with a very nice box to type your password into.
  • Email you a link to a website that installs a password stealing virus that’s gotten over 3.6 million installs as of 2009.
  • Hack into another website you use (including Adobe.com, Yahoo.com, and Linkedin.com) and steal your password. You don’t use the same password on multiple sites, do you? Check if your account has been leaked already.
  • Reset your password by Googling the answers to your easy-to-guess password reset questions.
  • Reset your password by calling the very helpful folks at customer service.

I could go on, but I hope that this short list is enough to motivate you to take a moment now and turn on two factor authentication so you don’t become the next victim.

What about all those sites that don’t care enough to set up two step verification? Use a password manager to create a separate, complex password for each site.

Happy Passwords!

Have password, Turn it ON

Picking a secure email provider is a great first step toward email security, but you need to do your part too. After all, it takes less technical wizardry to take advantage of your security mistakes than it does to break into an email company. Here’s what you need to do to make yourself more annoying to hack than the next guy.

Have password, Turn it ON.

Your password isn’t doing you any good if you don’t have to actually type it in. Yes, it’s annoying.  There is some interesting research in replacing passwords with places and things, but for now your phone or computer is just asking to be messed with if you haven’t turned the password lock on.  People that might be interested in messing with your stuff include pesky siblings, untrustworthy partners, pickpockets, corrupt police, mob violence, silent border searches, etc.  In some cases having a password won’t protect your data, but it will, at a minimum, force the adversary to inform you of the compromise by asking you for your password.  Here’s how to turn on your password protected screen lock for your desktop (Windows, Mac) and mobile phone (iPhone, Android).

Now that you have your password turned on, it’s time to pick a password that your friends as well as really smart computer people won’t be able to guess. The rule is simple: longer is better. For passwords, longer than 10 characters. For pins, longer than 6 digits.  You can check the security of your password at https://howsecureismypassword.net

Required bonus points: encrypt your device to protect yourself from technical people. Passwords are generally just a check that your computer performs before giving you access to your files.  If a technical person gets hold of your stuff, they can just disable the check if they’re smart enough. What you need to do is scramble all your files with your password.  Now it’s not just a little check; the password is fundamentally required to understand your files.  This is called encryption, and here’s how to turn it on for Windows, Mac, Android, iPhone.

Use HTTPS://.

Every website you visit, every email you check, every file you download, every password you type without the required “https://” can be easily recorded by anyone at the same coffee shop, hotel, or conference, in addition to the internet company, national police, and most countries’ intelligence apparatus. Furthermore, the adversary only needs to see your password once before they can simply log in to your account and read/modify/delete your data.

Remembering to type in https:// for every website is difficult. Here’s what you need to do:

  • Let your browser do the hard work for you. HTTPS Everywhere will add the s, for secure, in https:// to every website that supports it.
  • Make sure your email program isn’t leaking your password all over the internet by setting it up to only connect with SSL/TLS.
  • Run away from these protocols that send your password in the open for all to see: POP, IMAP, FTP, HTTP, TELNET.

4 Email Security Myths

If someone is offering you “secure email”, you’re probably getting a scam.  After a number of people referenced their custom email providers claiming to offer “secure” email, I decided to investigate. What exactly were they offering?  Turns out that most of these providers are giving a misleading set of security guarantees that, on the whole, could leave you a lot more insecure than you think.  Here are four things that won’t make your email secure.  Full disclosure: I work at Google; however, these thoughts are my own.

Ads don’t make your email insecure.

Let’s get this straight:  an ad matching algorithm is not a human. If you’re concerned that a computer might be running algorithms on your email, keep in mind that scanning for viruses and spam actually increases your security.  What matters is where information from your email goes. All* email companies could read your email if they wanted to.  There may be other reasons why you would prefer to not have ads based on your email content, but focusing on ads is a distraction from real email security.

What should you focus on?  Find a company that limits the number of people who can read your email, keeps audit logs so there’s evidence when they do, and has a strong corporate culture surrounding customer privacy – meaning that they look at their logs and severely reprimand people who abuse their access.

*All, except for messages sent using end-to-end encryption such as PGP.

Switzerland is not going to protect you.

Hosting your email in another country is most likely going to slow down, but not stop, a legitimate legal process from getting access to your account. Mutual Legal Assistance Treaties have been created between most countries to fix this exact loophole. While we’re on the topic, you weren’t thinking of breaking international law, were you?  If you’re not conspiring with known terrorists, trafficking in nuclear material, or running a drug ring, your own laws probably work in your favor. Citizenship is a great thing. For a more detailed analysis of international law, talk to a lawyer.

What should you be looking for?  Companies that are incorporated in countries with reasonable laws that are respected.  Servers that are in places with reasonable legal and political stability. You’ll also want the servers to be in places that are nearby, with good internet connections and electricity. It also helps if the laws actually matter in a particular country:

“Chinese society is now in the process of transition from too much emphasis on the rule of person … to establishing concept of the rule of law.” – Privacy International

STARTTLS is great, but your friends need it too. 

You’ve been a good internet user. You have a long password, and you make sure that your email website starts with https://. But there’s a dark secret to the internet: most email providers send your email without any protection!  “Secure” email providers support something called STARTTLS, which protects your email between servers. But there’s a catch: your recipient’s email provider also needs to support it.  Just because you’re sending from your “secure account” doesn’t mean that you’re safe. You have to check if your recipient is also using a secure provider!

Here’s what your email looks like most of the time because either you or your friend doesn’t have STARTTLS. Did I mention that the internet creeps have never been happier?

You -- https --   gmail.com    --  OUT IN THE OPEN  --  hotmail.com   -- https -- Recipient
                (has STARTTLS)    BAD GUYS WATCHING    (no STARTTLS)

You want both sides to support STARTTLS so your email isn’t running around exposed on the internet.

You -- https --   gmail.com    -- STARTTLS --  fastmail.fm   -- https -- Recipient
                (has STARTTLS)    (secure)    (has STARTTLS)

OK, STARTTLS is important, but how do I know if I and my friends have it? Fortunately there’s a list of the most popular providers here. Notable things to run away from: me.com, mac.com, hotmail.com, yahoo.com, att.net, comcast.net, verizon.net. Does your email address end in one of those? Get a new account NOW, and remember to not send anything important to any of your friends with any of those addresses. I’m serious. Unsure about an address that isn’t on that list? Verify that it supports STARTTLS here.

That’s hard. Isn’t there anything easier? You could create a Google document and share it with your friends instead of emailing it. This will require them to set up a Google account to view the document, thus forcing all your friends to inherit the benefits of Google’s security efforts.
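What the STARTTLS check amounts to, as an added example that is not part of the original post or of starttls.info: a receiving mail server lists STARTTLS in its reply to the EHLO command, so the sketch below parses such a reply and flags the recipients whose provider does not offer it. The domains, addresses and EHLO replies are constructed samples, and probe() is a hypothetical helper that runs the same check live against a mail server you name.

```python
import smtplib
import ssl

# Constructed EHLO replies, keyed by recipient domain (as sent by that domain's mail server).
SAMPLE_REPLIES = {
    "provider-a.example": "250-mx.provider-a.example at your service\r\n"
                          "250-SIZE 35882577\r\n250-8BITMIME\r\n"
                          "250-starttls\r\n250 SMTPUTF8\r\n",
    # "X-NOSTARTTLS-TEST" is a made-up keyword that fools a naive substring search.
    "provider-b.example": "250-mx.provider-b.example Hello\r\n"
                          "250-SIZE 10240000\r\n250-X-NOSTARTTLS-TEST\r\n"
                          "250 8BITMIME\r\n",
}

def ehlo_extensions(reply):
    """Return the upper-cased extension keywords from a multi-line EHLO reply."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    extensions = set()
    for i, line in enumerate(lines):
        last = i == len(lines) - 1
        # Every line is "250-..." except the final one, which is "250 ...".
        if line[:3] != "250" or line[3:4] != (" " if last else "-"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        words = line[4:].split()
        if i > 0 and words:  # line 0 is the server greeting, not an extension
            extensions.add(words[0].upper())
    return extensions

def advertises_starttls(reply):
    return "STARTTLS" in ehlo_extensions(reply)

def addresses_without_starttls(addresses, replies_by_domain):
    """Addresses whose provider's reply is unknown or does not offer STARTTLS."""
    flagged = []
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1].lower()
        reply = replies_by_domain.get(domain)
        if reply is None or not advertises_starttls(reply):
            flagged.append(addr)
    return flagged

def probe(mx_host, timeout=10.0):
    """Live version (needs network): does mx_host offer and complete STARTTLS?"""
    with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False
        # Raises ssl.SSLError if the certificate does not verify.
        smtp.starttls(context=ssl.create_default_context())
        return True

if __name__ == "__main__":
    friends = ["alice@provider-a.example", "bob@provider-b.example"]
    print(addresses_without_starttls(friends, SAMPLE_REPLIES))
```

An address whose provider has no recorded reply is flagged too, so an unknown provider is treated as failing the test rather than passing it.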

Small is usually bad for security. 

Security is hard.  Even the best and the brightest don’t get it right all the time. The chances that a small company is going to get it right are even smaller.  There are a million ways to install a virus on an email server. You need a team that’s smart enough to keep up with all of them, keep things patched up around the clock, and maybe even stay ahead of the game a bit. What to look for?  Participation in respected security conferences, street cred from other security experts, and indications that security is part of the company’s core values. As a bonus, how are their lawyers at defending their customers from weird warrants?


Email securely!

… More data to come …

The Problem with Security

UN Post

Bring up the word “Security” with indigenous leaders in these countries and they may or may not understand what you’re talking about. They already live in a risk-laden environment. Why should they be careful with technology?

Bring up “Security” with expats and they totally get it – to the point of being paralyzed.  Is the NSA watching, is the FSB watching? What about phones, what about email?  Security is a show stopper rather than an enabler.

Bring up “Security” with executives and they see a black hole for resources with little to show for it – but security sounds important.

The problem with all these attitudes towards security is that they deny the inherent uncertainties of security.  In trying to obtain absolute guarantees, they give up on any kind of balance or nuance. Security requires both understanding (wisdom), and an acceptance of risk (courage).

Wisdom: with a little help, the complexities of security can, in fact, be understood.  The adversary’s cost structures can work to your advantage. Tradeoffs between cost, convenience, and security can be made with informed judgement.  Wisdom is exactly this art of turning understanding into prudent behavior.

Courage: nothing in this world is guaranteed. Putting vague fears into a framework of understanding can help, but at the end of the day, it is you who needs to step out and make a difference.

This blog is my stab at helping you understand the world of cyber security so you can step out and meet the world’s needs with confidence.

“Nothing in the world is worth having or worth doing unless it means effort, pain, difficulty… I have never in my life envied a human being who led an easy life. I have envied a great many people who led difficult lives and led them well.” – Theodore Roosevelt

Live well!

.. To be continued ..