The ethical principle that should have applied is very simple: will the people your decision affects the most feel they’ve been treated fairly? To be on the safe side, ask them anyway. If the answer is no, then do something else.
Category: Security
Quote of the Day: WannaCry about WannaCrypt?
Microsoft is externalising costs on to their customers. They are externalising the financial costs of quality assurance and testing. They are externalising the political costs of setting standards, sticking to them and enforcing them amongst developers.
Microsoft is shifting the burden of support to the end users by demanding an unrealistic level of compliance with constantly evolving standards and specifications that still move faster than developers can cope.
We not only let Microsoft get away with this, millions of people regularly savage digital laggards using social media on Microsoft’s behalf. There’s an army of True Believers out there piling up the wood, matchbooks at the ready.
Your name’s not on the list…
According to VRT, stricter identity checks are due to be introduced in Belgian airports by the end of this year. Specifically, the name on your ticket needs to be the same as the name on your passport.
The most surprising thing about this story is that they aren’t checking this already.
Quote of the Day: Progress
In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.
— Jeff Jarmoc via Bob Jonkman
Unplugging
Yesterday was Data Protection Day, which seeks to raise awareness and promote privacy and data protection best practices. Data protection and online privacy are issues that I have tended to think about in the abstract. While I am aware that my online data is exposed, I have a hard time motivating myself to do anything serious about it.
However, with the current global direction of travel, I started to think about how much of my data is going through US servers and the obvious first point of concern is Google, particularly Gmail.
Although I have a few email accounts, for the past few years I have been using Gmail as my primary email — and as my email client. The Accounts and Import page make it very easy to set up Gmail to send and receive from all of my email accounts, allowing me to easily synchronise everything across everything. It’s damnably convenient, but a complete disaster from a privacy point of view.
So today I have unplugged every other email account from Gmail. I have also installed and configured Geary on my desktop and started playing around with the default email client on my phone.
It’s not as convenient as letting Google do all the synchronisation for me, but the effort is minimal and it does mean that all of my email is no longer being pushed through the same server.
I haven’t decided whether to keep my Gmail account. It’s handy to have, but not irreplaceable. I shall watch how my email traffic changes over time and decide later. I shall also have to look into calendaring services.
But first, I shall see about scraping the Google Apps off my phone. This should be reasonably straightforward — if all else fails I just need to do a factory reset. But I must remember to take a backup first.
Eight questions to ask before buying that IoT gadget
Because, Of course smart homes are targets for hackers
- Does the vendor publish a security contact? (If not, they don’t care about security)
- Does the vendor provide frequent software updates, even for devices that are several years old? (If not, they don’t care about security)
- Has the vendor ever denied a security issue that turned out to be real? (If so, they care more about PR than security)
- Is the vendor able to provide the source code to any open source components they use? (If not, they don’t know which software is in their own product and so don’t care about security, and also they’re probably infringing my copyright)
- Do they mark updates as fixing security bugs? (If not, they care more about hiding security issues than fixing them)
- Has the vendor ever threatened to prosecute a security researcher? (If so, again, they care more about PR than security)
- Does the vendor provide a public minimum support period for the device? (If not, they don’t care about security or their users)
That facepalm moment
I’m not going to name any companies here but I recently cashed in an freebie. It was one of those introductory offers in which you get something for nothing and are then asked to sign up so you can use the (paid) service in future. As it happens, this piece of marketing worked and, having poked around the site for a bit, I decided I would create an account in order to order personalised presents in future.
So I opened KeePassX, generated a (very long, very random) password and pasted it into the sign-up form. This is where things started to go awry.
My sign-up password was rejected because it was too long. This is always a bit concerning. If a sign-up form tells you your password is too long, it’s a bit of a giveaway that they are not hashing passwords properly and are probably a bit ramshackle when it comes to security.
Still, they already have my address for the freebie so I shortened my password and pasted it in.
And then they emailed my (clearly unhashed) password back to me.
The company in question does not have my credit card details. This company will never have my credit card details.
Lightly Seared on the Reality Grill 