Erik L. Arneson — Writer and Software Developer

Security Link Rodeo: Privacy, Your Passwords, and Hackers

2015-06-19T21:34:02+00:00

Edward Snowden wrote an op-ed in the New York Times where he argues that people are finally starting to care about privacy and preventing global surveillance. And though we care more, we also feel more powerless, according to a recent survey.

Online password database service LastPass had a serious security breach. Encrypted master passwords were leaked. This further outlines the problem with our current password-based approach to security. We need something better!

https://twitter.com/intermedia_net/status/611925215526961152

Things are getting better for privacy and security on the web. Cedexis reports that SSL use is on the rise, and about 35% of the traffic they are routing is encrypted now. After switching to SSL, you might want to read about hardening your WordPress site against malicious use.

Finally, learn how to hire a hacker on the deep web, and read an interview with Jesse Victors, a new Tor developer.

https://twitter.com/ste_trombetti/status/451355792923688961

The featured image for this post is from Flickr user Marc Falardeau.

Security Link Rodeo: Silk Road, the Patriot Act, Alan Turing, and Your Passwords

2015-06-05T17:33:25+00:00

The man behind the Silk Road, Ross Ulbricht, received a life sentence after being convicted of money laundering and drug trafficking. It’s estimated that he made around $18 million on the website, which ran as a hidden service in the Tor network. Some of the operators for the Silk Road argue that it was a haven for libertarian philosophy, but does that really excuse the amount of damage they enabled? The Economist notes that since the Silk Road fell, illegal drug sales on the Internet have doubled.

Security Intelligence discusses the effectiveness of password security questions, pointing out that they are particularly weak points in a system. Two-factor authentication or some kind of physical key are definitely better. And when it comes to passwords, there’s a better way that produces easy-to-remember pass phrases!

Bitstamp, an online Bitcoin marketplace and wallet, now offers debit cards. I’ve used Bitstamp many times in the past and it’s always worked well for me.

Section 215 of the Patriot Act finally expired! Not willing to really stop bulk surveillance, Congress then pushed through the USA Freedom Act, which has nothing to do with freedom. Find out how long your mobile phone carrier will retain your call data in this handy chart. Demand Progress rightfully foamed at the mouth.

https://twitter.com/demandprogress/status/605849691675189248

Phil Zimmerman is still not happy with the state of privacy in the United States. He’s right to be concerned.

Two more papers are available from Alan Turing, the father of modern computing and an important cryptologist.

Finally, the UK Government has documented security guidance for Ubuntu. Read the document. It has a lot of really good suggestions for securing your Linux machines.

https://twitter.com/OUHOSCollection/status/603588936020131843

Security Link Rodeo: The Patriot Act, Logjam, and Hacked Websites

2015-05-29T17:51:59+00:00

Kind of good news: Senators Ron Wyden and Rand Paul teamed up to squash the Patriot Act extension. It’s going to expire on June 1st unless another vote is called on the 31st. The USA Freedom Act (which I think is good?) unfortunately didn’t make it through Senate, either.

https://twitter.com/RonWyden/status/601979044318547969

Regarding the Logjam vulnerability that I mentioned last week, if you’ve got a cloud server and you’re generating new Diffie-Hellman parameters, make sure you’ve got good random numbers! Digital Ocean has advice on generating sufficient random data on cloud servers. The short version is that you should be running haveged on all of your servers.

https://twitter.com/dholmesf5/status/601848616525942784 Here’s an informative and easy-to-understand description of the Logjam attack by Matthew Green. He just happens to be one of the cryptographers who helped discover the problem. And the EFF talks about the implications of Logjam and how the NSA is a bunch of jerks who really don’t care about our privacy at all. Seriously, NSA. It’s like you don’t even want to be our friend!

The creepy mobile spyware app mSpy was recently hacked, resulting in a leak of about 400,000 user accounts. They spent a long time denying it. You can check HaveIBeenPwned to see if you’re one of the users.

Last week it was also revealed that AdultFriendFinder was hacked, leaking about 3.9 million user records. Even worse, it is possible that “AdultFriendFinder may not get rid of data after customers leave.” This is just a reminder that you need to be mindful about what you share on the Internet. If you want to keep information secret and secure, make sure that you are the only one in control of it.

https://twitter.com/SwiftOnSecurity/status/601854610018414592

The featured image for this post is from Flickr user Jason Hollinger.

Security Link Rodeo

2015-05-22T20:57:00+00:00

My four-week History of Cryptography class at Portland Underground Grad School is almost over. While I’ve had plenty of experience with speaking to audiences about difficult subjects, this has been my first time with an ongoing class. I think I’m learning as much as my students! Because this class has helped rekindle my passion for cryptography and computer security, this link rodeo is going to focus on those subjects.

Crypto superstar Bruce Schneier has written a good overview of the new Logjam attack against the Diffie-Hellman key exchange protocol. If you want to test your browser and various websites against the bug, check this website. The CloudFlare blog also has a good explanation of the Logjam attack.

https://twitter.com/NSA_PR/status/601163480499093505

GNU Privacy Guard (GnuPG) version 2.1.4 was released earlier this month. Read the announcement here. The exciting thing about the 2.1 releases is that they support elliptic curve cryptography (ECC), and allow you to create ECC public keys. I still find ECC difficult to understand, but here’s a pretty good introduction written by Nick Sullivan.

Finally, back in February, Moxie Marlinspike wrote about how he hopes OpenPGP will die someday. I, on the other hand, still use it regularly and enjoy it! In fact, I’m going to encourage you to check out the FSF Email Self Defense website so you can get started with encrypting your email today. When you’re ready, drop me a line using my OpenPGP key.

The featured image for this post is courtesy of Flickr user Jaymis Loveday.