Illusory Follies Andrew Flanagan's Blog

21Feb/080

Whole Disk Encryption Insecure

Hmm... well this is kind of a blow for the security departments that have been relying on this. My "work" (notice the parentheses) laptop has whole disk encryption and it's terrible. For some reason it usually (like 4 out of 5 times) does not ask me for my password anymore (and it really does seem random) and it takes noticeably longer to do anything on the machine (which is why I barely use it and didn't even take it with me this trip). Now it's revealed that it apparently doesn't even really protect anything!

So much for "corporate security".

6Dec/075

Google: Ad me!

I just moved all my archived email going back to 1998 (when I really first started saving emails) into my Gmail account. There are probably two standard ways of responding to this:

1) Cool

2) Oh knows! Google can read all your private emails now!

I happen to be one of those people that actually take private property rights seriously and am concerned about privacy laws and so on. However, in this circumstance to those who hate the idea of storing email on Google's servers I can only respond by saying that I:

1) ...Have nothing that's too "secret" in my email. It's mostly boring stuff to others and interesting because it documents aspects of my life which flood me with memories that go way beyond the words and paragraphs of the emails themselves. I'm sure there are things in my emails that would be embarrassing if they were revealed but I should be able to live up to the mistakes I've made and the bad things I've said and been party to.

2) ...Realize that if the Feds want my email, I think they'll find a way to get it. I don't appreciate their nosiness but I don't think that Google is going to let Joe Shmoe into my email account or simply offer my email records to the Feds. I could be wrong, but then again, I could accidentally lose a hard drive that had a copy of the same emails and run into the same problem.

3) ...Think that instead of the common response of "don't let anyone online know anything about you", that I should attempt to embrace (ahh, the warmth) the future of broad information sharing with the full realization that everything that's out there including my blog, my resume, my family photos, my emails, my forums entries, etc. are potentially available for exploitation. What does this mean? It means that if you have secrets, stop recording them! If you must record them, encrypt them using a non-trivial encryption method and at some level, protect it with information that is (again) NOT RECORDED anywhere but in your brain.

The reason I make point 3 is that so many people I know are totally paranoid about the Internet and the potential for identify theft and other things. However, they don't live their life day-to-day in the knowledge that much of their information is in fact still leaking out and becoming available (dumpster diving, data theft and loss at financial companies, disgruntled -- heck, even gruntled employees stealing information). If it's leaking anyway and we must (or at least MOST of us must) rely on things like imperfect financial institutions and garbage companies then it's silly to pretend that you're protected. Instead, I think the better approach is to be aware that in the "digital age" information is incredibly easy to collect, extract, and decrypt. Put price tags on information (like your bank passwords) and be aware of policies that your bank has with regards to "insuring" you against loss should your account be compromised. Stop thinking it won't happen but start thinking about ways that it CAN happen and your life can still go on. People put far too much faith in things like SSL (for secure online transactions). Don't think that it can't be broken or that the NSA doesn't have a dedicated real-time SSL decryption method for something like that. Never believe it when people tell you that something is "unhackable".

I've heard people tell me about how posting pictures of your kids on the Internet could result in them being Photoshop'ed by child pornographers. I don't really know how to respond to this... It just seems a little silly. Of course they could -- but why does this matter to me? For that matter, how would I find out...??!? There's always a risk of having people find your personal information (like your address) but I just don't understand the obsession about trying to hide it. It's available! It's out there already! If you have a secret that no one else knows (at all) then maybe you should keep it "off the grid". But for things like your name, address, email, phone, etc. live with the realization that it's not private anymore. If you want it to be private, prepare to not use them for anything.

If you need anonymity, there are certainly some good ways of covering your tracks. However, the difficulty in doing this even one time is high -- I think it's likely impossible to do this routinely and still effectively communicate. If you're reading this post, you've left some trace of your presence. Yes, you might be using a proxy, but you left a trace at the proxy also. If you've accessed it via a proxy from a coffee shop,well, you've left a trace on the security camera there. It never really provides total anonymity -- it just makes it difficult and expensive to find you. Don't get me wrong, I think it's excellent that people develop attempts at anonymity on the Internet (like Tor) but it's not providing TOTAL anonymity any more than a password will ever provide TOTAL security. If all your doing is attempting to stop marketers from bombarding you with ads or targeted marketing, then great. I do the same (often, but not always).

So, that all said, I guess my philosophy could be summed up by saying that I'd rather wait up for trouble, ready to deal with it than fall asleep thinking that I'm safe. If it's worth securing, realize that you'll have to fight hard to keep it secure and that trivial things like emails are probably not worth the effort.

27Sep/073

OpenVPN

Well in my drug-induced down time I've been fiddling with my Gentoo server some more... I added Wake-on-Lan support to the kernel so that I can power the system up from upstairs or across the country. It's nice because I don't tend to leave it on all the time and even when I'm home, it's a pain to hit the power button since I keep the system squirreled away in a cabinet.

In addition however, I also added OpenVPN support to the server. I punched a hole in the firewall and set up Ethernet bridging in order to give me full access to the entire network when I'm away from home. It works amazingly well. It wasn't quick to set up but it was kind of fun. Basically you create an Ethernet bridge between a "real" network adapter and the virtual OpenVPN adapter and assign that bridge the IP address of the old "real" network adapter. I like.