
Tag Archives: Security

Comments on this post are welcome and strongly encouraged.

Service providers such as Gmail, Yahoo, Facebook and Twitter need to offer users a data encryption option that does the following:

  1. It disables the password recovery system, so that no one can exploit it, or any weak link attached to it, to get into our accounts; the trade-off is that if we “forget” our password, we can’t get in either; and
  2. Our passphrase encrypts (wraps) a separate, larger random key, and that key encrypts our non-public data on their servers with 256-bit AES.
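As an added illustration of item 2, not code from this post or from any of the providers named above: a Go sketch of the “passphrase wraps a data key” layout. The names (Account, NewAccount, Unlock, Rewrap), the choice of PBKDF2-HMAC-SHA256 as the passphrase KDF and AES-256-GCM as the cipher are my assumptions; the post specifies only 256-bit AES. What it shows is that the server holds nothing but a salt, a wrapped data key and ciphertext, so there is no recovery path to weaken, and that changing the passphrase only rewraps the key rather than re-encrypting years of mail.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

const kdfIterations = 100000 // KDF work factor: an assumption here; raise it in production

// Account is the hypothetical server-side record: it stores neither the passphrase
// nor the unwrapped data key, so a "forgot password?" feature has nothing to return.
type Account struct {
	Salt       []byte // per-account KDF salt
	WrappedDEK []byte // random 32-byte data key, sealed under the passphrase-derived key
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256; one 32-byte output block is all AES-256 needs.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := prf.Sum(nil)
	t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
	for n := 1; n < iter; n++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		subtle.XORBytes(t, t, u)
	}
	return t
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable randomness: refuse to continue
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // key length is fixed by this code, never by user input
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// SealGCM encrypts and authenticates, prepending the random nonce.
func SealGCM(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// OpenGCM reverses SealGCM; a wrong key fails the tag check instead of yielding garbage.
func OpenGCM(key, sealed []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// NewAccount generates the random data key and wraps it under the passphrase.
func NewAccount(passphrase string) *Account {
	salt := randBytes(16)
	return &Account{Salt: salt, WrappedDEK: SealGCM(pbkdf2SHA256([]byte(passphrase), salt, kdfIterations), randBytes(32))}
}

// Unlock re-derives the passphrase key and unwraps the data key for use with SealGCM/OpenGCM.
func (a *Account) Unlock(passphrase string) ([]byte, error) {
	dek, err := OpenGCM(pbkdf2SHA256([]byte(passphrase), a.Salt, kdfIterations), a.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("wrong passphrase, and there is no recovery path")
	}
	return dek, nil
}

// Rewrap re-seals the same data key under a new passphrase and salt; stored content is untouched.
func (a *Account) Rewrap(oldPass, newPass string) error {
	dek, err := a.Unlock(oldPass)
	if err != nil {
		return err
	}
	salt := randBytes(16)
	a.Salt, a.WrappedDEK = salt, SealGCM(pbkdf2SHA256([]byte(newPass), salt, kdfIterations), dek)
	return nil
}

func main() {
	acct := NewAccount("correct horse battery staple")
	fmt.Println(acct.Unlock("guess"))
}
```

Two caveats a practitioner would add: a stolen Account record is still only as strong as the passphrase, which is why the KDF work factor matters; and nothing in this layout stops a provider that sees the plaintext before sealing it from keeping a copy, so the wrapping has to happen on the client if the provider is to be genuinely unable to read the data.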

In light of the fact that General Petraeus was brought down by someone other than himself or a personally trusted party gaining access to the data in his Gmail account, I think users need to be handed the keys to their own accounts, and service providers need to give those keys up. By far the most common way attackers get at highly important or sensitive data is the “forgot password?” link at any given website. Our email accounts are almost universally used as a skeleton key to our other accounts. Mat Honan’s Gmail, Twitter, and Apple ID accounts were all broken into in the space of an hour this way, and once the attackers were in they deleted all of the data on his MacBook, iPhone, and iPad.

For services that offer this encryption option, there should be an additional option to unlink all email addresses from the account as well. A few services already let you open an account without a required email address, but they are uncommon, and typically obscure and small.

Obviously, this won’t do much for the public side of services like Facebook and Twitter, because in order for the service to show tweets or posts to anyone else, they have to be readable by the service provider itself. However, if you’re on Facebook and change a post or picture to be visible to “only me,” the media should be encrypted with your encryption key and every unencrypted copy deleted from the provider’s servers, including its content delivery network.

Another feature that absolutely needs to be in place is for all mail service providers to support mail delivery and relaying over SSL or TLS (STARTTLS between mail servers), so that email does not cross the wire in plaintext. If email is encrypted at rest on Gmail and encrypted at rest on Yahoo! Mail, then the server-to-server link between them also needs to be encrypted; and because STARTTLS is opportunistic, the sending server has to refuse to deliver without it, or an attacker on the path can strip the STARTTLS offer and force the connection back to plaintext. Ultimately, the amount of time an email spends stored or transmitted as plaintext should be minimized. It would also be nice if mail applications such as Mozilla Thunderbird had built-in encryption for the entire user profile (stored/locally cached mail, stored account passwords, configuration settings, etc.) protected by a master password, though most people point to workarounds rather than asking Mozilla to add such support directly to Thunderbird. (What if I don’t want to install full disk encryption software, or can’t, or want to run Thunderbird from a flash drive?)

Yet another feature that would be very nice to have is a “lockdown” feature: you log into your encryption-enabled account on a service like Facebook or Twitter, go to the security settings page, press a button called “lock down account,” confirm that you really meant it, and all media stored in your account is changed to “only me” privacy and encrypted in one shot, while any attached “escrow” methods of password retrieval, such as cell phone numbers or email addresses, are rendered unusable. If you have reason to believe that your data needs to be locked down quickly, having a feature like this is critical.

The biggest downside to this system is that if you lose or forget your password, you lose everything. The most common response to this “downside” will be “that’s a great feature to have!” and I strongly agree: if I don’t want anyone accessing my account, I desperately need to be able to lose the password with no means of recovery. However, another downside is that if someone gains access to your account, they can lock you out of your own data in the same way that you can lock others out. The most obvious answer to this would be some form of two-factor authentication, but a second factor cuts both ways: if you lose it, you can no longer lock down your account or change your encryption password either.

The major reason that “encrypt everything” has not been adopted even by knowledgeable users is that it’s not available as an option, and where it is available, you have to jump through ridiculous hoops to get it set up and working. Things like the HTTPS Everywhere extension and Google switching its services to HTTPS by default are steps in the right direction. The fact that anyone can get online and dig up your mother’s maiden name, Social Security number, the city you were born in, the first vehicle you owned, and much more within minutes and for small fees means that password recovery via security questions is the equivalent of locking your five deadbolts and leaving the key under the WELCOME mat. Furthermore, if the FBI, CIA, NSA, or some other three-letter agency decides they want to read your mail without your knowledge, there’s nothing at all stopping them from doing so.

One of the big arguments against encryption is that it allows bad people to hide bad things. News flash: bad people can use encryption even if you DON’T allow it. The only thing that happens when you don’t have encryption available is that GOOD people can’t protect themselves and their privacy so easily, but the bad guys have an extraordinary motivation to jump through the extra hoops required and certainly will do so to avoid being caught. This argument against providing encryption has no substance in a practical world.

In summary: Service providers need to give us the keys to our data.

HUGE FAT WARNING: I AM NOT A LAWYER. If you need legal advice, GET A REAL LAWYER.

I will not answer unsolicited emails about this topic in a way you will like. Don’t email me. Ask for email in a comment if you need to talk privately. Also, comments are moderated and do not appear immediately!

Update 5, 2012-12-06: I’m working out the details of a next-gen P2P file sharing program that should fix up most of the problems with P2P file sharing today, including the IP address issue.

Update 4, 2012-10-18: Added a rambling post containing my thoughts on why it’s impossible to prove that individuals infringed over the Internet without their own confession to doing so.

Update 3, 2011-11-02: Added a new post with an analysis and the actual text of one of these notices.

Update 2, 2011-11-02: My little site at http://copyright-infringement-notice.com/ has been massively updated, including a guide for people who are panicking and feel a need to do immediate damage control.

Update: This is one of the most popular pages on my entire blog now…so, I’m now running a small website that provides information about copyright infringement notices. Check it out at http://copyright-infringement-notice.com/ and give me additional ideas, suggestions, or information to make it better!

I generally keep myself aware of what’s going on with the whole peer-to-peer file sharing scene, particularly because the case law it generates changes the nature of copyright law in this country, and as someone who writes software, I need to know about such changes. Additionally, because I download a good number of legitimate files from BitTorrent trackers (e.g. Linux distribution CD images), I want to know what I’m stepping in. I’ve noticed a very disturbing trend over time which concerned me enough to finally write a whole blog post:

“Copyright cops” who threaten users of BitTorrent trackers frivolously pursue anyone whose IP appears on their radar and their evidence would not stand up to even the most trivial review.

That’s right, companies such as BayTSP, Copyright Enforcement Group, U.S. Copyright Group, and other paid agents of large media companies are bringing claims against torrent users without even collecting evidence of infringement. For example, researchers at the University of Washington were able to trigger a DMCA copyright infringement cease-and-desist notice to the university’s technical department. The copyright cops had caught the user at this UW IP address RED-HANDED, INFRINGING ON THEIR COPYRIGHT!

The IP address being accused of BitTorrent-based copyright infringement belonged to a network printer.

No, I’m not kidding. The recording/movie/television industry copyright “enforcement” corporations accused a network printer of stealing movies. That’s how easy it is to be wrongly accused. But what else? There’s another experiment from 2007 which used a specially written BitTorrent client that neither downloaded nor uploaded any material; it only joined a tracker and added itself to the peer list. This client, designed to be incapable of infringing copyright, still drew copyright infringement notices from BayTSP, despite the fact that infringement was simply not possible with that application!

I find this absolutely ridiculous, particularly because of the nature of these notices. Many of them are also legal threats. Regardless of innocence or guilt, any lawsuit filed against you costs money to handle, and if it’s so easy for these automated copyright scanning processes both to target the wrong party entirely AND to target people who provably did not upload or download file data at all, that doesn’t bode well for anyone involved. It’s fairly obvious that the “copyright cop” companies base their claims of infringement solely on the population of BitTorrent trackers’ peer lists. They don’t actually download the entire file from you and keep logs showing that they did so as evidence that you infringed; they merely see your address in a particular list and send off the notice.

Study 1:  http://dmca.cs.washington.edu/

Study 2:  http://bmaurer.blogspot.com/2007/02/big-media-dmca-notices-guilty-until.html

TechDirt article on this topic:  http://www.techdirt.com/articles/20100401/0846028831.shtml
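To make concrete what “the population of a tracker’s peer list” actually contains, here is an added Go example (my code, not from this post or from either study): a minimal bencode decoder applied to a tracker announce reply in compact-peers form. SampleResponse is constructed for the example and was not captured from any real tracker. Everything a client announces (port, bytes uploaded, bytes downloaded, bytes left) is self-reported, which is how the 2007 client could sit in the list without ever transferring a byte; and because the reply is untrusted input, the decoder rejects declared string lengths that overrun the buffer and truncated replies instead of reading past the end.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"net"
	"strconv"
)

// SampleResponse is a constructed tracker reply (not captured from any real tracker):
// interval 1800 and a compact "peers" string, four IPv4 bytes plus a 16-bit port each.
var SampleResponse = append([]byte("d8:intervali1800e5:peers12:"),
	10, 0, 0, 1, 0x1a, 0xe1, // 10.0.0.1:6881
	192, 168, 1, 20, 0x1f, 0x90, // 192.168.1.20:8080
	'e')

// decode parses one bencoded value at data[pos] and returns it with the offset just
// past it: strings as []byte, integers as int64, lists as []interface{}, dicts as maps.
func decode(data []byte, pos int) (interface{}, int, error) {
	if pos >= len(data) {
		return nil, pos, errors.New("truncated input")
	}
	switch c := data[pos]; {
	case c == 'i':
		end := bytes.IndexByte(data[pos:], 'e')
		if end < 0 {
			return nil, pos, errors.New("unterminated integer")
		}
		n, err := strconv.ParseInt(string(data[pos+1:pos+end]), 10, 64)
		return n, pos + end + 1, err
	case c == 'l' || c == 'd':
		list, dict := []interface{}{}, map[string]interface{}{}
		for pos++; pos < len(data) && data[pos] != 'e'; {
			v, next, err := decode(data, pos)
			if err != nil {
				return nil, pos, err
			}
			if c == 'l' {
				list, pos = append(list, v), next
				continue
			}
			key, ok := v.([]byte)
			if !ok {
				return nil, pos, errors.New("dictionary key is not a string")
			}
			if dict[string(key)], next, err = decode(data, next); err != nil {
				return nil, pos, err
			}
			pos = next
		}
		if pos >= len(data) {
			return nil, pos, errors.New("unterminated list or dictionary")
		}
		if c == 'l' {
			return list, pos + 1, nil
		}
		return dict, pos + 1, nil
	case c >= '0' && c <= '9':
		colon := bytes.IndexByte(data[pos:], ':')
		if colon < 0 {
			return nil, pos, errors.New("string without length separator")
		}
		n, err := strconv.Atoi(string(data[pos : pos+colon]))
		start := pos + colon + 1
		if err != nil || n < 0 || start+n > len(data) {
			return nil, pos, errors.New("string length overruns input") // never trust a declared length
		}
		return data[start : start+n], start + n, nil
	}
	return nil, pos, fmt.Errorf("unexpected byte %q at offset %d", data[pos], pos)
}

// CompactPeers lists the ip:port entries in a tracker reply. This is the whole of
// what polling a tracker reveals: addresses that announced themselves, with no
// indication that any of them transferred a byte of the file.
func CompactPeers(resp []byte) ([]string, error) {
	v, _, err := decode(resp, 0)
	if err != nil {
		return nil, err
	}
	dict, _ := v.(map[string]interface{}) // a non-dict reply leaves dict nil and "peers" missing
	raw, ok := dict["peers"].([]byte)
	if !ok || len(raw)%6 != 0 {
		return nil, errors.New("peers field missing or not in compact form")
	}
	peers := make([]string, 0, len(raw)/6)
	for i := 0; i < len(raw); i += 6 {
		port := int(raw[i+4])<<8 | int(raw[i+5])
		peers = append(peers, net.JoinHostPort(net.IP(raw[i:i+4]).String(), strconv.Itoa(port)))
	}
	return peers, nil
}

func main() {
	fmt.Println(CompactPeers(SampleResponse))
}
```

Running it prints the two addresses and nothing else: no file name beyond the info_hash the client asked about, no byte counts, no proof that either address ever completed a handshake with anyone. That list is the “evidence” behind a notice based on tracker polling.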

What’s even more outrageous to me is that these companies advertise their services as being unethical right off the bat.  They resort to legal threats and mass lawsuits against “infringing parties” but they advertise it to content owners and rights holders this way:  “Monetize copyright infringement!  We can bring you income from a surprising source: people who download your content illegally!”  It’s not even about doing the right thing, it’s about the bottom line, meaning they have no reason to care about innocent people being caught in the dragnet.

Despite the risk of a lawsuit, if you happen to receive a DMCA copyright infringement notice which is forwarded by your ISP, either by email or regular mail, here’s my advice:

  1. DO NOT EVER CLICK ON ANYTHING IN AN EMAIL, VISIT ANY WEBSITE IN A LETTER OR POSTCARD, OR OTHERWISE REPLY OR MAKE CONTACT IN ANY WAY WHATSOEVER! You run a plethora of risks if you respond in any way, even indirectly such as by visiting the “copyright cops” website out of curiosity.  They can fingerprint your computer, you may be implicitly admitting guilt even if you’re innocent, you could hand them personal information such as your full name by accident…the list goes on.  DON’T DO IT.
  2. Read the studies above, as well as any other relevant material you find online such as articles on p2pnet.net, just in case anything happens.  If you end up in a bad situation, you need to be able to educate your lawyer on how their infringement detection tactics are grossly flawed.  Be prepared, JUST IN CASE.
  3. If you really did infringe on someone’s copyright, do the right thing. That means disposing of the things you’ve downloaded and putting yourself in a position where you’re less likely to end up with more infringement notices.  That doesn’t mean admitting guilt. Don’t ever admit guilt in any way, just delete the downloads, stop downloading stuff you shouldn’t be, and shut up about the whole thing.  Admitting ANYTHING is just plain begging for a lawsuit.
  4. If you’re truly paranoid, back up your data, zero out your hard drive using something like the Tritech Service System (running “dd if=/dev/zero of=/dev/sda” will do it on almost any computer out there, but check first that /dev/sda really is the disk you mean, because it destroys everything on it), and reinstall clean so there’s no evidence left behind.  If you get in a legal fight and your computer gets subpoenaed for discovery, you can’t do this, but there’s nothing stopping you from doing as you please with your hard drive before receiving a subpoena.
  5. Most ISPs won’t kick you off their service for this.  Don’t respond to the ISP unless you receive direct threats from them.  If your ISP threatens to disconnect your service, use the information in the experiments above to explain to them that these people are making claims for which they have no real proof, and that you are not infringing on anyone’s copyrights.  Remember that the ISP has no reason to boot you unless you’re a very egregious media thief, and if that’s the case you probably can’t read this by now anyway.

As a creator of copyrighted works, I can’t condone the piracy of copyrighted material, but I also feel that the major media industry corporations have gone way too far with their “sue them all” tactics.  If someone pirated my creation and I found out, I wouldn’t threaten them or demand a settlement payment so quickly; I’d ask them to do the right thing and just pay up for it if they liked it (or toss it if they didn’t and tell me why so I could make it better.)

Don’t steal stuff, but don’t let big companies steal from you for something you didn’t do either.

It would be nice to hear from a real copyright lawyer on this issue.  Feel free to comment, especially if you’re a lawyer.  I don’t post email addresses, your comment will be as anonymous as you name it to be.

One of these days, I’ll find the guy who writes this stuff and leave his rotting carcass in a ditch.

How is it that people get more of these fake security programs than even actual viruses?

I’m becoming an expert at getting rid of stuff that’s just nagware, not even a real virus, and it’s getting quite old.  If I hunt the guy down that’s making the money off this thing (and I’m sure it can be done) perhaps I can spend my time helping customers with real issues instead of removing this trash from machines!

*sigh*

Anyone want to help me track down and de-fund the guy behind this stuff?

Today I ran into two very troublesome situations.  One was a failing hard drive on a long-time client’s laptop, chock full of important information, but luckily the failure was gradual enough to cause serious speed issues and force them to call me before the whole thing could become a toaster.  The other was a far more difficult scenario: another returning client who uses the computer to run his business had somehow managed to pick up the worst class of computer virus I can think of: an executable-infecting virus.

You see, what these horribly nasty viruses do to your computer renders them essentially incapable of being repaired and returning to “like it never happened” functionality.  In case you don’t know, an “executable” is a term for the actual file that your icons run to start the program of your choice.  Essentially, they are the program.  A virus that infects executables will insert the virus code into the actual program file that you run to start software…including Windows itself.  I’ve only seen two infections before today that involved this class of virus, and the first one completely latched into everything, forcing a total wipe and reinstall.  The second one was not quite as “zealous” and didn’t infect things as readily, so I was able to recover that system from pending doom.  Today, however, is the second time I have encountered this type of infection to a point that I was incapable of repairing it.  My clients can tell you that I don’t play around on the computer: I know what I’m doing and I boast extremely high success rates where other “technicians” fail miserably.  I’d estimate that out of a random sample of 50 jobs, I have to do some sort of Windows reinstall on only about 1-2 of them.

Despite having six years of all-day-every-day experience tirelessly working to find every imaginable way to repair every computer problem under the sun without “major surgery” like reinstalling Windows, today I had to give in to the reinstallation machine that I so dreadfully despise, but I don’t regret doing so.

You must come to understand that even Windows itself is composed of hundreds of executable files.  They are often hidden behind the scenes and carry names such as “winlogon.exe” and “svchost.exe” and “ctfmon.exe” and “userinit.exe” and “logonui.exe,” and none of these should really ring a bell in your mind because you’re not supposed to know that they’re floating back there.  However, every single one of these files can be infected with a virus like this one.

Let’s put it this way: when you boot your computer, Windows loads a bunch of drivers, the hardware abstraction layer (HAL), and the NT kernel: a bunch of really critical core stuff that makes everything else in the machine tick.  Once the pretty blue background pops up, however, those executables start firing off one by one.  svchost.exe starts in the background numerous times so that your sound card, automatic updates, Internet connectivity, and other system services can start working.  When you log in, logonui.exe runs, and then userinit.exe kicks in as well.  The ever-popular explorer.exe loads and shows you your icons and Start menu.  Any software you have installed may have startup items, such as the Adobe Reader Speed Launcher (reader_sl.exe) or the various America Online core services.

To bring all that irrelevant-sounding blah-blah-blah into perspective, nearly every single thing that runs in the list above gets infected with this kind of virus almost immediately once your machine is compromised. That means that Windows becomes a living virus.  The system is infected everywhere.  You can’t even boot halfway without running the virus itself, which then reinfects anything you may have cleaned.  Got Adobe Creative Suite?  They’re probably all toast–infected with the virus.  Hearts?  Infected.  Solitaire?  Infected.  Norton 360?  Infected.
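An added Go example (mine, not from this post) of the check a technician would want before trusting any executable on a machine like this: a SHA-256 baseline of every executable file under a directory, and a comparison that separates patched files from dropped and missing ones. The extension list is my assumption. Because an infected system can lie about its own files (see the rootkit point below), the comparison only means something when the scan runs from clean boot media against the suspect disk and the baseline was taken while the machine was known to be clean.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// executable lists the extensions worth baselining on a Windows install; an
// assumption for this example, extend it for your own machines.
var executable = map[string]bool{".exe": true, ".dll": true, ".sys": true, ".scr": true, ".ocx": true}

// Baseline walks root and records the SHA-256 of every executable file, keyed
// by its slash-separated path relative to root.
func Baseline(root string) (map[string]string, error) {
	sums := map[string]string{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || !executable[strings.ToLower(filepath.Ext(path))] {
			return err
		}
		f, err := os.Open(path)
		if err != nil {
			return err
		}
		defer f.Close()
		h := sha256.New()
		if _, err := io.Copy(h, f); err != nil {
			return err
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		sums[filepath.ToSlash(rel)] = hex.EncodeToString(h.Sum(nil))
		return nil
	})
	return sums, err
}

// Compare reports every difference between a trusted baseline and a fresh scan:
// files whose contents changed (an infector patched or appended to them), files
// the baseline never saw (dropped payloads), and files that have disappeared.
func Compare(baseline, current map[string]string) (modified, added, missing []string) {
	for path, sum := range current {
		switch old, seen := baseline[path]; {
		case !seen:
			added = append(added, path)
		case old != sum:
			modified = append(modified, path)
		}
	}
	for path := range baseline {
		if _, ok := current[path]; !ok {
			missing = append(missing, path)
		}
	}
	sort.Strings(modified)
	sort.Strings(added)
	sort.Strings(missing)
	return modified, added, missing
}

func main() {
	dir, err := os.MkdirTemp("", "baseline-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	exe := filepath.Join(dir, "winlogon.exe")
	write := func(body string) {
		if err := os.WriteFile(exe, []byte(body), 0o644); err != nil {
			panic(err)
		}
	}
	write("MZ clean program")
	before, _ := Baseline(dir)
	write("MZ clean program\x00appended virus body") // stand-in for an infector's patch
	after, _ := Baseline(dir)
	modified, added, missing := Compare(before, after)
	fmt.Println("modified:", modified, "added:", added, "missing:", missing)
}
```

The baseline file itself has to live off the machine (or on read-only media), for the same reason the scan does: an infector that can rewrite winlogon.exe can rewrite a manifest sitting next to it.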

I hope that this admittedly lengthy explanation brings you to appreciate the skills of a good computer technician (as well as the skills of the virus authors, who we’d all probably love to strangle one day), and the true importance of practicing good security habits when using your computer.  When I originally wrote the spyware and viruses page on the company website, my intent was to help you jump-start your computer security knowledge (and break some of the misinformation that exists today), and I hope you’ll read it now if you haven’t done so already.

I need to add this detail to said page, but I will dispense it here so that it will be clear: once your computer is compromised, you have NO SECURITY AT ALL!!! Modern viruses use rootkit-like technologies to hide themselves from virus scanners and bypass security measures such as software firewalls.  If you are compromised, security software is essentially rendered useless. Prevention should be your goal, not mitigation after compromise.  Don’t click on anything or say “yes” to anything unless you are 120% certain that it is legitimate.  Get Mozilla Firefox to avoid the plethora of security holes in Internet Explorer.  Take the time to find out what can get you in deep doo-doo when browsing the Internet (“free porn” searches are the biggest culprit, though many wouldn’t admit it–see that “.exe” at the end of the file name?!  It’s amazing how easy it is to infect a computer when the user is desperately looking for free porn and will download and run anything to get it.)  Most importantly, if your computer seems to be slower than usual, or pausing more frequently than is normal in your daily experience, do not hesitate to call a verifiably experienced computer technician to diagnose the problem.  If your water heater sprung a tiny water leak, would you hesitate to call a plumber, or would you try to patch it up until the pressure caused the leaking part to explode?

I can’t even begin to explain how frustrating it is to walk into a loyal client’s house to discover that the problem actually started months ago, and became disastrous because they chose to “live with it” and let it grow and compound rather than call me up and ask for a little bit of free assistance.  (Any computer business worth their salt will take five minutes to talk to you at no charge.  It’s called “customer service” and it gets left out a lot with many large businesses these days.)  When I perform computer services, it is a very personal matter for me, because the results of my work (short- and long-term) define what people think of me and my skills, and I can’t do my job for someone properly if they don’t tell me that there’s a problem.

If you take anything away from reading this post, (A) learn how to avoid danger on the Internet in the first place, and (B) don’t hesitate to call an expert when things may be getting beyond your control.

Greetings! This article has been moved to the Tritech Computer Solutions page called Fake/Rogue Antivirus, Security, and Utility Software. Please update your links and bookmarks to reflect this change.
