
Tag Archives: Security

Comments on this post are welcome and strongly encouraged.

Service providers such as Gmail, Yahoo, Facebook, Twitter…all of these, they need to offer users a data encryption option that does the following:

  1. It disables the password recovery system, so that no one else can exploit it or any weak links to it to get into our accounts, but if we “forget” our password then we can’t either; and
  2. Our passphrase encrypts a larger key which encrypts our non-public data on their servers with 256-bit AES encryption.
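The two-step scheme in items 1 and 2, as an added example in Go that is not code from the original post: the passphrase goes through PBKDF2 to a key-encryption key, which wraps a random 256-bit data key under AES-256-GCM, and a wrong passphrase simply fails to unwrap it, which is exactly why there is no recovery path. The iteration count, the wrapper function names and the sample values are assumptions, not any provider's actual API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// deriveKEK is PBKDF2-HMAC-SHA256 with one output block: 32 bytes, i.e. an AES-256 key.
func deriveKEK(pass, salt []byte) []byte {
	prf := hmac.New(sha256.New, pass)
	prf.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // U_1 = PRF(P, S || INT(1))
	u := prf.Sum(nil)
	kek := append([]byte(nil), u...)
	for i := 1; i < 100000; i++ { // assumed work factor; tune for the deployment
		prf.Reset()
		prf.Write(u) // U_i = PRF(P, U_{i-1}); KEK = U_1 xor ... xor U_c
		u = prf.Sum(nil)
		for j := range kek { kek[j] ^= u[j] }
	}
	return kek
}
func gcmFor(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(b)
}
// seal is AES-256-GCM with a fresh random nonce prefixed to the ciphertext.
func seal(key, pt []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err = rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, pt, nil), nil
}
// open reverses seal; a wrong key fails GCM authentication instead of yielding garbage.
func open(key, box []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil { return nil, err }
	n := g.NonceSize()
	if len(box) < n { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, box[:n], box[n:], nil)
}
// WrapDEK runs at enrollment: the provider keeps salt and wrapped DEK and discards pass and dek.
func WrapDEK(pass string, salt, dek []byte) ([]byte, error) { return seal(deriveKEK([]byte(pass), salt), dek) }
// UnwrapDEK runs at login; a wrong passphrase errors, and no "forgot password?" path can bypass that.
func UnwrapDEK(pass string, salt, wrapped []byte) ([]byte, error) { return open(deriveKEK([]byte(pass), salt), wrapped) }
```

Changing the passphrase is just WrapDEK again with the same dek under the new passphrase; everything already sealed under the DEK stays untouched, which is the point of wrapping a larger key instead of encrypting data with the passphrase directly.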

In light of the fact that General Petraeus was brought down by someone other than him or a personally trusted party accessing the data in his Gmail account, I think users need to be handed the keys to their own accounts, and service providers need to give them up. By far the most common way for hackers to steal highly important or sensitive data is the “forgot password?” link at any given website. Our email accounts are almost universally used as a skeleton key to our other accounts. Mat Honan’s Gmail, Twitter, and Apple ID accounts were all hacked into in the space of an hour this way, and the hackers deleted all of the data on his MacBook, iPhone, and iPad once they got in.

For services that offer this encryption option, there should be an additional option to unlink all email accounts as well. There are some services that exist already which allow you to open an account for which an email account is optional, but they’re not very common and typically are also obscure and small.

Obviously, this is something that won’t do much with services like Facebook and Twitter, because in order for the service to show tweets or posts to anyone else, they have to be readable by the service provider itself. However, if you’re on Facebook and change a post or picture to be visible to “only me,” the media should be encrypted with your encryption key, then all unencrypted copies deleted from the provider’s servers, including its content delivery network.

Another feature that absolutely needs to be in place is for all mail service providers to support mail delivery and relaying between mail servers over SSL or TLS, so that email never crosses the wire as plaintext. If email is encrypted on Gmail and encrypted on Yahoo! Mail, then the end-to-end link between them also needs to be encrypted. Ultimately, the amount of time an email spends stored or transmitted as plaintext should be minimized. It would also be nice if mail applications such as Mozilla Thunderbird had built-in encryption for the entire user profile (stored/locally cached mail, stored account passwords, configuration settings, etc.) protected by a master password, though it seems that most people point to workarounds rather than asking Mozilla to add such support directly to Thunderbird. (What if I don’t want to install full disk encryption software, or can’t do so, or want to use Thunderbird in a portable fashion on a flash drive?)

Yet another feature that would be very nice to have is a “lockdown” feature, where you can log into your encryption-enabled account on a service like Facebook or Twitter, go to some sort of security settings page, press a button called “lock down account,” confirm that you really meant to lock down the account, and all media stored in your account automatically gets changed to “only me” privacy and encrypted in one shot, plus any attached “escrow” methods of password retrieval such as cell phones or email addresses are rendered unusable. If you have reason to believe that your data needs to be locked down quickly, having a feature like this is critical.

The biggest downside to this system is that if you lose or forget your password, you lose everything. The most common response to this “downside” will be “that’s a great feature to have!” and I strongly agree: if I don’t want anyone accessing my account, I desperately need to be able to lose the password with no means of recovery. However, another downside is that if someone gains access to your account, they can lock you out of your own data in the same way that you can lock others out. The most obvious answer to this would be some form of two-factor authentication, but adding TFA to the mix implies that if you lose your second factor, you can’t lock down your account or change your encryption password either, so it’s a bit of a double-edged sword.

The major reason that “encrypt everything” has not been adopted by knowledgeable users is that it’s not available as an option, and where it is available, you have to jump through ridiculous hoops to get it set up and working. Things like the HTTPS Everywhere extension and Google switching its services to use HTTPS by default are steps in the right direction. The fact that anyone can get online and dig up your maiden name, social security number, city you were born in, first vehicle you owned, and much more within minutes and for small fees means that password recovery options with security questions and whatnot are the equivalent of locking your five deadbolts and leaving the key under the WELCOME mat. Furthermore, if the FBI, CIA, NSA, or some other three-letter agency decides they want to read your mail without your knowledge, there’s nothing at all stopping them from doing so.

One of the big arguments against encryption is that it allows bad people to hide bad things. News flash: bad people can use encryption even if you DON’T allow it. The only thing that happens when you don’t have encryption available is that GOOD people can’t protect themselves and their privacy so easily, but the bad guys have an extraordinary motivation to jump through the extra hoops required and certainly will do so to avoid being caught. This argument against providing encryption has no substance in a practical world.

In summary: Service providers need to give us the keys to our data.

HUGE FAT WARNING: I AM NOT A LAWYER. If you need legal advice, GET A REAL LAWYER.

I have a dedicated site for my guide on what to do if you receive a DMCA complaint or copyright infringement notice/settlement “offer” threat from your ISP.

Update 5, 2012-12-06: I’m working out the details of a next-gen P2P file sharing program that should fix up most of the problems with P2P file sharing today, including the IP address issue.

Update 4, 2012-10-18: Added a rambling post containing my thoughts on why it’s impossible to prove that individuals infringed over the Internet without their own confession to doing so.

Update 3, 2011-11-02: Added a new post with an analysis and the actual text of one of these notices.

Update 2, 2011-11-02: My little site at http://copyright-infringement-notice.com/ has been massively updated, including a guide for people who are panicking and feel a need to do immediate damage control.

Update: This is one of the most popular pages on my entire blog now…so, I’m now running a small website that provides information about copyright infringement notices. Check it out at http://copyright-infringement-notice.com/ and give me additional ideas, suggestions, or information to make it better!

I generally keep myself aware of what’s going on with the whole peer-to-peer file sharing scene, particularly because the case law it generates changes the nature of copyright law in this country, and as someone who writes software, I need to know about such changes.  Additionally, because I download a good number of legitimate files from BitTorrent trackers (i.e. Linux distribution CD images), I want to know what I’m stepping in.  I’ve noticed a very disturbing trend over time which concerned me enough to finally write a whole blog post:

“Copyright cops” who threaten users of BitTorrent trackers frivolously pursue anyone whose IP appears on their radar and their evidence would not stand up to even the most trivial review.

That’s right, companies such as BayTSP, Copyright Enforcement Group, U.S. Copyright Group, and other paid agents of large media companies are bringing claims against torrent users without even collecting evidence of infringement.  For example, the University of Washington managed to get a DMCA copyright infringement cease-and-desist notice sent to its technical department.  The copyright cops caught the user at this UW IP address RED-HANDED, INFRINGING ON THEIR COPYRIGHT!

The IP address being accused of BitTorrent-based copyright infringement belonged to a network printer.

No, I’m not kidding.  The recording/movie/television industry copyright “enforcement” corporations accused their network printer of stealing movies.  That’s how easy it is to be wrongly accused.  But what else?  There’s another experiment from 2007 which was performed with a specially written BitTorrent client which explicitly did not download nor upload any material, only jumped on a tracker and added itself to peer lists.  This client, which was designed to be incapable of actually infringing copyrights, generated copyright infringement notices from BayTSP despite the fact that such infringement was simply not possible with that application!

I find this to be absolutely ridiculous, particularly because of the nature of these notices.  Many of them are also legal threats.  Regardless of innocence or guilt, any filing of a lawsuit against you costs money to handle, and if it’s so easy for these automated copyright scanning processes to both target the wrong person entirely AND target people who didn’t provably upload or download file data at all, that doesn’t bode well for any of the parties involved.  It’s fairly obvious that the “copyright cop” companies are basing their claims of infringement solely on the population of BitTorrent trackers’ peer lists.  They don’t actually download the entire file from you and keep logs that show they did so as evidence that you indeed infringed on their copyright; they merely see your address in a particular list and send off the notice.

Study 1:  http://dmca.cs.washington.edu/

Study 2:  http://bmaurer.blogspot.com/2007/02/big-media-dmca-notices-guilty-until.html

TechDirt article on this topic:  http://www.techdirt.com/articles/20100401/0846028831.shtml

What’s even more outrageous to me is that these companies advertise their services as being unethical right off the bat.  They resort to legal threats and mass lawsuits against “infringing parties” but they advertise it to content owners and rights holders this way:  “Monetize copyright infringement!  We can bring you income from a surprising source: people who download your content illegally!”  It’s not even about doing the right thing, it’s about the bottom line, meaning they have no reason to care about innocent people being caught in the dragnet.

Despite the risk of a lawsuit, if you happen to receive a DMCA copyright infringement notice which is forwarded by your ISP, either by email or regular mail, here’s my advice:

  1. DO NOT EVER CLICK ON ANYTHING IN AN EMAIL, VISIT ANY WEBSITE IN A LETTER OR POSTCARD, OR OTHERWISE REPLY OR MAKE CONTACT IN ANY WAY WHATSOEVER! You run a plethora of risks if you respond in any way, even indirectly such as by visiting the “copyright cops” website out of curiosity.  They can fingerprint your computer, you may be implicitly admitting guilt even if you’re innocent, you could hand them personal information such as your full name by accident…the list goes on.  DON’T DO IT.
  2. Read the studies above, as well as any other relevant material you find online such as articles on p2pnet.net, just in case anything happens.  If you end up in a bad situation, you need to be able to educate your lawyer on how their infringement detection tactics are grossly flawed.  Be prepared, JUST IN CASE.
  3. If you really did infringe on someone’s copyright, do the right thing. That means disposing of the things you’ve downloaded and putting yourself in a position where you’re less likely to end up with more infringement notices.  That doesn’t mean admitting guilt. Don’t ever admit guilt in any way, just delete the downloads, stop downloading stuff you shouldn’t be, and shut up about the whole thing.  Admitting ANYTHING is just plain begging for a lawsuit.
  4. If you’re truly paranoid, back up your data, zero out your hard drive using something like the Tritech Service System (running “dd if=/dev/zero of=/dev/sda” will do it on almost any computer out there), and reinstall clean so there’s no evidence left behind.  If you get in a legal fight and your computer gets subpoenaed for discovery, you can’t do this, but there’s nothing stopping you from doing as you please with your hard drive before receiving a subpoena.
  5. Most ISPs won’t kick you off their service for this.  Don’t respond to the ISP unless you receive direct threats from them.  If your ISP threatens to disconnect your service, use the information in the experiments above to explain to them that these people are making claims for which they have no real proof, and that you are not infringing on anyone’s copyrights.  Remember that the ISP has no reason to boot you unless you’re a very egregious media thief, and if that’s the case you probably can’t read this by now anyway.

As a creator of copyrighted works, I can’t condone the piracy of copyrighted material, but I also feel that the major media industry corporations have gone way too far with their “sue them all” tactics.  If someone pirated my creation and I found out, I wouldn’t threaten them or demand a settlement payment so quickly; I’d ask them to do the right thing and just pay up for it if they liked it (or toss it if they didn’t and tell me why so I could make it better.)

Don’t steal stuff, but don’t let big companies steal from you for something you didn’t do either.

It would be nice to hear from a real copyright lawyer on this issue.  Feel free to comment, especially if you’re a lawyer.  I don’t post email addresses, your comment will be as anonymous as you name it to be.

One of these days, I’ll find the guy who writes this stuff and leave his rotting carcass in a ditch.

How is it that people get more of these fake security programs than even actual viruses?

I’m becoming an expert at getting rid of stuff that’s just nagware, not even a real virus, and it’s getting quite old.  If I hunt the guy down that’s making the money off this thing (and I’m sure it can be done) perhaps I can spend my time helping customers with real issues instead of removing this trash from machines!

*sigh*

Anyone want to help me track down and de-fund the guy behind this stuff?
