Leaving your wi-fi network open

Wi-fi network

Bruce Schneier (a leading US computer security expert) and the Electronic Frontier Foundation (EFF) advise leaving your wi-fi network open: that is, not using encryption protocols such as WEP or WPA2. This allows neighbours and passers-by to use it when in urgent need, and increases societal cooperation. The EFF states:

“If you sometimes find yourself needing an open wireless network in order to check your email from a car, a street corner, or a park, you may have noticed that they’re getting harder to find.”

Due to privacy concerns, and also to avoid letting terrorists and anti-national elements use the spectrum, people are closing down their wi-fi networks. This is also the official advice from my ISP.

The EFF argues, however, that allowing access to others is just another way of giving back to society. In addition they argue that this allows more efficient use of spectrum compared to cell phone towers. The EFF admits, however, that current protocols are not designed for efficient sharing. The ideal protocol, as per the EFF, would allow sharing part of your bandwidth while leaving the rest encrypted and closed to snooping. They are working on building such a protocol.

I would love to leave my network open: I do not use all my bandwidth, and in fact do not use it at all for several hours a day. I have an unlimited plan, so it would not be a financial burden. It would instead shift the burden to the ISPs, which I believe is fair; they have restrictive trade practices too.

Given the current state of terrorism in India, however, I do not feel safe in doing so. America came to understand terrorism only a decade ago; we have felt it for the last several decades. We know that an open wi-fi network was used to send the claim of responsibility for the 26/11 Mumbai attacks. I am also not sure of the legal protection in India, if any. The government machinery works on an ad hoc basis, even though we may claim to be the world's largest democracy.

Please post thoughts / comments.


Wrenched back a hacked email account: and lesson learnt

Email Gone

I always advised people to enter random text in response to lost-password questions, and to keep the password written down somewhere safe so you never forget it. This incident changed my viewpoint. Read on…

This incident happened to a friend of mine a couple of days back. He woke up one morning to find himself unable to log on to his account. Yahoo! had temporarily locked the account, and people in his address book had received an email claiming he was in trouble, without any money, and asking for money. He was unable to contact some of them to tell them he was fine: the address book was also inaccessible.

I told him to be patient and wait for Yahoo to unlock the account. It was apparent that someone had brute-forced his password and was seeking money. This is more difficult to do with Gmail because of their captcha; however, it is possible with Yahoo. His password was a non-English word.

Around 12 hours later the account was unlocked and we tried to reset the password. The hacker had added one of his own email IDs as the alternate ID, but luckily Yahoo allowed us to use the reset questions (we selected 'my account is compromised' and 'I am unable to access any of the passwords'). Initially we assumed the hacker would have changed those as well and didn't try to answer them. A moment later, however, I noticed that Yahoo showed 'June 09' as the last-modified date of the questions: the hacker had not changed them! With some trial and error my friend answered them correctly and the account was unlocked. I then went back and removed the hacker's alternate account: this was important, because otherwise the hacker could have used it to reset the password again.

Lessons learnt:

  • Use a strong password with a mix of letters, numbers and special characters. This one was clearly brute-forced, which is the easiest way to hack an account other than social engineering (which is hard if you don't know the person whose account you are targeting). If you have a tough time coping with passwords, use Password Safe.
  • Reset questions: answer them randomly, so that someone who knows you and can guess the real answers can't reset your password. However, keep a backup of those random responses in a computer file so that YOU can answer them if something goes wrong. For example, many people know where you went on honeymoon or your mother's maiden name, so respond with 'monkey typing' and save a copy.
  • Keep your alternate email IDs up to date, or set up mobile SMS as a backup.
  • Maintain an offline backup of your address book. Most providers allow this.
  • If you want, you can go a step further and hide your real ID, as shown here, when submitting your email address to unscrupulous websites, blogs, boards etc.
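To make the first two lessons concrete, here is a small Python script, added here as an example and not part of the original post, that generates 'monkey typing' answers (or passwords) from a cryptographically secure random source, records how much entropy each one carries, and writes the answers to a file you keep offline. The question list and the file name are constructed for illustration; real sites present their own questions.

```python
"""Generate high-entropy answers for password-reset questions and keep an
offline record of them.

Added example, not code from the original post. The question list and the
record file name are made up for illustration.
"""
import json
import math
import secrets
import string

# Printable characters that survive most web forms; quotes and backslashes
# are left out because some sites strip or mangle them.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def random_answer(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random 'monkey typing' string from a CSPRNG.

    The same function serves for passwords: secrets.choice draws from the
    OS random source, unlike the random module."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random string of this length over the alphabet.

    20 characters over a 76-symbol alphabet is about 125 bits, far beyond
    anything a guessing attack against a web login could cover."""
    return length * math.log2(len(alphabet))


def build_reset_record(account: str, questions: list, length: int = 20) -> dict:
    """Map each reset question to its own random answer, noting the entropy."""
    answers = {q: random_answer(length) for q in questions}
    return {
        "account": account,
        "entropy_bits_per_answer": round(entropy_bits(length), 1),
        "answers": answers,
    }


def save_record(record: dict, path: str) -> None:
    """Write the record as JSON. Keep this file offline, ideally inside an
    encrypted container or a password manager such as Password Safe."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2)


if __name__ == "__main__":
    # Constructed sample questions; real sites present their own.
    sample_questions = [
        "Where did you go on your honeymoon?",
        "What is your mother's maiden name?",
    ]
    record = build_reset_record("friend@example.com", sample_questions)
    print(json.dumps(record, indent=2))
    # save_record(record, "reset-answers-yahoo.json")  # assumed file name
```

When the provider asks a question, paste the stored answer; the answers are unrelated to anything a person who knows you could guess, which is the whole point of the second lesson.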

Internet censorship and loss of privacy

Surveillance

An excellent essay by Bruce Schneier on government-organized initiatives worldwide to reduce internet privacy and impose censorship. There is also evidence that criminals can misuse such infrastructure for their own purposes. Please click here to read. An excerpt:

Every year brings more Internet censorship and control — not just in countries like China and Iran, but in the United States, the United Kingdom, Canada and other free countries.

The control movement is egged on by both law enforcement, trying to catch terrorists, child pornographers and other criminals, and by media companies, trying to stop file sharers.

It’s bad civic hygiene to build technologies that could someday be used to facilitate a police state. No matter what the eavesdroppers and censors say, these systems put us all at greater risk. Communications systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in.


False sense of security

Photo by public15


http://www.e-signature.com/ provides fonts with embedded logos and signatures. Per se, there is nothing wrong with the service, and it is useful for people who need it.

However, a look at the website throws up the claims below. Under each one is my comment (DW) on the truth behind the statement.

Imagine being able to distribute a signed word processing document to your staff or clients without fear of the logo or signature being copied…

DW: Even if the font is embedded, the logo/signature can still be copied and used in other documents. While it cannot be copied as a font glyph, it can be copied as a bitmap.

No embedding is the option most often selected for signatures as it ensures the highest security – the signature will only appear on computers that have the font installed. If you use signature fonts for signing checks, no embedding is also recommended.

DW: Please don't use this for cheques. It is easier for someone to access your computer and steal the font than you think. The font will be installed on your PC and will remain there; it's not something you can carry on a pen drive and keep under lock and key.

The recipient does not have access to the font to reproduce it in another document nor can they cut-and-paste the on-screen signature or logo.

DW: Again wrong. It cannot be cut-and-pasted as a font glyph, but it can be as a bitmap.

Keep your font proprietary. No one can copy your font because it will reside in an inaccessible cache on the browser. You can display your text the way you want without fear of anyone copying it.

DW: What's an inaccessible cache? No cache is inaccessible; a smart user can always extract your font. Remember: if the browser can download it (and use it to render your content), a user can download it too.

It appears to me that these folks are very much aware that they are making statements that are not 100% true. A false sense of security is worse than no security.
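To show how little an "inaccessible cache" protects, here is an added Python example, not from the original post or from e-signature.com: the browser can only load a web font if the stylesheet names the file, so a user can read that same stylesheet and list every font URL it references, then fetch them with any HTTP client. The CSS and the base URL below are constructed for illustration.

```python
"""List the font files a stylesheet tells the browser to download.

Added example, not from the original post or from e-signature.com.
The stylesheet text and the base URL are constructed for illustration.
"""
import re
from urllib.parse import urljoin

# Constructed stylesheet of the kind a "protected" signature font ships with.
SAMPLE_CSS = """
@font-face {
  font-family: "MySignature";
  src: url("/fonts/signature.eot");
  src: url('/fonts/signature.eot?#iefix') format("embedded-opentype"),
       url(/fonts/signature.woff) format("woff"),
       url("/fonts/signature.ttf") format("truetype");
}
.signature { font-family: "MySignature"; }
"""

# One @font-face block at a time, then every url(...) inside it, quoted or not.
FONT_FACE_RE = re.compile(r"@font-face\s*\{([^}]*)\}", re.S)
URL_RE = re.compile(r"""url\(\s*(['"]?)([^'")]+)\1\s*\)""")


def extract_font_urls(css_text: str, base_url: str) -> list:
    """Return the absolute URLs of every font file referenced by @font-face.

    Relative references are resolved against the stylesheet's own URL, which
    is exactly what the browser does before it downloads the font."""
    urls = []
    for block in FONT_FACE_RE.finditer(css_text):
        for match in URL_RE.finditer(block.group(1)):
            url = urljoin(base_url, match.group(2))
            if url not in urls:
                urls.append(url)
    return urls


if __name__ == "__main__":
    for url in extract_font_urls(SAMPLE_CSS, "https://example.invalid/css/site.css"):
        print(url)
```

Anything this function lists, the browser has already fetched into an ordinary cache directory on the user's disk; there is no step at which the font is unreadable to the person sitting at the machine.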


Scripted thumbnail generation: security perspective

Money gone!
While searching for something on the net, I came across some scripts that generate image thumbnails on the fly.

For example: http://tech.mikelopez.info/2006/03/02/php-image-resize-script/.

While using such scripts we should be aware of the security implications: if the script will fetch and resize any image it is pointed at, your site can easily become a proxy for other people or websites.
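To show what "becoming a proxy" means in code, here is an added Python example, not the PHP script linked above: the vulnerable pattern hands whatever `src` the request supplies straight to the image loader, including remote URLs, so anyone can make your server fetch, resize and serve their images for them; the hardened resolver accepts only a relative path to an image file under one fixed directory, and the size parameter is clamped so the resizer cannot be used to burn your CPU. The directory, the parameter names and the sample inputs are assumptions.

```python
"""Thumbnail script input handling: the open-proxy pattern and a constrained one.

Added example, not the PHP script the post links to. IMAGE_ROOT, the `src`
and size parameters, and the sample inputs are assumptions for illustration.
"""
from pathlib import Path
from urllib.parse import urlsplit

# Only files under this directory may be resized (assumed site layout).
IMAGE_ROOT = Path("/var/www/site/images").resolve()
ALLOWED_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif"}
MAX_DIMENSION = 1024


def vulnerable_open_target(src: str) -> str:
    """What many resize scripts do: pass the parameter straight to the loader.

    With remote fetching enabled, http://attacker.example/big.jpg is fetched
    by *your* server, resized with *your* CPU and served from *your* bandwidth,
    and the same request can reach hosts on your internal network."""
    return src


class RejectedSource(ValueError):
    """Raised when a `src` value must not be opened."""


def resolve_source_hardened(src: str) -> Path:
    """Accept only a relative path to an image file inside IMAGE_ROOT."""
    parts = urlsplit(src)
    if parts.scheme or parts.netloc:
        raise RejectedSource("remote URLs are not allowed")
    if src.startswith(("/", "\\")) or "\x00" in src:
        raise RejectedSource("absolute paths and NUL bytes are not allowed")
    candidate = (IMAGE_ROOT / src).resolve()  # collapses any ../ segments
    if IMAGE_ROOT not in candidate.parents:
        raise RejectedSource("path escapes the image directory")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise RejectedSource("not an allowed image type")
    return candidate


def is_allowed(src: str) -> bool:
    """Convenience wrapper: True if the hardened resolver would open `src`."""
    try:
        resolve_source_hardened(src)
        return True
    except RejectedSource:
        return False


def clamp_dimension(value, default: int = 200) -> int:
    """Requested width/height must be a small positive integer; a 20000px
    thumbnail costs the server memory and CPU for anyone who asks for it."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        return default
    return max(1, min(n, MAX_DIMENSION))


if __name__ == "__main__":
    # Constructed requests: one legitimate, the rest abusive.
    for src in ["photos/cat.jpg", "http://attacker.example/huge.jpg",
                "../../../../etc/passwd", "index.php"]:
        print(f"{src!r}: vulnerable opens {vulnerable_open_target(src)!r}, "
              f"hardened allows {is_allowed(src)}")
    print("width 99999 ->", clamp_dimension("99999"))
```

Even with the resolver in place, cache the generated thumbnails and rate-limit the endpoint; otherwise every request still costs a decode and a resize, and a hotlinked `<img>` on a busy site will do that work for free on your server.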


Remembering your passwords

Remembering passwords

In today's online world we have to remember a lot of passwords. Security advice is that they must all be different (so that if one account is compromised we don't lose the security of all the others), and that they be changed every now and then.

It is sometimes difficult to cope with such requirements without writing the passwords down, and if you do write them down, what happens if you lose your notebook?

The answer to such problems is a piece of software called 'Password Safe', developed under the watchful eye of a well-known security expert, Bruce Schneier. It keeps all your passwords encrypted under one master password, so you only need to remember one password from now on. You can keep the software on a USB pen-drive (it is even platform independent, so you can run it on both Windows and Linux) and take it with you. No harm if you lose the pen-drive: without the master password no one can retrieve your passwords, so choose a strong one.

Note that there are a lot of different software applications with the same name, and not all of them may be equally secure. Please download only from http://passwordsafe.sourceforge.net/.

Note: this is not professional advice; use at your own risk.
