Candidate Obama debates President Obama on liberty vs security

Computer security for the lazy

I’ve been writing a guide to all things computer security and privacy. Given the news recently, I might as well promote it. I’m not an expert and the guide hasn’t been reviewed by anyone else to make sure I’m not giving you bad advice, but it’s at least worth a read to start understanding some of the issues.

Here’s the full guide, just the intro is pasted below. Please give me criticism and contributions on the github page.

Computer security for the lazy

This is a draft still being written, so you might want to wait until it’s completed and reviewed by a third party to make sure I’m not giving any bad advice. It’s a guide for the lazy. If you are living under an opressive government (like Syria or Iran), or if you are a whistleblower, activist, or a journalist wanting to protect your sources, you can’t afford to be slack.

For the rest of us lazy bastards, here’s the shit you need to worry about (in order of importance):

• losing your files
• losing your accounts
• losing your privacy

Losing your files

All your photos of family and friends. All your financial records. All your university homework. All that porn you’ve been stashing. The biggest computer security threat you’ll ever have to worry about is losing them. Every hard drive is a ticking time bomb, just waiting to fail. You could accidentally leave your laptop in the back of a taxi and never see it again. Recently there has been a spate of attacks where criminals will gain remote access to your computer, encrypt everything on it, and then demand ransom payment to decrypt it. However it happens the results are the same – you’ve lost your shit.

Thankfully preventing these problems is easy; I’ll show you how to back your shit up.

Losing your accounts

Your email. Your internet banking. Your Facebook, Twitter and World of Warcraft character. These are all “accounts” and you can lose them. If you choose a shitty password someone can just guess or “brute force” it. If you’re tricked into installing malicious software it can log every keystroke you press, recording your passwords. If you are directed to a spoofed version of a trusted website and you try to log in, you’ve just given the bad guys your password. If you use the same password everywhere you’re truly fucked.

Unfortunately there isn’t a single easy solution to these threats. Having a well calibrated “bullshit” detector is essential. Using a password manager and keeping your computer up to date with security patches will also help. Don’t get hacked, keep reading and I’ll show you how.

Losing your privacy

Take any private photos of you and your partner? Do you write a pseudonymous blog like “Belle de Jour” or at the other end of the sexual activity spectrum, “Nice Jewish Girl”? Don’t want someone going through the soppy love poems emailed to your partner? Want to complain about work to a friend over chat / IM without getting fired?

Remember that laptop you left in the back of a taxi? Someone could go through all the files on it. Browsing on an insecure wifi network could give you away to anyone within range. Depending on which country you live in, your ISP could be obliged to log your browsing history, where criminals will undoubtedly hack in and get access to it at some point.

The threat to privacy is a bit more esoteric than losing your files or accounts, because it isn’t obvious when it happens. When you lose your hard drive, you know about it. When someone steals money out of your bank account, you know about it. When Facebook gathers information about the websites you visit and sells it to other companies, you’re left in the dark.

To stop this, I’m going to teach you how to keep that shit private.

Newspaper ownership in Australia

Today I spent some time hacking together an ownership graph of Australian newspapers. Spoiler: it’s all owned by News Limited and Fairfax, but click on the pretty picture below and you can see exactly how stuffed it is in an ugly interactive physics based format where you can click and drag stuff around.

Arrows indicate ownership of course, with X–>Y meaning that X owns Y. You can see the code if you want. I might make it less ugly in the future but for now, it is what it is.

Incremental backups using rsync with bonus backup to amazon glacier storage

I’ve been using Crashplan for backups for 3 years and highly recommend their service. If you want set and forget backups of your important stuff, go for it. But for a few reasons I’ve switched to running my own incremental backup system, namely:

• The cheap 3 year deal I signed up with ran out, so to continue I’d have to pay $9 a month.
• Crashplan doesn’t work very well with encrypted home directories in linux (ecryptfs) being unmounted at boot time, and deletes your home directory from the backup.
• To get around this you generally set Crashplan to backup /home/.ecryptfs instead of /home/user, but in the process you miss out on Crashplan’s ability to restore arbitrary files (you have to restore entire backup to pull out one file).
• Crashplan’s attempts to compress and encrypt data that is already encrypted wastes cpu time and makes it take longer.
• Storage on amazon glacier is cheap as chips – 1 cent per GB per month

For these reasons I set about finding a new backup system and stumbled on Rubel’s snapshot method. It works a treat but wasn’t easily configurable or installable, and doesn’t backup to amazon glacier, so I set about tinkering with it. I’ve released the end result of this tinkering as lincremental. Lincremental does incremental backups that you can access anytime, and if you are using ecryptfs like me, just do an ecryptfs-recover-private when you want to pull out a file from backup. As a bonus it also has a script to upload the latest daily backup to amazon glacier once every 28 days (configurable). I had planned on making incremental rather than wholesale backups to glacier but ran out of time to devote to the project.

It seems to be working fine and dandy for me, but it needs a lot more testing. Don’t blame me if you lose all your stuff. Use at your own risk and check the issues on github.

How to use tor

In my last post I told you how data retention will affect you, and hinted at what you can do to bypass it. You can bypass it by using tor, watch the video to learn how.

Data retention and you

That’s right peeps, it’s video blog time.

Relevant links:

• The tor project
• Someone else’s guide to downloading and running tor (until I get mine recorded)
• My guide to downloading and running tor
• Learn more about securing your privacy at a cryptoparty

Metadata retention

Without the content of a message, you’re privacy can’t be breached, can it? What the hell is metadata anyway? Thankfully the Attorney General has posted a clarifying letter which makes it quite clear they will be pursuing the EU model (which has already been declared unconstitutional in Germany, Romania and the Czech Republic).

The metadata applies to:

landline, mobile telephony, internet access, internet email and internet telephony.

And the metadata contains:

• the source of a communication
• the destination of a communication
• the date, time and duration of a communication
• the type of a communication
• the users’ communication equipment or what purports to be their equipment
• the location of mobile communication equipment

Let’s break this down. Millions of Australians have smart phones which are constantly using the internet to check for new email, download updates, synchronize calenders etc. Every time this happens, their location (presumably which mobile phone towers they are connected to) will be monitored and stored.

If this model is followed, the minute to minute movements of millions of Australians for two years will be monitored and stored. If that isn’t a gross invasion of privacy, I don’t know what is.

Edit: Rodney posted the video below which tells the story better than I ever could.