How are public restrooms and public computers alike?

There is an article in Slate that suggests that we should treat public computers like we treat public restrooms – very cautiously.

I had never made that analogy before, but I do like it.

Both public restrooms and public computers may harbor germs and viruses.  Both may have been frequented in the recent past by people of dubious character and you don’t know what you might catch if you visit either one of them.

The article talks about hackers installing key logging software on hotel business center computers, thereby grabbing every keystroke you type – including userids and passwords, of course.  The article is based on a US Secret Service advisory from early July 2014, so I am guessing that the Secret Service found some infected computers.  Obviously, this type of attack is not limited to hotels – schools, libraries and any other place where shared computers are available are susceptible to this kind of attack.

I know that on those rare occasions that I use public computers, I sort of touch them gingerly and would never use them for anything important – like online banking or paying bills for example.

The article says, and I would agree with it, that it is not hard to install such software on most business center computers, although it is also fairly easy to make it more difficult to do.  (It is impossible to make something bullet PROOF.  On the other hand, bullet RESISTANT is definitely possible).  In the old days, you just stuck a wedge on the parallel port and came back later to retrieve it.  Now all you do is log on to your internet connection and harvest the data.

Unfortunately, there is not the equivalent of the sheet of tissue paper to put down before you use the public computer, so beware.


Benefits of the cloud

ITWorld reported yesterday that a New York judge granted a warrant on June 11th that allowed the police to seize an entire Gmail account, including the address book and drafts, and sift through that to find what they were looking for.

While this is nowhere near as bad as the NSA hoovering entire fiber optic pipes into their data centers, it does point to a lack of privacy.

Let’s say you were discussing things you wanted to be private, but were not illegal.  Maybe they were embarrassing or personal (view my post from yesterday on the NSA).  Or maybe they should be part of your freedom of speech.

Should you choose to store that stuff in the cloud, then I would say you should consider your privacy options limited.  One option would be to store it in the cloud, but encrypt it first.  This limits your ability to view it in the cloud, of course, but it does make it difficult for the feds to trample on your roses, so to speak.  Is it possible that they could decrypt it – sure – but that would be a lot of work.  A few courts have even said that you have to turn over your encryption keys, although none of those decisions have ever made it to the Supremes, so it is not clear if that would be upheld on appeal.  I don’t think the feds are keen to have that precedent established at the Supreme Court level, because if that decision goes against them, that would be a big problem.  Now they can try and strong-arm people into giving up their encryption keys.

Maybe you don’t care if the feds get the pictures of your dogs – I don’t – but there are many things that I do care about.  Those I don’t store in the cloud unencrypted.

Just a word of advice.


iOS devices safe – well sort of

It was reported yesterday that there are undocumented services in iOS that allow someone to bypass all of Apple’s security and encryption features.  The researcher did not say that either Apple or the NSA were using these features, but….

The researcher, Jonathan Zdziarski, reported his findings at the HOPE/X conference in New York.  According to Zdziarski, the data collected is of a personal nature and the hooks to do this are not documented in any Apple documentation.

Apparently, once a device has been booted in iOS 7, the data can be accessed, even if the device is locked.

The researcher claims that several forensic software firms, such as Cellebrite and Elcomsoft, either have discovered these features or were informed about them and may be using them to suck data out of your device.

Now here is the really interesting question —

Is Apple the only vendor that has this form of back door – whether it be accidental or on purpose?

I, for one, am not going to say that Apple is in bed with the Feds, but it will be interesting to hear what their response to this is.  No response, in my opinion, is tantamount to admitting they did this on purpose.  If they say “trust us”, DO NOT.


The NSA likes your sexually explicit content

Both the New York Times and USA Today reported on an interview with former NSA employee Edward Snowden that appeared in the Guardian.

In the interview, Snowden says that NSA analysts do exactly what you would expect twenty-something single guys to do when they come across sexually explicit pictures as part of looking for terrorists.  They share it with other analysts, who share it again.

Snowden says – and this does not particularly conflict with anything the brass has said – that most of what is being collected is not the communications of ‘targets’ – their code word for potential terrorists – but rather the communications of your neighbors, including intimate communications of consenting adults.

Assume that during the course of their normal search activities they come across a nude photograph of a cute young thing in a sexually compromising position.   Purely coincidental to what they are searching for.  Assume that she is not holding a block of C4 or Semtex (military grade explosives) while in this compromising situation.

What SHOULD happen is the analyst should go about his business looking for people trying to harm the United States.  What DOES happen is that he shows it to the guy in the next cube.  Then they share it with Bill and Bill shares it with Sam.  You get the idea.

Does this happen every time?   Highly unlikely.  Does it happen sometimes?  Highly likely.  Is there anything you can do about it?  Probably not directly, but get involved in the political process.  Ask your politicians what their position is on government snooping.  Vote.  Speak out.  It will not change things overnight, but if we don’t participate, it likely will get worse.

Of course the person in the photo has no clue that she has become a virtual pinup girl inside the NSA.  In fact, she has no way of knowing that the photo or sext has found its way into an NSA database.

They call it a fringe benefit of working at the NSA.

I suspect that some in the NSA will deny this is happening.

Remember that this is the same agency that allowed a 29-year-old contractor to walk out the door with almost 2 million documents and was not aware of that until he told them, so I would not particularly believe that they know the answer to your question.

Think about that before you send that next intimate text or email.  Someone may be watching you.  And sharing it.

