Archive

Posts Tagged ‘security’

Keybase Brings Free Security to Novice Users

02-Sep-17 11:59 pm EST
PGP encryption is not new; quite the opposite.  But it has always had one big advantage over its leading competitor, S/MIME.  S/MIME encrypts email using certificates vouched for by a third-party certificate authority, whereas PGP relies on a private/public key pair that the user generates themselves.  S/MIME gained commercial vendor support relatively early and was easier to use than the open-source-supported PGP, whose relatively primitive tools required some degree of technical competency to master.  The price of that convenience was that anyone wanting to encrypt email easily had to invest in third-party certificates that could cost hundreds or even thousands of dollars before the feature was available.

Thanks to Edward Snowden, we’re all now pretty well acquainted with the notion that we’ve lost privacy and will likely never get it back.  But even so, that doesn’t mean the government (or God-knows-who nowadays) ought to have carte blanche to read chats and emails, or to become privy to what you’re downloading via BitTorrent or what cash you’re exchanging with parties online.  (At least not until tax time.)  And a tool that works on all platforms big and small, like Keybase, is now available to assist with all of the above!

To begin, it’s best to start on a Mac or Windows environment, somewhere the configuration utility can operate.  The system does a pretty decent job of talking one through the process of setting up one’s first PGP (security) keys and getting the app installed.  However, one improvement for the future might be getting this utility (also called a “CLI” or “command-line interface”) to work within a web browser so one can perform the entire process using a hand-held device.  Once the software is installed, one finds an icon in the system tray (on Windows) which presents the list of users and some very heavily shaded icons that are used to access other parts of the Keybase app.  The CLI also has its own icon deployed to the Windows ‘Start’ menu, and this is where you can quickly access many of the features associated with setup.  In my case, I already had PGP keys, and so using the CLI was a necessary part of the setup.  Regardless, to get acquainted with the CLI and how it works with setup, I’d begin by loading up a copy of the “new user” docs in a web browser.  Then in the CLI utility, run two commands:

First, run “keybase help” to see what commands are instantly available to you as a new, unregistered user (there are a few), and

Second, run “keybase signup”.

Finally, I’d quickly read through the “basic docs” you have open in your browser and drill down into any areas where you have questions.  Still more questions about Keybase and maybe PGP?  I strongly advise you get a Reddit account if you’ve not already got one and access the group called r/Keybase.  You’ll find this well-trafficked!

Although the Keybase app (accessed from the system tray) links to several choice apps, PGP itself is extremely versatile: plug-ins exist for Microsoft Outlook 2016 (and earlier), and it is used with numerous other applications.

If there is a down-side to the app, it is the concern that, since a Keybase account can be used with several keys, someone could associate two keys (which typically means two email addresses become known) and thereby build an identity profile of a Keybase user.  This is a security concern, although an obvious workaround would be to register PGP keys to separate Keybase accounts and thereby never expose oneself.  Keybase itself claims it never advertises personal details, but if one connects to another user (say, for secure chat) and exchanges public keys, the potential exists for that third party to disclose your email at their discretion.  (This itself isn’t a security flaw, but it is something to be mindful of when exchanging data securely, regardless of the means used.)
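The linkage concern above is easy to make concrete.  The following is an added Python example, not Keybase’s code and not from the original post: it models accounts that each publish one or more PGP public keys, parses the keys’ user IDs (the conventional “Name (comment) <email>” form) and reports which email addresses an observer can tie to a single account, and which accounts can be tied to each other because they reuse a key fingerprint or an address.  The account names, fingerprints and addresses are constructed sample data, and nothing here contacts Keybase.

```python
"""Added example (not Keybase's code or the post's): model the key-linkage
concern.  Each account publishes PGP public keys; each key carries user IDs in
the conventional 'Name (comment) <email>' form.  All data here is constructed
and nothing contacts Keybase."""
import re
from collections import defaultdict

# Conventional PGP user ID layout: real name, optional (comment), <address>
UID_RE = re.compile(
    r"^(?P<name>[^(<]*?)\s*(?:\((?P<comment>[^)]*)\))?\s*<(?P<email>[^>]+)>\s*$"
)


def parse_uid(uid):
    """Split a PGP user ID into name, comment and a normalised email address."""
    m = UID_RE.match(uid)
    if not m:
        raise ValueError(f"unrecognised user ID: {uid!r}")
    return {
        "name": m.group("name").strip(),
        "comment": m.group("comment"),
        "email": m.group("email").strip().lower(),
    }


# Constructed sample: account name -> list of (key fingerprint, [user IDs]).
# Fingerprints are placeholders, not real keys.
SAMPLE_ACCOUNTS = {
    "alice": [
        ("FPR-PLACEHOLDER-0001", ["Alice Example <alice@example.com>"]),
        ("FPR-PLACEHOLDER-0002", ["A. Example (work) <a.example@corp.example>"]),
    ],
    "bob": [("FPR-PLACEHOLDER-0003", ["Bob <bob@example.net>"])],
    "bob-work": [("FPR-PLACEHOLDER-0004", ["Bob (work) <bob@corp.example>"])],
    "carol": [("FPR-PLACEHOLDER-0005", ["Carol <carol@example.org>"])],
    "carol-alt": [("FPR-PLACEHOLDER-0006", ["C. (alt) <carol@example.org>"])],
}


def linkable_emails(accounts):
    """Addresses an observer can tie together per account, just from its keys."""
    return {
        acct: {parse_uid(uid)["email"] for _, uids in keys for uid in uids}
        for acct, keys in accounts.items()
    }


def _find(parent, x):
    # Union-find root lookup with path halving
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def linkable_accounts(accounts):
    """Group accounts that share a fingerprint or an email across their keys.

    Returns a sorted list of sorted groups; a group of size > 1 means the
    'separate accounts' workaround has been undone by a shared identifier."""
    parent = {acct: acct for acct in accounts}
    first_seen = {}  # identifier -> first account that published it
    for acct, keys in accounts.items():
        for fingerprint, uids in keys:
            idents = [("fpr", fingerprint)]
            idents += [("email", parse_uid(u)["email"]) for u in uids]
            for ident in idents:
                if ident in first_seen:
                    parent[_find(parent, first_seen[ident])] = _find(parent, acct)
                else:
                    first_seen[ident] = acct
    groups = defaultdict(set)
    for acct in accounts:
        groups[_find(parent, acct)].add(acct)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for acct, emails in linkable_emails(SAMPLE_ACCOUNTS).items():
        print(f"{acct}: {sorted(emails)}")
    print("linked account groups:", linkable_accounts(SAMPLE_ACCOUNTS))
```

Run as a script, it shows that “alice” exposes both of her addresses through one account, that “bob” and “bob-work” stay separate, and that “carol” and “carol-alt” collapse into one group because the same address appears on both keys.  The workaround the post describes, one account per key, only holds while none of the identifiers on those keys overlap.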


Police Requests for New Internet Powers Could Cost You Big

19-Nov-16 07:29 pm EST

Canada’s CBC (a leading media and news organization in the country) promoted a story this past week concerning a very public request from police to senior politicians for greater investigative powers.  This was followed by a poll that showed a degree of support for the police requests, seemingly predicated on a desire to curb child pornography among other crimes.  While civil libertarians and technology professionals raised the alarm on hearing this request, only limited consideration was given to the cost of granting powers of this sort to police, tied largely to the cost of potentially onerous data warehousing by ISPs.  (As a footnote here, I want to cite the case of the UK which, this past week, saw Parliament enact legislation that would be largely in line with the kinds of legislative change the RCMP would like to see enacted here in Canada.)

“Two parliamentary committees examined this issue.  Then there was the unanimous Supreme Court [of Canada] decision.  What part of ‘unconstitutional’ doesn’t [RCMP] Commissioner Paulson understand?”

Michael Harris, iPolitics.ca, November 25, 2016

Privacy and Internet Commerce

Canadians (and people generally) can still be very reluctant to share their personal information online.  A recent website delivered by The AppRefactory, the Edgewater Tenants’ Community Website, has been off to something of a slow start, with the administration fielding questions about why an end-user’s address is needed as part of the signup process.  This is done with the awareness and limited support of the property management company that acts as the landlord; that company already holds every tenant’s address, yet the same information is not so readily volunteered when it takes digital form.  In this case the information is used simply to verify that a signup request comes from a tenant rather than some random user from the Internet, in order to ensure that any information a tenant elects to access or share on the site stays within the tenant community.  As such it is a measure intended to protect tenant privacy, but there can still be reluctance about sharing it.

This is just an example of how users have adapted over the years to safeguard their privacy.  Yet now the police want Internet Service Providers (ISPs) to take measures that circumvent privacy to such a degree that users will never again know exactly who has access to their information.  (We saw in another article posted this past week how police could access computer records without appropriate authorization or authority.)  And should police officers once again demonstrate how human they can be and make a mistake, suddenly the information they’ve been entrusted with is available to parties unknown.

Such cases, once known to the public (as they will tend to be, thanks to our free press), could easily put end-users further on the defensive about their information.  And, despite poll results suggesting some support for increased police powers, there remains the likelihood that the average person in Canada (who, historically, tends to trust police authority) hasn’t thought the issue through very thoroughly, and certainly not technically.  Whatever Canadians decide about the powers police should have online, the regime they will be confronted with could easily be one in which business is less able to thrive and finds it harder to operate, because it would be less able to solicit end-user consent and confidence meaningfully.

And they wouldn’t know it until it really was too late.

New Powers Add Onerous Burdens on All Business (Not Just ISPs)

The legislation in the UK does not single out ISPs, nor does it grant them any special legal distinction apart from providers of Internet-facing services generally.  As such it would seem to stand as a matter of law that anyone providing Internet-facing services could be compelled to maintain logs of end-user activity.  From a technical perspective, the law wouldn’t be all that meaningful if it couldn’t extend, for example, to providers of Virtual Private Network (VPN) services, which are frequently used both to secure corporate communications online and to anonymize network access to BitTorrent media sharing sites or “Deep Web” network traffic.

So the law must apply to businesses using the Internet equally (or at least be seen to apply as such).  And how will the small business be impacted when it is suddenly required to maintain a database documenting (as the RCMP want) up to two years of end-user activity?  One approach is to use Microsoft Azure’s service calculator for a service that uses a very modest 5GB of data monthly to track data transfer activity, numbering just 10,000 transactions.  Without any service connections, charging just for the storage of table-based data, we get an added cost of $409.00 per month, including a $364.00 Standard Support feature, on local redundancy only.  (Nothing could immediately be found on legislative requirements for backing up this data, but a vendor support feature seemed logical to imagine in this scenario.)  That’s a not-so-inconsiderable $4,900 per year and is getting pricey for the average small business.

Now if you run a big business, things get interesting: scaled up to 5TB of data and 1 million transactions, the costs at the same level of support (with local redundancy only) balloon out to $5,223.68 per month or a whopping $62,684.16 per year.

These costs are certainly something to consider when it comes to determining who is paying for all this extra monitoring.  One thing is clear, it won’t be coming out of the RCMP’s budget!

And although these are the costs according to one vendor, it is an industry leader in a space oft-credited with reducing the costs associated with maintaining large warehouses of data (a main selling point of “the cloud” movement).  One shudders to think how much more onerous these costs could become if one were required by law to maintain hardware and software of one’s own, in a facility solely under one’s own control.

Final Analysis: Restrain Police Powers Online

With passage of the UK legislation this past week, the Government of Canada may be best advised to stay the course for now and weigh its options again at a later date if it chooses.  While I suspect that both Brexit and their new police powers law (called the “Investigatory Powers Bill”) will lead the UK (and England in particular) into a self-made socio-economic crisis, there remains the question of what exactly the impact of these measures will be.  The opportunity here isn’t to regulate early and hopefully stop child sexual abuse (a cause I’m very sympathetic to and have even had occasion to assist police with).  Rather, it’s to learn whether these measures will simply drive it further underground or make a meaningful difference (as opposed to being an issue cited simply as a political red herring to grant powers that will be used for other purposes); to discover whether the economic impact is too burdensome; and to learn comprehensively whether there will be the promised ‘greater good’ worthy of the limits a free and democratic society, a just society, places on itself and its citizens.
