Category Archives: Privacy

Ad-blocking is essential for your privacy and security on the web.

Ad-blocking software has been in the news quite a bit recently due to its increasing popularity.

Guillermo Beltrà spends a lot of time surfing the web.

Yet like many avid Internet users, Mr. Beltrà hates the annoying pop-up advertisements that litter many websites. “It’s just very cumbersome,” he said.

So like a growing number of people, Mr. Beltrà, a Spaniard who works for a consumer protection organization in Brussels, decided to block them by downloading software for his desktop browser that removed any online advertising from his daily Internet activity.

While he acknowledged that advertising was often the primary source of income for many websites, Mr. Beltrà said he remained wary of how much data companies were collecting on his online activities. Mark Scott, New York Times, Blog

I have long advocated the blocking of advertising networks because, while many users find advertisements “annoying”, there is a far more sinister side to advertising that marketers would rather you didn’t know about.

Unknown to many users is the fact that many advertising networks embed spyware that is designed to track you across the Internet on every website you visit. They do this by embedding trackers into the advertisement, which your browser then loads whenever you visit Website X using Advertising Network Z. When you later visit Website Y, which just happens to use Advertising Network Z as well, the same tracker is loaded again, and you are instantly identified as the person who visited Website X earlier.
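As an added illustration (not part of the original post), here is a small Python model of the mechanism described above: two first-party sites embed the same ad network host, the ad network sets an ID cookie and logs every page it is loaded from, and a single AdBlock Plus-style ||domain^ rule stops the request before the profile can be built. The site and ad network names and the filter rule are invented for the example.

```python
import secrets
from urllib.parse import urlparse

# Constructed sample data: two first-party sites that both embed the same
# (invented) ad network host, plus one filter rule in AdBlock Plus's ||host^ syntax.
AD_NETWORK = "ads.network-z.example"
PAGES = {
    "https://site-x.example/news": [f"https://{AD_NETWORK}/banner.js"],
    "https://site-y.example/sport": [f"https://{AD_NETWORK}/banner.js"],
}
FILTER_RULES = ["||network-z.example^"]


class TrackerServer:
    """The ad network's host: hands out an ID cookie and logs every referring page."""

    def __init__(self):
        self.profiles = {}  # tracking id -> first-party hosts this browser was seen on

    def serve(self, cookie_jar, referer):
        # A fresh id is assigned on first contact; later visits reuse the cookie.
        uid = cookie_jar.setdefault("uid", secrets.token_hex(8))
        self.profiles.setdefault(uid, []).append(urlparse(referer).netloc)


def rule_matches(rule, host):
    """Minimal ||domain^ matcher: the domain itself or any subdomain of it."""
    if not (rule.startswith("||") and rule.endswith("^")):
        return False
    domain = rule[2:-1]
    return host == domain or host.endswith("." + domain)


class Browser:
    """Keeps one cookie jar per third-party host and optionally applies filter rules."""

    def __init__(self, rules=()):
        self.rules = list(rules)
        self.jars = {}      # third-party host -> its cookies
        self.blocked = []   # third-party URLs the filter rules refused to load

    def visit(self, page, servers):
        for url in PAGES[page]:
            host = urlparse(url).netloc
            if any(rule_matches(r, host) for r in self.rules):
                self.blocked.append(url)  # request never leaves the browser
                continue
            servers[host].serve(self.jars.setdefault(host, {}), referer=page)


def browse_all(rules=()):
    """Visit every page with one browser; return (tracker profiles, blocked URLs)."""
    tracker = TrackerServer()
    browser = Browser(rules)
    for page in PAGES:
        browser.visit(page, {AD_NETWORK: tracker})
    return tracker.profiles, browser.blocked


if __name__ == "__main__":
    print("without filter rules:", browse_all())
    print("with filter rules:   ", browse_all(FILTER_RULES))
```

Without the rule the ad network ends up with one ID linked to both sites; with it, no request reaches the ad network and the profile is never created.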

But the thing that surprises most people is just how many trackers an otherwise innocent website may harbour. Let’s take a quick sample; I am using the browser extension Ghostery to show detected trackers in the purple box at the bottom right.

So CNN has 18 trackers and The Daily Telegraph has 26 trackers set up to betray their readers’ privacy, and these are only the trackers that Ghostery is able to detect.

Let’s check the last site again with both trackers and advertisements blocked:

Now we can see that AdBlock Plus has removed 23 of the 26 trackers and all of the advertisements. Ghostery has detected and blocked the three remaining trackers.

These are only two websites on the Internet that I have chosen to demo for no particular reason. There is nothing abnormal about the behaviour of these sites; it is now common practice for website operators to install malware (spyware) into websites for commercial gain, because there is a lot of money to be made in violating your privacy.

It wasn’t always like this. Advertising didn’t use to involve malicious action towards the end user. Although advertisements have always been annoying, it is only over the course of the past decade that they have become a specific threat that users need to block by default.

Fortunately there is a way to block most of these trackers. I highly recommend that everybody install AdBlock Plus and Ghostery in their browser. Both programs are free and both will block trackers. Ghostery in particular will give you an alarming insight into just how many trackers are being used to invade your privacy. I have been using both programs for years and would not consider browsing the Internet without either of them.

Opposition to Password Managers is Opposition to Security.

These days password managers are becoming popular security tools for end users to manage their passwords. The most popular solutions available to consumers are LastPass, Dashlane, KeePass, 1Password and RoboForm. These applications enable their users to create unique, strong passwords for all their online accounts and store them in an encrypted database to keep them safe.

I personally have more than 3,200 credentials stored in multiple encrypted databases. The databases I manage include everything from electronic copies of my passports, access for this blog, DNS servers, email accounts, service providers, application credentials, domain registrars, encryption/decryption keys, private X.509 keys, remote access to alarm and CCTV systems and more.

I have worked in IT since 2003. Even with only part-time contract work, the number of credentials that I have needed to store is phenomenal, and if I didn’t clean out the database it could be significantly larger than it currently is.

Password managers have become an essential way of life for me. There simply is no alternative when you need to manage so many systems and services, and those credentials need to be kept secure. Of the 3,200+ credentials in storage, at least 200-300 of them are for personal use, such as Facebook, YouTube, eBay and anything else I’ve created an account for over 10+ years.

Password management software is perhaps our best hope for getting users out of the habit of picking weak passwords or reusing the same passwords on multiple services. So it is frustrating to discover that in 2015 some companies are deliberately preventing their users from using password managers.

As if educating users not to write passwords down or reuse passwords in multiple places were not already enough of a challenge. The fact that British Gas has gone out of its way to prevent its customers from using a password manager to keep unique passwords safe really shows how out of touch with the modern world they are. Perhaps British Gas would prefer their users to resort to Post-It notes on the monitor?

De-anonymised Luke O'Hehir of Elegant Logic loses the plot.

For some time now an Internet troll by the name of Luke E Lawless has been hassling skeptical blogger Peter Tierney, aka Reasonable Hank, winner of last year’s Skeptic Of The Year Award.

Message sent to Peter; from Luke.

Like much of the harassment that members of this community face, it was done behind the veil of anonymity, as Luke E Lawless is clearly a fake name. This is also confirmed by the fact that this individual’s identity has since been revealed, due to a comment he made on Peter’s blog.

Normally an IP address alone is not enough to identify an individual, and most people have nothing to be concerned about. However, the anonymous Luke E Lawless certainly wasn’t happy and immediately accused Peter of promoting criminal activity.

So concerned was Luke E Lawless that he found a question on Stack Exchange about IP Addresses and posted it to his Facebook wall in order to reassure himself that everything would be alright.

Actually, when a person engages in a campaign of harassment, getting their IP address is often the first stage in identifying the culprit. People like Luke O’Hehir, owner of Elegant Logic in Melbourne, who believe they can engage in abusive behaviour behind the veil of anonymity will always slip up eventually and allow us to build their profile.

Luke O’Hehir was de-anonymised using more traditional investigative methods, but a court order against his Internet Service Provider would also have worked to identify him via his IP address. It wasn’t used this time, but yes, once we have your IP address we can potentially identify you with it.

Since being identified Luke O’Hehir has been posting even more batshit crazy things to Peter. Here’s a classic.

This is the old “I have a lawyer and you better believe it” tactic. It’s a beyond pathetic attempt to curb criticism. I have yet to meet a lawyer who uses Facebook to communicate with clients. Luke O’Hehir is simply upset that he was caught.

Equally funny (and pathetic) is the “I have a cop” tactic.

Keep going, Luke O’Hehir. As someone who presents himself as an IT professional, you seem to have a poor understanding of both the Internet and the law. I look forward to the headline “De-anonymised Internet Troll sues harassment victim for whambulance fees.”

Dawson Drama Queen vs Trolls.

Charlotte Dawson has been in the news recently for being trolled on the Internet. That’s right: just for being trolled, this drama queen has generated headlines across Australia for her alleged victimisation at the hands of some anonymous Twitter users.

While I don’t agree with the actions of the trolls I also find it hard to have too much sympathy for Ms Dawson because she went troll feeding.

There is an old saying that goes back at least as far as the 1980s: “Don’t feed the trolls.”

On the Internet a “troll” is a person who attempts to incite an emotional response from others, either by posting offensive material or by performing an action that causes inconvenience and frustration to other users of the medium in use. The best way to deal with trolls is by NOT giving them exactly what they want, so that they get bored and leave. As someone who has been dealing with Internet trolls since the 90s, I can confirm that this is a tried and proven method for dealing with the issue.

However, Charlotte Dawson decided to engage with the trolls instead. That was her first mistake; she has also been retweeting some of the trolls’ messages to her followers. Honestly, what sort of moron thinks it’s a good idea to help spread the trolls’ message as far and wide as you can? These trolls are anonymous; as a result ALL publicity is good publicity.

Of course, now the politicians are wetting themselves in excitement, as they have been given a new excuse to remove free speech and privacy from the public Internet.

HATE-filled Twitter trolls who anonymously taunt, threaten or urge their victims to take their own lives are on notice from today.

Today we launch a campaign to stand up to the faceless bullies and to urge Twitter to unmask them and turn them in to authorities so they can be prosecuted.

Kevin Rudd has 1.2 million followers – more than any other federal MP – and he last night committed to the campaign from China with the declaration: “The time has come for us to build a bridge over the trolls.”

Attorney-General Nicola Roxon is also behind the campaign: “Cyber bullying is reprehensible and has no place in our society.

“What we need is strong co-operation from governments, law enforcement and the community. But we also need the assistance of US-based social networks.” News.com.au

It quickly gets to the point where the persecuted becomes the persecutor. This is where the #StopTheTrolls campaign comes in. The aim is to bully Twitter into disclosing user details so the Australian Government can punish people for what they said online. That’s right; you can be punished for saying something that upsets people.

People, not just trolls, often choose to be anonymous on the Internet either because they don’t believe what they say strongly enough to put their name to it, or because they face serious consequences for speaking out, be it government persecution or litigation.

By removing anonymity and punishing trolls, all that will happen is that the trolls move to more secure forms of anonymity, and people with a “legitimate” need for anonymity might not have that option available. Of course, what is or is not a “legitimate” use of anonymity is purely subjective.

Terms like ‘hate speech’ are thrown about far too easily in today’s society. But classifying what is and isn’t ‘hate speech’ is a value judgement. I have had people accuse me of ‘hate speech’ simply for disagreeing with them. So the idea that the government could or should punish people for something based on the opinion of another should be a concern to all Australians, not just trolls.

I deal with ‘trolls’ a fair bit. What I post online tends to attract them, and it’s the reason user comments below need to be approved by a moderator before they appear. Yet I still stand by what I’ve been saying for the last 14 years: don’t feed the trolls, don’t give them the recognition and attention they crave, and they will get bored and leave.

Also don’t do a massive Dawson Drama Queen. That only empowers them.

Google owes you nothing; get over it.

Pseudonyms on Social Networks

Today it seems that bitching about Google is a fashionable trend. Last year we had the so-called ‘Nym Wars’, where people complained about having to use their real name instead of a pseudonym on Google Plus, a new social networking site operated by Google.

Given that Google Plus is a social networking site, the idea of being anonymous there is an oxymoron, because a name does not equal an identity. Names alone mean nothing; it is the information attached to that name that makes up the identity. A pseudonym offers no privacy in the context of a social network, because if you’re going to maintain a friends list and communicate with people on that list in a forum that allows others to observe your discussion, then you are very quickly building a profile of yourself for the world to see. Combine that profile with photographs and information shared by your friends, and suddenly any privacy you thought your pseudonym offered is gone; and it’s not coming back.

Keeping your eggs in one basket.

When Google began to suspend users for non-compliance with its real names policy, some users found themselves locked out of not only Google Plus but also Gmail, Calendar etc., because Google links accounts across its multiple services. Therefore if you get banned from one service, you get banned from all services. I don’t know if Google has a means in place to terminate only individual services linked to an account rather than ban the whole account, but I hope users would learn a lesson from this.

It’s never a good idea to put all, or even a significant amount, of your data into any one company. I know plenty of people who use Google services for everything: documents, email, calendar, address book. It’s insane how much data people are trusting to Google. Not because Google are bad (they aren’t) but because Google is a single entity. If you find yourself cut off for any reason then you’re screwed, especially if you use a Gmail address, in which case you lose your email address as well. (This is why I use my own domains.)

You can opt-out.

Google has just announced that it will begin sharing user data amongst the multiple services that it offers.

Google announced on Monday that it would be enacting a new privacy policy that, when customers agree to it, will allow the company to collect and store information across all of its services. Not only that, but Google will share information gathered across those services in order to “maintain, protect and improve” the services, but also to target search results and ads for each user. There is no way to opt out of the information-sharing aside from deleting your entire account and saying goodbye to your Gmail, YouTube videos, and Calendar, among other things.

….

Privacy groups such as Common Sense Media are concerned about users’ inability to opt out of the information collection and sharing. “Even if the company believes that tracking users across all platforms improves their services, consumers should still have the option to opt out.”

ArsTechnica

This is just common sense: Google are going to consolidate their records to make statistical analysis more efficient. This is for data that Google already collects from their own users, people who choose to use their services. The concern is that users “can’t opt out”, which is not true. Users have the option of not using Google services. I should point out that most of Google’s services are provided for free, and no one is “required” to use them.

Google is a private company offering services to the public; they don’t owe the world anything. If you don’t like the terms of service, then your opt-out is to simply not opt in by putting all your information into Google. I’m a Google user myself, but there is some information I choose not to put into Google, while other information I am happy for them to have.

You have a way to opt out of Google: by not using their (free) services if you don’t like the terms that come as part of the deal. You will only become Google’s bitch if you let it happen. The same applies to Facebook and Twitter. Take control of your data and realise that Google don’t owe you anything.

A security podcast that I recommend.

While I predominantly focus on skepticism, I do have other areas of interest. One of them is computer security. Having been to a couple of skeptic conventions, I have noticed that there is more than a handful of computer people within the skeptics community. So I’m sure a lot of the people who find my blog will also have some good knowledge of computer security and computers in general. Security Now is a podcast that I think may appeal to a lot of technical skeptics, although it isn’t a skeptical podcast itself.

Security Now is a computer security podcast released on a weekly basis; it covers security vulnerabilities, firewalls, password security, spyware, rootkits, Wi-Fi, virtual private networks (VPNs), virtual machines, full virtualization, hardware-assisted virtualization and virtual appliances. I have been listening to it since 2005, when the show first debuted, and I have been following Steve Gibson’s work at GRC.com since at least 2001.

So if you have an interest in computer security, definitely check out Security Now. I also recommend Steve’s hard drive maintenance software SpinRite, which I’ve been using to rescue and maintain hard drives.

DDoS attacks are a coward’s 'protest'.

There seems to be a belief floating around that the DDoS attacks carried out by the so-called “hacker” group Anonymous are the equivalent of a legitimate protest. Some members of Anonymous even have the audacity to liken themselves to civil rights protesters; the irony.

Launching a Denial of Service attack against somebody you wish to silence is not the equivalent of a virtual sit-in, for several reasons, one of which is accountability. When you conduct a sit-in protest you are held accountable for it; it’s an illegal activity (trespass) for which you can be prosecuted. In contrast, when you launch a DDoS attack on someone’s website over the Internet, with or without a proxy server, you are removing the accountability for your actions. You are hiding like a sniveling coward.

It takes a certain amount of courage to stand up for what you believe in, and throughout history we have seen many examples of just that: people standing up for what they believe in, from the civil rights movement to the Tiananmen Square protesters and countless others. Many of these people put themselves on the line to stand up for their beliefs and ideologies, and for many the price was high. It is at the very least a tremendous insult to these activists that a group of cowards hiding behind an IP address on the Internet could ever compare themselves to real activists.

The group Anonymous is built upon hiding as opposed to standing up. They are not activists but cowards who hide online and attack from the shadows; some even employ proxy networks to cower further behind their keyboards.

If you think I’m being harsh on Anonymous then take a look at this and explain the logic to me because I cannot find it.

Lastly, they set up this website called mybart.gov and they stored their members information with virtually no security. The data was stored and easily obtainable via basic sqli. Any 8 year old with an internet connection could have done what we did to find it. On top of that none of the info, including the passwords, was encrypted. It is obvious BART does not give a fuck about its customers, funders and tax payers, THE PEOPLE.

Thus below we are releasing the User Info Database of MyBart.gov, to show that BART doesn’t give a shit about its customers and riders and to show that the people will not allow you to kill us and censor us. This is but one of many actions to come. We apologize to any citizen that has his information published, but you should go to BART and ask them why your information wasn’t secure with them. Anonymous Dataleak

Wow, did I just read that? Anonymous is critical of BART.gov for not taking adequate steps to secure customer information. So in response they steal the data themselves and publish it on the web for the whole world to find. They then apologise to the users whose information they have published.

That right there shows the childish attitude towards accountability that characterises the group that calls itself ‘Anonymous’. Protecting privacy and free speech while violating both? What a joke these so-called ‘hacktivists’ really are. You cannot claim to defend freedom of speech while attacking websites, and you cannot claim to value the privacy of fellow citizens while simultaneously publishing their personal information on the web.