<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Alex's Adventures on the Infobahn - security</title><link href="https://www.bennee.com/~alex/" rel="alternate"></link><link href="https://www.bennee.com/~alex/blog/tag/security/feed" rel="self"></link><id>https://www.bennee.com/~alex/</id><updated>2010-10-25T14:13:00+01:00</updated><subtitle>the wanderings of a supposed digital native</subtitle><entry><title>Google Gate-gate</title><link href="https://www.bennee.com/~alex/blog/2010/10/25/google-gate-gate/" rel="alternate"></link><published>2010-10-25T14:13:00+01:00</published><updated>2010-10-25T14:13:00+01:00</updated><author><name>alex</name></author><id>tag:www.bennee.com,2010-10-25:/~alex/blog/2010/10/25/google-gate-gate/</id><summary type="html">&lt;p&gt;Google was on the news this morning for the latest piece of &lt;a class="reference external" href="http://www.bbc.co.uk/news/technology-11614970"&gt;fall-out from their WiFi survey&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;For the uninitiated for some time the &lt;a class="reference external" href="http://en.wikipedia.org/wiki/Google_Street_View"&gt;Google Street View&lt;/a&gt; cars have been scraping WiFi data as they roam the streets. The intention has been to build a database of &lt;a class="reference external" href="http://en.wikipedia.org/wiki/Service_set_(802.11_network)"&gt;SSIDs&lt;/a&gt; as an …&lt;/p&gt;</summary><content type="html">&lt;p&gt;Google was on the news this morning for the latest piece of &lt;a class="reference external" href="http://www.bbc.co.uk/news/technology-11614970"&gt;fall-out from their WiFi survey&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;For the uninitiated, for some time the &lt;a class="reference external" href="http://en.wikipedia.org/wiki/Google_Street_View"&gt;Google Street View&lt;/a&gt; cars have been scraping WiFi data as they roam the streets. The intention has been to build a database of &lt;a class="reference external" href="http://en.wikipedia.org/wiki/Service_set_(802.11_network)"&gt;SSIDs&lt;/a&gt; as an alternative way of locating position to using GPS or Cell Tower information (which I assume is out of Google's control). It's a testament to Google's resources that this sort of mass data collection exercise is seen as a simple one. I do have to wonder what a geo-location database of thousands of &amp;quot;linksys&amp;quot; WiFi SSIDs will achieve though*.&lt;/p&gt;
&lt;p&gt;However it seems the configuration of the information gathering was a little overzealous. Instead of just recording WiFi information they also recorded live network data, i.e. what was being transmitted when the Street View car went past people's houses. This has rightly gotten Google into hot water with the &lt;a class="reference external" href="http://en.wikipedia.org/wiki/Information_Commissioner's_Office"&gt;Information Commissioner&lt;/a&gt; for the sort of mass surveillance that &lt;a class="reference external" href="http://en.wikipedia.org/wiki/Government_Communications_Headquarters"&gt;GCHQ&lt;/a&gt; just wish they could afford. A lot of noise has been made about the potential capture of private emails and passwords. There is more than a hint of hysteria building up with &lt;a class="reference external" href="http://edmi.parliament.uk/EDMi/EDMDetails.aspx?EDMID=41267&amp;amp;SESSION=905"&gt;MPs getting in on the act&lt;/a&gt; and rent-a-quote heads turning up on TV. However, as per usual, there is a distinct lack of perspective.&lt;/p&gt;
&lt;p&gt;For one thing the window of data is very small. Unless you had a Street View car parked outside your house, the amount of potential privacy busting information they have on you personally will be quite low. It also ignores the fact that when sending data across the Internet you don't actually need to be outside someone's house. The Internet is made up of a collection of networks run by a disparate group of corporations and individuals. None of these organisations have the security of your data at the top of their list of concerns and any one of them could actively be snooping on every packet of information you send. In fact as far as networks go it's about as untrustworthy as you get.&lt;/p&gt;
&lt;p&gt;As far as passwords are concerned, if you're not sending them over an encrypted channel then anyone can see what they are. At the very least you should ensure you log in to all web-sites over an &lt;a class="reference external" href="http://en.wikipedia.org/wiki/Secure_Sockets_Layer"&gt;SSL&lt;/a&gt; link (usually signified by a padlock or similar icon in your address bar). Nowadays the padlock may turn another colour or show a cross if there is some other problem with the connection, which may indicate your connection is secure but maybe not to who you thought it was. None of these precautions addresses the issue of whether you should trust the remote end not to tell anyone else your user name and password. This is why you should have different passwords for each service you use and not share credentials between sites (i.e. only give your Google logon details to Google).&lt;/p&gt;
&lt;p&gt;When it comes to email not many people seem to be aware that it's less secure than sending a postcard. Everything in the email is readable by any system between you and the person you're sending it to. Even worse, any system could tamper with the message and make alterations to it, and neither you nor the recipient would know it. If you really want to send email that can only be read by you and your recipients you really should use &lt;a class="reference external" href="http://www.gnupg.org/"&gt;encryption&lt;/a&gt;**.&lt;/p&gt;
&lt;p&gt;So while I applaud the ICO for bringing Google to book for not thinking through what they were doing please realise it's not the new Big Brother. Big Brother has been quite happy reading everybody's data before the first Street View car took to the roads and ultimately you are the only person that can actually do anything to stop him.&lt;/p&gt;
&lt;div class="line-block"&gt;
&lt;div class="line"&gt;&lt;br /&gt;&lt;/div&gt;
&lt;div class="line"&gt;* - slightly facetious, if they were recording MAC addresses they would be guaranteed unique.&lt;/div&gt;
&lt;div class="line"&gt;** - my key can be found &lt;a class="reference external" href="http://www.bennee.com/~alex/key.asc"&gt;here&lt;/a&gt;&lt;/div&gt;
&lt;div class="line"&gt;&lt;br /&gt;&lt;/div&gt;
&lt;/div&gt;
</content><category term="geek"></category><category term="big brother"></category><category term="google"></category><category term="security"></category><category term="wifi"></category></entry><entry><title>While you were out...</title><link href="https://www.bennee.com/~alex/blog/2010/07/12/while-you-were-out/" rel="alternate"></link><published>2010-07-12T21:00:00+01:00</published><updated>2010-07-12T21:00:00+01:00</updated><author><name>alex</name></author><id>tag:www.bennee.com,2010-07-12:/~alex/blog/2010/07/12/while-you-were-out/</id><summary type="html">&lt;p&gt;On Sunday we headed down to the &lt;a class="reference external" href="http://www.shelfordfeast.co.uk/"&gt;Shelford Feast&lt;/a&gt; to catch up with my parents and generally enjoy beer in the sunshine. However while we were out thieving scumbags attempted to break into our house. Apparently there is a bit of a spate of break-ins around fete times as it …&lt;/p&gt;</summary><content type="html">&lt;p&gt;On Sunday we headed down to the &lt;a class="reference external" href="http://www.shelfordfeast.co.uk/"&gt;Shelford Feast&lt;/a&gt; to catch up with my parents and generally enjoy beer in the sunshine. However while we were out thieving scumbags attempted to break into our house. Apparently there is a bit of a spate of break-ins around fete times as it offers a weekend opportunity when houses are generally empty during the day.&lt;/p&gt;
&lt;p&gt;They started by trying to lever the back door open. However the multi-point lock system held up well. They did however put enough force into it to wedge one of the lock points so solidly that even when we unlocked the door we couldn't get in. They also attacked the patio door with some sort of heavy implement. Although the window is fairly smashed up the laminate finish held it together to thwart their attempt. Unfortunately they didn't leave empty handed as after forcing the lock on the garage they left with Fliss' old mountain bike (fortunately we had taken our brand new bikes with us to ride to Shelford). They also forced the lock on one of the outbuildings but as far as I can tell they didn't nick anything from what is essentially our walk-in LARP wardrobe.&lt;/p&gt;
&lt;p&gt;The police turned up fairly quickly followed fairly shortly by the &amp;quot;method of entry&amp;quot; specialist. There was much discussion about the subtle and the not-so-subtle way to gain entry. After the subtle way failed we declined the more direct method to wait for the insurance authorised engineer to turn up. Eventually the &lt;a class="reference external" href="http://en.wikipedia.org/wiki/Scenes_of_Crime_Officer"&gt;SOCO&lt;/a&gt; turned up (offering to wear his sunglasses if it would make us feel better :-) and managed to get some potential evidence from the scene. Hopefully it won't have been in vain.&lt;/p&gt;
&lt;p&gt;Our lovely neighbours put us up and allowed us to watch the World Cup final while we waited for the engineer to turn up and get us into the house. It's a shame the game was so disappointing.&lt;/p&gt;
&lt;p&gt;All in all the experience wasn't too bad, the Police (2 officers responsible for most of the villages to the north of Cambridge) were especially helpful. I've been burgled before so from my point of view I can write this off as a failed attack, Fliss however has a slightly different perspective. Overall we are happy* that the house withstood the attack, however we will be reviewing security to make the place even more fortress like. While Cambridge is not like Manchester this has been a reminder of some of the downsides to our relatively exposed rural setting.&lt;/p&gt;
&lt;div class="line-block"&gt;
&lt;div class="line"&gt;* modulo the hassle that is inevitable with dealing with insurance companies and the magic vaporware cover.&lt;/div&gt;
&lt;div class="line"&gt;&lt;br /&gt;&lt;/div&gt;
&lt;/div&gt;
</content><category term="general"></category><category term="crime"></category><category term="house"></category><category term="security"></category></entry><entry><title>New Keys Please</title><link href="https://www.bennee.com/~alex/blog/2010/03/08/new-keys-please/" rel="alternate"></link><published>2010-03-08T11:25:00+00:00</published><updated>2010-03-08T11:25:00+00:00</updated><author><name>alex</name></author><id>tag:www.bennee.com,2010-03-08:/~alex/blog/2010/03/08/new-keys-please/</id><summary type="html">&lt;p&gt;I've finally gotten around to updating my &lt;a class="reference external" href="http://www.bennee.com/~alex/key.asc"&gt;personal GPG key&lt;/a&gt;. At the same time I've plumbed in the various bits I need into my &lt;a class="reference external" href="http://www.mutt.org/"&gt;mail client&lt;/a&gt; so it's a little easier to sign, encrypt, and verify GPG enabled email. Of course the super paranoid will want to check the public …&lt;/p&gt;</summary><content type="html">&lt;p&gt;I've finally gotten around to updating my &lt;a class="reference external" href="http://www.bennee.com/~alex/key.asc"&gt;personal GPG key&lt;/a&gt;. At the same time I've plumbed in the various bits I need into my &lt;a class="reference external" href="http://www.mutt.org/"&gt;mail client&lt;/a&gt; so it's a little easier to sign, encrypt, and verify GPG enabled email. Of course the super paranoid will want to check the public key linked to is in fact mine and not some evil twin clone of me. Contact me by some other means (any of my &lt;a class="reference external" href="http://en.wikipedia.org/wiki/Extensible_Messaging_and_Presence_Protocol"&gt;XMPP&lt;/a&gt; accounts* will do although to be safe I recommend using an &lt;a class="reference external" href="http://en.wikipedia.org/wiki/Off-the-Record_Messaging"&gt;Off the Record&lt;/a&gt; plugin).&lt;/p&gt;
&lt;p&gt;If you show me your cryptographic fingerprint I'll show you mine ;-)&lt;/p&gt;
&lt;p&gt;* That would be LJ chat, Google Talk or the new Facebook chat&lt;/p&gt;
</content><category term="geek"></category><category term="encryption"></category><category term="gpg"></category><category term="security"></category></entry></feed>