Archive for the ‘Security’ Category

Passwords, Authentication, and Privilege

Gizmodo has decreed that today, February 1st, is “Change Your Password” day. I wholeheartedly agree, especially if you re-use passwords (which you shouldn’t!). In fact, I’d go further: change your password, and start using a password manager. Did I change my passwords today? I did not, because I use said password manager. I don’t reuse passwords, and my passwords are all random. So even if one is revealed, it’s not going to make a difference outside of that one website.


Zappos Data Breach

Zappos.com recently had a data breach. As data breaches go, it was not nearly as bad as it could have been: no full credit card numbers leaked, nor any plaintext passwords. What makes it special, then? It’s somewhat special to me, since it is, to my knowledge, the first time that I have been part of a data breach: I have a Zappos.com account, and I received the email about the breach. Notice I said “to my knowledge”; plenty of data leaks don’t get reported. I haven’t been part of a major one, though, at least according to pwnedlist.com, where you can check whether your email address or username has been leaked.


IT Security Survey

I’m currently working on my MSST Capstone project, which is going to focus on IT security in small organizations and small businesses. If you work in a small business, especially if you have an IT role, please fill out a short survey I’ve put together. It’s 36 questions, mainly yes or no, so it shouldn’t take up too much time. You can access the survey here.

New GnuPG key

My GnuPG key was set to expire at the end of this year, so I created a new one. The key is located here. In the extremely unlikely event you need to email me something securely, use this!

I’m a big fan of crypto and secure email. Too bad I so rarely have need to use it.

Google Two-Factor Authentication

Google has recently enabled two-factor authentication for Google products like Gmail. What is two-factor authentication? It means that in addition to providing your password, you need to provide a random verification number that Google will send to your phone, either via an app, a text message, or an actual phone call. Thus, to log in, you need two things: a password and your phone. With only one or the other, you can’t get in. This is much stronger than a password alone, which is why some banks have been moving to two-factor authentication for customers. Google’s decision to enable it for email, and for just about everybody with an account, is certainly groundbreaking.


  • Current Mood: Inspired

Useful Computer Utilities: KeePass

Some time ago I blogged about the password manager I had been using for many years: Password Safe. It’s a great program, one that I recommend wholeheartedly. However, I’ve since switched to a new manager: KeePass. Like Password Safe, it is a pretty functional password manager that allows you to automatically generate and save passwords. Also like Password Safe, KeePass is open-source.

Why did I switch? Well, essentially because I like the interface and functions better in KeePass. The UI looks a bit better, and there is a graphical representation of how strong a password is. Other than that, though, it’s almost identical to Password Safe. Password Safe is even a bit easier to use for the novice, as it doesn’t have quite as many options to fiddle with as KeePass. One issue with KeePass 2.x is that it requires the .NET framework, which isn’t always available, especially if you plan on using it on a computer that you don’t have control over.

I’d unhesitatingly recommend either of the two for your password manager needs. Play with both of them and decide which one you like better. But pick and use some kind of manager. Using strong, random passwords is an important part of security, and password managers help make doing so simpler.
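Both this post and the “Change Your Password” post above rest on the same two ideas: passwords should be random, and a tool should measure how strong they are. The following is an added example (my own, not code from KeePass or Password Safe) of what a manager does behind its “generate” button and its strength bar. It assumes a CSPRNG (`secrets`), a fixed symbol set chosen for this example, and the usual strength estimate of `length * log2(alphabet size)` bits for a uniformly random password.

```python
import math
import secrets
import string

# Character classes a generator can draw from. The symbol set is an
# assumption of this example, chosen to avoid characters some sites reject.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_",
}


def alphabet_for(classes):
    """Concatenate the chosen classes into the alphabet to sample from."""
    return "".join(CLASSES[c] for c in classes)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Strength of a uniformly random password: each position contributes
    log2(alphabet_size) bits, so the total is length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def has_all_classes(password: str, classes) -> bool:
    """True if at least one character from every requested class is present."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def generate_password(length: int = 20,
                      classes=("lower", "upper", "digit", "symbol")) -> str:
    """Draw each position independently with a CSPRNG, then reject and retry
    any draw that misses a requested class. Rejection keeps the result uniform
    over the accepted strings, unlike 'pick one from each class, then shuffle',
    which biases the distribution."""
    if length < len(classes):
        raise ValueError("length must be at least the number of classes")
    alphabet = alphabet_for(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, classes):
            return candidate


def strength_label(bits: float) -> str:
    """Coarse bucket, the text a strength bar would show. Thresholds are an
    assumption of this example."""
    if bits < 40:
        return "weak"
    if bits < 64:
        return "fair"
    if bits < 96:
        return "strong"
    return "very strong"


if __name__ == "__main__":
    classes = ("lower", "upper", "digit", "symbol")
    pw = generate_password(20, classes)
    bits = entropy_bits(len(pw), len(alphabet_for(classes)))
    print(pw, f"{bits:.1f} bits", strength_label(bits))
```

The estimate only holds for passwords the generator produced: a human-chosen password of the same length and alphabet is far weaker than `entropy_bits` reports, which is exactly why the post's advice is to let the manager pick.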

  • Current Mood: Cyber-educated

National Internet ID: A Bad Idea

The Obama administration is talking about creating a unique “Internet ID” for web users in the U.S. Commerce Secretary Gary Locke is quick to say it isn’t a national ID card, or even a government-controlled system, but private creation of “trusted digital identities”. Although there are plenty of times where the need for a trusted digital identity is real, I really don’t think e-commerce is one of those times. The benefits of such a system for e-commerce are far outweighed by the costs.


My 7 seconds of fame on CNN

CNN did a story on the Masters of Science in Security Technologies (MSST) program I’m enrolled in at the U. The story can be found here. I’m in the story for a few seconds of talking and clicking around on my computer at work (I’m clicking on the database app I created, not Solitaire). Except for my appearance on ‘N Sync’s website many years ago, it’s probably my broadest media appearance yet. I’m so proud!

As for the MSST program itself, it’s going very well. Our first course, dealing mainly with the psychology of terrorism, is already over, and it was very interesting. Ron Krebs, the instructor for the majority of the class, handled the class exceptionally, with a very good balance of lecture and group activities, as well as engrossing readings. Several of my classmates and I were interested in taking a course he is teaching in the fall, but the workload just isn’t something I could handle while working, planning a wedding, and electioneering. Our current two courses, on critical infrastructure protection and science and technology in security, are also very interesting. They are pretty broad courses with a number of guest speakers lecturing on their particular areas of expertise (cybersecurity, biosecurity, food security, pandemic preparedness, and so on), and they will provide a good base upon which we can expand in later classes. They are also great at scaring the crap out of us.

In a little more than a month, the summer semester will be over and I’ll be 25% done with my degree. Not bad. Next on the to-do list: thinking of a capstone project.

Toyota and data privacy

Why am I so interested in issues of data privacy and data security? I think this story about “black boxes” in Toyota cars illustrates it well. In short, many Toyota cars have airplane-style black boxes that record data like speed, whether the airbags deployed, and so forth. However, the data is stored in a proprietary format, and only Toyota can access it; they only do so when requested by law enforcement. I am interested in security and privacy precisely because I want to see the end of what I consider to be horrible practices like this.

I don’t think it’s horrible because black boxes shouldn’t exist, or because they infringe upon privacy. On the contrary: my major problem with this is that it is far too private. Only Toyota has access to the data, despite the fact that the owner of the car paid for the black box and the driver of the car is the one generating that data. Toyota should not store this data in a proprietary format that only Toyota can read, divulged only when Toyota chooses to. The owner of the vehicle should have full access to the data at all times and should be able to control it.
