…and around it goes

It looks like it may be worse than feared.  Thousands of ghost tankers parked off Malaysia (more than the combined navys of the British and US).  Tens of thousands of abandoned box cars in the US.  All this at a time when the ramping up for the Christmas season should be happening.  Could this be a harbinger?

http://www.dailymail.co.uk/home/moslive/article-1212013/revealed-the-ghost-fleet-recession.html

http://online.wsj.com/article/SB123535033769344811.html

Wait, it’s not just cargo ships and trains, it’s planes too:

http://www.usatoday.com/travel/flights/2009-04-06-airlines-parking-planes_N.htm

Not to mention Insiders are selling like there is no tomorrow:

http://money.cnn.com/2009/09/10/news/economy/insider.sales/index.htm?postversion=2009091219

It certainly does not look good.  All this TARP spending is a temporary fix.  Anyone who owns a credit card knows that spending off it is only a temporary boost, until it’s maxed and the bill comes due.  What will come when the country is maxed and this bill is due and there are no goods moving to pay it?

Mainboard failure.  It was a nice machine, now history.  Not sure what I’ll do with it.  I do have an extended warranty, but with the company gone and nobody to fix it I’m probably out of luck.  Time to shop for a laptop, think I’m done with UMPCs. This was an expensive lesson, only got a year and a half out of it.

I usually stay away from discussing politics on my blog that do not relate to privacy, however a recent article on The Drudge Report is rather interesting. Regardless of where you stand politically and/or on the Health Care debate, if what is written is true then it’s a bit troubling to see ABC News pulling a Micheal Moore. There is more than one side of an issue, even if you may not agree with it.

In the effort towards full disclosure:

Politically I try to remain neutral and evaluate each issue independently. However, I suppose that due to my strong belief in personal freedom and privacy, along with my belief that big government just breeds bigger and more inefficient government, and that spending is something to track carefully so that you remain within a workable budget, that I may learn somewhat conservative/libertarian.  I am a registered Libertarian, it seems to fit best, although I do not agree with all of their beliefs.  I view extremism at any end as bad.

As for this particular debate, I’d love to see money we effectively waste elsewhere covering the health issue, health is important and costs are out of control.  I’m paying $700 a month to cover myself and my daughter and each year that premium goes up as do the copays and the coverage goes down along with the caps.  My taxes also go up with me seeing little in return.  That angers me.

Yet I also see how poorly the government handles health care where they already handle it (medicare/veterans administration/etc).  I also know as a business man that just throwing more money that you don’t have into a broken system has only one result, bankruptcy.
Idealistically, I’d love to see good government run health care that resulted in me and my family covered well at less of a cost.  Realistically, I fear we’ll get less and pay even more.

This is a little scary for privacy.  It was bound to happen, everything is getting smaller in the move towards nanotech, but still scary none-the-less.  Imagine a spec of dust able to transmit your position everywhere.  I know the “I’ve got nothing to hide, I welcome all my privacy being stripped” folks won’t care, but the rest of us certainly do.  Even though I don’t do anything criminal, I don’t want to be able to be found at all times by anyone looking, especially if there are certain people I am ducking (”you told me you had to work and couldn’t help me shop, why are you at your fishing spot?”  I can’t think quick enough to answer that one).

A subscriber brought RexSpy to my attention after reading here that I took the plunge into a smartphone.   This, of course, sent me off on a fact finding journey through Google.  There seems to be some trepidation at validating this threat.  It may just be a company (SecurStar) trying to drum up business for their product.  In fact, little has been heard of it since it was announced and I cannot even find the supposedly free removal tool offered by Securstar anymore.  However, it did make me wonder about the safety of what I had thought were plain text messages.

It appears that there is a new version of SMS that allows embedding, because of that SMS messages are not all that secure.  So even if RexSpy was just a marketing ploy it is apparently possible for an invisible SMS message to execute things on the phone, change settings, and potentially copy info while the phone shows nothing happening (apparently all newer smartphones are vulnerable).  Granted, there are limitations and it’s not easy, but it is possible.

This lead me to delve into my Blackberry for some type of solution.  It turns out that it’s firewall (Settings->Security->Firewall) gives you the ability to block SMS, MMS, PIN, and more for: all, all but address book contacts, and all but address book and special addresses (I need to find out what the special addresses means).  Of note is that blocked items are lost if you accidentally block something you want, but I suppose that strict settings here would help mitigate an SMS attack.  I set mine to just address book.

Smartphones, while useful, are still relatively new and as such are probably not going to be trustingly secure for a while, I’d use them with that understanding.  Do a battery pull in any really secure environment you need to be in (or leave your phone behind) and any remote access done should have a secondary access control that is out of band from the phone, like SecureID, either that or utilize a one time use password design.  Also favor certificates for internal authentication, so that you are never typing reusable passwords on the phone.  That way even if the phone is lost or compromised it is less likely to lead to a network compromise.

PS: SMS isn’t your only threat, don’t forget that your phone is a mobile workstation and as such vulnerable to bluetooth attacks, WIFI attacks (if it has WIFI), application vulnerabilities, and viruses/trojans.

Further information on securing your blackberry.

More on the Blackberry firewall.

Phone web sessions hijacked via SMS.

Youtube video showing SMS hotspot attack.

A rough weekend hardware-wise has me now using the OQO as a desktop.  I’ve never used it this way before.  Once I tried connecting it to my KVM, but the resolution was only 800 x 480 and on a 22″ wide monitor that was horrendous.  This time I connected it directly to the monitor and I guess this allowed it to detect the monitor because it snapped into 1680 x 1050 without issue.  I then plugged in all my USB drives and peripherals and I was good to go (I’m a USB nut and went USB everything, my desktop was basically just a cpu, ram, video, and an OS drive).  Turns out the OQO, while certainly no power house, is surprisingly usable as a desktop machine.

I shouldn’t be surprised, it is what the OQO is designed to do, to use it as a desktop machine that you can take with you and stick in your pocket.  I just never used it as a desktop until forced.  I may stay with it for a while.  It may be no gaming machine, but my desktop is strictly work anyway (ok, I may occasionally watch hulu too), and for that it is fine.  I can only assume that the OQO didn’t like being confined to mothballs except for weekend trips and so it offed my desktop while I was sleeping.  I’ll have to watch it more carefully.

I was reading the latest accusation against the NSA for overstepping it’s legal bounds on truthout.org (article).  It’s interesting, but really nothing new or unexpected.  History has taught us all that powers given will be abused if they can be.  I’ve noticed (and I’m sure many others have as well) that most often that abuse will be by the entity controlling those powers for it’s own protection and preservation.  Granted, the NSA doesn’t yet appear to be at that stage (NSA folks are probably laughing at this comment), but could it become this type of monster?

Well, we originally had checks and balances to guard against the creation of  a self-protecting powerful entity at a risk of self-preservation becoming it’s main goal.  By removing oversight we are creating just such a potential monster and then playing Russian roulette with it.  Which political entity will be in power when it’s finally all powerful after passing through administration after administration that removed checks and balances?  Think of the influence on the democratic process such an entity could exert.  Stop allowing oversight to be removed now and put more in place.

After all, you have nothing to fear from oversight if you have nothing to hide.

I frequently receive questions similar to the following:

“I came across this link (http://cryptogon.com/?p=877), and was wondering if you folks were aware of this type of activity; also, can your Proxy/Tunnel service help to mitigate my exposure.”

Some questions also mention Tor and ask which is better protection.  I recently answered another of these and thought the (now slightly edited)  answer was a good entry for this blog.

The answer:

No proxy service can guarantee to hide you from governments or guarantee flawless anonymity, there are too many areas of potential compromise in every one of them.  The closest to anonymity out there is Tor, due to it’s design, but because it still has to be as real time as possible to be functional it is subject to traffic analysis (an entity who sees both sides can time your packets going in and match them to packets coming out by factoring in the delay it takes to pass through.  In an overly simplistic analogy, cars maintaining the same steady rate of speed enter a tunnel staggered, you know that they will slow down in the tunnel and by how much, you can calculate when each one of those cars will exit that tunnel even if they change lanes inside).

One must also assume a large number of hostile exits with Tor (a researcher recently set up Tor exit nodes and published captured passwords and usernames (PDF), I have to believe that he’s not the only one who ever thought of this).  Yet even given these pitfalls, Tor is still the closest you can get to anonymity because of its decentralized approach and onion encryption.  That makes it the best protection from an entity who can only see the exit, which is most.  Unfortunately given the nature of it’s setup (untrusted and potentially hostile end users running servers), it’s going to be slow and you should probably never use it to log into bank accounts, etc.  Even though many of those are end to end encryption you place yourself at a greater risk of man-in-the-middle attacks.  Your safest bet with those types of accounts is direct access, you lose little as theoretically they already have your personal information.

Paid services and single hop proxies are even more vulnerable to traffic analysis because they are more centralized, strive for as little delay as possible (speed is everything to them), and pass through fewer hops.  Its much easier to match the packets going in to those coming out (the faster the proxy the easier the traffic analysis).  They suffer somewhat like Tor in the way that you must trust that the service you are using is not capturing your login and passwords or compromising you itself (ie. maliciously being a man-in-the-middle), which you can trust most well known paid services in this manner (I would not easily trust free single hop proxies, I have to wonder what they get in return for the cost).  Where paid services really fall behind Tor is back tracing from an entity that can only see the exit.  Tor is going to provide you with better anonymity there.

Both Tor and paid services/single hop proxies can protect you from the unwashed masses as well as snooping ISPs.  Both can also provide you ways of accessing data you might not otherwise be able to access.  Tor will provide you with better anonymity than a paid service/single hop proxy will for an entity that only sees the exit, at the cost of speed.  But neither can protect you from a government that wants to get you.  To be honest, they likely wouldn’t even need traffic analysis in either case.  Their preferred mode of intercept for proxy users appears to be to trojan their machine via a vulnerability in either the browser software and/or plugins and through email or messaging client vulnerabilities (see: http://blog.wired.com/27bstroke6/2009/04/fbi-spyware-pro.html)

It all means that if you want to hide from a government focused on catching you, it’s going to take a lot more than just a proxy.

For those unaware of CIPAV, you can get details here and here.  It’s really not a new concept but it does bring up a point I’d like to make again for the novices.  If the FBI can do it, malicious people or oppressive governments can do it too (and actually have been for some time).

It’s extremely important that you choose the software you use carefully and that you stay current with patches.  Many of your favorite applications have had serious vulnerabilities in the past and may so again in the future.  Only you can protect yourself from what is allowed to run on your machine.

Things running on your machine are your greatest risk.  They can get any information that is available to them and send it anywhere, negating any proxy or vpn, even Tor.  There is nothing automated that will secure everything for you and keep it all updated properly.  You will need to learn about your system and it’s configuration, pay attention to what runs on it, watch for reported vulnerabilities, and patch them.

Each system is different so I won’t try to go into details, but favor peer reviewed open source to closed source whenever possible and get it from jurisdictions that have no issues with how you intend to use it (helps minimize prospect of source tampering).  In other words, don’t download from any entity software you may be using to report abuses by that entity (this should be common sense).

Those of you in serious situations should lose the “cool things” on the net, like video, flash, java, and other plugins, or at least run something that makes them unavailable to untrusted sites.  Participation in Facebook, Myspace, and other large social networks should probably be avoided where possible in favor of a blog you fully control (users may request our web hosting, which allows even a novice to easily install and run things like this blog).

Try to remain as text based as possible on the Net.  Run antispyware, antitrojan, and antivirus software and frequently scan.  Don’t open unknown attachments and don’t follow unknown links sent by mail or message.  Don’t leave your computer on or able to be woken up when you are not at it.  And as always, stay up to date with security patches (not enough of you do this).

Google and ask what you do not know and investigate anomalies.  Everything mentioned is especially important for those of you reporting on abuses or accessing forbidden information from behind a wall of information blackout.

Well, not completely, but my love affair with it has faded.  It fits my needs for a lightly packed weekend trip and it is something I’ll keep for that and for using as a car computer, but I stopped carrying it daily.  Even given it’s pocketable size it’s a tad large to be in your pocket all the time.

In spite of this I was still considering upgrading to the new model for more RAM and the better video performance, but their customer support has fallen through the floor.  Given the unreliability of these machines, that is a huge issue, a showstopper for me.  I won’t be upgrading because of it.  Personally, I think OQO is faltering as a company.  I believe they are trying to find an exit with a buyer now.

What do I use daily now?  Well, I’m trying out a Blackberry Curve 8330 (Verizon had a two for $49 deal when I re-upped and that fit perfectly with my tightwad side…although they did soak me an additional $30 a mo for the unlimited net for it).  I’ve never been one for “smart phones”, to me a phone was just to make calls and use as a modem.  I didn’t even use the contacts list in my last phone.   As for Blackberry, in particular, I’d always though that Blackberries were just glorified phones with a PIM, address book, SMS, and perhaps some limited Internet via their proxy.  I didn’t know they can now do what they do.

So far I am impressed.  I have a SSH client to manage servers with in an emergency (screen is a tad small for any real work on it, but it’s ok for emergency troubleshooting and even managing accounts), I have my e-mail (although I refuse to use Blackberry’s push service and instead use LogicMail, the privacy side of me does not want someone in the middle), I have my real time server monitoring alerts, and I have my web access, in fact I have full net access.  That is all I really need when out daily.

It also has some things that I do not really need, but I like them.  Pandora is something I use a lot.  It’s Internet radio and my first foray into it.  I just plug the phone into the line in jack on my truck then start Pandora and I’m good to go, it even pauses the music if the phone rings.  Slacker is another internet radio app I installed and like.  No need for a Sirius subscription anymore (I think as phone networks and Internet radio progress that it means the death of satellite radio, unless they morph or merge).  I also find myself using Viigo a lot for RSS feeds.

BTW: If you are using a smartphone and Opera Mini, please be aware that everything goes through a proxy in Norway and that it operates as a man in the middle for SSL.  Obviously this is not good from a security or privacy standpoint.  Don’t use Opera Mini for anything like online banking, Paypal, etc. where you really want end to end encryption.

So I have only had the Blackberry for a couple of weeks now which means it is too early to find out if it has staying power, but I do expect it does, at least for a while.  Now I have to WAP enable Cotse somehow as LogicMail, though functional, is very basic. Either that or it’s time to learn to code in Java and write my own mail app for it, which I am considering.