Tag Archives: Security

Kryptonite D-Lock

I recently acquired a new D-lock (or U-lock); my old ‘masterlock’ had failed with a key stuck in the lock (fortunately, not on the bike). I did contact masterlock – no response.

I need a new lock to complement the AXA Defender for longer stops, and so decided to switch brands from masterlock – I went with a Kryptonite New York U-lock (Evans) (Wiggle).

The lock is currently attached to the bike rack at work. This is because that is far enough, and the lock heavy enough, that I don’t want to be carrying the lock to and fro each time I commute in. The lock has a pretty sturdy looking keyhole cover to protect against the elements.

This does, however, mean that I don’t have a U-lock for use near home. I could get a second one, but then I’d be forever using the wrong key – a minor annoyance, true, but still an annoyance it should be possible to avoid. Kryptonite do a ‘keyed alike’ service, a second lock made to fit the same key. Perfect, yes?

No.

They will only post to addresses in the US and Canada. I understand that there might not be the volume for transatlantic sales to be worthwhile for a one-off; that said, it’s rather surprising that, given they sell the lock in the UK, there isn’t a deal with one of the major retailers whereby they can put the ‘keyed-alike’ lock in with a regular shipment.

Great. Grr.

(Now, if there are any US’ians I know who are planning to come to the UK….)

Facebook Security

On the website of the University of Washington Computer Security and Research group, they have posted a review of Facebook security, which is worth reading for anyone with an account on that website.

The essential features are these:

  1. Facebook is opening itself to problems from shoddy/malicious code; one example of this was ‘Secret Crush’.
  2. To use an application, a user exposes all of their confidential information (this is not news to me).
  3. If a friend has installed a malicious application, they have exposed all of my information.

The latter is a real problem: some of my contacts have hundreds of applications for no apparently good reason, any one of which could be a spam harvester. I know this as I often get invites to install some obscure application, which I routinely ignore as I have no wish to expose my account for a five-minute-wonder application. However, I had not realised that everything except for my friends’ information was already exposed by the act of my contact having this application installed.

Fortunately there is an (obscure) fix. You can limit how much information is exposed to applications that your friends have installed by going to an obscure Facebook options page. I have no idea how to click through to these settings from within Facebook; they seem to make it tricky to manage account security. Indeed, it’s probably not really in their interest to allow people to lock things down.

The summary of the article is this:

Although Facebook has some provisions to protect users, applications are an easy way to sidestep any security measures put in place by Facebook.

If I were you, I’d limit the amount that you expose to applications your friends have installed, and remove any applications you don’t need – the latter will also make your whole experience that bit more efficient. You can remove applications with this settings page.

Whilst you’re at it, you should control who can see your stuff and separate your contacts into ‘friends’ and ‘people I know on Facebook’. The latter do not need to see all of your details. You should also give some thought to what is visible to someone who searches for your name.

Data Loss

Up until Monday, we hadn’t had any of our data lost by the government (as far as we knew). We shouldn’t have been one of the 25 million lost due to being child benefit claimants, or caught up in one of the many other breaches.

Some of the breaches are potentially very serious should the data fall into the wrong hands, for example, the list of military applicants, of prison officers, or (and think of the children!) families with young kids.

However, Monica may have been among the three million lost on Monday.

It does annoy me slightly that they always call it ‘lost’; this can imply that the issue is that the government no longer has the information. This isn’t the problem – it’s ‘duplicated, then lost’. The issue is that people who shouldn’t have the information ultimately acquire it.

Having the entire population on one big database is not a way to improve security. It’s a big target for identity theft, and recent history shows that it cannot be kept totally secure.

Having said that, the ‘losses’ that have happened have been rather silly: lots of data transported without strong encryption, often when there was no need to transport it at all. It shows a general carelessness that is not befitting anyone claiming to be worthy of trust with this data.

You can take this survey to find out how likely it is that the government has treated your information shoddily.

For more on the proposed ID card database, see the No2ID website, including this rundown of the issues.

The ORG data loss questionnaire

You hand over your personal details to councils, hospitals, employers and businesses all the time. But these institutions don’t always keep that data safe. In fact, since HMRC lost its entire database of child benefit claimants last year, high profile data losses have hit the headlines with worrying regularity. But how does this affect you and your family? Click here to find out how likely it is that a government department or corporate entity has been losing your data recently.

Industry and Government want to aggregate and share more and more of your personal data. Schemes like the National Identity Register, ContactPoint and the Intercept Modernisation Programme are just the tip of the iceberg. But data insecurity is inevitable if large datasets are stored centrally and accessed by hundreds of different people. Data loss can lead to identity fraud and harassment for anyone affected. It is also likely to further complicate or even threaten the lives of those who are fleeing abusive relationships or on witness protection schemes. And that’s without even getting into the debate about how data sharing and aggregation can change the relationship between citizen and state [.pdf].

Once you’ve taken the test, please share the link – http://www.openrightsgroup.org/dataloss/ – with friends. And if you learn of other incidents that should be added to the questionnaire, then please add them to our list of UK privacy debacles, which feeds into the questionnaire.

Thanks to Sam, Glyn, Casey and Rowan, the Open Rights Group volunteers who conceived and realised this project. Finally, please note that the application does not record users’ responses or IP address. In fact we don’t store any user data, which means there is no danger of us losing or leaking anyone’s personal information.

Mythbusters Gagged

Adam Savage, of the excellent ‘Mythbusters’ programme(*), reports that they were going to do a segment on RFID chips, only to have the lawyers descend from Visa, American Express etc.

Texas Instruments comes on along with chief legal counsel for American Express, Visa, Discover, and everybody else… They were way, way outgunned and they absolutely made it really clear to Discovery that they were not going to air this episode talking about how hackable this stuff was, and Discovery backed way down being a large corporation that depends upon the revenue of the advertisers. Now it’s on Discovery’s radar and they won’t let us go near it.

A great quote from the video:

You do have about 3000 people in the room who aren’t under such legal arrangements.

The full video is here, and starts with a great talk from Savage about his obsessions.

The point is that keeping the information ‘secret’ does not stop the bad guys getting it – it only stops the rest of us knowing that our information is insecure. If you’re reliant on security by obscurity you have no security at all. Given that RFID is a widely distributed technology, the RFID chips should be able to withstand full scrutiny if they’re to be trusted for the purpose.

They can’t withstand that scrutiny, as evidenced by the reaction of the lawyers, and by this video.

With a bigger antenna on this I can go into Starbucks and get the [details] of everyone there.

It’s a shame Discovery didn’t feel able to nod at the lawyers, and then make the programme anyway – including the conversation with the legal people. Still, when you’re depending upon ad revenues, it’s not as easy as all that – at least in the short term. A good argument for the BBC TV Licence!

(*) Although the announcer in the UK does often mix up the concepts of mass, pressure, force etc. Not sure about the guy in the US – the people in the show sometimes do this too, but that comes across to me as more of a ‘shorthand’, as they obviously know the difference!