Updating @datahole

Datahole is a Twitter account I have been ‘maintaining’ for over four years. In practice I’ve simply been letting it run itself.

It takes RSS feeds from Ars Technica, Wired, The Guardian and Bruce Schneier’s blog and looks for stories containing words like ‘leak’, ‘phishing’ and ‘password’.

Then it adds in unfiltered posts from The Register’s security news and The Open Rights Group.

Last night I updated the look and feel of the account with a new avatar, header and background image. Besides these cosmetic tweaks I added two feeds from the blog of security expert Brian Krebs, specifically his categories ‘latest warnings’ and ‘the coming storm’.



Apple insecurity questions

Apple has been prompting me to add some additional security to my account for a while now, and I’ve actually put off some purchases simply to avoid answering these questions…


Container Bob

This curious aside is from a fascinating (if overlong) Wired article about a radioactive container that turned up in the Italian port of Gioia Tauro:

It was hardly the first fishy shipment to pass through Gioia Tauro. Famously, just six weeks after 9/11, workers there heard noises coming from inside a container being transshipped to Nova Scotia via Rotterdam. Inside, police found an Egyptian-born Canadian carrying a Canadian passport, a satellite phone, a cell phone, a laptop, cameras, maps, and security passes to airports in Canada, Thailand, and Egypt. The container’s interior was outfitted with a bed, a water supply, a heater, and a toilet. Nicknamed Container Bob, the man posted bail in Italian court and was never seen again.

(via Why Is This Cargo Container Emitting So Much Radiation? – wired.com)

Apparently he also had ‘an airline mechanic’s certificate valid for Chicago’s O’Hare and New York’s Kennedy airports.’ [1] He was ‘a well-dressed man’ only caught because he was drilling ventilation holes. [2]

Despite the ‘Container Bob’ nickname, ABC News reported at the time that he was Rizk Amid Farid, then 43.

Italian investigators say everything about Farid — his documents and claims about himself — appear to be either false or obscured. They have checked his stories with police in other countries — including Egypt, Canada and the United States — and believe none has panned out. Canadian investigators are further investigating the suspect’s background.

Though police have not said they have any direct evidence tying Farid to terrorism, he is the first person to be arrested in Italy on the basis of a new counterterrorism law passed last week in the wake of the Sept. 11 attacks. Under the new law, he can be held for at least six months as investigators try to determine whether he is a terrorist.

A prosecutor said the stowaway had studied in Egypt and in North America to qualify as a commercial jet engine mechanic. Before leaving Egypt, however, he was believed to be working at a magazine distribution company. Investigators say he claimed to be “running away” from a powerful brother-in-law in Egypt and had traveled in the container for five days.

(via Italian Police Probe Man Found in Box – 25 October 2001 – abcnews.go.com)


What your apps know about you

This diagram is one of many interactive infographics from the Wall Street Journal, illustrating how many apps are accessing more of your personal data than you may realise.

An examination of 101 popular smartphone “apps”—games and other software applications for iPhone and Android phones—showed that 56 transmitted the phone’s unique device ID to other companies without users’ awareness or consent. Forty-seven apps transmitted the phone’s location in some way. Five sent age, gender and other personal details to outsiders.

The findings reveal the intrusive effort by online-tracking companies to gather personal data about people in order to flesh out detailed dossiers on them.

via Your Apps Are Watching You – online.wsj.com

Most common passwords in the Gawker database

This is a Wordle showing the 80 most common passwords from the cracked Gawker database. There are 2090 passwords containing the word ‘password’ (132 clever people used ‘passw0rd’). Next is ‘lifehack’, appearing 680 times and then ‘qwerty’ at 663.

I haven’t really explored this a great deal, but I saw many numerical passwords that were clearly birthdates and loads of names and short dictionary words. Basically, everything you’re not supposed to use as a password.

[Check the updates at the bottom of this post for more info]
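The kind of counting this post describes, written out as an added example rather than the author's own script. The password list below is constructed for the example and is not Gawker data. It builds the exact-match frequency table (the Wordle input), counts passwords that contain ‘password’ once leetspeak substitutions such as 0-for-o are undone, and applies a heuristic for the birthdate-style numeric passwords mentioned above.

```python
from collections import Counter
from datetime import date

# Constructed stand-in for a cracked password list; not the Gawker data.
SAMPLE_PASSWORDS = [
    "password", "password", "passw0rd", "lifehack", "qwerty", "123456",
    "Password1", "19850312", "12081979", "michael", "letmein", "qwerty",
    "password", "sunshine", "lifehack", "dragon", "mypassword", "abc123",
]

# Common leetspeak substitutions, undone before substring matching so that
# 'passw0rd' and 'P@ssword' both count as containing 'password'.
LEET = str.maketrans("0134@$", "oieaas")


def normalise(pw):
    """Lower-case and undo leetspeak so variants collapse onto the base word."""
    return pw.lower().translate(LEET)


def top_passwords(passwords, n=5):
    """Exact-match frequency table, most common first (the Wordle input)."""
    return Counter(passwords).most_common(n)


def count_containing(passwords, word):
    """Passwords containing `word` once case and leetspeak are normalised."""
    word = word.lower()
    return sum(1 for pw in passwords if word in normalise(pw))


def count_leet_variants(passwords, word):
    """Passwords that equal `word` only after leetspeak is undone (e.g. passw0rd)."""
    word = word.lower()
    return sum(1 for pw in passwords if normalise(pw) == word and pw.lower() != word)


def looks_like_birthdate(pw):
    """Six or eight digits that parse as a date in a plausible birth-year range,
    trying yyyymmdd, ddmmyyyy, mmddyyyy and, for six digits, ddmmyy and mmddyy."""
    if not pw.isdigit() or len(pw) not in (6, 8):
        return False
    if len(pw) == 8:
        candidates = [(pw[0:4], pw[4:6], pw[6:8]),
                      (pw[4:8], pw[2:4], pw[0:2]),
                      (pw[4:8], pw[0:2], pw[2:4])]
    else:
        candidates = [(century + pw[4:6], m, d)
                      for century in ("19", "20")
                      for m, d in ((pw[2:4], pw[0:2]), (pw[0:2], pw[2:4]))]
    for y, m, d in candidates:
        try:
            date(int(y), int(m), int(d))
        except ValueError:
            continue
        if 1900 <= int(y) <= 2010:  # plausible birth years at the time of the dump
            return True
    return False


def summarise(passwords):
    """The figures the post quotes, computed over any password list."""
    return {
        "total": len(passwords),
        "containing_password": count_containing(passwords, "password"),
        "leet_password": count_leet_variants(passwords, "password"),
        "birthdate_like": sum(1 for pw in passwords if looks_like_birthdate(pw)),
        "top": top_passwords(passwords),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_PASSWORDS))
```

Point it at one password per line from a real dump and the same functions apply; the birthdate heuristic is deliberately loose (any six or eight digits that form a valid date), so expect a few false positives such as PINs that happen to parse.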


Create strong passwords

I thought this was a good method for creating strong but easy to remember passwords.

What to do / Suggestion / Example

1. Start with a sentence or two (about 10 words total).
   Suggestion: Think of something meaningful to you.
   Example: Long and complex passwords are safest. I keep mine secret. (10 words)

2. Turn your sentences into a row of letters.
   Suggestion: Use the first letter of each word.
   Example: lacpasikms (10 characters)

3. Add complexity.
   Suggestion: Make only the letters in the first half of the alphabet uppercase.
   Example: lACpAsIKMs (10 characters)

4. Add length with numbers.
   Suggestion: Put two numbers that are meaningful to you between the two sentences.
   Example: lACpAs56IKMs (12 characters)

5. Add length with punctuation.
   Suggestion: Put a punctuation mark at the beginning.
   Example: ?lACpAs56IKMs (13 characters)

6. Add length with symbols.
   Suggestion: Put a symbol at the end.
   Example: ?lACpAs56IKMs” (14 characters)

Test your password with a password checker

A password checker evaluates your password’s strength automatically. Try our secure password checker.

via Create strong passwords – microsoft.com

To add complexity with case though, I might use vowels to select uppercase letters instead. Splitting the alphabet in half seems like it would be much trickier to remember, for me at least.

Found via Tech Radar’s 25 internet security tips, which has 24 other excellent suggestions…
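The recipe above, implemented as an added example (not Microsoft's checker or anything from the original post) so the two case rules can be compared side by side. Microsoft's sentences, digits and punctuation are reused; the function names, the vowel rule from the comment above, and the strength estimate are mine, and the closing symbol is assumed to be a straight double quote. Note that applying the first-half rule literally gives ?LACpAs56IKMs" with an upper-case leading L, since ‘l’ is the twelfth letter and so in the first half of the alphabet; Microsoft's own table leaves it lower-case.

```python
import math

# Microsoft's sample sentences from the table above; everything else in this
# block (helper names, the vowel rule, the strength estimate) is added here.
SENTENCES = ["Long and complex passwords are safest.", "I keep mine secret."]
FIRST_HALF = set("abcdefghijklm")   # Microsoft's rule: a to m become upper case
VOWELS = set("aeiou")               # the alternative rule suggested in the post


def initials(sentence):
    """First letter of each word, lower-cased; tokens not starting with a letter are skipped."""
    return "".join(w[0].lower() for w in sentence.split() if w[0].isalpha())


def apply_case(letters, case_rule):
    """Upper-case the letters chosen by the rule: 'first_half' or 'vowels'."""
    chosen = {"first_half": FIRST_HALF, "vowels": VOWELS}[case_rule]
    return "".join(c.upper() if c in chosen else c for c in letters)


def sentences_to_password(sentences, numbers="56", prefix="?", suffix='"',
                          case_rule="first_half"):
    """Steps 1 to 6 of the recipe: initials per sentence, the case rule, two digits
    between the sentences, punctuation at the front and a symbol at the end.
    With a single sentence the digits go at its midpoint instead."""
    parts = [apply_case(initials(s), case_rule) for s in sentences]
    if len(parts) == 1:
        mid = len(parts[0]) // 2
        parts = [parts[0][:mid], parts[0][mid:]]
    return prefix + numbers.join(parts) + suffix


def naive_bits(password):
    """What a typical 'password checker' reports: length * log2(pool), the pool being
    the union of character classes present. It assumes each character was drawn
    uniformly at random, which the initials of an English sentence are not, so read
    it as an upper bound rather than the real guessing cost."""
    if not password:
        return 0.0
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33   # printable ASCII punctuation
    return len(password) * math.log2(pool)


if __name__ == "__main__":
    for rule in ("first_half", "vowels"):
        pw = sentences_to_password(SENTENCES, case_rule=rule)
        print(f"{rule:10s} {pw}  ({len(pw)} chars, ~{naive_bits(pw):.0f} bits naive)")
```

The two rules give the same length and the same naive estimate, which is the point of the caveat in naive_bits: a checker that only looks at character classes cannot tell a sentence-derived password from a random one, so use its score to compare candidates, not as a promise of how long a guess would take.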

Should you delete your Facebook account?

This May 31st is Quit Facebook Day, but I won’t be deleting my account. No, I got rid of it a few weeks ago. As much as I’d like to claim that this was entirely some kind of ethical stance, the simple truth was that I didn’t actually make much use of the service. If I had the same negative feelings about Twitter, quitting would be a much tougher decision.

Should you leave Facebook? Maybe. It’s certainly a question that a lot of people are asking. Then, if they decide to, they ask ‘so how the hell do I delete the thing?’ Enough that this has become a Google suggested result:

There’s actually a website dedicated to helping you find the elusive ‘delete’ hidden in the unnecessarily complicated settings. You can find out how well you have protected your privacy at Profile Watch. There’s also a handy bookmarklet at Reclaim Privacy that will similarly assess your profile. For a laugh, you can also read through some posts of other Facebook users, who probably think they are talking to their friends, not the entire internet: Openbook.

Are there real reasons to be worried? Well, after Facebook held a developer conference, lots of worried Google engineers left. And Google has hardly earned any privacy gold stars. And then there’s Mark Zuckerberg, the man behind the company, with a few thoughts on privacy (taken from an IM conversation when he was creating the service, then called The Facebook):

Zuck: Yeah so if you ever need info about anyone at Harvard
Zuck: Just ask. 
Zuck: I have over 4,000 emails, pictures, addresses, SNS
[Redacted Friend’s Name]: What? How’d you manage that one?
Zuck: People just submitted it. 
Zuck: I don’t know why. 
Zuck: They “trust me” 
Zuck: Dumb fucks.

Business Insider also has a fascinating exposé on Zuckerberg. Decide for yourself if it holds much water, and if you think his character is likely to have improved in the last six years.

It’s also interesting to witness how Facebook has eroded the default privacy settings over the years, from friends and family to almost completely exposing everything.

While most users may not understand/care about these issues, there are plenty who do. Enough that when a new project to create an open-source distributed social network asked for $10,000 to get started, they were overwhelmed with donations. As I write this, they have over $170,000 pledged.

So I guess Facebook just gives me the creeps.


“haha. This you????”

I’ve only had two of these phishing DMs that are currently all the rage on Twitter. Curiosity got the better of me, so I followed the link. I’m tempted to create a dummy account and give it the credentials to see what it does.

I’ve attached screenshots, comparing the fake login page with the real one, and the destination you get to when you give the fake page your credentials. (I used fake info, naturally!) It’s just an empty Blogger blog. Most of the other links on the fake page don’t work.

Honestly, I can see how people are taken in. I instantly noticed the padding errors where they hadn’t duplicated the page properly, but Twitter hasn’t always had the best design, so I could easily believe it was the real login page on a bad day. Of course, the URL is totally wrong, but that could be missed by people with no reason to doubt the link.

Verified by Visa: How not to design authentication

A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers.

The system is called 3-D Secure (3DS) but known better under the names Verified by Visa and MasterCard SecureCode. Implemented and paid for by e-commerce vendors, the systems require a person to enter a password or portions of a password to complete an on-line purchase.

As a reward for investing in the systems, merchants are less liable for fraudulent transactions and are stuck with fewer chargebacks. But banks such as the Royal Bank of Scotland are now holding consumers to a higher level of liability if fraudulent transactions occur using either system, said Steven J. Murdoch, a security researcher at the University of Cambridge.

via pcworld.idg.com.au

I’ve been aware of the security issues with Verified by Visa for a while now, but it’s becoming increasingly difficult to avoid using the scheme. Right now I’m having to decide if it’s worth compromising my security for a cool pair of trainers. Previously, I’ve been able to use PayPal, or some other alternative, but Adidas offer VbV or nothing.

If you shop online often, read up on this a little. Here’s a link to the actual paper, which is quite short and readable.

Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication [PDF 164KB]

Help me improve the @datahole feed!

Firstly, I need to find some good sources. I’m starting with the Open Rights Group (data protection tag) and The Register (Security / ID tag). I’d look at the EFF, but they seem to be down at the moment. I’m also using a Twitter Search feed for #datahole. I’m open to any and all suggestions for good news sources. I’m hoping the Twitter and Identica community will contribute other valuable links and commentary too.

Some of these feeds should probably be filtered using keywords like lost, personal and data. Suggest any more?

Secondly, I need a plumber. Well, not exactly! I’ve used Yahoo! Pipes for some pretty basic stuff before, but for some reason, I can’t seem to get the Reg stories to mix in with the other feeds. I think it’s because their pubDate is formatted differently, but I don’t know how to fix that. I’ve published the pipe. Please, have a look and feel free to rewire the feed.

It’d be nice to make some other tweaks too. I’d like to cite the source at the start of the tweet (eg: [EL REG]), and strip out all the other gubbins, so each post becomes: [SOURCE] Headline – Link.

Click for the Datahole 0.5 pipe
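An added example, not the Yahoo! Pipes pipe itself, covering the three things this post asks for: normalising pubDate values that arrive in different formats so the feeds sort together, filtering chosen sources by keyword, and rendering each item as [SOURCE] Headline – Link. The two feeds, their items, links and dates are constructed for the example (they are not real Register or ORG output), which source gets filtered is an arbitrary choice, and the 140-character tweet limit is assumed.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
import xml.etree.ElementTree as ET

# Constructed sample feeds standing in for the real ones; items, links and
# dates are made up. FEED_REG uses an ISO 8601 pubDate, FEED_ORG the RFC 822
# form that RSS 2.0 specifies, so the two would not sort together as-is.
FEED_REG = """<rss version="2.0"><channel><title>The Register - Security</title>
<item><title>Bank admits laptop with customer records lost</title>
<link>https://example.com/reg/1</link><pubDate>2010-01-05T09:12:00Z</pubDate></item>
<item><title>New Wi-Fi spec ratified</title>
<link>https://example.com/reg/2</link><pubDate>2010-01-04T18:00:00Z</pubDate></item>
</channel></rss>"""

FEED_ORG = """<rss version="2.0"><channel><title>Open Rights Group</title>
<item><title>Government database of children's personal data to be scrapped</title>
<link>https://example.com/org/1</link><pubDate>Mon, 04 Jan 2010 12:30:00 +0000</pubDate></item>
<item><title>Digital Economy Bill debate tonight</title>
<link>https://example.com/org/2</link><pubDate>Sun, 03 Jan 2010 20:00:00 +0100</pubDate></item>
</channel></rss>"""

# (tag for the tweet, feed XML, whether to apply the keyword filter)
SOURCES = [("EL REG", FEED_REG, True), ("ORG", FEED_ORG, False)]
KEYWORDS = ("leak", "phishing", "password", "lost", "personal", "data")
TWEET_LIMIT = 140  # assumed: Twitter's limit at the time of the post


def parse_date(text):
    """Accept an ISO 8601 or an RFC 822 pubDate and return an aware UTC datetime."""
    text = text.strip()
    try:
        dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    except ValueError:
        dt = parsedate_to_datetime(text)
    if dt.tzinfo is None:          # treat naive timestamps as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def keyword_pattern(keywords):
    """Match any keyword as a word stem, so 'leak' also hits 'leaked' and 'leaks'.
    That also makes 'data' match 'database'; tune the list with that in mind."""
    return re.compile(r"\b(?:" + "|".join(map(re.escape, keywords)) + r")\w*",
                      re.IGNORECASE)


def parse_items(tag, xml_text, filtered, pattern):
    """Yield (date, tag, title, link) per item, dropping unmatched ones when filtered."""
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        title = item.findtext("title", "").strip()
        link = item.findtext("link", "").strip()
        if filtered and not pattern.search(title):
            continue
        yield parse_date(item.findtext("pubDate", "")), tag, title, link


def format_tweet(tag, title, link, limit=TWEET_LIMIT):
    """[SOURCE] Headline – Link, trimming the headline if the whole thing is too long."""
    prefix, suffix = f"[{tag}] ", f" – {link}"
    room = limit - len(prefix) - len(suffix)
    if len(title) > room:
        title = title[: max(room - 1, 0)] + "…"
    return prefix + title + suffix


def build_tweets(sources=SOURCES, keywords=KEYWORDS):
    """Merge all sources, newest first, and render one tweet per surviving item."""
    pattern = keyword_pattern(keywords)
    items = []
    for tag, xml_text, filtered in sources:
        items.extend(parse_items(tag, xml_text, filtered, pattern))
    items.sort(key=lambda it: it[0], reverse=True)
    return [format_tweet(tag, title, link) for _, tag, title, link in items]


if __name__ == "__main__":
    for tweet in build_tweets():
        print(tweet)
```

The date normalisation is the part that matters for the mixing problem: everything is converted to an aware UTC datetime before sorting, so a feed that uses ISO timestamps and one that uses RFC 822 strings interleave correctly. Feeds with a third format would need one more branch in parse_date.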

Tweeting every time your data is compromised

Tonight, my project is to add some polish to my Twitter project: Data Hole. It’s an automated Twitter account that uses Twitterfeed to post links to news stories about companies and governments that lose personal data records, or otherwise compromise your privacy. The goal is to raise awareness about the issue. At the moment it’s just taking in a Google News feed, but I plan to use Yahoo! Pipes to refine it a bit, and add some other features. I’m going to look into using TweetLater too.

I may also write a follow up to my blog post, ‘Build a Robot Slave in Twitter‘. But probably not.