If Vigilance Is Required At Home…

… then how much more important is it at work?
It is well said that the price of freedom is eternal vigilance. Similarly the price of personal freedom must be paid on a recurring basis. For me, activity during the week focuses upon work. And updating of security at home is almost always deferred until the weekend change window – when my wife (i.e., the CAB chairperson) can accept a more protracted outage.
So the change was scheduled for last night. And what were the contents of the change? Security updates were the sole focus.
Last month, the Talos team (at Cisco) issued a warning about an old threat (i.e., VPNFilter) that had returned from the dead – in a much more virulent form. Talos (and the FBI) recommended immediate reboots of home routers. I did this the same day of the warning. But after Talos (and the FBI) repeated their warnings about VPNFilter, I determined that it was time to rebuild the router from scratch following a factory reset. So once my wife disconnected from her “work” network, I started the changes. And it went reasonably well.
 
Since I coupled the change with a complete renumbering of the IP address space at home, the time before service restoration was longer than it would otherwise have been. In fact, the total rebuild of the router – and the assignment of new IP addresses across the network – took about two hours. After that window, normal services were successfully restored. But it took another two hours to clean up a few items – including the rebuilding of my Home Assistant hub. So the total change window lasted approximately four hours. At the end of the change window, we had a completely rebuilt home network.
 
When I got up this morning, I realized that it was also time to further secure my browser. My posture was immeasurably better than most of my neighbors. I browse via a VPN. I use uBlock Origin and Pi-hole to block ads. I use Privacy Badger for another layer of browser protection. But “good enough” is not good enough for me. So I decided to deploy uMatrix as an additional means of both understanding all network interactions and controlling those interactions.
 
For those not familiar with uMatrix (which is pronounced “micro matrix”), think of it as the next step beyond the NoScript tool. With uMatrix, you see a matrix of external sites and access types used when you load pages from any site (or domain). And you can allow access on either a temporary or a permanent basis. Once you get past the first shock of seeing all of the cross-site and cross-domain activity, you realize that uMatrix does provide you with incredibly granular control over how pages are rendered in your browser.
 
The first thing that I realized when I started to dig deeper was that securing my browsing experience almost always results in a “broken” user experience. This was not a new revelation. When I first used NoScript, I had to whitelist a whole lot of sites – or live with reduced functionality. So the process of evaluating sites and functions was both expected and welcomed.
 
The first sites that I decided to validate were those associated with security-related podcasts. And as expected, every podcast was accompanied by necessary changes to enable streaming. The most ironic thing that I saw was just how much cross-site activity was required to even listen to security podcasts. But knowing the precise elements that were needed by a page allowed me to open just those elements that were truly required. Basically, uMatrix provided me with fine-grained access control. And it also reminded me that “free” almost always means trading function/feature access against limited access to me (and my data) by advertising agencies/networks.
 
Once I dealt with the security podcasts, I wanted to see just how pernicious Facebook access was. Currently, I do not use any Facebook “apps”. Instead, I use a simple browser. I run their browser pages inside of a “container” that limits data leakage. Nevertheless, I still expected some additional cross-site activity. What I saw was positively astonishing. Over two-hundred elements requiring cross-domain access were requested. And that was after ad blocking was done by my Pi-hole and by uBlock Origin. Am I surprised? No, not really. But the scope of what remained – even after ad blocking – was positively astonishing.
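The matrix view described above (third-party hosts against request types) can be approximated offline from a HAR file exported from the browser's developer tools. This is an added example, not code from uMatrix or from the original post; the hostnames and entries are constructed, and the two-label domain rule and the MIME-to-column mapping are simplifying assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

COLUMNS = ("css", "image", "media", "script", "other")
PAGE = "https://podcast.example/episode/1"  # hypothetical page being audited

def _e(url, mime):  # build one minimal HAR 1.2 entry
    return {"request": {"url": url}, "response": {"content": {"mimeType": mime}}}

# Constructed sample data standing in for a real HAR export.
SAMPLE_HAR = {"log": {"entries": [
    _e("https://static.podcast.example/app.js", "application/javascript"),
    _e("https://cdn.player.example/player.js", "text/javascript; charset=utf-8"),
    _e("https://cdn.player.example/skin.css", "text/css"),
    _e("https://media.host.example/ep1.mp3", "audio/mpeg"),
    _e("https://tracker.example/pixel.gif", "image/gif"),
    _e("https://tracker.example/collect", "application/json"),
]}}

def site(host):
    # Assumption: the last two labels form the registrable domain. Real tools
    # use the Public Suffix List, which handles names such as example.co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def column(mime):
    """Map a response MIME type to a matrix column (simplified mapping)."""
    mime = mime.split(";")[0].strip().lower()
    if mime == "text/css":
        return "css"
    if "javascript" in mime or "ecmascript" in mime:
        return "script"
    if mime.startswith("image/"):
        return "image"
    if mime.startswith(("audio/", "video/")):
        return "media"
    return "other"

def build_matrix(har, page_url):
    """Return {third-party host: Counter(column -> request count)}."""
    first_party = site(urlsplit(page_url).hostname)
    matrix = {}
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if not host or site(host) == first_party:
            continue  # skip data: URLs and same-site requests
        mime = entry["response"]["content"].get("mimeType", "")
        matrix.setdefault(host, Counter())[column(mime)] += 1
    return matrix

if __name__ == "__main__":
    for host, counts in sorted(build_matrix(SAMPLE_HAR, PAGE).items()):
        print(f"{host:<22}", *(f"{c}={counts.get(c, 0)}" for c in COLUMNS))
```

Running it against a HAR saved before and after changing the blocking rules shows which third-party hosts a page still reaches.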
 
So what are the key takeaways from yesterday and today?
 
  1. Change control is always needed – even at home. Of course, the discipline that you follow at home will depend upon the willingness of family members. But this is no different than how things function at the office. Build your processes to meet your stakeholders’ and customers’ needs. Please remember that there are differences between the needs of both groups. At home, you and your spouse are the stakeholders while your kids (and guests) are the customers. As the stakeholders, you need to make the choices about how much security is too much security. And I guarantee that whatever you decide, your kids will probably disagree with you. 😉
  2. There is no such thing as secure enough. You can always do more in order to be even more secure. And if you do nothing, you will just lose ground over time. To stay secure, you need to always do more.
  3. Always remember that “free” just means that the price may not be immediately discernible or quantifiable. Use tools that help you discern the heretofore indiscernible. I do recommend uMatrix. But other tools can be used.

The work of ensuring security is never complete. Your home is not safe just because you have a door lock. You need to lock it. And then you need to realize that your windows are a threat vector. In the same way, information security is not just about having an ISP-provided router and a password on your primary system. But whether you are totally insecure or currently “state-of-the-art” in your practices, there is always more that you can do. So take the next steps to further secure your home. Then remember, your workplace is no different than your home. It requires constant tending – by both the security professionals and by every employee.

Trading Privacy for a Little Convenience

Benjamin Franklin once wrote, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” The quote (and its source) is often disputed (see https://www.npr.org/2015/03/02/390245038/ben-franklins-famous-liberty-safety-quote-lost-its-context-in-21st-century). But it is clear that modern privacy advocates see this quote as a proof text for the shortsightedness of exchanging your privacy for your security. Indeed, I too have used this quote as a rallying cry. But in candor, my use of this quote is more of an “appeal to authority” rhetorical argument rather than a reasoned defense of unfettered freedom.
 
But how should we respond to HART (the Homeland Advanced Recognition Technology project)? DHS is building a massive repository of identity information. This is, ostensibly, for ensuring our security. From the Electronic Freedom Foundation (at https://www.eff.org/deeplinks/2018/06/hart-homeland-securitys-massive-new-database-will-include-face-recognition-dna-and),
 

DHS’s plans for future data collection and use should make us all very worried. For example, despite pushback from EFF, Georgetown, ACLU, and others, DHS believes it’s legally authorized to collect and retain face data from millions of U.S. citizens traveling internationally. However, as Georgetown’s Center on Privacy and Technology notes, Congress has never authorized face scans of American citizens.
 
Despite this, DHS plans to roll out its face recognition program to every international flight in the country within the next four years. DHS has stated “the only way for an individual to ensure he or she is not subject to collection of biometric information when traveling internationally is to refrain from traveling.”

On its face, this is repulsive. And for most Americans, this kind of assault on our freedom and our right to privacy is unthinkable. But the federal government apparently hoped that this effort would gain little public attention.

But while we chafe over such obvious governmental incursions, why do we embrace the same incursions when they come from a private company? Most Apple users applauded the availability of facial recognition as part of the new Face ID feature. And I daresay that Android users would welcome the very same technology, if they knew that it already existed on their phones.

So what’s the problem with a company doing this?

There is little problem if you trust the company and if you read your grant of license. I daresay that we do trust companies and we don’t read license agreements. Of course, it should be the other way around. If we read the grant of license, then we would realize that most companies will use whatever they can leverage to increase profits for their owners/shareholders. And if we give away our rights (as well as personally identifiable information), then we are worse than those who gave away freedom for security. We’re doing it to save a few seconds of login time.

Which One Will I Choose?


Over the past several weeks, I’ve spent time and money on assessing a variety of streaming audio solutions. My assessment has considered many factors. But chief among those factors was the mobile experience. When I was at home, I used iTunes. It’s not that iTunes is necessarily the best. Indeed, I’ve used dozens of tools at home.  As a general rule, I have always favored things that also provide for metadata management (e.g., MediaMonkey). But iTunes has always been the “gold standard” for both “look and feel” as well as for application compatibility. Everyone is “compatible” with iTunes because it IS the de facto market leader.
But that market may be shifting – at least for me.  Over the past few weeks, I’ve assessed two different audio streaming tools: Amazon Cloud Player and Google Music.  Both have their pros and cons.  Google has much more storage available that is (currently) free of charge.  Amazon has a pre-existing (and built-in) retail channel that allows for easy (and impulsive) music purchasing.  Both have good web clients.  And both have good Android clients.
But both suffer from one key problem: I can’t capture and record my listening data on Last.fm.  Yes, I can scrobble data from the web client (if I use third-party scripts to do the job).  But neither product has any native capability to scrobble from an Android device.  There are music players that do scrobble from Android.  If you use the Android Music player, you can use tools like ScrobbleDroid.  And if you are a fan of Winamp, you can scrobble through the Last.fm Android app.  But neither of these players can stream audio from my library.  So I was stuck in a quandary.  Should I store music on my phone and utilize a player that scrobbles?  Or should I use a cloud-based music player and forego the ability to scrobble my music?
The only solution was to either code up my own solution – or use something that already does both.  Since I still have another wedding in five weeks, I chose the latter approach.  Based upon some searches in Google and Twitter, I decided that I would try out the Audiogalaxy product.  Based upon its marketing, the product provides streaming audio (from your home and through their servers) and the product scrobbles via the Last.fm Android app.  So I began yet another quest in search of a mythical chalice.
Audiogalaxy is relatively simple to install.  The site provides the step-by-step instructions that will get you going.  But the basic process is as follows:

  1. Create a free account on the Audiogalaxy site.
  2. Download and install the Audiogalaxy “helper” application.
  3. Point the “helper” application at your music files.
  4. Wait for the helper application to collect metadata and send it to the Audiogalaxy service.
  5. Install the Android app on your phone.
  6. Start listening to your music.

The process is relatively straightforward.  And I had no technical issues with the setup.  I can now listen to my music library from my phone.  And as I listen, my listening habits are recorded at Last.fm.

Unfortunately, Audiogalaxy has the same privacy issues that are present in Amazon’s service and also present in Google’s service: all of your music is streamed through a third-party service.  So the architecture of all of these products is an architecture of control, not anonymity.
As I’ve said before, this doesn’t pose a problem for me at this time.  After all, my music is positively pedestrian.  But what would happen if my musical tastes were more scandalous?  Or what would happen if the government decided that rock music was not to be tolerated at all? Then where would I be?  I would need to rethink my listening habits.  Of course, if something that draconian ever happened, then I would rethink my need to scrobble at all!  And for those kinds of over-the-top situations, I might need to assemble a BOB (bug out bag)! 😉
After this exercise, I now have a streaming solution that I can utilize.  And I think I know what to look for when it comes to government snooping into my private life.  And there is one more option that has to be noted: Apple has not put its offering on the table yet.  Maybe that offering will be announced this week.  If so, I suspect that my options will grow even broader.
Finally, I really ought to point you to a very fine comparison of all of these options.  David Ruddock (and the folks at AndroidPolice) put together a great comparison of music apps on the Android platform.  Check it out for a comprehensive view of all of the Android options.
-Roo
