Category: Privacy

More reasons to ditch GMail?

Posted on

gmail-logo

Google quietly dropped it’s informal “Don’t be evil” motto back in 2009, and since then seems to have become progressively more … well, evil.

The motto originated in a 2004 founders’ IPO (Initial Public Offering) letter from the company’s founders entitled “An Owner’s Manual” for Google’s Shareholders’:

Don’t be evil. We believe strongly that in the long term, we will be better served-as shareholders and in all other ways-by a company that does good things for the world even if we forgo some short term gains. This is an important aspect of our culture and is broadly shared within the company.

So how are they being evil?

In a US court case last August, Google admitted that users couldn’t expect privacy when sending messages via GMail. Then last November, they tweaked their terms and conditions thus: (my emphasis)

When you upload, or otherwise submit, store, send or receive content to or through our Services, you give Google (and those we work with)

The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services.

Those strictures were again tweaked a few weeks ago to add:

Our automated systems analyse your content (including emails) to provide you personally relevant product features, such as customised search results, tailored advertising, and spam and malware detection … This analysis occurs as the content is sent, received, and when it is stored.

I know a number of people who keep everything on GMail. People like US tech commentator Robert X. Cringely who recently wrote:

Under the Gmail Terms of Service, Google can legally go through the 100,000+ messages sitting in my IN and SENT boxes … I have accessible right now online more than 1200 columns and stories totalling more than 1,000,000 words.

That data is now effectively Google’s, even if Cringely changes providers, because “This license continues even if you stop using our Services.”

All of which leads me to suspect Google’s Executive Chairman Eric Schmidt must have had an irony by-pass when he complained about the US government’s alleged spying on the company’s data. He told the Wall Street Journal:

It’s really outrageous that the National Security Agency was looking between the Google data centres … The steps that the organization was willing to do without good judgement to pursue its mission and potentially violate people’s privacy, it’s not OK.

That was last November. The same month his company gave themselves “a worldwide license” to everything in your account.

 

 

Share this ...
Share on FacebookTweet about this on TwitterPin on PinterestShare on Google+Share on TumblrShare on LinkedInDigg thisShare on RedditShare on StumbleUponEmail this to someonePrint this page

Secure data deletion

Posted on

In my last blog I detailed why it wasn’t necessary to take a hammer to your hard drive to protect your data. So what can you do if you’re sending an old PC off for recycling and don’t want Joe Random looking over your supposedly deleted files?

.

Whole disk deletion

The simplest whole-disk solution is DBan — Darik’s Boot and Nuke — “a self-contained boot disk that automatically deletes the contents of any hard disk that it can detect.”

DBANDBan is an open source program that securely erases hard disks by overwriting them with with random garbage. It can be run from a CD, DVD or USB stick and can even be configured to automatically wipe every disk that it finds on a system or network. Download it here.

.

File-by-file deletion

Linux users have a built-in command-line tool called shred. It overwrites the specified file(s) with random junk — 25 times by default.

Here’s how to use it:

shred secrets.txt
Will shred the contents of secrets.txt but it leaves the file in place! While this is a good way of checking what shred does, you probably really want to …

shred -u secrets.txt
… remove the file after you’ve shredded it. For extra security you can …

shred -u -n 100 secrets.txt
… tell it to overwrite the file 100 times instead of the default 25, and even …

shred -u -n 100 -z secrets.txt
… overwrite the file with zeros on its last pass. This disguises the fact that there was ever any file there at all!

Note that shred does however come with a couple of caveats. The man shred command will give you the full details, but essentially it assumes that the file system overwrites data in place. That’s the usual way of doing things, but Linux has a wide variety of possible file systems and they don’t all work the same way! Still, shred works just fine with the default ext3 file system used on most distributions.

.

The full kit

The Secure-Delete toolkit provides a suite of tools to:

  • securely wipe files
  • wipe free disk space
  • wipe swap space and computer memory

All work in a similar fashion; writing and rewriting random data, then a set of special cryptographic values, followed by more random data. In addition, the file tool also randomly renames and truncates the file.

Secure-delete may not be installed by default, so use your package manager to add it. Debian / Ubuntu / Mint users can just do:
sudo apt-get install secure-delete

Here’s a quick run-down of the SD tools and how to use them:

.

srm (secure remove) :
wipes files or directories currently on your hard disk. The algorithm used is based on this paper by local boy Peter Gutmann.

To wipe a file:
srm filename.txt

To wipe a directory:
srm -r folder_name

.

sfill (secure free space wiper) :
wipes the free space areas on your disk. If you haven’t used secure deletion tools before, chances are there’s still a lot of recoverable data in regions where files have been unsecurely deleted. sfill will clean this up!

Clean up your home folder:
sfill /home/yourname

.

smem (secure memory wipe) :
deletes data stored in your computer’s memory. Why? Because data held in SDRAM doesn’t “fade away” and can be easily recovered!

To wipe memory:
smem

Note: a full smem run can take some time! Try
smem -l
or
smem -ll for a quicker (though less secure) run.

.

sswap (secure swap space wipe) :
does a secure wipe of your swap partition.

Find your swap partition:
cat /proc/swaps
Disable swap:
sudo swapoff /dev/swap_partition
Securely wipe it:
sudo sswap /dev/swap_partition
Re-enable swap:
sudo swapon /dev/swap_partition

 

Share this ...
Share on FacebookTweet about this on TwitterPin on PinterestShare on Google+Share on TumblrShare on LinkedInDigg thisShare on RedditShare on StumbleUponEmail this to someonePrint this page

Don’t hammer your hard drive!

Posted on

Last year, The Guardian took a set of power tools to the computers — and particularly the hard drives — that had stored data released by Edward Snowden. There’s even a video of what they did.

.

.

This, without a doubt, is the best way of preventing anyone from ever recovering data from your machine. Indeed, a few years ago the BBC reported that that British consumer magazine Which? Computing recommended taking a hammer to your old hard disk drive to prevent secondhand purchasers recovering data from it. They bought eight used computers and recovered 22,000 supposedly deleted files.

There’s a popular misconception that Delete actually deletes files. It doesn’t. It simply removes them from the disk’s index. (Ever wondered why it’s just as quick to delete a 2GB file as it is a 2-byte one…?) The same applies to the Format command. It doesn’t delete files either, it simply prepares the disk drive for new data by completely wiping the index. Recovering “deleted” and “formatted” files is just a matter of using the right software to rebuild the index.

But in most cases, you don’t need power tools, or even a hammer. Because in most cases, your data isn’t as sensitive as the Snowden files.

Instead, I suggest you use a good file shredder instead. These overwrite the target file(s) with garbage — again and again and again.

While it’s theoretically possible to recover at least some overwritten data, others reckon that these claims are “overwrought”. Besides, it’s highly unlikely that the person picking up your old drive will have access to a scanning transmission electron microscope and the other bits and pieces of kit necessary!

All that most people need is a really good file shredder. There are plenty of free ones around, especially for Linux users. We’ll take a look at them next time. So put that hammer away!

.
Share this ...
Share on FacebookTweet about this on TwitterPin on PinterestShare on Google+Share on TumblrShare on LinkedInDigg thisShare on RedditShare on StumbleUponEmail this to someonePrint this page

I’ve got your password!

Posted on

Compiled from files containing millions of stolen passwords, SplashData have released a list of the world’s worst passwords. Here they are …

SplashData’s “Worst Passwords of 2013”

Rank
Password
Change from 2012
1
123456
Up 1
2
password
Down 1
3
12345678
Unchanged
4
qwerty
Up 1
5
abc123
Down 1
6
123456789
New
7
111111
Up 2
8
1234567
Up 5
9
iloveyou
Up 2
10
adobe123
New
11
123123
Up 5
12
sunshine
Up 2
13
1234567890
New
14
letmein
Down 7
15
photoshop
New
16
1234
New
17
monkey
Down 11
18
shadow
Unchanged
19
sunshine
Down 5
20
12345
New
21
password1
Up 4
22
princess
New
23
azerty
New
24
trustno1
Down 12
25
000000
New

 

For the first time in years, “password” has dropped from its number 1 slot. And a couple of newcomers — “adobe123” and “photoshop” — no doubt reflect the heist of 2.9 million Adobe passwords last October.

Unfortunately, there’s one key element missing from the data: the actual frequency the passwords are used. “123456” might be top of the heap, but if only 0.01% of ten million users use it, it’s not terribly significant. However, if it featured in 5% of all captured passwords, then it’s a cause for concern.

And then there’s institutions that seem to actively discourage using decent passwords. Banks, for example. Many restrict internet passwords to 8 characters — so you can’t use vastly more secure pass-phrases like “most_bankers_are_bastards” — and you must use only alphabetic characters and numbers. No underscores, ampersands, exclamation marks or the like are permitted. But the hell, it’s only money. If someone does crack your account, no doubt their security policy will say it’s your fault.

 

bank_pw

Still, if you’re using dumb passwords like “1234” and “000000”, you really are asking for trouble!

 

Share this ...
Share on FacebookTweet about this on TwitterPin on PinterestShare on Google+Share on TumblrShare on LinkedInDigg thisShare on RedditShare on StumbleUponEmail this to someonePrint this page

Spy-free searching

Posted on

spy

If you’re uncomfortable with Google snooping and storing all your searches, try StartPage.

It gives you Google search results without them tracking and recording every search term you enter.

In operation it’s very simple and functions just like a regular search engine, except that your query goes via StartPage in Europe. There, identifying information such as your IP address is stripped off and the search is sent on. In the blink of an eye the results are then returned to you, but as far as Google’s concerned the search query came from Europe. In short, “Your IP address is never recorded, your visit is not logged, and no tracking cookies are placed on your browser.”

Check out 10 Ways StartPage Helps You Take Back Your Privacy for more details.

Why should you be concerned about your searches? Just take a look the information Google captures and stores. It’s all spelled out in their Privacy Policy. Some snippets …

We may collect device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number). Google may associate your device identifiers or phone number with your Google Account…. we may automatically collect and store certain information in server logs. This may include:

  • details of how you used our service, such as your search queries.
  • telephony log information like your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls.
  • Internet protocol address.
  • device event information such as crashes, system activity, hardware settings, browser type, browser language, the date and time of your request and referral URL.
  • cookies that may uniquely identify your browser or your Google Account.

What all that adds up to over time is a detailed and intimate portrait of who you are, what you’re interested in and what you’re concerned about.

And it you still doubt you can be identified by search terms alone, think again. Back in 2006 AOL released 20 million anonymised search queries. Within hours the New York Times had identified one user:

No. 4417749 conducted hundreds of searches over a three-month period on topics ranging from “numb fingers” to “60 single men” to “dog that urinates on everything.”

And search by search, click by click, the identity of AOL user No. 4417749 became easier to discern. There are queries for “landscapers in Lilburn, Ga,” several people with the last name Arnold and “homes sold in shadow lake subdivision gwinnett county georgia.”

It did not take much investigating to follow that data trail to Thelma Arnold, a 62-year-old widow who lives in Lilburn, Ga., frequently researches her friends’ medical ailments and loves her three dogs. “Those are my searches,” she said, after a reporter read part of the list to her.

 

So, still think you’re anonymous …?

 

 

Share this ...
Share on FacebookTweet about this on TwitterPin on PinterestShare on Google+Share on TumblrShare on LinkedInDigg thisShare on RedditShare on StumbleUponEmail this to someonePrint this page