Enabling Secure Business Operations

HTTPS Everywhere

A beta of HTTPS Everywhere was released today. It’s a collaborative project between the Tor Project and the EFF.

Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site.

The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.

It’s good to see a project like this, especially after giants like Google finally step up and start offering more secure search features in their search engine. It’s only in beta so far, but it does look very promising.

One caveat, though: having a plug-in like this doesn’t mean every site you visit is going to be secure. You still need to check your browser’s security notifications/icons to confirm you’re actually on a protected site.
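To make the rewriting concrete, here is a small Python model of what a rule-based HTTP-to-HTTPS rewriter does, together with the “did it actually get upgraded?” check the paragraph above recommends. This is an added example, not code from the HTTPS Everywhere project; the ruleset, hostnames and the exclusion entry are constructed placeholders that mimic the shape of the extension’s rules (a “from” pattern, a “to” replacement, and optional exclusions for paths that must stay on plain HTTP).

```python
import re
from urllib.parse import urlsplit

# Constructed ruleset modelled on the HTTPS Everywhere rule format.
# Hostnames are placeholders under the reserved .test TLD, not real rules.
RULESET = [
    {
        "name": "Example Shop",
        "targets": ["example-shop.test", "www.example-shop.test"],
        "from": r"^http://(www\.)?example-shop\.test/",
        "to": "https://www.example-shop.test/",
        # A path the (hypothetical) site only serves over HTTP; an exclusion
        # keeps the rewriter from breaking it.
        "exclusions": [r"^http://www\.example-shop\.test/legacy-feed/"],
    },
    {
        "name": "Example Mail",
        "targets": ["mail.example.test"],
        "from": r"^http://mail\.example\.test/",
        "to": "https://mail.example.test/",
        "exclusions": [],
    },
]


def rewrite(url):
    """Return the HTTPS version of url if a rule applies, otherwise url unchanged."""
    host = urlsplit(url).hostname or ""
    for rule in RULESET:
        if host not in rule["targets"]:
            continue
        # Exclusions win over the rewrite, exactly the case a user would not
        # notice without looking at the browser's lock icon.
        if any(re.match(pattern, url) for pattern in rule["exclusions"]):
            return url
        new_url, replaced = re.subn(rule["from"], rule["to"], url, count=1)
        if replaced:
            return new_url
    return url


def is_protected(url):
    """The check the post recommends: did the request really end up on HTTPS?"""
    return urlsplit(url).scheme == "https"


if __name__ == "__main__":
    for u in ["http://example-shop.test/cart?id=7",
              "http://www.example-shop.test/legacy-feed/rss",
              "http://mail.example.test/inbox",
              "http://other.test/"]:
        out = rewrite(u)
        print(f"{u} -> {out}  protected={is_protected(out)}")
```

Running the script shows the point of the caveat: the first and third URLs are upgraded, but the excluded feed path and the unknown host stay on HTTP, so the plug-in alone is no guarantee and the scheme still has to be checked.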

Maximize Facebook Privacy

In celebration of Facebook’s recent privacy control revamp, I present a very informative tutorial video from the Electronic Frontier Foundation that gives a brief rundown of the changes, the highs, and the lows. This might also be something beneficial to share with friends or relatives on Facebook who may not be in-the-know about the increased focus on privacy control in social networking and social media.

Enjoy:

Lessons from Google Wi-Fi Gaffe

Lately, Google has been apologizing for mistakenly collecting data from unprotected Wi-Fi networks with the fleet of vans the company has sent out for its StreetView service.  Some have pointed out that, by leaving their wireless networks unprotected, companies had no reason to expect their data would not be collected somehow.

And so we have another example of what can happen when data and communications are left unprotected.  You’re even susceptible to accidental disclosure of information.  What other accidents might occur?  One thing that comes to mind is accidental loss of bandwidth.  Someone who doesn’t know any better might turn on their laptop and find that they have Internet access.  What they didn’t realize is that they automatically connected to your network, and while they are streaming high-quality video, your employees are struggling to get their work done.

Accidents will happen.  If you must have a wireless network, and you still have not secured it, do something about it (hint: WPA2).

Genealogy Research – aka stalking

Have you ever looked into researching your family tree? Have you noticed what kind of information you can find out about people, especially older people who have been around since the 1930 census (and pretty soon, the 1940 census)? Upon death, social security numbers are published in the Social Security Death Index, and some of that information is still useful. For example, my father passed away in 2000, my mom still receives social security benefits based on his SSN – which is now public information. All of the joint accounts they had together are mostly still with his social. It would make it easy to steal the identity of a dead person. The SSDI is supposed to prevent that, but it doesn’t always work.

Additionally, genealogy searches turn up information about living people as well – things such as the US Public Records Index – which includes current address information and birthdate – all useful information if you’re searching for someone. By default, most web sites “hide” living relations in your family tree, but you have an option to make it public (and there are incentives to do so to find more about your family).

If you’re interested in genealogy, try using some of your skills to find information about someone not in your family tree (the older they are, the more likely you’ll find information), or if you know how to find information about people, there are genealogists waiting to talk to you to help them find long lost relatives.

Personal e-mail at work “OK”?

This has been a debate among policy writers since personal e-mail started to become popular: Can your company monitor/sniff/access your personal e-mail?

Up until this week, it was commonly accepted that you didn’t use company resources to access/read/write your personal e-mail if you didn’t want it to be monitored. However, that seems to have changed – in one specific case. In New Jersey, a woman used her company laptop to exchange information with her lawyer through a web-based e-mail service about an issue at work that later went to court. The company used her e-mail communications (presumably) cached on the laptop as evidence against her in court.

While this is (so far) the first case I’ve heard of like this, it doesn’t mean that all employees have personal e-mail privacy all the time. The first thing is that this was in the NJ state supreme court, whose ruling only applies in that state – however, the case is likely to influence other courts. The second is that the e-mail was considered attorney-client communication – which is “sacred” in most cases. A defendant could tell his lawyer that he did murder someone and the lawyer cannot disclose it except under very specific circumstances. Finally, the e-mail was “reasonably” protected – she used a web-based service and did not store the password on the laptop.

While it seems to be a blow to companies’ abilities to monitor employee communications, it only applies in specific cases. Either way, as an employee, it’s a better idea to keep your personal e-mail/life separate from your work life.

New Security Horizons with Geolocation

Last weekend, people from all corners of the technology world converged on Austin, Texas for the 2010 South By Southwest Interactive (SXSWi) conference. Much of the coverage has echoed the focus of an old real estate mantra: Location, location, location. In a rivalry dubbed the “geolocation wars,” mobile start-ups Foursquare and Gowalla competed for attention as attendees used GPS-enabled phones to record electronic check-ins at various conference events. And while these two players often come up in reports on location-aware social networking, Twitter has begun letting users record where they tweet (giving new meaning to the word “follow”), and sources indicate Facebook will be rolling out a similar feature soon.

Across the Web, sites are adding features that will quite literally put them on the map. And while letting the online world know where you are offline can certainly offer benefits, the sudden overlap raises fresh privacy concerns. One tongue-in-cheek response, aptly named “Please Rob Me,” drew attention to Foursquare users who publicly broadcast when they were not at home. From a security perspective, problems have been observed on several platforms. An early flaw in Google Buzz risked exposing private location data. One researcher has noted that Gowalla’s API can apparently override privacy settings, then demonstrated location spoofing. Foursquare does not verify location, making fake check-ins trivial. But Foursquare also uses HTTP Basic authentication, meaning an attacker could steal logins sent over open Wi-Fi connections.

Of course, trailblazing applications are not the only ways people can share their location. Facebook users often leave a trail of event RSVPs that show past places visited. But even on the real-time Web, data can leak accidentally. A study of posts on Twitpic, a Twitter-based photo-sharing service, found that some pictures’ EXIF data included GPS information. In one case, an iPhone snapshot even included compass and accelerometer metrics.
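The EXIF leak above is easy to check for before a photo is shared. The following is an added Python example, not code from Twitpic or any of the services mentioned: it parses the TIFF-structured Exif block that cameras embed in JPEGs, walks from the main IFD to the GPS sub-IFD (tag 0x8825), and converts the degrees/minutes/seconds rationals into decimal coordinates. Since no real photo ships with the post, the block also builds a constructed Exif blob with sample coordinates (roughly downtown Austin, chosen for the SXSW setting; not taken from any actual image) so it runs offline; a real tool would feed it the payload of a JPEG’s APP1 “Exif” segment instead.

```python
import struct

GPS_IFD_POINTER = 0x8825          # Exif tag that points at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _entry(tag, typ, count, value4):
    """One 12-byte IFD entry; value4 is the inline value or a u32 offset."""
    return struct.pack("<HHI", tag, typ, count) + value4


def build_sample_exif(with_gps=True):
    """Constructed little-endian TIFF/Exif blob, NOT a real photo's metadata."""
    ifd0_off = 8
    if not with_gps:
        # IFD0 with zero entries and no next IFD: a photo with no GPS data.
        return b"II" + struct.pack("<HI", 42, ifd0_off) + struct.pack("<HI", 0, 0)
    lat = [(30, 1), (16, 1), (1234, 100)]     # 30 deg 16' 12.34" N (constructed)
    lon = [(97, 1), (44, 1), (5678, 100)]     # 97 deg 44' 56.78" W (constructed)
    gps_off = ifd0_off + 2 + 12 + 4           # IFD0 holds a single entry
    lat_off = gps_off + 2 + 4 * 12 + 4        # GPS IFD holds four entries
    lon_off = lat_off + 3 * 8                 # three RATIONALs of 8 bytes each
    header = b"II" + struct.pack("<HI", 42, ifd0_off)
    ifd0 = (struct.pack("<H", 1)
            + _entry(GPS_IFD_POINTER, 4, 1, struct.pack("<I", gps_off))
            + struct.pack("<I", 0))
    gps = (struct.pack("<H", 4)
           + _entry(GPS_LAT_REF, 2, 2, b"N\x00\x00\x00")    # ASCII fits inline
           + _entry(GPS_LAT, 5, 3, struct.pack("<I", lat_off))
           + _entry(GPS_LON_REF, 2, 2, b"W\x00\x00\x00")
           + _entry(GPS_LON, 5, 3, struct.pack("<I", lon_off))
           + struct.pack("<I", 0))
    rationals = b"".join(struct.pack("<II", n, d) for n, d in lat + lon)
    return header + ifd0 + gps + rationals


def _read_ifd(data, off, end):
    """Map tag -> (type, count, raw 4-byte value field) for the IFD at off."""
    (n,) = struct.unpack_from(end + "H", data, off)
    entries = {}
    for i in range(n):
        tag, typ, count, raw = struct.unpack_from(end + "HHI4s", data, off + 2 + 12 * i)
        entries[tag] = (typ, count, raw)
    return entries


def _rationals(data, end, count, raw):
    """RATIONAL values never fit inline, so raw holds an offset to num/den pairs."""
    (off,) = struct.unpack_from(end + "I", raw)
    values = []
    for i in range(count):
        num, den = struct.unpack_from(end + "II", data, off + 8 * i)
        values.append(num / den if den else 0.0)
    return values


def extract_gps(data):
    """Return (lat, lon) in decimal degrees, or None if the Exif has no GPS IFD."""
    if data[:2] == b"II":
        end = "<"
    elif data[:2] == b"MM":
        end = ">"
    else:
        raise ValueError("not a TIFF/Exif header")
    magic, ifd0_off = struct.unpack_from(end + "HI", data, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    ifd0 = _read_ifd(data, ifd0_off, end)
    if GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack_from(end + "I", ifd0[GPS_IFD_POINTER][2])
    gps = _read_ifd(data, gps_off, end)
    if not {GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON} <= gps.keys():
        return None
    lat_ref = gps[GPS_LAT_REF][2][:1].decode("ascii")
    lon_ref = gps[GPS_LON_REF][2][:1].decode("ascii")
    d, m, s = _rationals(data, end, gps[GPS_LAT][1], gps[GPS_LAT][2])
    lat = d + m / 60 + s / 3600
    d, m, s = _rationals(data, end, gps[GPS_LON][1], gps[GPS_LON][2])
    lon = d + m / 60 + s / 3600
    if lat_ref == "S":
        lat = -lat
    if lon_ref == "W":
        lon = -lon
    return round(lat, 6), round(lon, 6)


if __name__ == "__main__":
    print("with GPS:   ", extract_gps(build_sample_exif()))
    print("without GPS:", extract_gps(build_sample_exif(with_gps=False)))
```

A non-None result is the signal to strip the metadata (or disable geotagging on the phone) before the picture goes to a public service; the same walk works on big-endian (“MM”) Exif, which is why the byte-order prefix is read rather than assumed.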

All of these ways to track users, particularly when combined with other content, can create real risks for companies seeking to shield sensitive transactions or avoid corporate espionage. Similarly, those using company-owned devices with GPS capabilities ought to be aware of how such functions are used. With the online world increasingly intersecting the real world through geolocation services, it’s time to figure out what place they have in a secure business environment.

Google Buzz, Privacy, and You

An uproar was recently started in reference to some privacy concerns about the new release from Google, Google Buzz. One of the first to sound the alarm was a blogger who was quite explicit about disliking some of its default options (and by explicit I mean “NSFW language” explicit, the post is here) which prompted some quick changes from Google.  In order to start using Buzz, you have to create/modify your Google public profile which will appear next to all of your activity in the Buzz feed.  By default, the public profile would display all those you follow. Chances are you’ve followed everyone in your contact list, so you just made your whole contact list public.  Now in the new behavior:

A box titled “How do you want to appear to others” will now include a check-box that says “Show the list of people I’m following and the list of people following me on my public profile.” To hide your followers, click the box, or click the “View and edit the people you follow” to customize your account.

The interesting thing here to me is that Buzz is essentially a service like Facebook or Twitter, designed to let other folks know what you are up to.  The fact that there is a privacy uproar around it is somewhat amusing, because it is designed to provide the opposite of privacy – to provide your followers information about what you are doing.  If you don’t want to share this information, don’t use Google Buzz!

I’ll enlist a famous quote from Scott McNealy, then CEO of Sun Microsystems: “You have zero privacy anyway. Get over it.”

It is amusing to me what people – especially young people – are willing to post online.  As a child, my parents once told me that once you say something you can’t take it back.  In today’s Internet-connected age, this holds true and is even more significant: once you say something online, hundreds if not thousands of people will see it instantly, and potentially billions of people will be able to track it down in archives, Google searches, the wayback machine, or in countless other ways.  Be careful what you share online.  Be careful what you say.  It might–probably will–come back to haunt you.

On Password Breaches and Trends

Recently, Imperva released a study (pdf) of the passwords extracted from the December 2009 RockYou security breach that resulted in the compromise of over 32 million user accounts. This study examined some statistics of the passwords retrieved, including the number and variation of characters used to construct them. The results were pretty bad. Here are the highlights:

- 30% of users had passwords made up of 6 characters or less. Most brute force attempts are moderately successful against short passwords.

- Over 50% of passwords were all lowercase, or all numbers. This is bad because the keyspace is reduced. Even a password that is longer than 6 characters is weakened if it has a small character set distribution.
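The two highlights can be reproduced on any dump with a few lines, and the second one (“the keyspace is reduced”) is easier to appreciate as a number. The Python below is an added example, not part of the Imperva study or the RockYou data: it runs the same two measurements over a small constructed list of passwords and computes, for each password, the log2 keyspace an attacker has to cover once the length and the character classes in use are known.

```python
import math
import string

# Constructed sample standing in for a leaked dump (not the RockYou data).
SAMPLE = ["123456", "password", "iloveyou", "Pr1ncess!", "abc123",
          "qwerty", "sunshine", "Tr0ub4dor&3", "letmein", "7777777"]

CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def classes_used(pw):
    """Which of the four character classes appear in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def keyspace_bits(pw):
    """log2 of the number of candidates of the same length drawn from the same
    classes: the search space an attacker faces once those two facts are known."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return len(pw) * math.log2(alphabet)


def summarize(passwords):
    """The study's two headline figures over an arbitrary list of passwords."""
    n = len(passwords)
    short = sum(1 for p in passwords if len(p) <= 6)
    single = sum(1 for p in passwords if classes_used(p) in ({"lower"}, {"digit"}))
    return {"short_pct": 100 * short / n, "single_class_pct": 100 * single / n}


if __name__ == "__main__":
    print(summarize(SAMPLE))
    for pw in SAMPLE:
        print(f"{pw:12s} len={len(pw):2d} classes={len(classes_used(pw))} "
              f"keyspace={keyspace_bits(pw):5.1f} bits")
```

On the constructed sample the output makes the second highlight concrete: the 8-character all-lowercase “sunshine” sits at about 37.6 bits, while the 7-character “letmein” is under 33, and the 9-character mixed-class “Pr1ncess!” is close to 59. Length helps, but a single character class throws away a large part of it.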

On the surface, these two statistics aren’t a good look at all, especially considering the ease with which an attacker could successfully guess simple passwords.

Also, in many cases, a password breach may not just make a user’s account vulnerable on the breached site, but can also lead to their account being compromised on other sites as well (plenty of people use the same password on multiple sites).

However, there is an alternative way to interpret this data. Although there is no way to verify this, it could be the case that users are starting to give value to the importance of some accounts AND the security of the website associated with it. And those accounts that are of low significance (like a site they just sign up on to play a game) get simple, easy-to-remember passwords, while accounts of greater personal significance (banks, primary email, etc.) get the more robust passwords. Similarly, it could be the case that users think sites like RockYou are sketchy anyway, and thus more likely to get hacked than other more-serious sites.

So, in a way, the user could be protecting themselves from a site breach. I know I wouldn’t care if I had a RockYou account and the site got breached since I wouldn’t really use that same password anywhere else important. It may be annoying, but it is much better than knowing that my super-secret 28-character password is sitting on some stranger’s computer simply because somebody left the door open.

So if you think of this report from the perspective of users managing risks reasonably instead of users being victimized, it almost makes sense that 29,000 people had “123456” as a password.

Google’s new DNS service

If you haven’t heard yet, Google has opened up their own public DNS servers. Many people I know would love to use them rather than their ISP’s DNS servers for various reasons – mostly due to lack of availability.

I’ve been using OpenDNS’s resolvers for the last year or so now, so the idea isn’t exactly new, and neither is the free option, since OpenDNS offers one. So what does Google bring to the table from a security perspective?

Google has a great document that they’ve created all about the security of their DNS service. Basically, they’re concerned about the availability (hence the overprovisioning), and the replay, birthday, and Kaminsky attacks. The only thing they might offer above and beyond your ISP is random ports and name server resolution. And in exchange, not only does Google get your searches, they get *every* web/e-mail/bittorrent/IRC server you go to. *put on privacy nut hat* Maybe I’m strange, but I’d prefer that Google – with their core competency as data and trends gathering – not have that much information about me.

Google has obviously considered the security implications of running public DNS servers, but is the “cost” worth it to you?

The Demise of Clear

Overnight, the Clear Registered Traveler Program ceased operation.  I do travel by air 5-10 times per year, and had considered the program to speed my visits through airports.  There were three main reasons why I didn’t, and I wonder if they are reasons why they have had to cease operation.

  1. There weren’t Clear lanes at every airport I travel to; the only way this system could be cost effective for me would be if it worked everywhere.
  2. As mentioned at the Consumerist, the Clear lanes just provide shorter lines; you still were subject to all the security checkpoint hassles.
  3. My home airport, Dulles International, opened the Black Diamond lanes: basically the same as Clear without the fee.

In addition to the $199/year charge, enrolling in Clear required presentation of two IDs, your social security number, and the capture of your fingerprints and retinal scan. Clear lost (and found) a laptop last year, and although their privacy policy (pdf) indicates that all personal information is always stored and transmitted encrypted, it doesn’t indicate what algorithm is used or how key management is performed. (Remember, ROT13 is an encryption algorithm…)  Biometrics are the only identification factor that you can’t have revoked and reissued, so giving mine up to both a private company and the Transportation Security Administration to save perhaps 15 minutes didn’t seem like a good idea.

The privacy policy also indicates that personal information is removed from their system automatically after 90 days if you are no longer a Clear member. It is not yet clear if the cessation of operation that occurred overnight will trigger this data removal event. It is also not clear if the TSA ever gives up your data which Clear shares.  All told, if I had been a Clear member, I would seriously examine tools for detecting and preventing identity theft for a while.
