By now probably everyone has heard about the Heartbleed problem, but just in case you haven’t, here’s a quick summary. One of the programs[1] that websites use to communicate securely with customers, called OpenSSL, turns out to have a vulnerability that would let bad guys snoop on traffic to and from those websites even though the data exchanged between them is supposed to be encrypted (as indicated by the icon of a closed padlock in the address bar, and https in the address itself).
The accidentally unlocked ‘door’ has been around for a while, and so there is a chance that your communications with Gmail, Facebook, tumblr and others have been snooped on. There is even a chance that your password has been swiped, and, of course, if you use the same password in various sites, any stolen password will work on all those sites.
What can you do? First of all, all your Wayne State data is safe: the WSU systems were not running OpenSSL, so they are all safe. The Wayne VPN is vulnerable, but the VPN itself was protected from external attacks in another way, so there is no risk there. But, of course, you have passwords on many other sites, and for some of those you should probably consider some password ‘maintenance’. Specifically, you should probably change those once a month for a while. I’ve already changed my Gmail and Dropbox passwords, and am working on several others.
The real takeaway from this event is that you should not reuse passwords from site to site. Of course, that’s easier said than done: most of us have dozens, if not hundreds, of passwords, so some kind of password management tool is becoming more and more necessary. I, myself, use Lastpass, which stores my passwords online (of course I use a unique, complex but memorable password for that). It not only stores all my passwords, it even suggests complex, non-memorable passwords, and since it will automatically fill them in for me I don’t need to remember them. If you don’t like having it fill things in automatically you can invoke it (there’s a plug-in for every popular web browser), display the password and copy it into the relevant website as you log in.
Note that I have no connection with Lastpass, and there are other worthy competitors such as Keepass and Roboform. You can read a review of them here.
Lastpass has an interactive form you can use to see whether your favorite websites have been protected. You can find that here.
If you are interested in the technical details of how Heartbleed works you can watch this video, which lasts about 8 minutes. It’s not horribly abstruse: if you kinda know how websites communicate with your computer you can follow it.
Mashable has a good summary of which websites you need to worry about.
One final thought. NEVER send your password to anyone for any reason through email. And, in fact, if an email tells you to change your password, don’t follow a link in the email to change it, even if you think the email is authentic. Instead, use a bookmark, or type in the web address yourself, so that you know you are changing the password in the right place, and not on a rogue server in Tuvalu.
[1] I know that calling it a ‘program’ oversimplifies things, but this characterization will suffice for our purposes.
In the past weeks, Pearls Before Swine and Dogs of C-Kennel commented on the NSA surveillance program. These comics run in the Free Press (and elsewhere, of course).
Pearls Before Swine
Dogs of C-Kennel
On Friday The Guardian, which has been hosting most of the significant revelations about NSA surveillance, ran a series of think pieces on the topic, including one written by Edward Snowden himself, as well as one by Tom Stoppard (!):
And finally, this morning, on CNN, Bruce Schneier, the inventor of the term ‘security theater’, proposes a new future for the NSA. He points out that some of the NSA’s activities actually make us all less safe. Schneier spoke on campus a number of years ago, and his writings on security, both electronic and physical, have had a major influence on my understanding of security theory.
C&IT has used the Zimbra email system (branded as Wayne Connect) for a number of years now, and is looking at other cloud-based alternative systems. Across the country a number of universities have adopted Google Apps for Education as their email system[1], and others have settled on Microsoft’s Office 365 Education suite[2].
These products enable universities to provide ad-free, University-branded email accounts hosted and maintained by Google or Microsoft. The interface would be similar to either Gmail (Google’s popular email service) or Outlook.com (Microsoft’s webmail answer to Gmail). I’d be interested in hearing from folks who use one or the other about your experience with them and any preferences you might have. Note that Outlook.com is not the same as Outlook on your desktop – Microsoft simply wants consistent branding. Both Gmail and Outlook.com can be synced with Outlook on your desktop if you are used to that kind of setup.
Adding to the mix, both of these solutions will include collaborative document editing, and if you have used either company’s tools (Google Docs or Office Web Apps), thoughts about those would be useful too.
Please use the comments section below, or feel free to email me directly if you would prefer not to share your thoughts with others.
[1] This includes the University of Minnesota, UCLA, Brandeis, Rutgers, Maryland and the little college down the road in Ann Arbor.
[2] Universities using Office 365 include Duke, Emory, Iowa and University of Washington.
Speaker: Robert Ellis Smith, privacy expert and publisher of Privacy Journal
Date: January 30, 2014
Time: 1-2 p.m. ET
Location: TRC located in the Purdy/Kresge Library
Join me as I host a free, hour-long, nationally broadcast webinar, “Location, Location, Location.” Two contradictory federal court decisions, in 1979 and in December 2013, focus on whether the National Security Agency’s massive data collection program is constitutional. The NSA argues that its actions are legal because it does not probe into the content of phone calls, only the digits dialed to and from a phone. A 1979 U.S. Supreme Court opinion held that collecting data on dialed phone numbers, but not acquiring the content of the calls, does not require a prior court order.
Today that decision does not make sense. The extent to which many people rely on their phones means dialing information establishes patterns of personal relationships and can reveal private interests, needs, and even our locations. This information can include employment or credit information, and can be far more sensitive than our commonly disclosed medical and financial records. It has the potential to be every bit as revealing and damaging as the content of our conversations.
Everyone who is exposed to this new technology must recognize this new reality. The principles of fair information practice do not fit this important change in sensitivity. And, of course, the new reality may change again in an instant. This is an example of how learning the historical development of privacy concerns helps us focus our efforts on what is most important today, not on concerns of the last century.
Light refreshments will be provided.
If there is sufficient interest a discussion will follow, or a further local forum will be arranged.
Some of my fan base may recall that I’ve posted on this topic.
On Jan. 14 the US Court of Appeals for Washington DC ruled that the FCC’s Net Neutrality Rules were impermissible, because the FCC did not have the authority to regulate the Internet. Essentially it ruled that Verizon isn’t a ‘telephone company’ (like the old Laugh-In skit where Lily Tomlin said: ‘you’re dealing with the Telephone Company’).
Instead, the judge ruled that Verizon is an ISP (an internet service provider) and therefore not a ‘common carrier’, so the FCC lacks jurisdiction.
Naturally many people have concluded that the end is nigh, and that poor people won’t be able to afford the Internet. Or that Comcast won’t let you get to Google. Or Apple. Or maybe Apple won’t let you get to Google. Of course, prior to the FCC trying to regulate in this way, nobody could find an instance where this actually happened. So I’m not horrified. YMMV.
News reports available here:
Like a number of gadget-happy people I bought a Nest last month. It’s a cool programmable thermostat (sorry…)
Although it is expensive, it has a number of intriguing features: it can sense when you’re in the house, and after a while it will turn down the thermostat when you’re not at home (in winter; in summer, if you have air conditioning, it turns it up).
It’s also extremely easy to program, with up to a dozen temperature changes a day, for every day of the week.
And finally, and most importantly, it’s web-enabled, and there’s an app for that (both iPhone and Android-flavored). So you can change the temperature while you’re away. And the Nest company just brought out a smoke detector that awakens you with an increasingly urgent voice-based tone (apparently kids can sleep through the beep that traditional smoke detectors make) and can be silenced by a wave of your hand near it.
But I didn’t write this post to advertise the Nest, as cool as it might be. I’m writing it because the company was just bought by what many people consider to be the personification of THE BORG, namely Google. Since this morning the blogosphere has lit up with dire warnings of how your comings and goings will be available to the gnomes at Google. Here are just a few of the dire warnings:
I myself am not terribly happy about this development. I use Google, and many of its facilities (Picasa, Google Docs, etc.) but I’m not greatly pleased that the two are now one. Currently Nest claims the data will be segregated. Only time will tell…
We’ve all heard the terrible story about Target’s sloppiness with our credit card data. And one writer for the New York Times says:
On the other hand, we now know that the password for the nuclear launch codes was never reset from ‘00000000’. Anything else was hard to remember.
Finally, a competitor to TheOnion[1] suggests that the NSA has other fish to fry now that it has access to all Americans’ emails:
Happy New Year from Proftech.
[1] For those who are unfamiliar with TheOnion, it is a satirical news website. Lightly Braised Turnip is similar.
This is not how to choose a password for something important:
Your students are not using laptops. Or tablets…
And, of course, this is yesterday’s news (literally) but it’s still going to be very interesting to watch:
and many other links…
A couple of weeks ago I wrote about setting up your smartphone so it could be made useless if it was stolen. Turns out there’s a controversy about it, at least according to CNN. While Apple provides a remote wipe facility easily (Find my iPhone), the Droid community has not followed suit, and some think it’s not an accident.
For your interest: