How to protect yourself against the CIA (or anybody with their files)

By now most people have heard about the WikiLeaks revelation that the CIA has for years been developing programs to break into iPhones, Droids and Samsung TVs. Assuming you don’t want them to do that, it turns out there are ways to keep them out of your house.

First, the background. WikiLeaks is the infamous source of supposedly secret data managed by a consortium and led by Julian Assange (who is currently living in Ecuador’s embassy in London to avoid extradition). On Tuesday, WikiLeaks released thousands of pages of data supposedly lost by the CIA (and hence floating around the less public areas of the internet). These include programs for hacking Skype, your Wi-Fi router, Apple and Android smartphones, the apps Signal, Whatsapp, Telegram and more — several million lines of code (computer programming). So far crucial bits of the code have been redacted by WikiLeaks to prevent it from being used by those who download the files.

But what if you think there’s no reason for the CIA to be snooping on your devices? Unfortunately, WikiLeaks released these files because they were floating around “in the wild” already, which means that not only the CIA but other folks have access to them. And, whatever you think of the CIA, we have no assurance that the outsiders who passed these files around have motives as “pure” as the CIA’s.

There’s been some discussion about whether these files are authentic, but the betting in the security community is that they are. Bruce Schneier, who I consider to be a reliable judge of such things, seems to believe they are real and has discussed the topic on his blog twice now.

What you can do

Can you do anything to protect yourself against these tools? Probably, yes. The New York Times had an article on Thursday detailing simple steps you can take to make your devices somewhat more secure. The primary thing is to keep your operating system up to date. This is not news, of course — we in the C&IT Security/Privacy team have been saying this for years.

Make sure your iPhone is using iOS 10 if it can (any iPhone with a model number of 5 or above and any iPad younger than 2013 can run this OS).

For Android devices (both phones and tablets), any version of the Android OS after version 4.0 should be safe, but older devices such as the Samsung Galaxy S3 won’t run it.

To protect your Wi-Fi router, you are advised to upgrade to the latest firmware. This is rather trickier to do unless you are comfortable logging in to your router, but you can probably get your internet service provider’s help desk to talk you through the task.

Unfortunately it doesn’t seem so easy to lock your Samsung SmartTV down. Of course, you can always unplug it when you’re not watching it1, although then you have to wait for it to boot up before you can head over to Amazon to watch Mozart in the Jungle or whatever your favorite online streamed program happens to be.


1 Just turning the TV off with your remote does not turn it off. It’s still in listening mode, and a malicious hacker can also turn on the camera — yes, SmartTVs have cameras. So watch the hanky-panky in front of your TV — someone may be watching.

Privacy in the Twenty-First Century

Privacy policy wordcloud

For the next couple of months we will be focusing on the rapidly growing area of privacy concerns that are raised by the technologies that are ubiquitous in our current age.

In our houses, new devices such as refrigerators and home thermostats are connected to the internet — but who is also looking at our milk or when we have set our thermostats to ‘away’?

Or, in another arena entirely, large organizations like universities collect huge amounts of data on their customers (read: students) and then use that data to mine for information about what is likely to happen to them (for example, which students are likely to not do well in a specific course). In addition to the tricky philosophical issues involved in this kind of big data research, there are also questions of privacy. Who should see these predictive analytics? Should students know what predictions are being made about them? Should their teachers? Their advisors? The legislature? The police? These questions about the right way to use Big Data are being discussed and debated in universities around the world.

Thursday, Jan. 26 is National Data Privacy Day and the Privacy Office, C&IT and University Libraries are sponsoring a web-based talk from 1 to 2 p.m. in the Simons Room (on the first floor of Purdy/Kresge Library; refreshments will be provided).

The speaker is Cindy Compert, who is Chief Technology Officer for Data Security and Privacy at IBM. Further details about the talk can be found here:

http://events.educause.edu/educause-live/webinars/2017/big-data-whats-the-big-deal

Later this spring, additional live speakers will be announced. Watch this space and campus announcements elsewhere for details.

The goal of this campaign is to raise awareness of privacy as an important issue and perhaps to gather a group of people on this campus who are interested in ongoing conversation about these issues.


Image source: http://www.top10bestwebsitebuilders.com/how-to-create-a-website/free/free-privacy-policy-generator

Help us help you–participate in the ECAR survey

Many WSU faculty (50% of them, to be precise) have been receiving requests to take part in a national survey of faculty attitudes towards technology at the university. The survey is being run by Educause, the national educational IT organization. This is the second year this survey has been run, and last year’s survey produced some interesting results about faculty interests and desires around everything computing-related.

Last year’s results are available in ‘infographic’ format here:

http://net.educause.edu/ir/library/pdf/ers1407/eig1407.pdf

Some relevant findings from last year:

  • Nationally, fewer than fifty percent of faculty are satisfied with IT support for research.
  • Opinions on the use of smartphones in class are mixed, with about half of faculty banning or discouraging them and only a third encouraging or requiring laptops (I myself don’t see how I could ban smartphones, and I’ve taught classes where laptops were required because we were all learning how to use some online tool).
  • Many faculty feel they could be better at using web-based content and online collaboration tools in their courses, but there was less enthusiasm about social media as a teaching tool.

There are two versions of the survey, one that takes about twenty minutes to half an hour, and another that takes only ten minutes. Whichever one you choose, your participation will be greatly appreciated, and will help C&IT plan our investments for the next couple of years.

Look for a reminder and your personalized invitation to join in the survey tomorrow. If you don’t get one, you’ll be asked to participate in a more general survey of IT satisfaction that all other faculty, staff and students will take part in later this semester.

More on leaking selfies

I just read a particularly good discussion of the (now dying down) controversy over the leaking of celebrities’ sexted photos. It makes a number of points that haven’t been raised elsewhere:

  1. Saying ‘don’t take revealing pictures of yourself’ because they might leak is like saying ‘don’t use a credit card because your identity might get stolen’.
  2. Phones are a new kind of sex toy, and they, and their use, are not going away.
  3. People don’t know where their photos go when they use their phones. Almost all phones (iPhones, Androids, at least) automatically, and without our noticing, back photos up to the cloud.
  4. Cloud providers need to get their security act together, but probably won’t, because there isn’t enough shrieking going on.

Just FWIW….

http://www.forbes.com/sites/kashmirhill/2014/09/01/sext-abstinence-education-doesnt-work/

Replace Pipeline with Academica in your Bookmarks, soon

Pipeline is about to be replaced with a totally new, social-media-oriented website/portal called Academica. It is device-agnostic, which means it works with all computers, all tablets and most smartphones (something people have been requesting for almost as long as there have been smartphones).

It’s also smart itself. It remembers the tasks within the system that you use most, and bubbles them up to the front page so that most common tasks are always one click away. For example, if you’re a faculty member it will put Download Classlists and TravelWayne up front and center, but if you have to approve timesheets that link will be right there as well. In general most tasks should be no more than one, or at most two clicks away.

It also comes with a built-in messaging system that is similar in features to Twitter. It allows you to use hashtags (#hashtag) and mentions (@GeoffNathan). There will be streams associated with a number of common topics of discussion, as well as streams for departments and one for each class being taught.

Academica is still being developed (technically it’s in beta), but you’re welcome to try it right now. Just go to academica.wayne.edu and log in as usual. You will have the option to switch to exclusive use of Academica (instead of Pipeline), but there is always a button available to switch back to the old Pipeline interface if you need to.
Since it’s still under development, C&IT is looking for feedback, which you can send by writing to academica@wayne.edu, or by going to http://computing.wayne.edu/academicafeedback.

The official roll-out will be some time in the fall, but feel free to play with it now. Who knows, you may never want to switch back to Pipeline. Academica and Pipeline will both be available at first, but Pipeline will be shut down in the 2014-2015 academic year when we are confident that Academica can support all of our campus needs.

Here’s a preview of what the interface looks like, showing only the links part:

Academica Links Section

Important Federal Court Decision on Online Book Search Engines

The 2nd Circuit Court released a decision today in a case involving the Hathi Trust, which has been scanning old books and making them available online for search purposes. Some authors’ unions sought to prevent them from doing this on copyright grounds, but Hathi (and many supporters) argued that the open-source non-profit partner with Google Books was entitled under the ‘fair use’ provision of the Copyright Act to scan millions of books (including, particularly, ‘orphan’ books whose copyright was still valid, but whose authors were either long gone or unlocatable) and make the results searchable. Hathi Trust is an invaluable tool for historical, linguistic and literary research because it means that millions of out-of-print books are accessible to the world of research.

This doesn’t mean you can now just read any book in their repository. You can’t. What you can do, however, is search for every instance of a word in the millions of books and get the surrounding context for each use (which is a gold mine for linguists), or find mentions of historical events or people (or political theories or scientific experiments) in millions of books scattered around the country.

The court’s conclusion was that making snippets available through searches, and making entire texts available to the visually impaired, constituted fair use under the ‘transformative’ provision of the fair-use clause (you can read all about it on the WSU Library’s Copyright page).

Here are two news items on the court case:

Volokh Conspiracy (libertarian law school-oriented blog)

Inside Higher Ed

Further thoughts on email in the cloud

A couple of months ago I wrote about a future Wayne State email system based in the cloud. At the time we were considering Gmail and Microsoft’s Office 365. Since then we’ve pretty much settled on the Microsoft offering, although no formal decision has yet been made.

An alarming development at the University of Illinois Chicago about a month ago made many question the value of working with Google–an infected machine on the UIC network caused Google to block them from sending any email from UIC. This is something that occasionally happens (every now and then AOL or someone like that blocks Wayne State email for a day or so). What was alarming was that it took Google almost two weeks to unblock UIC’s mail, mostly because they were unable to get hold of anyone at Google. That certainly didn’t help Google’s reputation among universities.

Even more interesting is the fact that Google normally uses their customers’ data to tailor ads. You may have noticed that ads in your Gmail account sometimes reflect something you searched for in Google earlier in the week. This is not a coincidence–Google admits that they do this. When universities contracted with Google to use Gmail, they agreed to Google mining the email to target ads, even if the ads didn’t show up in the university-based email accounts.

Yesterday Google announced that they would no longer mine academic Gmail accounts. Apparently the drumbeat of the privacy advocates got a little too loud for them. I’ll be attending an academic computing privacy conference in DC next week–no doubt that will be one of the topics of conversation.

Maybe our students aren’t so savvy after all

And maybe we aren’t either.

An article in this week’s Chronicle suggests that we’re on shaky ground if we assume our students know tons about how the Internet works and what that means for their (and our) future.

A couple of faculty at Northwestern (Eszter Hargittai and Brayden King) teach a course called ‘Managing your Online Reputation’, where they encourage students to find out what the Internet knows about them and think about what it’s advertising to the world.

Their idea is that students should be encouraged not only to refrain from posting videos of stupid things they might have done, but also to think about posting (tweeting, instagramming, tumblr-ing) positive views about their skills, attainments, knowledge and capabilities, so that the usual searches will turn up not only nothing bad, but some good stuff as well.

The course was based partly on research by one of the faculty (Hargittai) that showed that, contrary to what many of us believe, many students today know less about online life than most of us. For example,

about one-third of the survey respondents could not identify the correct description of the ‘bcc’ email function. More than one-quarter said they had not adjusted the privacy settings or content of social-media profiles for job-seeking purposes.

My experience has been that I have a few students who are really tech-savvy, a few who have no idea what they are doing, and the rest somewhere in between. And, of course, being tech savvy is a moving target. I’ve been doing email since 1990, so I certainly understand how that works. But I only joined Instagram about a month ago, and Tumblr a few weeks earlier than that, mostly to follow a nephew who’s traveling around the world and documenting it on Tumblr.

On the third hand, I actually understand what the Heartbleed vulnerability is exploiting (and I even understand what that last sentence means…).

Anyway, some food for thought.

And, for a contrary view, try this. And for an even more contrary view on brand-building, there’s this.


How to prevent your heart from bleeding

By now probably everyone has heard about the Heartbleed problem, but just in case you haven’t, here’s a quick summary. One of the programs1 that websites use to communicate securely with customers, called OpenSSL, turns out to have a vulnerability that would let bad guys snoop on traffic to and from those websites even though the data exchanged between them is supposed to be encrypted (as indicated by the icon of a closed padlock in the address bar, and https in the address itself).

The accidentally unlocked ‘door’ has been around for a while, and so there is a chance that your communications with Gmail, Facebook, tumblr and others have been snooped on. There is even a chance that your password has been swiped, and, of course, if you use the same password in various sites, any stolen password will work on all those sites.

What can you do? First of all, all your Wayne State data is safe: the WSU systems were not running OpenSSL. The Wayne VPN is vulnerable, but the VPN itself was protected from external attacks in another way, so there is no risk there. But, of course, you have passwords on many other sites, and for some of those you should probably consider some password ‘maintenance’. Specifically, you should probably change those once a month for a while. I’ve already changed my Gmail and Dropbox passwords, and am working on several others.

The real takeaway from this event is that you should not reuse passwords from site to site. Of course, that’s easier to say than to do: most of us have dozens, if not hundreds, of passwords, so some kind of password management tool is becoming more and more necessary. I myself use Lastpass, which stores my passwords online (of course I use a unique, complex but memorable password for that). It not only stores all my passwords, it even suggests complex non-memorable passwords. Since it will automatically fill them in for me, I don’t need to remember them. If you don’t like having it fill things in automatically, you can invoke it (there’s a plug-in for every popular web browser), display the password and copy it into the relevant website as you log in.

Note that I have no connection with Lastpass, and there are other worthy competitors such as Keepass and Roboform. You can read a review of them here.

Lastpass has an interactive form you can use to see whether your favorite websites have been protected. You can find that here.

If you are interested in the technical details on how Heartbleed works you can watch this video, which lasts about 8 minutes. It’s not horribly abstruse–if you kinda know how websites communicate with your computer you can follow it.

Mashable has a good summary of which websites you need to worry about.

One final thought. NEVER send your password to anyone for any reason through email. And, in fact, if an email tells you to change your password, if you think it actually is authentic, don’t follow a link in the email to change it. Instead, use a bookmark, or type in the web address yourself, so that you know you are changing the password in the right place, and not in a rogue server in Tuvalu.

———-

1 I know that calling it a ‘program’ oversimplifies things, but this characterization will suffice for our purposes.