Confidesk

I had to contact eBay to change some details about my account whihc I can’t do. They needed to verify my account, which is as it should be. However I’m not sure that the verification process was good enough.

I used chat, because waiting on the phone is always a pain and needs full attention, while a chat window can be open in the background and it sends notification if they send me a reply.

They asked me to verify who I am, and they asked information available for everybody, becasue as a company, I must make my contact information public. Which means anybody can provide the right answers.

Yes, I started the chat as an authenticated user, so that is at least some kind of verification too. But the asked questions added nothing to it. I could have been anybody, my account could have been hacked.

They accepted my answers, I was verified, and they applied the changes.

The title sugest that email encryption is easy, and in a way, it is is.

The internet is not secure

Email is, by design, not secure. It is a simple text message sent on a computer network. Originally, the network itself was like a phone line, anybody who had access to it could copy and read the data. It is still the case. Therefore new features were introduced to make the communication more secure. The network itself is still not secure, but the data sent on the network is. Protocols like ssh and https send the data encrypted, therefore even if somebody has access to the network, the data they can read doesn’t make sense.

Something similar happened in email. The network it uses is the same, the email itself is the same, but there is way to send the email encrypted.

One big issue is that to do so, you need your own infrastructure. Reason is that the encryption happens on the service level, the mail server itself creates the encrypted channel to send the message.

Just a little more details what this means

In case of ssh, you have your own private encryption keys, and you install the public parts on servers you have access to. This is a very individual approach, and it needs resources only from you. You are the one who maintain your own keys. This obviously can’t work for email, you can’t install your public key on everybody’s devices where you send email. There is a solution that does this exactly, but it is not convenient.

The public/private key infrastructure is used in case of https too. Contrary to the marketing which successfully convinced many to pay thousands per year to buy fancy certificates, https encryption is nothing more than encrypting the communication. Well, it was used to provide authenticity, but it was a mistake. When a root certificate was stolen, many fake site could claim it was authentic, becasue authenticity based on the signature of the owner of the root certificate. Letsencrypt is a more open approach and it does what https is for: it tells you that you comminucate with the domain itself and encrypts the communication. It is possible in this case, because there is an infrastructure behind the encryption certificates that is used by the browsers to verifiy the keys. This wouldn’t be convenient for individual email accounts either.

We have email encryption already

However, it works on the server side. When you send an email, your email client contacts the server which manages your email address. The client can be  browser based or a program, it doesn’t matter. So the client contacts the server, and it is actually the server that sends your email, not you. The server contacts the server of the recipient email account, and sends over the message. Then the recipient use their client program to download or access the email. The encryption can happen between the two servers. That is the phase when the message is in a public space. It can happen, becasue it is not encrypted by default. The same certificates that are used for https can be used here, therefore server admins very easily can have Letsencrypt certificates to be used on mail servers. If it is done, the message sent encrypted on the public network automatically. Only condition is that both servers have to be configured for TLS. This means that if you and the recipient have control over the email server, and both of you use TLS, the email is actually encrypted and can be read only by you.

Only you need your own server

Which sounds scarier than it is. It is very easy to have and maintain your own mail server, you only need a Virtual Private Server which has a properly configured mail server and that is all.

Google is not your friend:

Google uses Gmail to track a history of things you buy — and it’s hard to delete

Have you ever asked it to collect your shopping and invoices? No? Well, who cares? Do you want to opt out? Not an easy task.

The funny part:

“Google says it doesn’t use this information to sell you ads.“

Sure, it doesn’t ;).

“To help you easily view and keep track of your purchases, bookings and subscriptions in one place, we’ve created a private destination that can only be seen by you,”

Well, the NSA is supposed to guard the US interest. Now an NSA tool is used against US organizations.

I don’t get how it can happen. Not that the tool is stolen, but:

- it is made by a US organization

- so this organization should have protected its own country against it

But it is late and government offices don’t have the resources to patch Windows:

In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc

The article says everything, let’s hope it is not just smoke:

I rarely agree with what Google says or does.  They don’t serve my interest at all, and I don’t like when I’m used for profit. Therefore I don’t use Google if possible or use it anonymously.

However they are right in this. GCHQ should not get what it wants:

Google and Apple criticise GCHQ eavesdropping idea

I don’t understand how anybody at any organization can think it is a good idea to be able to read any messages sent through the internet, in the name of security. This is a road to dictatorship, when the state can collect and examine what you have and then they can use it against you.

Mark Zuckerberg tried to make us believe that Facebook will change and it will be a privacy oriented service.

Its business model depends on information about its users, so this sounds like a joke. Privacy is so hard to configure, that even if you try, chance is you will not succeed for the first try.

I had to remind a friend that even if his friends are private, some of his posts are not, and people who comment on those posts are usually his friends and family, therefore these comments show many of them publicly.

And now you don’t need to worry that Facebook will really be built on privacy in the future:

Facebook lawyer says you don’t actually have any privacy on the site

So it seems Zuckerberg’s speech was the marketing, but the lawyer had to tell the truth in a hearing :D.

I love what he said:

“There is no invasion of privacy at all, because there is no privacy,” 

I already posted about how I don’t like streaming, because I don’t or can’t have access to many content I like and I have no control at all.

There is an other downside of the new approach of how content and software is sold to you. We actually become vulnerable to service providers. They restrict our usage and access to the tools we buy from them: We Are Tenants on Our Own Devices

I don’t like this, not a little. This is something you can do almost nothing against. There is a reason I use Linux and I log in to my online accounts only when I have to and on platforms what I consider safe. For example my mobile is not safe, neither any computers that run Windows or Mac. I use Linux, my Windows runs on a virtual Machine only in cases when I need it. I practically use Google only in business, my private life is not exposed to Google or Facebook. Why? I don’t know and I can’t know what these companies and their software do.

Your devices can be the tool used against you, even if at this moment, you are told they are used to support you.

Online identification is getting more and more intrusive

It is a controversial regulation. Some say it is too restrictive and suffocates the internet, others say it shows EU is the leader in protecting privacy.

In case of Facebook, it certainly is our friend:

Facebook 'labels' posts by hand, posing privacy questions

This is off topic.

I spent an hour yesterday finding my favorite 20 movies on Netflix, Amazon and Now TV. I pay for 3 streaming services to have access to as much movies as possible (actually four: Cinema and Entertainment Pass on Now TV) . I like movies. I have a collection of the good ones, around 600 discs.

Not half of the movies I was looking for is available. 

I still have to buy disks to be sure I can watch what I like. Yeah, I can rent them, but renting costs more than a disc. I am not the enemy of myself.

Disturbing and annoying is, that very classic and often referred ones are not available. Like Basic Instinct. It is not even a very good one, it is old, yet, not available. If you want to watch very popular ones, blockbusters, chance is you need to be a subscriber of too many services to be able to. And even then, there is no guarantee. Try to watch Star Wars, all the episodes. You can’t.

I think this needs change. After a given period, which should not be longer than 10 years, all the movies should be available on a streaming platform for a subscription fee. 

And now comes Disney and Apple TV. Should I pay for them too? I will certainly not. This is waste of money.

Music isn’t better.

I stopped buying CDs, I only listen to music using streaming. I tried more than one, then I stopped trying, all are the same with the same issues:

One:

They change the available music, and it too often happens that my albums are not available partially or totally. One day it is a full album from a band, next day it is 5 songs from 3 different singles, other songs are not available.

Two:

You can upload your music to the cloud then the streaming service identifies it and adds it to your music. Except if it doesn’t. I uploaded one of my favorites, and when I tried to listen to it, I got something else. I tried again, same. I called support and they told me that happens, I should try to modify my mp3. Really? Who am I? Sony Entertainment? To modify my mp3???

And the reason? Copyright holders are like monopolies. You can’t buy from a competitor, and if your service provider doesn’t pay the fee, they don’t sell. 

My big problem with cloud is the same as the problem with email. It is not designed to be safe, secure and private. All the services that are offered on big centralized networks (which is, in short, the cloud) are designed as big enterprise architectures.

It is natural that when you log in to a company network, everything you do is logged and often checked. It is not yours, it is company owned, you are there to work and help making profit.

However when it is not a company network but something in your private life, the same architecture should not be used.

The latest example is Snapchat.

Snapchat Employees Abused Data Access to Spy on Users

SnapLion would not be problematic on an enterprise network. But even if its purpose was only legitimate at a company like Snapchat, it would still be problematic. My opinion is that to access any photo I uploaded to any cloud service would need my explicit approval. Which is not the case. If you do something online, you can be sure that there is at least one person who can check it without your consent. With the exception if the data is encrypted and you can be sure the encryption is such that only you can decrypt it.

You can say the very often said reason that you have nothing to hide. I would refer back to one of my earlier posts: imagine that these people visit your house and watch as you are eating or as you are having sex. You say this is extreme, but it isn’t. When you chat about your love life online with a closest friend, it is not a private chat. Again, except if it is encrypted and you are sure only you can access it.

This must not be true:

Google says some G Suite user passwords were stored in plaintext since 2005

Google stores passwords in plain text.

Read it again.

Google stores passwords in plain text.

So this is a company who tries to tell us it cares about security, who uses https as a marketing tool, who enforces things even when they are not necessary, again, as a marketing tool, and it is like amateurs, it stores passwords in plain text. If it was a small nobody-heard-about company, OK, they’ve made a huge mistake, I would say. But this is Google. 

If it was a broken storage solution which allowed access without authentication because of a bug in a third party application, which situation is not easy to avoid, I would understand. But:

“Google said it discovered in April that the way it implemented password setting and recovery for its enterprise offering in 2005 was faulty and improperly stored a copy of the password in plaintext.“

You don’t store password in plain text. Never, ever. Yet, they implemented it.

:DDDDD

There is an other big leak of sensitive user data, this time, the source is Instagram:

Millions of Instagram influencers had their private contact data scraped and exposed

Boring, isn’t it? Yes, Facebook and attached companies leaking their customer’s private data. 

However I want to point out a few things.

The worst:

“Two of the people responded and confirmed their email address and phone number found in the database was used to set up their Instagram accounts. Neither had any involvement with Chtrbox, they said.“ (Chtrbox collected the data and made it public accidentally or otherwise.)

Do you know what this means? Your account details are not guarded at all on the servers of Instagram. There are ways to discover information that is supposed to be private. 

And:

“The database, hosted by Amazon Web Services, was left exposed and without a password allowing anyone to look inside. At the time of writing, the database had over 49 million records — but was growing by the hour.”

It is very easy, but not very simple, because you need to make too many steps.

First of all,  LUKS (Linux Unified Key Setup) is used to encrypt partitions.

A few words about how to create an encrypted partition

The process is very simple. You need a partition (we work on Debian, so from now on, everything is Linux), like /dev/sdb1.

First step is to prepare the partition to use with LUKS.

cryptsetup luksFormat /dev/sdb1

This will destroy all the data you have on this partition and it will also ask you to provide an encryption password (you can have more than one).

Then to use this partition, you need to open it:

cryptsetup luksOpen /dev/sdb1 cryptvolume

“cryptvolume” can be any name that will identify your partition. I usually use something like crypt_sdb1, so in my case

cryptsetup luksOpen /dev/sdb1 crypt_sdb1

If this is the first time, then you need to format the partition before you can attach it.

mkfs.ext4 /dev/mapper/crypt_sdb1

Then you can mount it:

mount /dev/mapper/crypt_sdb1 /mnt

How to extend it

What if the partition is smaller than you need? You have to make it bigger, of course :). Condition is that you need to have space on your hard drive to do so.

First, detach  and close the encrypted volume if necessary:

umount /mnt

cryptsetup luksClose /dev/mapper/crypt_sdb1

Use parted to resize the partition.

Start parted:

parted /dev/sdb1

Extend the partition:

resizepart <partition number> <end>

Open the partition again:

cryptsetup luksOpen /dev/sdb1 cryptvolume

Run e2fsck to check the filesystem:

e2fsck -f /dev/mapper/cryptvolume

Run resize2fs to resize it:

resize2fs /dev/mapper/cryptvolume

Remount the partition:

mount /dev/mapper/cryptvolume /mnt

One of my friends told me that she cant agree with my view of protection of the natural environment. Which is that at least the third of nature should be closed off from people to let other living things to live their lives, and these should include every kind of environment and the richest ones too, like the Galapagos Islands. She said she wanted to visit these areas and see the animals and that makes no harm. So I told her what if I just walked into her house at dinner time, watch as she is eating with her family, then I follow her into the bedroom watching having sex. Would it bother her? - I asked. Of course. So protection is important after all.

Encryption is something like this. Until we feel it in our everyday life that it is necessary, we say that we have nothing to hide. Well, there are many things. If I can get enough details of your life, IDs, address, bank account number etc, I can pretend I am you, and I can live your life and rob you of your own identity.

This is not a remote possibility and not a sci fi scenario. This article is not an easy to read, but it is worth it:

China’s Maxim – Leave No Access Point Unexploited: The Hidden Story of China Telecom’s BGP Hijacking, https://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1050&context=mca

Yes, if you are a private person, this is not something you should care much about. But if you have a company and  you have any kind of advantage over your competitors, you should take notice.

However we will need to change the technology we use for encryption. The Atlantic has a short article about quantum computing, which really seems to be waste of bits on your screen :).

Its title promise something extraordinary, the loss of free will because of the huge computing capacity of quantum computers. But it doesn’t deliver its promise, it declares free will is not in danger, but encryption probably is.

You can read it if you want, however I already told most of it :).