Out of Twitter

Tuesday, July 28, 2009 at 23:30 | Posted in internet, web 2.0. | 2 Comments

I appreciate that Twitter is concerned about my security but this is a bit too much of a good thing. Locking me out of my account does not help me at all, nor does it prevent any unauthorised usage of my account. On the contrary, it makes things worse because as long as I have no access to my account, I am unable to make sure that nobody else has that access.

What happened was that I temporarily granted access to my account to a third-party application. As soon as that app had done what it was supposed to, I cancelled the access and changed my Twitter password, just to be on the safe side. What I failed to observe was that when I changed my password in the web interface I had TweetDeck running all the time and I did not think that I needed to change the password there as well. Hence, TweetDeck kept trying to access my account using the old password and naturally failed.

Twitter apparently took this as an unauthorised attempt to crack my account. But rather than letting me update the password in TweetDeck they chose to lock me out of both TweetDeck and the web interface. Security is fine but I wonder what the point of this action might be and how exactly it is going to increase my security.

Edit: Looks like I have my access back. I still honestly do not understand why it was necessary to keep me out for a couple of hours.

A matter of security

Tuesday, January 20, 2009 at 15:55 | Posted in e-mail, internet | 3 Comments

If you had reason to believe that somebody’s e-mail had been compromised and your only means of warning them about it was e-mailing them, how would you go about it? You could not just tell them about your suspicions because that would be most helpful for the suspected crackers. You could, of course, try to reach your friend some other way but what would you do if that were not possible?

This is not a hypothetical question, I am afraid.

Take the phishing challenge!

Monday, November 17, 2008 at 16:50 | Posted in internet, web tests | 1 Comment

Unlike most other web tests, the PayPal Fight Phishing Challenge is dead serious. If you have a PayPal account, I suggest you take the test right away. If you fail to get all five questions right, that is, even if you provide one single wrong answer, click here and read more!

via Kai

How secure is secure?

Friday, August 22, 2008 at 11:05 | Posted in great britain | Leave a comment

Another massive data loss has taken place in Britain, this time concerning offenders and prison inmates:

A Home Office spokesman said the data was lost by PA Consulting, a private contractor working for the Home Office, and was “held in a secure format on site and downloaded onto a memory stick for processing – which has since been lost”.

Holding data in a “secure format” on site is absolutely the correct way to go about it but it is of no use if the data can be downloaded and then recorded onto insecure media. A “secure system” is just as insecure as the weakest link in the processing chain. The British government seems to be a huge data security disaster.

659 laptops

Sunday, July 20, 2008 at 22:40 | Posted in great britain | Leave a comment

Another laptop has been stolen from an official of the British Ministry of Defence. This brings the number of stolen laptops during the past four years up to 659. The latest stolen computer had sensitive information stored on the hard drive.

It is just unbelievable that confidential and sensitive information is widely allowed to be stored on devices like laptops, CDs and memory sticks. The only sensible place for such information is a secured server that can only be accessed by authorised personnel. Downloading and recording anything from the servers must be stopped and made punishable. It is as simple as that.

With dickheads like that in charge of the British government’s data security I do not wonder that Britons do not trust the per se good idea of a national ID card and e-government. How can you trust a government that keeps losing vital data on laptops and other portable devices?

Have any sensitive data?

Friday, February 8, 2008 at 4:12 | Posted in civil rights, USA | 1 Comment

Do you have any sensitive data on an electronic device like a laptop or a cell phone? I sometimes do, as I think most of us do. I am making an effort to store everything of importance on secure servers but it happens all too often that I forget to delete something from the hard drive of my laptop.

If you cross a US border there is a chance that your cell phone or laptop may be searched or even seized by the border control officers. I have never crossed a US border and am not likely to do so but the thought of my laptop being poked by a border controller makes me feel sick. It is like x-raying my brain and reading my thoughts.

So what should you do if you are frequently travelling to and from the US and need a laptop for your business? In such a situation I would have my data on servers as I have it now. I would need to have two computers: one in the US and one outside. I would upload and access whatever I need wherever I happen to be and make sure not to leave copies on the hard drive.

I would leave my laptop in a safe location in or outside the US and not carry any electronic devices with me at the border. I would certainly not be 100 % safe that way either but it would make me feel a hell of a lot better.

Not even Hitler and Stalin could be quite sure they had access to the most secret thoughts of citizens but now those thoughts are not protected against the insight of the very government that successfully fought Hitler and Stalin and everything they stood for. When did this happen? Just wondering.

A constitution worth protecting

Thursday, January 24, 2008 at 7:19 | Posted in civil rights, Germany, internet, privacy | Leave a comment

The German public broadcaster Südwestrundfunk say (via StoiBär and Heise online) they are in possession of a 14-page German security service memo compiled to evaluate the judicial problems faced by the security service in their investigation leading to the arrest of three suspected terrorists known as the “Sauerlandgruppe” four months ago. According to the memo, checks and balances in German legislation made the success of their investigation depend on information received from foreign security and intelligence services. Not surprisingly, the security service now want some of those legislative and constitutional checks removed.

Among the recommendations of the memo is to make audio and video surveillance of suspects’ flats easier. They also want operative real-time access to cell phone position data. Perhaps the most controversial proposition suggests that visitors to Internet cafés would be obliged to present a paper copy of their photo ID combined with a recognisable user ID during their stay in the web café.

Disregarding for a moment the petty little detail that these kinds of intrusions into privacy could be regarded as unconstitutional, I wonder what practical consequences these suggestions might have if approved. If I were a terrorist or even a legitimate whistleblower interested in anonymity, I would not use a cell phone or a web café for my communications as it is. Neither would I post sensitive anonymous messages on the Internet using my domestic web connection.

After all, there is a practically unlimited number of open wifi networks all over for me to access. I would have no problem creating a clean partition on my laptop hard drive to be used only for that kind of messages through wireless networks. So even if the security services managed to plant a governmental trojan onto my hard drive they would have a hard time connecting any sensitive info I posted with my person.

If the recommendations of the memo were indeed approved and those constitutional checks and balances were eased, just imagine who would be more likely to take protective measures for their communications: a member of a terrorist organisation or an innocent whistleblower? The problem is that those checks and balances were explicitly supposed to protect the privacy of the whistleblower. Or that is at least what I thought.

On a more philosophical point, if protecting a constitution requires that the constitutional rights of citizens be essentially limited, is the constitution itself worth protecting? The secret services are after all supposed not only to protect the constitution but also the values behind it. As Kai put it a couple of months ago:

I do not like it. I still want to keep my door closed when I go to the toilet. You see, I expect anonymity – even if you all know what I am doing in there. And I would like things to continue that way. So no thank you, Mr. Kerr, I will not leave my anonymity so you can control my privacy.

Stupidity can not be beaten by stupidity

Monday, December 17, 2007 at 11:04 | Posted in Germany, traffic | Leave a comment

According to Spiegel On Line International a German man was denied a one-litre bottle of vodka on board a flight, in accordance with air travel security rules banning anything but small amounts of liquids. He was presented with the options of dumping the bottle or paying to get his luggage checked in. The man opted for neither but decided to drink the booze on the spot, which caused him nearly fatal alcohol poisoning.

Lessons to be learned? Sure! You cannot beat stupid security rules by acting equally stupid yourself.

Electronic Jihad or cyber hoax?

Monday, November 5, 2007 at 6:05 | Posted in internet | Leave a comment

Debka.com writes that their sources allegedly picked up “a special Internet announcement” originating from “Osama bin Laden’s followers”. The message is said to be about an “electronic Jihad” supposedly activated on 11th November 2007:

On Day One, they will test their skills against 15 targeted sites and expand the operation from day to day thereafter until hundreds of thousands of Islamist hackers are in action against untold numbers of anti-Muslim sites.

Roehr.com specifies several reasons why this announcement does not sound credible and concludes that it is nothing but a hoax:

I call this a hoax – a poor attempt by war lovers and anti-Muslims to “prove” the dangers of the Muslims. A PR stunt.

I tend to believe that Kaj’s arguments sound plausible enough. Ergo, it is more likely a hoax than anything else.

TSA security

Tuesday, July 10, 2007 at 13:05 | Posted in funny, video, youtube | Leave a comment

This is about security in the air. Exactly those liquids. And it is seriously funny.

via Jaanus

Edit: Relating to this video, Reality on a stick refers to a true story about the TSA missing a fake bomb in the same bag from which they confiscated a bottle of water. I am not sure about the bomb but at least there were apparently more than 3 ounces of water in that bottle. 😛

Edit: In the same context, The chawed rosin points at an article in ZUG by John Hargrave. A nice piece of writing.

The fuzz around Estonian KAPO review

Sunday, May 27, 2007 at 2:23 | Posted in censorship, Estonia, information, internet, Journalism, Personal, Press freedom | 8 Comments

There has been radio silence on this blog for a few days but the site has been busy, as you can see in the graphic screen shot above. The otherwise modest statistics for May have two peaks: one just before mid-May connected to Hubertus Albers, who prefers to appear under his artist name Atze Schröder. Unlike the German TV clown, the other peak these last couple of days is associated with a serious topic: the annual review of the Estonian Security Police.

Some of my friends in the wide World have asked me what the fuzz is around the annual review. As I am a part of that fuzz, in that the documents were at least partly spread all over the Internet through my actions, this post is written strictly from my personal point of view. I am referring to some outside sources, most of which, however, are in the Estonian language. I hope you will appreciate that I may not be able to disclose all details in my knowledge, partly to protect my sources and partly because the legal situation around publishing the files is contested. So I may need to “take the fifth”, as it were.

As Wolli writes here, the Estonian Public Information Act specifically stipulates that government agencies (both local and national) are under obligation to publish reports about their work and the fulfilment of their responsibilities on the Internet. They also have to guarantee access through the web, as soon as possible, to all information obtained or created in the course of fulfilling their legal function.

The Estonian KAPO printed their annual report and distributed it to selected media outlets and their partners. The printed copy was also available for free to anybody who would ask. For some reason, which can only be speculated about, they were not even planning to publish it on the web.

Up until a couple of days ago, KAPO had the reviews up to 2004 on their web site. They have since hastily uploaded the 2005 edition but not the review for 2006, which is what we are talking about. Their freshest press releases were three years old and they had a list of wanted persons which was last updated in 2003. Press releases have since been added and at this moment they are almost up to date. The list of wanted persons has been taken down, which is obviously good for the persons who were entered there but may not be wanted any more or may even have been found innocent.

These shortcomings in informing the general public through the Internet suggest that KAPO have been concentrating on their actual function, which is protecting the country. If you download and read the review, I think you would agree that they are doing that well. Nevertheless, that is not an excuse for failing to interact with the public and make public information accessible through the web.

Many bloggers and IT specialists in Estonia were concerned that the country which has otherwise been praised for its outstanding achievements in the area of e-government and e-society (the first country in the World to have had a nationwide election with the possibility of secure voting over the web) has a security police that does not seem to understand what the Internet is all about. Some of these concerned citizens got hold of PDF files of the annual review prepared for the printing of the book. Their contents were identical to the printed version. Since there is not a single statement in the files restricting their use and the documents are public according to the law, some bloggers uploaded the files (Estonian and English) onto the Internet.

Each of the bloggers, including Jaanus Kase, was rapidly contacted by the KAPO and asked to remove the files. The bloggers complied with the request and for a short while the documents were not available on the web.

Having the two PDF files in my possession (how I got them falls under a journalist’s privilege to protect their sources), I was evaluating the situation in the afternoon of Wednesday 23rd May 2007. I had information that the KAPO was only interested in making the printed copies available. The documents are public and KAPO is under legal obligation (Public Information Act) to specifically make them available on the web.

Colourful parts of the document had been published in the media, here a few appetisers by Eesti Päevaleht. There was definitely a public interest in having the files downloadable on the Internet. I judged that the public interest outweighs any other concern. While I understand that people who were asked by KAPO to take the files down did so for personal reasons, I think I would have been a bad journalist if I had not uploaded and linked to them.

At 15.43 local time I published a short post with links to the two PDF files I had uploaded to a secure server. The post has been read during the last three days almost as much as my first post about Atze Schröder during the last 30 days. The interest has been beyond borders; both the Estonian and the English version have been downloaded heavily. (Sorry, I am not releasing download stats at this moment to protect myself legally.)

Within less than an hour and a half after my post was published, a somewhat odd comment appeared on the blog. It was a polite request to “block the downloading access to kapo’s yearbook”. While the Estonian bloggers were contacted by KAPO, this comment was signed by Ms. Evely Ventsli, who indicated she was a project manager of Smile Group, the ad agency that had compiled the document for KAPO. Strangely enough, Ms. Ventsli indicated that she was writing “on behalf of” KAPO. No proper reason for the request was given, other than that I had no permission from them or KAPO to publish the documents.

Having made arrangements to secure the files (I thank a number of distinguished members of the blogging community for their kind help, no names obviously) and consulted a number of friends and colleagues, and also having informed the board of the Estonian Journalist Union, I wrote to Ms Evely Ventsli asking on what grounds and authorisation she made the request. I also pointed out that the files were public documents, which is why I did not need the consent of either her agency or KAPO to make them available on the Internet. I sent the letter at 21.35 local time.

At 15.35 the following day (Thursday 24th May) I received a reply to my inquiry. It was anonymously signed “Kaitsepolitseiamet” (the official name of the agency supervising the Security Police) but it was sent from the mail address of Evely Ventsli from the ad agency (evely@smilegroup.ee). This raises a number of questions, obviously.

If a government agency drafts and sends an official letter, it is signed by the appropriate official within the agency who is authorised to do so. They sign it with their own name and rank. Has Ms Ventsli been authorised by the Security Police to act as their mail box or is she a member of KAPO? Who authorised her? Was the authorisation legal? Or did Ms Ventsli appear as an agent of the Security Police on her own?

The letter itself was obviously written by somebody with a legal education. It was quoting copyrights under sections of the Estonian copyright legislation. It ended with an insinuation that I may be about to commit or have committed an action that could be prosecutable as a crime.

As far as I am concerned, I do not regard the anonymously signed letter delivered through an ad agency as the official response of the Security Police. Neither do I recognise that documents which are public under law and should have been published on the Internet by the Security Police themselves would be protectable by copyright. I question whether Ms Ventsli had any legal right to act in this matter. I am also asking who exactly is claiming copyright. The Security Police or the Smile Group?

By now it is purely academic whether I take the files down or not. They are already in so many places on the web that they cannot be put back in the bottle. Somebody has even made copies in HTML, MS Word, plain text and even MP3!

For the moment the files stay on my server. I am going to take them down as soon as KAPO puts them up on their own site. That is what they should have done in the first place. Had they done so, none of this fuzz would have happened.

Update: Since KAPO have released the Estonian version on their own web site, I took it down. I am happy that the joint efforts of bloggers in Estonia and elsewhere have contributed to a reconsideration by KAPO. Public documents must be available to members of the public.

I am happy to take down the English version as well, as soon as KAPO have it on their web site.

Update: KAPO have now also released the English version. It is downloadable as a PDF file on their web site. Therefore, I am also taking it down as obsolete.

Download the annual review of the Estonian Security Police

Wednesday, May 23, 2007 at 15:43 | Posted in Estonia, information | 11 Comments

The Estonian Security Police KAPO recently published their annual review of 2006. It is interesting reading as always and widely commented on by the media. While the review is a public document, it is not quite simple to get hold of.

I accidentally happened to stumble on two PDF files. The English edition is here and the Estonian version here. How they came into my possession is a matter of confidentiality between a journalist and his source.

Although the 40-page document was drafted before the riots in Tallinn at the end of last month, it gives you an accurate background to the events. It also offers detailed explanations of the Russian government’s strategies and the methods of their operations. This also puts the cyber attacks into perspective.

Update: Since KAPO have released the Estonian version on their own web site, I took it down. I am happy that the joint efforts of bloggers in Estonia and elsewhere have contributed to a reconsideration by KAPO. Public documents must be available to members of the public.

I am happy to take down the English version as well, as soon as KAPO have it on their web site.

Update: KAPO have now also released the English version. It is downloadable as a PDF file on their web site. Therefore, I am also taking it down as obsolete.

Blogger friendly Spiegel

Monday, October 30, 2006 at 8:52 | Posted in Blogosphere, Germany, internet, Not serious | 3 Comments

Spiegel On Line has, at least temporarily, introduced a blogger-friendly face. I suppose this sponsoring feature will be removed as soon as they discover it themselves.

via Farliblog and RA-Blog

Edit (14th November 2006): This security hole has been repaired today. The links were up for more than two weeks. I hope the Spiegel people are not as careless in their other web routines.
